Phosh and Plasma Mobile require short numeric passwords as user passwords, as the same password is used for the lock screen.
Depending on how postmarketOS was installed and on the device, the same username/password may be available via SSH or serial.
As of writing, the on-device installer makes sure that it is not used for SSH, however creating a custom image with pmbootstrap without the on-device installer (no pmbootstrap install --ondev) will set the same password for SSH: pmbootstrap#1941
The PinePhone and some other devices can be accessed via serial and show a login prompt.
From there on, it is possible to brute force the password (especially if the username is just "user").
All these logins go through PAM, so we could set it up to prevent brute force. For example, after 10 failed logins, require a 15 second wait after each login, and increase the time further with more failed logins.
We could also display a notification on the phone, if there was a successful login via SSH.
Isn't the better option here to modify phosh so that it accepts full passwords? Additionally, is there a way we can have one password for phosh and another to login via SSH/serial (I suspect not, but it's worth an ask...)?
Another idea is to mandate e.g. 2FA for SSH logins.
Regardless, the SSH part can be done by setting up /etc/pam.d/ssh with whatever settings we wish (well, not the notifications part, I think, but the other hardening stuff).
I believe the PAM modules for moderating failed logins are pam_faildelay (delay on failure) and pam_faillock (lock account after <n> failures). We can't do anything fancy like increasing the delay as more logins fail, but we can lock after too many invalid attempts.
One of the reasons I like the idea of a Linux phone so much is ease of development. I would prefer to not have to jump through hoops for SSH access. 2FA should absolutely be an option for people who want it, but I would prefer just to be able to set a password instead of a PIN.
The default forced by Phosh/PlasmaMobile is a PIN instead of a password. This is insecure and the option of a password (and/or a flow to allow setting up separate SSH credentials post-install) should be made available.
The default attack surface is way too wide. One way to deal with this is setting up firewall rules. For example, one option is using wpa_cli's actions to set up firewall rules based on the SSID that is connected (e.g. only allow SSH access if the SSID is a trusted one).
Neither of those, though, should preclude setting up better default rules to lock out brute-force attempts. So I would argue those are orthogonal considerations to the one being proposed here. I sort of spit-balled mandatory 2fa because that's an easy way to prevent hackers from gaining access while still allowing legitimate users to login, albeit with a slightly more "annoying" workflow.
Also @TheBrokenRail, note that passwords aren't a cure-all here because people tend to choose really shitty passwords. Protections against brute-force logins are still useful (and I would argue necessary) even when we're allowed to set passwords instead of PINs.
I mean 2FA as default would probably be awesome, and delays after multiple failed attempts are necessary, I just want a way to be able to turn off 2FA (or use SSH on an un-trusted network).
So...I don't quite understand how pam_faillock.so works. I'm able to get it to log that, indeed, there are failed attempts. However, it's not actually blocking me from continuing to attempt to log in even though I have configured it as such...there's something weird going on.
[Edit] Never mind, those are just the regular failed attempts logged. faillock doesn't seem to be engaging at all. This is weird.
[Edit2] HAH. Okay, so sshd is not configured with PAM support in pmOS (and probably Alpine?). This should be enabled...
[Edit3] The option UsePAM in /etc/ssh/sshd_config does not work because PAM support is disabled at compile-time. I am currently attempting to re-compile OpenSSH from source with the option --with-pam to see if I can get this working.
[Edit4] I got it to work! Here are the steps I used:
git clone git://anongit.mindrot.org/openssh.git
cd openssh
autoreconf
./configure --with-pam --sysconfdir=/usr/local/etc/ssh && make && sudo make install (make sure the linux-pam-dev package is installed in addition to other prerequisites)
Edit /usr/local/etc/ssh/sshd_config to set UsePAM yes
Edit /etc/conf.d/sshd to launch the new binary instead of /usr/sbin/sshd and set the configuration file path appropriately
sudo mkdir /var/run/faillock
Add /etc/pam.d/sshd with the following contents:
auth requisite pam_faillock.so preauth
auth include base-auth
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
account include base-account
password include base-password
session include base-session
I got locked out from ssh after purposefully failing to authenticate. After 1 minute, I am again allowed to login. There are tweaks you can do (look at the manpage for faillock.conf), but this should get the right idea.
The main issue is that upstream needs to recompile sshd with built-in support for PAM. Then this can easily be tackled via a config file change.
On the plus side, installing it manually seems to work (although I would have thought it would conflict with openssh-server, it seems to happily overwrite/take ownership of /usr/sbin/sshd...not sure what's going on there).
Could there be a new package postmarketos-ssh-pam or something which includes an /etc/pam.d/sshd? Presumably modifying linux-pam would require deviating from upstream, which might not make sense...
[Edit] Even better might be including postmarketos-pam-faillock which installs a file /etc/pam.d/base-faillock with:
and creates the directory /var/run/faillock (using whatever boot mechanism, presumably) and then postmarketos-ssh-pam-integration which would create /etc/pam.d/sshd with:
auth include base-auth
auth include base-faillock
account include base-account
password include base-password
session include base-session
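
An added example, not part of the original thread: a small audit script for the failure mode found above, where pam_faillock logs failures but never locks because sshd is not going through PAM. The function names are hypothetical, the sample files are constructed, and the stack check assumes the single-file /etc/pam.d/sshd layout from the [Edit4] steps.

```shell
#!/bin/sh
# Added example (not from the thread): check that pam_faillock can engage for sshd.

# First UsePAM line wins in sshd_config; succeed only if it says "yes".
sshd_uses_pam() {
    awk 'tolower($1) == "usepam" { v = tolower($2); exit }
         END { exit (v == "yes" ? 0 : 1) }' "$1"
}

# Heuristic: a PAM-enabled sshd binary is dynamically linked against libpam.
sshd_links_pam() {
    ldd "$1" 2>/dev/null | grep -q 'libpam\.so'
}

# Succeed only if the auth stack runs faillock preauth, then the password
# check (assumed to be an "include" or pam_unix line), then faillock authfail.
faillock_stack_ok() {
    awk '$1 != "auth" { next }
         /pam_faillock\.so/ && /preauth/   { if (!pre) pre = NR; next }
         /pam_faillock\.so/ && /authfail/  { if (!fail) fail = NR; next }
         $2 == "include" || /pam_unix\.so/ { if (!chk) chk = NR }
         END { exit (pre && chk && fail && pre < chk && chk < fail ? 0 : 1) }' "$1"
}

# audit_faillock SSHD_CONFIG PAM_FILE TALLY_DIR
# Prints one line per finding and returns the number of findings.
audit_faillock() {
    n=0
    sshd_uses_pam "$1" || { echo "UsePAM is not yes in $1"; n=$((n + 1)); }
    faillock_stack_ok "$2" || { echo "faillock preauth/authfail missing or misordered in $2"; n=$((n + 1)); }
    [ -d "$3" ] || { echo "tally directory $3 does not exist"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample input: the stack from the thread and a matching sshd_config.
demo=$(mktemp -d)
mkdir "$demo/faillock"
printf 'UsePAM yes\n' > "$demo/sshd_config"
cat > "$demo/sshd" <<'EOF'
auth requisite pam_faillock.so preauth
auth include base-auth
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
account include base-account
EOF
audit_faillock "$demo/sshd_config" "$demo/sshd" "$demo/faillock" && echo "no findings"
```

On a device, point `audit_faillock` at the real sshd_config, /etc/pam.d/sshd and /var/run/faillock, and run `sshd_links_pam` against the sshd binary that the init script actually launches.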