I came across an old phrack that was about "tty hacking." I though this would be a totally outdated hack, but i was sort of wrong. Say a dumb user was logged onto tty2.. i made this nifty little script that works on my redhat 7.1:
echo -ne "\nexit\n" > /dev/tty2
sleep 1
clear > tty2
echo -ne "\n\nRedHat Linux release 7.1 (Seawolf)\nKernel 2.4.3 on an i686\n\nlocalhost: $USER\nPassword: " > /dev/tty2
echo -ne "user: $USER\nwait for password..."

Now if I was a little less ignorant on scripting I could make this more believable (feel free to use/change it). What it does is it prints "exit" on the users screen then mimics redhats login prompt, except this one already has his username filled out. His cursor will be blinking after "Password: ". If/when he types it in, he wont see the characters displayed on his screen (just like in the real thing!) but youll see it on yours. Anything and Everything he types will go right back to your console! Of course after he presses enter and nothing happens, he'll start to panic, pressing all kinds of escape sequences. I didnt find any except Crtl-C, but that just gives you your [$USER blah $PWD]: thingie, you still cant do anything. The only way is if the attacker kills the proccess. Oh and there is one catch, the user has to be in your same group. Anyway, i just though that was pretty cool; if anyone knows how to make the ttys not writable to the group by default would ya let me know? thanks
-Ryan