[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Crazy (?) idea: screen locker with simpler password

Wojtek Zabolotny wrote:
> I often have to leave my students with my laptop and e.g. go to scan
> some documents or to receive printed papers from the printer room.
> Then I have to lock the console when leaving, and unlock it when
> coming back.
> As my login password is quite long, it is uncomfortable to enter it
> (especially with my students watching my keyboard ;-) ) after every
> return.
> I think it could be nice to have a possibility to use a special
> configuration of screen-locker, using another, shorter and simpler
> password...

Here is an idea.  If you wish to have two passwords that you can
switch between then you could create a small script that will switch
between high security passwords when your machine is traveling through
low security areas and a low security password when your machine is
already in a higher security area.  It would be a complete password
switch from one to the other when you do the switch.  But if you are
okay doing that then that is what I would suggest.

There are two ways that I would think about going about it.  One is to
use an 'expect'[1] script to run the passwd command to change your
password in a script.  There are some security concerns though as your
password would need to be known by the script in clear text.  So
because of that I wouldn't do it that way.  Not a bad way per se but
not great and we can do better.

The /etc/shadow file isn't that difficult to edit.  As long as some
care is taken you can do so without problem.  Especially since this is
a solution for you personally on your private laptop.  I would create
a script that edited the /etc/shadow file directly and manipulated the
encrypted passwords.  Then the clear text would never need to exist in
any form.  Only the encrypted form of the password is needed.  Use a
script to swap between two different encrypted forms.

If you are a GUI user then you could tie the actions to a couple of
custom button actions.  Switch to low security passwords during the
day and then back to high security passwords when leaving for the
day.  Or whatever schedule you desire.

The reason for passwords being in the shadow file are to prevent them
being cracked offline by a personal supercomputer.  But if that is
unlikely to happen without your knowledge (you can always change your
password if you think it has been compromised) then the security risk
is small if the encrypted forms are exposed.  Since you would be
handling them outside of the root protected file you have to consider
the risk of exposing the encrypted forms of your password.  In the old
days the encrypted forms were always available to everyone in the
/etc/passwd file.  With the larger encryption available today I think
the risk is minimal on your private laptop.

The format of the /etc/shadow file is documented in the shadow man
page.  The 'mkpasswd' utility is also useful in this context.

  man shadow

  man mkpasswd

If it weren't almost midnight my time I would consider tinkering
something together for you tonight.  Because it is really quite an
easy task. :-)

> Well I have a quick&dirty workaround - I have a special account with
> minimal privileges (e.g. with access to networked blocked in
> iptables) and really simple password.
> I have this user logged in in one text console. So when leaving, I
> can switch to this console (with Alt+Ctrl+F1) and run "vlock
> -a". This is not very elegant, but working...



[1] http://en.wikipedia.org/wiki/Expect

Attachment: signature.asc
Description: Digital signature

Reply to: