Wojtek Zabolotny wrote:
> I often have to leave my students with my laptop and e.g. go to scan
> some documents or to receive printed papers from the printer room.
> Then I have to lock the console when leaving, and unlock it when
> coming back.
>
> As my login password is quite long, it is uncomfortable to enter it
> (especially with my students watching my keyboard ;-) ) after every
> return.
>
> I think it could be nice to have a possibility to use a special
> configuration of screen-locker, using another, shorter and simpler
> password...

Here is an idea. If you wish to have two passwords that you can switch between then you could create a small script that will switch between high security passwords when your machine is traveling through low security areas and a low security password when your machine is already in a higher security area. It would be a complete password switch from one to the other when you do the switch. But if you are okay doing that then that is what I would suggest.

There are two ways that I would think about going about it. One is to use an 'expect'[1] script to run the passwd command to change your password in a script. There are some security concerns though as your password would need to be known by the script in clear text. So because of that I wouldn't do it that way. Not a bad way per se but not great and we can do better.

The /etc/shadow file isn't that difficult to edit. As long as some care is taken you can do so without problem. Especially since this is a solution for you personally on your private laptop. I would create a script that edited the /etc/shadow file directly and manipulated the encrypted passwords. Then the clear text would never need to exist in any form. Only the encrypted form of the password is needed. Use a script to swap between two different encrypted forms.

If you are a GUI user then you could tie the actions to a couple of custom button actions. Switch to low security passwords during the day and then back to high security passwords when leaving for the day. Or whatever schedule you desire.

The reason for passwords being in the shadow file is to prevent them being cracked offline by a personal supercomputer. But if that is unlikely to happen without your knowledge (you can always change your password if you think it has been compromised) then the security risk is small if the encrypted forms are exposed. Since you would be handling them outside of the root protected file you have to consider the risk of exposing the encrypted forms of your password. In the old days the encrypted forms were always available to everyone in the /etc/passwd file. With the larger encryption available today I think the risk is minimal on your private laptop.

The format of the /etc/shadow file is documented in the shadow man page. The 'mkpasswd' utility is also useful in this context.

  man shadow
  man mkpasswd

If it weren't almost midnight my time I would consider tinkering something together for you tonight. Because it is really quite an easy task. :-)

> Well I have a quick&dirty workaround - I have a special account with
> minimal privileges (e.g. with access to network blocked in
> iptables) and really simple password.
>
> I have this user logged in in one text console. So when leaving, I
> can switch to this console (with Alt+Ctrl+F1) and run "vlock
> -a". This is not very elegant, but working...

Clever.

Bob

[1] http://en.wikipedia.org/wiki/Expect
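A sketch of the hash-swapping script described in the reply above, added here as an example and not code from the original post or its author: it toggles one user's password field in a shadow-format file between two pre-computed hashes, so the clear text never appears. The function name, the `alice` account and the hash strings are constructed placeholders, and the file path is a parameter so the script can be tried on a copy first.

```python
import os
import tempfile

# Constructed placeholder values, not real hashes; generate your own with mkpasswd.
HIGH = "$6$constructedsalt$HIGHSECURITYHASHPLACEHOLDER"
LOW = "$6$constructedsalt$LOWSECURITYHASHPLACEHOLDER"
SAMPLE = "root:!:19000:0:99999:7:::\nalice:" + HIGH + ":19000:0:99999:7:::\n"


def swap_shadow_hash(path, user, hash_a, hash_b):
    """Toggle user's password field between two known hashes; return the new one."""
    # Assumption: nothing else edits the file concurrently; no lock is taken here.
    for h in (hash_a, hash_b):
        if not h or ":" in h or "\n" in h:  # would break the record layout
            raise ValueError("value is not usable as a shadow password field")
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    new_hash = None
    for i, line in enumerate(lines):
        fields = line.split(":")
        if fields[0] != user:
            continue
        if len(fields) != 9:  # shadow(5) records have nine fields
            raise ValueError("malformed record for " + user)
        if fields[1] not in (hash_a, hash_b):
            raise ValueError("current field is neither known hash; refusing to edit")
        new_hash = hash_b if fields[1] == hash_a else hash_a
        fields[1] = new_hash
        lines[i] = ":".join(fields)
        break
    if new_hash is None:
        raise KeyError(user)
    st = os.stat(path)
    # mkstemp creates the file 0600 in the same directory, so the rename is
    # atomic and the hashes are never readable by other users in between.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
            f.flush()
            os.fsync(f.fileno())
        os.chown(tmp, st.st_uid, st.st_gid)   # keep the original owner and group
        os.chmod(tmp, st.st_mode & 0o7777)    # keep the original permission bits
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return new_hash
```

Refusing to edit when the current field matches neither known hash means a password changed by other means is never silently overwritten.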