Secure keyboard input

Posted Nov 22, 2009 19:45 UTC (Sun) by epa (subscriber, #39769)
In reply to: Fedora 12 and unprivileged package installation by drag
Parent article: Fedora 12 and unprivileged package installation

It's trivial to install a keylogger.

Which is why Linux desktops really need a secure attention sequence such as the Ctrl-Alt-Delete used by Windows (and before that, VMS). No application may trap that keystroke, and it leads you to a screen with only the password entry dialogue and (as far as I know) no communication with other parts of the desktop.

It's kind of embarassing that for many years Windows has had better security than Linux in this one area. The 'schoolboy attack' of locking the screen and bringing up a fake password dialogue is also trivial.

So I quite agree that conditioning users to type in their password (or, perhaps worse, the root password) all the time is a terribly bad idea. However, asking them to hit Ctrl-Alt-Delete and enter their password into a secure authentication screen will piss them off, and perhaps also condition them to ignore the boring message and just authorize the action every time, but at least it does not have the problem of keyloggers or trojan websites which pop up 'enter your password' dialogues.

Non-technical users, who (demonstrably) cannot distinguish between genuine password prompts and bogus ones from malware, can at least be told to always hit Ctrl-Alt-Del before entering their password. It may not be enough, but at least it's something.

(For remote access, a remote secure attention sequence is also possible; for example many Windows remote desktop clients have a 'send Ctrl-Alt-Del' menu option, which again cannot be intercepted by ordinary applications.)

Secure keyboard input

Posted Nov 23, 2009 15:58 UTC (Mon) by drag (guest, #31333) [Link] (1 responses)

If Linux can figure out a way to lock down things inside of a user account then that would benefit everybody massively.

If you think about it (which you probably already understand completely, I am just talking about in a more general sense), right now all your most important and sensitive information is stored in your /home/$USERNAME directory. Especially for a single user system, which 70% of desktops apparently are, then getting root is not necessary at all for a attacker to have the most damage to that user.

Root is only necessary for the attacker to go unnoticed. If they want to establish a rootkit or run some sort of secret network service then they'll need root. If they just want to steel your credit card information, gain access to your online accounts, or anything like that then root is unnecessary.

Secure keyboard input

Posted Nov 23, 2009 18:35 UTC (Mon) by madscientist (subscriber, #16861) [Link]

Any really sensitive file in the user's home directory should be protected by account permissions so that non-root users wouldn't be able to modify, or even read, them. In addition, a number of distros already have the ability to encrpyt some or all of the user's home directory, so that casual observers can't read the files. I think the previous poster has an excellent point, though: if you don't have a foolproof way of getting back to a login prompt, you can't say much about any sort of password-based security, including encrpyted home directories.

Secure keyboard input

Posted Nov 23, 2009 19:31 UTC (Mon) by cmccabe (guest, #60281) [Link]

> Which is why Linux desktops really need a secure attention sequence
> such as the Ctrl-Alt-Delete used by Windows (and before that, VMS).
> No application may trap that keystroke, and it leads you to a screen
> with only the password entry dialogue and (as far as I know) no
> communication with other parts of the desktop.

That's a very good point. It's important to have a secure login path. This is an especially important issue in a shared computer lab, where people can log into any machine they like.

It would be nice if gnome or KDE could be configured to request an "uninterceptable" keystroke combination before allowing you to log in through gdm or xdm. I don't know enough about X input handling to know how feasible this would be.

Secure keyboard input

Posted Nov 25, 2009 23:59 UTC (Wed) by jmorris42 (guest, #2203) [Link] (1 responses)

Kids today..... :)

Fire up an xterm (a real one) and observe the first option on the menu if you press CTRL-F1 is Secure Keyboard. It is intended to be used for exactly the sort of thing you mention. X had thought of security and built it in long before NT 3.1 'invented' it, the GNOME/KDE kids simply forgot about that sort of thing along with most of the other good parts of X.

Seems to be a pattern with modern graphical free software development to repeat all of Microsoft's security mistakes and for the same reason. The mad rush to bring about 'the Year of Linux on the Desktop' is producing the exact same marketing based security policies that we have laughed our butts off over when Microsoft originally made em. But apparently we learned nothing.

Secure keyboard input

Posted Nov 26, 2009 17:40 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

So the attacker makes sure that your xterm is thunked with an LD_PRELOADed library that reports a successful grab without actually performing one. Xterm continues along its way and your password still gets grabbed. Xterm's grabs are intended to secure against hostile *X* applications that may be running on machines out of your control. That's simply not the common threat model any more, and instead it just results in people thinking that they're secure when they're not.

(Heck. The attacker could ignore X altogether and just thunk read and write in xterm and read everything going over the pty. You'd end up with a secure channel between the server and the xterm, which would win you absolutely nothing overall)