Date:      Mon, 28 Dec 1998 22:46:58 -0800
From:      David Greenman <dg@root.com>
To:        Peter Wemm <peter@netplex.com.au>
Cc:        "Jasper O'Malley" <jooji@neptune.oceancomputer.com>, FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject:   Re: bin/9226: telnetd can log wrong IP address to utmp 
Message-ID:  <199812290646.WAA20345@implode.root.com>
In-Reply-To: Your message of "Tue, 29 Dec 1998 14:02:05 +0800." <199812290602.OAA71312@spinner.netplex.com.au>

>"Jasper O'Malley" wrote:
>[..]
>> This will prevent telnetd from passing hostnames longer than UT_HOSTSIZE
>> on as arguments to "login -h", which is what gets the hostname relooked
>> up by login(1) in the first place. It doesn't appear this change will
>> break anything else, but I can't swear to it.
>> 
>> Better solutions would be to:
>> 
>>  a) Make UT_HOSTSIZE bigger, which would break 4.4BSD utmp compatibility,
>>     which isn't why it hasn't been done yet.
>> 
>>  b) Rewrite/patch login(1), xterm(1), sshd(8) et al. to stop logging
>>     hostnames in utmp altogether (how many people have hostnames less than 
>>     16 characters long these days?). Make other applications do the
>>     reverse lookups later, a la w(1) and netstat(1).
>
>Without having looked at the code, I suspect telnetd suffers the same
>problem as rlogind/rshd used to (until I fixed them a week or so ago).
>Even with your patch, telnetd will log a forged hostname if it's shorter
>than 16 chars.
>
>What would be better would be to reverse lookup the name and check for 
>validity before passing it on or using it in any logs anywhere.  Yes, this 
>is a pest if a machine has just exploded its named, but I'd rather have 
>hostnames/ip addresses in the logs that I can trust.
>
>Re: utmp/wtmp format..  We've already changed the username length from 8 
>to 16 chars, which is different to 2.x.  We could change the hostname to 
>32 and would then be compatible with BSD/OS's utmp format.
>
>However, while there, we should do a couple of other things... in
>particular, add a ut_pid field (which is damn useful!!) and possibly a
>couple of other things to ease porting problems (perhaps even a getutent()
>-like emulation).

   I feel pretty strongly that both the IP address and hostname should be
logged. It's easy for the bad guy to do some temporary munging of DNS, do
the nasty stuff, and then undo the DNS stuff to make it difficult to
impossible to know where the attacker came from. IP addresses nail this
down much better.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project
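The thread argues for two defensive rules: only trust a reverse-looked-up hostname if a forward lookup of that name returns the original address (so a forged PTR record cannot plant an arbitrary string in utmp), and always record the IP address itself so that temporary DNS tampering cannot erase the origin. The following is an added Python illustration of that policy, not FreeBSD's telnetd or login(1) code; the PTR and A records are constructed in-memory data standing in for a resolver, and the `UT_HOSTSIZE` value of 16 is the 4.4BSD field size mentioned in the thread.

```python
import ipaddress

# 4.4BSD utmp ut_host field width, including the terminating NUL.
UT_HOSTSIZE = 16

# Constructed DNS data (assumption for offline demonstration, not real records).
PTR_RECORDS = {
    "192.0.2.10": "sh.example.net",        # legitimate: forward record agrees
    "192.0.2.11": "trusted.example.net",   # forged PTR: forward record points elsewhere
    "192.0.2.12": "very-long-host.subdomain.example.org",  # genuine, but too long for ut_host
}
A_RECORDS = {
    "sh.example.net": {"192.0.2.10"},
    "trusted.example.net": {"203.0.113.5"},
    "very-long-host.subdomain.example.org": {"192.0.2.12"},
}


def reverse_lookup(ip):
    """Stand-in for gethostbyaddr(): PTR name for an address, or None."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name):
    """Stand-in for gethostbyname(): set of addresses a name resolves to."""
    return A_RECORDS.get(name, set())


def confirmed_hostname(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Return the PTR name only when a forward lookup of it yields the same IP.

    This is the 'reverse lookup the name and check for validity' step from
    the thread: a PTR record the attacker controls is useless unless the
    forward zone for that name also points back at the attacker's address.
    """
    ipaddress.ip_address(ip)  # raise on anything that is not an address literal
    name = reverse(ip)
    if name is None:
        return None
    if ip not in forward(name):
        return None  # mismatch: treat the PTR as forged or stale
    return name


def utmp_host(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Value for ut_host: the confirmed hostname if it fits, otherwise the IP.

    Falling back to the address literal avoids truncating a long but valid
    name into something that collides with a shorter, unrelated host. An
    IPv4 dotted quad is at most 15 characters, so it always fits in 16 bytes
    with the NUL; an IPv6 literal would not, which is why later utmpx
    formats widened this field.
    """
    name = confirmed_hostname(ip, reverse, forward)
    if name is not None and len(name) < UT_HOSTSIZE:
        return name
    return ip


def audit_line(user, ip, reverse=reverse_lookup, forward=forward_lookup):
    """Log record that always carries the IP, plus the hostname only if trusted."""
    name = confirmed_hostname(ip, reverse, forward)
    return "login user=%s from=%s host=%s" % (user, ip, name if name else "?")


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.7"):
        print("ut_host=%-16r %s" % (utmp_host(addr), audit_line("alice", addr)))
```

The forged-PTR case (192.0.2.11) ends up in utmp and the audit log as the bare address, the legitimate short name passes through, and the legitimate long name is replaced by its address rather than being cut at 15 characters. Note that a confirmed hostname is still only as trustworthy as the DNS path you resolved it over; the address recorded alongside it is what survives if the zone is changed afterwards.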
