With WSL Hello sudo, you can use Windows Hello in Windows Subsystem for Linux
Microsoft greatly simplified the user login and authentication process with the introduction of Windows Hello. The biometric security system for Windows 10 means laboriously typing out passwords has been replaced with facial or fingerprint recognition.
Taking this idea to the next level is a great open source Rust-based utility called WSL Hello sudo. This is a pluggable authentication module (PAM) that makes it possible to use Windows Hello authentication in Windows Subsystem for Linux.
WSL Hello sudo is compatible with both WSL 1 and WSL 2, and it helps to eliminate the need for time-consuming, password-based authentication when running sudo commands with elevated privileges.
The idea is very simple. Just as Windows Hello replaces the need to type a password with recognition of your fingerprint or recognition of your face, so WSL Hello sudo does the same for WSL. The developers of the module explain how it works:
Windows Hello maintains RSA key-pairs for each Windows user in its TPM hardware, and tells success of authentication by signing given contents by the private key. To utilize its API, "WSL Hello sudo" contains small Windows CLI apps that return public key and signed signature of given content. On the other hand, the PAM module of "WSL Hello sudo" remembers the public keys of each Windows user who corresponds to each Linux user. So, the PAM module authenticates the given Linux user by the following process.
- The PAM module is launched by sudo and receives a Linux user to be authenticated
- The PAM module launches the companion Windows app and sends a random value via WSL's interop bridge
- The companion Windows app invokes Windows Hello
- Windows Hello makes a signature of the given input by the private key of the current Windows user
- The companion Windows app returns the signature
- The PAM module verifies the signature by the public key of the Windows user who corresponds to the given Linux user.
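The challenge-response flow the developers describe can be modelled in a few lines of Python. This is an added example, not code from WSL Hello sudo: `hello_sign` and `PamVerifier` are hypothetical names, the key is a constructed and deliberately insecure demo key standing in for the TPM-held one, and PKCS#1 v1.5 with SHA-256 is an assumed signature scheme.

```python
import hashlib
import secrets

# Constructed demo key built from two Mersenne primes: trivially factorable,
# NOT secure. It stands in for the RSA key pair Windows Hello keeps in the TPM.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; stays on the signer side
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(message: bytes, n: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), sized to modulus n."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    padded = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(padded, "big")

def hello_sign(challenge: bytes, d: int = D, n: int = N) -> int:
    """Hypothetical stand-in for the companion Windows app signing the input."""
    return pow(encode(challenge, n), d, n)

class PamVerifier:
    """Hypothetical PAM side: Linux user -> enrolled public key (n, e)."""

    def __init__(self, enrolled: dict):
        self.enrolled = enrolled
        self.pending = {}  # outstanding challenge per user

    def new_challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)  # fresh random value
        return self.pending[user]

    def verify(self, user: str, signature: int) -> bool:
        challenge = self.pending.pop(user, None)  # single use: blocks replay
        key = self.enrolled.get(user)
        if challenge is None or key is None:
            return False  # no outstanding challenge, or user never enrolled
        n, e = key
        return 0 <= signature < n and pow(signature, e, n) == encode(challenge, n)

if __name__ == "__main__":
    pam = PamVerifier({"alice": (N, E)})
    sig = hello_sign(pam.new_challenge("alice"))
    print("fresh signature accepted:", pam.verify("alice", sig))
    print("replayed signature accepted:", pam.verify("alice", sig))
```

The security of the scheme rests on two things the model makes visible: the random value must be fresh and consumed on first use, and the verifier must check against the public key enrolled for that specific Linux user rather than any key the signer presents.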
If you are concerned about this level of interaction with your system, you can take comfort from the fact the software is open source, so its source code is freely available and open to scrutiny.
You can grab WSL Hello sudo from its home over on GitHub.