Message-Id: <199812290646.WAA20345@implode.root.com>
To: Peter Wemm
cc: "Jasper O'Malley", FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: bin/9226: telnetd can log wrong IP address to utmp
In-reply-to: Your message of "Tue, 29 Dec 1998 14:02:05 +0800." <199812290602.OAA71312@spinner.netplex.com.au>
From: David Greenman
Reply-To: dg@root.com
Date: Mon, 28 Dec 1998 22:46:58 -0800

>"Jasper O'Malley" wrote:
>[..]
>> This will prevent telnetd from passing hostnames longer than UT_HOSTSIZE
>> on as arguments to "login -h", which is what gets the hostname relooked
>> up by login(1) in the first place. It doesn't appear this change will
>> break anything else, but I can't swear to it.
>>
>> Better solutions would be to:
>>
>> a) Make UT_HOSTSIZE bigger, which would break 4.4BSD utmp compatibility,
>> which isn't why it hasn't been done yet.
>>
>> b) Rewrite/patch login(1), xterm(1), sshd(8) et al. to stop logging
>> hostnames in utmp altogether (how many people have hostnames less than
>> 16 characters long these days?). Make other applications do the
>> reverse lookups later, a la w(1) and netstat(1).
>
>Without having looked at the code, I suspect telnetd suffers the same
>problem as rlogind/rshd used to (until I fixed them a week or so ago).
>Even with your patch, telnetd will log a forged hostname if it's shorter
>than 16 chars.
>
>What would be better would be to reverse lookup the name and check for
>validity before passing it on or using it in any logs anywhere. Yes, this
>is a pest if a machine has just exploded its named, but I'd rather have
>hostnames/ip addresses in the logs that I can trust.
>
>Re: utmp/wtmp format.. We've already changed the username length from 8
>to 16 chars, which is different to 2.x. We could change the hostname to
>32 and would then be compatible with BSD/OS's utmp format.
>
>However, while there, we should do a couple of other things... in
>particular, add a ut_pid field (which is damn useful!!) and possibly a
>couple of other things to ease porting problems (perhaps even a getutent()
>-like emulation).

I feel pretty strongly that both the IP address and hostname should be
logged. It's easy for the bad guy to do some temporary munging of DNS, do
the nasty stuff, and then undo the DNS stuff to make it difficult to
impossible to know where the attacker came from. IP addresses nail this
down much better.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project
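[Editor's added example. The following C is not FreeBSD code and not from any participant in this thread; it illustrates the two points made above: Peter Wemm's "reverse lookup the name and check for validity before ... using it in any logs", i.e. accept a PTR result only if the name resolves forward to the same address, and David Greenman's "both the IP address and hostname should be logged". The resolver is replaced by constructed lookup tables (RFC 5737 documentation addresses, hypothetical names) so the block runs offline; a real telnetd/login would call gethostbyaddr()/gethostbyname() or getnameinfo()/getaddrinfo() where the two table scans are. UT_HOSTSIZE of 16 is the 4.4BSD utmp width discussed in the thread; the helper names are my own.]

```c
/*
 * Forward-confirmed reverse lookup for login-style logging (added example,
 * not FreeBSD code).  The DNS is stubbed with constructed tables so this
 * runs offline; replace reverse_lookup()/forward_confirms() with real
 * resolver calls in a daemon.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define UT_HOSTSIZE 16  /* 4.4BSD utmp ut_host width, as discussed in the thread */

enum host_status { HOST_CONFIRMED = 0, HOST_FORGED = 1, HOST_NO_PTR = 2 };

struct ptr_record { const char *ip; const char *name; };
struct a_record   { const char *name; const char *ip; };

/* Constructed resolver contents (hypothetical names, RFC 5737 addresses). */
static const struct ptr_record ptr_table[] = {
    { "192.0.2.10", "sh.example.net" },   /* genuine: A record agrees, fits ut_host  */
    { "192.0.2.20", "adm.example.net" },  /* forged PTR (< 16 chars): A record differs */
    { "192.0.2.30", "long-workstation-name.corp.example.net" }, /* genuine, too long */
};
static const struct a_record a_table[] = {
    { "sh.example.net",  "192.0.2.10" },
    { "adm.example.net", "192.0.2.99" },  /* attacker does not control this zone */
    { "long-workstation-name.corp.example.net", "192.0.2.30" },
};

/* PTR lookup stand-in: 1 and name filled on success, 0 when there is no PTR. */
static int reverse_lookup(const char *ip, char *name, size_t n)
{
    size_t i;
    for (i = 0; i < sizeof ptr_table / sizeof ptr_table[0]; i++)
        if (strcmp(ptr_table[i].ip, ip) == 0) {
            snprintf(name, n, "%s", ptr_table[i].name);
            return 1;
        }
    return 0;
}

/* A lookup stand-in: 1 if some address of name equals ip (names are case-insensitive). */
static int forward_confirms(const char *name, const char *ip)
{
    size_t i;
    for (i = 0; i < sizeof a_table / sizeof a_table[0]; i++)
        if (strcasecmp(a_table[i].name, name) == 0 && strcmp(a_table[i].ip, ip) == 0)
            return 1;
    return 0;
}

/*
 * Resolve ip to a name we are willing to log.  The PTR result is accepted
 * only if it resolves back to the same address; otherwise out receives the
 * IP literal, which the peer cannot influence through its own reverse zone.
 */
static enum host_status trusted_hostname(const char *ip, char *out, size_t n)
{
    char name[256];
    if (!reverse_lookup(ip, name, sizeof name)) {
        snprintf(out, n, "%s", ip);
        return HOST_NO_PTR;
    }
    if (!forward_confirms(name, ip)) {
        snprintf(out, n, "%s", ip);
        return HOST_FORGED;
    }
    snprintf(out, n, "%s", name);
    return HOST_CONFIRMED;
}

/*
 * Fill a UT_HOSTSIZE-byte ut_host field.  A confirmed name is used only if it
 * fits; otherwise the IPv4 literal (at most 15 chars + NUL, so it always fits)
 * goes in, so the field never holds a silently truncated or forged name.
 */
static enum host_status utmp_host_field(const char *ip, char field[UT_HOSTSIZE])
{
    char host[256];
    enum host_status st = trusted_hostname(ip, host, sizeof host);
    const char *chosen = (st == HOST_CONFIRMED && strlen(host) < UT_HOSTSIZE) ? host : ip;
    memset(field, 0, UT_HOSTSIZE);
    strncpy(field, chosen, UT_HOSTSIZE - 1);
    return st;
}

/* Syslog-style line carrying both the (confirmed) name and the IP literal. */
static enum host_status format_login_log(const char *user, const char *ip, char *buf, size_t n)
{
    char host[256];
    enum host_status st = trusted_hostname(ip, host, sizeof host);
    if (st == HOST_CONFIRMED)
        snprintf(buf, n, "login %s from %s [%s]", user, host, ip);
    else
        snprintf(buf, n, "login %s from [%s]%s", user, ip,
                 st == HOST_FORGED ? " (PTR not confirmed)" : " (no PTR)");
    return st;
}

int main(void)
{
    const char *ips[] = { "192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40" };
    char field[UT_HOSTSIZE], line[256];
    size_t i;
    for (i = 0; i < sizeof ips / sizeof ips[0]; i++) {
        utmp_host_field(ips[i], field);
        format_login_log("alice", ips[i], line, sizeof line);
        printf("ut_host=%-15s  %s\n", field, line);
    }
    return 0;
}
```

The forged case is the one Peter describes: the attacker's PTR name is short enough to pass a length check, but the forward lookup disagrees, so the IP literal is what reaches utmp and the log line. Note that this still trusts the forward zone; an attacker who controls both zones at the time of the login can still pass, which is why the IP literal is logged alongside the name rather than instead of it.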