From owner-freebsd-security Wed Apr 23 20:10:20 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA11851 for security-outgoing; Wed, 23 Apr 1997 20:10:20 -0700 (PDT)
Received: from usc.usc.unal.edu.co ([200.21.26.65]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id UAA11841 for ; Wed, 23 Apr 1997 20:10:08 -0700 (PDT)
Received: from unalmodem15.usc.unal.edu.co by usc.usc.unal.edu.co (AIX 4.1/UCB 5.64/4.03) id AA145306; Wed, 23 Apr 1997 23:08:55 -0400
Message-Id: <335EEA4A.6450@fps.biblos.unal.edu.co>
Date: Wed, 23 Apr 1997 22:06:19 -0700
From: Pedro Giffuni
X-Mailer: Mozilla 3.0 (Win16; I)
Mime-Version: 1.0
To: Robert N Watson
Cc: security@freebsd.org
Subject: Re: Possible security hole in 2.2 Release.
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

My 2.2-Release has as .rhosts :

# $Id: dot.rhosts,v 1.3 1996/09/21 21:35:47 wosch Exp $
#
# .rhosts - trusted remote host name and user data base
#
# see hosts.equiv(5), rsh(1), rlogin(1), rcp(1)
#
# This file should NOT be group or other readable.
# OtherMachine
# OtherMachine myFriend
+ +

# And here is (in part) the wtmp file:

yonny   ttyp0   invalid hostname   Wed Apr 23 14:27 - 14:27  (00:00)
pedro   ttyp0   168.176.3.41       Wed Apr 23 14:11 - 14:11  (00:00)
yonny   ttyp0   invalid hostname   Wed Apr 23 12:31 - 12:37  (00:06)
yonny   ftp     invalid hostname   Wed Apr 23 12:30 - 12:30  (00:00)
yonny   ttyp0   invalid hostname   Wed Apr 23 11:23 - 11:24  (00:01)
pedro   ttyp0   168.176.3.43       Wed Apr 23 10:29 - 10:29  (00:00)
yonny   ttyp0   invalid hostname   Wed Apr 23 10:10 - 10:12  (00:01)

_______________________________

My .dot file is exactly like yours :(. Either my box was cracked and + + added to all users (two) or this is added someway by default.

Pedro.
Robert N Watson wrote:
>
> My 2.2.1 default dot.rhosts in /usr/share/skel reads as follows:
>
> # $Id: dot.rhosts,v 1.3 1996/09/21 21:35:47 wosch Exp $
> #
> # .rhosts - trusted remote host name and user data base
> #
> # see hosts.equiv(5), rsh(1), rlogin(1), rcp(1)
> #
> # This file should NOT be group or other readable.
> # OtherMachine
> # OtherMachine myFriend
>
> This doesn't appear to include + +, which certainly would cause the
> problem you identify :). BTW, I've read that the "#" at the beginning of
> the line is a bad idea, as you can persuade a DNS server to pass back "#"
> as your host name, and spoof your way in. Do the r* service
> authentication routines ignore # signs, really? :)
>
> ----
> Robert Watson
>
> On Wed, 23 Apr 1997, Pedro Giffuni wrote:
>
> > Howdy,
> > One of my users reported rlogin didn't ask for a password when he tried
> > to log in from a remote box in another faculty. I haven't had the time to
> > check this out (I am sick and at home). The problem was only detected
> > from one Solaris box that doesn't have its hostname correctly
> > configured.
> > The .rhosts files are from the standard distribution and include a line,
> > "+ +" that may be causing the problem.
> > I closed r* services on this box until I have a chance to check this
> > thoroughly.
> >
> > Pedro.
> >
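An audit script for the two things this thread turns on, added here as an illustration and not part of the original message or of FreeBSD: it parses .rhosts/hosts.equiv entries and flags wildcard trust such as the "+ +" line, and it picks out last(1)-style wtmp records whose origin shows as "invalid hostname". The sample file and wtmp lines are constructed copies of what Pedro quoted.

```python
"""Audit an .rhosts/hosts.equiv file for wildcard trust and list logins
whose origin host failed reverse lookup (sample data is constructed)."""

# Constructed copy of the 2.2-RELEASE skeleton .rhosts, "+ +" line included.
SAMPLE_RHOSTS = """\
# $Id: dot.rhosts,v 1.3 1996/09/21 21:35:47 wosch Exp $
#
# .rhosts - trusted remote host name and user data base
# This file should NOT be group or other readable.
# OtherMachine
# OtherMachine myFriend
+ +
"""

# Constructed last(1)-style lines modelled on the wtmp excerpt in the message.
SAMPLE_WTMP = """\
yonny  ttyp0  invalid hostname  Wed Apr 23 14:27 - 14:27  (00:00)
pedro  ttyp0  168.176.3.41      Wed Apr 23 14:11 - 14:11  (00:00)
yonny  ftp    invalid hostname  Wed Apr 23 12:30 - 12:30  (00:00)
"""


def audit_rhosts(text):
    """Return (line_no, host, user, reason) for every entry that grants
    password-less access more broadly than one named host and user.

    Per hosts.equiv(5): one "hostname [username]" per line, a line
    starting with "#" is a comment, "+" is a wildcard for any host or
    any user, and a leading "-" on a field denies instead of trusts.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        if host.startswith("-") or (user or "").startswith("-"):
            continue  # explicit deny entries do not widen trust
        if host == "+" and user == "+":
            findings.append((n, host, user, "any user from any host, no password"))
        elif host == "+":
            findings.append((n, host, user, "user %s trusted from any host" % user))
        elif user == "+":
            findings.append((n, host, user, "every user on %s trusted" % host))
    return findings


def unresolved_logins(text):
    """Return (user, tty) for wtmp records whose origin shows 'invalid hostname'."""
    return [tuple(l.split()[:2]) for l in text.splitlines() if "invalid hostname" in l]
```

Run it against each user's ~/.rhosts and /etc/hosts.equiv after an install; a non-empty result from audit_rhosts means the host trusts more than it should.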