Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!rpi!uupsi!sunic!hagbard!luth!d87-man
From: d87-man@sm.luth.se (Mikael Adolfsson)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Keywords: security
Message-ID: <1132@tau.sm.luth.se>
Date: 24 Sep 90 20:05:34 GMT
References: <11133@galbp.LBP.HARRIS.COM> <50845@brunix.UUCP> <4086@auspex.auspex.com>
Organization: University of Lulea, Sweden
Lines: 27

guy@auspex.auspex.com (Guy Harris) writes:

>>and switch to plain "login:" if an incorrect password is entered. This
>>disables login trojans by making them unconcealable.

>Err, what's to stop the trojan horse program from exhibiting the same
>behavior as "getty" (which issues the first prompt indicated above) and
>"login" (which issues the subsequent ones)?

What's to stop the trojan horse program from executing "getty" itself.
I have planned to write such a beast (just to test the idea of course :-)
and here's how I would do it.

First I would write a pseudo-device interface (similar to rlogin). This
interface would resemble script(1) in that it could save on a file all
characters passed between a child process and the tty. Then this program
should just simply call "getty" and watch for keywords (sent from the
child process "getty", "login" or whatever) of the form

	"*login: "
	...followed by:
	"Password:"

This parsing would make it possible to save only those parts of the
login session that had to do with "logging in". And furthermore it would
be possible to make sure that the password is correct.

-- 
Mikael Adolfsson            # d87-man@sm.luth.se
University of Lulea, Sweden # ...{uunet,mcsun}!sunic!sm.luth.se!d87-man