How to trigger a system self destruct when a certain password is entered
Idea #1 - Hidden OS
As an alternative method you could make use of TrueCrypt's "Hidden Operating System". This allows you to access a fake alternative OS when a certain password is used, rather than the primary OS.
excerpt
If your system partition or system drive is encrypted using TrueCrypt, you need to enter your pre-boot authentication password in the TrueCrypt Boot Loader screen after you turn on or restart your computer. It may happen that you are forced by somebody to decrypt the operating system or to reveal the pre-boot authentication password. There are many situations where you cannot refuse to do so (for example, due to extortion). TrueCrypt allows you to create a hidden operating system whose existence should be impossible to prove (provided that certain guidelines are followed — see below). Thus, you will not have to decrypt or reveal the password for the hidden operating system.
Bruce Schneier covers the efficacy of using these (Deniable File Systems), so you might want to investigate it further before diving in.
The whole idea of Deniable Encryption is a bit of a can of worms, so caution around using it in certain situations needs to be well thought out ahead of time.
Idea #2 - Add a script to /etc/passwd
You can insert alternative scripts to a user's entry in the /etc/passwd file.
Example
# /etc/passwd
tla:TcHypr3FOlhAg:237:20:Ted L. Abel:/u/tla:/usr/local/etc/sdshell
You could set up a user's account so that it runs a script such as /usr/local/etc/sdshell which will check to see what password was provided. If it's the magical password that triggers the wipe, it could begin this process (backgrounded even) and either drop to a shell or do something else.
If the password provided is not this magical password, then continue on running a normal shell, /bin/bash, for example.
Source: 19.6.1 Integrating One-Time Passwords with Unix
My approach for this would be to trigger the self destruct in a pam module. There are mechanisms to catch the password with a script, check if it's the "special" one and start the self destruct process.
Write a line in your /etc/pam.d/common-auth as first line like this:
auth optional pam_exec.so debug expose_authtok /etc/security/suicide.sh
(or for example in /etc/pam.d/gdm if you just want it to work with authentication via gdm)
expose_authtok causes the pam_exec.so module to deliver the password via stdin to the login script called /etc/security/suicide.sh. This script would be run with root privileges and would for example look like this:
#!/bin/bash
# read the user's password from stdin (pam_exec.so gives the provided password
# if invoked with expose_authtok); -r keeps backslashes in the password intact
read -r password
# if it's an authentication and it's the user "user" and the special password
if [ "$PAM_TYPE" == "auth" ] && [ "$PAM_USER" == "user" ] && [ "$password" == "magic" ]; then
    # do whatever you want in the background and the authentication could continue
    # normally as though nothing had happened
    exit 0
else
    exit 0
fi
It would work even if you change the password of the "normal" user.
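Both hooks described above (a custom login shell in /etc/passwd, and a pam_exec.so line with expose_authtok) hand control or the cleartext password to an external program, so they are worth checking for when auditing a host. The following is an added example, not part of the original answers; the function names, the allow-list and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Audit helpers for the two login hooks discussed on this page.
# All sample data below is constructed; nothing is read from the live system.

# stdin: PAM config text. Prints "LINE:COMMAND" for every active pam_exec.so
# entry that uses expose_authtok (the command receives the password on stdin).
find_authtok_hooks() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        /pam_exec\.so/ && /expose_authtok/ {
            cmd = "(none)"; seen = 0
            for (i = 1; i <= NF; i++) {
                # first absolute path after the module name is the command
                if (seen && $i ~ /^\//) { cmd = $i; break }
                if ($i ~ /pam_exec\.so$/) seen = 1
            }
            print NR ":" cmd
        }'
}

# $1: space-separated allow-list of login shells (e.g. built from /etc/shells).
# stdin: passwd text. Prints "USER:SHELL" for shells outside the allow-list.
find_unlisted_shells() {
    awk -F: -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 7 && !($7 in ok) { print $1 ":" $7 }'
}

# Constructed sample inputs.
SAMPLE_PAM='# sample /etc/pam.d/common-auth
auth optional pam_exec.so debug expose_authtok /etc/security/suicide.sh
auth [success=1 default=ignore] pam_unix.so nullok
auth optional pam_exec.so /usr/local/bin/notify.sh'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tla:x:237:20:Ted L. Abel:/u/tla:/usr/local/etc/sdshell
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin'

ALLOWED_SHELLS='/bin/sh /bin/bash /usr/sbin/nologin'

printf '%s\n' "$SAMPLE_PAM" | find_authtok_hooks
printf '%s\n' "$SAMPLE_PASSWD" | find_unlisted_shells "$ALLOWED_SHELLS"
```

On a real host, feed each file under /etc/pam.d/ to find_authtok_hooks separately so the line numbers stay meaningful, and build the allow-list from /etc/shells.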
Just so you know, if anyone from the gov etc. does grab your computer, the first thing they will do is copy the drive bit for bit and work off the copy. Same thing is done anytime someone does computer forensics, so if you damage while analyzing a drive you only damage the copy.
So let's say the big bad NSA takes your computer and puts your thumbs in a vice to get you to tell them the password. When you give them the wrong password then it will just del the copy and not the original. Now they know you're messing with them.
So any use of a kill password would only be effective if you ran it before anyone got a hold of your system. So all it would do is give you a complicated way of executing something you could alias.