Linux port? #1
Comments
Unless you have Linux running on a new MacBook, it would be useless.

There are other devices with a thumb sensor...

Yeah, but there are existing solutions for sudo with fingerprint readers. This is specifically for TouchID.

Oh, didn't know of them, thanks :-)
I did a bunch of research about fingerprint readers recently, so I'll just leave this here as this project looks (understandably) popular right now. For anyone who likes security, I made you a wall of text!

TL;DR: just use your fingerprint to unlock your computer; it's basically just a button at the end of the day because of how fingerprint readers are implemented. Great for making it utterly impractical for someone to keylog your laptop while your back is turned for 5 minutes, but woefully insufficient security for e.g. unlocking an encrypted disk. PS. Some fingerprint readers are capable of imaging, which (perhaps obviously) gives you a copy of the fingerprint image/scan (incidentally, the old fingerprint reader I played with only has imaging support via the Windows driver, and the data stream to the Windows driver is horribly obfuscated, sadly), but that would then need to be normalized via some recognition algorithm. Basically, fingerprint readers as implemented on PCs are, like TPM enclaves, paper tigers.
@i336 A few notes:
- Touch ID stores a one-way hash of your fingerprint, not your fingerprint itself
Oh, interesting!
A hash makes perfect sense: the raw fingerprint data is going to be different (angle, pressure, ambient light, ...) every time, so it needs to be normalized and sanitized somewhat. My fingerprint reader handles this in the most dismal way possible: successful enrollment (swiping 3-4 times) causes the controller to emit a 200 byte binary blob that you're supposed to receive then save to disk, then feed back to the controller at verification time. After thinking about it for a bit I haven't been able to come up with an interesting sounding attack for this mechanism, but I far prefer the fact that Touch ID (presumably?) stores the hash in secure memory. (It does, right?)
Oh, that's nice. How does that work? Streaming the data through the secure processor, which encrypts/decrypts it without revealing the key?

That's what I would assume the request is for. So is there any interest in this, or is it too out-of-scope?

I'd say this is out of scope.
Yeah, I did some research since my last comment here, and the hardware for the TouchBar/TouchID isn't even supported on linux yet, so there's no chance of this happening for now (I'm keeping an eye for future's sake anyway, I still have a 2015 model). |
Just use PAM. It's already supported and been supported for years. |
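What the "just use PAM" route looks like on Linux, as an added example that is not code from this project or from the commenter. It assumes fprintd and its `pam_fprintd.so` module are installed and a finger has already been enrolled with `fprintd-enroll`; the file path and the `common-*` include targets are distro-specific assumptions (Debian/Ubuntu naming; Fedora/RHEL use `system-auth`).

```conf
# /etc/pam.d/sudo on a Linux machine with fprintd (added example, not part of
# this project; assumes pam_fprintd.so is installed and a finger was enrolled
# with fprintd-enroll).
#
# Order matters. "sufficient" means a matched fingerprint satisfies the auth
# stack on its own and sudo never prompts for a password. If the reader times
# out or the finger is rejected, PAM falls through to the next line and sudo
# asks for the password as usual, so a broken or absent reader does not lock
# you out.
auth       sufficient   pam_fprintd.so max-tries=3 timeout=10

# Distro-specific fallback to the normal password stack (assumed Debian/Ubuntu
# naming). Keep it below the fprintd line, otherwise the password prompt wins.
auth       include      common-auth
account    include      common-account
session    include      common-session
```

Keep a root shell open while testing: a malformed line in a PAM stack fails closed and sudo stops working for everyone. Note that this only gates sudo, which is the same trade-off discussed above: a fingerprint is a convenient "button" for an unlocked, already-running session, and the example deliberately does not touch the login or disk-unlock stacks.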
I'm actually confused a little that the osx version of sudo doesn't use pam anymore? They may have continued moving away from it for all auth purposes for all I know at this point (been a few years since I've used it heavily). |
what about this,
Neat hack! :-D I know this project is focused on OSX, but would it be possible to port the same idea to the Linux `sudo` command? :-) I don't have a TouchID enabled machine, but I think it's something that could be REALLY useful... :-D