Finding Passwords
Joe Greco
jgreco at archimedes.math.uwm.edu
Fri Oct 5 11:23:44 AEST 1990
In comp.unix.internals article <BZS.90Sep28014217 at world.std.com>, bzs at world.std.com (Barry Shein) wrote:
:
:One simple and non-intrusive defense against most such attacks would
:be if, on successful login, the system would just tell you how many
:unsuccessful login attempts there have been on your account.
:
:This could be accomplished via a database only writeable by root. Of
:course, the printout could just be the output of a simple program run
:in your login script (itself somewhat secure, reporting only on the
:real uid, but that's not so critical as it's the ability to increment
:the count or zero it out which must be secure, not just report it.)
Hold on! Then what point is served? The "printout" would have to be
performed by login itself. Having a suid program or some similar "external"
program would be useless - it could just as easily be called by a spoofer.
... Joe
-------------------------------------------------------------------------------
Joe Greco - University of Wisconsin, Milwaukee - Department of Mathematics
jgreco at archimedes.math.uwm.edu USnail: Joe Greco
Voice: 414/321-6184 9905 W. Montana Ave.
Data: 414/321-9287 (Happy Hacker's BBS) West Allis, WI 53227-3329
ICBM: 43 05 20 N 87 53 10 W
#include <witty_and_humorous_saying.h>
Disclaimer: I don't speak for the Math Department, the University, or myself.
More information about the Comp.unix.internals
mailing list