Finding Passwords
Curtis Yarvin
cgy at cs.brown.edu
Mon Sep 24 12:33:24 AEST 1990
In article <LUSH.90Sep21083625 at athena0.EE.MsState.Edu> lush at EE.MsState.Edu (Edward Luke) writes:
>In article <11133 at galbp.LBP.HARRIS.COM> mhw at wittsend.syntrex.com
>(Michael H. Warfield (Mike)) writes:
>>Normal system security for terminal devices
>>and honest, diligent system administrators can prevent most of this or make it
>>so difficult, it's not worth the effort.
>Unfortunately this is not true. Trojan Horses are very easy to
>implement, and they don't require super user access. All an evil
>trojan horse writer would need is access to that terminal... Log in,
>run login program that looks identical to the normal login procedure.
>This proceduer would snarf up the passwd, tell the user "Sorry wrong
>password", and then exit back to the real login procedure.
You should be able to prevent this. SunOS (and thus likely BSD as well,
though I don't know) make the first login prompt "<hostname> login:", and
switch to plain "login:" if an incorrect password is entered. This disables
login trojans by making them unconcealable. Alternatively, on at least some
SysV machines, you can change the first prompt from the soft underbelly of
"login:" by mucking with /etc/gettydefs (I think /etc/gettytab on BSD is the
same).
-Curtis Yarvin cgy at cs.brown.edu
"Now you can go where people are one,
Now you can go where they get things done."
-The Dead Kennedys, "Holiday in Cambodia"
More information about the Comp.unix.internals
mailing list