Date: Wed, 11 Nov 1998 06:40:01 -0800 (PST)
From: Peter Wemm <peter@netplex.com.au>
To: freebsd-bugs@FreeBSD.ORG
Subject: Re: bin/8646: Implement rlogind -a option
Message-ID: <199811111440.GAA20509@freefall.freebsd.org>
The following reply was made to PR bin/8646; it has been noted by GNATS.

From: Peter Wemm <peter@netplex.com.au>
To: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/8646: Implement rlogind -a option
Date: Wed, 11 Nov 1998 22:36:47 +0800

Cy Schubert - ITSD Open Systems Group wrote:
> In message <199811110504.NAA08334@spinner.netplex.com.au>, Peter Wemm
> writes:
> > Cy Schubert wrote:
> >
> > > >Synopsis: Implement rlogind -a option
> >
> > > >Description:
> > >
> > > Implement rshd's -a option in rlogind. Hopefully this will
> > > provide a little better security.
> >
> > I'm not sure that this is the right thing.. What is it to protect?
> > Hostname spoofing for .rhosts? If so, that is already taken care of
> > within the ruserok() and iruserok() code in libc which deals with .rhosts.
> >
> > All that I can see that it does is verify the hostname for utmp purposes..
> > What it should do in this case is log the IP address instead of the
> > hostname if there is a mismatch, and let ruserok() decide what to do.
> >
> > There is no need to refuse a connection from an incorrectly configured
> > client if that client has its IP address (not hostname) explicitly listed
> > in the .rhosts file.
> >
> > Refusing service solely because of DNS problems is bad. Refusing to
> > *trust* DNS if there is a problem is much better. The logging should
> > switch to IP addresses if there is any doubt about the DNS integrity.
>
> I looked through the ruserok() and iruserok() code. You are indeed
> correct. I stand corrected. I suppose that the -a option in rshd
> should also be deprecated. Wietse Venema's comments about BSD-style
> "paranoid" checks in BUGTRAQ are false.

Wietse's comments could well be correct for older BSD code, I don't have it
to check, but I was pretty sure I'd seen it somewhere in there.

The -a checks do have some purpose, but are not implemented the way I'd
like. They are used for logging the hostname in log files and the utmp/wtmp.

What I would prefer:
- the checks are on permanently
- a mismatch is not a fatal error, but instead of using the hostname, we
  use the IP address in ascii form in the logs and utmp/wtmp.

ie: if we get a connection from 1.2.3.4 and "1.2.3.4 -> foo.bar.org", but
"foo.bar.org -> 2.3.4.5", then rather than dropping the connection, we just
use "1.2.3.4" in the logs and the utmp files. And this should be on
always. :-)

After all, there is little point in refusing a connection if the user's
.rhosts has explicitly got: "1.2.3.4 otheruser" in it.

Cheers,
-Peter
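An added example, not part of the original message and not FreeBSD's rlogind code: the forward-confirmed reverse lookup the message prefers, where a mismatch falls back to the IP address for logging instead of dropping the connection. The lookup tables and the function names `reverse_lookup`, `forward_has_addr` and `peer_log_name` are hypothetical stand-ins for real resolver calls, with constructed data so the logic runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample DNS data, mirroring the example in the message. */
struct rec { const char *key, *val; };
static const struct rec ptr_tbl[] = {      /* reverse: address -> name */
    { "1.2.3.4",  "foo.bar.org" },
    { "10.0.0.5", "good.example.org" },
};
static const struct rec a_tbl[] = {        /* forward: name -> address */
    { "foo.bar.org",      "2.3.4.5"  },    /* disagrees with the PTR */
    { "good.example.org", "10.0.0.9" },
    { "good.example.org", "10.0.0.5" },
};
#define NELEM(t) (sizeof(t) / sizeof((t)[0]))

/* Hypothetical stand-in for a reverse lookup; NULL when no PTR exists. */
static const char *reverse_lookup(const char *ip)
{
    for (size_t i = 0; i < NELEM(ptr_tbl); i++)
        if (strcmp(ptr_tbl[i].key, ip) == 0)
            return ptr_tbl[i].val;
    return NULL;
}

/* Hypothetical stand-in for a forward lookup: is ip among name's addresses? */
static int forward_has_addr(const char *name, const char *ip)
{
    for (size_t i = 0; i < NELEM(a_tbl); i++)
        if (strcmp(a_tbl[i].key, name) == 0 && strcmp(a_tbl[i].val, ip) == 0)
            return 1;
    return 0;
}

/* Name for logs and utmp/wtmp: hostname only if reverse and forward lookups
 * agree, else the ASCII IP. Never refuses; ruserok()/iruserok() decide trust. */
const char *peer_log_name(const char *peer_ip)
{
    const char *name = reverse_lookup(peer_ip);
    return (name != NULL && forward_has_addr(name, peer_ip)) ? name : peer_ip;
}

int main(void)
{
    const char *peers[] = { "1.2.3.4", "10.0.0.5", "192.0.2.7" };
    for (size_t i = 0; i < NELEM(peers); i++)
        printf("%s logged as %s\n", peers[i], peer_log_name(peers[i]));
    return 0;
}
```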