There's 'arrested' and 'detained'. In the US, police can detain anyone for up to 48 hours (72 hours if it's a weekend or long holiday). If they don't file charges by then, they have to release you.
For a silent/duress alarm it's easy to cross-reference the person at the door with a list of personnel authorized to be in the facility. Security in a scenario like that would normally ask for an ID, radio it back to their security office to validate that the person is on the access list for that office/building/facility/etc., and then do a quick walk-around.
I may actually incorporate that into the system() call in the module itself now that I think about it. The Hello World implementation was just a quick way for me to debug while I developed it and it's probably smarter to dump it to /dev/null by default.
Author here; #3 also defies the use case for a duress word. The attacker is supposed to be presented with what appears to be a normal login scenario while, in the background, sensitive data is being scrubbed, or the routines could even remove the pam-duress module completely so there's no evidence there was a duress routine in place.
Real law enforcement agencies would also simply confiscate the device and hand it to a forensic team to pull a "golden image" from it to work with in lieu of a user session.
Author here, and I wasn't really thinking of this as a useful use case either. Most of my consideration was, say, corporate espionage or journalists working in authoritarian countries where killing the person would create a highly visible incident. It was mostly just a thought experiment turned into a real implementation. With any tool like this the risks/benefits should always be considered.
For sure; there's risk/benefit to this kind of mitigation. One thing to note is that all the actions occur before the user drops into a shell (or, for desktop login, the desktop rendering). If one is simply getting rid of LUKS containers or deleting VPN credentials, it wouldn't take very long at all.
One could even write in a routine that removes the duress module entirely, so it's a one-shot duress password that cleans up sensitive data, notifies anyone who needs it, and then immediately removes all evidence that pam-duress was employed.
But you are right, this is a tool with risks/benefits, and the risks change based on what's being protected and the context of the coercion.
Hey, surprised to find myself here and appreciate all the discussion. I'm the author of the above project and wanted to shed some light on the inspiration for the project.
It started as a simple weekend project based on an off-hand comment someone made in a security professional chat I'm in. I had used duress words in the military, and translating the concept to a PAM seemed like a fun exercise. It also supports my current shift towards swapping careers from pure software engineering to cyber-research or cybersecurity generally. So in the end, it was a weekend project that served a dual purpose as a resume stamp.
The design use case I had in mind was more benign, such as corporate espionage or journalists getting their devices confiscated (maybe keep a sticky note on the laptop that has a duress password on it as a red herring). Comments to the effect that law enforcement would image a device are very relevant, as any competent law enforcement agency should have their staff trained to get the device fully powered off and hand it to someone who can maintain a chain of custody and get a golden image for use in potential criminal charges.
One thought I had was to apply this to SSH auth for honeypots: if a rockyou.txt password is attempted, it runs some routines that aid in crafting the honeypot before the intruder drops to a shell prompt. Another, even more light-hearted, implementation could be that password X is the one you log in with normally and your "duress" password Y just clears your browser history and is the one you give your spouse for when they log into your computer :). I'm sure there are use cases across the full spectrum, and with it being a relatively simple implementation with user-generated scripts, it'd be easy to extend to any potential use case.
In any case, I'm glad it prompted such a good discussion. Feel free to submit issues if there are particular feature requests or bugs that one might run across. Additionally, if there's a PR up, I'm currently the only dedicated dev on the project and welcome anyone who wants to review my PRs; I always prefer a third-person review even on my own projects. I created a demo video using Pushover and, in the process of doing the demo, uncovered some bugs that I patched as well as some fixes to the documentation. Again, glad you all found this interesting and humbled it fostered such a good discussion.