trinity-devel@lists.pearsoncomputing.net


Re: [trinity-devel] First report: TSAK/TDM related issues

From: "Timothy Pearson" <kb9vqf@...>
Date: Thu, 19 Apr 2012 12:49:18 -0500
>> OK, sounds reasonable, though I would rather disable the
>> TSAK checkbox and display a warning message next to it, in order to
>> provide more immediate feedback as to the state of the user's system.
>
> That sounds better. All we need is a mechanism that makes the uinput
> connection obvious to the user. I never would have figured that out. Well,
> maybe --- after many four letter words and scouring the source code. :) A
> context sensitive warning directly in the KControl dialog will do nicely.
>

I got bitten by this myself, but as I was running tsak from the command
line at the time the problem was obvious.  I can't imagine how frustrating
it would have been from within a GUI...

>> > BTW, the help handbook has nothing about TSAK. Nada. :)
>>
>> Probably because I still have not figured out how to use the
>> docbook stuff, nor do I have plans to do so. :-)
>
> Send me the text. :)
>
> We don't need a book. Just a few paragraphs. I'll merge the text into the
> existing TDM help file. Basic description for now:
>
> What is TSAK.

TSAK stands for Trinity Secure Attention Key.  A Secure Attention Key is a
special keypress to which only certain privileged applications, such as
the login and unlock dialogs, are able to respond.  This prevents an
ordinary user from creating an exact copy of the login screen to "sniff"
passwords or other sensitive information, as the unprivileged copy will
not be able to detect the SAK keypress, thus providing a visible
difference in operation to the user.

> When to configure.

Generally, using TSAK is a good idea when you have more than one graphical
login account on a machine, for instance in enterprise environments or
computer laboratories.  If you have only one graphical login account, TSAK
will not provide tangible benefits over the standard login methods.

> Requirements/dependencies.

TSAK requires udev and uinput.

> How to use/what users see.

When TSAK is in use, you will be prompted to press Ctrl+Alt+Del before
sensitive information is requested.  If TSAK is enabled on a system, and
you do not see the Ctrl+Alt+Del dialog before sensitive information is
requested, someone may be attempting to phish for that information.  The
most prudent course of action would be to terminate the active X11 session
via Ctrl+Alt+Backspace or any other distribution-specific keypress for
this action, thus restoring control to the kernel and base system.

Tim
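
The thread above asks for a visible warning when the uinput prerequisite is missing. The following is an added example, not part of the message and not TSAK or TDM code: a preflight check a configuration dialog or admin script could run before offering the TSAK option. The function names, the sysfs and device paths, and the `/run/udev` test are assumptions about a typical Linux layout.

```shell
#!/bin/sh
# Added example: preflight check for the two prerequisites named above
# (udev and uinput). All paths are assumptions, not taken from TSAK.
# ROOT is a path prefix so the logic can be exercised against a test tree;
# pass "" to inspect the live system.

# uinput_state ROOT -> prints: ok | no-driver | no-node | no-access
uinput_state() {
    root=$1
    # uinput registers a misc device; sysfs lists it once the driver is loaded.
    if [ ! -e "$root/sys/class/misc/uinput" ]; then echo no-driver; return 0; fi
    for node in "$root/dev/uinput" "$root/dev/input/uinput"; do
        if [ -e "$node" ]; then
            # The calling process must be able to open the node for writing.
            if [ -w "$node" ]; then echo ok; else echo no-access; fi
            return 0
        fi
    done
    # Driver present but no device node was created for it.
    echo no-node
}

# udev_state ROOT -> prints: ok | not-running
udev_state() {
    if [ -d "$1/run/udev" ]; then echo ok; else echo not-running; fi
}

# tsak_prereqs ROOT -> one status line; exit status 0 only if both are present
tsak_prereqs() {
    u=$(uinput_state "$1")
    d=$(udev_state "$1")
    if [ "$u" = ok ] && [ "$d" = ok ]; then
        echo "prerequisites present"
        return 0
    fi
    # Name the missing piece so the user sees the cause next to the option.
    echo "cannot enable: uinput=$u udev=$d"
    return 1
}
```

Run it with the privileges of the account that would open the uinput node, since the write-access result depends on the caller.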