From owner-freebsd-security Mon Nov 27 4:50:31 2000
Date: Mon, 27 Nov 2000 14:49:54 +0200
From: Peter Pentchev
To: Richard Ward
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: *login
Message-ID: <20001127144953.C420@ringworld.oblivion.bg>
References: <028e01c0586d$fb1c7680$0101a8c0@pavilion>
In-Reply-To: <028e01c0586d$fb1c7680$0101a8c0@pavilion>; from mh@neonsky.net on Mon, Nov 27, 2000 at 07:31:31AM -0500
User-Agent: Mutt/1.2.5i

On Mon, Nov 27, 2000 at 07:31:31AM -0500, Richard Ward wrote:
> Hello,
> I'm wondering what program would use root to execute 'login -h -p'.
> I've noticed every now and then that it would be running as root, and
> as a regular user, you cannot use the -h option. What exactly could be
> going on? I only run telnet and ssh1 as remote login daemons. Does
> telnet or ssh1 require this login command to be executed certain times
> or randomly? I have both telnet and ssh clients chmod 700, so a regular
> user won't be able to remotely login from my computer...

Both /usr/libexec/telnetd and the OpenSSH sshd start login with a -h
option. However, it is next to impossible (or at least very, very
improbable) to feed fake hostnames to either of them - SSH as a whole is
notoriously picky as to DNS-resolving hostnames and such, and I've just
checked the telnetd source in 4.2-STABLE - it accepts no data from the
client, but tries to resolve the hostname both ways using
realhostname_sa(3).

So, both telnetd and sshd only record (and pass to login) the real client
hostname. Have you been seeing actual login processes on your system,
running with a weird -h command-line option, or do you base your
judgement on utmp/wtmp records? If it is utmp/wtmp records, there might
be other candidates for writing bad info there - X terminals come to mind
immediately, PAM might also be involved in some way, and there certainly
are other possibilities.

G'luck,
Peter

-- 
This sentence contradicts itself - or rather - well, no, actually it doesn't!
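The reply's point is that the hostname telnetd hands to "login -h" is not taken from the client but derived by resolving the peer address "both ways": a reverse lookup of the address, then a forward lookup of the resulting name, which must map back to the same address. The example below is an added illustration of that forward-confirmed reverse DNS rule and is not code from the thread or from the FreeBSD tree. It models realhostname_sa(3) as I read its documented behaviour (the status names are borrowed from that manual page; the exact fallback details are an assumption), and it injects the resolver so it runs offline against constructed zone data rather than real hosts.

```python
"""Forward-confirmed reverse DNS check, modelled on realhostname_sa(3).

Added example, not code from the FreeBSD tree or from the mailing-list
thread. Decision rule (my reading of the manual page, an assumption):
the name passed to `login -h` must be a PTR name for the peer address
whose own forward lookup contains that address; otherwise the numeric
address is logged instead. The resolver functions are injected so the
example runs offline; the zone data at the bottom is constructed.
"""
from typing import Callable, Dict, List, Tuple

# Status names borrowed from realhostname_sa(3); the strings are ours.
HOSTNAME_FOUND = "HOSTNAME_FOUND"                  # PTR name confirmed by forward lookup
HOSTNAME_INCORRECTNAME = "HOSTNAME_INCORRECTNAME"  # PTR name exists but does not map back
HOSTNAME_INVALIDADDR = "HOSTNAME_INVALIDADDR"      # no PTR name for the address

ReverseLookup = Callable[[str], List[str]]  # address -> PTR names (may be empty)
ForwardLookup = Callable[[str], List[str]]  # hostname -> addresses (may be empty)


def real_hostname(addr: str, reverse: ReverseLookup,
                  forward: ForwardLookup) -> Tuple[str, str]:
    """Return (status, name_to_log) for a peer address.

    name_to_log is what a daemon would put on the `login -h` command line:
    the confirmed hostname, or the numeric address when confirmation fails.
    """
    ptr_names = reverse(addr)
    if not ptr_names:
        return HOSTNAME_INVALIDADDR, addr
    name = ptr_names[0]
    # The peer's network controls only the PTR record for its own address.
    # The forward lookup is answered by the zone that owns the claimed name,
    # so a PTR pointing at somebody else's name is rejected here.
    if addr in forward(name):
        return HOSTNAME_FOUND, name
    return HOSTNAME_INCORRECTNAME, addr


# --- constructed sample zone data (documentation ranges, not real hosts) ---
_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["honest.example.net"],
    "192.0.2.20": ["trusted.example.org"],  # PTR claims a name it does not own
    # 192.0.2.30 deliberately has no PTR record
}
_FWD: Dict[str, List[str]] = {
    "honest.example.net": ["192.0.2.10"],
    "trusted.example.org": ["198.51.100.5"],  # the genuine address of that name
}


def sample_reverse(addr: str) -> List[str]:
    """Constructed stand-in for a PTR lookup."""
    return list(_PTR.get(addr, []))


def sample_forward(name: str) -> List[str]:
    """Constructed stand-in for an A/AAAA lookup."""
    return list(_FWD.get(name, []))


def check_peers(addrs: List[str]) -> Dict[str, Tuple[str, str]]:
    """Run the check over several peer addresses with the sample resolver."""
    return {a: real_hostname(a, sample_reverse, sample_forward) for a in addrs}


if __name__ == "__main__":
    peers = list(_PTR) + ["192.0.2.30"]
    for addr, (status, host) in check_peers(peers).items():
        print(f"{addr:<12} {status:<24} login -h {host}")
```

Only the first peer ends up with a hostname on the login command line; the mismatched and unresolvable ones are logged by address, which is why a client cannot plant an arbitrary name in utmp/wtmp through telnetd, and why odd -h values are more likely to come from some other writer of those records, as the reply suggests.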