Date:      Fri, 03 Jan 1997 21:06:39 +0100
From:      Poul-Henning Kamp <phk@critter.dk.tfs.com>
To:        Paul Traina <pst@shockwave.com>
Cc:        jkh@freebsd.org, current@freebsd.org
Subject:   Re: utmp changes 
Message-ID:  <18569.852321999@critter.dk.tfs.com>
In-Reply-To: Your message of "Fri, 03 Jan 1997 11:16:25 PST." <199701031916.LAA15717@precipice.shockwave.com> 

In message <199701031916.LAA15717@precipice.shockwave.com>, Paul Traina writes:
>To start the ball rolling, let me just suggest the following.  I know it's
>not pretty, and I'm not so sure that the remote ssh key belongs in utmp,

Actually it should probably be a more generic "authentication" field that
documents how this session got authenticated, ie, kerberos and /bin/login
would also have things to put here.

>but this is what I conceive as changing.  The big thing is I'd like to fix
>the size of the utmp structure once and for all, and define the reserved
>area as must-be-zero so we don't get in the mess we just got in ever again. :-

>#define	UT_HADDRSIZE	16	/* remote host address */

If this is binary shouldn't we make it contain the entire result
from the getpeername() ?  Ie port and proto as well ?
How big is a IPv6 sock_addr anyway ?

>#define	UT_KEYSIZE	16	/* for ssh key? hmmm... I'm not so sure

Make it:
	#define		UT_AUTHSIZE	64

And make it contain "<proto>\040<method>\040<information>"

for instance:

	"telnet passwd phk"
	"ftp skey phk"
	"ssh rsa phk@critter.tfs.com"
	"ssh passwd phk"
	"rsh rhosts critter.dk.tfs.com phk"
	"rlogin equiv spatter.freebsd.org phk"
	"telnet kerbIV mumble mumble mumble"

It is of course a double edged sword to store this info, but in the
case where a user account has been compromised, it provides valuable
information about what got compromised.  In the case of a compromised
root all bets are off of course.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@tfs.com           TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.
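The fixed-size authentication field proposed in the message above, worked through as an added C example that is not code from this thread or from FreeBSD's utmp. It assumes a hypothetical `struct ut_auth_rec` holding only the 64-byte `ut_auth` field: `ut_auth_set()` packs `"<proto> <method> <information>"` into it, refusing (rather than silently truncating) anything that does not fit and zero-filling the remainder in the spirit of the must-be-zero reserved area; `ut_auth_get()` parses a record back out without assuming it is NUL-terminated; and `ut_sockaddr_size()` answers the "how big is an IPv6 sockaddr" question from the system headers. The sample strings are the ones quoted in the message.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define UT_AUTHSIZE 64          /* size proposed in the message */

/* Hypothetical record: only the field under discussion, not real utmp. */
struct ut_auth_rec {
    char ut_auth[UT_AUTHSIZE];  /* "<proto> <method> <information>", NUL-padded */
};

/* A component may not be empty or contain control characters (they would
 * corrupt a line-oriented dump of the log); proto and method may not
 * contain the space separator either, or a parser would split wrongly. */
static int ut_component_ok(const char *s, int allow_space)
{
    if (*s == '\0')
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f)
            return 0;
        if (c == ' ' && !allow_space)
            return 0;
    }
    return 1;
}

/* Fill the field. Returns 0 on success, -1 if a component is malformed or
 * the string would not fit: a truncated audit record misleads whoever
 * investigates a compromised account later, so refuse instead. */
int ut_auth_set(struct ut_auth_rec *rec, const char *proto,
                const char *method, const char *info)
{
    char buf[UT_AUTHSIZE * 4];
    int n;

    if (!ut_component_ok(proto, 0) || !ut_component_ok(method, 0) ||
        !ut_component_ok(info, 1))
        return -1;
    n = snprintf(buf, sizeof buf, "%s %s %s", proto, method, info);
    if (n < 0 || n >= UT_AUTHSIZE)      /* leave room for the terminating NUL */
        return -1;
    memset(rec->ut_auth, 0, UT_AUTHSIZE);   /* unused bytes are always zero */
    memcpy(rec->ut_auth, buf, (size_t)n);
    return 0;
}

/* Split a record back into its three parts. The third part keeps any
 * further spaces ("rhosts critter.dk.tfs.com phk" style). Never trusts the
 * on-disk field to be NUL-terminated. Returns 0 on success, -1 otherwise. */
int ut_auth_get(const struct ut_auth_rec *rec, char *proto, size_t plen,
                char *method, size_t mlen, char *info, size_t ilen)
{
    char tmp[UT_AUTHSIZE + 1];
    char *p, *m, *i;

    memcpy(tmp, rec->ut_auth, UT_AUTHSIZE);
    tmp[UT_AUTHSIZE] = '\0';
    p = tmp;
    if ((m = strchr(p, ' ')) == NULL)
        return -1;
    *m++ = '\0';
    if ((i = strchr(m, ' ')) == NULL)
        return -1;
    *i++ = '\0';
    if (strlen(p) >= plen || strlen(m) >= mlen || strlen(i) >= ilen)
        return -1;
    strcpy(proto, p);
    strcpy(method, m);
    strcpy(info, i);
    return 0;
}

/* Size of the address a getpeername() result occupies for a given family
 * (0 for families not handled here); sockaddr_storage fits any of them. */
size_t ut_sockaddr_size(int family)
{
    switch (family) {
    case AF_INET:  return sizeof(struct sockaddr_in);
    case AF_INET6: return sizeof(struct sockaddr_in6);
    default:       return 0;
    }
}

int main(void)
{
    static const char *samples[][3] = {
        { "ssh", "rsa", "phk@critter.tfs.com" },
        { "rsh", "rhosts", "critter.dk.tfs.com phk" },
    };
    struct ut_auth_rec rec;
    char proto[16], method[16], info[UT_AUTHSIZE];
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        if (ut_auth_set(&rec, samples[k][0], samples[k][1], samples[k][2]) == 0 &&
            ut_auth_get(&rec, proto, sizeof proto, method, sizeof method,
                        info, sizeof info) == 0)
            printf("proto=%s method=%s info=%s\n", proto, method, info);
    }
    printf("sockaddr_in=%zu sockaddr_in6=%zu sockaddr_storage=%zu\n",
           ut_sockaddr_size(AF_INET), ut_sockaddr_size(AF_INET6),
           sizeof(struct sockaddr_storage));
    return 0;
}
```

Refusing over-long strings rather than truncating them is the deliberate choice here: for a field whose whole purpose is post-incident reconstruction, a record that is missing is easier to notice than one that is quietly wrong.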



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?18569.852321999>