Finding Passwords
Tim Sesow SSDS Rocky Mntn
ssds!tims at uunet.uu.net
Tue Sep 25 17:14:06 AEST 1990
Curtis Yarvin <cgy at cs.brown.edu> writes:
>You should be able to prevent this. SunOS (and thus likely BSD as well,
>though I don't know) make the first login prompt "<hostname> login:", and
>switch to plain "login:" if an incorrect password is entered. This disables
>login trojans by making them unconcealable. Alternatively, on at least some
>SysV machines, you can change the first prompt from the soft underbelly of
>"login:" by mucking with /etc/gettydefs (I think /etc/gettytab on BSD is the
>same).
IMHO, I don't believe there is any way on a terminal (as opposed
to TELNET) to have the UNIX O/S deter a dedicated trojan horse
writer. You can increase the levels of interaction for the trojan
horse program to simulate, but writing
a trojan horse to capture passwords for any given system is
relatively easy. A hardware scheme to shut down the terminal
session might work IF (1) every user turns off the terminal and
(2) the SIGHUP cannot be caught.
One way out: stick to TELNET sessions and ALWAYS disconnect and reconnect
before logging on.
Tim Sesow
SSDS Inc. Rocky Mountain Region
Littleton, CO
More information about the Comp.unix.internals
mailing list