pam_captcha - A Visual text-based CAPTCHA challenge module for PAM

Table of Contents

  1. Description
  2. Download

Description

pam_captcha - A Visual text-based CAPTCHA challenge module for PAM
Jordan Sissel <jls@semicomplete.com> 

Version 1.3 (March 2007)

Released under the BSD license. 

If you use or make changes to pam_captcha, shoot me an email or something. I
always like to hear how people use my software :) And no, you don't have to
do it. Nor do you have to send me patches, though patches are appreciated.

Requirements:
  - Figlet
  - OpenPAM (Linux and FreeBSD should have this)

Notes: 
   Figlet needs to be in /usr/local/bin, because I'm lazy.  You can fix this
   if you want, just look for /usr/local/bin further down and you can change
   the paths used.

   - I have tested this in FreeBSD and Linux. It works there.
   - It will not build under Solaris 9, and I have no intentions of
     fixing that at this time

Installation Instructions
  - Just type 'make' (assuming you downloaded the Makefile too)
  - Copy pam_captcha.so to your pam module dir (/usr/lib on FreeBSD)
  - Place this entry in your pam config for whatever service you want. It
    needs to go at the top of your pam auth stack (first entry?):

    auth       requisite     pam_captcha.so    [options]

Available options: math, dda, randomstring
Example:
  - Enable 'math' and 'randomstring' captchas:
    auth       requisite     pam_captcha.so    math randomstring

'requisite' is absolutely necessary here. This keyword means that if a user
fails pam_captcha, the whole auth chain is marked as a failure.  This ensures
that users must pass the captcha challenge before being permitted to attempt
any other kind of pam authentication, such as a standard login. 'required'
can work here too, but it will not break the chain. I like requisite because you
cannot even attempt to authenticate via password if you don't pass the
captcha.
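The difference between 'requisite' and 'required' is easiest to see by
walking a stack by hand. The following is an added illustration, not code from
pam_captcha or from any PAM implementation: a hypothetical, simplified model of
how a PAM auth stack is evaluated under the four common control flags. The
module names and results in the demo stack are constructed.

```python
"""Simplified model of how PAM walks an auth stack under the control flags
'requisite', 'required', 'sufficient' and 'optional'.

Hypothetical illustration only; it is not pam_captcha code and not a real PAM
library. Real implementations have extra rules (e.g. an all-optional stack,
the [value=action] syntax) that are deliberately left out here.
"""
from dataclasses import dataclass

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


@dataclass
class Module:
    control: str  # requisite | required | sufficient | optional
    name: str
    result: str   # outcome this module returns when invoked (constructed)


def run_auth_stack(stack):
    """Walk the stack in order; return (final_result, names of modules invoked)."""
    invoked = []
    failed = False
    for mod in stack:
        invoked.append(mod.name)
        ok = mod.result == PAM_SUCCESS
        if mod.control == "requisite":
            if not ok:
                # requisite: stop at once; later modules are never invoked,
                # so a password prompt never appears after a failed captcha
                return PAM_AUTH_ERR, invoked
        elif mod.control == "required":
            if not ok:
                # required: remember the failure but keep walking the stack,
                # so later modules still run and still prompt
                failed = True
        elif mod.control == "sufficient":
            if ok and not failed:
                # sufficient: success ends the stack unless an earlier
                # required module has already failed
                return PAM_SUCCESS, invoked
        elif mod.control == "optional":
            pass  # optional: result ignored in this simplified model
        else:
            raise ValueError(f"unknown control flag: {mod.control}")
    return (PAM_AUTH_ERR if failed else PAM_SUCCESS), invoked


def demo(captcha_control, captcha_result, password_result=PAM_SUCCESS):
    """Constructed two-module stack: pam_captcha first, then a password module."""
    stack = [
        Module(captcha_control, "pam_captcha.so", captcha_result),
        Module("required", "pam_unix.so", password_result),
    ]
    return run_auth_stack(stack)


if __name__ == "__main__":
    print("requisite, captcha fails:", demo("requisite", PAM_AUTH_ERR))
    print("required,  captcha fails:", demo("required", PAM_AUTH_ERR))
    print("requisite, captcha ok:   ", demo("requisite", PAM_SUCCESS))
```

With 'requisite' a failed captcha returns before pam_unix.so is ever invoked;
with 'required' the final result is still a failure, but pam_unix.so runs and
prompts for the password anyway, which is the behaviour the text above warns
about.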

IMPORTANT SSHD_CONFIG NOTE!
  To prevent brute-force scripts from bypassing the pam stack, you MUST
  disable 'password' authentication in your sshd. Disable 'password' auth
  and enable 'keyboard-interactive' instead.

  To do this, put the following in your sshd_config
  PasswordAuthentication no
  ChallengeResponseAuthentication yes

If you use ssh keys to login to your server, you will not be bothered by
pam_captcha because publickey authentication does not invoke PAM.

Download

Download pam_captcha-1.3.tar.gz

3 responses to 'pam_captcha - A Visual text-based CAPTCHA challenge module for PAM'

mihi wrote at Fri Feb 22 15:35:03 2008...
Does not work for me. I cannot login any longer and find the following in auth.log:

Feb 22 21:25:34 etch-vm login[12839]: PAM unable to dlopen(/lib/security/pam_captcha.so)
Feb 22 21:25:34 etch-vm login[12839]: PAM [dlerror: /lib/security/pam_captcha.so: undefined symbol: openpam_get_option]
Feb 22 21:25:34 etch-vm login[12839]: PAM adding faulty module: /lib/security/pam_captcha.so
Feb 22 21:25:34 etch-vm login[12839]: FAILED LOGIN (1) on 'tty4' FOR `root', Module is unknown

This is on Debian Etch.

adam wrote at Wed Mar 19 07:20:27 2008...
ahaaaaaaaaaa

thewall wrote at Wed May 7 00:58:59 2008...
Hi Jordan,
nice work on pam_captcha and grok.  I've been using pam_captcha for a couple of years now and have been using an ssh-bruteforce detector that is inspired by grok.  Thanks.

I noticed in my logs a few days back that the bad guys have figured out how to pass the captcha in an automated fashion.  Here are some relevant entries from my logs, damn these bad people...
=================================
May  4 03:29:23 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 03:29:23 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 04:05:37 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 04:05:37 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 04:42:35 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 04:42:35 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 05:18:36 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 05:18:36 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 05:54:37 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 05:54:37 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 06:30:35 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 06:30:35 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 07:06:56 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 07:06:56 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)


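The log excerpt in the comment above is a good candidate for detection: the
captcha passes from one source recur at almost exactly the same interval, which
is what an automated solver looks like. The following is an added example, not
code from pam_captcha or from the commenter's detector: it parses pam_captcha
syslog lines in the format quoted above and flags (user, source) pairs whose
passes arrive at suspiciously regular intervals. The sample input is the
quoted excerpt plus a few constructed lines for a benign user; the year is
assumed (syslog timestamps carry none), and the thresholds are assumptions.

```python
"""Flag sources whose pam_captcha passes recur at machine-like regular intervals.

Added example; not part of pam_captcha. Parses lines of the form quoted in the
comment above:
  May  4 03:29:23 joby pam_captcha: User root passed the captcha (from host)
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

ASSUMED_YEAR = 2008  # assumption: syslog lines carry no year; comment is from 2008

# Constructed sample: the lines quoted in the comment, plus four constructed
# lines for a benign user with irregular gaps (laptop.example.net is made up).
SAMPLE_LOG = """\
May  4 03:29:23 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 03:29:23 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 04:05:37 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 04:05:37 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 04:42:35 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 04:42:35 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 05:18:36 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 05:18:36 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 05:54:37 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 05:54:37 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 06:30:35 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 06:30:35 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 07:06:56 joby pam_captcha: User root passed the captcha (from alpha978.server4you.de)
May  4 07:06:56 joby pam_captcha: User root failed to pass the captcha (from alpha978.server4you.de)
May  4 08:00:00 joby pam_captcha: User alice passed the captcha (from laptop.example.net)
May  4 08:03:10 joby pam_captcha: User alice passed the captcha (from laptop.example.net)
May  4 09:45:00 joby pam_captcha: User alice passed the captcha (from laptop.example.net)
May  4 10:01:00 joby pam_captcha: User alice passed the captcha (from laptop.example.net)
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"pam_captcha: User (?P<user>\S+) (?P<outcome>passed|failed to pass) the captcha "
    r"\(from (?P<src>\S+)\)$"
)


def parse_line(line):
    """Return a dict for a pam_captcha line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(
        f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "passed": m["outcome"] == "passed", "src": m["src"]}


def find_automated_sources(lines, min_passes=4, max_jitter=0.15):
    """Return {(user, src): stats} for sources whose captcha passes recur at
    regular intervals. min_passes and max_jitter (relative std-dev of the gaps)
    are assumed thresholds; tune them against your own traffic."""
    passes = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["passed"]:
            passes[(ev["user"], ev["src"])].append(ev["ts"])

    findings = {}
    for key, stamps in passes.items():
        stamps.sort()
        if len(stamps) < min_passes:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            findings[key] = {"passes": len(stamps),
                             "mean_gap_s": round(avg),
                             "jitter": round(jitter, 3)}
    return findings


if __name__ == "__main__":
    for (user, src), stats in find_automated_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{user}@{src}: {stats}")
```

On the sample above the root passes from alpha978.server4you.de are about 36
minutes apart with under 1% jitter and get flagged; alice's four passes are
spread irregularly and are left alone. The output is a candidate for the
same kind of blocking a brute-force detector already does for failed logins.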