Yet Another useful paper
Dave Cohrs
dave at cs.wisc.edu
Fri Dec 30 05:29:06 AEST 1988
In article <276 at gloom.UUCP> cory at gloom.UUCP (Cory Kempf) writes:
>Let's see if I have this right... you are going to allow the
>workstation that is sitting on my desk to convince another system that
>I am me, right?
>
>This workstation that I can bring down if I want, and bring back up in
>single user mode? With me in the playing the part of root?
There are types of networking hardware that make it much easier
to detect when your workstation is rebooted (or whatever). Don't assume
that all the world's an Ethernet.
Also, if I read Phil correctly, he's talking about having you, the
user, authenticate the workstation as *yours*. That is, you have to
go though some authentication protocol, giving your password, which
would give your workstation some cookie that said "this workstation
belongs to cory", and that this cookie could be verified to be
authentic in some way without you, the user, doing anything more.
Supposedly, if you hadn't authenticated yourself using the standard,
approved of procedure, you wouldn't be able to make a valid cookie
yourself, and no other computer would believe your workstation's lie.
If being root on your workstation can spoof the authentication
mechanism, then it's pretty useless in the grand scheme of things.
Yes, rlogin is too trusting.
Placing your UID in a magical location in every packet your
workstation sends out, or some other equally naive mechanism (the kind
that you appear to be assuming), is not quite up to the level of
security that Phil seems to be talking about.
--
Dave Cohrs
+1 608 262-6617 UW-Madison Computer Sciences Department
dave at cs.wisc.edu ...!{harvard,rutgers,ucbvax}!uwvax!dave
More information about the Comp.unix.wizards
mailing list