I have a ttl RFID reader and was planning to connect it with my computer somehow and suddenly a thought came to my mind if I could log in to ubuntu using it. Now laptops provide all kind of biometric login facilities, so I knew it was certainly possible. Only question was how exactly to do it?

A couple of google searches later I found references and tutorials to set up login mechanisms using PAM(Pluggable Authentication Module). Tutorials use standard devices, many of which have drivers with PAM modules. But since my ttl reader had no driver, I was looking for help writing my own PAM module, when fortunately I came across existing PAM modules which are generic and can be used with scripts.

So, here is my architecture:

PAM provides a pam_exec module which executes command/script provided as argument. So all I had to do was to write a python script to read card. Check number of read card and authenticate. Since I wanted to use card to all places where authentication was needed (sudo and gksu) I added following line to common-auth file in /etc/pam.d/. This file is common pam rules for all authentication programs.

auth    [success=2 default=ignore] pam_exec.so quiet /usr/bin/python2.7 /path/to/my/rfid.py

WARNING: Before adding code to common-auth, either test with individual programs in same folder or make this rule optional and test. Because a screw-up here might need amendments from recovery mode.

Now in python code, to distinguish between successful authentication and otherwise, we have to return 0 (for successful call) and any other value otherwise. In addition, since this code will be run before regular password code, and I wanted to  go to password after some wait, I added a loop to wait for 20 seconds while checking for card every 2 seconds. So after 20 seconds I return unsuccessful read and it falls back to regular password authentication.

Modifying rules to make card authentication AND password compulsory is trivial now. We just need to modify above rule and remove skip part and make it requisite/required.

My next step would be to use TTL fingerprint module on same lines. All that needs to be changed is python code.


Link: https://anondissector.blogspot.com/2015/10/login-to-linux-using-rfid.html