Login Spoofing

From Whonix


Malware might be masquerading as a login prompt and stealing login passwords.

This supposes an advanced threat model:

  • A system where a limited user (user "user") is utilizing a graphical X Window System session that is different from the user with root/sudo permissions (user "admin").
  • The limited user is expected to at some point being compromised by malware.
  • Otherwise, if there was only one user account which also has sudo/su access, malware could sniff the administrative password anyhow and would not need to resort the and advanced attack of login spoofing.

The limited user account being compromised is under many threat models already considered catastrophic, since running malware:

  • has full access to all user-accessible files
  • can view all keyboard inputs and take over login sessions
  • may present false information on the screen
  • can perform other malicious actions - see: The Importance of a Malware Free System

However, when using multiple (virtual) machines for compartmentalization the harmful impact of malware might not be catastrophic. In that case other goals include prevention of root compromise to help to protect the virtualizer and avoid host compromise, and similarly to avoid hardware compromise. This is elaborated in in chapter rationale on the Safely Use Root Commands wiki page.

A broken X Window System can block switching to a virtual console. It logically follows that malware which compromised the X Window System could similarly do that. In this case the SysRq + r combination can take away control from the X Window System. [1] This is a safer procedure, otherwise a compromised X Window System could just be simulating a virtual console login prompt in order to sniff a login password to an account with root access. (login spoofing in Wikipedia [archive]).

SysRq + k (Secure Access Key) can be used to defeat login spoofing. It will terminate all programs on that virtual console.

Quote Linux Kernel Documentation [archive]:

Sak (Secure Access Key) is useful when you want to be sure there is no trojan program running at console which could grab your password when you would try to login. It will kill all programs on given console, thus letting you make sure that the login prompt you see is actually the one from init, not some trojan program.

Quote Linux Kernel Secure Attention Key Documentation [archive]:

An operating system's Secure Attention Key is a security tool which is provided as protection against trojan password capturing programs. It is an undefeatable way of killing all programs which could be masquerading as login applications. Users need to be taught to enter this key sequence before they log in to the system.

Taking steps to defeat login spoofing probably only makes sense when also following steps to Prevent Malware from Sniffing the Root Password.

See Also[edit]


  1. Since the Linux kernel takes away the control of the X Window System from the console. Linux kernel has higher privileges than the X Window System.

Fosshost is sponsors Kicksecure stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Login spoofing&body= link= spoofing link= spoofing link= spoofing%20 spoofing

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.