Why This Matters

A panic password system adds extra security against physical attacks where someone is forced to reveal their password (assault, robbery, ransom, coercion). With pam-duress, you can configure a secondary “panic” password that:
  • Allows login (so the attacker doesn’t know it’s a panic password)
  • Automatically triggers a protective script when used
  • Can destroy data, lock the system, or alert administrators

Real-World Example Scenario

Imagine a robber breaks into your home and steals your server. They boot it at their location and begin a brute-force attack. They crack what appears to be a weak password for the ‘admin’ user and successfully SSH in. Within 2 minutes, the server becomes extremely busy and freezes. The robber reboots to try again… but all data and the system have been destroyed. What happened? The cracked password was the panic password, which triggered a script that deleted all files, configurations, and system data, then overloaded CPU and RAM to force a reboot. The real data is gone before the attacker realizes what happened.
Use with Extreme Caution
A panic password script can be configured to permanently destroy data. Only implement this if:
  • You understand the risks and implications
  • You have complete, tested backups
  • Your security policy requires this level of protection
  • You’ve thoroughly tested in a non-production environment
This is an advanced security measure that can render your system completely inoperable.

How It Works

pam-duress is a PAM module that allows you to configure a secondary password for any user. When someone logs in with the panic password instead of the real password:
  1. Login succeeds (appears normal to the attacker)
  2. PAM triggers a pre-configured script
  3. The script executes your defined actions (data wipe, alerts, etc.)
  4. The user has a normal session (while the script runs in background)

Prerequisites

Required packages:
  • git
  • build-essential
  • libpam0g-dev
  • libssl-dev

Installation Script

The following script automates the installation and configuration of pam-duress:
#!/bin/bash

myownscript(){
#######################################################
## ***** EDIT THIS SCRIPT FOR YOUR PURPOSES *****

cat > "$ScriptFile" <<-EOF
#!/bin/bash
sudo rm -rf /home
#### FINISHED OWN SCRIPT ####
EOF
#######################################################
}

echo "Let's configure a PANIC PASSWORD ;)" && sleep 1
read -r -p "Do you REALLY want to configure a PANIC PASSWORD? Type [ OK ]: " PAMDUR

if [[ "$PAMDUR" = "OK" ]]; then
 echo "Let's configure a PANIC USER, PASSWORD and SCRIPT ;)" && sleep 1
 while [ -z "$PANICUSR" ]
 do
  read -r -p "Enter the user for pam-duress [ root ]: " PANICUSR
  PANICUSR=${PANICUSR:=root}
 done
 if [ -z "$ScriptLoc" ]; then
  read -r -p "Set the script directory (FULL PATH) [ /root/.duress ]: " ScriptLoc
  ScriptLoc=${ScriptLoc:=/root/.duress}
 fi
 # Set the script path even when ScriptLoc was already provided by the environment
 ScriptFile="$ScriptLoc/PanicScript.sh"
else
 echo "Not configuring PAM DURESS (panic password). Bye"
 exit 1
fi

sudo apt install -y git build-essential libpam0g-dev libssl-dev

cd "$HOME" || exit 1
git clone https://github.com/nuvious/pam-duress.git
cd pam-duress || exit 1
make
sudo make install
make clean

# Quote the paths so directories containing spaces are handled correctly
mkdir -p "$ScriptLoc"
sudo mkdir -p /etc/duress.d
myownscript
duress_sign "$ScriptFile"
chmod -R 500 "$ScriptLoc"
chmod 400 "$ScriptLoc"/*.sha256
chown -R "$PANICUSR" "$ScriptLoc"

sudo cp --preserve /etc/pam.d/common-auth /etc/pam.d/common-auth.bck

echo "
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_duress.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
" | sudo tee /etc/pam.d/common-auth

read -r -p "Press <Enter> Key to Finish PAM DURESS Script!"
exit 0

Manual Installation Steps

If you prefer to install manually:
1. Install dependencies

sudo apt install -y git build-essential libpam0g-dev libssl-dev
2. Clone and build pam-duress

cd $HOME
git clone https://github.com/nuvious/pam-duress.git
cd pam-duress
make
sudo make install
make clean
3. Create the panic script

Create a directory for your panic script:
sudo mkdir -p /root/.duress
Create /root/.duress/PanicScript.sh with your desired actions:
#!/bin/bash
# Example: Delete all user home directories
sudo rm -rf /home/*

# Example: Wipe specific sensitive directories
sudo rm -rf /var/www/*
sudo rm -rf /opt/sensitive-data/*

# Example: Send an alert (admin@example.com is a placeholder address)
echo "Panic password used!" | mail -s "SECURITY ALERT" admin@example.com

# Example: Power off the system
sudo systemctl poweroff
4. Sign and secure the script

duress_sign /root/.duress/PanicScript.sh
chmod -R 500 /root/.duress
chmod 400 /root/.duress/*.sha256
chown -R root /root/.duress
5. Configure PAM

Backup the current PAM configuration:
sudo cp --preserve /etc/pam.d/common-auth /etc/pam.d/common-auth.bck
Edit /etc/pam.d/common-auth and configure it for pam-duress:
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_duress.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
6. Set the panic password

Run the duress password setup for your user:
duress
Follow the prompts to set your panic password.
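
The jump counts in the common-auth stack from step 5 (success=2, success=1) are only correct while the four lines stay together in that order, so check the stack before closing your root session. The following is an added example, not part of pam-duress or of the original page: pam_auth_outcome is a hypothetical helper that walks a simplified model of the auth stack and reports the login result when the real password, the panic password, or neither matches; the no-deny file is a constructed mistake.

```shell
#!/bin/sh
# Added example: simplified model of a PAM "auth" stack. Only the controls
# [success=N default=ignore], requisite, required and sufficient are modelled.
# pam_permit.so always succeeds, pam_deny.so always fails, any other module
# succeeds only when named in the second argument.

pam_auth_outcome() (   # usage: pam_auth_outcome FILE "modules that succeed"
  file=$1; passing=" $2 "; skip=0; failed=0; seen_ok=0
  set -f                                  # no globbing while splitting lines
  while read -r type rest; do
    [ "$type" = auth ] || continue        # comments, blanks, other types
    case $rest in
      \[*) control=${rest%%\]*}; control=${control#\[}
           set -- ${rest#*\]}; module=$1 ;;
      *)   set -- $rest; control=$1; module=$2 ;;
    esac
    if [ "$skip" -gt 0 ]; then skip=$((skip - 1)); continue; fi
    case $module in
      pam_permit.so) ok=1 ;;
      pam_deny.so)   ok=0 ;;
      *) case $passing in *" $module "*) ok=1 ;; *) ok=0 ;; esac ;;
    esac
    case $control in
      requisite)  [ "$ok" = 1 ] || { echo deny; return; }; seen_ok=1 ;;
      required)   if [ "$ok" = 1 ]; then seen_ok=1; else failed=1; fi ;;
      sufficient) if [ "$ok" = 1 ] && [ "$failed" = 0 ]; then echo permit; return; fi ;;
      *success=*) if [ "$ok" = 1 ]; then  # jump over the next N modules
                    n=${control#*success=}; n=${n%%[!0-9]*}; skip=${n:-0}
                  fi ;;
    esac
  done < "$file"
  if [ "$seen_ok" = 1 ] && [ "$failed" = 0 ]; then echo permit; else echo deny; fi
)

demo=$(mktemp -d)
cat > "$demo/page-stack" <<'EOF'
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_duress.so
auth requisite pam_deny.so
auth required pam_permit.so
EOF
grep -v pam_deny "$demo/page-stack" > "$demo/no-deny"   # constructed mistake
for f in page-stack no-deny; do
  echo "$f: real=$(pam_auth_outcome "$demo/$f" pam_unix.so)" \
    "duress=$(pam_auth_outcome "$demo/$f" pam_duress.so)" \
    "wrong=$(pam_auth_outcome "$demo/$f" "")"
done
rm -rf "$demo"
```

For the page's stack the three results are permit, permit, deny. With the pam_deny.so line missing they become deny, deny, permit: both valid passwords are rejected and a wrong password is accepted.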

Customizing the Panic Script

The panic script can be customized to perform various actions:

Data Destruction

#!/bin/bash
# Wipe all data
sudo rm -rf /home/*
sudo rm -rf /var/*
sudo dd if=/dev/zero of=/dev/sda bs=1M

System Lockdown

#!/bin/bash
# Lock the system
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo systemctl stop sshd

Alert and Log

#!/bin/bash
# Send alert without destruction
# admin@example.com is a placeholder address
echo "Panic password used at $(date)" | mail -s "SECURITY ALERT" admin@example.com
logger -p auth.crit "PANIC PASSWORD USED"

Fake Normal Operation

#!/bin/bash
# Appear normal while copying data to secure location
tar czf /tmp/backup.tar.gz /home/* 2>/dev/null
scp /tmp/backup.tar.gz backup-server:/secure/location/
rm /tmp/backup.tar.gz
# Then wipe after backup completes
sudo rm -rf /home/*

Testing

Test in a Safe Environment
Before deploying this in production:
  1. Set up a test VM or container
  2. Configure a non-destructive panic script first (e.g., just logging)
  3. Test login with both real and panic passwords
  4. Verify the script executes as expected
  5. Only then consider using destructive actions

Safe Test Script

#!/bin/bash
# Safe test script - just logs, doesn't destroy anything
echo "$(date): Panic password was used" >> /var/log/panic.log
logger -p auth.warning "Panic password triggered"

Security Considerations

Backup Everything

Have complete, tested, off-site backups before implementing data destruction

Legal Implications

Check local laws regarding data destruction and obstruction

False Positives

You might type the panic password by accident, so make it clearly distinct from your real password

Script Security

Ensure panic scripts are only readable/executable by root
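
A way to check the script directory against the modes set in step 4 (500 for scripts, 400 for the .sha256 files), shown as an added example that is not part of pam-duress or of the original page. audit_duress_dir and make_sample_dir are hypothetical helpers, the sample files are constructed, and the "changed after signing" check assumes the signature covers the script's contents.

```shell
#!/bin/sh
# Added example: audit a duress directory against the modes this page sets
# (scripts 500, *.sha256 signatures 400). Needs GNU stat, as on Debian/Ubuntu.
# Assumption: the signature covers the script's contents, so a script newer
# than its .sha256 was edited after signing and must be signed again.

audit_duress_dir() (   # usage: audit_duress_dir DIR OWNER_UID; status 1 on findings
  dir=$1; owner=$2; findings=0
  report() { echo "$(basename "$1"): $2"; findings=$((findings + 1)); }
  for script in "$dir"/*; do
    case $script in *.sha256) continue ;; esac
    [ -f "$script" ] || continue
    sig=$script.sha256
    [ "$(stat -c %a "$script")" = 500 ] || report "$script" "mode is not 500"
    [ "$(stat -c %u "$script")" = "$owner" ] || report "$script" "owner uid is not $owner"
    if [ ! -f "$sig" ]; then report "$script" "no signature file"; continue; fi
    [ "$(stat -c %a "$sig")" = 400 ] || report "$sig" "mode is not 400"
    if [ "$script" -nt "$sig" ]; then report "$script" "changed after signing"; fi
  done
  [ "$findings" -eq 0 ]
)

make_sample_dir() {    # constructed files; the .sha256 files are empty stand-ins
  d=$(mktemp -d)
  for name in ok loose stale unsigned; do
    printf '#!/bin/bash\nlogger -p auth.warning "Panic password triggered"\n' > "$d/$name.sh"
    chmod 500 "$d/$name.sh"
    [ "$name" = unsigned ] || { : > "$d/$name.sh.sha256"; chmod 400 "$d/$name.sh.sha256"; }
  done
  chmod 755 "$d/loose.sh"; chmod 644 "$d/loose.sh.sha256"
  touch -t 202001010000 "$d/stale.sh.sha256"   # signature older than its script
  echo "$d"
}

sample=$(make_sample_dir)
audit_duress_dir "$sample" "$(id -u)" || echo "findings above need fixing"
rm -rf "$sample"
```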

Uninstallation

To remove pam-duress:
cd ~/pam-duress
sudo make uninstall

# Restore original PAM configuration
sudo cp /etc/pam.d/common-auth.bck /etc/pam.d/common-auth

References

This feature is for advanced users with specific security requirements. Most users will not need a panic password system.