A couple of random questions about login

Bryn M. Reeves bmr at redhat.com
Mon Sep 2 16:42:22 UTC 2013


On 09/02/2013 04:42 PM, Bill Oliver wrote:
> My wife turned to me and said, "If I were the bad guy, I'd just have the
> computer delete everything if someone entered the boat name, or at least
> send me a text.  The boat was an obvious guess, and I would never
> accidentally type it in."

This is pretty close to the concept of a duress code or panic password -
a special signal that you only give when under duress to covertly
indicate that fact:

  http://en.wikipedia.org/wiki/Duress_code

There's a problem with this idea though: anyone who knows or suspects
that you are using such a booby trap and has access to the system just
has to guess the right term and they can hose your data.

> My answer was "That makes sense, but I have no clue about how to do it."

PAM (pluggable authentication modules for Linux) is generally how you
slip some new check into the existing login (or other) auth process:

  http://www.linux-pam.org/

For example, there are PAM modules for LDAP directories and fingerprint
scanners.

Someone created a pam_confused module a few years back that will check
passwords against a duress list and execute some pre-configured script
when one is entered. It's not been updated lately but it shows roughly
how you might do it:

https://confused.googlecode.com/svn/trunk/pam_confused/readme.txt

> 1) What happens at a process level when one hits return after typing in
> a password?  Is everything handled by the kernel? Where is this described?

Check out the PAM FAQ and other documentation.

Regards,
Bryn.
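
Added example (not part of the original message, and not pam_confused's code): a duress-list check written as a script that pam_exec can run with the typed password on stdin, one way to hook such a check into the login auth stack. The install path, the list file, the sample stack line and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Duress-code check meant to be run by pam_exec with the typed password on
# stdin, e.g. (assumed stack line; placement depends on the distribution):
#   auth optional pam_exec.so expose_authtok quiet /usr/local/sbin/duress-check
# The script never changes the login result; it only raises an alert.

# Hypothetical path: one hex digest per line, root-owned, mode 0600.
DURESS_LIST="${DURESS_LIST:-/etc/security/duress.sha256}"

# hash_pw USER PASSWORD -> hex SHA-256 of "user:password".
# SHA-256 keeps the sketch short; a salted, slow password hash is the
# better choice for codes that are stored on disk.
hash_pw() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# is_duress USER PASSWORD -> exit status 0 if the digest is on the list.
is_duress() {
    [ -r "$DURESS_LIST" ] || return 1
    grep -qxF -- "$(hash_pw "$1" "$2")" "$DURESS_LIST"
}

# read_token: password from stdin with NUL and newline bytes removed.
read_token() {
    tr -d '\000\n'
}

# Alert only (syslog). Destructive actions are left out on purpose: anyone
# who guesses a listed code can trigger whatever runs here.
alert() {
    logger -p auth.alert -t duress-check \
        "duress code entered for user ${1} on ${PAM_TTY:-unknown tty}" || true
}

check_login() {
    user="${PAM_USER:-unknown}"      # PAM_USER is exported by pam_exec
    if is_duress "$user" "$(read_token)"; then
        alert "$user"
    fi
    return 0
}

# Run only when installed under its own name, so the file can be sourced.
case "$0" in
    */duress-check) check_login ;;
esac
```

A code is enrolled by appending the output of `hash_pw USER CODE` to the list file.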


