"Eugene M. Kim" wrote: > Validating a root password is possible with other means in many cases, > if not always. OpenSSH sshd is a good example. Even with > PermitRootLogin set to no, the attacker can differentiate whether the > password has been accepted or not.
That's because the software in question sucks, not because it's a natural property of all such software. > If attacker is able enough, he could also run a hacked version of Xnest > on port 6000+N and the real xscreensaver on :N.0 for a suitable N. > Attacker would feed the real xscreensaver with the captured password and > see if the real xscreensaver releases the server grab. Yeah, and any user on the system could put up a trojan that put up a window that pretended to be the login screen instead of a screen saverm since that would be much asier, and harvest passwords that way, instead, after pretending the first login failed. I don't really see your point... any time you have more than one user using the same console, it's possible to create a trojan. -- Terry _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "[EMAIL PROTECTED]"