Date: Mon, 27 Nov 2000 14:49:54 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: Richard Ward <mh@neonsky.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: *login
Message-ID: <20001127144953.C420@ringworld.oblivion.bg>
In-Reply-To: <028e01c0586d$fb1c7680$0101a8c0@pavilion>; from mh@neonsky.net on Mon, Nov 27, 2000 at 07:31:31AM -0500
References: <028e01c0586d$fb1c7680$0101a8c0@pavilion>
On Mon, Nov 27, 2000 at 07:31:31AM -0500, Richard Ward wrote:
> Hello,
> I'm wondering what program would use root to execute 'login -h <some weird host> -p". I've noticed every now and then that it would be running as root, and as a regular user, you cannot use the -h option. What exactly could be going on? I only run telnet and ssh1 as remote login daemons. Does telnet or ssh1 require this login command to be executed certain times or randomly? I have both telnet and ssh clients chmod 700, so a regular user won't be able to remotely login from my computer...

Both /usr/libexec/telnetd and the OpenSSH sshd start login with a -h option. However, it is next to impossible (or at least very, very improbable) to feed fake hostnames to either of them - SSH as a whole is notoriously picky as to DNS-resolving hostnames and such, and I've just checked the telnetd source in 4.2-STABLE - it accepts no data from the client, but tries to resolve the hostname both ways using realhostname_sa(3). So, both telnetd and sshd only record (and pass to login) the real client hostname.

Have you been seeing actual login processes on your system, running with a weird -h command-line option, or do you base your judgement on utmp/wtmp records?

If it is utmp/wtmp records, there might be other candidates for writing bad info there - X terminals come to mind immediately, PAM might also be involved in some way, and there certainly are other possibilities.

G'luck,
Peter

-- 
This sentence contradicts itself - or rather - well, no, actually it doesn't!

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001127144953.C420>
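
The two-way hostname check the reply refers to, as an added example that is not part of the original message and is not FreeBSD source: it models the documented behaviour of realhostname(3), which keeps the reverse-resolved name only if that name resolves forward to the same address and otherwise falls back to the numeric address. The function names, the `maxlen` default and the DNS tables are constructed for illustration.

```python
import ipaddress

# Constructed DNS data (documentation address ranges and example domains).
# Reverse (PTR) records are published by whoever controls the address block.
PTR_RECORDS = {
    "192.0.2.10": "shell.example.org",      # consistent with the forward zone
    "198.51.100.7": "trusted.example.org",  # PTR names a host it does not own
    "203.0.113.5": None,                    # no PTR record at all
}
# Forward (A) records are published by whoever controls the name.
A_RECORDS = {
    "shell.example.org": ["192.0.2.10"],
    "trusted.example.org": ["192.0.2.99"],
}

def reverse_lookup(addr):
    """Hypothetical resolver stub: address -> PTR name, or None."""
    return PTR_RECORDS.get(addr)

def forward_lookup(name):
    """Hypothetical resolver stub: name -> list of addresses."""
    return A_RECORDS.get(name.lower().rstrip("."), [])

def real_hostname(addr, reverse=reverse_lookup, forward=forward_lookup, maxlen=256):
    """Return (host, verified) for a peer address.

    The PTR name is kept only when it fits in maxlen and one of its forward
    records equals the peer address; otherwise the numeric address is used.
    """
    ip = ipaddress.ip_address(addr)
    name = reverse(str(ip))
    if not name or len(name) > maxlen:
        return str(ip), False
    for candidate in forward(name):
        try:
            if ipaddress.ip_address(candidate) == ip:
                return name, True
        except ValueError:
            continue  # ignore malformed forward records
    return str(ip), False

def login_argv(addr):
    """Argument vector a daemon would build for login (illustrative only)."""
    host, _verified = real_hostname(addr)
    return ["login", "-h", host, "-p"]

if __name__ == "__main__":
    for peer in PTR_RECORDS:
        print(peer, real_hostname(peer), login_argv(peer))
```

Because the forward zone belongs to the owner of the name rather than the owner of the address block, a mismatched PTR record ends up as a bare IP address in the `-h` argument instead of the claimed hostname.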
