Re: [uCsimm] login problem

From: Geoffrey Wossum (gpw0341@omega.uta.edu)
Date: Wed Jun 28 2000 - 01:13:03 EDT


> You could easily get login.c to fopen /etc/password and pull a plain text
> password from that, you could even add username support. It wouldn't add
> many bytes to the code, there isn't much to it :)
> But if you want encryption, then you are asking a hard question :)

There's not really any point in using /etc/passwd unless your /etc/ is NFS
mounted or in a flashFS, since otherwise changing /etc/passwd requires
changing /bin/login as well.

As for "encryption", a one-way hash should fit into the login program.
Standard Linux crypt() is a modified DES. Not a light algorithm, but
should fit I think.

However, real user accounts aren't worth wasting your time with because
1) You aren't going to timeshare a uClinux device, are you?

2) No truly enforceable protection mechanism (due to no MMU). You could
try to restrict access to files, but since you can't restrict my access to
memory I could just circumvent your protection. True, it would deter me,
but you probably aren't keeping valuable data on your uClinux device. I
would want to crack it to crash it, which I can do quite easily thanks to
no MMU.

Now that I think about, adding a one-hash to the password is useless,
because you'd have to get on the system first to run strings over the
files. But if I got in the system in the first place, I don't need other
passwords because I can already do anything I want.

Just don't use a password on the uClinux system that you use elsewhere.

To summarize: Probably be better to spend your time elsewhere.

---
Geoffrey Wossum
gwossum@acm.org
Project AKO - http://rover1.uta.edu/~ako
Internet Imperialists - http://inetimperial.sourceforge.net
This message resent by the ucsimm@uclinux.com list server http://www.uClinux.com/



This archive was generated by hypermail 2b30 : Sun Apr 07 2002 - 00:01:37 EST