On Wed, Aug 11, 2004 at 08:04:17PM +0200, Thomas Glanzmann wrote:
> On the other hand when your sysadm really wants your accounts, he gets
> it. I have a similar problem here. :-)

That is the reason not to work on systems with an untrusted admin. He can trace the lftp process, dump its memory, snoop the network, etc. He can even replace lftp with a modified version which sends all passwords to him.

It is possible to make it harder for the admin to get passwords, but it's impossible to prevent it completely. To make it harder it would be necessary to implement the ssh protocol inside lftp and connect to lftp directly over ssh without use of a pseudo-tty, keep all passwords encrypted even in memory, link lftp statically with trusted libraries, check the gpg signature of the lftp binary before launching, transfer a statically linked gpg binary from a trusted machine...

Then again, what would you use to transfer gpg? It's possible to replace the copying server, which would replace the gpg binary, which would say the lftp binary is ok when it is actually replaced. BTW, even a statically linked binary won't help much, as the admin can replace ld-linux.so and even the kernel itself.

In short, it is hell to fight with the admin.

--
   Alexander.
