On Tue, May 10, 2005 at 01:02:31AM +0200, Artur R. Czechowski wrote:
> Hello,
> Well, I know I am a devil's advocate. What if user tries to login
> on any old terminal like wyse or other VT over serial? Turning off and on
> the terminal should kill all processes and respawn new getty but is it
> always supposed to work?

I would be pleased if you could test it and report. I don't even know what
those terminal types are...

> Regarding this bug. I think this is a rather general problem with security
> policy. It should be mentioned in login manual in a short way (vulnerable to
> phishing attack, see details at XXX) and elaborate the problem in other
> place. Maybe somewhere in /usr/share/doc/shadow, maybe in any documentation
> about security, Securing Debian Manual for example. I think it would be
> a better way to do because of other programs, mentioned in this buglog, also
> vulnerable to this kind of attack.

What do you think about the addition I proposed for login(1)?

You're right, when all this gets sorted out, I'll bug the debian securing
manual dudes, so that they add a word about this, if not already done.

Bye,
Mt.