From owner-freebsd-security Fri Nov 24 15: 8:41 2000 Delivered-To: freebsd-security@freebsd.org Received: from bastuba.partitur.se (bastuba.partitur.se [212.209.169.194]) by hub.freebsd.org (Postfix) with ESMTP id 443A537B4CF for ; Fri, 24 Nov 2000 15:08:37 -0800 (PST) Received: from elbas.partitur.se (elbas.partitur.se [212.209.169.222]) by bastuba.partitur.se (8.9.3/8.9.3) with ESMTP id AAA09555; Sat, 25 Nov 2000 00:08:35 +0100 (CET) (envelope-from girgen@partitur.se) Received: from partitur.se (localhost.partitur.se [127.0.0.1]) by elbas.partitur.se (8.11.1/8.11.1) with ESMTP id eAON8ZN35520; Sat, 25 Nov 2000 00:08:35 +0100 (CET) (envelope-from girgen@partitur.se) Message-ID: <3A1EF4F3.1DBB456C@partitur.se> Date: Sat, 25 Nov 2000 00:08:35 +0100 From: Palle Girgensohn Organization: Partitur X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386) X-Accept-Language: sv, en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: telnet, SRA & preventing remote login as root? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi! I just realized a strange thing: Since 4.0, telnetd has SRA support. The SRA login dialog seems to bypass login(1) and I can't find a proper way prevent root from beeing able to login remotely. Here's what happens: $ telnet hostname Trying 1.2.3.4... Connected to hostname.domain Escape character is '^]'. FreeBSD/i386 (hostname.domain) (ttyp2) login: root Password: Login incorrect login: Connection closed by foreign host. $ fine, this is what I want... but: $ telnet -l root hostname Trying 1.2.3.4... Connected to hostname.domain Escape character is '^]'. Trying SRA secure login: User (root): root Password: [ SRA accepts you ] Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 The Regents of the University of California. All rights reserved. ... (I'm logged in as root) WTF! This is a standard 4.2-RELEASE system. Before 4.0, it wasn't possible to remotely log in as root (well, not any proper documented way...:) and I am a bit surprised that I suddenly can. I tried stopping this with login.access, but it seems it is not used by the SRA login dialog. I tried telnetd -X SRA (in inetd.conf), and this works (but crashes my 4.0-stable server just as PR 19606 says) but is still a workaround, since it removes the SRA altogether. Also, I tried telnetd -a off, and this will create double login dialogs, the second beeing login(1): $ telnet -l root hostname Trying 1.2.3.4... Connected to hostname.domain Escape character is '^]'. Trying SRA secure login: User (root): root Password: [ SRA accepts you ] Password: Login incorrect login: root Password: Login incorrect login: Connection closed by foreign host. $ Is this intentional? /Palle To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message