BSD tty security, part 3: How to Fix It

Thu May 16 07:56:22 AEST 1991

In article <19276 at rpp386.cactus.org> jfh at rpp386.cactus.org (John F Haugh II) writes:
> Now, given that passwd can't verify who it is talking to, how can it
> possibly meet the assurances required to state that it isn't talking
> to a trojan horse?

You didn't answer my question. Are you going to restrict use of passwd
to people who can walk up to the console? If not, then you are always
vulnerable to eavesdropping, and it's the user's responsibility, not
passwd's, to make sure that nobody's looking over his shoulder.

It doesn't matter whether passwd can make your statement. All that's
necessary is that a normal user, under normal operation of the system,
will be able to start passwd in a safe way. That's what I've guaranteed.
If he later wants to do something stupid and start passwd in an unsafe
way, I can't stop him, and I see no reason that passwd should stop him.

> >Eavesdropping (and data corruption) is no worse a problem for passwd
> >than it is for any user program. If you want to solve those essentially
> >physical problems, encrypt your data.
> Sure.  But I'm not even talking about eavesdropping, I'm talking
> about really simple stuff, like trojan horses.  What about a case
> where my application looks just like "passwd", but is really just
> a pipe or somesuch (like the "pty" command) from your keyboard to
> the real passwd command.

Who tf cares? A sane user will never invoke such a pipe. It's not
passwd's responsibility to check that the user is sane.

Somehow we're failing to communicate here. My model is that the user
walks up to a console or makes a network connection, then types
something that (as the OS documentation guarantees) sends his future
keystrokes directly to the system and nobody else. If he then types his
username and password, nobody else gets the password. If he then types
passwd and changes his password, nobody else gets the password.

The problem right now is that there are all these security holes---the
system doesn't guarantee that nobody's looking on. My changes make that
guarantee, at least for the tty subsystem.

You seem to be in this fantasy world where the user intentionally
invokes a pipe to your recording wrapper around passwd. That's stupid.
He's going to do that about as often as he sends you his password by
e-mail. What problem are you trying to fix?

> >Sure it does. Please read suggestion #24.
> I log in as "jfh", and start my trojan horse.  It displays a login
> banner.  You type "brnstnd".  I prompt for your passwd.  You enter
> it.

Perhaps you didn't read the suggestion. I don't just type my username
and password; I press the secure attention key, then my username and
password. Surely you're familiar with Multics?

> >> As for using
> >> different SAK keys, what to do about UUCP, etc?
> >This is a non-issue.
> It just goes to show that you've never bothered thinking about what
> the issues are.  How exactly would an application turn off the SAK
> key under your system?

Be serious. The whole point of a SECURE attention key is that it cannot
be violated by unprivileged applications (i.e., things outside the TCB).
And, as Bellovin told you, there's no need for an application to turn
off the SAK---you just make the SAK a variable-length signal if normal
data is fixed-length, and vice versa. This is a non-issue.

---Dan