BSD tty security, part 3: How to Fix It

Dan Bernstein brnstnd at kramden.acf.nyu.edu
Sun May 19 11:08:35 AEST 1991


In article <19306 at rpp386.cactus.org> jfh at rpp386.cactus.org (John F Haugh II) writes:
> Yes.  Not everything has an out of band channel to send a SAK sequence
> along on.

Then the sequence must be in-band. For the sake of argument, let's say
that getty (or whatever process does the I/O on a hardwired line) checks
for ^K everywhere in the input stream. ^K<space> is translated into a ^K
for the underlying session, and ^K<anything else> disconnects the
session for later reconnection and provides a login prompt. That's a
secure attention key, and one which cannot be defeated on most
terminals. (The exceptions are those terminals which can somehow be
forced to silently transmit a space right after the user types ^K, and
those in which the ^K key itself can be reprogrammed.)

> Dan assures us that
> for a properly started login process (which he can't guarantee the
> user is going to press SAK to start) we get a clean line.

What's the point of your parenthetical comment? The system documentation
will tell users that they should press ^K a few times to get a login
prompt. Otherwise, sayeth the docs, some other user might be faking the
login prompt, and that's a Bad Thing. In any case, yes, I assert that my
solution provides a secure tty, and I've explained in another article
exactly why this is true.

> I say,
> remove the dependency on the user pressing SAK to start with - let
> the system clean the line off itself.  If the user wants to clean the
> line, let her nail the SAK key and kill any trojans lurking in the
> wings.

Frankly, John, that is one of the most idiotic statements I've ever
heard from you. You complain about my solution because it can't stop
stupid users from telling other users their passwords, but you want to
trust the user to press SAK after he's given away the password? Wake up.
Revoking tty access does not solve any more problems than my solution
does, and your ridiculous ideas about how a SAK can be implemented have
nothing to do with tty security.

---Dan
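
The in-band scheme described in the post, as an added example in C that is not from the original message: a filter that turns ^K<space> into a literal ^K for the session and reports attention on ^K<anything else>, keeping its state across reads so that a ^K at the end of one read is still paired with the next byte. The names `sak_filter` and `sak_feed` are hypothetical, and dropping the byte that follows ^K while leaving the rest of the input for the login prompt is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

#define SAK_BYTE 0x0B   /* ^K, the attention character used in the post */

struct sak_filter {     /* hypothetical name */
    int pending;        /* 1 when the previous byte was an unpaired ^K */
};

/*
 * Filter n bytes read from the line. Bytes meant for the session go to out
 * (capacity >= n) and *outlen is their count. Returns 1 when ^K<non-space>
 * is seen: *consumed then covers input up to and including the trigger byte
 * (assumption: that byte is dropped), and nothing after it reaches the
 * session. Returns 0 otherwise, with *consumed == n.
 */
int sak_feed(struct sak_filter *f, const unsigned char *in, size_t n,
             unsigned char *out, size_t *outlen, size_t *consumed)
{
    size_t i, o = 0;
    for (i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (f->pending) {
            f->pending = 0;
            if (c != ' ') {           /* ^K<anything else>: attention */
                *outlen = o;
                *consumed = i + 1;
                return 1;
            }
            out[o++] = SAK_BYTE;      /* ^K<space>: literal ^K for the session */
        } else if (c == SAK_BYTE) {
            f->pending = 1;           /* held back; the next byte decides */
        } else {
            out[o++] = c;
        }
    }
    *outlen = o;
    *consumed = n;
    return 0;
}

int main(void)
{
    /* Constructed input: "ls", ^K<space>, "x", then ^K followed by 'q'. */
    const unsigned char in[] = { 'l', 's', SAK_BYTE, ' ', 'x', SAK_BYTE, 'q', 'z' };
    unsigned char out[sizeof in];
    size_t outlen, used;
    struct sak_filter f = { 0 };
    int att = sak_feed(&f, in, sizeof in, out, &outlen, &used);
    printf("attention=%d forwarded=%zu consumed=%zu\n", att, outlen, used);
    return 0;
}
```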


