Libpam on hikey960

mezzanine
custom_board
96boards

#1

Hey everyone,

I tried to use cross compilation to compile this library

https://github.com/google/google-authenticator-libpam

on my hikey960 (based on Android P), but it didn’t work, so I am thinking about building system.img with this library added.
Does someone have an idea how to do it? Or if there is a link that can help me, it will really resolve my problem.

Thanks.


#2

Forgive my asking but why are you trying to cross compile this for Android? The library is not designed to run on Android.


#3

Hey danielt,
My project is to secure a system environment by using hikey960 (Android P), so I need to:

  1. Use the application Google Authenticator to secure access to the hikey960.

The principle of 2 factor authentication (something I know (password) + something I have (my phone)). So I need to find a way to install the library libpam on Android, and then I can use the application Google Authenticator on my phone, which provides a new key every time I want to access the hikey960.
I know that this library is not designed to run on Android. It’s designed to work on Linux, but Android is based on Linux, so I am trying to find a way to build system.img with this library added.

  2. Find a way to install SNORT (Intrusion Detection and Prevention System) on hikey960.

Thank you.


#4

Thanks for the info.

I’m afraid I’d still take the view that cross compiling the whole library isn’t the right thing to do.

The code you are pointing at is a module and cannot function without the rest of PAM (in fact, as you may have discovered, cannot even compile without some of the PAM headers). Whilst the repo might be a good place to copy the crypto code from I suggest you think very hard about whether or not you want PAM itself to be in scope: Android already has a framework to switch between different unlock methods and you might be better off extending that instead of adding the additional complexity of PAM.

Either way, however, I’m afraid the challenge with research is that no one knows how to do it (yet) :wink:


#5

Thank you danielt for your reply.
I already accept this challenge :smile: I will try to play with /aosp/master/frameworks/ and hope that I find something. By the way, if you have any ideas or links that can help me use hikey960 based on Android to secure a system's information (I already configured FIREWALL and WHITE LIST), it will be very helpful.

Thank you for your help.


#6

So if I understand this correctly, your objective here is to add a second factor to the android unlock verification.

Now Android already has a pretty decent authentication system in place, so as @danielt suggested, it may be a better idea to extend that than to try to bring in PAM. For one, you will end up having to use the Android mechanism anyway, to bind to the PAM module.

In addition, I’d be quite hesitant to use any proprietary (closed source) application or 3rd party account integrations to manage secure systems. Closed source is the opposite of secure since by definition, you forfeit control of it. You would be better off trying to find something open source without the dependency on google services, and if there isn’t something like that, write it.

If it were me, I’d aim for the NFC route; https://www.seeedstudio.com/Grove-NFC-p-1804.html
Just modify the keyguard code to add a stage to the password authentication type to get a code via NFC and send it to a server to ask if it's good or not.

Now keep in mind the following;

  1. The phone needs to communicate with the server to GENERATE the code. So the server needs to authenticate the phone, then the server can send the phone an access token that is valid for a short time limit, say 5 seconds. You can make the token something simple to generate, like “sha2(salt+user+time)”.
  2. The hikey960 needs to authenticate the SERVER as well as ask it if the code is secure. Pre-shared key authentication is probably a good way to go on this.

Honestly, I think that building the 2nd factor authentication mechanism would be a heck of a lot easier than trying to integrate PAM into Android.

For the rest of your questions, look into this;
https://developer.android.com/guide/topics/admin/device-admin
This allows you to do things like force password authentication, force password complexity, and force storage encryption.

Now you have a choice regarding storage encryption… you can maintain single-factor storage decryption, or make this into a really big job by tying the second factor into storage decryption. Nice thing about newer versions of Android is that the device boots up into a mostly functional state before asking for the key. Older versions paused the boot early on to prompt for the key, which really limited what you could do.

Snort shouldn’t be too big of a deal. The hard part there will be just getting it to cross compile. It's a daemon, so you just start it from an init script.


#7

Hey doitright,

Thank you very much for your reply. It’s a great idea to get the code via NFC. It will really be fun to do this :smile:.
And just one more thing: I tried many methods to cross compile source code for hikey960. It works very well for small projects, but for a big project (with many lines) it’s very difficult, so if you have a link that can help me to CROSS COMPILE SNORT for hikey960, it will really help me.

And thank you again.


#8

I don’t have any resources for compiling snort for Android, but I can tell you that the biggest issue you will face for complex libraries and programs will be the fact that Android uses BIONIC C library instead of the much more common GNU libc. Then the fact that you have to not only compile that project, but all the additional parts that they depend on. It can be a big and ugly job.

There may be a simple option for you, however, which is to link snort STATICALLY, which of course would mean that it doesn’t depend on a platform provided GNU libc. It still has to be compiled for ARM, but this is pretty easy and worst case can just be done on ARM hardware, which means no cross compile at all.

http://seclists.org/snort/2005/q1/742


#9

Hey doitright,

Thank you for the reply and thank you for your help :smile:


#10

Hey everyone,
First of all, thank you doitright for your help, you really have great ideas :slight_smile:
But I have some questions:

1. To get the code via NFC:

I developed two applications in Android Studio (Java). The first one generates a new code every 30 seconds and sends it via NFC, and the other application receives the code and verifies whether it is the same code as the one it generated itself (those 2 applications have the same algorithm to generate the same code). It works between 2 phones. And I’m waiting for the NFC reader (NFC-READER).

And this is a part of my code to get the NFC code:

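    // Runs when the activity was started by an NDEF tag/peer discovery intent.
    if (NfcAdapter.ACTION_NDEF_DISCOVERED.equals(getIntent().getAction())) {
        // Extracts the received NDEF message into `payload`.
        processIntent(getIntent());
        // Debug output: received payload next to the locally generated 8-digit TOTP.
        Toast.makeText(auth.this, "text received" + "|" + payload + "|" + generateTOTP(seed, steps, "8", "HmacSHA1"), Toast.LENGTH_SHORT).show();

        Toast.makeText(auth.this, "welcome ", Toast.LENGTH_SHORT).show();
    }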

So my idea is: after Android boots and after I type my password, my system will also require my code. So I need to implement this code with the KEYGUARD.
So my questions are:

----1----- Which file of keyguard can I modify to add my code? I couldn’t understand how the keyguard works. And how can I add another condition so that I can’t access the system after the boot until I verify the code?

----2---- Will hikey960 be able to detect this NFC reader automatically, or do I need to configure some package or driver for this?

Thank you and sorry to take your time :slight_smile:
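
The check that post #10 describes (compare the code received over NFC with a locally generated 30-second, 8-digit HmacSHA1 code), which is also a device-only form of the short-lived code idea in post #6, written out as an added example that is not the poster's code. The class name `TotpVerifier`, the one-step drift window and the replay guard are assumptions of this example; the algorithm is RFC 6238 and the key in `main` is the RFC's published test secret.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Locale;

public class TotpVerifier { // hypothetical name, not from the thread
    private static final long STEP_SECONDS = 30; // code lifetime given in the post
    private static final int DIGITS = 8;         // as in generateTOTP(..., "8", "HmacSHA1")
    private long lastAcceptedStep = -1;          // replay guard: highest step already used

    // RFC 6238 / RFC 4226: HMAC the 8-byte big-endian step counter, then dynamic truncation.
    static String totp(byte[] key, long step) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(step).array());
        int off = h[h.length - 1] & 0x0f;
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        return String.format(Locale.ROOT, "%0" + DIGITS + "d", bin % 100_000_000); // 10^DIGITS
    }

    // Accept the current step or one step either side (clock drift), compare in
    // constant time, and refuse any step that was already accepted once.
    synchronized boolean verify(byte[] key, String received, long unixSeconds)
            throws GeneralSecurityException {
        long now = unixSeconds / STEP_SECONDS;
        byte[] got = received.getBytes(StandardCharsets.US_ASCII);
        boolean ok = false;
        for (long step = now - 1; step <= now + 1; step++) {
            byte[] want = totp(key, step).getBytes(StandardCharsets.US_ASCII);
            if (step > lastAcceptedStep && MessageDigest.isEqual(want, got)) {
                lastAcceptedStep = step;
                ok = true;
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // RFC 6238 Appendix B test secret and its SHA-1 code for T = 59 s; not a real key.
        byte[] key = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        TotpVerifier v = new TotpVerifier();
        System.out.println(v.verify(key, "94287082", 59));  // fresh code inside its window
        System.out.println(v.verify(key, "94287082", 59));  // same code presented again
        System.out.println(v.verify(key, "94287082", 200)); // same code after its window
    }
}
```

In the flow from the post, `received` would be the NDEF payload, and only the boolean result would be surfaced rather than the expected code.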


#11
  1. I can’t suggest where to edit keyguard, I don’t know it well enough.

  2. If you want to use the NFC through Android, you will need a HAL for it;
    https://android.googlesource.com/platform/hardware/interfaces/+/master/nfc/1.0/default/
    https://android.googlesource.com/platform/hardware/libhardware/+/master/modules/nfc/


#12

thank you for your help :slight_smile:


#13

Hey @doitright,
It’s me again :slight_smile:
I received my NFC reader today, and I checked that I have the HAL for it, which was built with my Android version:
/AOSPUdex/hardware/interfaces/nfc/1.0/$ exist

/AOSPUdex/hardware/interfaces/nfc/1.1$ exist

But my NFC reader doesn't work. I only have this information:

[ 1965.430095] usb 1-1.1: new full-speed USB device number 12 using xhci-hcd
[ 1965.541773] usb 1-1.1: New USB device found, idVendor=072f, idProduct=2200
[ 1965.550062] usb 1-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1965.558878] usb 1-1.1: Product: ACR122U PICC Interface
[ 1965.565538] usb 1-1.1: Manufacturer: ACS

Any idea why it doesn't work?

Thank you for your help.


#14

It takes more than just for the HAL to exist.
That particular HAL in that location is a PASSTHROUGH HAL. What that means is that it's there to load a “legacy” HAL (i.e., nfc.default.so or nfc.hikey960.so) and translate the old ABI into the new HAL service.

Which means that you will need to take a look in hardware/libhardware/modules/nfc/ and /nfc-nci/

In there, you will find an EXAMPLE legacy hal for a PN544. Now what does it mean by example? I don’t know. They only seem to implement the OPEN method, does it need more than that?

I can’t really follow your amazon link too well, because I can’t read French, but I gather that they are claiming support for LINUX and ANDROID 3.1+, so I would suggest that you query the vendor and ask them HOW Linux and Android support it. With any luck, they may be able to explain what that support actually means.


#15

Hey @doitright,
Thank you for your response.
Great, I have a new challenge. I think it will be fun to make it work.
Thank you again for your help.