From owner-freebsd-bugs Mon Dec 28 22:50:11 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA28645 for freebsd-bugs-outgoing; Mon, 28 Dec 1998 22:50:11 -0800 (PST) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA28638 for ; Mon, 28 Dec 1998 22:50:09 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id WAA18039; Mon, 28 Dec 1998 22:50:00 -0800 (PST)
Date: Mon, 28 Dec 1998 22:50:00 -0800 (PST)
Message-Id: <199812290650.WAA18039@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.ORG
From: David Greenman
Subject: Re: bin/9226: telnetd can log wrong IP address to utmp
Reply-To: David Greenman
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR bin/9226; it has been noted by GNATS.

From: David Greenman
To: Peter Wemm
Cc: "Jasper O'Malley" , FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: bin/9226: telnetd can log wrong IP address to utmp
Date: Mon, 28 Dec 1998 22:46:58 -0800

>"Jasper O'Malley" wrote:
>[..]
>> This will prevent telnetd from passing hostnames longer than UT_HOSTSIZE
>> on as arguments to "login -h", which is what gets the hostname relooked
>> up by login(1) in the first place. It doesn't appear this change will
>> break anything else, but I can't swear to it.
>>
>> Better solutions would be to:
>>
>> a) Make UT_HOSTSIZE bigger, which would break 4.4BSD utmp compatibility,
>> which isn't why it hasn't been done yet.
>>
>> b) Rewrite/patch login(1), xterm(1), sshd(8) et al. to stop logging
>> hostnames in utmp altogether (how many people have hostnames less than
>> 16 characters long these days?). Make other applications do the
>> reverse lookups later, a la w(1) and netstat(1).
>
>Without having looked at the code, I suspect telnetd suffers the same
>problem as rlogind/rshd used to (until I fixed them a week or so ago).
>Even with your patch, telnetd will log a forged hostname if it's shorter
>than 16 chars.
>
>What would be better would be to reverse lookup the name and check for
>validity before passing it on or using it in any logs anywhere. Yes, this
>is a pest if a machine has just exploded its named, but I'd rather have
>hostnames/ip addresses in the logs that I can trust.
>
>Re: utmp/wtmp format.. We've already changed the username length from 8
>to 16 chars, which is different to 2.x. We could change the hostname to
>32 and would then be compatible with BSD/OS's utmp format.
>
>However, while there, we should do a couple of other things... in
>particular, add a ut_pid field (which is damn useful!!) and possibly a
>couple of other things to ease porting problems (perhaps even a getutent()
>-like emulation).

I feel pretty strongly that both the IP address and hostname should be
logged. It's easy for the bad guy to do some temporary munging of DNS, do
the nasty stuff, and then undo the DNS stuff to make it difficult to
impossible to know where the attacker came from. IP addresses nail this
down much better.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
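Added example, not part of the message above and not FreeBSD's telnetd or rlogind code: the forward-confirmed reverse lookup Peter Wemm describes (trust the PTR name only if one of its own A records maps back to the connecting address), followed by the ut_host decision Jasper O'Malley's patch makes (fall back to the numeric address when the name would not fit UT_HOSTSIZE, so nothing over-long is handed to "login -h" to be re-resolved), and a log line that records both the address and the name, as David Greenman argues for. The function names are hypothetical, UT_HOSTSIZE is taken as 16 per the thread, and the resolver answers are supplied as constructed arguments so the code runs offline; a real daemon would obtain them with gethostbyaddr() and gethostbyname().

```c
/*
 * Added example (not FreeBSD's telnetd/rlogind code): forward-confirmed
 * reverse lookup before a client name is trusted, a utmp host-field
 * decision that never passes an unverified or over-long name along, and
 * a log record carrying both the address and the name.
 * Resolver answers are handed in as arguments (constructed sample data in
 * main) so the logic runs offline; a real daemon would get them from
 * gethostbyaddr() and gethostbyname().
 */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define UT_HOSTSIZE 16   /* 4.4BSD ut_host width, the limit discussed in the PR */

enum host_status { HOST_VERIFIED, HOST_NO_PTR, HOST_FORGED };

/*
 * PTR-then-A check. The name returned by the peer's reverse zone is only
 * trusted if one of that name's A records equals the connecting address.
 * A short forged PTR such as "trusted.corp" is therefore rejected even
 * though it would fit in UT_HOSTSIZE.
 */
enum host_status verify_hostname(const char *client_ip, const char *ptr_name,
                                 const char *const *fwd_addrs, size_t nfwd)
{
    struct in_addr client, cand;

    if (ptr_name == NULL || *ptr_name == '\0')
        return HOST_NO_PTR;
    if (inet_pton(AF_INET, client_ip, &client) != 1)
        return HOST_FORGED;            /* unparsable peer address: trust nothing */
    for (size_t i = 0; i < nfwd; i++)
        if (inet_pton(AF_INET, fwd_addrs[i], &cand) == 1 &&
            cand.s_addr == client.s_addr)
            return HOST_VERIFIED;
    return HOST_FORGED;
}

/*
 * What goes into ut_host: the verified name if it fits the fixed-width
 * field, otherwise the dotted quad, which always fits (at most 15 chars).
 * out must hold UT_HOSTSIZE + 1 bytes and is returned for convenience.
 */
char *choose_ut_host(enum host_status st, const char *ptr_name,
                     const char *client_ip, char *out)
{
    const char *src = client_ip;

    if (st == HOST_VERIFIED && strlen(ptr_name) < UT_HOSTSIZE)
        src = ptr_name;
    memset(out, 0, UT_HOSTSIZE + 1);
    strncpy(out, src, UT_HOSTSIZE);    /* src is shorter than UT_HOSTSIZE here */
    return out;
}

/*
 * Log record with both pieces of evidence: the address survives later DNS
 * changes, and the name is annotated with how far it was trusted.
 * out (size n) is returned.
 */
char *format_login_record(char *out, size_t n, const char *user,
                          const char *client_ip, const char *ptr_name,
                          enum host_status st)
{
    const char *tag = st == HOST_VERIFIED ? "verified" :
                      st == HOST_NO_PTR   ? "no PTR"   : "PTR NOT CONFIRMED";

    snprintf(out, n, "login %s from %s (%s, %s)", user, client_ip,
             (ptr_name && *ptr_name) ? ptr_name : "-", tag);
    return out;
}

int main(void)
{
    /* constructed sample: the peer's reverse zone claims a trusted name,
       but that name's only A record points somewhere else */
    const char *const a_records[] = { "198.51.100.5" };
    enum host_status st = verify_hostname("192.0.2.10", "trusted.corp",
                                          a_records, 1);
    char host[UT_HOSTSIZE + 1], line[128];

    printf("ut_host=%s\n", choose_ut_host(st, "trusted.corp", "192.0.2.10", host));
    printf("%s\n", format_login_record(line, sizeof line, "root",
                                       "192.0.2.10", "trusted.corp", st));
    return 0;
}
```

Running it shows the forged-short-name case from the thread: ut_host ends up as 192.0.2.10 rather than trusted.corp, and the log line keeps both the address and the unconfirmed name so the attacker's later DNS cleanup does not erase where the connection came from.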