On Fri, Sep 07, 2001 at 12:34:41PM +0900, Curt Sampson wrote:
> However, it seems to me that the other attack you posit (a trojan for su)
> is still open: just gain access to your machine and trojan ssh.

The difference is that to trojan su you need to have broken into a user
account, but to trojan ssh you need to be root already.  I was just
demonstrating that to all intents and purposes both login / su and remote
root login boil down to gaining root with the knowledge of just one password.

In my view most people don't realise that.


Best wishes, James
-- 
James Ponder; www.squish.net