Message-ID: <3FB6AE08.98235EF4@mindspring.com>
Date: Sat, 15 Nov 2003 14:51:52 -0800
From: Terry Lambert
To: "Eugene M. Kim"
cc: current@freebsd.org
Subject: Re: xscreensaver bug?
References: <20031112091032.GA4425@cactus> <3FB3758A.9B52625D@mindspring.com> <3FB3B4FB.1050304@astralblue.net> <3FB4A095.AF27549F@mindspring.com> <3FB5524E.30107@astralblue.net>
List-Id: Discussions about the use of FreeBSD-current

"Eugene M. Kim" wrote:
> Validating a root password is possible with other means in many cases,
> if not always. OpenSSH sshd is a good example. Even with
> PermitRootLogin set to no, the attacker can differentiate whether the
> password has been accepted or not.

That's because the software in question sucks, not because it's
a natural property of all such software.

> If attacker is able enough, he could also run a hacked version of Xnest
> on port 6000+N and the real xscreensaver on :N.0 for a suitable N.
> Attacker would feed the real xscreensaver with the captured password and
> see if the real xscreensaver releases the server grab.

Yeah, and any user on the system could put up a trojan that put
up a window that pretended to be the login screen instead of a
screen saver, since that would be much easier, and harvest passwords
that way, instead, after pretending the first login failed.

I don't really see your point... any time you have more than one
user using the same console, it's possible to create a trojan.

-- Terry