Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!zaphod.mps.ohio-state.edu!usc!chaph.usc.edu!alcor.usc.edu!jeenglis
From: jeenglis@alcor.usc.edu (Joe English Muffin)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Keywords: security
Message-ID: <12165@chaph.usc.edu>
Date: 24 Sep 90 10:18:24 GMT
References: <8354@helios.TAMU.EDU> <11133@galbp.LBP.HARRIS.COM> <LUSH.90Sep21083625@athena0.EE.MsState.Edu> <50845@brunix.UUCP>
Sender: news@chaph.usc.edu
Organization: Joe's Homeopathic Hangover Remedies
Lines: 33
Nntp-Posting-Host: alcor.usc.edu

cgy@cs.brown.edu (Curtis Yarvin) writes:

>In article <LUSH.90Sep21083625@athena0.EE.MsState.Edu> lush@EE.MsState.Edu (Edward Luke) writes:
>>Unfortunately this is not true.  Trojan Horses are very easy to
>>implement, and they don't require super user access.  All an evil
>>trojan horse writer would need is access to that terminal...  Log in,
>>run login program that looks identical to the normal login procedure.
>>This proceduer would snarf up the passwd, tell the user "Sorry wrong
>>password", and then exit back to the real login procedure.

>You should be able to prevent this.  SunOS (and thus likely BSD as well,
>though I don't know) make the first login prompt "<hostname> login:", and
>switch to plain "login:" if an incorrect password is entered.  This disables
>login trojans by making them unconcealable.

Yeah, but by the time you realize that
login isn't displaying the right prompt,
it's too late to do anything.  The password-
snarfer could also exec /bin/login instead of
exiting, which would make everything look
right (it's getty that displays the hostname,
etc., not login.)

Of course, getting into the habit of always 
typing a bogus username & password when
you first sit down at a terminal will defeat
most simple-minded login trojans, if you 
want to be paranoid about it.


--Joe English

  jeenglis@alcor.usc.edu