From owner-freebsd-security  Wed Apr 23 18:46:27 1997
Return-Path: <owner-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id SAA07088
          for security-outgoing; Wed, 23 Apr 1997 18:46:27 -0700 (PDT)
Received: from cmu1.acs.cmu.edu (CMU1.ACS.CMU.EDU [128.2.35.186])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA07080
          for <security@freebsd.org>; Wed, 23 Apr 1997 18:46:24 -0700 (PDT)
Received: from apriori.cc.cmu.edu (APRIORI.CC.CMU.EDU [128.2.72.117]) by cmu1.acs.cmu.edu (8.8.2/8.7.3) with SMTP id VAA04516; Wed, 23 Apr 1997 21:45:24 -0400
Date: Wed, 23 Apr 1997 21:45:23 -0400 (EDT)
From: Robert N Watson <rnw@andrew.cmu.edu>
X-Sender: rnw@apriori.cc.cmu.edu
To: Pedro Giffuni <pgiffuni@fps.biblos.unal.edu.co>
cc: security@freebsd.org
Subject: Re: Possible security hole in 2.2 Release.
In-Reply-To: <335E75CF.705E@fps.biblos.unal.edu.co>
Message-ID: <Pine.SUN.3.93l.970423214341.9918A-100000@apriori.cc.cmu.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk


My 2.2.1 default dot.rhosts in /usr/share/skel reads as follows:

#       $Id: dot.rhosts,v 1.3 1996/09/21 21:35:47 wosch Exp $
#
# .rhosts - trusted remote host name and user data base
#
# see hosts.equiv(5), rsh(1), rlogin(1), rcp(1)
#
# This file should NOT be group or other readable.
# OtherMachine
# OtherMachine myFriend

This doesn't appear to include + +, which certainly would cause the
problem you identify :).  BTW, I've read that the "#" at the beginning of
the line is a bad idea, as you can pursuade a DNS server to pass back "#"
as your host name, and spoof your way in.  Do the r* service
authentication routines ignore # signs, really? :)

----
Robert Watson <rnw+@Andrew.cmu.edu>

On Wed, 23 Apr 1997, Pedro Giffuni wrote:

> Howdy,
> One of my users reported rlogin didn't ask for a password when he tried
> to log from a remote box in another faculty. I haven't had the time to
> check this out (I am sick and in home). The problem was only detected
> from one Solaris box that doesn't has it's hostname correctly
> configured.
> The .rhosts files are from the standard distribution and include a line,
> "+ +" that may be causing the problem.
> I closed r* services on this box until I have a chance to check this
> thoroughly.
> 
> 	Pedro.
>