What should the password/security/userinfo/login system include?

Richard Meesters ram at attcan.UUCP
Tue Dec 19 01:43:57 AEST 1989


In article <1989Dec17.032435.5042 at chinet.chi.il.us>, les at chinet.chi.il.us (Leslie Mikesell) writes:
> In article <1989Dec15.182256.5912 at sq.sq.com> lee at sq.com (Liam R. E. Quin) writes:
> >This of course poses a considerable security risk.
> >Consider the case that you typed "rot" instead of "root" and gave the
> >correct root password.  It gets logged, and anyone who can look at the log
> >can see the root password.
> 
> A).  I'm only interested in the dialup lines.  If someone has trouble
>      locally, I'll walk over and help them.  This means that there won't
>      be anyone logging in as root.
>


OK, but I wouldn't be as concerned with a hack having just the root password
unless he has access to the console (or a remote console), but now if he is
able to get a user's login, AND knows the root password, you are in real 
trouble.  He can now get access from anywhere...

 
> B).  I would only log completely failing attempts (i.e. the line drops
>      before they get in), not every typo.  This doesn't happen often
>      unless there is a real problem.
>      Anyone who knows what they are doing would change their password
>      after this happens on the chance that they were typing into a
>      trojan login program anyway.
> 


So this limits the scope of the logfile, but everyone makes mistakes at one
time or another, and you still will have the possibility of single character
failures on passwords, or someone using the wrong username/password combo.


> C).  The logfile would (of course) only be readable by root.  I'd be
>      happy to encrypt it, but how do I pass the encryption key to the
>      login program?
>  
> >Your system is now *less* secure, because you have to protect the log file.
> >Recent trends such as keeping the encrypted passwords in /etc/shadow where
> >only root can see them are an improvement completely defeated if all I have
> >to do is read the raw disk to find the root password.
> 
> Can you read the raw disk if you don't already have the root password?
> If you can do stuff like that, why not just watch the clist buffers and
> catch them on the fly?


I agree with Liam, you still have to protect the file.  Perhaps you can't read
raw disk without being root, but if you get to see the file somehow, now you
can log in as any user and presto, you are in the system basically undetected.
If I'm a hacker, and I want to log in as root on some system remotely, I have
to have a user's account to get in (not on system console).  If I can get a 
user account, it makes things a lot easier for me.  If the sysadmin doesn't
know I'm not the real user, all the better.  This type of log file has the 
potential to be a MAJOR security hole.



Regards,
Richard Meesters
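
An added example, not part of the original post or of any login program discussed in the thread: one way to record failed logins without putting a password in the log file. It goes slightly beyond the thread by also dropping login names that match no account, since such a name may be a password typed at the wrong prompt. The account list, the UNKNOWN token, the tty name and the log path are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Constructed account list standing in for a getpwnam() lookup. */
static const char *known_users[] = { "root", "les", "ram", NULL };

static int is_known_user(const char *name)
{
    for (int i = 0; known_users[i] != NULL; i++)
        if (strcmp(known_users[i], name) == 0)
            return 1;
    return 0;
}

/* Build one failed-login record. The typed password is not a parameter,
 * so it cannot reach the log. A login name that matches no account is
 * replaced by a fixed token, since it may be a password typed at the
 * wrong prompt. Returns the record length, or -1 if it did not fit. */
int format_failure(char *buf, size_t len, const char *tty,
                   const char *typed_name, long when)
{
    const char *name = is_known_user(typed_name) ? typed_name : "UNKNOWN";
    int n = snprintf(buf, len, "%ld FAILED LOGIN on %s for %s\n", when, tty, name);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Append a record, creating the log with mode 0600 and refusing to write
 * if the file is accessible to group or other. Returns 0 on success. */
int log_failure(const char *path, const char *tty, const char *typed_name)
{
    char rec[256];
    struct stat st;
    int n = format_failure(rec, sizeof rec, tty, typed_name, (long)time(NULL));
    if (n < 0)
        return -1;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    int ok = fstat(fd, &st) == 0 && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0
             && write(fd, rec, (size_t)n) == (ssize_t)n;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed call: the mistyped name "rot" on a hypothetical dialup tty. */
int main(void) { return log_failure("failed_logins.log", "ttyd0", "rot") ? 1 : 0; }
```

With this record format, reading the log yields at most the names of existing accounts and the times of failures, so the file no longer needs the protection a password store would.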




More information about the Comp.unix.wizards mailing list