[Pkg-shadow-devel] Bug#305600: login is vulnerable to local phishing attacks

Gerhard Schrenk <gps@mittelerde.physik.uni-konstanz.de>, 305600@bugs.debian.org
Thu, 21 Apr 2005 16:35:08 +0200


Tags: wishlist

* Matt Zimmerman <mdz@debian.org> [2005-04-21 03:58]:
> Correct, this can't be fixed in login, but only in the kernel.  Also, the
> kernel already provides this (via magic sysrq), so it seems that your issue
> has been addressed.

I filed this bug against login because I thought it was within their
responsibility to coordinate this issue and to benefit from such features. I
might be wrong though. Please give me a hint whom I should bother with this
login/gdm issue. This is a *real* common user demand.

* Christian Perrier <bubulle@debian.org> [2005-04-21 08:14]:
> Quoting Gerhard Schrenk (gps@mittelerde.physik.uni-konstanz.de):
> > Package: login
> > Version: 1:4.0.3-30.7
> > Severity: important
> > Tags: security
> >
> > Every local user can simply start a little program that imitates login and
>
>
> Well, as Tomasz (shadow upstream author) mentioned, this can be told
> about any program which inputs users with a password.

I know. I have not installed vlock, lockvt, xlock, away (which, besides, accept
passwords from stdin...), but unfortunately I cannot politely decline login
and gdm.

> And I would add that, if your system allows random users to replace
> login by such a program, then you have much other problems than
> phishing.

"touch /etc/nologin" and "apt-get remove gcc" and ... are not possible.
Unfortunately I'm a not so well paid HiWi (20h/month) for a computer lab. We
cannot afford smartcard-based authentication for all students.

> So, really sorry, but I absolutely don't see what the shadow package
> maintainers can do with this bug report, except closing it.

Contribute a better default behaviour of the keyboard-based login procedure
that makes simple phishing attacks harder. We all know this is more a social /
educational problem than a technical one. But there are solutions and I *wish*
you would make that the (Debian) default.

> My understanding of Matt's answer, in name of the Debian security
> team, is that the only way to try avoiding this is a special call in
> the system for "secured input" or whatever you want to name it, which
> could then be used by programs needing it.

Yes. That was also my proposal.

> But, well, in such cases,
> what would prevent the people who can replace login because they
> compromised a system to write their own such program using these
> calls.

Not only server admins use Debian...

> This is a non issue, sorry.

Reminds me of the marketing speech of a Bosch guy who sells master key systems
with the latest super duper security algorithms. The only non-issue error is
that you can toggle the electric relay with a simple static magnet... If you
have paid o(10000 Euro) you can hardly laugh.

* Tomasz Kłoczko <kloczek@zie.pg.gda.pl> [2005-04-21 03:48]:
> PS. Next time try to send this kind of report on 1 April ;-)

Ever read "Surely You're Joking, Mr. Feynman!"? The funniest story was about
cracking the uncrackable safes guarding the atomic bomb's most critical
secrets. Not so funny if you're admin of a computer lab for physicists.

--Gerhard
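As an added example, not part of this bug thread and not code from the shadow package or its maintainers, here is a POSIX shell check a lab admin can run to see whether the kernel's Secure Attention Key, the magic SysRq function Matt refers to above, is actually reachable on a host. It relies on the documented meaning of the kernel.sysrq bitmask (1 enables all SysRq functions, bit value 4 enables keyboard control, i.e. SAK and unraw); the function names and the sample mask values are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug thread): report whether the kernel's
# Secure Attention Key (SAK) is enabled via the magic SysRq bitmask.
#
# Documented kernel.sysrq values (kernel sysrq documentation):
#   0 = disable SysRq completely
#   1 = enable all SysRq functions
#   >1 = bitmask; bit value 4 = "enable control of keyboard (SAK, unraw)"

# sak_enabled MASK
#   prints "yes" if SAK is reachable with that kernel.sysrq value,
#   "no" if it is not, "invalid" for a non-numeric argument.
#   Exit status: 0 = yes, 1 = no, 2 = invalid.
sak_enabled() {
    mask="$1"
    case "$mask" in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
    esac
    # Value 1 means everything is enabled; otherwise test bit value 4.
    if [ "$mask" -eq 1 ] || [ $(( $mask & 4 )) -ne 0 ]; then
        echo "yes"; return 0
    fi
    echo "no"; return 1
}

# current_mask
#   prints the running kernel's kernel.sysrq value, or nothing when
#   /proc/sys/kernel/sysrq is not readable (non-Linux host, sandbox, ...).
current_mask() {
    if [ -r /proc/sys/kernel/sysrq ]; then
        cat /proc/sys/kernel/sysrq
    fi
}

# Constructed sample masks covering settings commonly seen on distributions:
#   0 (off), 1 (all), 4 (SAK only), 176 (128+32+16: no SAK), 438 (includes 4).
for m in 0 1 4 176 438; do
    printf 'kernel.sysrq=%s -> SAK %s\n' "$m" "$(sak_enabled "$m")"
done

# Report the live value if this is a Linux host.
live=$(current_mask)
if [ -n "$live" ]; then
    printf 'running kernel: kernel.sysrq=%s -> SAK %s\n' "$live" "$(sak_enabled "$live")"
fi
```

If the check reports "no", setting `kernel.sysrq = 4` in /etc/sysctl.conf enables SAK without the rest of the SysRq functions. SAK (Alt+SysRq+K) kills every process on the current virtual console, a fake login program included, after which init respawns the real getty; pressing it before typing a password is the user habit this check is meant to support. The script only reads the mask; whether a given keyboard actually delivers the SysRq keystroke cannot be verified from a script.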