Bug#305600: [Pkg-shadow-devel] Bug#305600: What's about remote serial terminals?

Martin Quinson <martin.quinson@loria.fr>, 305600@bugs.debian.org
Tue, 10 May 2005 05:56:39 +0200


On Tue, May 10, 2005 at 01:02:31AM +0200, Artur R. Czechowski wrote:
> Hello,
> Well, I know I am a devil's advocate. What if user tries to login
> on any old terminal like wyse or other VT over serial? Turning off and on
> the terminal should kill all processes and respawn new getty but is it
> always supposed to work?

I would be pleased if you could test it and report. I don't even know what
those terminal types are...

> Regarding to this bug. I think this is rather general problem with security
> policy. It should be mentioned in login manual in a short way (vulnerable to
> phishing attack, see details at XXX) and elaborate the problem in other
> place. Maybe somewhere in /usr/share/doc/shadow, maybe in any documentation
> about security, Securing Debian Manual for example. I think it would be
> a better way to do because of other programs, mentioned in this buglog, also
> vulnerable to this kind of attack.

What do you think about the addition I proposed for login(1)?

You're right, when all this gets sorted out, I'll bug the debian securing
manual dudes, so that they add a word about this, if not already done.

Bye, Mt.
