PAM Sphinx
PAM Sphinx is a Pluggable Authentication Module (PAM) that asks a riddle for the user to solve in order to gain access to the system.
The name "Sphinx" is inspired by the mythical Sphinx from ancient Egyptian mythology, known for posing riddles to travelers.
It leverages large language models (LLMs) to generate and evaluate riddles.
This was created for entertainment purposes...
Demo here, which is actually from the previous version implemented in Python.
Uses my fork of openai-cpp and the version of nlohmann/json embedded in that project.
Build Instructions
# Install required dependencies
sudo apt-get update
sudo apt-get install build-essential cmake libpam-dev # nlohmann-json3-dev (included in this repo)
# Build
mkdir build && cd build
cmake ..
make
Installation
# In build dir
sudo cp pam_sphinx.so /usr/lib/x86_64-linux-gnu/security
# Copy configuration files to system directories
sudo cp ../sphinx.conf /etc/sphinx.conf
sudo cp ../sphinx.prompt /etc/sphinx.prompt
sudo vim /etc/pam.d/common-auth # Add rules to PAM config as described below
Configuration
The module reads two configuration files:
sphinx.conf
# API Base URL (Optional)
# Defaults to 'https://api.openai.com/v1/' -- don't forget the trailing slash
#api_url https://api.openai.com/v1/
# OpenAI Organization (Optional)
# Defaults to ''
#organization test
# API Key (Required)
api_key your-api-key-here
# LLM Model to use (Required)
model gpt-4
# Prompt file (Optional)
# Defaults to '/etc/sphinx.prompt'
#prompt_file /etc/sphinx.prompt
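A pre-flight check for the file above, as an added example that is not part of the PAM Sphinx project: it verifies the required keys, the https scheme and trailing slash on api_url, and that the file holding the API key is closed to group and other. It assumes whitespace-separated "key value" lines where the first uncommented occurrence wins, and that the services calling the module run as root; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a sphinx.conf before enabling pam_sphinx.
# Assumption: "key value" lines, "#" starts a comment, first occurrence wins
# (not taken from the module's own parser).
# Usage: sh this-script /etc/sphinx.conf

# conf_get FILE KEY -> prints the value of the first uncommented KEY line
conf_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sphinx_conf FILE -> prints one line per problem, returns 1 if any
check_sphinx_conf() {
    f=$1
    bad=0
    if [ ! -r "$f" ]; then
        echo "cannot read $f"
        return 1
    fi

    key=$(conf_get "$f" api_key)
    if [ -z "$key" ] || [ "$key" = "your-api-key-here" ]; then
        echo "api_key is missing or still the placeholder"; bad=1
    fi

    if [ -z "$(conf_get "$f" model)" ]; then
        echo "model is missing"; bad=1
    fi

    # api_url is optional, but the key is sent to it: require TLS and the slash.
    url=$(conf_get "$f" api_url)
    if [ -n "$url" ]; then
        case $url in
            https://*/) ;;
            *) echo "api_url must be https:// and end with a slash: $url"; bad=1 ;;
        esac
    fi

    # The file holds the API key: group/other permission bits should be empty.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f is accessible to group/other ($perms); chmod 600 it"; bad=1
    fi
    return $bad
}

# Check a path only when one is given on the command line.
if [ $# -gt 0 ]; then check_sphinx_conf "$1"; fi
```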
sphinx.prompt
The prompt file defines the behavior and personality of the AI assistant. It includes examples of how the authentication conversation should proceed, including successful and failed authentication scenarios.
See sphinx.prompt for the default prompt.
Usage
To use this module, you need to configure PAM to use it. Add the following line to your PAM configuration (typically /etc/pam.d/common-auth or similar):
auth required pam_sphinx.so
You can also enable debug mode by adding the debug option, which will output debug logs to auth syslog:
auth required pam_sphinx.so debug
You can replace the password auth by replacing pam_unix.so with pam_sphinx.so like so:
auth [success=1 default=ignore] pam_sphinx.so nullok
Or, pam_sphinx can try first, and if the user doesn't answer correctly, fall back to password auth:
auth [success=2 default=ignore] pam_sphinx.so
auth [success=1 default=ignore] pam_unix.so nullok
(The success=2 means: skip 2, including self, if successful)
PAM Config Profile
Ubuntu systems don't like it when PAM configs are manually updated.
As an alternative, you can use the provided sphinx file:
Name: Sphinx Authentication
Default: no
Priority: 257
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_sphinx.so nullok try_first_pass
Auth-Initial:
[success=end default=ignore] pam_sphinx.so nullok
Install that file into /usr/share/pam-configs and run sudo pam-auth-update to enable it in the menu. It has higher priority than the default unix auth and, on success, jumps to the end of the primary block, resulting in the same config as the last manual example provided just above.
TODO
CI build Debian package