Re: Linux login security approaches

Scott Wood (master@darkflame.ml.org)
Tue, 8 Dec 1998 16:52:10 -0500 (EST)


Henrik Olsen wrote:
> <long letter about protecting against a trojaned login snipped>
>
> You have a fundamental flaw in your assumptions, since you don't take into
> account the fact that unless the security of the system is very badly
> messed up already, if a user is able to substitute his own program for
> the normal login/getty, he can also exchange his programs for whatever
> else you add to give better "security".

He's not talking about actually replacing the getty or login binaries,
but running a regular unprivileged program that makes itself look exactly
like a valid login screen.

When the unsuspecting user tries to log in, it saves the
username/password, and tells the user that the login failed.
It then exits, and the real getty gets respawned by init.
The user assumes he mistyped his password and retries, and it works.
The person who ran the program then has the user's password, and the user
isn't suspicious at all.

This is why the secure attention key exists; it kills anything on that vt
and lets init respawn the real getty. It would be pointless if the real
getty had been altered.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
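Enabling the secure attention key the reply refers to, as an added example that is not part of the thread: a POSIX shell script that binds Ctrl+Alt+Pause (console keycode 101, the binding used in the kernel's SAK documentation) to SAK with loadkeys, and checks that the kernel.sysrq mask also permits the Alt+SysRq+k path to the same handler. It assumes a Linux console with the kbd tools (loadkeys, dumpkeys) installed; the keycode and the sysrq bit value are stated assumptions, not taken from the message.

```shell
#!/bin/sh
# Bind the Linux secure attention key (SAK) so a user at the console can kill
# whatever currently owns the vt, including a fake login prompt running as an
# ordinary user, and let init respawn the real getty.
# Assumption: keycode 101 is the Pause/Break key on a PC keyboard.

SAK_KEYCODE="${SAK_KEYCODE:-101}"

# Keymap line, in loadkeys syntax, binding Ctrl+Alt+<keycode> to SAK.
sak_keymap_line() {
    printf 'control alt keycode %s = SAK\n' "$1"
}

# Read a keymap dump on stdin (the format `dumpkeys` prints) and succeed if
# any keycode line binds the SAK keysym.
keymap_has_sak() {
    grep -E 'keycode +[0-9]+ *=' | grep -qw SAK
}

# $1 is the value of /proc/sys/kernel/sysrq.  A value of 1 enables every
# SysRq function; otherwise bit 4 ("keyboard controls": SAK, unraw) must be
# set for Alt+SysRq+k to work.
sysrq_allows_sak() {
    [ "$1" -eq 1 ] || [ $(( $1 & 4 )) -ne 0 ]
}

# Apply the binding on the running system (needs root for loadkeys).
enable_sak() {
    if dumpkeys | keymap_has_sak; then
        echo "SAK already bound in the current keymap"
    else
        sak_keymap_line "$SAK_KEYCODE" | loadkeys
    fi
    if ! sysrq_allows_sak "$(cat /proc/sys/kernel/sysrq)"; then
        echo "Alt+SysRq+k is disabled: set kernel.sysrq to 1 or include bit 4" >&2
    fi
}

# Only touch the live console when explicitly asked.
case "${1:-}" in
    --apply) enable_sak ;;
esac
```

Run it as root with `--apply`; the bare functions can be sourced and checked without changing the console.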