Re: [Tails-dev] Shared screen locking solution for live distributions in Debian
On 01/12/2015 03:58 PM, Klaus Knopper wrote: > Also, screen locking makes only sense if there is the apparent > possibility that someone else has physical access to the computer while > the user is not paying attention. Why would I lock the screen if I'm the > only one using the computer in a safe environment, and shut it down and > remove the live medium when I'm done with my work. I outlined some reasons for it here [1], but TL;DR is so you can step out of your office for a minute to refill your cup of coffee without having to close all your work, tell everyone you're chatting with that you'll brb, shut down your computer, and then boot it up again to get back to work. [1] https://labs.riseup.net/code/issues/5684#note-11 -- Micah Lee ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Shared screen locking solution for live distributions in Debian
Hello Sajolida, On Wed, Dec 31, 2014 at 02:03:15PM +, sajolida wrote: > Hi, > > I'm part of the people working on Tails, a live distribution that aims > at preserving privacy and anonymity: https://tails.boum.org/. Tails is > currently lacking a screen locker and this has been a frequent feature > request. See https://labs.riseup.net/code/issues/5684. > > For example, as Tails is been adopted more and more by journalists, > they want to be able to leave their computer unattended in their > office to go to the toilets for a minute and have their screen locked. > > I'm writing this emails to various Live distributions based on Debian > (Knoppix, Grml, Jondo, Kali, Debian Live, and Tanglu). I'm also > putting Micah Lee in copy as he has shown particular interest in this > feature. > > I've been investigating the screen locking mechanism of those various > Debian based live distributions, and I found out that none of them had > a real mechanism to do so. They either: > > - Do not provide any screen locking mechanism (Knoppix, Grml, > Jondo Live). Actually, Knoppix disables/circumvents the standard Debian screen locking mechanism because there is no unlocking possible once the screenlock is active. All passwords are invalid and locked. > - Either rely on their default password to unlock the screen (Kali, > Tanglu, Debian Live). > > The purpose of this email is to know whether you would be interested > in working on a common Debian package to provide a generic screen > locking solution for Debian based live distributions. > > The core usability issue that we are facing here is the one of the > unlocking password. As we are live distributions, there either is no > password or a default one. "no password" in the sense of "there is no valid authentication password", i.e. no backdoor. Sometimes, people mean "ANY password" if they say "no password", which is not the case for Knoppix. Again, all passwords are invalid and locked. > Still, screen locking only make sense if > the user is able to use a custom password. Also, screen locking makes only sense if there is the apparent possibility that someone else has physical access to the computer while the user is not paying attention. Why would I lock the screen if I'm the only one using the computer in a safe environment, and shut it down and remove the live medium when I'm done with my work. > As an interesting exception, > note that in Jondo Live, the user is prompted for a user password on > boot. Knoppix design is not to ask anything from the boot screen till the running graphical desktop, with the possible exception of an encrypted personal overlay. > In Tails the user can set up an administration password but this > is disabled by default for security reasons so we cannot rely on this > for screen locking. > > During our last monthly meeting we came up with the idea of asking for > a custom password *in the process of locking the screen* for the first > time. So, when is the right time to lock the screen? Debian does this by default when the computer goes to standby or the notebook lid is closed. In this case, the user will hardly pay attention to a dialog asking for a password. > For example, in GNOME, when doing Meta+L for the first time, the > user would be prompted to enter a screen locking password, then only > the screen would get locked. If she locks the screen again, the same > password would be reused. A "voluntary screenlock button", asking for a new screenlock (not necessarily a login) password could be worth a try. Regards -Klaus ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Shared screen locking solution for live distributions in Debian
sajolida: > Hi, Gentle ping regarding what follows as we haven't heard back from your distribution. Does this seems like an interesting solution for you? Would you install such a package if it was available in Debian? Would you put effort in developing or maintaining it? > I'm part of the people working on Tails, a live distribution that aims > at preserving privacy and anonymity: https://tails.boum.org/. Tails is > currently lacking a screen locker and this has been a frequent feature > request. See https://labs.riseup.net/code/issues/5684. > > For example, as Tails is been adopted more and more by journalists, > they want to be able to leave their computer unattended in their > office to go to the toilets for a minute and have their screen locked. > > I'm writing this emails to various Live distributions based on Debian > (Knoppix, Grml, Jondo, Kali, Debian Live, and Tanglu). I'm also > putting Micah Lee in copy as he has shown particular interest in this > feature. > > I've been investigating the screen locking mechanism of those various > Debian based live distributions, and I found out that none of them had > a real mechanism to do so. They either: > > - Do not provide any screen locking mechanism (Knoppix, Grml, > Jondo Live). > - Either rely on their default password to unlock the screen (Kali, > Tanglu, Debian Live). > > The purpose of this email is to know whether you would be interested > in working on a common Debian package to provide a generic screen > locking solution for Debian based live distributions. > > The core usability issue that we are facing here is the one of the > unlocking password. As we are live distributions, there either is no > password or a default one. Still, screen locking only make sense if > the user is able to use a custom password. As an interesting exception, > note that in Jondo Live, the user is prompted for a user password on > boot. In Tails the user can set up an administration password but this > is disabled by default for security reasons so we cannot rely on this > for screen locking. > > During our last monthly meeting we came up with the idea of asking for > a custom password *in the process of locking the screen* for the first > time. For example, in GNOME, when doing Meta+L for the first time, the > user would be prompted to enter a screen locking password, then only > the screen would get locked. If she locks the screen again, the same > password would be reused. > > What do you think? Please answer to tails-dev@boum.org and feel free to > subscribe to the list to follow the thread: > > https://mailman.boum.org/listinfo/tails-dev/ -- sajolida ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Shared screen locking solution for live distributions in Debian
Hi, I have a project called ediX which is just a minimized Debian for educational hosting. It is always under heavy redesign but especially so right now with all of the changes to the Debian Jessie. I recently took down the web site in order to move it the project to The Foundation for Learning Equality where I also help with educational projects such as Khan Academy Light etc. After reflecting on the question longer the thought finally occurred to me why others might want or need this second password feature. ediX is basically default Debian live with a few select packages for a minimum boot relying on the persistence feature to provide educational software for services and configuration. The users (teachers) are assumed to not have shell / linux knowledge and a minimal GUI is made available basically just for monitoring, changing configurations, and updates. However, tails users running directly from a live CD without using persistence do not benefit from having the users credentials saved and thus the need if I am understanding things correctly. What I would like to see is an easier method of changing the default password and other user settings in the Debian live configuration scripts. As a simple precaution I have been changing user name but allowing live as password for the image however this all gets changed once the persistence volume is loaded. As I understand it, Debian Live recommends and defaults to user / live for the user account credentials and recommends user-setup and sudo packages be installed in the packages-list providing those features. By adding those packages that account is created and there are supporting scripts for changing the default user name and password however I have not had a need to do so. Hope this helps! Thanks, On Thu Jan 01 2015 at 4:53:33 AM sajolida wrote: > Ed Dixon: > > Hi, > > Hi, which project are you from? > > > I have been using the xtrlock package which allows the screen to still be > > viewed while locked to good effect in classroom situations. It takes the > > current users password by default. I may be missing something here but as > > far as I am aware all current Debian screen locking mechanisms fill this > > need, if installed. I personally would not want a second set of > credentials > > adding a potential vector attached to the user account just to have a > > separate password for the screen lock. Can you explain more the need for > > this? > > In the case of live distributions most of the time there is no user > password by default. So if we want to use a password to lock the screen > we need to ask for a password at some point. > > I'd like to avoid introducing yet another password if there is one > already (like in the case of Jondo, and sometimes Tails) but otherwise > we need at least one. > > Does that make sense? > > Note that in the case of Tails, you can configure an administration > password at boot time: > https://tails.boum.org/doc/first_steps/startup_options/ > administration_password. > I'd like to consider reusing this for screen locking if it is set (and > only ask for a screen locking password if there is none), unless someone > has security concerns about this. > > -- > sajolida > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Shared screen locking solution for live distributions in Debian
Ed Dixon: > Hi, Hi, which project are you from? > I have been using the xtrlock package which allows the screen to still be > viewed while locked to good effect in classroom situations. It takes the > current users password by default. I may be missing something here but as > far as I am aware all current Debian screen locking mechanisms fill this > need, if installed. I personally would not want a second set of credentials > adding a potential vector attached to the user account just to have a > separate password for the screen lock. Can you explain more the need for > this? In the case of live distributions most of the time there is no user password by default. So if we want to use a password to lock the screen we need to ask for a password at some point. I'd like to avoid introducing yet another password if there is one already (like in the case of Jondo, and sometimes Tails) but otherwise we need at least one. Does that make sense? Note that in the case of Tails, you can configure an administration password at boot time: https://tails.boum.org/doc/first_steps/startup_options/administration_password. I'd like to consider reusing this for screen locking if it is set (and only ask for a screen locking password if there is none), unless someone has security concerns about this. -- sajolida ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Shared screen locking solution for live distributions in Debian
Hi, I have been using the xtrlock package which allows the screen to still be viewed while locked to good effect in classroom situations. It takes the current users password by default. I may be missing something here but as far as I am aware all current Debian screen locking mechanisms fill this need, if installed. I personally would not want a second set of credentials adding a potential vector attached to the user account just to have a separate password for the screen lock. Can you explain more the need for this? On Wed Dec 31 2014 at 7:27:13 AM sajolida wrote: > Hi, > > I'm part of the people working on Tails, a live distribution that aims > at preserving privacy and anonymity: https://tails.boum.org/. Tails is > currently lacking a screen locker and this has been a frequent feature > request. See https://labs.riseup.net/code/issues/5684. > > For example, as Tails is been adopted more and more by journalists, > they want to be able to leave their computer unattended in their > office to go to the toilets for a minute and have their screen locked. > > I'm writing this emails to various Live distributions based on Debian > (Knoppix, Grml, Jondo, Kali, Debian Live, and Tanglu). I'm also > putting Micah Lee in copy as he has shown particular interest in this > feature. > > I've been investigating the screen locking mechanism of those various > Debian based live distributions, and I found out that none of them had > a real mechanism to do so. They either: > > - Do not provide any screen locking mechanism (Knoppix, Grml, > Jondo Live). > - Either rely on their default password to unlock the screen (Kali, > Tanglu, Debian Live). > > The purpose of this email is to know whether you would be interested > in working on a common Debian package to provide a generic screen > locking solution for Debian based live distributions. > > The core usability issue that we are facing here is the one of the > unlocking password. As we are live distributions, there either is no > password or a default one. Still, screen locking only make sense if > the user is able to use a custom password. As an interesting exception, > note that in Jondo Live, the user is prompted for a user password on > boot. In Tails the user can set up an administration password but this > is disabled by default for security reasons so we cannot rely on this > for screen locking. > > During our last monthly meeting we came up with the idea of asking for > a custom password *in the process of locking the screen* for the first > time. For example, in GNOME, when doing Meta+L for the first time, the > user would be prompted to enter a screen locking password, then only > the screen would get locked. If she locks the screen again, the same > password would be reused. > > What do you think? Please answer to tails-dev@boum.org and feel free to > subscribe to the list to follow the thread: > > https://mailman.boum.org/listinfo/tails-dev/ > > -- > sajolida > > > -- > To UNSUBSCRIBE, email to debian-live-requ...@lists.debian.org > with a subject of "unsubscribe". Trouble? Contact > listmas...@lists.debian.org > Archive: https://lists.debian.org/54a40223.1020...@pimienta.org > > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Shared screen locking solution for live distributions in Debian
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi sajolida, I love this idea and have always been looking for exactly such a solution. On Tails, I am currently using "xlock" with a custom administrator password; here on my Ubuntu PC, "xlock" does not even seem to be an existing package. It would be awesome for me to have a working screen locking tool shipped with Tails; preferably one that asks me for the used password before locking the screen. The icing on the cake might be the possibility to define a password that will be used for locking if the computer has not been used for an user-defined amount of seconds. In my opinion, the password should be stored using a strong hashing algorithm that may well take some seconds to be calculated - the legitimate user can afford waiting some seconds after entering the password to unlock the screen; an attacker should have a hard time extracting the screen lock password even if the built-in software security mechanisms are somehow circumvented. But I'm not a security expert and maybe this would just be an illusion of security without actual benefits. Best regards, Tobias Frei Am 31.12.2014 um 15:03 schrieb sajolida: > Hi, > > I'm part of the people working on Tails, a live distribution that > aims at preserving privacy and anonymity: https://tails.boum.org/. > Tails is currently lacking a screen locker and this has been a > frequent feature request. See > https://labs.riseup.net/code/issues/5684. > > For example, as Tails is been adopted more and more by > journalists, they want to be able to leave their computer > unattended in their office to go to the toilets for a minute and > have their screen locked. > > I'm writing this emails to various Live distributions based on > Debian (Knoppix, Grml, Jondo, Kali, Debian Live, and Tanglu). I'm > also putting Micah Lee in copy as he has shown particular interest > in this feature. > > I've been investigating the screen locking mechanism of those > various Debian based live distributions, and I found out that none > of them had a real mechanism to do so. They either: > > - Do not provide any screen locking mechanism (Knoppix, Grml, Jondo > Live). - Either rely on their default password to unlock the screen > (Kali, Tanglu, Debian Live). > > The purpose of this email is to know whether you would be > interested in working on a common Debian package to provide a > generic screen locking solution for Debian based live > distributions. > > The core usability issue that we are facing here is the one of the > unlocking password. As we are live distributions, there either is > no password or a default one. Still, screen locking only make sense > if the user is able to use a custom password. As an interesting > exception, note that in Jondo Live, the user is prompted for a user > password on boot. In Tails the user can set up an administration > password but this is disabled by default for security reasons so we > cannot rely on this for screen locking. > > During our last monthly meeting we came up with the idea of asking > for a custom password *in the process of locking the screen* for > the first time. For example, in GNOME, when doing Meta+L for the > first time, the user would be prompted to enter a screen locking > password, then only the screen would get locked. If she locks the > screen again, the same password would be reused. > > What do you think? Please answer to tails-dev@boum.org and feel > free to subscribe to the list to follow the thread: > > https://mailman.boum.org/listinfo/tails-dev/ > -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJUpBdGAAoJEOaAxTHjKzK7LFUP/1eiRFz0ZxYMI8V9Y5OYHeDP W/jq+jCOgkAo3YUxb/4rZPvIEjWw+5kC93bDDlIDsDQUsM2fi6dhgbNyeNOM6NTF zaQ/nfHRc0OGKjM738/ar91MC5BXVMhctYRSE7423bO6ZxEHRIY1dSW34YhpGgzn e7WN6kXegEsY2yYmxzrep/UbiE61TeIwsGbkOG+l/JX82pLXb/IYJ7q3ML8xMc2v jynU162L0bRrxzY9eG+VTZZCGsu8hUfUUukmQqAF7v42/557TuWoHZX2rK3+cvkE BsHwrzvXAPVx+4wBDnfAplUmcLDJ0oMs21SwiVq54PDb3QMC/oBvYOQtQCEIearN ZZCPjtnpwmy5qkq0CHu2nfzpm4CDqK9jT0wY+UqCtAb5+YSF1p6D2O5tW3ywhH4L viMzJosUZxeiK7Lr166gl7ti2tiChy8gi2Fwp4nJJf2b2ZBg6DuRYlQxP8BiqBKA FkWYdFpp+mL5kfU/fmGryofGx/oU00y1xcFM2katkJoeMjq+X1jbxKkwS2MIBuqv K7ZeIhtvMWqZyUPq4a6yvurhVOTin1cxSjg4VpB9Lpfi53JC3xfiue5CW6W42N9f tyIfQTO8PtVcjgGJgdI3hb5utBb01j8KmrliFjO1sJKjRfcQmCVWog2tgPWeYpds 6QrhfTj3XDVx+1gB4XZc =u2/+ -END PGP SIGNATURE- ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
[Tails-dev] Shared screen locking solution for live distributions in Debian
Hi, I'm part of the people working on Tails, a live distribution that aims at preserving privacy and anonymity: https://tails.boum.org/. Tails is currently lacking a screen locker and this has been a frequent feature request. See https://labs.riseup.net/code/issues/5684. For example, as Tails is been adopted more and more by journalists, they want to be able to leave their computer unattended in their office to go to the toilets for a minute and have their screen locked. I'm writing this emails to various Live distributions based on Debian (Knoppix, Grml, Jondo, Kali, Debian Live, and Tanglu). I'm also putting Micah Lee in copy as he has shown particular interest in this feature. I've been investigating the screen locking mechanism of those various Debian based live distributions, and I found out that none of them had a real mechanism to do so. They either: - Do not provide any screen locking mechanism (Knoppix, Grml, Jondo Live). - Either rely on their default password to unlock the screen (Kali, Tanglu, Debian Live). The purpose of this email is to know whether you would be interested in working on a common Debian package to provide a generic screen locking solution for Debian based live distributions. The core usability issue that we are facing here is the one of the unlocking password. As we are live distributions, there either is no password or a default one. Still, screen locking only make sense if the user is able to use a custom password. As an interesting exception, note that in Jondo Live, the user is prompted for a user password on boot. In Tails the user can set up an administration password but this is disabled by default for security reasons so we cannot rely on this for screen locking. During our last monthly meeting we came up with the idea of asking for a custom password *in the process of locking the screen* for the first time. For example, in GNOME, when doing Meta+L for the first time, the user would be prompted to enter a screen locking password, then only the screen would get locked. If she locks the screen again, the same password would be reused. What do you think? Please answer to tails-dev@boum.org and feel free to subscribe to the list to follow the thread: https://mailman.boum.org/listinfo/tails-dev/ -- sajolida ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.