On Aug 5, 2008, at 3:38 PM, Ralph Shumaker wrote:

My point was merely to find out this: If someone was to _remotely_ crack rafael and set a keystroke logger, would the logger be able to catch keystrokes entered at one of the login prompts on consoles F1-F6? I'm sure that if I log in there as rafael, *then* the logger probably would be able to log keystrokes. But what about *before* logging in? At the login prompt? I'm guessing that if I never do anything with root privileges while logged in as rafael who's (connected to the web), then root exploits should be minimized, right? My question is that if I enter user (and root) passwords only at login prompts, sniffers installed with the privileges of a cracked regular user should never be able to gain the passwords, right? Not even the password of the cracked user, right?


Attacks we've seen at UCSD, where someone was able to get root access on a system, usually involved replacing sshd with one that recorded all the passwords it got. Another agent, hidden away under a false name (for ps) would forward these on at regular intervals.

It's entirely conceivable to do the same with mingetty (typically used to provide the login prompt on the VT consoles), or even replace a PAM module to catch passwords from any subsystem that authenticates against PAM. All this requires root access on the system. All that requires is usually a compromised user-level account and a local root-privilege-escalation vulnerability. If you keep up with your security patches, and keep your system reasonably firewalled, and don't run unnecessary services, you greatly minimize the risks.

Once someone has shell access to your system, all bets are off.

Crunchy on the outside, soft and gooey on the inside!

Gregory

--
Gregory K. Ruiz-Ade <[EMAIL PROTECTED]>
OpenPGP Key ID: EAF4844B  keyserver: pgpkeys.mit.edu



--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
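
One way to check for the sshd, mingetty and PAM-module replacement described in the reply above, as an added example that is not part of the original message: a SHA-256 baseline of those files compared against their current state. The target paths and the `baseline.json` file name are assumptions, and because an attacker with root can also tamper with on-host tools, the baseline belongs off the host and the comparison is best run from trusted boot media.

```python
import hashlib
import json
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def expand(targets):
    """Yield every regular file named by targets (files, or directories walked recursively)."""
    for target in map(Path, targets):
        if target.is_dir():
            yield from sorted(p for p in target.rglob("*") if p.is_file())
        elif target.is_file():
            yield target


def build_baseline(targets) -> dict:
    """Map each file path to its digest; store the result off the monitored host."""
    return {str(p): sha256_file(p) for p in expand(targets)}


def compare(baseline: dict, targets) -> dict:
    """Re-hash targets and report files that changed, vanished, or appeared."""
    current = build_baseline(targets)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


if __name__ == "__main__":
    # Assumed paths; they vary by distribution (PAM modules may live elsewhere).
    TARGETS = ["/usr/sbin/sshd", "/sbin/mingetty", "/lib/security"]
    baseline_file = Path("baseline.json")  # hypothetical name; keep it on read-only media
    if baseline_file.exists():
        report = compare(json.loads(baseline_file.read_text()), TARGETS)
        print(json.dumps(report, indent=2))
    else:
        baseline_file.write_text(json.dumps(build_baseline(TARGETS), indent=2))
```

Expected changes from package updates will also show up as modified, so the baseline needs to be regenerated after each patch cycle.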
