Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!crackers!cpoint!frog!rmkhome!rmk
From: rmk@rmkhome.UUCP (Rick Kelly)
Newsgroups: comp.unix.admin
Subject: Re: Kmem security (was: Re: How do you make your UNIX crash ???)
Message-ID: <9103201024.37@rmkhome.UUCP>
Date: 20 Mar 91 20:43:00 GMT
References: <513@bria> <1991Mar12.132003.27383@cs.widener.edu> <14454@ulysses.att.com> <1991Mar13.180300.17697@convex.com> <9103152251.41@rmkhome.UUCP> <1991Mar18.153201.23325@lth.se>
Reply-To: rmk@rmkhome.UUCP (Rick Kelly)
Organization: The Man With Ten Cats
Lines: 26

In article <1991Mar18.153201.23325@lth.se> magnus@thep.lu.se (Magnus Olsson) writes:
>In article <9103152251.41@rmkhome.UUCP> rmk@rmkhome.UUCP (Rick Kelly) writes:
>>When anyone logs in, even root, login has to decrypt
>>the password in /etc/password to compare it to the password typed in. This
>>password in memory lays around for a while. It is extremely easy to grab
>>passwords out of kmem, and match them to ANY user, including root.
>
>Sorry, but this is bogus.
>
>login does *not* have to decrypt the password from /etc/passwd - indeed,
>I don't think there's any way it could do that! (The encryption function
>is not invertible - several different passwords can have the same
>encrypted form). Instead, it encrypts the typed-in password and compares
>it to the one in /etc/passwd.
>
>That doesn't mean, of course, that you can't get passwords from /dev/kmem -
>login has to keep the entered password somewhere before it encrypts it!

You're right. I typed without thinking. However, I have used standard
UNIX commands to find the password that a user typed in at the prompt.
It's trivial.

Rick Kelly	rmk@rmkhome.UUCP	frog!rmkhome!rmk	rmk@frog.UUCP
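The verification scheme Magnus describes (hash the typed password with the stored salt, compare the result, never "decrypt" the stored value) and the residual risk both posters agree on (the plaintext sits in the login process's memory until it is overwritten) can be shown in a few lines. The following is an added example written for this thread, not code from either poster or from any UNIX login program. It substitutes PBKDF2-HMAC-SHA256 from Python's standard library for the crypt(3) function a 1991 login used; the record format `pbkdf2$<salt>$<digest>` and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the one-way hash (an assumption; crypt(3) had its own fixed cost).
PBKDF2_ROUNDS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build a constructed /etc/passwd-style record: a salted one-way hash.

    The digest cannot be turned back into the password; several different
    passwords could in principle map to the same digest, which is exactly
    why login never needs (or is able) to invert it.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify(typed: bytearray, record: str) -> bool:
    """Check a typed password the way login does: hash the candidate with the
    stored salt and compare digests. The stored record is never decrypted.

    `typed` is a mutable buffer so the caller's plaintext can be scrubbed
    once the comparison is done, limiting how long it lingers in memory.
    """
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unsupported hash scheme in record")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", bytes(typed), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    # Constant-time comparison: a plain == would leak digest prefix matches via timing.
    ok = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    # Overwrite the plaintext buffer. Note the limit of this mitigation: the
    # temporary bytes() copy above is immutable and cannot be scrubbed from
    # Python; a C login would memset() its single input buffer instead.
    for i in range(len(typed)):
        typed[i] = 0
    return ok


def main() -> None:
    record = make_record("correct horse")  # constructed sample password
    print("stored record:", record)
    buf = bytearray(b"correct horse")
    print("login accepted:", verify(buf, record))
    print("plaintext buffer after verify:", bytes(buf))
    print("wrong password accepted:", verify(bytearray(b"wrong"), record))


if __name__ == "__main__":
    main()
```

The point to take from running it is the second print: after `verify` returns, the caller's buffer is all zero bytes, yet the stored record still validates any future correct attempt because verification only ever recomputes the hash. Whatever window remains is the time between reading the password and that scrub, which is the window the thread is arguing about.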