Package Details: pinpam-git r50.86a68c3-1
| Git Clone URL: | https://aur.archlinux.org/pinpam-git.git (read-only) |
|---|---|
| Package Base: | pinpam-git |
| Description: | TPM2 backed PAM module and utility for pin-based authentication |
| Upstream URL: | https://github.com/RazeLighter777/pinpam |
| Keywords: | pam tpm2 |
| Licenses: | GPL-3.0 |
| Provides: | pinpam-git |
| Submitter: | raze_lighter777 |
| Maintainer: | raze_lighter777 |
| Last Packager: | raze_lighter777 |
| Votes: | 0 |
| Popularity: | 0.000000 |
| First Submitted: | 2026-01-25 13:48 (UTC) |
| Last Updated: | 2026-01-25 21:36 (UTC) |
Dependencies (10)
- gcc (gcc-gitAUR, gccrs-gitAUR, gcc-snapshotAUR)
- gcc-libs (gcc-libs-gitAUR, gccrs-libs-gitAUR, gcc-libs-snapshotAUR)
- openssl (openssl-gitAUR, openssl-aegisAUR, openssl-staticAUR)
- pam (pam-selinuxAUR)
- tpm2-tss (tpm2-tss-gitAUR)
- cargo (rust-beta-binAUR, rustup-gitAUR, rust-gitAUR, rust, rustup) (make)
- coreutils (coreutils-gitAUR, coreutils-selinuxAUR, uutils-coreutils-gitAUR) (make)
- gcc (gcc-gitAUR, gccrs-gitAUR, gcc-snapshotAUR) (make)
- git (git-gitAUR, git-glAUR, git-wd40AUR) (make)
- rust (rust-beta-binAUR, rustup-gitAUR, rust-gitAUR, rustup) (make)
Latest Comments
raze_lighter777 commented on 2026-01-25 13:52 (UTC)
pinpam
pinpam is a PAM module and credential utility to enable system-wide authentication with a secure TPM2-backed pin.
Details
pinpam consists of two components:
1. A PAM module (libpinpam.so) exposing authentication functionality to PAM-aware applications.
2. A command-line utility (pinutil) to set up/reset/change/manage PINs.

The PINs are stored in the TPM's NVRAM, protected by the TPM's hardware-backed security features. Upon creation, the PIN reset/attempts counter is marked read-only, preventing resetting the brute-force protection without clearing the TPM. This makes it difficult for an attacker to brute-force the PIN, as the TPM will lock out further attempts after a configurable number of failures. Even root will be unable to bypass this protection without clearing the TPM, which would also delete the stored PIN.
This module uses the little-known PinFail index data structure in the TPM 2.0 specification to track failed authentication attempts. This data structure is a simple counter/max-failures pair that is incremented by the TPM on each failed authentication attempt. When the maximum number of failures is reached, the TPM will refuse further authentication attempts until the counter is reset.
However, an attacker with root access could enumerate users' PINs and recover them by rewriting the PinFail index to reset the failure counter while making repeated authentication attempts. To mitigate this, pinpam uses a TPM2 policy to restrict the PinFail index to only being written once.
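
The counter-reset problem and the write-once mitigation described in the comment above, as a small Rust model added here; it is not pinpam's code and calls no TPM API. The `PinFailIndex` type, its methods and the PIN value are constructed for illustration, and the `write_once` flag stands in for whatever TPM2 policy pinpam actually installs.

```rust
// Added model of a TPM 2.0 PinFail NV index; not pinpam code and not a TPM API.
#[derive(Debug, PartialEq)]
enum Auth { Ok, Wrong, Locked }

struct PinFailIndex {
    pin: u32,         // authValue of the index (the user's PIN)
    pin_count: u32,   // failures recorded by the TPM
    pin_limit: u32,   // failures allowed before lockout
    write_once: bool, // assumed policy: NV writes allowed only before the first write
}

impl PinFailIndex {
    fn provision(pin: u32, pin_limit: u32, write_once: bool) -> Self {
        PinFailIndex { pin, pin_count: 0, pin_limit, write_once }
    }
    // A rewrite of the counter/limit pair after provisioning; write-once rejects it.
    fn nv_write(&mut self, pin_count: u32, pin_limit: u32) -> Result<(), &'static str> {
        if self.write_once { return Err("policy: index already written"); }
        (self.pin_count, self.pin_limit) = (pin_count, pin_limit);
        Ok(())
    }
    // At the limit the TPM refuses even the right PIN; a success clears the count.
    fn authorize(&mut self, guess: u32) -> Auth {
        if self.pin_count >= self.pin_limit { return Auth::Locked; }
        if guess == self.pin { self.pin_count = 0; Auth::Ok }
        else { self.pin_count += 1; Auth::Wrong }
    }
}

// Root-level loop from the text: rewrite the counter whenever locked out (4-digit PINs).
fn guess_with_resets(idx: &mut PinFailIndex) -> (Option<u32>, u32) {
    let (limit, mut evaluated) = (idx.pin_limit, 0);
    for guess in 0..10_000 {
        let mut r = idx.authorize(guess);
        if r == Auth::Locked && idx.nv_write(0, limit).is_ok() { r = idx.authorize(guess); }
        match r {
            Auth::Ok => return (Some(guess), evaluated + 1),
            Auth::Wrong => evaluated += 1,
            Auth::Locked => return (None, evaluated),
        }
    }
    (None, evaluated)
}

fn main() {
    for write_once in [false, true] {
        let mut idx = PinFailIndex::provision(4821, 5, write_once); // constructed PIN
        println!("write_once={}: {:?}", write_once, guess_with_resets(&mut idx));
    }
}
```

The second tuple field is the number of guesses the modelled TPM actually evaluated: without the write-once restriction every candidate is tested, with it the loop stops at the failure limit and the index stays locked.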