From owner-freebsd-security  Sun Jul  5 14:12:22 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id OAA08552
          for freebsd-security-outgoing; Sun, 5 Jul 1998 14:12:22 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (nsmart@ts01-44.waterford.indigo.ie [194.125.139.107])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA08540
          for <security@FreeBSD.ORG>; Sun, 5 Jul 1998 14:12:07 -0700 (PDT)
          (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost)
	by indigo.ie (8.8.8/8.8.7) id WAA04694;
	Sun, 5 Jul 1998 22:06:52 +0100 (IST)
	(envelope-from rotel@indigo.ie)
From: Niall Smart <rotel@indigo.ie>
Message-Id: <199807052106.WAA04694@indigo.ie>
Date: Sun, 5 Jul 1998 22:06:51 +0000
In-Reply-To: andrew@squiz.co.nz (Andrew McNaughton)
       "Re: bsd securelevel patch question" (Jul  3,  4:26am)
Reply-To: rotel@indigo.ie
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: andrew@squiz.co.nz (Andrew McNaughton), security@FreeBSD.ORG
Subject: Re: bsd securelevel patch question
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jul 3,  4:26am, Andrew McNaughton wrote:
} Subject: Re: bsd securelevel patch question
> >Eh?  If ssh/smtp/inetd bind to the port you won't be able to, no
> >matter how often you try.
> 
> Unless the server is restarted for some reason.  hence the rapid cron job
> which will eventually succeed if not detected first.

Well, this should be detected, and is easily detectable.

> >And you won't be able to steal keys
> >by hijacking sshd.
> 
> If the trojan gets to tell the other end what public key to use, then of
> course it can get at the data stream.  This is equally true with
> routing/man-in-the-middle attacks.

Yes, you could get at the data stream, but thats an implication of
having a network service compromised, you can't get the keys though;
but you probably don't care at that stage.

> I don't know enough about TCP/IP details to know if this makes sense, but
> perhaps you could use these as more than just flags and allow programmers
> to bind to the socket by just opening the appropriate device file.  ie
> 
> #!/usr/local/bin/perl
> open (SMTP, "</dev/socket/tcp/25");

portalfs does something very similar to this AFAIK.

Niall

-- 
Niall Smart.        PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message