Path: utzoo!attcan!ram
From: ram@attcan.UUCP (Richard Meesters)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Keywords: security
Message-ID: <12587@attcan.UUCP>
Date: 25 Sep 90 14:45:03 GMT
References: <8354@helios.TAMU.EDU> <11133@galbp.LBP.HARRIS.COM> <50845@brunix.UUCP>
Organization: AT&T Canada Inc., Toronto
Lines: 42

In article <50845@brunix.UUCP>, cgy@cs.brown.edu (Curtis Yarvin) writes:
> In article lush@EE.MsState.Edu (Edward Luke) writes:
> >In article <11133@galbp.LBP.HARRIS.COM> mhw@wittsend.syntrex.com
> >(Michael H. Warfield (Mike)) writes:
> >>Normal system security for terminal devices
> >>and honest, diligent system administrators can prevent most of this or make it
> >>so difficult, it's not worth the effort.
>
> >Unfortunately this is not true. Trojan Horses are very easy to
> >implement, and they don't require super user access. All an evil
> >trojan horse writer would need is access to that terminal... Log in,
> >run login program that looks identical to the normal login procedure.
> >This procedure would snarf up the passwd, tell the user "Sorry wrong
> >password", and then exit back to the real login procedure.
>
> You should be able to prevent this. SunOS (and thus likely BSD as well,
> though I don't know) make the first login prompt " login:", and
> switch to plain "login:" if an incorrect password is entered. This disables
> login trojans by making them unconcealable. Alternatively, on at least some
> SysV machines, you can change the first prompt from the soft underbelly of
> "login:" by mucking with /etc/gettydefs (I think /etc/gettytab on BSD is the
> same).

That's true, but the user will, of course, have to _notice_ that the login
prompt has not changed from " login:" to "login:", something which you can't
depend on a user to do, any more than you can depend on the same user to
pick a good password.
It falls to the administrator of the system to check for such security
violations; the users can't be relied upon to do security checks.

Regards,
------------------------------------------------------------------------------
Richard A Meesters             | Technical Support Specialist | Insert std.logo here
AT&T Canada                    |                              | "Waste is a terrible thing
ATTMAIL: ....attmail!rmeesters |                              |  to mind...clean up your act"
UUCP: ...att!attcan!ram        |                              |
------------------------------------------------------------------------------
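The post leaves the administrator's check unspecified. As an added example that is not part of the thread or of any of the systems it names, here is one way to script such a check over `who` and `ps -ef` output: flag any process named login or getty that is not running as root (the real ones run as root until the user is authenticated, while the trojan described above runs as the attacker), and any non-root process holding a terminal that `who` shows no session on, or that belongs to someone other than the user logged in there. The `who` and `ps` lines are constructed sample data; the two heuristics, the assumed SysV `ps -ef` column layout with a single-token STIME, and the names `suspicious_tty_processes`, `parse_who` and `parse_ps` are this example's own assumptions.

```python
import os

# Constructed sample `who` output (user, terminal, login time): illustrative
# data for this example, not captured from a real host.
WHO_OUTPUT = """\
alice    ttyp1    Sep 25 09:12
bob      tty02    Sep 25 08:55
"""

# Constructed sample SysV-style `ps -ef` output. The parser below assumes this
# column layout (UID PID PPID C STIME TTY TIME CMD) with a single-token STIME.
PS_OUTPUT = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     1     0  0 08:00:01 ?        0:03 /etc/init
    root   212     1  0 08:00:05 tty01    0:00 /etc/getty tty01 9600
   alice   301   299  0 09:12:10 ttyp1    0:01 -csh
     bob   412   410  0 08:55:30 tty02    0:00 -sh
     bob   433   412  0 08:56:02 tty02    0:00 ./login
   carol   512     1  0 07:40:11 tty03    0:02 /usr/local/bin/vi
"""

# Commands that legitimately sit on a terminal before anyone is authenticated.
# A real one runs as root; a user-owned copy is the login trojan in the thread.
LOGIN_NAMES = {"login", "getty"}


def parse_who(text):
    """Map terminal -> logged-in user from `who` output."""
    sessions = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            sessions[fields[1]] = fields[0]
    return sessions


def parse_ps(text):
    """Return a list of dicts (uid, pid, ppid, tty, cmd) from `ps -ef` output."""
    procs = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue                            # malformed or truncated line
        uid, pid, ppid, _c, _stime, tty, _time, cmd = fields
        procs.append({"uid": uid, "pid": int(pid), "ppid": int(ppid),
                      "tty": tty, "cmd": cmd})
    return procs


def command_name(cmd):
    """Basename of argv[0], with the '-' a login shell is started with stripped."""
    return os.path.basename(cmd.split()[0]).lstrip("-")


def suspicious_tty_processes(who_text, ps_text):
    """Return (pid, tty, reason) for processes that should not be on a terminal.

    Heuristics (assumptions of this example, not from the thread):
      1. a process named login/getty that is not running as root;
      2. a non-root process on a terminal `who` shows no session for, or
         owned by a different user than the one logged in there.
    """
    sessions = parse_who(who_text)
    findings = []
    for p in parse_ps(ps_text):
        if p["tty"] == "?" or p["uid"] == "root":
            continue        # daemons and root's own getty/login are expected
        name = command_name(p["cmd"])
        if name in LOGIN_NAMES:
            findings.append((p["pid"], p["tty"],
                             "non-root process named like login/getty: " + p["cmd"]))
            continue
        owner = sessions.get(p["tty"])
        if owner is None:
            findings.append((p["pid"], p["tty"],
                             "process on a terminal with no login session: " + p["cmd"]))
        elif owner != p["uid"]:
            findings.append((p["pid"], p["tty"],
                             "process owned by %s on %s's terminal: %s"
                             % (p["uid"], owner, p["cmd"])))
    return findings


if __name__ == "__main__":
    for pid, tty, reason in suspicious_tty_processes(WHO_OUTPUT, PS_OUTPUT):
        print("pid %d on %s: %s" % (pid, tty, reason))
```

On the sample data this reports bob's `./login` on tty02 and carol's orphaned editor on tty03, and leaves root's getty and the two ordinary login shells alone. The limits are the ones the thread implies: an attacker who stays logged in and names the program something innocuous passes both rules, so this narrows the window rather than replacing the " login:" / "login:" trusted prompt, and it is meant to run from root's cron and report to the administrator, since the user cannot be relied on to notice anything.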