Re: Linux login security approaches

kwrohrer@ce.mediaone.net
Thu, 10 Dec 1998 10:24:32 -0600 (EST)


And lo, Mirian Crzig Lennox saith unto me:
>
> Wesley Morgan <morganw@engr.sc.edu> writes:
> > On Tue, 8 Dec 1998, Neil Conway wrote:
> >
> > > Jeez, wrong on both counts. No-one needs to replace /bin/login, simply
> > > print a message to the screen saying "Linux blah \n login:" and then
> > > wait for someone to take the bait.
> > >
> > > Secondly, NT's C-A-D requirement DOES prevent this, and thus DOES add
> > > security, AND to make things better, I don't see how it makes life any
> > > harder for users - it's just some keys you press to get a login screen.
> >
> > This whole argument is stupid... If you have access to the console then
> > chances are you don't need the root password to get root. Bring out your
> > handy floppy disk and manually edit /etc/shadow or whatever you want.
>
> You'll probably get a million responses to this but: if the PC's BIOS
> is password protected and set to not boot off of anything but the "C:"
> drive, this attack won't work.
Well, then short the jumper. Or plug the main hard drive into a laptop,
munge /etc/shadow or /etc/passwd, and reboot.

> If the PC's case is physically locked
> so that it can't be easily opened, a cracker at the console will not
> be able to easily compromise the system.
A cracker with a luser account will still be able to log in on the console
and run their fake login screen program.

> SAK is a good thing, and I wouldn't mind seeing Linux support it
> (optionally) in some form.
A handy root-only getty, coupled with good physical security for the console,
is more than adequate in my book. And it should be trivial to make a root-
only getty, adding one test to the source code of that getty. Wonderful
stuff, that sourceluke.

Keith

-- 
 "Well, look at that.  The sun's   | Linux: http://www.linuxhq.com     |"Zooty,
  coming up." -- John Sheridan,    | KDE:   http://www.kde.org         | zoot
  "Sleeping in Light", Babylon 5   | Keith: kwrohrer@enteract.com      | zoot!"
www.midwinter.com/lurk/lurker.html | http://www.enteract.com/~kwrohrer | --Rebo
