Emergency deletion when you enter a special Linux password

Brother

Imagine that some unexpected guests suddenly appear on your doorstep, and they might be interested in the information on your computer. But you are already prepared! Even if you are forced to log into the system or give out a password, you can give a special password that triggers a script that destroys everything of interest.

By the way, Kali Linux has a similar feature. But it works differently. When you enter a password, emergency data encryption occurs.

Emergency deletion when entering password in Linux

The pam-duress tool will help you do this. It is implemented as a PAM (Pluggable Authentication Module) library that hooks into the handling of an authentication request and, if the usual login failed, processes the entered password according to its own logic.

Installation is a little more complicated than usual, but worth it.

Code:
sudo apt install build-essential libpam0g-dev libssl-dev
git clone https://github.com/nuvious/pam-duress.git
cd pam-duress
make
sudo make install
make clean
mkdir -p ~/.duress
sudo mkdir -p /etc/duress.d

After installing the module, you need to enable it so that the system uses it for user authentication. To do this, edit /etc/pam.d/common-auth and find these two lines:

Code:
auth    [success=1 default=ignore]      pam_unix.so
auth    requisite                       pam_deny.so

Replace them with the following three lines:

Code:
auth    [success=2 default=ignore]      pam_unix.so
auth    [success=1 default=ignore]      pam_duress.so
auth    requisite                       pam_deny.so
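
As an added illustration (not part of the original post or of the pam-duress project), this simplified Python model walks the original and the modified stack and shows why `success=2` lets the real password skip pam_duress.so, while a failed pam_unix.so falls through to it. The passwords are constructed sample values, and the model assumes the rest of common-auth after these lines lets the request through.

```python
# Simplified model of how PAM evaluates the "auth" lines shown above.
# Only the two control forms used on this page are modelled:
#   [success=N default=ignore] -> on success skip the next N lines, else ignore
#   requisite                  -> on failure, fail the whole stack at once
ORIGINAL = [
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
]
MODIFIED = [
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 default=ignore]", "pam_duress.so"),
    ("requisite", "pam_deny.so"),
]

def module_result(module, password, real, duress):
    """Constructed stand-ins for the verdicts of the real modules."""
    if module == "pam_unix.so":
        return password == real
    if module == "pam_duress.so":
        return password == duress  # the real module also runs the signed scripts
    return False                   # pam_deny.so always fails

def evaluate(stack, password, real="real-pw", duress="duress-pw"):
    """Return (authenticated, modules_that_succeeded) for one login attempt."""
    i, succeeded = 0, []
    while i < len(stack):
        control, module = stack[i]
        ok = module_result(module, password, real, duress)
        if ok:
            succeeded.append(module)
        if control == "requisite":
            if not ok:
                return False, succeeded
        elif ok:
            # Jump over the next N lines, e.g. past pam_duress.so and pam_deny.so.
            i += int(control.split("success=")[1].split()[0])
        i += 1
    # Assumption: the lines that follow in common-auth let the request through.
    return True, succeeded

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("modified", MODIFIED)):
        for pw in ("real-pw", "duress-pw", "wrong-pw"):
            print(name, pw, evaluate(stack, pw))
```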

Now you can customize and test.

Scripts in ~/.duress must have permissions of 500, 540 or 550, otherwise they will not be executed.

The bogus password is set when you run duress_sign, and it must not match the normal password.

[Screenshot: Emergency deletion when you enter a special Linux password]

In the screenshot above, you see testing. In the first case, I entered the real password and nothing happened. In the second, I entered a fake one, and the script was executed; its output appeared in the console.

An important clarification: when building according to these instructions, you will not receive any output in the console. This is not an error: the script is still executed, but its output is redirected to /dev/null. If no script can be executed when entering a fake password, pam_test will output Not Authenticated.

A debug build is required to view the output. See the author's repository for how to build it.
 