Date: Wed, 23 Apr 1997 22:06:19 -0700 From: Pedro Giffuni <pgiffuni@fps.biblos.unal.edu.co> To: Robert N Watson <rnw@andrew.cmu.edu> Cc: security@freebsd.org Subject: Re: Possible security hole in 2.2 Release. Message-ID: <335EEA4A.6450@fps.biblos.unal.edu.co> References: <Pine.SUN.3.93l.970423214341.9918A-100000@apriori.cc.cmu.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
My 2.2-Release has as .rhosts : # $Id: dot.rhosts,v 1.3 1996/09/21 21:35:47 wosch Exp $ # # .rhosts - trusted remote host name and user data base # # see hosts.equiv(5), rsh(1), rlogin(1), rcp(1) # # This file should NOT be group or other readable. # OtherMachine # OtherMachine myFriend + + # And here is (in part) the wtmp file: yonny ttyp0 invalid hostname Wed Apr 23 14:27 - 14:27 (00:00) pedro ttyp0 168.176.3.41 Wed Apr 23 14:11 - 14:11 (00:00) yonny ttyp0 invalid hostname Wed Apr 23 12:31 - 12:37 (00:06) yonny ftp invalid hostname Wed Apr 23 12:30 - 12:30 (00:00) yonny ttyp0 invalid hostname Wed Apr 23 11:23 - 11:24 (00:01) pedro ttyp0 168.176.3.43 Wed Apr 23 10:29 - 10:29 (00:00) yonny ttyp0 invalid hostname Wed Apr 23 10:10 - 10:12 (00:01) _______________________________ My .dot file is exactly like yours :(. Either my box was cracked and + + added to all users (two) or this is added someway by default. Pedro. Robert N Watson wrote: > > My 2.2.1 default dot.rhosts in /usr/share/skel reads as follows: > > # $Id: dot.rhosts,v 1.3 1996/09/21 21:35:47 wosch Exp $ > # > # .rhosts - trusted remote host name and user data base > # > # see hosts.equiv(5), rsh(1), rlogin(1), rcp(1) > # > # This file should NOT be group or other readable. > # OtherMachine > # OtherMachine myFriend > > This doesn't appear to include + +, which certainly would cause the > problem you identify :). BTW, I've read that the "#" at the beginning of > the line is a bad idea, as you can pursuade a DNS server to pass back "#" > as your host name, and spoof your way in. Do the r* service > authentication routines ignore # signs, really? :) > > ---- > Robert Watson <rnw+@Andrew.cmu.edu> > > On Wed, 23 Apr 1997, Pedro Giffuni wrote: > > > Howdy, > > One of my users reported rlogin didn't ask for a password when he tried > > to log from a remote box in another faculty. I haven't had the time to > > check this out (I am sick and in home). The problem was only detected > > from one Solaris box that doesn't has it's hostname correctly > > configured. > > The .rhosts files are from the standard distribution and include a line, > > "+ +" that may be causing the problem. > > I closed r* services on this box until I have a chance to check this > > thoroughly. > > > > Pedro. > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?335EEA4A.6450>