Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!nrl-cmf!ukma!rutgers!att!cuuxb!dlm
From: dlm@cuuxb.ATT.COM (Dennis L. Mumaugh)
Newsgroups: comp.unix.wizards
Subject: Terminal locks (was Autologout of unused terminals)
Summary: terminal locks won't work
Message-ID: <2292@cuuxb.ATT.COM>
Date: 14 Dec 88 00:16:43 GMT
References: <201.nlunix6@orcenl.uucp> <8978@smoke.BRL.MIL> <2682@sultra.UUCP> <9012@smoke.BRL.MIL> <3603@jpl-devvax.JPL.NASA.GOV> <2255@cuuxb.ATT.COM>
Reply-To: dlm@cuuxb.UUCP (Dennis L. Mumaugh)
Organization: ATT Data Systems Group, Lisle, Ill.
Lines: 35

In a previous article I described a terminal lock program for an AT&T 630MTG:

> The neatest special program is the 630MTG program dmdlock. If
> the terminal has no user activity - mouse or keyboard - in a
> given time period, the terminal locks itself and 15 minutes later
> the screen blanks. One has to then unlock the terminal. Hence
> walking away from the 630MTG results in auto-locking the
> terminal.

My security friends remind me that even the above terminal lock program won't be safe. In "UNIX Operating System Security," Grampp, F.T. and Morris, R. H., ATT Tech. Journal, vol 63, no 8, part 2, pp 1649-1672, October 1984, the concept of a password grabber was discussed. Read it.

Algorithm for penetration of a system via attack on a locked terminal:

A priori, know the behaviour of the lock. Break the lock. [We assume this is done by power cycling the terminal or dropping the line/modem.] Use the terminal to login on your favorite system, possibly the same as the victim. Run your version of the password grabber / lock masquerade program. When our victim returns and tries to unlock the terminal, they can't. After a few tries, the program simulates a logout.

Our lock program leaves a log of attempts in the user's login directory. Hence if I can't unlock my terminal, I always [always?!] check the lock log to see that it did log the attempt. If I don't see my failure, well ....
Moral: terminal locking programs are NEVER [what never? no! never!] secure.
--
=Dennis L. Mumaugh
 Lisle, IL
 ...!{att,lll-crg}!cuuxb!dlm OR cuuxb!dlm@arpa.att.com