
Thread: Different password for screen lock?

  1. #11

    Re: Different password for screen lock?

    Quote Originally Posted by wolfi323
    > But you would have to grant that dummy user access to your X session with "xhost".

    Sorry, actually this is _not_ necessary.

    One easy way to create an icon on the desktop (in KDE) would be:
    - Right-click on the folderview and select "Create New"->"Link to Program..." in the context menu
    - If you want to, change the icon's label and icon on the "General" tab
    - Switch to the "Application" tab and enter "/usr/bin/xlock" into the "Command:" field
    - Click on "Advanced Options", activate "Run as a different user" and enter the name of your dummy user into the "Username:" field below
    - Click "OK"

    You should now have an icon on your desktop (in the folderview plasmoid) that would lock your screen, requiring your dummy user's password to unlock it.
    You can of course also drag it out of the folderview to anywhere else on your desktop; it will then be changed to a plasmoid, which you can freely position anywhere you like (you could even put it into the panel).
    The only drawback is that you have to enter the dummy user's password already for _locking_ the screen. I have no idea how this could be workarounded (making /usr/bin/xlock owned by the dummy user and setting the setuid bit _doesn't_ work, I already tried that).

  2. #12

    Re: Different password for screen lock?

    wolfi323 wrote:
    > The only drawback is, you have to enter the dummy user's password
    > already for _locking_ the screen. I have no idea how this could be
    > workarounded (making /usr/bin/xlock owned by the dummy user and setting
    > the setuid bit _doesn't_ work, I already tried that).


    A setting in /etc/sudoers?

  3. #13
    Join Date: Jun 2008
    Location: Hessia
    Posts: 303

    Re: Different password for screen lock?

    Quote Originally Posted by ab
    > On 09/24/2013 06:16 AM, STurtle wrote:
    > I would not, and do not, rely on the BIOS for anything anymore, primarily
    > because it takes about two minutes to remove a hard drive and then all you
    > have is (possibly) the hard drive protection.

    I thought the point of the HDD password was to encrypt the whole device? Now, of course, one never knows whether the manufacturer built in a backdoor, but given this "virus-set-HDD-password-on-HDDs-with-no-password-set" scare that went around a few years back, I thought these HDD passwords were actually quite good. The benefit is that this method is multi-boot friendly, and sadly I still need to boot Windows every now and then.

  4. #14
    Join Date: Jun 2008
    Location: Hessia
    Posts: 303

    Re: Different password for screen lock?

    Quote Originally Posted by robin_listas
    > On 2013-09-24 14:16, STurtle wrote:
    > Are you using HDD firmware password? How do you do that? Does the bios
    > ask for the password prior to booting?

    Yes. I set the password through BIOS options, and the first thing the machine does upon activation is asking for fingerprint and a password. Only if these are correct, the machine proceeds to GRUB2.



    @ALL: Thanks for the suggestion with the dummy user, I might try that.

    As for the SSH, I thought about it and I think I can actually lock that out entirely on my own machine, but not on the machines that I maintain (since it makes it easier to maintain them). However, even if I lock out SSH, would it be safe to use an old-time password with, say, just 8 characters as a user password?

    I mean, I am not too worried about security. Sensitive data is stored in encfs files anyway, but I am worried by security holes in software that uses the internet, say, a browser, but then again, these run with user rights already, so there is not much point in a strong user password, once ssh is locked out, or is there?

  5. #15

    AW: Re: Different password for screen lock?

    Quote Originally Posted by djh-novell
    > wolfi323 wrote:
    >> The only drawback is, you have to enter the dummy user's password
    >> already for _locking_ the screen. I have no idea how this could be
    >> workarounded (making /usr/bin/xlock owned by the dummy user and setting
    >> the setuid bit _doesn't_ work, I already tried that).
    >
    > A setting in /etc/sudoers?

    Won't help because kdesu (what is used by the "Run as different user" functionality) uses "su" by default.
    But it can be configured to use "sudo" instead: Default kdesu to use sudo and not su | Free Techie Blog

    For switching to root, a line like this, for example, in /etc/sudoers would work then (no root password needed):
    Code:
    user ALL=(ALL) NOPASSWD: ALL
    but this has no effect when switching to the dummy user. In this case kdesu apparently still uses "su"...

    And using sudo directly doesn't work either, because xlock can't open the display then.

  6. #16

    Re: Different password for screen lock?

    Quote Originally Posted by wolfi323
    > And using sudo directly doesn't work either, because xlock can't open the display then.

    OK, it _does_ work with sudo, but you have to do those things:
    - you have to grant the dummy user access to your X display, by running this as your standard user (not root!):
    Code:
    xhost si:localuser:dummy_user_name
    - you have to pass the $DISPLAY environment variable to xlock. Examples on how to do that:
    Code:
    # sudo -u dummy_user_name DISPLAY=$DISPLAY xlock
    # sudo -u dummy_user_name xlock -display $DISPLAY
    or configure sudo to pass $DISPLAY on automatically. I'll leave that as exercise for the reader though...

  7. #17

    Re: Different password for screen lock?

    wolfi323 wrote:
    > And using sudo directly doesn't work either, because xlock can't open
    > the display then.


    http://www.rainydayz.org/content/all...n-running-sudo

  8. #18

    Re: Different password for screen lock?

    Quote Originally Posted by djh-novell
    > wolfi323 wrote:
    >> And using sudo directly doesn't work either, because xlock can't open
    >> the display then.
    >
    > Allowing access to X when running sudo | www.rainydayz.org

    OK, merging an entry to the dummy user's .Xauthority file should work as well I guess instead of my "xhost" line (don't want to try this right now).

    But you still have to pass the $DISPLAY variable as I explained in my last post (on openSUSE sudo is configured to not pass this by default).
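
As an added example (not part of any post in this thread): a least-privilege variant of the sudo approach from posts #15 to #18. Instead of `NOPASSWD: ALL`, it generates a sudoers rule that lets one user run only `/usr/bin/xlock`, without arguments, as the lock account, keeps `DISPLAY`, and revokes the xhost grant after unlocking. The account names `alice` and `locker` and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. "alice" (desktop user) and "locker"
# (lock-only account) are assumed names; /usr/bin/xlock is the thread's path.

# Print a sudoers drop-in: $1 may run xlock, with no arguments, as $2 only.
make_sudoers_rule() {
    main_user=$1
    lock_user=$2
    for name in "$main_user" "$lock_user"; do
        # Plain lowercase account names only, so no sudoers syntax
        # (commas, colons, ALL, newlines) can be smuggled into the file.
        case $name in
            ''|-*|*[!a-z0-9_-]*) echo "bad user name: $name" >&2; return 1 ;;
        esac
    done
    # openSUSE's sudo does not pass DISPLAY by default (see post #18).
    printf 'Defaults>%s env_keep += "DISPLAY"\n' "$lock_user"
    # The trailing "" forbids arguments.
    printf '%s ALL=(%s) NOPASSWD: /usr/bin/xlock ""\n' "$main_user" "$lock_user"
}

# Accept only local X displays such as ":0" or ":1.0".
valid_local_display() {
    case $1 in
        :[0-9]|:[0-9][0-9]|:[0-9].[0-9]|:[0-9][0-9].[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Grant the lock account X access, lock, then revoke the grant after unlock.
lock_screen() {
    lock_user=$1
    valid_local_display "${DISPLAY:-}" || { echo "no local DISPLAY" >&2; return 1; }
    xhost "+si:localuser:$lock_user" >/dev/null || return 1
    sudo -n -u "$lock_user" /usr/bin/xlock   # -n: fail instead of prompting
    status=$?
    xhost "-si:localuser:$lock_user" >/dev/null
    return "$status"
}

# Usage (as root):  make_sudoers_rule alice locker > /etc/sudoers.d/xlock
# Usage (as alice): lock_screen locker
```

Check the generated file with `visudo -cf` before installing it; a syntax error in a sudoers drop-in can break sudo.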

  9. #19

    Re: Different password for screen lock?

    On 09/25/2013 02:46 AM, STurtle wrote:
    > @ALL: Thanks for the suggestion with the dummy user, I might try that.
    >
    > As for the SSH, I thought about it and I think I can actually lock that
    > out entirely on my own machine, but not on the machines that I maintain
    > (since it makes it easier to maintain them). However, even if I lock out
    > SSH, would it be safe to use an old-time password with, say, just 8
    > characters as a user password?


    Just to be clear, in case you are referring to my response when you refer
    to locking out SSH, that was not my proposal. I would suggest locking out
    password-based authentication via SSH and then access the systems entirely
    with keys. Doing so means that your logins are far more secure (because
    keys are harder to steal than passwords) and even faster (because the
    system handles the keys for you after you enter your passphrase protecting
    the key on your local system once).

    One potential problem with this approach may arise if you have other users
    who access the same systems via SSH. They, too, would need to learn to
    use keys, though that's a training issue and a skill from which I can
    guarantee they would benefit immensely and thank you for in the future.

    Good luck.

  10. #20
    Join Date: Feb 2009
    Location: Spain
    Posts: 25,547

    Re: Different password for screen lock?

    On 2013-09-25 10:46, STurtle wrote:
    >
    > robin_listas;2587314 Wrote:
    >> On 2013-09-24 14:16, STurtle wrote:
    >> Are you using HDD firmware password? How do you do that? Does the bios
    >> ask for the password prior to booting?
    >
    > Yes. I set the password through BIOS options, and the first thing the
    > machine does upon activation is asking for fingerprint and a password.
    > Only if these are correct, the machine proceeds to GRUB2.


    But then, it does not ask for the hard disk password? Or is the
    fingerprint for the bios and the password for the disk?

    In fact, you are the first person I meet that says he is using this
    feature. If you feel it is improper to talk about this in this thread,
    I'd be happy to start another one.


    My bios allows setting a password for the bios, but I have not seen
    where to set up a password for the hard disk (in any machine I have
    handled). Maybe your machine is special.

    AFAIK, the only way to set it up is with hdparm.


    This is the only text I have found in Linux talking about it:


    NAME
        hdparm - get/set SATA/IDE device parameters
    ....
    ATA Security Feature Set

        These switches are DANGEROUS to experiment
        with, and might not work with some kernels.
        USE AT YOUR OWN RISK.
    ....

    --security-set-pass PWD
        Lock the drive, using password PWD (Set
        Password) (DANGEROUS). Password is
        given as an ASCII string and is padded
        with NULs to reach 32 bytes. Use the
        special password NULL to set an empty
        password. The applicable drive password
        is selected with the --user-master
        switch (default is "user" password) and
        the applicable security mode with the
        --security-mode switch. No other
        options are permitted on the command
        line with this one.
    ....
    --security-mode MODE
        Specifies which security mode (high/maximum)
        to set. Defaults to high. Only useful in
        combination with --security-set-pass.
            h    high security
            m    maximum security

        THIS FEATURE IS EXPERIMENTAL AND NOT
        WELL TESTED. USE AT YOUR OWN RISK.



    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)
