From owner-freebsd-security Fri Jul 3 02:03:42 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA15898 for freebsd-security-outgoing; Fri, 3 Jul 1998 02:03:42 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA15893 for ; Fri, 3 Jul 1998 02:03:40 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id FAA07815; Fri, 3 Jul 1998 05:01:45 -0400 (EDT)
From: "Allen Smith"
Message-Id: <9807030501.ZM7814@beatrice.rutgers.edu>
Date: Fri, 3 Jul 1998 05:01:44 -0400
In-Reply-To: andrew@squiz.co.nz (Andrew McNaughton) "Re: bsd securelevel patch question" (Jul 3, 4:26am)
References:
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: andrew@squiz.co.nz (Andrew McNaughton)
Cc: Allen Smith , dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com, phk@critter.freebsd.dk
Subject: Re: bsd securelevel patch question
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jul 3, 4:26am, Andrew McNaughton (possibly) wrote:
> >Eh? If ssh/smtp/inetd bind to the port you won't be able to, no
> >matter how often you try.
>
> Unless the server is restarted for some reason. Hence the rapid cron job
> which will eventually succeed if not detected first.

Quite; sorry I wasn't clearer, but I forgot that others might not realize that. Notice, for instance, that named comes with a script for such restarting - implying there's a frequent enough need for such that it's likely to come up. (It's also the case that currently sendmail and some other stuff gets started _after_ cron, but that can be taken care of via rearranging the /etc/rc.* files.)
Another example is squid, which can be run as an http accelerator; it comes with a RunAccel script that restarts squid whenever it crashes - and crashes could be induced by an attacker.

> >And you won't be able to steal keys
> >by hijacking sshd.
>
> If the trojan gets to tell the other end what public key to use,
> then of course it can get at the data stream. This is equally true
> with routing/man-in-the-middle attacks. Without access to
> master.passwd though it can't do a very good job of masquerading as
> an authentication agent. It will fail to emulate any authentication
> unless that can be done by accepting any connection regardless. I
> don't know enough about the authentication systems ssh uses to know
> which if any are vulnerable here.

All it has to do to act as an authentication agent for password sniffing purposes is use telnetd or login. One ssh mode is to essentially act as an encrypted telnet, with normal password authentication.

-Allen

--
Allen Smith easmith@beatrice.rutgers.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
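Added example, not part of the thread and not code from any of the daemons mentioned: a small Python script that plays out the port race the two posters are discussing on a loopback port. An unprivileged process cannot bind a port while the real daemon holds it (bind() fails with EADDRINUSE), but the moment the daemon exits - a crash, or a restart script cycling it - a retry loop wins the port, and the daemon's own restart then fails. The `classify_before_restart` helper is an assumed, hypothetical addition showing the check a restart wrapper (a cron job, a RunAccel-style loop) should make so that "port already taken while the daemon is gone" raises an alert instead of being retried silently. It assumes only the standard `socket` and `errno` modules and an ephemeral loopback port picked by the kernel.

```python
import errno
import socket


def try_listen(port, host="127.0.0.1"):
    """Bind and listen on host:port the way a plain daemon does.

    No SO_REUSEADDR/SO_REUSEPORT is set, so a second bind on a port that
    is already in LISTEN state fails with EADDRINUSE.
    Returns (socket, None) on success or (None, errno) on failure.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(5)
        return s, None
    except OSError as exc:
        s.close()
        return None, exc.errno


def simulate_restart_race():
    """Play out the race from the thread on a kernel-chosen loopback port.

    1. The daemon binds its port.
    2. The rogue process (the 'rapid cron job') tries the same port: refused.
    3. The daemon crashes (socket closed) before anything restarts it.
    4. The rogue process's next attempt wins the port.
    5. The restart script brings the daemon back: its bind is now refused.
    """
    outcome = {}
    daemon, err = try_listen(0)  # port 0: the kernel picks a free port
    if daemon is None:
        raise RuntimeError("could not bind a loopback port: errno %s" % err)
    port = daemon.getsockname()[1]
    outcome["port"] = port

    rogue, err = try_listen(port)
    outcome["rogue_blocked_while_daemon_up"] = (
        rogue is None and err == errno.EADDRINUSE
    )

    daemon.close()  # the crash (attacker-induced or otherwise)

    rogue, err = try_listen(port)
    outcome["rogue_holds_port_after_crash"] = rogue is not None

    daemon_again, err = try_listen(port)  # the restart script's attempt
    outcome["restart_refused"] = (
        daemon_again is None and err == errno.EADDRINUSE
    )

    for s in (rogue, daemon_again):
        if s is not None:
            s.close()
    return outcome


def classify_before_restart(port, daemon_still_running):
    """Hypothetical pre-restart check for a daemon restart wrapper.

    Probing with a bind() is itself a (tiny) race, but it is enough to
    turn a silent retry loop into a loud failure: if the daemon process
    is gone and the port is still taken, something else is listening.
    """
    probe, err = try_listen(port)
    if probe is not None:
        probe.close()
        return "free: safe to restart"
    if err != errno.EADDRINUSE:
        return "error: bind failed with errno %s" % err
    if daemon_still_running:
        return "busy: daemon still holds the port, do not restart"
    return "hijacked: daemon is gone but something else listens, alert"


if __name__ == "__main__":
    result = simulate_restart_race()
    for key in sorted(result):
        print("%-32s %s" % (key, result[key]))
```

Run as-is it needs no privileges, since the port is ephemeral; the same sequence against a privileged port only changes who is allowed to play the daemon, not who wins the race once the daemon is gone. The practical point for a restart script is the last helper: an EADDRINUSE after the daemon process has exited is not a transient condition to retry through.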