PAM script login / disk formatting

shayan35

New Member
Joined
Nov 23, 2022
Messages
1
Reaction score
1
Credits
14
Hello to all !


I'm coming to you for help with a personal project

In a few words :

When opening the Ubuntu session I would like a script to be activated when a user enters a wrong password

The script should run for example after the 3rd try and if the 3rd try is wrong, a partition or complete disk formatting command is executed with a reboot

I have seen some scripts with PAM but nothing concrete

A little help would be welcome

Thanks in advance for your help and have a nice day !
 


Alas, a challenging task you speak of, but it sounds to me like I'm reading an XY problem.
See https://en.wikipedia.org/wiki/XY_problem.

What do you want to achieve after the 3rd failure to login occurs? If you want to prevent further login attempts and lock the user out, there are robust and reliable ways of doing that other than the radical move of reformatting a partition ... but you may have something else in mind.

On the face of it, as far as I understand what you want, to clear the partition of the user and reformat it after login failure, the part of the filesystem where the user's home directory is located would best be on a separate partition itself, which is not the usual way in which home directories are set by default on linux installations. The default arrangement is based on directories for users rather than partitions, though the home directory itself that houses the users may be a separate partition. So, to achieve your goal as I understand it, you would need to have a multiplicity of partitions for users rather just directories. I guess this could be set up at installation, or created on the fly with a means of creating or allocating a partition to the new user whenever they are added to the system ... perhaps using lvm or btrfs or zfs, but I can't say more on the capabilities of those systems. In any case, the task may or may not need PAM, but rather just a shell script or other other executable that you create.
 
This sounds like a very, very bad idea.

All it takes is a wonky keyboard, caps lock, or something just mashing buttons and you've removed a bunch of seemingly important data.

There's gotta be a better way to secure your data.
 
It's not recommended to perform such extreme actions like formatting a partition or disk on failed login attempts, as this can result in unintended data loss. It's better to use a more moderate approach such as disabling the account or notifying the system administrator.

That being said, if you still want to implement such a script, you can use the pam_tally2 module to count the number of failed login attempts and execute a command after a certain threshold is reached.

Here's an example of how you can achieve this:

  1. Install the pam_tally2 module if it's not already installed:
csharpCopy code
sudo apt-get install libpam-tally2

  1. Create a script that performs the formatting command and reboot. For example, let's call it format_and_reboot.sh:
bashCopy code
#!/bin/bash
# Replace /dev/sda1 with the partition you want to format
sudo mkfs.ext4 /dev/sda1
sudo reboot

  1. Edit the PAM configuration file /etc/pam.d/common-auth to add the pam_tally2 module and the command to execute when the threshold is reached:
cssCopy code
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
auth [default=ignore] pam_exec.so /path/to/format_and_reboot.sh

This configuration will lock the account after 3 failed login attempts (deny=3) and execute the format_and_reboot.sh script (pam_exec.so) after the lockout period (unlock_time=300).

Note: Make sure to test this configuration thoroughly before implementing it on a production system, as it can have unintended consequences.
 
Hello to all !


I'm coming to you for help with a personal project

In a few words :

When opening the Ubuntu session I would like a script to be activated when a user enters a wrong password

The script should run for example after the 3rd try and if the 3rd try is wrong, a partition or complete disk formatting command is executed with a reboot

I have seen some scripts with PAM but nothing concrete

A little help would be welcome

Thanks in advance for your help and have a nice day !
You don't understand linux security or why passwords and encryption are used, do you?

Sorry if this seems harsh, but idea will not work.
 
The OP is looking for a self-destruct mechanism that triggers on the third failed login attempt. Such a policy is very dangerous and drastic. I assume that the OP requires a self-destruct that can resist forensic examination to prevent data recovery by an adversary. The question is: Who?

The OP did not describe the use case that justifies such action, but an example might be a news reporter in an authoritarian country, a war-crimes investigator protecting sources, or a non-governmental organization providing aid to refugees, etc. Keep in mind that well-funded adversaries (like governments) know about self-destruct triggers and they know how to conduct searches in ways that do not invoke the data wiping mechanism.

There are many objectionable motives for the policy you describe, like those who want to leave logic bombs in someone else's systems for blackmail, ransomware, or revenge. The target could be a system owned by the current employer, for example. There are other objectionable groups that may want data destruction triggers on their systems, such as terrorists or agents of a foreign adversary.

-> The OP (and others who followed) have not told us whether this capability would be installed with the full knowledge of those who own the system and the data, or whether it would be installed surreptitiously.

DRIVES WITH SELF-DESTRUCT TRIGGERS

Encrypted drives with self-destruct triggers are readily available (and relatively low cost) in the commercial world. I have encrypted flash drives that automatically self-destruct after too many consecutive failed unlock attempts. They "burn" (overwrite) the strong encryption key that secures the data. Most self-destruction trigger that I have seen are set to ten failed attempts; a few are configurable. In the past, you could buy drives with special physical "keys" that you must plug in to unlock them. I am not sure whether they are still available. There are ways you can create them for yourself. See below.

Commercially available encrypted drives (e.g., encrypted flash drives) are a simple, easy, and relatively low cost solution for many use cases. Most of them have a self-destruct mechanism, but they are usually set to ten failed attempts, not three.

OTHER SOLUTIONS: ENCRYPTION

Another possible solution is whole disk encryption on laptops and external drives. It is easily enabled on most operating systems, including Linux, Windows, and Mac. Depending on the data and how it is used, you can also create encrypted files that mount as virtual drives.

(By the way, the first thing I do with a new laptop is enable full disk encryption ... before I put any of my personal data on it. I use a dummy password until it is encrypted, too. Once encrypted, I change the password, configure it, and put my personal data on it.)

Encrypted drives will not "self-destruct" automatically, but without the unlock passphrase, they may be sufficient.

Another approach to self-destructing encryption would be to create encrypted drives or files that are unlocked using a physical token in your possession. Some tokens will "reset" after a certain number of failed pin attempts. Your ability to physically destroy the token may be a consideration. I have not tried creating my own token-based encrypted drives ... yet. (But I have a new Yubikey that I have been eager to try.)

RECOMMENDATION:

I would start with the threat model. Figure out the threats you are protecting against first, then go from there. Once you understand the problem (the requirements), then you can work out which solutions will secure your data sufficiently. A policy of "three failed logins then destroy everything" seems rather drastic for most threat models. Does your threat model really justify such a policy?

P.S. (added later): LEGAL CONSIDERATIONS:

There are also legal considerations when encrypting drives or installing self-destruct mechanisms. They vary by country and jurisdiction. In some places you can be sent to prison for failing to decrypt a drive. In others, you may be subject to liability for data destruction, or criminal charges for knowing destruction of evidence. In some places you can be compelled to provide a token, a fingerprint, or camera view of your face to unlock encryption, but you cannot be compelled to provide a password or passphrase. Much of the law that revolves around unlocking encrypted devices remains untested or in dispute. Be aware of the legal ramifications of any solution you evaluate.


A VERY IMPORTANT NOTE:
If anyone here is among the rare group who can morally justify a self-destruct policy like that, then you should not be popping up on a public forum to ask the question. You need professional, expert help on much more than basic data security.
 
Last edited:
The OP is looking for a self-destruct mechanism that triggers on the third failed login attempt. Such a policy is very dangerous and drastic. I assume that the OP requires a self-destruct that can resist forensic examination to prevent data recovery by an adversary. The question is: Who?

The OP did not describe the use case that justifies such action, but an example might be a news reporter in an authoritarian country, a war-crimes investigator protecting sources, or a non-governmental organization providing aid to refugees, etc. Keep in mind that well-funded adversaries (like governments) know about self-destruct triggers and they know how to conduct searches in ways that do not invoke the data wiping mechanism.

There are many objectionable motives for the policy you describe, like those who want to leave logic bombs in someone else's systems for blackmail, ransomware, or revenge. The target could be a system owned by the current employer, for example. There are other objectionable groups that may want data destruction triggers on their systems, such as terrorists or agents of a foreign adversary.

-> The OP (and others who followed) have not told us whether this capability would be installed with the full knowledge of those who own the system and the data, or whether it would be installed surreptitiously.

DRIVES WITH SELF-DESTRUCT TRIGGERS

Encrypted drives with self-destruct triggers are readily available (and relatively low cost) in the commercial world. I have encrypted flash drives that automatically self-destruct after too many consecutive failed unlock attempts. They "burn" (overwrite) the strong encryption key that secures the data. Most self-destruction trigger that I have seen are set to ten failed attempts; a few are configurable. In the past, you could buy drives with special physical "keys" that you must plug in to unlock them. I am not sure whether they are still available. There are ways you can create them for yourself. See below.

Commercially available encrypted drives (e.g., encrypted flash drives) are a simple, easy, and relatively low cost solution for many use cases. Most of them have a self-destruct mechanism, but they are usually set to ten failed attempts, not three.

OTHER SOLUTIONS: ENCRYPTION

Another possible solution is whole disk encryption on laptops and external drives. It is easily enabled on most operating systems, including Linux, Windows, and Mac. Depending on the data and how it is used, you can also create encrypted files that mount as virtual drives.

(By the way, the first thing I do with a new laptop is enable full disk encryption ... before I put any of my personal data on it. I use a dummy password until it is encrypted, too. Once encrypted, I change the password, configure it, and put my personal data on it.)

Encrypted drives will not "self-destruct" automatically, but without the unlock passphrase, they may be sufficient.

Another approach to self-destructing encryption would be to create encrypted drives or files that are unlocked using a physical token in your possession. Some tokens will "reset" after a certain number of failed pin attempts. Your ability to physically destroy the token may be a consideration. I have not tried creating my own token-based encrypted drives ... yet. (But I have a new Yubikey that I have been eager to try.)

RECOMMENDATION:

I would start with the threat model. Figure out the threats you are protecting against first, then go from there. Once you understand the problem (the requirements), then you can work out which solutions will secure your data sufficiently. A policy of "three failed logins then destroy everything" seems rather drastic for most threat models. Does your threat model really justify such a policy?

P.S. (added later): LEGAL CONSIDERATIONS:

There are also legal considerations when encrypting drives or installing self-destruct mechanisms. They vary by country and jurisdiction. In some places you can be sent to prison for failing to decrypt a drive. In others, you may be subject to liability for data destruction, or criminal charges for knowing destruction of evidence. In some places you can be compelled to provide a token, a fingerprint, or camera view of your face to unlock encryption, but you cannot be compelled to provide a password or passphrase. Much of the law that revolves around unlocking encrypted devices remains untested or in dispute. Be aware of the legal ramifications of any solution you evaluate.


A VERY IMPORTANT NOTE:
If anyone here is among the rare group who can morally justify a self-destruct policy like that, then you should not be popping up on a public forum to ask the question. You need professional, expert help on much more than basic data security.
It should be known that formatting and deletion are two different things, even though formatting does erase data in the process.
 

Staff online

Members online


Top