Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!cs.utexas.edu!uunet!brunix!cgy
From: cgy@cs.brown.edu (Curtis Yarvin)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Keywords: security
Message-ID: <50845@brunix.UUCP>
Date: 24 Sep 90 02:33:24 GMT
References: <8354@helios.TAMU.EDU> <11133@galbp.LBP.HARRIS.COM> 
Sender: news@brunix.UUCP
Reply-To: cgy@cs.brown.edu (Curtis Yarvin)
Organization: Brown University Department of Computer Science
Lines: 26

In article  lush@EE.MsState.Edu (Edward Luke) writes:
>In article <11133@galbp.LBP.HARRIS.COM> mhw@wittsend.syntrex.com
>(Michael H. Warfield (Mike)) writes:
>>Normal system security for terminal devices
>>and honest, diligent system administrators can prevent most of this or make it
>>so difficult, it's not worth the effort.

>Unfortunately this is not true.  Trojan Horses are very easy to
>implement, and they don't require super user access.  All an evil
>trojan horse writer would need is access to that terminal...  Log in,
>run login program that looks identical to the normal login procedure.
>This procedure would snarf up the passwd, tell the user "Sorry wrong
>password", and then exit back to the real login procedure.

You should be able to prevent this.  SunOS (and thus likely BSD as well,
though I don't know) make the first login prompt " login:", and
switch to plain "login:" if an incorrect password is entered.  This disables
login trojans by making them unconcealable.  Alternatively, on at least some
SysV machines, you can change the first prompt from the soft underbelly of
"login:" by mucking with /etc/gettydefs (I think /etc/gettytab on BSD is the
same).

	-Curtis Yarvin	cgy@cs.brown.edu
"Now you can go where people are one,
 Now you can go where they get things done."
		-The Dead Kennedys, "Holiday in Cambodia"
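
An added example, not part of the original post: a Python audit of the /etc/gettydefs change mentioned above, listing the entries whose first prompt is still the bare "login:". The SysV entry layout (label# initial-flags # final-flags # login-prompt #next-label), the sample file contents and the host name host1 are assumptions constructed for illustration.

```python
import re

# Constructed sample. Assumed SysV layout, entries separated by blank lines:
#   label# initial-flags # final-flags # login-prompt #next-label
SAMPLE_GETTYDEFS = r"""
19200# B19200 HUPCL # B19200 SANE IXANY TAB3 HUPCL #login: #9600

9600# B9600 HUPCL # B9600 SANE IXANY TAB3 HUPCL #\r\nhost1 first login: #4800

4800# B4800 HUPCL # B4800 SANE IXANY TAB3 HUPCL #Login: #19200
"""


def parse_gettydefs(text):
    """Return (label, prompt, next_label) for each well-formed entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text):
        entry = " ".join(line.strip() for line in block.splitlines() if line.strip())
        fields = entry.split("#")
        if len(fields) < 5:
            continue  # blank or malformed block
        # Everything between final-flags and next-label is the prompt.
        prompt = "#".join(fields[3:-1])
        entries.append((fields[0].strip(), prompt, fields[-1].strip()))
    return entries


def is_default_prompt(prompt):
    """True if the prompt, minus backslash escapes and case, is just 'login:'."""
    plain = re.sub(r"\\(?:[0-7]{1,3}|.)", " ", prompt)
    return plain.strip().lower() == "login:"


def default_prompt_labels(text):
    """Labels of entries whose first prompt is indistinguishable from the retry prompt."""
    return [label for label, prompt, _ in parse_gettydefs(text)
            if is_default_prompt(prompt)]


if __name__ == "__main__":
    for label in default_prompt_labels(SAMPLE_GETTYDEFS):
        print(f"entry {label}: first prompt is the bare 'login:'")
```
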