Path: utzoo!attcan!uunet!cos!hqda-ai!media!csense!bote
From: bote@csense.uucp (John Boteler)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Keywords: security
Message-ID: <1990Sep26.215430.10523@csense.uucp>
Date: 26 Sep 90 21:54:30 GMT
References: <11133@galbp.LBP.HARRIS.COM> <LUSH.90Sep21083625@athena0.EE.MsState.Edu> <50845@brunix.UUCP>
Organization: Common Sense Computing, McLean, VA.
Lines: 20

cgy@cs.brown.edu (Curtis Yarvin) claimed:
>In article <LUSH.90Sep21083625@athena0.EE.MsState.Edu> lush@EE.MsState.Edu (Edward Luke) writes:
>>This proceduer would snarf up the passwd, tell the user "Sorry wrong
>>password", and then exit back to the real login procedure.
>
>You should be able to prevent this.  SunOS (and thus likely BSD as well,
>though I don't know) make the first login prompt "<hostname> login:", and
>switch to plain "login:" if an incorrect password is entered.  This disables
>login trojans by making them unconcealable.

Yes, you're right.

No programmer in the world could possibly defeat this.

Especially without superuser access.


-- 
John Boteler   bote@csense.uucp           {uunet | ka3ovk}!media!csense!bote
SkinnyDipper's Hotline: 703-241-BARE | VOICE only, Touch-Tone(TM) signalling