"Eugene M. Kim" wrote:

> Validating a root password is possible with other means in many cases,
> if not always. OpenSSH sshd is a good example. Even with
> PermitRootLogin set to no, the attacker can differentiate whether the
> password has been accepted or not.

That's because the software in question sucks, not because it's a natural property of all such software.

> If attacker is able enough, he could also run a hacked version of Xnest
> on port 6000+N and the real xscreensaver on :N.0 for a suitable N.
> Attacker would feed the real xscreensaver with the captured password and
> see if the real xscreensaver releases the server grab.

Yeah, and any user on the system could put up a trojan that put up a window that pretended to be the login screen instead of a screen saver, since that would be much easier, and harvest passwords that way instead, after pretending the first login failed. I don't really see your point... any time you have more than one user using the same console, it's possible to create a trojan.

-- Terry

Received on Sat Nov 15 2003 - 13:53:48 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:29 UTC