Date: Thu, 26 Feb 1998 08:14:37 +0000 (GMT)
From: marc@sniff.ct-net.de
To: freebsd-security@FreeBSD.ORG (FreeBSD Security List)
Subject: login.access weakness
Message-ID: <199802260814.IAA01580@home.sniff.ct-net.de>

Hello!

(Never heard of this, so it should be new?)

On a 2.2.2 box I found the following behaviour which I think is a bug:

in /etc/login.access

    -:testuser: ALL EXCEPT ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5 ttyv6 ttyv7

and in 192.168.254.zone

    10 IN PTR ttyv7.

(192.168.254.x is the private address space I use for my small test-network. The file 192.168.254.zone is the reverse-mapping for the DNS bind)

I expected the login.access line to prevent any login from the net. This works for a telnet from a system with e.g. 192.168.254.2. But from a computer with the IP address 192.168.254.10 one is able to log in to testuser.

Can anyone else confirm this? Is this a bug or did I make a mistake? The login process should look for at least do.main, right? Or is there anyone out in the internet with a top-level hostname? ;)

Regards,
Marc

--
Marc Binderberger
97076 Wuerzburg, Germany
marc@sniff.ct-net.de
Powered by FreeBSD ;-)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
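
The behaviour reported above, as an added example that is not part of the original message and is not FreeBSD's login code: a simplified model of an access-list check in which one origin string carries either the tty name or the peer's reverse-DNS name, next to a variant that keeps the two apart. The function names, the fallback to the numeric address and the tty name ttyp0 are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Origin list of the "-" (deny) entry quoted in the message. */
#define RULE "ALL EXCEPT ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5 ttyv6 ttyv7"

/* Simplified model (assumption): return 1 if origin matches the
 * space-separated list; tokens after EXCEPT cancel an earlier match. */
static int in_list(const char *list, const char *origin)
{
    int match = 0, except = 0;
    const char *p = list;

    while (*(p += strspn(p, " ")) != '\0') {
        size_t n = strcspn(p, " ");
        int hit = (n == 3 && strncmp(p, "ALL", 3) == 0) ||
                  (n == strlen(origin) && strncmp(p, origin, n) == 0);
        if (n == 6 && strncmp(p, "EXCEPT", 6) == 0)
            except = 1;
        else if (hit)
            match = !except;
        p += n;
    }
    return match;   /* a match on a "-" entry means the login is denied */
}

/* Untyped check: the remote name, when present, replaces the tty name,
 * so a PTR value is compared against the tty tokens. */
static int denied_untyped(const char *tty, const char *rname)
{
    return in_list(RULE, rname ? rname : tty);
}

/* Typed check (one possible mitigation, assumed here): a remote name
 * without a dot is not used as a name; the numeric address is matched. */
static int denied_typed(const char *tty, const char *rname, const char *raddr)
{
    if (raddr == NULL)
        return in_list(RULE, tty);              /* local login */
    if (rname == NULL || strchr(rname, '.') == NULL)
        rname = raddr;
    return in_list(RULE, rname);
}

int main(void)
{
    /* Constructed inputs built from the values in the message. */
    printf("untyped, PTR ttyv7: denied=%d\n", denied_untyped("ttyp0", "ttyv7"));
    printf("typed,   PTR ttyv7: denied=%d\n", denied_typed("ttyp0", "ttyv7", "192.168.254.10"));
    return 0;
}
```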