libpam-captcha is a visual text-based CAPTCHA challenge module for PAM. This is a custom version, refear to semicomplete for the original one.
-
Set up the minos archive:
$ sudo add-apt-repository ppa:minos-archive/main -
Install:
$ sudo apt-get update && sudo apt-get install libpam-captcha -
Enjoy ☺!
Red Hat Linux and its derivatives require pam-devel RPM package before compiling libpam-captcha.
-
Type
make -
Copy pam_captcha.so to your pam module dir.
- FreeBSD: /usr/lib
- Arch: /usr/lib/security
- Others: Find other files named
pam_*.so
-
Configure the system
Configuration should be setup in your pam config for whatever service you want. It needs to go at the top of your pam auth stack (first entry?):
auth requisite pam_captcha.so [options]
Available options: math, randomstring. Example:
auth requisite pam_captcha.so math randomstring
requisite is absolutely necessary here. This keyword means that if a user fails pam_captcha, the whole auth chain is marked as failure. This ensure that users must pass the captcha challenge before being permitted to attempt any other kind of pam authentication, such as a standard login. required can work here too but will not break the chain. I like requisite because you cannot even attempt to authenticate via password if you don't pass the captcha.
IMPORTANT SSHD_CONFIG NOTE FOR NON UBUNTU|MINOS SYSTEMS!
To prevent brute-force scripts from bypassing the pam stack, you MUST disable password authentication in your sshd. Disable password auth and enable keyboard-interactive instead. To do this, put the following in your sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
If you use ssh keys to login to your server, you will not be bothered by pam_captcha because publickey authentication does not invoke PAM.