Malware might be masquerading as a login prompt and stealing login passwords.
This supposes an advanced threat model:
- A system where a limited user (user "user") is using a graphical X Window System session and is a different account from the user with root/sudo permissions (user "
- The limited user account is expected to be compromised by malware at some point.
- Otherwise, if there were only one user account, which also had sudo/su access, malware could sniff the administrative password anyway and would not need to resort to the more advanced attack of login spoofing.
Under many threat models, compromise of the limited user account is already considered catastrophic, since running malware:
- has full access to all user-accessible files
- can view all keyboard inputs and take over login sessions
- may present false information on the screen
- can perform other malicious actions - see: The Importance of a Malware Free System
However, when multiple (virtual) machines are used for compartmentalization, the harmful impact of malware might not be catastrophic. In that case, further goals include preventing root compromise, which helps to protect the virtualizer and avoid host compromise, and similarly avoiding hardware compromise. This is elaborated in the rationale chapter of the Safely Use Root Commands wiki page.
A broken X Window System can block switching to a virtual console. It follows that malware which has compromised the X Window System could do the same. In this case the SysRq r combination can take control away from the X Window System. This is the safer procedure: otherwise a compromised X Window System could simply simulate a virtual console login prompt in order to sniff the login password of an account with root access (see login spoofing on Wikipedia [archive]).
SysRq k (Secure Access Key) can be used to defeat login spoofing. It terminates all programs on that virtual console.
Sak (Secure Access Key) is useful when you want to be sure there is no trojan program running at console which could grab your password when you would try to login. It will kill all programs on given console, thus letting you make sure that the login prompt you see is actually the one from init, not some trojan program.
An operating system's Secure Attention Key is a security tool which is provided as protection against trojan password capturing programs. It is an undefeatable way of killing all programs which could be masquerading as login applications. Users need to be taught to enter this key sequence before they log in to the system.
Taking steps to defeat login spoofing probably only makes sense when also following the steps in Prevent Malware from Sniffing the Root Password.
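Both keys above only work if the kernel's SysRq mask permits them. As an added example (not code from the Whonix wiki or the Linux documentation), the following POSIX shell check reads /proc/sys/kernel/sysrq and reports whether the keyboard-control group (bit value 4, which covers SysRq r and SysRq k) is enabled; the function names and the sample mask values 438 and 176 are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether the kernel SysRq bitmask allows the keys this
# page relies on. In /proc/sys/kernel/sysrq, 0 disables all keys, 1 enables all
# keys, and any other value is a bitmask in which the value 4 means
# "control of keyboard (SAK, unraw)", i.e. SysRq k and SysRq r.
KBD_BIT=4

# sysrq_allows_keyboard_control <mask>: prints yes/no/invalid, exit 0 if allowed
sysrq_allows_keyboard_control() {
    mask="$1"
    case "$mask" in
        ''|*[!0-9]*) printf 'invalid\n'; return 2 ;;   # not a decimal number
    esac
    if [ "$mask" -eq 1 ] || [ $(( mask & KBD_BIT )) -ne 0 ]; then
        printf 'yes\n'; return 0
    fi
    printf 'no\n'; return 1
}

# Read the live value on Linux; elsewhere fall back to a constructed sample
# value (438 is a bitmask that happens to include 4).
current_sysrq_mask() {
    if [ -r /proc/sys/kernel/sysrq ]; then
        cat /proc/sys/kernel/sysrq
    else
        echo 438
    fi
}

# Sysctl fragment (assumed hardening choice, not a Whonix setting) that keeps
# only the keyboard-control group, so SAK and unraw work while the
# process-killing and reboot keys stay disabled.
hardened_sysctl_fragment() {
    printf 'kernel.sysrq = %d\n' "$KBD_BIT"
}

main() {
    mask=$(current_sysrq_mask)
    printf 'kernel.sysrq = %s -> SysRq r / k allowed: ' "$mask"
    sysrq_allows_keyboard_control "$mask"
    return 0
}
main
```

A value written with `sysctl -w kernel.sysrq=...` lasts until reboot; to make it persistent, place the fragment in a file under /etc/sysctl.d/.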
- System Recovery using SysRq Key
- Safely Use Root Commands
- Prevent Malware from Sniffing the Root Password
- Strong Linux User Account Isolation
- Because the Linux kernel, which has higher privileges than the X Window System, takes control of the console away from the X Window System.
Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)