Does KDM need a password?
My laptop password-protects the hard drive; to unlock it I must enter a password before the BIOS starts the OS. Is it thus redundant to have a password at the KDM logon screen? I am the only user of this laptop, and it would be that much nicer if I only had to enter the password _once_ to boot the system, and I could have it boot to the desktop. Are there other security implications of not having a KDM screen with a password prompt?

--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
Re: Does KDM need a password?
> desktop. Are there other security implications of not having a KDM
> screen with a password prompt?

BIOS password can be reset after gaining access to the laptop's mainboard (or maybe even easier).

However, if you are not using filesystem encryption then KDM (login) pass doesn't add much in terms of data security.

Also keep in mind that login password is used when locking the screen.

Regards,
Bogdan
--
http://bogdan.org.ua/

--
To UNSUBSCRIBE, email to debian-laptop-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Does KDM need a password?
On Sun, Jan 25, 2009 at 09:30:35PM +0200, Dotan Cohen wrote:
> My laptop password-protects the hard drive; to unlock it I must enter a
> password before the BIOS starts the OS. Is it thus redundant to have a
> password at the KDM logon screen? I am the only user of this laptop,

that'd mean you are sure you always use your laptop like:

1. on, active session, you in front of kyb/scr
2. off / suspend to disk

anything in between would benefit from some protection other than bios/disk.

--
paolo
Re: Does KDM need a password?
Paolo wrote:
> On Sun, Jan 25, 2009 at 09:30:35PM +0200, Dotan Cohen wrote:
>> My laptop password-protects the hard drive; to unlock it I must enter a
>> password before the BIOS starts the OS. Is it thus redundant to have a
>> password at the KDM logon screen? I am the only user of this laptop,
>
> that'd mean you are sure you always use your laptop like:
>
> 1. on, active session, you in front of kyb/scr
> 2. off / suspend to disk
>
> anything in between would benefit from some protection other than bios/disk.
>

Paolo is right. It depends on the kind of security model you want. If you're going to power your laptop off every time you leave it, or you're willing to accept the risks, then go ahead and modify kdm. However, as most take their laptops places that are outside of their control, having this added layer of security is beneficial.

Seth
Re: Does KDM need a password?
On Sun, Jan 25, 2009 at 10:32:10PM +0200, Bogdan wrote:
>
> BIOS password can be reset after gaining access to the laptop's mainboard (or
> maybe even easier).

yep, there are bios-pwd crackers on the 'net; but if HDD is also protected, with its own pwd, and bios just asks for HDD pwd, things are a bit harder, since access attempts may result in data wipe out, depending on HDD sec setting.

> However, if you are not using filesystem encryption then KDM (login) pass
> doesn't add much in terms of data security.

zero, indeed, once you've access to hardware.

--
paolo
Re: Does KDM need a password?
2009/1/25 Paolo:
> On Sun, Jan 25, 2009 at 10:32:10PM +0200, Bogdan wrote:
>>
>> BIOS password can be reset after gaining access to the laptop's mainboard
>> (or maybe even easier).
>
> yep, there are bios-pwd crackers on the 'net; but if HDD is also protected,
> with its own pwd, and bios just asks for HDD pwd, things are a bit harder,
> since access attempts may result in data wipe out, depending on HDD sec
> setting.
>
>> However, if you are not using filesystem encryption then KDM (login) pass
>> doesn't add much in terms of data security.
>
> zero, indeed, once you've access to hardware.
>

Thanks for the info. I see that I can safely disable the KDM password. If this laptop were to get 'lost' then it would be sold unmodified. The local thieves are not very sophisticated, yet. The only question would be if someone were to steal this laptop with the intent of finding something about _me_ and I see that as a remote enough possibility (and a small enough threat were it to happen) that I do not use a screen lock. The BIOS password is only to thwart the thieves from profiting from their crime, not to aid in recovery or to prevent them from reading my Gmail.

Thanks for everyone's insight!

--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
Re: Does KDM need a password?
Dotan Cohen writes:
> My laptop password-protects the hard drive; to unlock it I must enter a
> password before the BIOS starts the OS. Is it thus redundant to have a
> password at the KDM logon screen?

I don't know about you, but I occasionally leave my laptop unattended, and while the KDE screen-saver locks it, it also offers the "switch user" option. Using that someone could trivially open a new KDM login prompt, hit return, and have access to your identity. Not much fun.

A lot of Unix security assumes that you prompt for authentication before allowing access to a user account; while you can violate that you will find that it does[1] open security holes by violating upstream maintainers' assumptions.

Regards,
Daniel

Footnotes:
[1] More precisely, "is extremely likely to without very, very careful configuration on your part, such that you are unlikely to always succeed in finding the holes before they are exposed."