Rotary Dial Authenticates Sudo Commands

[W1ndman] won’t win any security awards for this build, but it’s an interesting idea. On Linux and other Unix-like systems a command can be run with root privileges by prefixing it with ‘sudo’. Normally sudo asks for your password, but [W1ndman] used the Pluggable Authentication Modules (PAM) framework, which lets an administrator change how sudo authenticates, to hand that step to his own shell script. The script checks a code dialed on this rotary telephone dial. An Arduino listens for each digit as it is dialed and sends the complete code over USB serial to the script, which compares it with a stored file. We’re not sure if that stored code is in a plain file or is otherwise protected, but at the very least this prevents you from using ‘sudo’ willy-nilly.
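
The mechanism described above, as an added example rather than [W1ndman]’s own script: a pam_exec-style authenticator that reads the dialed code from the Arduino’s serial port and checks it against a salted SHA-256 hash instead of a plaintext file. The PAM wiring (pam_exec in /etc/pam.d/sudo), the device name /dev/ttyACM0, the code-file path and the assumption that the Arduino sends the whole code as one newline-terminated line are all assumptions, not details from the post.

```shell
#!/usr/bin/env bash
# Added example, not [W1ndman]'s code: a pam_exec-style authenticator for sudo.
#
# Assumed PAM wiring (the post does not say which PAM module was used):
#   /etc/pam.d/sudo:   auth required pam_exec.so quiet /usr/local/sbin/dialauth
# pam_exec treats exit status 0 as "authenticated" and anything else as failure.
# Keep a second root shell open while testing so a mistake cannot lock you out.

set -u

DIAL_TTY="${DIAL_TTY:-/dev/ttyACM0}"          # Arduino USB serial port (assumed)
CODE_FILE="${CODE_FILE:-/etc/dialauth/code}"  # root-owned, mode 0600 (assumed)
DIAL_TIMEOUT="${DIAL_TIMEOUT:-15}"            # seconds to wait for a full code

# Hex SHA-256 of salt||code. sha256sum is coreutils; shasum is the macOS fallback.
hash_code() {
    # $1 = salt (hex), $2 = code
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
    else
        printf '%s%s' "$1" "$2" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Enrol a code: write "salt:hash" to the code file. Run once, as root.
# The code itself is never written to disk, so reading the file does not leak it.
store_code() {
    # $1 = code file, $2 = code
    local salt
    salt=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')
    ( umask 077; printf '%s:%s\n' "$salt" "$(hash_code "$salt" "$2")" > "$1" )
}

# Read one line (the dialed code) from the serial device. The timeout keeps a
# sudo prompt from hanging forever when nothing is dialed.
read_dial_code() {
    # $1 = device (or, for offline testing, a regular file)
    if command -v timeout >/dev/null 2>&1; then
        timeout "$DIAL_TIMEOUT" head -n 1 "$1"
    else
        head -n 1 "$1"
    fi
}

# Compare a candidate against the stored salt:hash. Returns 0 only on a match.
check_code() {
    # $1 = code file, $2 = candidate code
    local salt stored_hash candidate_hash
    IFS=: read -r salt stored_hash < "$1" || return 1
    # A pulse dial only ever produces digits; reject anything else before hashing.
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    candidate_hash=$(hash_code "$salt" "$2")
    [ "$candidate_hash" = "$stored_hash" ]
}

# Full authenticator: exit 0 only when the dialed code matches the stored hash.
verify_dial_code() {
    # $1 = code file, $2 = device (defaults to DIAL_TTY)
    local code
    code=$(read_dial_code "${2:-$DIAL_TTY}" | tr -d '\r')
    check_code "$1" "$code"
}

# When invoked by pam_exec during the auth phase, the exit status is the verdict.
if [ "${PAM_TYPE:-}" = "auth" ]; then
    verify_dial_code "$CODE_FILE" "$DIAL_TTY"
    exit $?
fi
```

Two design points. Adding the line as `required` alongside the existing pam_unix entry makes the dial a second factor on top of the password; replacing pam_unix with it makes a four-digit code the only thing standing between a shell and root, which is the weakness the comments below pick at. The salted hash protects the stored code if the file is read, but the shell string comparison is not constant-time and the serial link is unauthenticated, so anything that can write to the tty can still replay a captured code.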

27 thoughts on “Rotary Dial Authenticates Sudo Commands”

  1. Here’s one to go with it…. Change all caps to your information…

    # the variables must be exported so expect can read them via $env(...)
    export Address=MYADDRESS Password=MYPASS User=USERNAME Command='MYCOMMANDS;MORECOMMANDS'
    expect -c 'spawn ssh $env(User)@$env(Address); expect "password:"; send "$env(Password)\n"; expect "~#"; send "$env(Command)\n"; expect "~"; send "exit\n"; expect eof'

    This bit of code will allow an Arduino to control a computer that requires a login. It’s all done with shell and the expect command, so no need to preconfigure anything. Just have a script watch the Arduino and if serial says to do something, do it.

  2. Guessing Mike Szczys doesn’t use linux much.
    sudo is a program that lets users run commands as root. It’s got nothing to do with Linux. And sudo could be installed on any GNU operating system.

    1. @Andrew,
      I think you’re just being pedantic here. Realistically, most people’s exposure to “sudo” is from linux/unix. While it might technically be available to all GNU derivatives, Linux is the one that jumps to mind.

      Also, Mike uses linux exclusively on his home computers. I had to ask him to set up a virtual windows machine to do something for me once.

  3. @Andrew would it make you happier if we replaced Linux with *nix?

    But if I understand this whole thing correctly, doesn’t the rotary dial just pulse the contact pairs closed/open a number of times based on the number you ‘dial’?

    Couldn’t you do the same thing with a momentary pushbutton and just tap it the correct number of times? Isn’t that pretty much all ‘Pulse Dial’ was?

    I used to dial phones without (accessible) keypads by connecting and disconnecting their leads this way.

  4. Isn’t this considered security through obscurity?

    Those rotary pads just generate a series of pulses (# pulses for # dialed), so if you know this, it should be relatively easy to spoof.

    Just curious..

  5. @ Andrew Parting

    Did you know that Mike Szczys is a contributor to mythicalLibrarian? mythicalLibrarian is a likely competitor for the largest bash script in the world. http://code.google.com/p/mythicallibrarian/source/browse/trunk/mythicalLibrarian

    Also, Mike Szczys wrote the MythDataGrabber script which interfaces a Linux database. His Linux experience is very broad and robust.

    Btw… sudo is exclusive to POSIX operating systems, meaning you won’t find it on Windows. Linux is the “Q-tips” of POSIX. I think he is right in his wording and I wouldn’t question it.

  6. “I don’t run Linux, but if I did, I’d definitely have to go for dual-key-switches-and-a-big-red-covered-button authentication for Sudo.”

    ^^ THIS!

    Once I’m no longer exclusively on a laptop, I may have to build this into my PC case…

  7. Looking at the source code provided on the Instructables site, I would say the security of this hack is rather non-existent.

    The password is saved as plain text and compared to the output of the serial tty coming from the Arduino.

    It would be much more efficient if part of the password was related to the switch timing of the rotary dial.
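
Comments 3, 4 and 7 above make the same point from different angles: a pulse dial is nothing more than a switch opened once per digit pulse, so a pushbutton tapped the right number of times spoofs it, unless the receiver also checks timing. The following is an added example, not code from the post or from any commenter: it decodes contact edges into digits and rejects pulse trains a mechanical dial could not have produced. The timing window (about 10 pulses per second, inter-digit gap over 300 ms, ten pulses for 0) is the usual rotary-dial convention and is an assumption here, as is the edge format and the assumption that the Arduino has already debounced the switch.

```shell
#!/usr/bin/env bash
# Added example (not from the post or the comments): decode pulse-dial contact
# edges into digits and reject pulse trains with implausible timing.

PULSE_MIN_MS=80    # shortest plausible pulse-to-pulse spacing (assumed)
PULSE_MAX_MS=120   # longest plausible spacing inside one digit (assumed)
DIGIT_GAP_MS=300   # anything longer separates two digits (assumed)

# stdin: one "ms level" line per contact edge; level 0 = loop opened (a pulse),
# level 1 = loop closed again. Prints the decoded digit string and exits 1 when
# any pulse spacing falls outside the mechanical window or a digit has more
# than ten pulses. Hand-tapped buttons almost never keep a 100 ms cadence.
decode_pulses() {
    awk -v min="$PULSE_MIN_MS" -v max="$PULSE_MAX_MS" -v gap="$DIGIT_GAP_MS" '
    function flush() {
        if (pulses > 10) bad = 1
        if (pulses > 0) digits = digits (pulses == 10 ? 0 : pulses)
        pulses = 0
    }
    $2 == 0 {
        if (seen) {
            d = $1 - last
            if (d > gap) flush()                    # new digit starts
            else if (d < min || d > max) bad = 1    # not a dial cadence
        }
        pulses++
        last = $1
        seen = 1
    }
    END {
        flush()
        print digits
        exit (bad ? 1 : 0)
    }'
}

# Constructed trace: the digits 2 and 7 dialed at 10 pulses per second.
sample_dial_trace() {
    printf '%s\n' '0 0' '40 1' '100 0' '140 1' \
        '600 0' '640 1' '700 0' '740 1' '800 0' '840 1' '900 0' '940 1' \
        '1000 0' '1040 1' '1100 0' '1140 1' '1200 0' '1240 1'
}

# Constructed trace: three pushbutton taps with irregular spacing.
sample_tap_trace() {
    printf '%s\n' '0 0' '50 1' '250 0' '290 1' '330 0' '370 1'
}
```

Feeding the output of decode_pulses into the PAM-side check makes the dial marginally harder to fake with a bare pushbutton, but it does nothing against a microcontroller that reproduces the cadence; timing is a plausibility filter, not a secret.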

  8. “with great power comes great responsibility.”

    In short, if there’s a chance you’re going to ‘\rm -rf /’, don’t be on the sudo’er list, or limit the commands you can run through sudo. Whilst I admire the originality, if you need this to prevent you using sudo ‘willy-nilly’ then maybe a reconsideration of your role is required.

  9. How about using the rest of the phone as an IP handset. Would also make a nice enclosure for the dial.

    BTW for other brits here, 700 series dials are pretty heavily sprung. I replaced the one in my 746 with one from a Trimphone slightly modded to fit the hole so it doesn’t slide about when you’re dialling one-handed.

  10. This would be interesting for remote users. Have a red light start flashing to indicate a user has requested sudo access (with an LCD showing the user name, of course). Only an admin with the “code” and physical access can allow the request. Of course this assumes good security practices in the implementation...

  11. Anyway, my problem was with “prefix with the keyword sudo”.

    It implies that either he doesn’t understand what’s going on when you use sudo or he is dumbing down a SERIOUSLY simple concept.

    Obviously he thinks we’re idiots; I simply insulted him back.
    (As an aside, the things you posted trying to make him seem like a Linux genius weren’t especially amazing.)
