Date: Wed, 05 Apr 2000 00:10:08 -0400
From: Bob Johnson <bobj@atlantic.net>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: questions@FreeBSD.ORG
Subject: Re: 3.4-R telnetd doesn't prompt for password on bad user id
Message-ID: <3.0.6.32.20000405001008.00813c90@rio.atlantic.net>
In-Reply-To: <87113.954843930@axl.ops.uunet.co.za>
References: <Your message of "Mon, 03 Apr 2000 22:30:04 -0400." <3.0.6.32.20000403223004.009bbb50@rio.atlantic.net>

At 12:25 PM 04/04/2000 +0200, Sheldon Hearn wrote:
>
>
>On Mon, 03 Apr 2000 22:30:04 -0400, Bob Johnson wrote:
>
>> Two of them are 3.4-RELEASE Mon Dec 20 1999. If I telnet to either of
>> them, it does not prompt for a password if I enter an invalid user id:
>> it simply prints "Login incorrect" and displays the login prompt again.
>> This allows a bored attacker to try logins until he hits a valid userid.
>
>Weird. I'm using 5.0-CURRENT and I don't see this. Two things come to
>mind, though:

My 4.0-RELEASE system doesn't do it, either (I forgot about that one
when I made the original post).

>
>1) Are you _sure_ you're using the stock /usr/libexec/telnetd ?

It looks that way to me:

# $FreeBSD: src/etc/inetd.conf,v 1.33.2.4 1999/11/18 09:45:15 des Exp $
#
# Internet server configuration database
#
# @(#)inetd.conf 5.4 (Berkeley) 6/30/90
#
#ftp    stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd -h
#shell  stream  tcp  nowait  root  /usr/libexec/rshd     rshd
#login  stream  tcp  nowait  root  /usr/libexec/rlogind  rlogind
[etc.]

ps shows that telnetd is not running when there is no connection, so I
don't think it's being started somewhere other than inetd. I've tried
telnetd without the -h option and got the same result.

>2) Are you perhaps using Kerberized telnet?

If you mean the client, I tried it with the telnet that's built in to
Windows 95 and got the same result. The daemon is whatever got
installed in the original installation, and ls -l shows it as:

-r-xr-xr-x  1 root  wheel  62008 Dec 20 01:00 telnetd

Which is the right date. I don't know about the size.

I just discovered an important clue: I added a new user (with adduser),
and attempted to log in as that user via telnet. It is treated as if
the user didn't exist, i.e., there is no password prompt, despite the
fact that the user exists in both /etc/passwd and /etc/master.passwd.
In fact, it appears that only the user "bobj" gets a password prompt
from telnetd. Other users, even though they are valid, do not.

ls -l reports that the modification time for passwd, master.passwd,
pwd.db, and spwd.db all match the time at which the new user was added,
so they appear to be getting updated (what is spwd.db used by?).

auth.conf looks like:

#
# $FreeBSD: src/etc/auth.conf,v 1.1.2.1 1999/08/29 14:18:39 peter Exp $
#
# This file contains information on what types of authentication to use.
# It is just the beginnings of a greater scheme.
#
auth_default = des
# auth_list = passwd kerberos
auth_list = passwd

hosts.allow starts out with:

#
# hosts.allow access control file for "tcp wrapped" apps.
# $FreeBSD: src/etc/hosts.allow,v 1.2.2.5 1999/08/29 14:18:45 peter Exp $
#
# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow'
# and 'deny' rules in the hosts.allow file.
# see hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.

# This is an example! You will need to modify it for your specific
# requirements!

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

(and everything past that should be irrelevant, right?)

skey.access contains:

deny user root
deny

pam.conf contains:

# Configuration file for Pluggable Authentication Modules (PAM).
#
# This file controls the authentication methods that login and other
# utilities use. See pam(8) for a description of its format.
#
# Note: the final entry must say "required" -- otherwise, things don't
# work quite right. If you delete the final entry, be sure to change
# "sufficient" to "required" in the entry before it.
#
# $FreeBSD: src/etc/pam.conf,v 1.1 1998/11/20 23:20:01 jdp Exp $

# If the user can authenticate with S/Key, that's sufficient.
login  auth  sufficient  pam_skey.so

# Check skey.access to make sure it is OK to let the user type in
# a cleartext password. If not, then fail right here.
login  auth  requisite  pam_cleartext_pass_ok.so

# If you want KerberosIV authentication, uncomment the next line:
#login  auth  sufficient  pam_kerberosIV.so  try_first_pass

# Traditional getpwnam() authentication.
login  auth  required  pam_unix.so  try_first_pass

And finally, login.access contains a bunch of comments followed by:

+:bobj:ALL
-:wheel:ALL EXCEPT LOCAL
-:ALL:ALL EXCEPT LOCAL

bobj is the ONLY user who gets a password prompt from telnetd (I first
reported that only invalid user names failed to get a password prompt,
but that is not accurate), so I tried changing login.access to contain
nothing but +:ALL:ALL, but the behavior didn't change, even after
rebooting the system.

Are there any configuration files I missed?

I've got to get some sleep, so I'll have to pick this up tomorrow. I
was able to do a buildworld to -STABLE on one of the systems today. I
can try to find the time to actually install it if you think that will
be informative, or I can keep poking at the existing one until the
mystery is solved. Or both, since there are two systems doing this.

>
>Ciao,
>Sheldon.
>
>

Thanks for the help,

-- Bob

+--------------------------------------------------------
| Bob Johnson
| bobj@atlantic.net
+--------------------------------------------------------


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
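
Added example, not part of the original message and not FreeBSD's own code: a simplified evaluator for the three login.access rules quoted above, using the first-match semantics documented in login.access(5). The wheel membership, the user "newuser" and the origin strings are constructed assumptions; it shows only how the rules evaluate for a given user and origin, not why telnetd skips the password prompt.

```python
# Simplified model of login.access(5): the first rule whose user list and
# origin list both match decides; if nothing matches, login is allowed.
# Handles ALL, LOCAL, EXCEPT and exact names only (no netgroups, domains,
# or network prefixes).

RULES = """\
+:bobj:ALL
-:wheel:ALL EXCEPT LOCAL
-:ALL:ALL EXCEPT LOCAL
"""  # the three rules quoted in the message

GROUPS = {"wheel": {"root", "bobj"}}  # constructed membership (assumption)


def list_match(tokens, item, match_one):
    """Match item against a token list, honouring an EXCEPT clause."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_match(tokens[:i], item, match_one)
                and not list_match(tokens[i + 1:], item, match_one))
    return any(match_one(tok, item) for tok in tokens)


def user_match(tok, user):
    # A token may be ALL, a login name, or a group name.
    return tok == "ALL" or tok == user or user in GROUPS.get(tok, ())


def origin_match(tok, origin):
    if tok == "ALL":
        return True
    if tok == "LOCAL":  # LOCAL matches any origin string without a dot
        return "." not in origin
    return tok.lower() == origin.lower()


def login_allowed(user, origin, rules=RULES):
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (list_match(users.replace(",", " ").split(), user, user_match)
                and list_match(origins.replace(",", " ").split(), origin, origin_match)):
            return perm == "+"
    return True  # no rule matched
```

With these rules, a remote origin such as the constructed "client.example.net" is accepted only for bobj, while any user is accepted from a dot-free origin such as a local tty name.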