Microsoft greatly simplified the user login and authentication process with the introduction of Windows Hello. The biometric security system for Windows 10 means laboriously typing out passwords has been replaced with facial or fingerprint recognition.
Taking this idea to the next level is a great open source Rust-based utility called WSL Hello sudo. This is a pluggable authentication module (PAM) that makes it possible to use Windows Hello authentication in Windows Subsystem for Linux.
WSL Hello sudo is compatible with both WSL 1 and WSL 2, and it helps to eliminate the need for time-consuming, password-based authentication when running sudo commands with elevated privileges.
The idea is very simple. Just as Windows Hello replaces the need to type a password with recognition of your fingerprint or recognition of your face, so WSL Hello sudo does the same for WSL. The developers of the module explain how it works:
Windows Hello maintains RSA key-pairs for each Windows user in its TPM hardware, and tells success of authentication by signing given contents by the private key. To utilize its API, “WSL Hello sudo” contains small Windows CLI apps that return public key and signed signature of given content. On the other hand, the PAM module of “WSL Hello sudo” remembers the public keys of each Windows user who corresponds to each Linux user. So, the PAM module authenticates the given Linux user by the following process.
- The PAM module is launched by sudo and receives a Linux user to be authenticated
- The PAM module launches the companion Windows app and sends a random value via WSL’s interop bridge
- The companion Windows app invokes Windows Hello
- Windows Hello makes a signature of the given input by the private key of the current Windows user
- The companion Windows app returns the signature
- The PAM module verifies the signature by the public key of the Windows user who corresponds to the given Linux user.
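The six steps quoted above amount to a challenge-response check; the sketch below is an added example, not code from WSL Hello sudo or its developers. It assumes PKCS#1 v1.5 signatures over SHA-256 and uses constructed, insecure demo keys built from Mersenne primes in place of the TPM-held Windows Hello keys; all function and user names are hypothetical.

```python
import hashlib
import secrets

# DigestInfo prefix for SHA-256 in PKCS#1 v1.5 (RFC 8017, section 9.2).
# The signature scheme is an assumption; the page only says "RSA".
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
E = 65537

def toy_keypair(p, q):
    """Constructed demo key from known primes. NOT secure; stands in for a TPM key."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def encode(message, n):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), sized to the modulus."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def new_challenge():
    """PAM side: a fresh random value per attempt, so old signatures cannot be replayed."""
    return secrets.token_bytes(32)

def hello_sign(private_key, challenge):
    """Companion-app side: sign the challenge with the Windows user's private key."""
    n, d = private_key
    return pow(int.from_bytes(encode(challenge, n), "big"), d, n)

def pam_verify(enrolled, linux_user, challenge, signature):
    """PAM side: verify against the public key stored for this Linux user only."""
    if linux_user not in enrolled:
        return False
    n, e = enrolled[linux_user]
    if not 0 <= signature < n:
        return False
    k = (n.bit_length() + 7) // 8
    recovered = pow(signature, e, n).to_bytes(k, "big")
    return secrets.compare_digest(recovered, encode(challenge, n))

# Constructed sample enrolment: two Linux users mapped to two different demo keys.
M521, M607, M1279 = 2**521 - 1, 2**607 - 1, 2**1279 - 1
ALICE_PUB, ALICE_PRIV = toy_keypair(M521, M607)
BOB_PUB, BOB_PRIV = toy_keypair(M607, M1279)
ENROLLED = {"alice": ALICE_PUB, "bob": BOB_PUB}

if __name__ == "__main__":
    c = new_challenge()
    sig = hello_sign(ALICE_PRIV, c)
    print("fresh challenge, right user:", pam_verify(ENROLLED, "alice", c, sig))
    print("same signature, new challenge:", pam_verify(ENROLLED, "alice", new_challenge(), sig))
    print("alice's signature for bob:", pam_verify(ENROLLED, "bob", c, sig))
```

The two rejected cases show why the random value and the per-user key mapping matter: a signature captured from an earlier sudo prompt does not satisfy a later challenge, and a valid Windows Hello signature from one Windows user does not authenticate a Linux user enrolled with a different key.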
If you are concerned about this level of interaction with your system, you can take comfort from the fact that the software is open source, so its source code is freely available and open to scrutiny.
You can grab WSL Hello sudo from its home over on GitHub.