Panic password recommendation could create an attack vector on availability #121

Open
brasswood opened this issue Oct 11, 2024 · 1 comment


brasswood commented Oct 11, 2024

Not a security expert by any means, but it looks to me like the panic password recommendation could have bad consequences. For example, the suggested use is to delete the home folder when someone uses the fake password. But then, depending on how the system is configured, a remote attacker can bring down the system just by attempting to log in with the fake password. This would be especially easy if someone tried to "outsmart" the attacker by making their fake password trivial.

I think this should only be used under the assumption that the attacker already has physical access to the system, so availability is already compromised and confidentiality is more important (but if someone has physical access is rm -rf really going to fix the confidentiality problem?). If the authentication request is going through PAM then is this assumption valid? I don't know fully how PAM works but my guess is, probably not? I would think anyone who has already managed to log in to some user account through SSH could generate authentication requests that go through common-auth from their session. Maybe the duress script can be configured to run only if the current session is not an SSH session: https://unix.stackexchange.com/a/9607

Besides deleting data, this could be useful for secretly sending out a distress call. That wouldn't pose any risk of data loss, and that case could be useful in remote access scenarios (e.g., you're on vacation and someone forces you at gunpoint to ssh in).
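The session check suggested in the comment above, as an added example that is not part of the thread or the project's own code: a guard for a duress script that allows a destructive response only when the request is positively local and falls back to an alert otherwise. It assumes the script either inherits the calling session's environment or has the logging-in process as an ancestor; all function names and the placeholder actions are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's code): origin guard for a duress script.
# Function names and the alert/destructive split are hypothetical.

# Succeeds if PID $1 or any of its ancestors is an sshd process.
has_sshd_ancestor() {
    pid=$1
    while [ "$pid" -gt 1 ] 2>/dev/null; do
        name=$(ps -o comm= -p "$pid" 2>/dev/null) || return 1
        case "$name" in
            sshd|sshd-session) return 0 ;;
        esac
        pid=$(ps -o ppid= -p "$pid" 2>/dev/null | tr -d ' ')
    done
    return 1
}

# Prints "remote" or "local" for the process tree starting at PID $1.
session_origin() {
    # sshd exports these variables into the sessions it starts.
    if [ -n "${SSH_CONNECTION:-}${SSH_CLIENT:-}${SSH_TTY:-}" ]; then
        echo remote
    elif has_sshd_ancestor "$1"; then
        echo remote
    else
        echo local
    fi
}

# Maps an origin to the only class of action the script may take.
# Anything that is not positively "local" gets the non-destructive path.
allowed_action() {
    case "$1" in
        local) echo destructive ;;
        *)     echo alert-only ;;
    esac
}

# Entry point: call this at the end of the installed duress script.
run_duress() {
    action=$(allowed_action "$(session_origin "$$")")
    logger -t duress "duress password used; action=$action" 2>/dev/null || true
    if [ "$action" = destructive ]; then
        echo "placeholder: local-only response goes here"
    else
        echo "placeholder: send distress notification, touch no data"
    fi
}
```

The environment variables can be unset inside a session, so the ancestor walk is the stronger of the two signals; neither check limits how often the duress password can be tried.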

@hellresistor
Contributor

Heya!
I will explain. pam_duress will run specific scripts; these scripts you build do what you want.
In this example it was a "gun".
Your point about danger is true; the duress password should not be easy as well ;) Obviously, this is an example. You can create a script to execute other commands.

Conclusion:
You make a script create.sh with content "sudo mkdir $date"
Generate a duress password that runs that script
Each time the duress password is confirmed, it will generate a folder with $date.

Hope this helps clear things up for you.
