Linux login method secure?

Richard Lightman richard at nezumi.plus.com
Sun Sep 1 23:28:58 PDT 2002


* T.B. van der Molen <tbm at home.nl> [2002-09-02 06:54]:
> I was wondering the following.
> 
> On Windows NT/2000/whatever you usually first have to press Ctrl+Alt+Del 
> before you can log on. This way you are sure you are giving your login 
> information to Windows because only Windows can recognize the 
> Ctrl+Alt+Del key combination.
> 
> This does not exist in the Linux login method. So, someone could easily 
> write a program or script that visually imitates the behaviour of the 
> login program on a system, capture the user's login information and 
> could then exit and log out so the user sees the real login program.
> 
> Isn't this a relevant security threat? Can it be prevented?
> 
This is a security flaw.
It can be prevented.

Read /usr/src/linux/Documentation/sysrq.txt

When compiling the kernel, add:

Kernel hacking  --->
    [*] Kernel debugging
    [*]   Magic SysRq key (NEW)

Pessing <alt><sysrq>k (the Secure Access Key) will kill any processes
on the current terminal. Init should then start *getty, so you can
be confident that you are not giving your password to a script.

The bad news is, this enables some debugging features like
<alt><sysrq>b - reboot the system without unmounting anything. This
is not such a disaster for most systems. A malicous person could always
pull the power cord. According to the documentation, you can use the
magic sysrq key on keyboard attached to a standard PC serial port.
If you lock crackers out of the room with the PC, but give them acces
to the serial port, then you should think carefully before enabling
this option.

Richard

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-chat' in the subject header of the message



More information about the lfs-chat mailing list