SiRFIDaL - Simple RFID authentication for Linux

Before I do anything, can you check if you can install pam_python? I have absolutely no idea how one goes about installing stuff on OSX. I’m assuming there’s a repository of some kind somewhere, but surely you know better than I do. I know pam_python was ported to OSX because there’s a fork of it here that specifically mentions it.

Be careful that there are a million PAM-related Python modules out there. The one I need to know can be installed on your machine is pam_python - with “pam” before “python”, not pampy or pypam or python_pam - written by Stuart Russel, version 1.0.4, 1.0.5, 1.0.6 or 1.0.7.

If you can find a pre-built version, it’ll all work out smoothly. If you can’t, then you’ll have to compile it yourself - or I’d have to make a PAM module in C “blind”, because I have no way to test it under OSX, and that sounds like a recipe for headaches…

1 Like

Looks like I should be able to install if I can source a compiled .so file, but I get errors whenever I try to compile either the original pam_python or the MacOS fork you linked using make

make[1]: sphinx-build: No such file or directory
make[1]: *** [build] Error 1
make: *** [doc] Error 2

1 Like

Hmm bummer. That OSX thing is a lot harder than it needs to be. Seriously, PAM auth is trivial…

Let me think of the best way to do things here. I suppose it should be done in C, but since I don’t have a Mac to test it with, I guess it would involve setting up OSX in a virtual machine - which I don’t even know is possible. All that is starting to sound a lot like work :slight_smile:

2 Likes

It is. I had to do it a couple of years ago. It’s annoyingly fiddly and once you have it working it’s painfully slow… It may have gotten better since but I doubt it.

2 Likes

I think I may just circle back to my other plan, an Arduino password typer that verifies UID before typing. It’s not as clean as having the work to authenticate in the computer, but it’ll do the job for me.

Thanks for looking into this though, sorry to derail your thread so much!

2 Likes

Yeah but then you have this thing dangling between your computer and the reader. Not clean.

You could also learn to code in C, if you like a challenge :slight_smile: For this particular project, the program wouldn’t be very long or difficult: it would essentially be a variant of pam_unix.c: you’d just have to change the pam_sm_authenticate function a bit to do what you want.

If I were you, I’d grab OpenPAM and get it to compile cleanly (which I suspect is going to be the only real hard part) but not install it. Once it builds, modify pam_unix.c until it rebuilds cleanly with your code. Then copy the new pam_unix.so file as pam_mycustomprogram.so or something in the live directory - wherever it is in OSX, add it in the PAM config as second auth, and try to log in, see if it works. Rinse, repeat until it does.

Threads are there to be derailed :slight_smile:

1 Like

Guys,

I added support for the Proxmark3 reader in SiRFIDaL. At the moment it only handles ISO14443a transponders, but I’ll add support for other types of HF and LF transponders later.

I figured when I don’t use my Proxmark3 to hack around, it’s gathering dust in a drawer. So I might as well use it as yet another reader I can use to log into my Linux boxes the rest of the time.

Also, it’s the only reader I have that can read FDX-B chips, so I plan on adding support for that next, so I can authenticate with my xBT implant also. And well, my cat could log in too I guess, but he’s strictly a Windows guy :slight_smile:

3 Likes

This is awesome, great addition!

Didn’t you get a SureSense working as a reader? I know it was a bit clunky, but you seemed to have victory in the end with it

1 Like

Well it’s a half-working hack really, especially because you have to remove and reinstall the batteries, then connect it at the right time to abuse the firmware. And then if you disconnect it, half of the time it crashes, then you have to do the battery disconnect/reconnect rigmarole all over again.

So, a fun hack, but not really practical.

Okay, I’ve added support for the following transponders:

  • ISO15963 [Dangerous Things xSLX]
  • EM410x [Dangerous Things xEM when stock]
  • FDX [Dangerous Things xBT]
  • Indala [that’s just for me, because I have an xEM implant programmed as a 224-bit Indala]

More can be added easily, but I just wanted to support my own implants. So that’s good enough for me. But if you feel like adding support for other transponders, feel free to contribute the relevant PM3 sequences and regexes.

3 Likes

FYI for your notes, ISO15963 covers Spark original also :+1:

Right. I wasn’t trying to be exhaustive, just to give examples of DT products that correspond to the listed standards, for casual visitors reading this thread who might wonder what any of this has to do with DT’s offerings. Because this is DT’s forum after all :slight_smile:

Hi @anon3825968 and thank you for this project!
I aim to use it for a professional project and I need to have card UIDs server-side in an LDAP server. Do you think it is doable without hacking your server to check the UID over LDAP, i.e. by using the LDAP PAM module?
Thank you,
Mat.

Not currently. It saves the file in a proprietary format in /etc with the UIDs encrypted, for obvious reasons. If you just want it on a server, the easiest is to stick it on a network drive mounted somewhere in the filesystem and symlink to it (or point it somewhere else in the script), or rsync it. If you really want to use LDAP, then I guess you’ll have to implement that bit :slight_smile:

Guys,

I added support for the ChameleonMini, ChameleonTiny and ChameleonTiny Pro Bluetooth in SiRFIDaL.

You can connect your Chameleon device with a USB-C cable, SiRFIDaL will automatically see it (if you configured it properly), set the slot you chose in reader mode and transparently poll the Chameleon continuously for ISO14443A transponders in the field.

In other words, you can use your Chameleon as a regular NFC reader to log in and out, unlock your screensaver, send automated commands or passwords, emulate a keyboard wedge, and all the other fabulous things you can do with SiRFIDaL. Yeees, you know you want it :slight_smile:

This is pretty useful if you travel a lot with a laptop and you want to authenticate with your implant, but you don’t want to clutter up your laptop bag with a full-size desktop reader. Particularly if you own a ChameleonTiny, because it truly is tiny. Personally, I always carry mine in my pocket. Now it doubles as a reader I can use with my PC also:

I’ll add support for the ChameleonMini / Tiny over BLE when I finally find time to figure out the exact protocol. For now it only works with a USB connection. But at least there’s a rationale for it: you can charge the Chameleon while it serves as a reader at the same time, so it’s not just sitting there doing nothing useful.

5 Likes

That is an awesome addition, thanks for sharing. I have a Linux laptop and a Chameleon; I am whatever is less than a noob with Linux, but I will put this on my list of things to do / learn.

Is it simply reading the NUID?
(Then I will only have to memorise 4 bytes as a backup…and not change it)

It is UID-based, but it’s not like a keyboard wedge. It doesn’t “type” your UID. This is a proper PAM module. You can keep your normal password and either combine it with one or more RFID/NFC UIDs to do 2FA, or log in with either for ultimate laziness like I do.

1 Like
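The two modes described in the reply above (UID or password, versus UID and password) come down to the PAM control flag on the module line. The fragment below is an added illustration, not part of the thread and not SiRFIDaL's shipped configuration: the script path is a placeholder, and it assumes the module is loaded through pam_python.so next to the stock pam_unix.so.

```conf
# Constructed example for a service file under /etc/pam.d/ (which file applies
# depends on the distribution and the login service).
# /path/to/sirfidal_pam_script.py is a placeholder, not a path from the thread;
# pam_python.so takes the Python script to run as its first argument.
# Use ONE of the two variants below, never both in the same file.

# Variant A: either factor logs in (UID OR password).
# "sufficient": a successful UID match ends the auth stack with success right
# away; a failed or absent match is ignored and pam_unix prompts for the
# password as usual. The UID alone is then a complete credential.
auth  sufficient  pam_python.so  /path/to/sirfidal_pam_script.py
auth  required    pam_unix.so

# Variant B: two factors (UID AND password).
# "required": every required module must succeed. A failure in one still lets
# the rest of the stack run, so the user is not told which factor failed.
auth  required    pam_python.so  /path/to/sirfidal_pam_script.py
auth  required    pam_unix.so
```

Keep a root shell open in another terminal while editing PAM files, so a mistake in the stack cannot lock you out.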

I added support for the uFR Nano Online NFC reader over Wifi in SiRFIDaL.

The way it works is, you configure the reader to connect to your Wifi router, then you configure it in master mode, enable HTTP POST and point it to the computer address / port the SiRFIDaL server is running on - meaning it should have a fixed IP or a resolvable address on your LAN of course.

You can leave this little reader quite far from your computer, and it doesn’t need to be tethered to it by yet another cable. Nice.

As for the reader’s performance, it’s on par with the good ole ACR122U, despite being half the size. Digital Logic readers usually aren’t short of power. This one reads my IAR glass M1k without any problem:

And of course, like all Digital Logic readers, it has more lights than a Christmas tree, so it’s perfect for the season :slight_smile:

Seriously though, I don’t know why that company has such an obsession with ultra-powerful status LEDs: they’re so bright they’re almost painful to look at. This is my third Digital Logic reader, and each time I’m astonished by how bright the LEDs are.

1 Like

I feel this one, bit of a derail but I have a TCL TV in my bedroom. In their infinite wisdom they decided it should have a white standby LED that burns with the intensity of 1000 suns, and no option to turn it off.

To make it worse, it’s also where the IR receiver is, so can’t just put black gaff over it. Best solution to date has been multiple layers of red electrical tape…

I appreciate status lights, but come on guys, read the room!