From: Robert Watson
X-Sender: robert@fledge.watson.org
Date: Thu, 24 Jan 2002 20:03:07 -0500 (EST)
To: "Andrey A. Chernov"
Cc: Dag-Erling Smorgrav, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opieaccess pam_opieaccess.c
In-Reply-To: <20020125005725.GA89369@nagual.pp.ru>

On Fri, 25 Jan 2002, Andrey A. Chernov wrote:

> On Thu, Jan 24, 2002 at 19:29:46 -0500, Robert Watson wrote:
> > resolve to my address, and likewise reverse lookup? Does opieaccess()
> > actually convert localhost to 127.0.0.1, or does it rely on the resolver
>
> To prevent any tricks with the resolver it is always better to pass a numeric
> IP address into PAM's RHOST when possible.

Will it ever not be possible to pass a numeric IP address?

> The alternative way is to always check the back-map for names in set_item(RHOST
> ...) in PAM.

I guess I had in mind something more like set_item(LOCALLOGIN ...), which
would be set for a local login. That way the notion of "local" isn't keyed
to a special value in the namespace. Adding special values to namespaces
has caused frequent security problems in the past.

Witness the IPFW 'established' vulnerability a little while back: a special
value was used that didn't appear in common practice, but the result was
that when it was used, it violated the requirements of the system, allowing
attackers to penetrate the firewall. Likewise, when that use suddenly did
become common practice, the firewall didn't even appear to work :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
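The design point Robert makes above, as an added C example that is not code from this mail, from libpam or from FreeBSD's pam_opieaccess: the `login_ctx` struct, the LOCALLOGIN-style flag and the host strings are assumptions, written to contrast "local" as a magic RHOST value with "local" as an explicit item.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Design 1 (the pattern Robert argues against): "local" is a special
 * value inside the RHOST namespace. Whatever can place that value into
 * RHOST, for example a resolver answer of "localhost" for a remote peer,
 * is then treated like a console login and can skip the OPIE check. */
static bool is_local_by_magic_rhost(const char *rhost)
{
    return rhost == NULL || *rhost == '\0' ||
           strcmp(rhost, "localhost") == 0 ||
           strcmp(rhost, "127.0.0.1") == 0;
}

/* Design 2 (the set_item(LOCALLOGIN ...) idea): the application sets a
 * separate item only when it knows there is no network peer at all.
 * RHOST is never interpreted to derive "local". Hypothetical struct. */
struct login_ctx {
    bool        local_login; /* set by login(1) for tty sessions only */
    const char *rhost;       /* peer address as passed to PAM, or NULL */
};

static bool is_local_by_explicit_item(const struct login_ctx *ctx)
{
    return ctx->local_login;
}

/* Andrey's complementary point: pass a numeric address, not a name, so
 * the access decision never depends on what the resolver says. This
 * accepts only IPv4/IPv6 literals, using inet_pton from the C library. */
static bool rhost_is_numeric(const char *rhost)
{
    struct in_addr  v4;
    struct in6_addr v6;

    if (rhost == NULL)
        return false;
    return inet_pton(AF_INET, rhost, &v4) == 1 ||
           inet_pton(AF_INET6, rhost, &v6) == 1;
}

/* Policy a module could apply: run opieaccess() unless the login is
 * explicitly local; a non-numeric RHOST is treated as needing the check. */
static bool opieaccess_check_required(const struct login_ctx *ctx)
{
    if (is_local_by_explicit_item(ctx))
        return false;
    return true;
}
```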