nuvious / pam-duress

A Pluggable Authentication Module (PAM) which allows the establishment of alternate passwords that can be used to perform actions to clear sensitive data, notify IT/Security staff, close off sensitive network connections, etc., if a user is coerced into giving a threat actor a password.
GNU Lesser General Public License v3.0

/etc/duress.d scripts should run after ~/.duress scripts #21

Closed nuvious closed 2 years ago

nuvious commented 3 years ago

/etc/duress.d scripts should be run after ~/.duress scripts to allow for a script to be implemented that removes pam-duress itself as a cleanup action. In the current implementation, one would have to write a delayed-action script to remove pam-duress system-wide, which, if misconfigured, may allow an attacker to see the module's presence after the attacker has dropped to a user shell.

nuvious commented 2 years ago

Closed in most recent PR. Merged on my end based on personal testing. Couldn't find a reviewer, unfortunately.