
Re: mingetty allows control c



On Sat, Jan 15, 2000 at 05:04:32PM -0500, Decklin Foster wrote:
> Ethan Benson writes:
> 
> > should mingetty allow control C to work?
> >   the delay may be cancelled this way which some would consider a 
> > security problem..
> 
> IMHO it's fine. You can't exactly brute force a password if you have
> to actually do the typing on a keyboard, and mingetty only works on
> the console. For example, with xdm there's no delay at all. It's
> telnet sessions and modem gettys that we have to worry about, because
> that's where you can set up expect or somesuch to type the passwords
> in for you.
> 
> If I'm totally off base, someone please correct me, because I always
> go and cut the delay time in /etc/login.defs from 3 seconds to 1.

Su in slink can also be killed with ^C. The truth is, there is not much to
gain either way. If a brute force attacker is willing to start a script
that does a usleep() and sends SIGINT if they don't have a login, then
they are wasting their time. Mostly because they would have to do this so
fast that eventually they will load up the system so it can't react as
fast as they are trying passwords anyway. Forcing them to time their
efforts is pretty much as effective as a delay, or disallowing ^C. Either
way it just means more "brute" is involved. The best solution is
to enforce minimum password lengths and frequent password changing via
cracklib.

> > you can also disable for 5 minutes by holding down control C which 
> > causes mingetty to respawn too fast for init's taste.
> 
> That happens with anything, regular getty included.

I don't think DoS'ing the getty like this is something to worry about. It
doesn't cause many problems, and to be honest, you have little security
with physical access anyway. Disabling getty is the least of your
problems.

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`     bcollins@debian.org  --  bcollins@openldap.org  --  bmc@visi.net     '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
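The thread mentions "disallowing ^C" as one alternative to trusting the
login delay. The C program below is an added illustration of how a getty
or su could do that; it is not code from mingetty, slink's su, or any
Debian package. It blocks SIGINT for the whole delay window (so the tty
driver's ^C neither kills the process nor shortens the wait), resumes a
nanosleep that some other signal cut short, and releases the pending
SIGINT only after the full delay has elapsed. The simulated ^C is
delivered by a SIGALRM handler calling raise(SIGINT); that timer, the
function names and the 300 ms / 50 ms figures are choices made for this
example, not values from the thread.

```c
/* Added example: a login delay that ^C cannot cancel. Not mingetty or su code. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <time.h>

static volatile sig_atomic_t sigint_count = 0;

static void on_sigint(int sig) { (void)sig; sigint_count++; }

/* Stands in for a user hitting ^C part-way through the delay: SIGALRM fires
 * while we sleep and sends SIGINT to ourselves (raise() is async-signal-safe). */
static void on_alarm(int sig) { (void)sig; raise(SIGINT); }

struct delay_result {
    long slept_ms;      /* wall-clock time actually spent in the delay */
    int  sigint_during; /* SIGINT handler runs seen before the mask was restored */
    int  sigint_after;  /* SIGINT handler runs seen once the mask was restored */
};

static long elapsed_ms(const struct timespec *a, const struct timespec *b) {
    return (b->tv_sec - a->tv_sec) * 1000L + (b->tv_nsec - a->tv_nsec) / 1000000L;
}

/* Sleep for at least `ms` milliseconds with SIGINT blocked. A SIGINT that
 * arrives in the window stays pending and is delivered only afterwards; a
 * nanosleep interrupted by any other signal is resumed with the time left. */
struct delay_result uninterruptible_delay_ms(long ms) {
    struct delay_result r = {0, 0, 0};
    sigset_t block, saved;
    struct timespec start, end, req;

    sigemptyset(&block);
    sigaddset(&block, SIGINT);
    sigprocmask(SIG_BLOCK, &block, &saved);

    clock_gettime(CLOCK_MONOTONIC, &start);
    req.tv_sec = ms / 1000;
    req.tv_nsec = (ms % 1000) * 1000000L;
    /* on EINTR nanosleep stores the unslept remainder back into req */
    while (nanosleep(&req, &req) == -1 && errno == EINTR)
        ;
    clock_gettime(CLOCK_MONOTONIC, &end);

    r.slept_ms = elapsed_ms(&start, &end);
    r.sigint_during = (int)sigint_count;
    sigprocmask(SIG_SETMASK, &saved, NULL); /* pending SIGINT is delivered here */
    r.sigint_after = (int)sigint_count;
    return r;
}

/* Run the delay with a simulated ^C arriving after `hit_ms` milliseconds. */
struct delay_result demo(long delay_ms, long hit_ms) {
    struct sigaction sa;
    struct itimerval it;

    sigint_count = 0;
    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);
    sa.sa_handler = on_sigint;
    sigaction(SIGINT, &sa, NULL);
    sa.sa_handler = on_alarm;
    sigaction(SIGALRM, &sa, NULL);

    memset(&it, 0, sizeof it);
    it.it_value.tv_sec = hit_ms / 1000;
    it.it_value.tv_usec = (hit_ms % 1000) * 1000;
    setitimer(ITIMER_REAL, &it, NULL);

    return uninterruptible_delay_ms(delay_ms);
}

/* 1 if the full delay was served and the ^C only took effect afterwards. */
int demo_passes(long delay_ms, long hit_ms) {
    struct delay_result r = demo(delay_ms, hit_ms);
    return r.slept_ms >= delay_ms && r.sigint_during == 0 && r.sigint_after == 1;
}

int main(void) {
    struct delay_result r = demo(300, 50);
    printf("slept %ld ms, SIGINT during delay=%d, after delay=%d\n",
           r.slept_ms, r.sigint_during, r.sigint_after);
    return demo_passes(300, 50) ? 0 : 1;
}
```

The same blocking also covers the respawn complaint in the thread: if
SIGINT never kills the getty, holding down ^C cannot make init see it
respawning too fast. A real getty would block SIGQUIT (^\) and SIGTSTP in
the same mask; SIGKILL cannot be blocked, but the tty driver never sends it.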

