How can I set a different password for the screen lock mechanism?
I’m on Suse 12.3 with KDE 4.10.5. Since I sometimes need to ssh into my machine, I choose a long and strong account password. For boot-up, I use auto-login, since the laptop’s bios secures booting both with a fingerprint-scan and a password for the hdd (which I think is good enough - or is it not?)
However, whenever I shortly leave my machine or even suspend it to ram, I need the long password which is annoying (since I need to look it up in my password safe), so I sometimes do not lock it. However, I fear that my kids might try typing around on the keyboard at home, or that office mates might pull a prank at the office. So a simple password with 6 or 8 characters would suffice for the screen lock.
On 09/24/2013 06:16 AM, STurtle wrote:
>
> How can I set a different password for the screen lock mechanism?
>
> I’m on Suse 12.3 with KDE 4.10.5. Since I sometimes need to ssh into my
> machine, I choose a long and strong account password. For boot-up, I use
> auto-login, since the laptop’s bios secures booting both with a
> fingerprint-scan and a password for the hdd (which I think is good
> enough - or is it not?)
I would not, and do not, rely on the BIOS for anything anymore, primarily
because it takes about two minutes to remove a hard drive and then all you
have is (possibly) the hard drive protection. Encrypting the entire drive
with a strong passphrase, though, does a good job for these types of
attacks, and includes startup.
Regarding your SSH concerns, I would recommend disabling password-based
logins for all users and then setup an SSH key for access. Forging one of
those is much harder than guessing any reasonable password, and it also
means you can speed up your access by no longer needing to type the
password for every operation done (SSH, SCP, SFTP, etc.). All attempts to
login via passwords from would-be intruders are destined to fail and you
can use things like fail2ban to quickly block their IPs entirely, further
protecting your system.
AFAIK not possible at the moment with the default desktop locker/screensaver. It’s simply the user password the locker asks for, not just some password. So, either change your user’s password to something you can remember, or learn the “hard” password by heart. But, you might take a look at the xlockmore package. From
xlock -help
I get that one can provide a separate password for it.
> Regarding your SSH concerns, I would recommend disabling password-based
> logins for all users and then setup an SSH key for access. Forging one of
> those is much harder than guessing any reasonable password, and it also
> means you can speed up your access by no longer needing to type the
> password for every operation done (SSH, SCP, SFTP, etc.). All attempts to
> login via passwords from would-be intruders are destined to fail and you
> can use things like fail2ban to quickly block their IPs entirely, further
> protecting your system.
On the other hand, once somebody gains access to your account, he has
automatically access to all the sites you use ssh on. No password,
remember…
--
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
On 2013-09-24 14:16, STurtle wrote:
>
> How can I set a different password for the screen lock mechanism?
>
> I’m on Suse 12.3 with KDE 4.10.5. Since I sometimes need to ssh into my
> machine, I choose a long and strong account password. For boot-up, I use
> auto-login, since the laptop’s bios secures booting both with a
> fingerprint-scan and a password for the hdd (which I think is good
> enough - or is it not?)
Are you using HDD firmware password? How do you do that? Does the bios
ask for the password prior to booting?
> However, whenever I shortly leave my machine or even suspend it to ram,
> I need the long password which is annoying, so I sometimes do not lock
> it. However, I fear that my kids might try typing around on the keyboard
> at home, or that office mates might pull a prank at the office. So a
> simple password with 6 or 8 characters would suffice for the screen
> lock.
Interesting. I would like that, too. No, I’m not aware of such a feature.
--
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
Not really, it asks for the password of the user who started it, see “man xlock”:
DESCRIPTION
xlock locks the X server till the user enters their password at the
keyboard. While xlock is running, all new server connections are
refused. The screen saver is disabled. The mouse cursor is turned
off. The screen is blanked and a changing pattern is put on the
screen. If a key or a mouse button is pressed then the user is
prompted for the password of the user who started xlock.
But then there’s also the “allowroot” option:
-/+allowroot
The allowroot option allows the root password to unlock the server
as well as the user who started xlock. May not be able to turn
this on and off depending on your system and how xlock was config-
ured.
So you would have at least the option to use two different passwords.
Could he create a new kind of (dummy) user with an easy password and write a short shell script to “su” into that account and start xlock?
The script could be put as an icon onto the desktop.
The downside: The password would have to be entered one more time or put into the script. So that dummy user shouldn’t have any permissions at all aside from xlock and it may still be a security risk.
One easy way to create an icon on the desktop (in KDE) would be:
Right-click on the folderview and select “Create New”->“Link to Program…” in the context menu
If you want to, change the icon’s label and icon on the “General” tab
Switch to the “Application” tab and enter “/usr/bin/xlock” into the “Command:” field
Click on “Advanced Options”, activate “Run as a different user” and enter the name of your dummy user into the “Username:” field below
Click “OK”
You should now have an icon on your desktop (in the folderview plasmoid), that would lock your screen requiring your dummy user’s password to unlock it.
You can of course also drag it out of the folderview to anywhere else on your desktop, it will be changed to a plasmoid then which you can freely position anywhere you like (you could even put it into the panel).
The only drawback is, you have to enter the dummy user’s password already for locking the screen. I have no idea how this could be workarounded (making /usr/bin/xlock owned by the dummy user and setting the setuid bit doesn’t work, I already tried that).
wolfi323 wrote:
> The only drawback is, you have to enter the dummy user’s password
> already for locking the screen. I have no idea how this could be
> workarounded (making /usr/bin/xlock owned by the dummy user and setting
> the setuid bit doesn’t work, I already tried that).
I thought the point of the HDD password was to encrypt the whole device? Now, of course, one never knows whether the manufacturer built-in a backdoor, but given this “virus-set-HDD-password-on-HDDs-with-no-password-set-scare that went around a few years back”, I thought these HDD passwords were actually quite good. The benefit is that this method is multi-boot friendly, and sadly I still need to boot Windows every now and then.
Yes. I set the password through BIOS options, and the first thing the machine does upon activation is asking for fingerprint and a password. Only if these are correct, the machine proceeds to GRUB2.
@ALL: Thanks for the suggestion with the dummy user, I might try that.
As for the SSH, I thought about it and I think I can actually lock that out entirely on my own machine, but not on the machines that I maintain (since it makes it easier to maintain them). However, even if I lock out SSH, would it be safe to use an old-time password with, say, just 8 characters as a user password?
I mean, I am not too worried about security. Sensitive data is stored in encfs files anyway, but I am worried by security holes in software that uses the internet, say, a browser, but then again, these run with user rights already, so there is not much point in a strong user password, once ssh is locked out, or is there?
On 09/25/2013 02:46 AM, STurtle wrote:
> @ALL: Thanks for the suggestion with the dummy user, I might try that.
>
> As for the SSH, I thought about it and I think I can actually lock that
> out entirely on my own machine, but not on the machines that I maintain
> (since it makes it easier to maintain them). However, even if I lock out
> SSH, would it be safe to use an old-time password with, say, just 8
> characters as a user password?
Just to be clear, in case you are referring to my response when you refer
to locking out SSH, that was not my proposal. I would suggest locking out
password-based authentication via SSH and then access the systems entirely
with keys. Doing so means that your logins are far more secure (because
keys are harder to steal than passwords) and even faster (because the
system handles the keys for you after you enter your passphrase protecting
the key on your local system once).
One potential problem with this approach may arise if you have other users
who access the same systems via SSH. They, too, would need to learn to
use keys, though that’s a training issue and a skill from which I can
guarantee they would benefit immensely and thank-you for in the future.
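The recommendation in the two replies above (turn off password-based SSH logins and use keys) can be checked against a server's configuration. The script below is an added example, not part of any post in this thread; it assumes OpenSSH's sshd_config keyword names and defaults, and the function names and sample configs are constructed for illustration.

```sh
#!/bin/sh
# Added example: does this sshd_config still allow password logins?
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive. Lines after the first "Match" are conditional and skipped.

# effective_value KEYWORD_REGEX DEFAULT FILE -> first global value, else DEFAULT
effective_value() {
    awk -v keys="$1" -v def="$2" '
        BEGIN { val = def }
        /^[ \t]*#/ || NF == 0 { next }              # comments, blank lines
        tolower($1) == "match" { exit }             # end of global section
        tolower($1) ~ ("^(" keys ")$") { val = tolower($2); exit }
        END { print val }
    ' "$3"
}

# audit_sshd FILE -> prints findings; returns 1 if a password can still log in
audit_sshd() {
    pw=$(effective_value 'passwordauthentication' yes "$1")
    # ChallengeResponseAuthentication is the older name of the same option
    kbd=$(effective_value 'kbdinteractiveauthentication|challengeresponseauthentication' yes "$1")
    pam=$(effective_value 'usepam' no "$1")
    key=$(effective_value 'pubkeyauthentication' yes "$1")
    rc=0
    [ "$pw" = no ] || { echo "FAIL PasswordAuthentication=$pw"; rc=1; }
    # With UsePAM yes, keyboard-interactive can still ask for the account password
    if [ "$kbd" != no ] && [ "$pam" = yes ]; then
        echo "FAIL keyboard-interactive=$kbd while UsePAM=yes"; rc=1
    fi
    [ "$key" = yes ] || { echo "FAIL PubkeyAuthentication=$key"; rc=1; }
    grep -Eiq '^[[:space:]]*match[[:space:]]' "$1" &&
        echo "NOTE Match blocks present, review them separately"
    [ "$rc" -eq 0 ] && echo "OK password logins off, key logins on"
    return "$rc"
}

# Constructed sample configs (not from any real host)
write_weak() {       # the later "no" is ignored because the first value wins
    printf '%s\n' 'PasswordAuthentication yes' 'UsePAM yes' \
        'passwordauthentication no' > "$1"
}
write_hardened() {
    printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
        'UsePAM yes' 'PubkeyAuthentication yes' > "$1"
}

tmp=$(mktemp -d)
write_weak "$tmp/weak"; write_hardened "$tmp/hardened"
audit_sshd "$tmp/weak" || true
audit_sshd "$tmp/hardened"
rm -rf "$tmp"
```

On a live server, `sshd -T` prints the configuration sshd actually resolved and is the authoritative check.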
On 2013-09-25 10:46, STurtle wrote:
>
> robin_listas;2587314 Wrote:
>> On 2013-09-24 14:16, STurtle wrote:
>> Are you using HDD firmware password? How do you do that? Does the bios
>> ask for the password prior to booting?
> Yes. I set the password through BIOS options, and the first thing the
> machine does upon activation is asking for fingerprint and a password.
> Only if these are correct, the machine proceeds to GRUB2.
But then, it does not ask for the hard disk password? Or is the
fingerprint for the bios and the password for the disk?
In fact, you are the first person I meet that says he is using this
feature. If you feel it is improper to talk about this in this thread,
I’d be happy to start another one.
My bios allows setting a password for the bios, but I have not seen
where to setup a password for the hard disk (in any machine I have
handled). Maybe your machine is special.
AFAIK, the only way to set it up is with hdparm.
This is the only text I have found in Linux talking about it:
NAME
hdparm - get/set SATA/IDE device parameters
…
ATA Security Feature Set
These switches are DANGEROUS to experiment
with, and might not work with some kernels.
USE AT YOUR OWN RISK.
…
--security-set-pass PWD
Lock the drive, using password PWD (Set
Password) (DANGEROUS). Password is
given as an ASCII string and is padded
with NULs to reach 32 bytes. Use the
special password NULL to set an empty
password. The applicable drive password
is selected with the --user-master
switch (default is “user” password) and
the applicable security mode with the
--security-mode switch. No other
options are permitted on the command
line with this one.
…
--security-mode MODE
Specifies which security mode (high/max-
imum) to set. Defaults to high. Only
useful in combination with --security-
set-pass.
h high security
m maximum security
THIS FEATURE IS EXPERIMENTAL AND NOT
WELL TESTED. USE AT YOUR OWN RISK.
--
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)