Date:      Tue, 25 Jun 1996 08:36:16 +0200 (MET DST)
From:      guido@gvr.win.tue.nl (Guido van Rooij)
To:        danny@auscert.org.au (Danny Smith)
Cc:        jkh@time.cdrom.com, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject:   Re: No comment character in hosts.equiv
Message-ID:  <199606250636.IAA18992@gvr.win.tue.nl>
In-Reply-To: <199606242355.JAA29733@amethyst.auscert.org.au> from Danny Smith at "Jun 25, 96 09:55:12 am"

Danny Smith wrote:
-- Start of PGP encoded section.
> (Note the change of subject line!)
> 
> "Jordan K. Hubbard" writes:
> 
> > Hmmm.  We have reason to believe that he *didn't* get root (though
> > we're still assuming he did, just to be paranoid) and if the mod times
> > can be trusted, hosts.equiv hasn't been touched in many months (and
> > localhost is commented out).
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> There is no comment character in either the hosts.equiv file or the
> .rhosts file.  Use of this may allow someone to spoof DNS and gain
> trusted access.
> 
> Check out the code relating to calls to ruserok().

Wrong. FreeBSD has a comment char. Put in before the release of 2.1.0.
Look in usr/src/lib/libc/net/rcmd.c in __ivaliduser.

-Guido
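
An added example, not part of the message above and not FreeBSD's rcmd.c: a small C audit that lists the lines of hosts.equiv-style content which are inert only where the parser honours '#'. The comment rule (first byte is '#'), the first-token host field, the function names and the sample content are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum line_kind { LINE_BLANK, LINE_COMMENT, LINE_ENTRY };

/* Assumption: a comment-aware parser skips lines whose first byte is '#'. */
enum line_kind classify_line(const char *line)
{
    if (line[0] == '\0' || line[0] == '\n')
        return LINE_BLANK;
    return line[0] == '#' ? LINE_COMMENT : LINE_ENTRY;
}

/* Assumption: a parser with no comment support reads the first
 * whitespace-delimited token, '#' included, as the host field. */
size_t host_field_len(const char *line)
{
    return strcspn(line, " \t\r\n");
}

/* Walk the text line by line; return how many lines are inert only
 * where '#' is honoured. Each one is reported if report is non-NULL. */
int audit(const char *text, FILE *report)
{
    int lineno = 0, risky = 0;

    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        lineno++;
        if (classify_line(text) == LINE_COMMENT) {
            risky++;
            if (report != NULL)
                fprintf(report, "line %d: host field \"%.*s\" if '#' is not a comment\n",
                        lineno, (int)host_field_len(text), text);
        }
        text += len;
        if (*text == '\n')
            text++;
    }
    return risky;
}

/* Constructed sample content, not taken from any real host. */
static const char sample[] =
    "# trusted build hosts\nbuild1.example.org\n#localhost\n\nbuild2.example.org admin\n";

int main(void)
{
    return audit(sample, stdout) == 2 ? 0 : 1;
}
```

Files shared between systems are safer with such lines deleted outright rather than prefixed with '#'.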


