From owner-freebsd-current Fri Jan 3 13:29:53 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA15530 for current-outgoing; Fri, 3 Jan 1997 13:29:53 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id NAA15523; Fri, 3 Jan 1997 13:29:48 -0800 (PST)
Received: from schizo.dk.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0vgH8c-0003y7C; Fri, 3 Jan 97 13:26 PST
Received: from critter.dk.tfs.com (critter-home [193.162.32.19]) by schizo.dk.tfs.com (8.8.2/8.7.3) with ESMTP id WAA04142; Fri, 3 Jan 1997 22:24:45 +0100 (MET)
Received: from critter.dk.tfs.com (localhost [127.0.0.1]) by critter.dk.tfs.com (8.8.2/8.8.2) with ESMTP id VAA18571; Fri, 3 Jan 1997 21:06:39 +0100 (MET)
To: Paul Traina
cc: jkh@freebsd.org, current@freebsd.org
Subject: Re: utmp changes
In-reply-to: Your message of "Fri, 03 Jan 1997 11:16:25 PST." <199701031916.LAA15717@precipice.shockwave.com>
Date: Fri, 03 Jan 1997 21:06:39 +0100
Message-ID: <18569.852321999@critter.dk.tfs.com>
From: Poul-Henning Kamp
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199701031916.LAA15717@precipice.shockwave.com>, Paul Traina writes:
>To start the ball rolling, let me just suggest the following. I know it's
>not pretty, and I'm not so sure that the remote ssh key belongs in utmp,

Actually it should probably be a more generic "authentication" field that
documents how this session got authenticated, i.e., kerberos and /bin/login
would also have things to put here.

>but this is what I conceive as changing. The big thing is I'd like to fix
>the size of the utmp structure once and for all, and define the reserved
>area as must-be-zero so we don't get in the mess we just got in ever again.

:-

>#define UT_HADDRSIZE 16 /* remote host address */

If this is binary shouldn't we make it contain the entire result from
the getpeername() ? I.e. port and proto as well ?

How big is an IPv6 sock_addr anyway ?

>#define UT_KEYSIZE 16 /* for ssh key? hmmm... I'm not so sure

Make it:

#define UT_AUTHSIZE 64

And make it contain "\040\040" for instance:

"telnet passwd phk"
"ftp skey phk"
"ssh rsa phk@critter.tfs.com"
"ssh passwd phk"
"rsh rhosts critter.dk.tfs.com phk"
"rlogin equiv spatter.freebsd.org phk"
"telnet kerbIV mumble mumble mumble"

It is of course a double-edged sword to store this info, but in the case
where a user account has been compromised, it provides valuable information
about what got compromised. In the case of a compromised root all bets are
off of course.

--
Poul-Henning Kamp             | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk   | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                  | phk@tfs.com           TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.
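The fixed-size, space-separated authentication field proposed in the mail, as an added example that is not code from the thread or from FreeBSD: a hypothetical record with a 64-byte UT_AUTHSIZE field and a must-be-zero reserved area (the struct name, the UT_RESERVED size and both functions are assumptions), a writer that refuses to store a truncated entry, and a reader that rejects records whose reserved bytes are not zero.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define UT_AUTHSIZE 64            /* size proposed in the mail */
#define UT_RESERVED 32            /* hypothetical reserved, must-be-zero area */

/* Hypothetical record: only the two fields this example needs. */
struct ut_auth_rec {
    char    ut_auth[UT_AUTHSIZE]; /* e.g. "telnet passwd phk", NUL padded */
    uint8_t ut_reserved[UT_RESERVED];
};

/*
 * Fill ut_auth with "<service> <method> <principal>" separated by
 * spaces (the "\040" separators in the mail).  Returns 0 on success,
 * -1 if the tokens would not fit; nothing is written on failure, so a
 * silently truncated (and therefore misleading) entry never lands in
 * the record.
 */
int
ut_auth_set(struct ut_auth_rec *r, const char *service,
            const char *method, const char *principal)
{
    int n = snprintf(NULL, 0, "%s %s %s", service, method, principal);

    if (n < 0 || (size_t)n >= UT_AUTHSIZE)
        return -1;
    memset(r->ut_auth, 0, UT_AUTHSIZE);
    snprintf(r->ut_auth, UT_AUTHSIZE, "%s %s %s", service, method, principal);
    return 0;
}

/*
 * Validate a record read back from the file: the reserved area must be
 * all zero and ut_auth must be NUL terminated.  A record failing either
 * check was written by something that does not follow the layout and
 * should not be trusted when reconstructing what a session did.
 */
int
ut_auth_valid(const struct ut_auth_rec *r)
{
    size_t i;

    for (i = 0; i < UT_RESERVED; i++)
        if (r->ut_reserved[i] != 0)
            return 0;
    return memchr(r->ut_auth, '\0', UT_AUTHSIZE) != NULL;
}
```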