This is pretty sweet. I feel like the only thing is that Windows Hello, and other fingerprint/face scanning tech is pretty slow compared to typing in a password, so doubt i'll be using it anytime soon. This is still very interesting from a technical pov.
I know nothing of PAM, but could it be used with something like LDAP? or ActiveDirectory?
Both face and fingerprint authenticate in under a second on all the machines I use.
If the machine is joined to a domain you'd need to use Hello for Business. It's more involved to set up, but if you've got enough Windows computers to have an AD domain you should definitely do it.
yep! PAM is "Pluggable Authentication Module" which sits between applications and the auth method, so you can put anything there. LDAP and ActiveDirectory are fairly common ones
> This is pretty sweet. I feel like the only thing is that Windows Hello, and other fingerprint/face scanning tech is pretty slow compared to typing in a password
My Dell Vostro has pretty instantaneous fingerprint recognition, much faster than a password (my previous Acer has a less convenient location for the sensor, and was much slower, and was much less reliable.)
I would be on KDE if I didn't have to use Visual Studio for my day job (project is still not fully .NET core). But WSL is a good compromise I use it as my shell for all git, dotnet related stuff.
I hate the Windows desktop (and server). Right now I am using XFCE. Much faster than Windows, lower memory footprint and I got it to look similar to macOS to some extent.
Using Windows compared to using XFCE is like pulling a stubborn donkey. No, I don't want to update, I don't want a voice assistant, I don't want absurd UIs, I don't want telemetry, I just want a goddamn menu and desktop icons.
What kind of prompt is this? It looks like Windows Terminal running Bash, but are the icons PNGs (windows + home), or a specific type-face rendering emoji?
To me developing with WSL2 is now even better than on native Linux - works exceptionally well. I use it with VS Code + WSL plugin and Docker for Windows.
> The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data.
What exactly is the point of sudo/UAC these days of single-user machines? I think https://xkcd.com/1200 put it well. Anything running as an unelevated user account can access my browser sessions where it can steal my passwords, emails, other other private info. It can turn on my microphone and camera. It can read all of my documents. Those are the things I care about protecting, not whatever special things root can do like install drivers and create virtual network interfaces.
The best configuration for WSL sudo is probably to just allow all commands without any authentication.
Have you forgotten what life was like before windows got UAC? Just because a machine is single user doesn't mean it's a good idea for all processes to run as root/Admin.
On Windows, it's a malware thing. Windows XP applications were designed with horrible security issues disguised as features because of it, partially causing the massive pain everybody felt when migrating to Windows Vista. Your favourite text editor could be the reason your graphics card would randomly make the screen go green, or that your flash drive didn't work, or that your system bluescreened and you'd have no idea of knowing because *anything* could be causing those problems.
Modern Windows has permission levels and capabilities that segregate background processes and system services. If your browser, running in low integrity mode, gets exploited, there's a whole layer of security that needs to be bypassed to read the keys you type or to install tasks at startup.
On Linux, I think it's mostly an anti-fuckup-thing. You can't accidentally delete system files if you're not root, you can't accidentally restart the wrong service, you can't accidentally edit the system config when you want to edit the user config. Badly-written tools can't mutate something when I ask them to just read. It also works for the same reasons as UAC does for Windows, though the Linux permission model is much simpler than the Windows one for most use cases.
If you run everything as root, the first compromise rootkits your computer. If you use proper user segregation additional steps need to be executed in order to trick you into getting the malware hooked deep into your system.
For WSL, the problem is similar to Linux, because WSL is just a well-integrated Linux VM. Dev tools such as npm download and execute random code from the internet, which can be infected somewhere six levels down the dependency chain. If you run those as root, you're giving that malware full access to your system whereas your local user account can only modify some of the files outside of WSL.
It doesn't protect you from theft of your unlocked laptop. It does protect you from bad software, at least partially.
Even a single user machine is really not single user because your applications are also users on your machine and being Internet connected/updated you better have control over what they can do.
Hello, author of please (https://gitlab.com/edneville/please) here, where I've taken a different approach to make permitting grnular things simple.
Permiting everything is no different really to browsing the web as root.
Permitting granular things in sudo and doas isn't easy.
For what it is worth, many of the systems I work on on have many more than just one user and I am sure that other people work on bigger environments too. When you have multiple users, you run the risk of delegating more access than you should and thus compromise content, hence why I think access should simple!
AFAICT this isn’t by Microsoft, and anyways by this definition it would mean that Microsoft cannot do anything without being declared EEE revival except strictly implementing the baseline standard.
Extending standards is normal and expected. It’s the extinguishing part that we get in trouble, but a natural risk of any large player “contributing” to OS (their weight is what opens the possibility; but their weight is also what you want to enable larger/comprehensive OS codebases).
That is, you want Microsoft contributing to Linux. The thing to avoid is only Microsoft contributing to Linux.
[+] [-] erklik|5 years ago|reply
I know nothing of PAM, but could it be used with something like LDAP? or ActiveDirectory?
[+] [-] MrMorden|5 years ago|reply
If the machine is joined to a domain you'd need to use Hello for Business. It's more involved to set up, but if you've got enough Windows computers to have an AD domain you should definitely do it.
https://docs.microsoft.com/en-us/windows/security/identity-p...
[+] [-] MetricMike|5 years ago|reply
[+] [-] dragonwriter|5 years ago|reply
My Dell Vostro has pretty instantaneous fingerprint recognition, much faster than a password (my previous Acer has a less convenient location for the sensor, and was much slower, and was much less reliable.)
[+] [-] The_rationalist|5 years ago|reply
[+] [-] alexdumitru|5 years ago|reply
[+] [-] kbumsik|5 years ago|reply
[+] [-] lambda_dn|5 years ago|reply
[+] [-] 29athrowaway|5 years ago|reply
Using Windows compared to using XFCE is like pulling a stubborn donkey. No, I don't want to update, I don't want a voice assistant, I don't want absurd UIs, I don't want telemetry, I just want a goddamn menu and desktop icons.
[+] [-] rhplus|5 years ago|reply
https://github.com/nullpo-head/WSL-Hello-sudo/blob/master/de...
[+] [-] ranieuwe|5 years ago|reply
[+] [-] jjjeii3|5 years ago|reply
[+] [-] anhner|5 years ago|reply
[+] [-] kungito|5 years ago|reply
[+] [-] You-Are-Right|5 years ago|reply
[+] [-] Guillaume86|5 years ago|reply
https://docs.microsoft.com/en-us/windows/security/identity-p....
[+] [-] anaisbetts|5 years ago|reply
[+] [-] perryizgr8|5 years ago|reply
[+] [-] unknown|5 years ago|reply
[deleted]
[+] [-] throwaway8581|5 years ago|reply
What exactly is the point of sudo/UAC these days of single-user machines? I think https://xkcd.com/1200 put it well. Anything running as an unelevated user account can access my browser sessions where it can steal my passwords, emails, other other private info. It can turn on my microphone and camera. It can read all of my documents. Those are the things I care about protecting, not whatever special things root can do like install drivers and create virtual network interfaces.
The best configuration for WSL sudo is probably to just allow all commands without any authentication.
[+] [-] kiwijamo|5 years ago|reply
[+] [-] jeroenhd|5 years ago|reply
Modern Windows has permission levels and capabilities that segregate background processes and system services. If your browser, running in low integrity mode, gets exploited, there's a whole layer of security that needs to be bypassed to read the keys you type or to install tasks at startup.
On Linux, I think it's mostly an anti-fuckup-thing. You can't accidentally delete system files if you're not root, you can't accidentally restart the wrong service, you can't accidentally edit the system config when you want to edit the user config. Badly-written tools can't mutate something when I ask them to just read. It also works for the same reasons as UAC does for Windows, though the Linux permission model is much simpler than the Windows one for most use cases.
If you run everything as root, the first compromise rootkits your computer. If you use proper user segregation additional steps need to be executed in order to trick you into getting the malware hooked deep into your system.
For WSL, the problem is similar to Linux, because WSL is just a well-integrated Linux VM. Dev tools such as npm download and execute random code from the internet, which can be infected somewhere six levels down the dependency chain. If you run those as root, you're giving that malware full access to your system whereas your local user account can only modify some of the files outside of WSL.
It doesn't protect you from theft of your unlocked laptop. It does protect you from bad software, at least partially.
[+] [-] kyriakos|5 years ago|reply
[+] [-] eneville|5 years ago|reply
Permiting everything is no different really to browsing the web as root.
Permitting granular things in sudo and doas isn't easy.
For what it is worth, many of the systems I work on on have many more than just one user and I am sure that other people work on bigger environments too. When you have multiple users, you run the risk of delegating more access than you should and thus compromise content, hence why I think access should simple!
[+] [-] e12e|5 years ago|reply
[+] [-] throwoutttt|5 years ago|reply
[deleted]
[+] [-] Orochikaku|5 years ago|reply
Hacking around at systems you’re interested in is hardly a waste of time, it’s through projects driven by self interest that we learn the most imo.
[+] [-] swiley|5 years ago|reply
[+] [-] setr|5 years ago|reply
Extending standards is normal and expected. It’s the extinguishing part that we get in trouble, but a natural risk of any large player “contributing” to OS (their weight is what opens the possibility; but their weight is also what you want to enable larger/comprehensive OS codebases).
That is, you want Microsoft contributing to Linux. The thing to avoid is only Microsoft contributing to Linux.
[+] [-] powersnail|5 years ago|reply