Date: Thu, 23 Oct 1997 09:13:56 -0700 (PDT)
From: Doug Ambrisko <ambrisko@whistle.com>
To: freebsd-hackers@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: Password files and virtual IP addresses
Message-ID: <199710231613.JAA22205@crab.whistle.com>
In-Reply-To: <Pine.BSF.3.95.971023005117.23413D-100000@current1.whistle.com> from Julian Elischer at "Oct 23, 97 00:53:22 am"
Julian Elischer writes:
| We have a whole virtual machine
| using chroot, and a few other tricks such as a hacked inetd.
| It was described recently on either hackers or questions (I forget which)
| by Doug Ambrisko. (I think it was questions)

It was a hacked natd-like program.  "inetd" was fine as is.

| On Wed, 22 Oct 1997, Charles Mott wrote:
|
| > Suppose that one wanted to create different virtual
| > IP addresses with ifconfig alias, and when people telnet
| > or ftp or access pop3/imap2 at a virtual address, a
| > password file specific to that virtual address would be
| > used.  This would allow username re-use.
| >
| > Has this sort of thing been considered before?  If not,
| > what sort of things would have to be hacked?  If password
| > access routines could somehow be informed what virtual
| > address they were being accessed from, then it would
| > be possible to have multiple password files.
| >
| > Of course, there are always unintended security
| > implications to doing these things...

This is a pretty simple case since these services can be controlled via
inetd.  Since inetd is well-behaved (i.e. uses /etc/services to figure out
what ports to use), it is pretty easy to copy the stuff you need into a
small chroot and then do a "chroot path /usr/sbin/inetd" to start your
services that have been shifted via editing /etc/services in the chroot.

The tricky part is to make connections that come in through the alias IP
do a "port shift" from the standard ports to the ones used in the chroot.
This can be done with a hacked natd that does port translation instead of
IP translation.  Note this problem is simpler than the case I described
before since only incoming connections are made, so you don't have to
worry about translating connections originating from the chroot, such as
sendmail delivering mail from inside the chroot.

The translate code is based on some non-public Whistle code.

Doug A.
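The setup Doug describes has two halves: a chrooted inetd bound to shifted ports taken from the chroot's own /etc/services, and a translator that rewrites the destination port of connections arriving on the alias IP. What follows is an added example, not code from this thread, from Whistle or from FreeBSD: a user-space TCP forwarder in Python that stands in for the port-translating natd. It derives its port map from the same shifted /etc/services lines the chrooted inetd would read, so the two halves cannot drift apart. The shifted port numbers (2023, 2021, 2110, 2143), the alias address 192.0.2.10, the loopback backend address and the sample services lines are all constructed for the example.

```python
"""Port-shift front end for services behind an alias IP.

Added example, not code from this thread, from Whistle or from FreeBSD.
Doug's design binds a chrooted inetd to shifted ports taken from the
chroot's own /etc/services and uses a modified natd to rewrite the
destination port of connections that arrive on the alias address.  This
user-space TCP relay stands in for that natd.  Every port number,
address and /etc/services line below is an assumption made up for the
example.
"""
import socket
import threading

# Constructed sample of the tcp lines in the chroot's /etc/services, with
# the standard ports moved to an unused range (assumed numbers).
SHIFTED_SERVICES = """\
# service  port/proto  aliases
telnet     2023/tcp
ftp        2021/tcp
pop3       2110/tcp    pop-3
imap       2143/tcp    imap2
"""

# The well-known ports the outside world connects to on the alias IP.
STANDARD_PORTS = {"telnet": 23, "ftp": 21, "pop3": 110, "imap": 143}


def parse_services(text):
    """Return {service: port} for the tcp entries of a services(5) file."""
    ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        if proto == "tcp":
            ports[name] = int(port)
    return ports


def build_shift_table(shifted_text, standard=STANDARD_PORTS):
    """Map standard port -> shifted port for each service present in both."""
    shifted = parse_services(shifted_text)
    return {standard[name]: port
            for name, port in shifted.items() if name in standard}


def shifted_port(dst_port, table):
    """Port inside the chroot for a connection to dst_port, or None if the
    service is not shifted (e.g. port 25 stays with the host's sendmail)."""
    return table.get(dst_port)


def relay(src, dst):
    """Copy bytes one way; half-close dst once src reaches EOF so the
    peer sees an orderly close rather than a hung connection."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve(alias_ip, std_port, table, backend_ip="127.0.0.1"):
    """Accept on (alias_ip, std_port); relay each connection to the
    shifted port on backend_ip, where the chrooted inetd listens."""
    target = shifted_port(std_port, table)
    if target is None:
        raise ValueError("port %d is not shifted" % std_port)
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((alias_ip, std_port))
    ls.listen(16)
    while True:
        client, _peer = ls.accept()
        try:
            backend = socket.create_connection((backend_ip, target))
        except OSError:
            client.close()        # chroot inetd not up: refuse, don't hang
            continue
        threading.Thread(target=relay, args=(client, backend), daemon=True).start()
        threading.Thread(target=relay, args=(backend, client), daemon=True).start()


if __name__ == "__main__":
    # Assumed alias address; one listener thread per shifted service.
    ALIAS_IP = "192.0.2.10"
    table = build_shift_table(SHIFTED_SERVICES)
    for port in sorted(table):
        threading.Thread(target=serve, args=(ALIAS_IP, port, table), daemon=True).start()
    threading.Event().wait()      # run until killed
```

Two things a packet-level translator like natd gets right that this relay does not: the chrooted inetd sees every connection as coming from 127.0.0.1, so tcp_wrappers rules and daemon logging inside the chroot lose the real client address, and active-mode ftp opens its data connection from the server side, which the relay never touches. The relay also only runs as root for ports below 1024, exactly as inetd would on the host, so a bug in it is a bug in a privileged process.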