Finding Passwords
Dan Bernstein
brnstnd at kramden.acf.nyu.edu
Tue Sep 25 08:01:30 AEST 1990
In article <4086 at auspex.auspex.com> guy at auspex.auspex.com (Guy Harris) writes:
> >and switch to plain "login:" if an incorrect password is entered. This
> >disables login trojans by making them unconcealable.
> Err, what's to stop the trojan horse program from exhibiting the same
> behavior as "getty" (which issues the first prompt indicated above) and
> "login" (which issues the subsequent ones)?
And what if it imitates getty and login in all respects? After all,
there's no reason it can't check your password for you and then log in
as you if you provide the right password. And what if, to be somewhat
more subtle, it simply intercepts all the I/O and connects you to a
telnetd or login on a pseudo-tty?
You cannot reliably *detect* a Trojan Horse unless you can reliably
*avoid* a Trojan horse. That's why the system has to provide a trusted
path.
---Dan
More information about the Comp.unix.internals
mailing list