Date:      Wed, 11 Nov 1998 06:30:01 -0800 (PST)
From:      Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        freebsd-bugs@FreeBSD.ORG
Subject:   Re: bin/8646: Implement rlogind -a option 
Message-ID:  <199811111430.GAA17587@freefall.freebsd.org>

The following reply was made to PR bin/8646; it has been noted by GNATS.

From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To: Peter Wemm <peter@netplex.com.au>
Cc: cschuber@uumail.gov.bc.ca, FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/8646: Implement rlogind -a option 
Date: Wed, 11 Nov 1998 06:24:11 -0800

 In message <199811110504.NAA08334@spinner.netplex.com.au>, Peter Wemm 
 writes:
 > Cy Schubert wrote:
 > 
 > > >Synopsis:       Implement rlogind -a option
 > 
 > > >Description:
 > > 
 > > 	Implement rshd's -a option in rlogind.  Hopefully this will
 > > 	provide a little better security.
 > 
 > I'm not sure that this is the right thing..  What is it to protect? 
 > Hostname spoofing for .rhosts?  If so, that is already taken care of 
 > within the ruserok() and iruserok() code in libc which deals with .rhosts.
 > 
 > All that I can see that it does is verify the hostname for utmp purposes.. 
 > What it should do in this case is log the IP address instead of the 
 > hostname if there is a mismatch, and let ruserok() decide what to do.  
 > 
 > There is no need to refuse a connection from an incorrectly configured 
 > client if that client has its IP address (not hostname) explicitly listed 
 > in the .rhosts file.
 > 
 > Refusing service solely because of DNS problems is bad.  Refusing to 
 > *trust* DNS if there is a problem is much better.  The logging should 
 > switch to IP addresses if there is any doubt about the DNS integrity.
 > 
 > Cheers,
 > -Peter
 > 
 
 I looked through the ruserok() and iruserok() code.  You are indeed 
 correct.  I stand corrected.  I suppose that the -a option in rshd 
 should also be deprecated.  Wietse Venema's comments about BSD-style 
 "paranoid" checks in BUGTRAQ are false.
 
 
 Regards,                       Phone:  (250)387-8437
 Cy Schubert                      Fax:  (250)387-5766
 Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
 ITSD                                   Cy.Schubert@gems8.gov.bc.ca
 Government of BC            
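
As an added illustration of the behaviour Peter describes (not code from this thread, from rlogind or from libc's ruserok(); the DNS records are constructed and the function names are hypothetical): a forward-confirmed reverse lookup that falls back to the IP address for logging when the two disagree, and a .rhosts match that still admits a peer whose IP is listed explicitly while never trusting an unconfirmed hostname.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for DNS (no real lookups): reverse and forward records.
 * 192.0.2.20 claims "spoof.example.net", but that name forward-resolves elsewhere. */
struct rev_rec { const char *ip; const char *name; };
struct fwd_rec { const char *name; const char *ip; };
static const struct rev_rec REV[] = {
    { "192.0.2.10", "client.example.net" },
    { "192.0.2.20", "spoof.example.net" },
};
static const struct fwd_rec FWD[] = {
    { "client.example.net", "192.0.2.10" },
    { "spoof.example.net",  "198.51.100.5" },
};

static const char *reverse_lookup(const char *ip) {
    for (size_t i = 0; i < sizeof REV / sizeof REV[0]; i++)
        if (strcmp(REV[i].ip, ip) == 0) return REV[i].name;
    return NULL;
}

static int forward_has_ip(const char *name, const char *ip) {
    for (size_t i = 0; i < sizeof FWD / sizeof FWD[0]; i++)
        if (strcmp(FWD[i].name, name) == 0 && strcmp(FWD[i].ip, ip) == 0) return 1;
    return 0;
}

/* 1 when the reverse name for ip is confirmed by a forward lookup of that name. */
int dns_consistent(const char *ip) {
    const char *name = reverse_lookup(ip);
    return name != NULL && forward_has_ip(name, ip);
}

/* Identity to record (utmp) and to match against .rhosts: the hostname only when
 * DNS is consistent, otherwise the bare IP. Static storage, like inet_ntoa(). */
const char *peer_identity(const char *ip) {
    static char buf[256];
    snprintf(buf, sizeof buf, "%s", dns_consistent(ip) ? reverse_lookup(ip) : ip);
    return buf;
}

/* A .rhosts entry admits the peer if it names the confirmed identity or the raw
 * IP; an unconfirmed hostname never matches, but the connection is not refused. */
int rhosts_allows(const char *entry, const char *ip) {
    return strcmp(entry, ip) == 0 || strcmp(entry, peer_identity(ip)) == 0;
}

int main(void) {
    printf("%s\n", peer_identity("192.0.2.20")); /* prints the IP: DNS not trusted */
    return 0;
}
```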
 
 
 



