Finding Passwords
Joe English Muffin
jeenglis at alcor.usc.edu
Mon Sep 24 20:18:24 AEST 1990
cgy at cs.brown.edu (Curtis Yarvin) writes:
>In article <LUSH.90Sep21083625 at athena0.EE.MsState.Edu> lush at EE.MsState.Edu (Edward Luke) writes:
>>Unfortunately this is not true. Trojan Horses are very easy to
>>implement, and they don't require super user access. All an evil
>>trojan horse writer would need is access to that terminal... Log in,
>>run login program that looks identical to the normal login procedure.
>>This proceduer would snarf up the passwd, tell the user "Sorry wrong
>>password", and then exit back to the real login procedure.
>You should be able to prevent this. SunOS (and thus likely BSD as well,
>though I don't know) make the first login prompt "<hostname> login:", and
>switch to plain "login:" if an incorrect password is entered. This disables
>login trojans by making them unconcealable.
Yeah, but by the time you realize that
login isn't displaying the right prompt,
it's too late to do anything. The password-
snarfer could also exec /bin/login instead of
exiting, which would make everything look
right (it's getty that displays the hostname,
etc., not login.)
Of course, getting into the habit of always
typing a bogus username & password when
you first sit down at a terminal will defeat
most simple-minded login trojans, if you
want to be paranoid about it.
--Joe English
jeenglis at alcor.usc.edu
More information about the Comp.unix.internals
mailing list