From: Doug Ambrisko
Message-Id: <199710231613.JAA22205@crab.whistle.com>
Subject: Re: Password files and virtual IP addresses
In-Reply-To: from Julian Elischer at "Oct 23, 97 00:53:22 am"
To: freebsd-hackers@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Date: Thu, 23 Oct 1997 09:13:56 -0700 (PDT)

Julian Elischer writes:
| We have a whole virtual machine
| using chroot, and a few other tricks such as a hacked inetd.
| It was described recently on either hackers or questions (I forget which)
| by Doug Ambrisko. (I think it was questions)

It was a hacked natd-like program. "inetd" was fine as is.

| On Wed, 22 Oct 1997, Charles Mott wrote:
|
| > Suppose that one wanted to create different virtual
| > IP addresses with ifconfig alias, and when people telnet
| > or ftp or access pop3/imap2 at a virtual address, a
| > password file specific to that virtual address would be
| > used. This would allow username re-use.
| >
| > Has this sort of thing been considered before? If not,
| > what sort of things would have to be hacked? If password
| > access routines could somehow be informed what virtual
| > address they were being accessed from, then it would
| > be possible to have multiple password files.
| >
| > Of course, there are always unintended security
| > implications to doing these things...

This is a pretty simple case since these services can be controlled via
inetd. Since inetd is well-behaved (i.e. uses /etc/services to figure out
what ports to use), it is pretty easy to copy the stuff you need into a
small chroot and then do a "chroot path /usr/sbin/inetd" to start your
services that have been shifted via editing /etc/services in the chroot.

The tricky part is to make connections that come in through the alias IP
do a "port shift" from the standard ports to the ones used in the chroot.
This can be done with a hacked natd that does port translation instead of
IP translation.

Note this problem is simpler than the case I described before since only
incoming connections are made, so you don't have to worry about translating
connections originating from the chroot, such as sendmail delivering mail
from inside the chroot. The translate code is based on some non-public
Whistle code.

Doug A.
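The two halves of the scheme Doug describes, as an added example that is not his code, Whistle's translate code, or anything from FreeBSD: `shift_services` performs the /etc/services edit for the chroot's copy (each listed service moved up by a fixed offset), and `PortShiftProxy` is a user-space stand-in for the "port shift", accepting on the alias IP at the standard port and relaying to the shifted port where the chrooted inetd would listen. The service names, the 10000 offset, and the echo backend are constructed for the demonstration; on later FreeBSD the same mapping is done by natd's `-redirect_port` option rather than a hacked natd.

```python
import socket
import threading

# Constructed list: the services Charles Mott's question names.
SHIFTED = ("ftp", "telnet", "pop3", "imap")


def shift_services(services_text, shift, names=SHIFTED):
    """Rewrite /etc/services text so the named services move up by `shift`
    ports (what gets edited in the chroot's copy). Returns (new_text, mapping)
    with mapping = {(name, proto): (standard_port, shifted_port)}."""
    out, mapping = [], {}
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()       # ignore trailing comments
        if len(fields) >= 2 and fields[0] in names and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            if port.isdigit():
                new = int(port) + shift
                mapping[(fields[0], proto)] = (int(port), new)
                line = line.replace(fields[1], "%d/%s" % (new, proto), 1)
        out.append(line)
    return "\n".join(out) + "\n", mapping


def _pump(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(listener, handler):
    """Accept on `listener` in a daemon thread, one thread per connection."""
    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:          # listener closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def _listen(addr):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(addr)
    s.listen(16)
    return s


class PortShiftProxy:
    """User-space stand-in for the port translation the message describes:
    accept on (alias_ip, standard_port), relay to (target_ip, shifted_port)
    where the chrooted inetd listens. Unlike a natd-style address rewrite,
    the service then sees the proxy as the peer, so it loses the client IP."""

    def __init__(self, listen, target):
        self.target = target
        self.sock = _listen(listen)
        self.addr = self.sock.getsockname()   # (host, port) actually bound
        _serve(self.sock, self._relay)

    def _relay(self, client):
        upstream = socket.create_connection(self.target)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()
        client.close()
        upstream.close()

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)   # unblock accept()
        except OSError:
            pass
        self.sock.close()


def echo_server():
    """Stand-in for a service behind the chrooted inetd: echoes its input."""
    srv = _listen(("127.0.0.1", 0))
    _serve(srv, lambda conn: (_pump(conn, conn), conn.close()))
    return srv


def through_proxy(payload):
    """Connect to the 'alias' listener, send payload, return the reply."""
    backend = echo_server()
    proxy = PortShiftProxy(("127.0.0.1", 0), backend.getsockname())
    try:
        with socket.create_connection(proxy.addr, timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        proxy.close()
        backend.close()
```

Two practical points follow from the design. The per-alias password file comes for free only because the chrooted daemons resolve users through the chroot's own /etc/master.passwd and spwd.db, so each chroot needs a complete, separately maintained copy of those files. And the relay above, unlike a translation done on the packet path, hands the chrooted service a connection whose peer is the proxy itself, so tcp_wrappers rules, wtmp entries and ftpd logs inside the chroot record the relay's address rather than the real client; that is one reason to do the shift with natd-style translation rather than a user-space proxy. Neither approach makes the chroot a hard boundary for services that run as root, such as telnetd and login.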