Subject: Re: [netatalk-admins] Information on other authentications
From: David Winkel (dwinkel@umich.edu)
Date: Thu Apr 22 1999 - 10:12:29 EDT
Interesting that root can't grap passwords... It seems like it wouldn't
be that difficult to find a hacked copy of in.telnetd and/or in.ftpd that
just stores passwords in a file as well as authenticating people. Then,
as root, just replace the stock ones with hacked ones, and collect
passwords like that. If you're root, you can do anything, including
collect passwords. (For that matter, on solaris 2.x, truss -fp of inetd
will give you passwords, if you're smart enough to interpret the output.)
If root is compromised, it's a fair bet that most of the accounts on the
machine can be compromised, given a competent enough hacker, and enough
time.
On Wed, 21 Apr 1999, Michael Han wrote:
> Previously...
> >On Tue, 20 Apr 1999, Michael Han wrote:
> >
> >} And root can't casually be grabbing user passwords either.
> >
> >So? root can just "su mikehan" and *blam* he's mikehan. Doesn't need a
> >password.
>
> Right, but in a lot of (admittedly ill-advised) cases, if root knows
> mikehan@best.com's password, *blam* he's also mikehan@worst.com,
> mikehan@so-so.com. Not to mention, *blam* he's authentic ATM
> card-holder mikehan. It's not a good idea to set oneself up for this
> password cascade, but most do.
>
> Meanwhile, I'm off to register some domain names ;-)
> --
> mikehan@best.com
> No one is interested in my underpants
> - The collected wisdom of Bart Simpson
>
~~~~
Dave.Winkel@umich.edu UofM/ITD Web Services
University of Michigan Webmaster
I'm not comfortable dropping the Services out of Web Services Production.
This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:16:38 EST