Ubuntu
libpam-blue package

Bug #912695
Comment #8

Comment 8 for bug 912695

Revision history for this message

Ross Boswell (drb-x) wrote on 2013-06-07: Re: [Bug 912695] Re: libpam_blue requires root, fails if non-privileged

Dear Craig

No I can't see why it wouldn't work -- it worked for me with gnome-screensaver and Ubuntu 10.
Perhaps you will get a clue from the system logfiles.
You might also try running hcitool as the user running the screensaver and make sure that user has bluetooth access permissions.

Good luck -- Ross

----- Original Message -----

From: "Craig McQueen" <email address hidden>
To: <email address hidden>
Sent: Friday, 7 June, 2013 12:15:39 PM
Subject: [Bug 912695] Re: libpam_blue requires root, fails if non-privileged

I've tried that patch, and it does seem to work. Great!

However, it doesn't seem to work for the unlocking the lock screen
(Unity GUI, Ubuntu 13.04). I have to type in a password to unlock it.
I've seen bug reports about LDAP and the lock screen. But a fingerprint
reader PAM (pam_fingerprint-gui) does seem to work on the lock screen.
Any idea why pam-blue wouldn't work to unlock the lock screen?

--
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/912695

Title:
libpam_blue requires root, fails if non-privileged

Status in “libpam-blue” package in Ubuntu:
Confirmed

Bug description:
I modified /etc/pam.d/common-auth to allow two-factor authentication
using password and either bluetooth proximity or, if that fails,
google-authenticator:

. . .
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
#
auth [success=1 default=ignore] pam_blue.so
auth required pam_google_authenticator.so
#
# prime the stack . . .

This works fine for login, but bluetooth authentication always fails when unlocking gnome-screensaver with the error message:
Bluetooth scan failure [bluetooth device up?]

The reason seems to be that pam_blue is based on l2cap which requires
root authority to create sockets (l2ping runs as root but fails for a
non-privileged user).

An alternative method of detecting bluetooth proximity is to use hcitool:
hcitool name xx:xx:xx:xx:xx:xx
returns the name of the device whose MAC is given, or nothing on fail, and it works for a non-privileged user.

Replacing pam_blue with a simple hacked version using hcitool works for both login and gnome-screensaver unlock:

int rc = PAM_SESSION_ERR;
FILE *fpipe;
char *command="hcitool name xx:xx:xx:xx:xx:xx";
char line[256];

if ( !(fpipe = (FILE*)popen(command,"r")) ) {
perror("Problems with pipe");
exit(1);
}
while ( fgets( line, sizeof line, fpipe)) {
if (strlen(line) > 2) rc = PAM_SUCCESS;
}
pclose(fpipe);
return rc;

This bug probably affects all versions to date, but has been confirmed
in Ubuntu 11.04 and 11.10, and in libpam-blue 0.9.0-3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libpam-blue/+bug/912695/+subscriptions

Dear Craig

No I can't see why it wouldn't work -- it worked for me with gnome-screensaver and Ubuntu 10. 
Perhaps you will get a clue from the system logfiles. 
You might also try running hcitool as the user running the screensaver and make sure that user has bluetooth access permissions.

Good luck -- Ross

----- Original Message -----

From: "Craig McQueen" <912695@bugs.launchpad.net> 
To: drb@med.co.nz 
Sent: Friday, 7 June, 2013 12:15:39 PM 
Subject: [Bug 912695] Re: libpam_blue requires root, fails if non-privileged

I've tried that patch, and it does seem to work. Great!

However, it doesn't seem to work for the unlocking the lock screen 
(Unity GUI, Ubuntu 13.04). I have to type in a password to unlock it. 
I've seen bug reports about LDAP and the lock screen. But a fingerprint 
reader PAM (pam_fingerprint-gui) does seem to work on the lock screen. 
Any idea why pam-blue wouldn't work to unlock the lock screen?

-- 
You received this bug notification because you are subscribed to the bug 
report. 
https://bugs.launchpad.net/bugs/912695

Title: 
libpam_blue requires root, fails if non-privileged

Status in “libpam-blue” package in Ubuntu: 
Confirmed

Bug description: 
I modified /etc/pam.d/common-auth to allow two-factor authentication 
using password and either bluetooth proximity or, if that fails, 
google-authenticator:

. . . 
# here are the per-package modules (the "Primary" block) 
auth [success=1 default=ignore] pam_unix.so nullok_secure 
# here's the fallback if no module succeeds 
auth requisite pam_deny.so 
# 
auth [success=1 default=ignore] pam_blue.so 
auth required pam_google_authenticator.so 
# 
# prime the stack . . .

This works fine for login, but bluetooth authentication always fails when unlocking gnome-screensaver with the error message: 
Bluetooth scan failure [bluetooth device up?]

The reason seems to be that pam_blue is based on l2cap which requires 
root authority to create sockets (l2ping runs as root but fails for a 
non-privileged user).

An alternative method of detecting bluetooth proximity is to use hcitool: 
hcitool name xx:xx:xx:xx:xx:xx 
returns the name of the device whose MAC is given, or nothing on fail, and it works for a non-privileged user.

Replacing pam_blue with a simple hacked version using hcitool works for both login and gnome-screensaver unlock:

int rc = PAM_SESSION_ERR; 
FILE *fpipe; 
char *command="hcitool name xx:xx:xx:xx:xx:xx"; 
char line[256];

if ( !(fpipe = (FILE*)popen(command,"r")) ) { 
perror("Problems with pipe"); 
exit(1); 
} 
while ( fgets( line, sizeof line, fpipe)) { 
if (strlen(line) > 2) rc = PAM_SUCCESS; 
} 
pclose(fpipe); 
return rc;

This bug probably affects all versions to date, but has been confirmed 
in Ubuntu 11.04 and 11.10, and in libpam-blue 0.9.0-3

To manage notifications about this bug go to: 
https://bugs.launchpad.net/ubuntu/+source/libpam-blue/+bug/912695/+subscriptions

Ubuntulibpam-blue package

Comment 8 for bug 912695

Ubuntu
libpam-blue package