PAM Duress – Alternate passwords for panic situations

Hey, surprised to find myself here and appreciate all the discussion. I&#x27;m the author of the above project and wanted to shed some light on the inspiration for the project.<p>It started as a simple weekend project based on an off-hand comment someone made in a security professional chat I&#x27;m in. I had used duress words in military and translating the concept to a PAM seemed like a fun exercise. Also supports my current shift towards swapping careers from pure software engineering to cyber-research or cybersecurity generally. So in the end, it was a weekend project that served a dual purpose as a resume stamp.<p>The design use case I had in mind was more benign; such as corporate espionage or journalists getting their devices confiscated (maybe keep a sticky note on the laptop that has a duress password on it as a red-herring). Comments to the effect that law enforcement would image a device are very relevant as any competent law enforcement agency should have their staff trained to get the device fully powered off and hand it to someone that can maintain a chain of custody and get a golden image for use in potential criminal charges.<p>One thought I had was to apply this to SSH auth for honeypots and if a rockyou.txt password is attempted it runs some routines that aid in crafting the honeypot before the intruder drops to a shell prompt. Another even more light-hearted implementation could be you have password X is the one you login to normally and your &quot;duress&quot; password Y just clears your browser history and is the one you give your spouse for when they log into your computer :). I&#x27;m sure there&#x27;s use cases in the full spectrum and with it being a relatively simple implementation with user generated scripts, it&#x27;d be easy to extend to any potential use case.<p>In any case I&#x27;m glad it prompted such a good discussion. Feel free to submit issues if there are particular feature requests or bugs that one might run across. Additionally if there&#x27;s a PR up, I&#x27;m currently the only dedicated dev on the project and welcome anyone that wants to review my PRs; always prefer a 3rd person review even on my own projects. I created a demo video using Pushover and in the process of doing the demo uncovered some bugs that I patched as well as some fixes to the documentation. Again, glad you all found this interesting and humbled it fostered such a good discussion.

Training is very important in duress systems.<p>I once worked in a place with a keypad duress code on the security system. If you prefixed your security PIN with NN-, it was the duress version of the code and would trigger a silent alarm.<p>This was setup long-ago, and not communicated. One night, the keypad was acting glitchy. Partially out of frustration (countdown is running), and partially to test, I ended up accidentally engaging the duress code by tapping a convenient corner number, which resulted in NNNNNNNNN-PIN.<p>After law enforcement had surrounded the building, a quick chat and search alongside a few officers got it all sorted.

There are multiple levels of protection one might want.<p>I.e. when you are being selected for random questioning entering US as a non-US citizen, you&#x27;d benefit from steganography-like approach: you give a password, and relatively bland, non-personal stuff shows up, giving appearance of full access to a system.<p>If you only care about your privacy, the next one is to have a destroy-everything script (and it&#x27;s not that hard: usually, passphrases are only used to decrypt the actual encryption keys, so overwriting those keys should be super fast). This would also work against unsophisticated attacks which are not going to really cost you your life.<p>If there is a potential for you to be a target of a sophisticated attack and the attacker does not care about taking your life, the biggest benefit is to have a way to inform someone of your whereabouts while you are actually giving access, ideally in a way that buys you time (eg. &quot;webcam has detected stress on your face, please wait another 6 hours before trying to log in again&quot; — sorry, company mandated software, when it happens usually, we call support).

Comments are full of gunpoint scenarios, but I think a far more likely scenario for most HN readers is law enforcement &#x2F; customs agents asking you to unlock your device during travel or some other random checkpoint so they can scan it. In that case, I doubt the officer would even have a clue about the use of a duress password to selectively and silently delete some private data. I think the biggest risk would be that a scan of your device could detect the PAM config and duress script which could be a flag to monitor you more closely, or might possibly be considered illegal itself in some jurisdictions.

The company that was pitching my employer retina scanners on data center doors 20 years ago had an idea like this. Left eye gets you in, right eye gets you in and alerts security.

I hate when my bank calls me about something and then asks to confirm my identity prior to giving out details about my account. Even when I think I know what it is about (e.g., a transaction with my card was declined just before the phone call), I feel very strange giving out any information to an inbound caller.<p>One thing I have thought about doing is providing mistaken information to the caller and see if they go along with it. I came up with this idea when one bank said they could send me a text message and I could read back the number to them (huge red flag).<p>Does anyone else have any ideas for how to authenticate a BigCorp caller whose corporate policies do not allow them to provide any account information to the people they are calling?

It&#x27;s a very cool idea, but I think it would be most useful if applied to things like phones. I suspect most people pressed for passwords, are using a GUI system.

There&#x27;s always a big issue with systems like this: Any sophisticated attacker will have an image of the machine he&#x27;s trying to get into at hand to stop exactly what this pam module is trying to achieve from happening.<p>All this would do is make you appear in a worse light to the deciding judge when it comes to trial or get your other kneecap shattered in a not so civil situation.

Nice, pretty cool stuff. In high-school I worked on something similar (<a href="https:&#x2F;&#x2F;github.com&#x2F;rafket&#x2F;pam_duress" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;rafket&#x2F;pam_duress</a>), though this seems to have a somewhat cleaner implementation which is nice to see, and hopefully a more eager maintainer.

I remember Kali Linux had a patched LUKS implementation for full disk encryption with self destruction password<p><a href="https:&#x2F;&#x2F;www.kali.org&#x2F;blog&#x2F;emergency-self-destruction-luks-kali&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.kali.org&#x2F;blog&#x2F;emergency-self-destruction-luks-ka...</a>

What I never quite understand is how this can work in practice. When someone is under real duress, they do not always behave in a logical way and may be too stressed to remember certain details like a password that they never use...

If your threat model is “guy with guns,” they’ll just follow you and snatch it when you think you’re safe and unlock the device. If your threat model is “government at border” just mail the device or data to yourself overnight. Don’t be that guy…<p>I was flying into Atlanta (Intl) with “radioactive” rocks (not on purpose, just picked some up near a volcano, they looked cool) and they flipped their collective shit. I was taken to a separate area where they dumped my stuff next to another guy who got pulled into “routine” inspection. This other guy “forgot” his phone pin earlier that day… he was still there four hours later, after my four hours of reasonably straight forward BS.

The Hello World example shows echoing to stdout from the duress script. Seems like a bad idea. I don&#x27;t want to get beaten or shot when some rm -rf fails with an I&#x2F;O error, alerting the attacker to what&#x27;s going on. It seems like it would be more sensible for the module to suppress all output by design.

yeah there&#x27;s that one guy who tried to cross the border from canada and got blocked for having scruff on his phone<p><a href="https:&#x2F;&#x2F;www.huffingtonpost.ca&#x2F;2017&#x2F;02&#x2F;22&#x2F;canadian-man-customs-gay-app_n_14928858.html" rel="nofollow">https:&#x2F;&#x2F;www.huffingtonpost.ca&#x2F;2017&#x2F;02&#x2F;22&#x2F;canadian-man-custom...</a><p>5 years on we&#x27;re somehow all managing our own crypto keys, the phone is the key to unlock our digital lives, so we&#x27;re all in the counterintelligence game. more tools like this.

I think it should be pretty trivial to have a hidden dualboot, let&#x27;s say you have some plain boring Windows that takes 10% of you drive and 90% is unassigned. In reality that&#x27;s encrypted LVM disk with bootloader on a flash drive that is easily tossed away if necessary. Or zapped in a microwave if you watched too much of Mr. Robot.

Do not carry devices with sensitive data around if not necessary, simple as. All this hidden user stuff will go nowhere. Have the data encrypted on a server and access it remotely.<p>Anything else is simply not safe at all or might cost you prison time, check the UK laws on this.

I mean, that&#x27;s pretty cool, but who enables password logins for SSH anymore? If I&#x27;m an attacker, I&#x27;m going to wonder why my target of duress is giving me a password and not a private key; most likely if I have access to my target of duress, then I have access to some kind of client &#x2F; endpoint that my target uses to connect to the network, and that client will have the SSH private keys likely already loaded into ssh-agent.<p>Maybe a more modern concept would be to both a) have a duress private key, that triggers duress scripts in the same way, b) an implementation of ssh-agent that adds the duress private key when a duress password is entered?

Surprised to not see this mentioned here: <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Rubberhose_%28file_system%29" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Rubberhose_%28file_system%29</a><p>And <a href="http:&#x2F;&#x2F;dmsteg.sourceforge.net&#x2F;" rel="nofollow">http:&#x2F;&#x2F;dmsteg.sourceforge.net&#x2F;</a><p>Alas, work in this space appears to be abandoned, too bad too because much could be done to improve robustness when writing with umounted aspects, or preserving security against attackers that can take images of the disk at different times.<p>Not to mention: integrating the results in standard software so the mere presence of the software on your host doesn&#x27;t harm the deniability.

You all live much more interesting lives than me

You could set this up with three possible passwords, #1 for normal login, #2 for what looks like normal login but deletes most sensitive things and #3 that wipes the disk encryption keys and reboots. If forced by criminals or a not so free government enter #2 and pretend everything is normal. If pressured by the US or EU government with your lawyer present enter #3, see it fail and claim you forgot the encryption keys to make it boot (which is technically true, just never admit you made it delete them since that&#x27;s illegal in most places)

The &quot;guy with the gun&quot; narrative comes up a lot, so this seems to counter that? I love the concept. It seems like something that would work well in a movie but fail miserably in real life.

Nice idea! I have this on my social site, people have two passwords, their regular one and an &#x27;under duress&#x27; one that wipes their profile&#x2F;locks it down.<p>I always wondered why more services don&#x27;t offer it.<p>The reason we have it is it&#x27;s a fairly political place (not by design, but when you offer &#x27;free speech&#x27; you get everyone booted from every other place) and we&#x27;ve had a fair few members arrested, and I&#x27;d hate to think my site contributes to that so easy wipe.

Just like how ancient games and screen savers had a “Boss Mode” shortcut that showed a fake screenshot of Excel or whatever, all modern devices should have an “Allow limited or fake access to someone else to avoid the socially awkward situation of saying No” option.<p>Call it Duress&#x2F;Panic&#x2F;Boss&#x2F;Jealous Boy&#x2F;&#x2F;Girlfriend&#x2F;Puritan Family Mode or whatever.<p>iOS has something called Guided Access which sorta helps a little bit but is very obvious to the other party.

&gt; <i>This is transparent to the person coersing the password from the user as the duress password will grant authentication and drop to the user&#x27;s shell.</i><p>I would assume the user shouldn&#x27;t understand that he was given a duress password, so is transparent the right term here?

Would love this as a standard option for phones &#x2F; desktop logins.

<a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Rubberhose_(file_system)" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Rubberhose_(file_system)</a>

We need this on iPhones.

If I understand correctly, this appears to be Linux only?

I always thought it would be great if Apple allowed a duress iPhone faceid (say, you making a certain face) that could be used to erase the phone.

Real password:<p>woD3PRBgELFHH9nuABH]ksD<p>Duress password:<p>duress123

&gt;~&#x2F;.duress<p>A project that&#x27;s 2 days old should be using $XDG_CONFIG_HOME. My home directory is where I need a clean slate, not your clutter.

This is highly unlikely, but; What is someone guesses your duress password and triggers your fail safe commands to delete everything?

perhaps i could use that as a screensaver password to share with my girlfriend? it would close spreadsheets, emacs, un-mount journals and personal drives. PAM&#x27;s used to reauth from the screen-saver, right?

How can I have a duress password for MacOSX that triggers a script on login?

I&#x27;d like an option like this for Password Safe

Nice, this actually tries to mitigate XKCD&#x27;s famous $5 security backdoor.<p><a href="https:&#x2F;&#x2F;xkcd.com&#x2F;538&#x2F;" rel="nofollow">https:&#x2F;&#x2F;xkcd.com&#x2F;538&#x2F;</a>

What does &quot;PAM&quot; mean?

I miss the SecurID stress PIN.

This could result in serious personal harm if the individual(s) causing the duress sense something is up, which they almost certainly will if things start magically disappearing or locking up. You better make sure that whatever you are protecting with this is more important than your personal safety.