Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!cs.utexas.edu!usc!apple!amdahl!key!lfk
From: lfk@key.key.com (Lynn Kerby)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID:
Date: 28 Sep 90 22:43:40 GMT
References: <11133@galbp.LBP.HARRIS.COM> <50845@brunix.UUCP> <1990Sep26.215430.10523@csense.uucp>
Sender: lfk@key.COM
Reply-To: lfk@key.amdahl.com
Organization: Amdahl Corporation - KCL, Fremont, CA
Lines: 19
In-reply-to: bote@csense.uucp's message of 26 Sep 90 21:54:30 GMT

In article <1990Sep26.215430.10523@csense.uucp> bote@csense.uucp (John Boteler) writes:
> cgy@cs.brown.edu (Curtis Yarvin) claimed:
> >You should be able to prevent this. SunOS (and thus likely BSD as well,
> >though I don't know) make the first login prompt " login:", and
> >switch to plain "login:" if an incorrect password is entered. This disables
> >login trojans by making them unconcealable.
>
> Yes, you're right.
>
> No programmer in the world could possibly defeat this.

Actually it should be pretty trivial to defeat, login will accept the
user name in argv[1], so the user would never see the difference.

Perhaps I missed something in the previous discussion....

--
Lynn Kerby, Amdahl Corporation: lfk@key.amdahl.com or {...}amdahl!key!lfk
<<<<---------------------------- DISCLAIMER ---------------------------->>>>
<<<<  Any and all opinions expressed herein are my own.  My             >>>>
<<<<  employer doesn't pay me for my opinion!                           >>>>