Date:      Thu, 24 Jan 2002 20:03:07 -0500 (EST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        Dag-Erling Smorgrav <des@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/lib/libpam/modules/pam_opieaccess pam_opieaccess.c
Message-ID:  <Pine.NEB.3.96L.1020124200023.67438I-100000@fledge.watson.org>
In-Reply-To: <20020125005725.GA89369@nagual.pp.ru>


On Fri, 25 Jan 2002, Andrey A. Chernov wrote:

> On Thu, Jan 24, 2002 at 19:29:46 -0500, Robert Watson wrote:
> > resolve to my address, and likewise reverse lookup?  Does opieaccess()
> > actually convert localhost to 127.0.0.1, or does it rely on the resolver
> 
> To prevent any tricks with the resolver, it is always better to pass the
> numeric IP address into PAM's RHOST when possible.

Will it ever not be possible to pass a numeric IP address?

> An alternative way is to always check the back-map for names in
> set_item(RHOST ...) in PAM.

I guess I had in mind something more like

set_item(LOCALLOGIN ...)

which would be set for a local login.  That way the notion of local isn't
keyed to a special value in the namespace.  Adding special values to
namespaces has caused frequent security problems in the past.  Witness the
IPFW 'established' vulnerability a little while back: a special value was
used that didn't appear in common practice, but the result was that when
it was used, it violated the requirements of the system, allowing attackers
to penetrate the firewall.  Likewise, when that use suddenly did become
common practice, the firewall didn't even appear to work :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
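An added example, not code from this thread or from FreeBSD's PAM sources: a C helper that classifies a PAM_RHOST value so that only a numeric loopback address (or no RHOST at all, assumed here to mean a local login) counts as local, while a name such as "localhost" is treated as ordinary resolver output rather than as a special value. The names classify_rhost and rhost_is_local are my own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* What an application stored in PAM_RHOST, as seen by a module. */
enum rhost_kind {
    RHOST_UNSET,            /* NULL or empty: no remote host recorded */
    RHOST_NUMERIC_LOOPBACK, /* 127.0.0.0/8, ::1 or ::ffff:127.x.x.x */
    RHOST_NUMERIC_REMOTE,   /* any other numeric IPv4/IPv6 address */
    RHOST_NAME              /* a hostname, including the string "localhost" */
};

enum rhost_kind classify_rhost(const char *rhost)
{
    struct in_addr a4;
    struct in6_addr a6;

    if (rhost == NULL || *rhost == '\0')
        return RHOST_UNSET;

    if (inet_pton(AF_INET, rhost, &a4) == 1) {
        /* s_addr is in network byte order, so byte 0 is the first octet */
        const unsigned char *o = (const unsigned char *)&a4.s_addr;
        return (o[0] == 127) ? RHOST_NUMERIC_LOOPBACK : RHOST_NUMERIC_REMOTE;
    }
    if (inet_pton(AF_INET6, rhost, &a6) == 1) {
        if (IN6_IS_ADDR_LOOPBACK(&a6))
            return RHOST_NUMERIC_LOOPBACK;
        /* IPv4-mapped form of a 127/8 address is loopback traffic as well */
        if (IN6_IS_ADDR_V4MAPPED(&a6) && a6.s6_addr[12] == 127)
            return RHOST_NUMERIC_LOOPBACK;
        return RHOST_NUMERIC_REMOTE;
    }
    /* Not numeric: a name supplied by the caller or produced by the
       resolver. "localhost" here is just a string, not proof of locality. */
    return RHOST_NAME;
}

/* Local-login decision that never keys on a special name in the namespace.
   Assumption (not from the thread): an unset RHOST means a local login. */
int rhost_is_local(const char *rhost)
{
    enum rhost_kind k = classify_rhost(rhost);
    return k == RHOST_UNSET || k == RHOST_NUMERIC_LOOPBACK;
}

int main(void)
{
    /* constructed sample RHOST values */
    const char *samples[] = { "127.0.0.1", "::1", "localhost", "10.0.0.5" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s local=%d\n", samples[i], rhost_is_local(samples[i]));
    return 0;
}
```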


