Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!unisoft!peritek!dig
From: dig@peritek.UUCP (Dave Gotwisner)
Newsgroups: comp.sources.d
Subject: Re: getty/login for callback
Keywords: tip getty login
Message-ID: <624@peritek.UUCP>
Date: 14 Apr 89 08:43:50 GMT
References: <180001@mechp10.UUCP> <13853@rpp386.Dallas.TX.US> <797@twwells.uucp> <18yLb6a0ib1010aFV6Y@amdahl.uts.amdahl.com>
Distribution: usa
Organization: Peritek Corp., Oakland, CA
Lines: 30

In article <18yLb6a0ib1010aFV6Y@amdahl.uts.amdahl.com>, shs@uts.amdahl.com (Steve Schoettler) writes:
# In article <623@peritek.UUCP> dig@peritek.UUCP (Dave Gotwisner) writes:
# >In article <14U6Pf88Sj1010WE=r6@amdahl.uts.amdahl.com>, shs@uts.amdahl.com (Steve Schoettler) writes:
# <stuff deleted -- refer to parent article>
# 
# Sorry, I guess I didn't explain it well enough.  The goal is to save the
# user's personal phone bills.  Here's what happens:
# 	user calls the computer. (can be from a terminal + modem or
#              home computer + modem)
#         user logs into the computer and runs ntip.
#         then user logs off, hangs up, sets the modem on auto-answer,
#         and the computer calls him up and forks a shell out the computer's
#              serial port, which the user sees on his terminal, just as
#              getty/login did when the user called the computer.

There is still a security hole here.  The idea of the original post was
to have a secure program running on the line (I think, at least that's what
callme offers).  If you can log into the system, so can anyone else who
wants to run a password cracker.  Even if you automate it somehow (replace
login with a special program which looks at the line, and forces login to
call ntip), tip (and probably ntip) has a shell escape!  If the caller catches
it fast enough, he could probably beat the callup.  If you aren't worried
about other users (possibly) getting onto your system, your approach would
be fine.  If you are worried (concerned), it probably isn't acceptable.
-- 
------------------------------------------------------------------------------
Dave Gotwisner					UUCP:  ...!unisoft!peritek!dig
Peritek Corporation				       ...!vsi1!peritek!dig
5550 Redwood Road
Oakland, CA 94619				Phone: 1-415-531-6500