WSL Hello sudo

"WSL Hello sudo" is a Linux PAM module and companion Windows CLI apps that let sudo authenticate through Windows Hello biometric login on Windows Subsystem for Linux (WSL).
This PAM module allows you to authenticate sudo via face recognition, fingerprint authentication, and of course the machine-local PIN. It runs on both WSL 1 and WSL 2.

Both the Linux PAM module and Windows CLI app are written in Rust. Please use it at your own risk. There is no warranty.

"WSL Hello sudo" does not modify your sudo command at all; it is a Linux PAM module.
PAM, Pluggable Authentication Modules, is the UNIX module system that provides user authentication mechanisms to applications such as sudo or su. "WSL Hello sudo" is a PAM module that lets such applications use Windows Hello.

Installation and Configuration

Installation

The installation process is very simple.
Download the latest release package from GitHub Releases and unpack it.
Run install.sh inside the directory and follow its instructions.

$ wget http://github.com/nullpo-head/WSL-Hello-sudo/releases/latest/download/release.tar.gz
$ tar xvf release.tar.gz
$ cd release
$ ./install.sh

You do not need to care about the detailed installation process, but for reference,
install.sh does the following things.

  1. Copy a small Windows CLI app that launches Windows Hello to C:\Users\your_account\pam_wsl_hello (default location)
  2. Install a PAM module to your WSL system.
  3. Create config files in /etc/pam_wsl_hello/
  4. Create a pam-configs entry in /usr/share/pam-configs/ for automatic PAM configuration
  5. Create uninstall.sh

Configuration

"WSL Hello sudo" is not a fork of sudo but a PAM module. You have to adjust the PAM configuration to make it effective.

Automatic configuration

On Ubuntu, you can use sudo pam-auth-update to show a list of installed PAM authentication modules and select the ones you want to use for authentication (which also affects sudo etc.).

The install scripts will install the required configuration. If you're not using the install script, you can copy the pam-config file from the release tarball to /usr/share/pam-configs/.

Manual configuration

If for some reason you do not want to use automatic configuration, you can configure /etc/pam.d/sudo manually. I strongly recommend setting a root password first so that you can switch to root with su in case you make a typo in the sudo config.
Add auth sufficient pam_wsl_hello.so as the top line of your /etc/pam.d/sudo, like the following example:

#%PAM-1.0

auth       sufficient pam_wsl_hello.so
session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive

With this setting, because the control is sufficient, sudo falls through to the regular password authentication even if Windows Hello authentication fails.

Other applications that authenticate users, such as su, can also use Windows Hello through this module.
Even so, I strongly recommend keeping either sudo or su free of this module so that you cannot be locked out.
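The lockout risk above comes down to two things in the PAM stack: the control word on the pam_wsl_hello.so line (sufficient lets a failed Windows Hello attempt fall through, whereas required or requisite makes the overall result fail even if the password is right), and whether any fallback auth line or @include follows it. The following Go program is an added example, not code from the WSL-Hello-sudo project, that parses the auth lines of a /etc/pam.d/<service> file and reports whether the configuration leaves a working password fallback. The sample configurations inside it are constructed; the parsing of bracketed controls such as [success=end default=ignore] is a simplification of PAM's syntax.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthLine is one parsed "auth" line (or "@include" line) from a pam.d file.
type AuthLine struct {
	Control string // required, requisite, sufficient, optional, [bracketed], or "include"
	Module  string // e.g. pam_wsl_hello.so, or the included file name for "include"
}

// ParseAuthLines returns the auth-type lines of a pam.d file, in order.
// Comments and blank lines are skipped; other module types (session, account) are ignored.
func ParseAuthLines(config string) []AuthLine {
	var out []AuthLine
	for _, raw := range strings.Split(config, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if fields[0] == "@include" && len(fields) == 2 {
			out = append(out, AuthLine{Control: "include", Module: fields[1]})
			continue
		}
		if fields[0] != "auth" {
			continue
		}
		rest := strings.TrimSpace(line[len("auth"):])
		if strings.HasPrefix(rest, "[") {
			// Bracketed control, e.g. "[success=end default=ignore] pam_wsl_hello.so".
			end := strings.Index(rest, "]")
			if end < 0 {
				continue
			}
			after := strings.Fields(rest[end+1:])
			if len(after) == 0 {
				continue
			}
			out = append(out, AuthLine{Control: rest[:end+1], Module: after[0]})
			continue
		}
		if len(fields) < 3 {
			continue
		}
		out = append(out, AuthLine{Control: fields[1], Module: fields[2]})
	}
	return out
}

// CheckLockoutRisk reports whether pam_wsl_hello.so is wired so that a Windows Hello
// failure still lets the user fall back to password authentication.
func CheckLockoutRisk(config string) (ok bool, reason string) {
	lines := ParseAuthLines(config)
	idx := -1
	for i, l := range lines {
		if l.Module == "pam_wsl_hello.so" {
			idx = i
			break
		}
	}
	if idx < 0 {
		return false, "pam_wsl_hello.so is not configured for auth"
	}
	switch lines[idx].Control {
	case "required", "requisite":
		return false, "control is " + lines[idx].Control + ": a Windows Hello failure makes the whole stack fail, so the password fallback can never succeed"
	}
	if idx == len(lines)-1 {
		return false, "no auth line or @include follows pam_wsl_hello.so, so there is no password fallback"
	}
	return true, "pam_wsl_hello.so is " + lines[idx].Control + " and a fallback auth stack follows it"
}

// Constructed sample: the README's recommended /etc/pam.d/sudo layout.
const goodSudoConfig = `#%PAM-1.0
auth       sufficient pam_wsl_hello.so
session    required   pam_env.so readenv=1 user_readenv=0
@include common-auth
@include common-account
`

// Constructed sample: the module marked required, as in the "Module is unknown" issue.
const requiredConfig = `auth       required   pam_wsl_hello.so
@include common-auth
`

func main() {
	for name, cfg := range map[string]string{"good": goodSudoConfig, "required": requiredConfig} {
		ok, why := CheckLockoutRisk(cfg)
		fmt.Printf("%-9s ok=%v: %s\n", name, ok, why)
	}
}
```

The check is intentionally conservative: it only looks at the auth stack of one file and does not follow @include targets, so a configuration it accepts still deserves the README's advice of leaving either sudo or su untouched until Windows Hello is confirmed working.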

Troubleshooting

Windows Hello window appears in background.

The Windows Hello dialog sometimes appears in the background. In some cases it even fails to recognize your face with a strange error message. It seems to be a bug in the Windows API. In that case, restarting Windows a couple of times might solve the problem.

"Windows Hello is not invoked! sudo just prompts password!"

Some error is probably happening. Unfortunately, sudo suppresses error messages from PAM modules.
To debug "WSL Hello sudo", enable it for su instead of sudo. su shows error messages from PAM modules, so you can see what is going on.

For your information, the setting for su looks like the example below; only the two relevant lines are shown.

auth       sufficient pam_rootok.so
auth       sufficient pam_wsl_hello.so

Build

Both the Linux PAM module and the Windows CLI apps of "WSL Hello sudo" are written in Rust, so only cargo is required to build them.

To build "WSL Hello sudo", make sure you're in WSL and then just run make.

$ git clone https://github.com/nullpo-head/WSL-Hello-sudo.git
$ cd WSL-Hello-sudo
$ make

Internals

Windows Hello maintains an RSA key pair for each Windows user in the machine's TPM hardware and proves that authentication succeeded by signing given content with the private key. To use this API, "WSL Hello sudo" contains small Windows CLI apps that return the public key and a signature over given content. On the Linux side, the PAM module of "WSL Hello sudo" remembers the public key of the Windows user who corresponds to each Linux user. The PAM module therefore authenticates a given Linux user by the following process.

  1. The PAM module is launched by sudo and receives a Linux user to be authenticated
  2. The PAM module launches the companion Windows app and sends a random value via WSL's interop bridge
  3. The companion Windows app invokes Windows Hello
  4. Windows Hello makes a signature of the given input by the private key of the current Windows user
  5. The companion Windows app returns the signature
  6. The PAM module verifies the signature by the public key of the Windows user who corresponds to the given Linux user.
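The six steps above are a challenge-response protocol: the PAM module never sees the private key, it only checks that whoever unlocked Windows Hello could sign a value it chose freshly. The Go program below is an added example, not code from the WSL-Hello-sudo project, that models that exchange with the standard library's RSA implementation: a random challenge per attempt, a signature on the Windows side, and verification on the Linux side against a pinned public key. The key pair is generated in software here purely to stand in for the TPM-resident key; the user names, the use of SHA-256 with PKCS#1 v1.5 padding and the 32-byte challenge length are all assumptions of this example, not details of the project's wire format. It also goes slightly beyond the text by showing why steps 2 and 6 matter: a signature from the wrong key pair and a replayed signature over an earlier challenge are both rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// windowsHelloKey stands in for the per-user RSA key pair that Windows Hello keeps
// in the TPM. Only the Windows side (steps 3 to 5) ever touches the private key.
type windowsHelloKey struct{ priv *rsa.PrivateKey }

func newWindowsHelloKey() (*windowsHelloKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // software stand-in for the TPM key
	if err != nil {
		return nil, err
	}
	return &windowsHelloKey{priv: priv}, nil
}

// sign models step 4: Windows Hello signs the challenge with the current user's private key.
func (k *windowsHelloKey) sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, k.priv, crypto.SHA256, digest[:])
}

// pamModule models the Linux side: for each Linux user it remembers the public key
// of the corresponding Windows user (the value the PAM module stores at setup time).
type pamModule struct {
	pubkeys map[string]*rsa.PublicKey
}

// newChallenge models step 2: a fresh random value for every authentication attempt,
// so that a previously captured signature is useless for a later attempt.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// verify models step 6: the signature must check out under the pinned public key
// of the Windows user mapped to this Linux user, over exactly this challenge.
func (p *pamModule) verify(linuxUser string, challenge, signature []byte) bool {
	pub, ok := p.pubkeys[linuxUser]
	if !ok {
		return false // no Windows Hello credential registered for this Linux user
	}
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// Authenticate runs steps 2 through 6 end to end for one sudo invocation.
func Authenticate(p *pamModule, linuxUser string, hello *windowsHelloKey) (bool, error) {
	challenge, err := newChallenge()
	if err != nil {
		return false, err
	}
	signature, err := hello.sign(challenge)
	if err != nil {
		return false, err
	}
	return p.verify(linuxUser, challenge, signature), nil
}

// Scenarios exercises a genuine login, a signature from an unrelated key pair,
// and a replay of an old signature against a new challenge.
func Scenarios() (genuine, wrongKey, replay bool, err error) {
	var alice, other *windowsHelloKey
	if alice, err = newWindowsHelloKey(); err != nil {
		return
	}
	if other, err = newWindowsHelloKey(); err != nil {
		return
	}
	pam := &pamModule{pubkeys: map[string]*rsa.PublicKey{"alice": &alice.priv.PublicKey}}

	if genuine, err = Authenticate(pam, "alice", alice); err != nil {
		return
	}
	if wrongKey, err = Authenticate(pam, "alice", other); err != nil {
		return
	}
	// Replay: a valid signature over an earlier challenge, presented for a fresh one.
	var old, fresh, oldSig []byte
	if old, err = newChallenge(); err != nil {
		return
	}
	if oldSig, err = alice.sign(old); err != nil {
		return
	}
	if fresh, err = newChallenge(); err != nil {
		return
	}
	replay = pam.verify("alice", fresh, oldSig)
	return
}

func main() {
	genuine, wrongKey, replay, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v wrongKey=%v replay=%v\n", genuine, wrongKey, replay)
}
```

The design point worth taking from the model is that the security of the whole scheme rests on step 2 being unpredictable and step 6 being bound to the stored public key: a predictable challenge would let a captured signature be reused, and accepting any key the Windows side hands back would defeat the mapping between Linux and Windows users.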

wsl-hello-sudo's People

Contributors

blackholefox, github-actions[bot], jonaskuske, mfenniak, nullpo-head, oofchair, oxc, thelastlin, vereis

wsl-hello-sudo's Issues

Error 0x8028008B - TPM 2.0: The Handle is not correct for the use.

I had a weird error today happening once, not before and not again afterwards.

I got the Windows Hello prompt, I confirmed with fingerprint, and then WindowsHelloAuthenticator crashed:

david@CHE-X1:~ $ sudo apt install --only-upgrade httpie

Unbehandelte Ausnahme: System.AggregateException: Mindestens ein Fehler ist aufgetreten. ---> System.Exception: TPM 2.0: Das Handle ist für die Verwendungsweise nicht korrekt. (Ausnahme von HRESULT: 0x8028008B)
   bei System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   bei WindowsHelloAuthenticator.Program.<VerifyUser>d__9.MoveNext() in C:\Users\abctk\Dropbox\develop\rust\wsl_hello_pam\win_components\WindowsHelloAuthenticator\WindowsHelloAuthenticator\Program.cs:Zeile 71.
   --- Ende der internen Ausnahmestapelüberwachung ---
   bei System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   bei System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   bei System.Threading.Tasks.Task`1.get_Result()
   bei WindowsHelloAuthenticator.Program.Main(String[] args) in C:\Users\abctk\Dropbox\develop\rust\wsl_hello_pam\win_components\WindowsHelloAuthenticator\WindowsHelloAuthenticator\Program.cs:Zeile 94.

The error message is German for TPM 2.0: The Handle is not correct for the use. (TPM_20_E_HANDLE)

Windows version 19042.867

install.sh: 10: Syntax error: "(" unexpected (expecting "then")

HELP. I can't find a solution anymore.

tar.exe: Error opening archive: Failed to open 'release.tar.gz'
tar.exe doesn't work even if I use wget, so I manually downloaded install.sh from the URL, but the following error occurred:

install.sh: 10: Syntax error: "(" unexpected (expecting "then")

Also, WSL is always root even though I'm not elevated, but I'm in an administrator account on Windows. I have no other account. How do I log in as a 'normal user'?

RDP session error dialog

Error code: 80090010
at
..SECURITY_STATUS.CheckStatus(...)
...

When opening KeePass over an RDP session, no Hello is available, obviously, and an error dialog opens.
When closing the popup, the normal fallback password dialog can be used.

Module is unknown

I ran the installer script and verified the existence of pam_wsl_hello.so in /lib/x86_64-linux-gnu/security/. The file is there. Permissions all seem alright.

For debugging purposes, I added

auth       required   /lib/x86_64-linux-gnu/security/pam_wsl_hello.so

to /etc/pam.d/su.
Even with the absolute path, the same error occurs: su: Module is unknown

Output of uname -a:

Linux LAPTOP-RUJJI7SM 4.4.0-17134-Microsoft #345-Microsoft Wed Sep 19 17:47:00 PST 2018 x86_64 GNU/Linux

Windows version: 10.0.17134 Build 17134
MD5Sum:
8ee75aee1cc9531bafa689d8c12ac9e3 /lib/x86_64-linux-gnu/security/pam_wsl_hello.so

What am I missing here?

Mistake in install.sh

I suppose there is a typo in install.sh on the 95th line: "\" should be in quotes or has to be deleted.

Windows Hello Face doesn't work

Windows Hello Face enters a face scanning loop and starts responding with "something went wrong, try again" after a couple of retries. Canceling the prompt cancels the installation.

+ sudo echo 'win_mnt = "/mnt/c"'
+ sudo tee -a /etc/pam_wsl_hello/config
win_mnt = "/mnt/c"
+ set +x
Please authenticate yourself now to create a credential for '*********' and '*********' pair.
+ pushd /mnt/c/Users/*********/AppData/Local/Programs/wsl-hello-sudo
/mnt/c/Users/*********/AppData/Local/Programs/wsl-hello-sudo ~/release
+ ./WindowsHelloBridge.exe creator pam_wsl_hello_*********
Error: The user cancelled.
+ test 176 = 171

chmod: changing permissions of '/mnt/c/Users/<local_user>/AppData/Local/Programs/wsl-hello-sudo/WindowsHelloBridge.exe': Operation not permitted

As the title states, running the script generates a permission error for chmod,

Choosing a different location inside the local users folder generates the same error

Running the script with sudo stops the script asking you to run it as a local user.

Tried opening Ubuntu normally and with administrative privileges inside windows

Any idea what could cause this?

running the chmod command with sudo does work after the script failed. However, restarting the script re-executes the copy and the chmod command causing it to fail again

"Error: Access Denied" during install.

When the install script reaches the line + ./WindowsHelloBridge.exe creator pam_wsl_hello_vkapadia it gives the message Error: Access Denied. This is with Ubuntu 18.04 on WSL 2 on Windows 11.

Noob question

Sorry for the noobie question, I'm new to Linux. I downloaded using

wget http://github.com/nullpo-head/WSL-Hello-sudo/releases/latest/download/release.tar.gz

after installing, can I delete the 'release ' directory that the download created? (i.e. did the install script place the required stuff elsewhere on the system so this install folder is no longer needed?)

thank you in advance!

Integration with package manager(s)

I installed this awhile back and wasn't aware there's now a v2. Rather than manually uninstalling and upgrading the two components, I wish they could be manageable via one or more package managers (e.g. WinGet and APT).

Include pam-configs file?

On Ubuntu, you can easily include the required pam settings by creating the following file:

/usr/share/pam-configs/wsl-hello-sudo

Name: WSL Hello authentication
Default: no
Priority: 260
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_wsl_hello.so

Then you can call sudo pam-auth-update and select the entry from the checkbox list. The resulting file will include the required PAM config entries without creating any conflicts with other authentication methods.

Perhaps it would make sense to include that file in the install script?

Any idea why on WSL2 PAM modules are not loaded on login (for example pam_env)?

I noticed that on WSL2 /etc/environment is not getting parsed even though Linux-PAM seems to be configured correctly. If I execute sudo login the /etc/environment is parsed. So it seems like there is something missing / wrong about how WSL handles the distribution.

Am I missing something obvious? Asking here because it seems like you know how to get Linux-PAM to properly work with WSL2.

Related:

Error: Key creation failed due to some error

Hi, when I run install.sh in my WSL, it says "Error: Key creation failed due to some error". I checked the WindowsHelloKeyCredentialCreator source code and found you call KeyCredentialManager.RequestCreateAsync() without any precheck of whether the user has set up a PIN. Here is the example from https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport

var keyCredentialAvailable = await KeyCredentialManager.IsSupportedAsync();
if (!keyCredentialAvailable)
{
    // User didn't set up PIN yet
    return;
}

Windows Hello dialogue doesn't get focus

When I sudo (from Windows Terminal), the Windows Hello dialogue pops up unfocussed - the Terminal window keeps focus. In consequence I need to first switch to the Windows Hello window using mouse or alt-tab, and then authenticate (using a fingerprint scanner in my case). This somewhat detracts from the speed/fluency advantage of using Hello over entering a password.

I'm not sure if this is the same as the FAQ item entitled "The Windows Hello dialog sometimes appears in background." If so, apologies for the overlap, but I wonder if there is a way around it. I notice that this doesn't happen with Windows apps that use Windows Hello, eg. 1Password.

1Password first opens its own window, then the Windows Hello window appears on top of that (every time, and always achieving focus). Some sort of child window relationship perhaps? In which case, might it be possible for WSL-Hello-sudo to open a blank dummy window and do something similar?

I don't know anything about Win32 dev, so I may be talking out of my hat here. If so, ignore me ;)

Doesn't work on WSL1 Ubuntu 20.04

It works on my Ubuntu 16.04 and 18.04, but it doesn't work on 20.04.

I have installed and configured WSL Hello on my Ubuntu 20.04 several times starting with a clean distro each time. Unfortunately, it prompts for the password. I tried to debug with su, but it prompts for the password too and doesn't output any errors.

Microsoft Windows [Version 10.0.18363.815]

Authenticator fails to find valid window when Hello detection returns false

In the case that Windows Hello isn't supported, but a key is still generated (or you just run the WindowsHelloAuthenticator binary by hand), it fails to open the expected error UI box.

Output:

> sudo whoami

Unhandled Exception: System.AggregateException: One or more errors occurred. ---> System.Exception: Invalid window handle.

This API must be called from a thread with a CoreWindow or a window must have been set explicitly.
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at WindowsHelloAuthenticator.Program.<VerifyUser>d__9.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at System.Threading.Tasks.Task`1.get_Result()
   at WindowsHelloAuthenticator.Program.Main(String[] args)

This all said, I'm not sure if there's actually a way to open a window on the desktop from WSL like this.

System details:
WSL Version: 1, Ubuntu 18
OS Info: Windows 10 Pro, 19043.1288
Terminal: Windows Terminal Preview

sudo whoami prompt never opens Windows Hello

I've tried the directions in the README.md for this error but so far no luck.

I always get the password prompt:

mbcrump@DT:/mnt/c/Users/micrum$ sudo id
Password:

My sudo nano /etc/pam.d/sudo:

#%PAM-1.0

auth       sufficient pam_wsl_hello.so
session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0@include common-auth
@include common-account
@include common-session-noninteractive

The exe copied over successfully:

mbcrump@DT:/mnt/c/Users/micrum/pam_wsl_hello/WindowsHelloAuthenticator$ tree
.
├── WindowsHelloAuthenticator.exe
├── WindowsHelloAuthenticator.exe.config
└── WindowsHelloAuthenticator.pdb

0 directories, 3 files

Anyone having an issue?

install.sh doesn't work on arch

install.sh assumes that things are in /lib/x86_64-linux-gnu, but arch has all of those paths directly under /lib. Changing the paths made it work, but the script should handle that automatically.

Face Recognition problem

Windows Hello works with PIN and fingerprint, but not face recognition. It recognizes me but opens the Windows Hello popup again and again. I have found some workarounds:

  • Change to other authentication method such as PIN or fingerprint and change back to Face recognition will work.
  • Move face out of camera then move back will work as well.
  • Keep face out of camera first and wait a second then move in.

I think this problem comes from authentication speed. Face recognition is the fastest authentication method; it takes some milliseconds to recognize, compared with PIN and fingerprint (including the time to type numbers and move your hand over the fingerprint sensor and swipe).

Breaks if WINUSER contains a space

install.sh breaks on line 58 if $WINUSER/$PAM_WSL_HELLO_WINPATH contains a space:

./install.sh: line 58: [: /c/Users/Jonas: binary operator expected

Easy to workaround once you notice the issue because you can pass your own install location as part of the setup, but still would be nice if it'd work out of the box :)

Multiple distros?

I got this working with Ubuntu and love it, TY!

My next question is, I also have Kali installed, and ran the same exact setup instructions, but while it works in Ubuntu, it gets ignored in my Kali install. Do I have to do something different to have it work in both at the same time?

./install.sh: line 63: /mnt/c/Windows/System32/cmd.exe: Permission denied

Following the standard install steps in an Ubuntu 22.04 LTS WSL2 on Windows 11 Pro 22H2 Build 22621.1483

$ wget http://github.com/nullpo-head/WSL-Hello-sudo/releases/latest/download/release.tar.gz
$ tar xvf release.tar.gz
$ cd release
$ ./install.sh

I get the following error:

./install.sh: line 63: /mnt/c/Windows/System32/cmd.exe: Permission denied

Potentially relevant since the script is supposed to copy the cli app in my user folder...
My user folder contains special characters: C:\Users\Michaël Vanderheyden

Bypass the "OK" mouse click

Hi team - I love this! Thank you. Wondered if there is a way to automatically ok this window, please? i.e. bypass the required mouse click of the "ok" button once Windows Hello has verified me, please?

Only works if C drive is mounted in /mnt/

During installation the script asks for the /c location if /mnt/c/ doesn't exist, but then the authentication code in Rust still requires it to be /mnt/c/: https://github.com/nullpo-head/WSL-Hello-sudo/blob/master/src/auth.rs#L209

Since users enter the /c location already anyway as part of the setup, I guess this location could just be stored in etc/pam_wsl_hello/config alongside the authenticator_path – though I think it'd be cleaner to automatically use the root property in etc/wsl.conf to check for the drive mount root.

The syntax of the command is incorrect.

Hi,

I get this error:

./install.sh
'\wsl.localhost\Ubuntu\home\mvg\release'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
The syntax of the command is incorrect.
