Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!wuarchive!cs.utexas.edu!yale!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID: <12772:Oct103:05:0390@kramden.acf.nyu.edu>
Date: 1 Oct 90 03:05:03 GMT
References: <25680:Sep2805:58:2290@kramden.acf.nyu.edu>> <20849@well.sf.ca.us>
Organization: IR
Lines: 13

In article <20849@well.sf.ca.us> nagle@well.sf.ca.us (John Nagle) writes:
  [ trusted paths ]
> You can't do it in "getty"; it has to be in the kernel. There
> must be something the user can (and must) do that can't be intercepted
> by any user program.

No to the first; yes to the second. You can keep the user away from the
physical terminal device without changing the kernel. Steve Bellovin's
session manager paper elaborates upon this. (Well, his design required a
few extensions to System V facilities, but all the necessary features
are already in BSD.)

---Dan