-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Meant to pull tech-sec in on CC:...

On Tue, 5 Apr 2005, Geert Hendrickx wrote:

>Hi,
>
>I was wondering whether it is possible for a user to protect himself
>against login trojans.  Another user could easily write a shell script
>that displays a login: prompt, followed by a Password: prompt, and then
>leave the console.  The next user would then enter his login-name and
>password into that trojan.
>
>In XDM you could simply hit Ctrl-Alt-Backspace to reset the X-server.
>In win2k you can hit Ctrl-Alt-Delete, also to reset the login-prompt.
>
>Is there any way to reset a UNIX getty (or could that be implemented?),
>so that a user can be sure he's talking to getty and not to some trojan?

Traditionally, many Unixes have supported a `secure login path'
extension, which would, upon receiving a `break' character on a terminal
line, kill the processes using that terminal -- in the case where getty
was running, this would simply result in getty being respawned, and in
the case where a trojan was running, this would kill it, also resulting
in getty being respawned.

I don't know that NetBSD supports this, but if not, it would be worth
implementing...

- --
				Jim Wise
				jwise@draga.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (NetBSD)

iD8DBQFCVACapRpI6SYACmIRAvdKAKC7N4XJSKICquphCtjWkMthLoaTwACgnedw
/aqnqLLO4gAeaQnOyizEe4U=
=GRu7
-----END PGP SIGNATURE-----