Re: Prompting for passwords on the desktop?

On Fri, 2008-09-19 at 13:09 +0200, Patryk Zawadzki wrote:
> On Fri, Sep 19, 2008 at 12:42 PM, Gustavo J. A. M. Carneiro
> <gjc inescporto pt> wrote:
> > Someone who has gained a user privilege could possibly show a fake
> > password input dialog that looks exactly like a "real" password prompt,
> > thereby learning the root password.
> >
> > Same thing with VT swiching.  It shouldn't be hard to make the it look
> > like we are switching VT from a simple X11 program running as the user.
> >
> > If the local user account has been compromised it seems to me that all
> > hope is lost.  So I don't really see the point of all this Trusted Path
> > complexity.
> >
> > But I'm no security expert; I might be missing something.
> I believe the goal is to use some uncatchable keyboard sequence a'la
> Windows' secure auth (Ctrl+Alt+Del).

This is kind of silly; I have to type a complex keyboard combination in
order to input a password?  That is annoying.  Additionally, switching
VTs in Linux is usually slow; more annoyance.  Expect some resistance on
this "feature".

Besides, my user account being compromised is 99% as bad as the root
account being compromised, IMHO.

Gustavo J. A. M. Carneiro
<gjc inescporto pt> <gustavo users sourceforge net>
"The universe is always one step beyond logic" -- Frank Herbert

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]