Re: BSD Auth

On 19-Aug-08, at 4:13 AM, SODA Noriyuki wrote:

Think about an X11 screen-lock program which tries to access the user's
password.  As you know, X11 programs are big and may have a security
problem, so let's assume the screen-lock program has a hole.

Also, way back in 1998 David Holland wrote the following about the fallacies of poor screen lock program design:

    Why should my login password have anything to do with unlocking my
    screen? This strikes me as a bad idea in general.

    What about passwordless accounts where you get access via .shosts or
    ssh keys or weird site-specific systems? Even if you use PAM, some of
    these just plain won't work with xlock. Of course, this in itself
    doesn't mean that people who have login passwords and want to use
    them shouldn't, necessarily, but I really don't see that typing an
    8-letter word is a big strain.

    Ok, so I don't have a good argument against it, but I don't think
    "xlock should be able to look up my password" is a good argument to
    use when discussing authentication system designs.

(from <URL: >)

                                        Greg A. Woods; Planix, Inc.

