Re: off-topic: is a login, login?
In article <[🔎] 199904122255.SAA03149@roundtable.cif.rochester.edu> you write:
>easy... log in with an incorrect password first. if the system uses shadow
>passwords then a fake login will have no way to tell whether it's right or
>not, and something obvious will happen.
What if the fake login just says "invalid password" and then logs
the user out to give you the real login?
>alternatively, log in with the right password; only a setuid fake could
>really log you in as you, so if you aren't logged in you know that you need
>to log in from some secure place and change your password immediately (not
>to mention find out what user was on that tty at that time, and have him
>arrested).
Of course, this assumes the security of the computer hasn't already
been compromised...
The system login may have been attacked. I have seen such a computer
(although it was obvious something was wrong in this case as the
hacked login kept crashing). Even though the system has already been
compromised, if you share your password on different computers...
>if by contrast you were talking about local logins to the console, there's
>one easy way: reboot the machine, then nobody has a chance to put in a
>trojan horse (except root, and again, if root wants to spy on you, there's
>just about zip you can do, except switch to another machine).
Same thing. If you see the computer rebooting though, at least it
rules out any non-root trojan horses.
Microsofts solution to this is to require the user to push Ctrl+Alt+Del
before entering your password on WinNT, but even this is not fool proof
(just boot DOS and run the fake login there).
Reply to: