Panic password recommendation could create an attack vector on availability #121

@brasswood

Description

Not a security expert by any means, but it looks to me like the panic password recommendation could have bad consequences. For example, the suggested use is to delete the home folder when someone uses the fake password. But then, depending on how the system is configured, a remote attacker can bring down the system just by attempting to log in with the fake password. This would be especially easy if someone tried to "outsmart" the attacker by making their fake password trivial.

I think this should only be used under the assumption that the attacker already has physical access to the system, so availability is already compromised and confidentiality is more important (but if someone has physical access is `rm -rf` really going to fix the confidentiality problem?). If the authentication request is going through PAM then is this assumption valid? I don't know fully how PAM works but my guess is, probably not? I would think anyone who has already managed to log in to some user account through SSH could generate authentication requests that go through common-auth from their session. Maybe the duress script can be configured to run only if the current session is not an SSH session: https://unix.stackexchange.com/a/9607

Besides deleting data, this could be useful for secretly sending out a distress call. That wouldn't pose any risk to data loss, and that case could be useful in remote access scenarios (e.g., you're on vacation and someone forces you at gunpoint to ssh in).
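One way to implement the gating the issue asks about, as an added example that is not the project's own code: a duress hook that classifies the triggering session as local or remote and only runs the destructive action for a console login, while a remote trigger produces a silent alert record instead. It assumes the hook is invoked through `pam_exec`, which exports `PAM_RHOST`, `PAM_SERVICE`, `PAM_TTY` and `PAM_USER` to the command, and that an SSH login shell carries `SSH_CONNECTION`, `SSH_CLIENT` or `SSH_TTY` (the check from the linked answer). The log path, the action bodies and the sample values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the project's code): gate a PAM duress action on whether
# the authentication attempt looks local or remote, so a remote login attempt
# with the panic password cannot be used to destroy data (availability).
# Assumes invocation via pam_exec, which exports PAM_RHOST, PAM_SERVICE,
# PAM_TTY and PAM_USER; SSH_* variables cover the login-shell case.

DURESS_LOG="${DURESS_LOG:-/tmp/duress-demo.log}"   # constructed demo path

# Return 0 when the triggering session looks remote, 1 when it looks local.
# PAM_RHOST/PAM_SERVICE come from sshd via pam_exec and cannot be set by the
# user; the SSH_* variables are a weaker, shell-level hint.
session_is_remote() {
    [ -n "${PAM_RHOST:-}" ] && return 0
    [ "${PAM_SERVICE:-}" = "sshd" ] && return 0
    [ -n "${SSH_CONNECTION:-}${SSH_CLIENT:-}${SSH_TTY:-}" ] && return 0
    return 1
}

# Print the action class: "local-panic" for a console session, "remote-alert"
# otherwise. Keeping the decision separate from the action makes it testable.
duress_policy() {
    if session_is_remote; then
        echo "remote-alert"
    else
        echo "local-panic"
    fi
}

# Placeholder for the destructive local action (the README's suggestion is to
# wipe the home folder; here the event is only recorded so the demo is harmless).
local_panic_action() {
    printf '%s local-panic user=%s tty=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${PAM_USER:-unknown}" "${PAM_TTY:-unknown}" >> "$DURESS_LOG"
}

# Placeholder for the silent distress call on a remote trigger: no data loss,
# just an alert record an operator can forward to a pager or webhook.
send_distress_alert() {
    printf '%s remote-alert user=%s rhost=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${PAM_USER:-unknown}" "${PAM_RHOST:-${SSH_CLIENT:-unknown}}" >> "$DURESS_LOG"
}

# Entry point the pam_exec line would call once the duress password matched.
run_duress() {
    case "$(duress_policy)" in
        local-panic)  local_panic_action ;;
        remote-alert) send_distress_alert ;;
    esac
}
```

The `PAM_RHOST` and `PAM_SERVICE` checks are the ones to rely on: they are set by the PAM stack from what sshd reports, whereas `SSH_*` variables live in the user's environment and only help when the hook runs from a login shell. Note that this only addresses the remote case the issue raises; someone at the physical console can still trigger the local action, which is the scenario the feature is meant for.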
