Terminal locks (was Autologout of unused terminals)
Dennis L. Mumaugh
dlm at cuuxb.ATT.COM
Wed Dec 14 10:16:43 AEST 1988
In a previous article I described a terminal lock program
for an AT&T 630MTG:
> The neatest special program is the 630MTG program dmdlock. If
> the terminal has no user activity - mouse or keyboard - in a
> given time period, the terminal locks itself and 15 minutes later
> the screen blanks. One has to then unlock the terminal. Hence
> walking away from the 630MTG results in auto-locking the
> terminal.
>
My security friends remind me that even the above terminal lock
program won't be safe. In "UNIX Operating System Security,"
Grampp, F.T. and Morris, R. H., ATT Tech. Journal, vol 63, no
8, part 2, pp 1649-1672, October 1984, the concept of a password
grabber was discussed. Read it.

Algorithm for penetration of a system via attack on a locked
terminal. A priori know the behaviour of the lock. Break the
lock. [We assume this is done by power cycling the terminal or
dropping the line/modem]. Use the terminal to login on your
favorite system, possibly the same as the victim. Run your
version of the password grabber/lock masquerade program.

When our victim returns and tries to unlock the terminal, they
can't. After a few tries, the program simulates a logout.

Our lock program leaves a log of attempts in the user's login
directory. Hence if I can't unlock my terminal, I always
[always?!] check the lock log to see that it did log the attempt.
If I don't see my failure, well ....

Moral: terminal locking programs are NEVER [what never? no!
never!] secure.
--
=Dennis L. Mumaugh
Lisle, IL ...!{att,lll-crg}!cuuxb!dlm OR cuuxb!dlm at arpa.att.com
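
The lock-log check described in the post, as an added example that is not part of the original message and is not dmdlock's own code: it compares the times you typed a failed unlock against the lock log and returns the attempts the real lock never recorded. The post does not give the log's location or format, so the one-line-per-attempt format, the tty name and the sample entries below are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed (hypothetical) log format, one line per unlock attempt:
#   "YYYY-MM-DD HH:MM:SS <tty> FAILED|OK"
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log, including one malformed line.
SAMPLE_LOG = """\
1988-12-13 09:02:11 tty07 FAILED
1988-12-13 09:02:19 tty07 OK
1988-12-14 10:14:07 tty07 FAILED
garbage line
"""

# Constructed times at which the user typed a password that was rejected.
ATTEMPTS = [datetime(1988, 12, 14, 10, 14, 5),
            datetime(1988, 12, 14, 10, 14, 25)]

def parse_lock_log(text):
    """Return (timestamp, tty, result) for every well-formed log line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], FMT)
        except ValueError:
            continue  # timestamp does not parse
        entries.append((ts, parts[2], parts[3]))
    return entries

def unlogged_attempts(log_text, my_attempts, tty, skew_seconds=60):
    """Return the attempts that have no FAILED entry for this tty in the log.

    Each log entry accounts for at most one attempt; skew_seconds allows
    for the difference between a wristwatch and the system clock.
    """
    skew = timedelta(seconds=skew_seconds)
    failures = [ts for ts, t, result in parse_lock_log(log_text)
                if t == tty and result == "FAILED"]
    missing = []
    for attempt in my_attempts:
        match = next((f for f in failures if abs(f - attempt) <= skew), None)
        if match is None:
            missing.append(attempt)   # the real lock never saw this one
        else:
            failures.remove(match)
    return missing
```

A non-empty result means at least one password was typed into something other than the real lock, so that password should be treated as disclosed.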