* Christian Perrier <[EMAIL PROTECTED]> [2005-04-21 19:15]:
> > 
> > I know. I have not installed vlock, lockvt, xlock, away (which, besides,
> > accept passwords from stdin...), but unfortunately I cannot decline
> > politely on login and gdm.
> > 
> > > And I would add that, if your system allows random users to replace
> > > login by such a program, then you have much other problems than
> > > phising.
> > 
> > "touch /etc/nologin" and "apt-get remove gcc" and ...  is not possible.
> > Unfortunately I'm a not a so good paid HiWi (20h/month) for a computer lab. 
> >  We
> > cannot afford a smartcard based authentication for all students.
> 
> Please explain to me how, on a non-compromised system, users can replace
> the login program with something else.

Wasn't it only you in
<[EMAIL PROTECTED]> who claimed this?  I'm
speaking of a simple, childish script-kiddie script that you start as a
normal local user *without* root access. I thought you had
misunderstood something because you might have a system in mind with
users you trust. I'm speaking of systems with users you don't trust.
Please read my first mail in the bug report and try it. I have the
impression you have read only some of the answers.

> > * Tomasz Kłoczko <[EMAIL PROTECTED]> [2005-04-21 03:48]:
> > > PS. Next time try sending this kind of report on 1 April ;-)
> > 
> > Ever read "Surely You're Joking, Mr. Feynman"? The funniest story was about
> > cracking the uncrackable safes guarding the atomic bomb's most critical
> > secrets. Not so funny if you're the admin of a computer lab for physicists.
> 
> Do all the physicists in your lab have root access to the machine? If
> so, then you have a problem.

No, but they can wrap it, imitate it and start it:

[EMAIL PROTECTED]:~$ ls -l /bin/login
-rwsr-xr-x  1 root root 35512 2004-12-23 22:40 /bin/login

I suggested a different default behaviour of getty / login / inittab to
make it harder to mount these simple but effective kinds of attacks.

Keyboard-based authentication is flawed by design, but you can nevertheless
improve it. For example, login doesn't accept input from stdin in order to
improve this.

-- Gerhard
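
The attack discussed in this thread, and one check an admin can run against it, as an added example that is not part of the original mail or of the Debian login package. The first function simulates the unprivileged "imitate login" script (reads a name and password, answers "Login incorrect", would then exec the real /bin/login); the second parses `ps -eo pid,ppid,user,tty,comm` output and flags a login/getty-like process that was not spawned by init or does not run as root, which is how a "wrapped" or "started" /bin/login shows up. The banner text, the sample ps listing and the user names are constructed for the example.

```python
"""Added example: console login spoofing and a ps-based check for it.

Not code from the bug report or from Debian; banner, ps sample and names
below are constructed for illustration.
"""
import io

# Constructed getty-style banner (the exact wording is an assumption).
BANNER = "Debian GNU/Linux 3.1 lab-pc tty3\n\n"


def fake_login(stdin, stdout, captured):
    """Simulate the unprivileged fake login prompt the thread describes.

    A local user logs in on a console, starts this and walks away.  The next
    person sees what looks like the login prompt, types name and password,
    gets "Login incorrect" and retries.  A real script would now
    exec /bin/login so the retry succeeds; here we only return a marker.
    No root is needed: the attacker owns the tty already.
    """
    stdout.write(BANNER)
    stdout.write("lab-pc login: ")
    user = stdin.readline().rstrip("\n")
    stdout.write("Password: ")                 # a script can 'stty -echo' here
    password = stdin.readline().rstrip("\n")   # just like the real login does
    captured.append((user, password))
    stdout.write("\nLogin incorrect\n")        # victim assumes a typo
    return "would exec /bin/login now"


# Constructed `ps -eo pid,ppid,user,tty,comm` output: tty1/tty4 idle gettys,
# alice logged in on tty2, bob on tty3 running a copy of a script named
# "login" (pid 2455) and also the real setuid /bin/login from his shell
# (pid 2500).
SAMPLE_PS = """\
  PID  PPID USER     TT       COMMAND
    1     0 root     ?        init
 2210     1 root     tty1     getty
 2211     1 root     tty2     login
 2350  2211 alice    tty2     bash
 2212     1 root     tty3     login
 2400  2212 bob      tty3     bash
 2455  2400 bob      tty3     login
 2213     1 root     tty4     getty
 2500  2400 root     tty3     login
"""

LOGIN_LIKE = {"login", "getty", "agetty", "mingetty"}


def parse_ps(text):
    """Turn the ps listing into a list of dicts, skipping the header."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        pid, ppid, user, tty, comm = line.split(None, 4)
        rows.append({"pid": int(pid), "ppid": int(ppid),
                     "user": user, "tty": tty, "comm": comm})
    return rows


def suspicious_logins(rows):
    """Return (pid, reason) for login/getty processes not started by init.

    With a stock inittab each console getty has ppid 1 and execs /bin/login,
    so the genuine login keeps ppid 1 too.  A login whose parent is a user's
    shell was "started" or "wrapped" by that user.  A process named like
    login that is not root is an imitation: the real binary is setuid root.
    """
    by_pid = {r["pid"]: r for r in rows}
    findings = []
    for r in rows:
        if r["comm"] not in LOGIN_LIKE:
            continue
        parent = by_pid.get(r["ppid"])
        if r["user"] != "root":
            findings.append((r["pid"], "%s on %s runs as %s, not root"
                             % (r["comm"], r["tty"], r["user"])))
        elif r["ppid"] != 1 and (parent is None
                                 or parent["comm"] not in LOGIN_LIKE):
            findings.append((r["pid"], "%s on %s started by pid %d (%s), not init"
                             % (r["comm"], r["tty"], r["ppid"],
                                parent["comm"] if parent else "?")))
    return findings


def demo():
    """Run both parts on the constructed data; returns what a test can check."""
    captured = []
    screen = io.StringIO()
    fake_login(io.StringIO("alice\nhunter2\n"), screen, captured)
    flagged = suspicious_logins(parse_ps(SAMPLE_PS))
    return captured, screen.getvalue(), flagged


if __name__ == "__main__":
    captured, screen, flagged = demo()
    print(screen)
    print("captured:", captured)
    for pid, reason in flagged:
        print("pid %d: %s" % (pid, reason))
```

The check only catches an imitation that is named like login or a genuine /bin/login launched from a user's shell; a script called anything else just looks like a user process sitting on an idle console, which is why the thread argues for changing the default getty/login/inittab behaviour rather than relying on detection after the fact.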

