Finding Passwords

Nick Andrew nick at kralizec.fido.oz.au
Mon Oct 22 21:32:41 AEST 1990


brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:

>In article <8685 at mirsa.inria.fr> jlf at mirsa.inria.fr (Jean-Louis Faraut) writes:
>> What about a two-way authentication, modifying the getty program to
>> oblige the computer to authenticate itself?

>Fails. As I've said before, you can't reliably *avoid* a Trojan Horse
>unless you can reliably *detect* a Trojan Horse. If you don't have a
>trusted path, the intruder can masquerade as you, forwarding enough of
>the responses you supply to authenticate itself and then taking control
>of your account.

	Yes, I see what you mean. What if the trojan were basically a
filter to a proper getty routine? It could be done in the traditional
sense (using pipes user=trojan=getty), or on a multi-line system,
the trojan could talk to the author (currently logged in on another
line) and the author's system (if it had 2 lines) could call the host
on some other line and use the output from the real getty to spoof
the fake one!  Weird, what a concept!

Nick.


