Rotary dial authenticates sudo commands

[W1ndman] won’t win any security awards for this build, but it’s an interesting idea. On many Linux-based systems commands can be run with administrator privileges by prefacing them with the keyword ‘sudo’. Normally you’d be asked for a password, but [W1ndman] used the Pluggable Authentication Modules (PAM) framework to hand that authentication step to his own shell script. That script checks a code entered on this rotary dial. An Arduino listens for each digit as it is dialled and sends the completed code to the host over USB serial, where the script compares it against a stored value. We’re not sure if that stored code is in a plain file or is otherwise protected, but at the very least this prevents you from using ‘sudo’ willy-nilly.
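The page does not show [W1ndman]’s PAM configuration or his script, so here is an added example of how such a hook is typically wired up, written for this article and not taken from the original build. It assumes the script is run from the sudo PAM stack via pam_exec, that the Arduino presents itself as a USB serial port (assumed /dev/ttyACM0) and sends the dialled digits followed by a newline, and that the enrolled code lives in an assumed root-only file /etc/dial-code as a salted SHA-256 hash rather than as plain text. All of those paths and names are assumptions for the example.

```shell
#!/bin/sh
# Added example: a pam_exec-style authentication hook for sudo.
# Assumed wiring (none of this is from the original build):
#   /etc/pam.d/sudo:  auth required pam_exec.so quiet /usr/local/sbin/dial-auth
#   /etc/dial-code:   one line "<salt>:<sha256(salt||code)>", root-owned, mode 0600
#   DIAL_DEVICE:      the Arduino's serial port, assumed /dev/ttyACM0
# The Arduino is assumed to emit the dialled digits and then a newline.
set -eu

# Hash salt||code so the stored record never contains the dialled code itself.
hash_code() {
    # $1 = salt, $2 = code
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Enrolment: produce the "salt:hash" record to store in the code file.
enroll_code() {
    # $1 = code
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s:%s\n' "$salt" "$(hash_code "$salt" "$1")"
}

# Verify a dialled code against a stored record. Exit status 0 means accepted.
verify_code() {
    # $1 = stored record "salt:hash", $2 = dialled code
    salt=${1%%:*}
    stored=${1#*:}
    case "$2" in
        ''|*[!0-9]*) return 1 ;;   # a rotary dial can only produce digits
    esac
    [ "$(hash_code "$salt" "$2")" = "$stored" ]
}

# Read one line (the dialled code) from the serial device, with a timeout so a
# dial that is never touched cannot hang the sudo prompt forever.
read_dialled_code() {
    # $1 = device path
    stty -F "$1" 9600 raw -echo 2>/dev/null || return 1
    timeout 30 head -n1 "$1" | tr -d '\r\n'
}

# Entry point used by pam_exec: refuse to run at all if the code file is not
# root-only, then read the dial and compare.
pam_auth() {
    record_file=${DIAL_CODE_FILE:-/etc/dial-code}
    device=${DIAL_DEVICE:-/dev/ttyACM0}
    [ "$(stat -c %U:%a "$record_file")" = "root:600" ] || return 1
    code=$(read_dialled_code "$device") || return 1
    verify_code "$(cat "$record_file")" "$code"
}

# pam_exec sets PAM_TYPE; only authenticate in that context so the file can be
# sourced for its functions without touching the serial port.
if [ "${PAM_TYPE:-}" = "auth" ]; then
    pam_auth || exit 1
fi
```

Two caveats a practitioner would want alongside this. First, hashing the stored code answers the plain-text concern but not the spoofing one raised in the comments: whoever can dial the phone, present a USB device that enumerates as the same port, or read the tty while the code is going past gets the same result. Second, as written the pam_exec line replaces the password check rather than adding to it; stacking it as an additional required module after the normal password check keeps two factors instead of trading one for the other.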

Comments

  1. bty says:
  2. MS3FGX says:

    Very light on the details, but a clever (if not terribly secure) idea.

    Also a nice proof-of-concept for more mature ideas. Like PAM-sudo authentication with an RFID reader or something along those lines.

  3. YaBa says:

    Dial 911 to reboot system :D

  4. matt says:

    exactly what i needed to launch my own minuteman brb

  5. nah! says:

    reminds me of sudo su

  6. zool says:

    heh nice

  7. psuedonymous says:

    I don’t run Linux, but if I did, I’d definitely have to go for dual-key-switches-and-a-big-red-covered-button authentication for Sudo.

  8. Midge says:

    I dabbled with a method of reading a 700 series rotary phone dialler with an Arduino a couple of years back, if anyone needs the finer details… http://www.fizzpop.org.uk/?s=rotary+dialler
    Midge

  9. rofl mcwaffle says:

    Sounds like UAC from hell…

    Still awesome.

  10. Adam Outler says:

    Here’s one to go with it. Change all caps to your information:

    Address=MYADDRESS; Password=MYPASS; User=USERNAME
    Command='MYCOMMANDS; MORECOMMANDS'
    # The expect script must be in double quotes so the shell expands
    # $User, $Address, $Password and $Command before expect sees them.
    expect -c "spawn ssh $User@$Address; expect \"password:\"; send \"$Password\r\"; expect \"~#\"; send \"$Command\r\"; expect \"~\"; send \"exit\r\""

    This bit of code will allow an Arduino to control a computer with a login. It’s all done with shell and the expect command, so no need to preconfigure anything. Just have a script watch the Arduino and if serial says to do something, do it.

  11. Andrew Parting says:

    Guessing Mike Szczys doesn’t use linux much.
    sudo is a program that lets users run commands as root. It’s got nothing to do with linux. And sudo could be installed on any GNU operating system.

    • Caleb Kraft says:

      @Andrew,
      I think you’re just being pedantic here. Realistically, most people’s exposure to “sudo” is from linux/unix. While it might technically be available to all GNU derivatives, Linux is the one that jumps to mind.

      Also, Mike uses linux exclusively on his home computers. I had to ask him to set up a virtual windows machine to do something for me once.

  12. M4CGYV3R says:

    @Andrew would it make you happier if we replaced Linux with *nix?

    But if I understand this whole thing correctly, doesn’t the rotary dial just pulse the contact pairs closed/open a number of times based on the number you ‘dial’?

    Couldn’t you do the same thing with a momentary pushbutton and just tap it the correct number of times? Isn’t that pretty much all ‘Pulse Dial’ was?

    I used to dial phones without (accessible)keypads by connecting and disconnecting their leads this way.

  13. medix says:

    Isn’t this considered security through obscurity?

    Those rotary pads just generate a series of pulses (# pulses for # dialed), so if you know this, it should be relatively easy to spoof.

    Just curious..

  14. Adam Outler says:

    @ Andrew Parting

    Did you know that Mike Szczys is a contributor to mythicalLibrarian? mythicalLibrarian is a likely competitor for the largest bash script in the world. http://code.google.com/p/mythicallibrarian/source/browse/trunk/mythicalLibrarian

    Also, Mike Szczys wrote the MythDataGrabber script which interfaces a Linux database. His Linux experience is very broad and robust.

    Btw… sudo is exclusive to POSIX operating systems, meaning you won’t find it on Windows. Linux is the “Q-tips” of POSIX. I think he is right in his wording and I wouldn’t question it.

  15. Greenarrow says:

    @medix

    I think we can assume that a particular number is required. A big number is a big number, irrespective of how it is communicated.

  16. Stevie says:

    My computer, my rules. Too many idiots out there worried about nothing. I run sudo -s and stay powered up all day.

  17. BLuRry says:

    Man… it would take WAY too long to dial in “sudo ‘make me a sandwich'” on that phone…

  18. Urza9814 says:

    “I don’t run Linux, but if I did, I’d definitely have to go for dual-key-switches-and-a-big-red-covered-button authentication for Sudo.”

    ^^ THIS!

    Once I’m no longer exclusively on a laptop, I may have to build this into my PC case…

  19. keks says:

    Looking at the source code provided on the Instructables site, I would say the security of this hack is rather non-existent.

    The password is saved as plain text and compared to the output of the serial tty coming from the Arduino.

    It would be much more efficient if part of the password was related to the switch timing of the rotary dial.

  20. Xb0xGuru says:

    “with great power comes great responsibility.”

    In short, if there’s a chance you’re going to ‘\rm -rf /’, don’t be on the sudo’er list, or limit the commands you can run through sudo. Whilst I admire the originality, if you need this to prevent you using sudo ‘willy-nilly’ then maybe a reconsideration of your role is required.

  21. Mike of England says:

    http://hackaday.com/?s=searchlight and a red sudo phone and Battux will come:)

  22. Paul Potter says:

    Very nice. I’d be using the 700 series dial.

  23. nes says:

    How about using the rest of the phone as an IP handset. Would also make a nice enclosure for the dial.

    BTW for other brits here, 700 series dials are pretty heavily sprung. I replaced the one in my 746 with one from a Trimphone slightly modded to fit the hole so it doesn’t slide about when you’re dialling one-handed.

  24. Daniel says:

    This would be interesting for remote users. Have a red light start flashing to indicate a user has requested sudo access (with an LCD showing the user name, of course). Only an admin with the “code” and physical access can allow the request. Of course this assumes good security practices in the implementation……

  25. Andrew Parting says:

    Anyway, my problem was with “prefix with the keyword sudo”.

    It implies that either he doesn’t understand what’s going on when you use sudo or he is dumbing down a SERIOUSLY simple concept.

    Obviously he thinks we’re idiots, so I simply insulted him back.
    (As an aside, the things you posted trying to make him seem like a Linux genius weren’t especially amazing.)

  26. Me says:

    You could just have a big red button that the script causes to blink. If the button isn’t pressed then the system doesn’t sudo.
