From owner-freebsd-current Tue Sep 25 1:24:50 2001 Delivered-To: freebsd-current@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 8CE0337B415; Tue, 25 Sep 2001 01:24:23 -0700 (PDT) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f8P8Nn783808; Tue, 25 Sep 2001 11:23:49 +0300 (EEST) (envelope-from ru) Date: Tue, 25 Sep 2001 11:23:49 +0300 From: Ruslan Ermilov To: "Thyer, Matthew" Cc: current@FreeBSD.ORG, markm@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: rshd broken on -CURRENT Message-ID: <20010925112349.A81446@sunbay.com> References: <3BB012BE.BD8F324@dsto.defence.gov.au> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="s/l3CgOIzMHHjg/5" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3BB012BE.BD8F324@dsto.defence.gov.au>; from Matthew.Thyer@dsto.defence.gov.au on Tue, Sep 25, 2001 at 02:44:38PM +0930 Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --s/l3CgOIzMHHjg/5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline I don't know why Mark does not fix this. I have reported this yet back in May, please see attached. While pam_rhosts_auth.so is unavailable, I suggest we commit the following: Index: pam.conf =================================================================== RCS file: /home/ncvs/src/etc/pam.conf,v retrieving revision 1.19 diff -u -r1.19 pam.conf --- pam.conf 2001/08/26 18:15:32 1.19 +++ pam.conf 2001/09/25 08:21:28 @@ -63,7 +63,8 @@ login password required pam_unix.so no_warn try_first_pass rsh auth required pam_nologin.so no_warn -rsh auth required pam_permit.so no_warn +rsh auth required pam_deny.so no_warn +#rsh auth required pam_rhosts_auth.so rsh account required pam_unix.so rsh session required pam_permit.so On Tue, Sep 25, 2001 at 02:44:38PM +0930, Thyer, Matthew wrote: > Why can I "rcp" to my FreeBSD-CURRENT box (built Sept 19th) with > no password when I dont even have a .rhosts file (I dont have an > /etc/hosts.equiv either). > > I can also "rsh freebie command" with no prompt for password. > > I assume this is due to the upgrade of PAM. > > Looking on a RedHat 7.1 system I see they have the following in > /etc/pam.d/rsh: > > #%PAM-1.0 > # For root login to succeed here with pam_securetty, "rsh" must be > # listed in /etc/securetty. > auth required /lib/security/pam_nologin.so > auth required /lib/security/pam_securetty.so > auth required /lib/security/pam_env.so > auth required /lib/security/pam_rhosts_auth.so > account required /lib/security/pam_stack.so service=system-auth > session required /lib/security/pam_stack.so service=system-auth > > > My FreeBSD-CURRENT box has this for rsh: > > rsh auth required pam_nologin.so no_warn > rsh auth required pam_permit.so no_warn > rsh account required pam_unix.so > rsh session required pam_permit.so > > > It seems that we dont have a /usr/lib/pam_rhosts_auth.so. -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age --s/l3CgOIzMHHjg/5 Content-Type: message/rfc822 Content-Disposition: inline Received: from mx2.freebsd.org (mx2.freebsd.org [216.136.204.119]) by whale.sunbay.crimea.ua (8.11.2/8.11.2) with ESMTP id f43BCx669253 for ; Thu, 3 May 2001 14:13:11 +0300 (EEST) (envelope-from mark@grondar.za) Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18]) by mx2.freebsd.org (Postfix) with ESMTP id 9589955F57 for ; Thu, 3 May 2001 04:12:53 -0700 (PDT) (envelope-from mark@grondar.za) Received: by hub.freebsd.org (Postfix) id 1931237B50D; Thu, 3 May 2001 04:12:53 -0700 (PDT) Delivered-To: ru@freebsd.org Received: from gratis.grondar.za (grouter.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id 1A13F37B424 for ; Thu, 3 May 2001 04:12:48 -0700 (PDT) (envelope-from mark@grondar.za) Received: from grondar.za (gratis.grondar.za [196.7.18.133]) by gratis.grondar.za (8.11.3/8.11.3) with ESMTP id f43BChp68050 for ; Thu, 3 May 2001 13:12:43 +0200 (SAST) (envelope-from mark@grondar.za) Message-Id: <200105031112.f43BChp68050@gratis.grondar.za> To: Ruslan Ermilov Subject: Re: Default rshd(8) PAM configuration results in a root compromise References: <20010503135757.A66125@sunbay.com> In-Reply-To: <20010503135757.A66125@sunbay.com> ; from Ruslan Ermilov "Thu, 03 May 2001 13:57:57 +0300." Date: Thu, 03 May 2001 13:14:35 +0200 From: Mark Murray MIME-Version: 1.0 > This is JFYI that the default (as given in /etc/pam.conf) > PAM configuration for rshd(8) currently results in a root > compromise, if rshd(8) is enabled in /etc/inetd.conf. rshd is a root compromise anyway :-) > It is obvious that "we can't have a conversation with the > client over the rsh connection", but using pam_permit is > certainly a bad idea. > > If this behavior was planned when committed, /etc/pam.conf > should at least warn about this. Agreed. I'll do that. M -- Mark Murray Warning: this .sig is umop ap!sdn --s/l3CgOIzMHHjg/5-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message