[Pkg-shadow-devel] Bug#305600: Preventing login phishing

Martin Quinson Martin Quinson <martin.quinson@loria.fr>, 305600@bugs.debian.org
Mon, 9 May 2005 10:37:14 +0200



retitle 305600 [MARTIN] [DOC] Preventing login phishing
tag 305600 patch
thanks

OK, let's summarize a bit (Alex, you'll see over time how much I love to
summarize stuff ;)

login is only a regular program, and as the submitter noted, it can be quite
easily faked. Unfortunately, there is very little we could do in the package
itself. We could use the root access we have and the attacker doesn't have,
but the preferred solution is to use the SAK Linux kernel feature (too bad
for non-Linux users of Debian ;).

So, to my mind, this is only a documentation issue. I propose to add the
following to login(1), in the "CAVEATS" section.

>>>>

As with any program, the appearance of login could be faked. If non-trusted
users have physical access to the machine, an attacker could use this to
obtain the password of the next person sitting in front of the machine. The
best way to prevent this is to use the SAK feature of the Linux kernel. See
for example Documentation/SAK.txt in the kernel source tree for more
information.

<<<<

Gerhard, would that be OK with you? Other people, comments?
Mt.

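The message above recommends the kernel's Secure Attention Key (SAK) as the mitigation for a spoofed login prompt, but does not show how an administrator would verify that it is actually reachable. The following POSIX shell snippet is an added example, not part of the bug report or of the shadow package. It assumes the documented meaning of the /proc/sys/kernel/sysrq bitmask (1 enables every SysRq function, bit value 4 enables the keyboard controls, which include SAK), and it emits the loadkeys(1) keymap line described in Documentation/SAK.txt for binding a key combination directly to SAK; the keycode 101 used as a default is a constructed placeholder, not a value from the page.

```shell
#!/bin/sh
# Added example (not from the bug report or the shadow package): check whether
# the Linux Secure Attention Key can be reached via Alt+SysRq+K on this host,
# and print the keymap line that binds Ctrl+Alt+<key> to SAK.

# sak_enabled VALUE
#   VALUE is the integer read from /proc/sys/kernel/sysrq (assumed numeric).
#   Returns 0 when SAK is reachable: either every function is enabled (1)
#   or the keyboard-control bit (4: SAK, unraw) is set in the bitmask.
sak_enabled() {
    v="$1"
    [ "$v" -eq 1 ] && return 0
    [ $(( $v & 4 )) -ne 0 ]
}

# sak_status [FILE]
#   Reads FILE (default: the live sysctl) and prints one of
#   enabled / disabled / unknown. "unknown" covers an unreadable file
#   (e.g. a non-Linux kernel) or non-numeric content.
sak_status() {
    f="${1:-/proc/sys/kernel/sysrq}"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(cat "$f")
    case "$v" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if sak_enabled "$v"; then echo enabled; else echo disabled; fi
}

# sak_keymap_line [KEYCODE]
#   Prints the loadkeys(1) line that makes Ctrl+Alt+<KEYCODE> send SAK,
#   in the form Documentation/SAK.txt describes. Find the keycode of the
#   key you want with showkey(1); 101 below is only a placeholder default.
sak_keymap_line() {
    printf 'control alt keycode %s = SAK\n' "${1:-101}"
}

# Stand-alone usage: report the live status and the line to feed to loadkeys.
# Enabling SysRq (sysctl -w kernel.sysrq=1) and loading the keymap are left
# to the administrator; nothing here changes system state.
echo "SAK via Alt+SysRq+K: $(sak_status)"
sak_keymap_line
```

Once SAK is confirmed enabled, the advice for users is simply to press the SAK combination before typing a password at any console prompt: the kernel kills every process attached to that virtual terminal, including any fake login, and getty respawns a genuine one.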