From: Robert Watson <robert@fledge.watson.org>
Date: Fri, 11 May 2001 10:43:36 -0400 (EDT)
To: Daniel Hauer
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD 4.3 RELEASE and -STABLE allows telnet root logins?
In-Reply-To: <3AFB369D.5574182A@enter.net>

This is a known problem and we are working to resolve this ASAP.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Thu, 10 May 2001, Daniel Hauer wrote:

> Hello all,
>
> After installing 4.3 release on one machine and upgrading 2 other
> machines to -STABLE, I noticed there is a new mechanism used in telnetd,
> namely this "SRA" authentication mechanism. While convenient (you
> don't have to type your username), I found something VERY disturbing: If
> you are at a root prompt on any other BSD based machine, you can just
> telnet to the 4.3 machines, and login right in with the root username
> and password! This only apparently occurs from a BSD based machine, as
> myself and a co-worker tried it from 2 different distribution Linux
> boxes, and we could not login as root. None of the switches for telnetd
> in the inetd.conf worked to our satisfaction, and after reading the
> sources, we recompiled telnetd with AUTHENTICATION=NO to disable this
> behavior.
>
> What is this "SRA authentication"? And why is telnetd's default
> behavior to allow root logins at all? I realize that any self-respecting
> sysadmin will either use ipfirewall, ipfilter, or good old inetd's
> hosts.allow file to limit telnet logins anyway, but the question still
> remains.... Why? Wouldn't this SRA with a "no root" login be a better
> idea?
>
> --
> Regards,
> Daniel Hauer
> Network Administration
> http://www.enter.net "The Road To The Internet Starts There!"
> ***************************************************************************
> Windoze is for GAMES, UNIX is for the rest of us.
> UNIX is like the sights on a loaded gun. If you aim the gun
> at your foot and pull the trigger, it is the basic function of
> UNIX to accurately deliver the bullet from the gun to the
> target. In this case, it's your foot.
> ***************************************************************************
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
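An added audit script for the question raised in the thread above. It is not from the list post and not FreeBSD's own code; it assumes only the documented inetd.conf(5) and ttys(5) line formats and checks the two standard controls an administrator would review while telnetd stays enabled: whether the telnet service line in inetd.conf is active, and which network pseudo-ttys in ttys(5) carry the "secure" flag that login(1) requires before it accepts a root login. Whether the SRA path in 4.3 honoured that flag is not something the thread settles; the script only reports what the configuration permits. The sample inetd.conf and ttys files are constructed.

```shell
#!/bin/sh
# Added audit helper, not part of the original list post.
# Assumes only the inetd.conf(5) and ttys(5) line formats; samples are constructed.

# telnet_enabled FILE: exit 0 if FILE has an active (uncommented) telnet line.
telnet_enabled() {
    sed 's/#.*//' "$1" | awk '$1 == "telnet" { found = 1 } END { exit !found }'
}

# root_login_ptys FILE: print network pseudo-ttys marked "secure" in ttys(5).
# login(1) refuses root on any tty without that flag, so these are the
# entries to review if telnet must remain on.
root_login_ptys() {
    sed 's/#.*//' "$1" | awk '
        $3 == "network" { for (i = 4; i <= NF; i++) if ($i == "secure") print $1 }'
}

# write_samples DIR: write constructed inetd.conf and ttys samples into DIR.
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample: telnet enabled, rshd commented out
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
EOF
    cat > "$1/ttys" <<'EOF'
# constructed sample: console and ttyv0 secure, ttyp1 wrongly marked secure
console none                    unknown off secure
ttyv0   "/usr/libexec/getty Pc" cons25  on  secure
ttyp0   none                    network
ttyp1   none                    network secure
ttyp2   none                    network off
EOF
}

# audit DIR: report findings; exit 1 when telnet is on and a pty permits root.
audit() {
    rc=0
    if telnet_enabled "$1/inetd.conf"; then
        echo "telnet is enabled in $1/inetd.conf"
        ptys=$(root_login_ptys "$1/ttys")
        if [ -n "$ptys" ]; then
            echo "root logins permitted on network ptys: $ptys"
            rc=1
        fi
    fi
    return $rc
}

# Stand-alone run against the constructed samples.
dir=${TMPDIR:-/tmp}/telnet-audit.$$
mkdir -p "$dir"
write_samples "$dir"
if audit "$dir"; then echo "no finding"; fi
rm -rf "$dir"
```

Run it as-is to see the findings against the samples, or point `audit` at a directory holding copies of a real /etc/inetd.conf and /etc/ttys. The hardened state the script wants to see is a commented-out telnet line, or, failing that, no network pty carrying "secure".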