Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!zaphod.mps.ohio-state.edu!van-bc!ubc-cs!alberta!access!edm!geoff
From: geoff@edm.uucp (Geoff Coleman)
Newsgroups: comp.unix.misc
Subject: Re: Login vs. typeahead
Message-ID: <1990Nov16.231110.12978@edm.uucp>
Date: 16 Nov 90 23:11:10 GMT
References: <1990Nov13.233329.8736@athena.mit.edu>
Organization: Unexsys Systems inc.
Lines: 30

From article <1990Nov13.233329.8736@athena.mit.edu>, by jik@athena.mit.edu (Jonathan I. Kamens):
> In article <1990Nov13.182623.18967@smsc.sony.com>, dce@smsc.sony.com (David Elliott) writes:
> |> ... if a user tries to do this, some or all of
> |> the password they type is displayed on the screen, and then this data
> |> is ignored by getpass(), which flushes the input before it reads.
> |>
> |> What I would like to know is if there is a good reason for the current
> |> behavior, and if changing this behavior might in some way compromise
> |> the security of the system.
>
> The flushing of typeahead is meant to prevent people from doing exactly what
> you describe. Allowing the first characters of your password to be displayed
> on the screen as you type them is a Bad Idea (tm) and a clear security
> problem. If the login program doesn't accept input typed before echoing is
> turned off, then people have an incentive not to type any input before echoing
> is turned off.
>

But isn't AIX supposed to be a more secure UNIX. It does allow type ahead
on the login and accepts it. I wonder if anyone has logged this as a bug. I'm
at my quota for the week already.

Geoff

> --
> Jonathan Kamens                     USnail:
> MIT Project Athena                  11 Ashford Terrace
> jik@Athena.MIT.EDU                  Allston, MA 02134
> Office: 617-253-8085                Home: 617-782-0710
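
The behaviour discussed in this thread, shown at the tty layer as an added example that is not part of the original posts: typeahead is echoed before echo is turned off, and whether it is then accepted depends on whether the prompt flushes the input queue. It assumes Linux and uses a pseudo-terminal in place of the login line and tcsetattr() with TCSAFLUSH as the flushing step; the function names and the sample password are constructed, and how any particular getpass() or login performs its flush is an assumption.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <unistd.h>

/* Added example, Linux-only assumption: open a pty pair via /dev/ptmx ioctls. */
static int open_pty(int *m, int *s) {
    char path[32];
    int unlock = 0, n;
    if ((*m = open("/dev/ptmx", O_RDWR | O_NOCTTY)) < 0) return -1;
    if (ioctl(*m, TIOCSPTLCK, &unlock) == 0 && ioctl(*m, TIOCGPTN, &n) == 0) {
        snprintf(path, sizeof path, "/dev/pts/%d", n);
        if ((*s = open(path, O_RDWR | O_NOCTTY)) >= 0) return 0;
    }
    close(*m);
    return -1;
}

/* Type ahead, then disable echo with `how` (TCSAFLUSH or TCSANOW).
 * Returns bytes a later read() would still get; *echoed = bytes shown on screen. */
int typeahead_after_echo_off(int how, int *echoed) {
    static const char typed[] = "hunter2\n";     /* constructed sample input */
    char screen[64];
    int m, s, pending = -1;
    struct termios t;
    if (open_pty(&m, &s) < 0) return -1;
    struct pollfd in = { .fd = s, .events = POLLIN }, out = { .fd = m, .events = POLLIN };
    /* The "user" types before echo is off; wait for the line and its echo. */
    if (write(m, typed, sizeof typed - 1) > 0 && poll(&in, 1, 2000) == 1 &&
        poll(&out, 1, 2000) == 1 && tcgetattr(s, &t) == 0) {
        *echoed = (int)read(m, screen, sizeof screen);
        t.c_lflag &= ~ECHO;                      /* what the password prompt does */
        if (tcsetattr(s, how, &t) != 0 || ioctl(s, FIONREAD, &pending) != 0)
            pending = -1;
    }
    close(s);
    close(m);
    return pending;
}

int main(void) {
    int shown = 0, left = typeahead_after_echo_off(TCSAFLUSH, &shown);
    printf("TCSAFLUSH: %d bytes left, %d echoed\n", left, shown);
    left = typeahead_after_echo_off(TCSANOW, &shown);
    printf("TCSANOW:   %d bytes left, %d echoed\n", left, shown);
    return 0;
}
```

In both cases the typed-ahead bytes have already been echoed; only the TCSAFLUSH case discards them so the prompt does not accept them.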