
Hi! My problem: Any user can write a simple program that emulates the behavior of the console login. Executed in a console it waits for an unsuspecting user and logs the username/password to a file. It then shows login incorrect and exists (starting the real login-program). Most users will assume they had a typo in the password and will not know that their password was stolen. This is a problem e.g. at university labs with linux-PCs and many "creative" users. Is there a way to prevent a user from "emulating" a login screen (especially for the console)? I think in WinNT this problem is solved by pressing Ctrl-Alt-Del before logging in and it is guarateed that that key-combination will be answered by the OS login screen. Is there anything similar for linux? Michael -- eMail: m1chael@gmx.net PGP key available on request

Hi!
My problem: Any user can write a simple program that emulates the behavior of the console login. Executed in a console it waits for an unsuspecting user and logs the username/password to a file. It then shows login incorrect and exists (starting the real login-program). Most users will assume they had a typo in the password and will not know that their password was stolen. This is a problem e.g. at university labs with linux-PCs and many "creative" users.
Is there a way to prevent a user from "emulating" a login screen (especially for the console)?
This is a difficult problem. You can't really tell if somebody emulates a login screen. You need to kill all processes accessing the console at the time before a password is entered by a user. Basically, only three ideas come into my mind whereas the last is the most suitable: On X (xdm, kdm, gdm), the admin could remove the suid bit from the Xwrapper program (that runs the X-server, finally). Before the user logs on, he could kill the running X-server using the ctrl-alt-backspace method. Then a new X-server comes up, which can only be started as root from (x|k|g)dm. The second solution is using the sysrq (system request) magic from the kernel (v2.2+). sysrq-k kills all programs running on the current virtual console. Very handy at times if you play around with realtime stuff... :-) Downside: It is possible for a user to boot the machine and do other nasty stuff. The last that comes into my mind is a small script or program that runs started by init and that kills all non-root (and possibly others) programs on the machine. It could be bound to ctrl-alt-del like the following (/etc/inittab): ca::ctrlaltdel:/bin/fuser -k /dev/tty[1-6] Unfortunately, this will be executed only once since init remembers that it did already. So this requires either a small init hack another line in /etc/inittab as well as a little shell script, looking like this: ca::ctrlaltdel:/root/bin/camperkiller /root/bin/camperkiller is: #!/bin/sh # don't kill processes on tty7: X! /bin/fuser -k /dev/tty[1-6] # want X to be killed, too? Do it gracefully, no KILL signal! /bin/fuser -k -TERM /dev/tty7 /bin/sleep 2 /sbin/init U This works quite nicely. Since the X-server starts up, it changes VT. So upon X-setup (/usr/X11R6/lib/X11/xdm/Xsetup), you could use `chvt 2´ and display a message there that the users should hit ctrl-alt-del (do this in /etc/issue!).
I think in WinNT this problem is solved by pressing Ctrl-Alt-Del before logging in and it is guarateed that that key-combination will be answered by the OS login screen.
Personally, I dislike the ctrl-alt-del thing. It seems to me that it should teach people that rebooting just like in old DOS times isn't really necessary any more and that there has been some progress since color TV was invented.
Is there anything similar for linux?
Should be possible... :-)
Michael
Thanks, Roman. -- - - | Roman Drahtmüller <draht@suse.de> // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

[snip]
Is there a way to prevent a user from "emulating" a login screen (especially for the console)?
This is a difficult problem. You can't really tell if somebody emulates a login screen. You need to kill all processes accessing the console at the time before a password is entered by a user. Basically, only three ideas come into my mind whereas the last is the most suitable:
On X (xdm, kdm, gdm), the admin could remove the suid bit from the Xwrapper program (that runs the X-server, finally). Before the user logs on, he could kill the running X-server using the ctrl-alt-backspace method. Then a new X-server comes up, which can only be started as root
from (x|k|g)dm.
The second solution is using the sysrq (system request) magic from the kernel (v2.2+). sysrq-k kills all programs running on the current virtual console. Very handy at times if you play around with realtime stuff... :-) Downside: It is possible for a user to boot the machine and do other nasty stuff.
The last that comes into my mind is a small script or program that runs started by init and that kills all non-root (and possibly others) programs on the machine. It could be bound to ctrl-alt-del like the following (/etc/inittab):
ca::ctrlaltdel:/bin/fuser -k /dev/tty[1-6]
Unfortunately, this will be executed only once since init remembers that it did already. So this requires either a small init hack another line in /etc/inittab as well as a little shell script, looking like this:
ca::ctrlaltdel:/root/bin/camperkiller
/root/bin/camperkiller is:
#!/bin/sh # don't kill processes on tty7: X! /bin/fuser -k /dev/tty[1-6] # want X to be killed, too? Do it gracefully, no KILL signal! /bin/fuser -k -TERM /dev/tty7 /bin/sleep 2 /sbin/init U
Thanks a lot! It works great. Except that you can remap Alt and then Ctrl-Alt-Del no longer works on the console. Maybe it still does for X (have not tried that).
This works quite nicely. Since the X-server starts up, it changes VT. So upon X-setup (/usr/X11R6/lib/X11/xdm/Xsetup), you could use `chvt 2´ and display a message there that the users should hit ctrl-alt-del (do this in /etc/issue!).
Michael Roman.
Thanks, Michael

On Tue, 31 Oct 2000, someone (possibly Michael Grundel) said: //snip
Is there a way to prevent a user from "emulating" a login screen (especially for the console)?
If you enable the magic sysrq key, you can press Alt+SysRq+k to kill all processes running on the current console. Init will then start another instance of getty, and you can log in relatively safely. The sysrq key does other stuff too, which could be a problem (like the ability for anybody to crash the box in passing) -- you may want to hack the kernel sources. &:-)

On Tue, 31 Oct 2000, someone (possibly Michael Grundel) said:
//snip
Is there a way to prevent a user from "emulating" a login screen (especially for the console)?
If you enable the magic sysrq key, you can press Alt+SysRq+k to kill all processes running on the current console. Init will then start another instance of getty, and you can log in relatively safely. The sysrq key does other stuff too, which could be a problem (like the ability for anybody to crash the box in passing) -- you may want to hack the kernel sources.
Keyboards can be remapped.
&:-)
-Kurt

On Tue, 31 Oct 2000, someone (possibly Michael Grundel) said:
//snip
Is there a way to prevent a user from "emulating" a login screen (especially for the console)?
If you enable the magic sysrq key, you can press Alt+SysRq+k to kill all processes running on the current console. Init will then start another instance of getty, and you can log in relatively safely. The sysrq key does other stuff too, which could be a problem (like the ability for anybody to crash the box in passing) -- you may want to hack the kernel sources.
Thanks, it works. I have also found the src-file and I may remove the other sysrq functions later.
Keyboards can be remapped.
Sigh, loadkeys... Ok, I have tried to remap "Alt" and the result is quite interesting: Ctrl-Alt-Del is no longer working, but Alt-Sysrq-k is still working! I have not tried alot, so there may still be a way to stop it. E.g. I did not try to remap Sysrq. Is it possible to restrict remapping (how?)? Is it possible to restore the original keyboard-map on logout?
&:-)
-Kurt
Thanks, Michael

Keyboards can be remapped.
Unfortunately, this is true. I've just tried it out. You need to patch the kernel to make it safe. See line 170 and 289 in drivers/char/vt.c within the kernel source. Roman. -- - - | Roman Drahtmüller <draht@suse.de> // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -
participants (4)
-
Andrew McGill
-
Kurt Seifried
-
Michael Grundel
-
Roman Drahtmueller