Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!ucsd!orion.oac.uci.edu!cedman From: cedman@lynx.ps.uci.edu (Carl Edman) Newsgroups: comp.unix.internals Subject: Re: Finding Passwords Message-ID: Date: 3 Oct 90 22:52:46 GMT References: <8685@mirsa.inria.fr> Organization: non serviam Lines: 36 Nntp-Posting-Host: lynx.ps.uci.edu In-reply-to: mikep@dirty.csc.ti.com's message of 3 Oct 90 04:34:20 GMT In article mikep@dirty.csc.ti.com (Michael A. Petonic) writes: In article <8685@mirsa.inria.fr> jlf@mirsa.inria.fr (Louis Faraut) writes: >What about a two-ways authentication, modifying the getty program to >oblige the computer to authenticate itself ? > >This could be achieved the following way, by use of a secret keyword, >sort of secondary passwd : > >- CPU prompts "login:" >- type your login name >- CPU uncrypts your secret keyword and display it on screen . >(Each user keeps up his own secret keyword encrypted in a personal file ; >only the owner and root can read/modify this file ) >- CPU prompts "passwd:" >- Now you can either type your usual passwd if the secret >keyword was right, or do anything else possibly aborting the session . > >So, is there an easy way to attack this protocol ? How about watching over someone's shoulder to observe their "secret" password. Why go to such lengths as watching over peoples shoulders ? Simply 'login' and type the username. Then you get the password. You can even automate this and add a 'secret'(!) password database file to your trojan horse. Nice try, but , of course, is far to easy to circumvent. Carl Edman Theorectial Physicist,N.:A physicist whose | Send mail existence is postulated, to make the numbers | to balance but who is never actually observed | cedman@golem.ps.uci.edu in the laboratory. | edmanc@uciph0.ps.uci.edu