PAM Authentication via LIRC

pam_lirc is a PAM authentication module that lets you type your password on a remote control supported by LIRC.

Example usage in PAM config file:

auth  sufficient
auth  required nullok_secure try_first_pass
Remote Controls

Usually, you want this module as the first 'auth' module. Unintuitively, it will always fail, since it does not do the authentication itself. The only thing it does is read and set the password. The next 'auth' module should then be used with the 'try_first_pass' option, reading that password and doing the actual authentication.
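As an added example (not part of pam_lirc or of the original page), this Python lint checks a PAM service file against the stacking rules described above. The file name pam_lirc.so, the use of pam_unix.so as the verifying module, and the sample stacks are assumptions constructed for illustration.

```python
import re

LIRC = "pam_lirc.so"  # assumed file name; the page only names "pam_lirc"
# Fields: type, control (plain word or [bracketed]), module, options
ENTRY = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_entries(text):
    """Return (control, module, options) per 'auth' line; @include is not followed."""
    found = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "auth":
            module = m.group(3).rsplit("/", 1)[-1]  # drop any directory prefix
            found.append((m.group(2), module, m.group(4).split()))
    return found

def lint(text):
    """Check the stacking rules the page gives for pam_lirc; return findings."""
    auth = auth_entries(text)
    where = [i for i, entry in enumerate(auth) if entry[1] == LIRC]
    if not where:
        return ["pam_lirc is not in the auth stack"]
    i, findings = where[0], []
    if i != 0:
        findings.append("pam_lirc should be the first auth module")
    if auth[i][0] in ("required", "requisite"):
        # The module only stores the password and then fails by design.
        findings.append("pam_lirc always fails, so '%s' denies every login" % auth[i][0])
    if i + 1 == len(auth):
        findings.append("no auth module follows pam_lirc to verify the password")
    elif not {"try_first_pass", "use_first_pass"} & set(auth[i + 1][2]):
        findings.append("%s lacks try_first_pass and ignores the stored password"
                        % auth[i + 1][1])
    return findings

# Constructed sample stacks; pam_unix.so as the verifying module is an assumption.
GOOD = """auth  sufficient  pam_lirc.so user=mythtv
auth  required    pam_unix.so nullok_secure try_first_pass"""
NO_REUSE = """auth  sufficient  pam_lirc.so
auth  required    pam_unix.so nullok_secure"""
WRONG_ORDER = """auth  required  pam_unix.so nullok_secure
auth  required  pam_lirc.so   # last in the stack and 'required'"""

if __name__ == "__main__":
    for name, stack in (("GOOD", GOOD), ("NO_REUSE", NO_REUSE),
                        ("WRONG_ORDER", WRONG_ORDER)):
        print(name, lint(stack) or "ok")
```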

pam_lirc is tested with 'su' and 'gdm' and probably works with most other services, too. It was mainly designed to be used with an HTPC login via gdm after booting.

Technical Details

The module can either read input only from LIRC, or from the normal converse loop (usually keyboard input) plus IR input.

If you only read from one source, from LIRC, everything is clean and fine, since PAM is perfectly suited to do so.

However, the PAM interface is quite limited, so reading from two sources at once can unfortunately only be achieved with some magic, since PAM assumes a monolithic, sequential, single function to do the whole password input. Adding an additional loop requires two threads, and if one of the threads exits, there is no clean way of interrupting the other one.

So basically, this module uses a hack to stop the second thread, because PAM is too limited to allow for a clean way (if you know a clean way, I am very interested). But at least, it uses the same technique as other input modules, e.g. the Thinkpad Fingerprint PAM module: by default it artificially hits the return key via the 'uinput' interface. So the uinput kernel module must be loaded.

This module checks that it faces a local login, otherwise it passes control to the next PAM auth module (it would neither make sense to access local IR commands for a remote login, nor would it make sense to hit the local return key in that case).

This module will not work together with other input-extending modules like the mentioned Thinkpad Fingerprint module: only one such hack can work at the same time. For a clean way, we'd need PAM to define a way to run several threads in parallel natively with a well-defined interface to stop them.

Still: enjoy!

When transmitting valuable passwords via IR signals, close your window shutters to prevent eavesdropping. :-)

Display Manager

'gdm' login was tested. You probably want to use the user=... option in order to force a user when LIRC was used to enter the password:

auth  sufficient user=mythtv

This will always set the user mythtv when a password is typed on the remote control, so you need no keyboard interaction at all.


Next problem: we need to make the screensaver enter the PAM loop immediately instead of waiting for a key hit.




Report Problems

Please be so kind to give me feedback on all bugs and quirks. Compilation issues, failures, crashes, missing features.



Version 2
bug fix: improved PAM conformity: should work with most services now, tested su, GDM, SLiM under Debian/Ubuntu
bug fix: For the 'hit_cr' hack: press two keys by default: 'a' and CR for login procedures requiring at least one character (e.g. for a user name), e.g. SLiM.
bug fix: The 'hit_cr' hack now supports Dvorak keyboards (and many others, hopefully) by pressing 'Keypad Enter' instead of 'Enter' and allowing to set the keycode if that is still not good (options key1=... and key2=...).
bug fix: Fixed memory leaks.
Provided config file for iMON-PAD and mceusb remote controls, and wrote guidelines on how to write lirc config files.
added user=... to set a fixed user when logging in via LIRC (e.g. at GDM prompt)
added debug option
added syslog support (native and via PAM, depending on PAM version)
Version 1
initial release


January 17th, 2023
Comments? Suggestions? Corrections? You can drop me a line.