From owner-freebsd-isp Tue Nov 4 19:20:50 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA04352 for isp-outgoing; Tue, 4 Nov 1997 19:20:50 -0800 (PST) (envelope-from owner-freebsd-isp) Received: from roguetrader.com (brandon@cold.org [206.81.134.103]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA04339 for ; Tue, 4 Nov 1997 19:20:41 -0800 (PST) (envelope-from brandon@roguetrader.com) Received: from localhost (brandon@localhost) by roguetrader.com (8.8.5/8.8.5) with SMTP id UAA02353 for ; Tue, 4 Nov 1997 20:20:43 -0700 (MST) Date: Tue, 4 Nov 1997 20:20:43 -0700 (MST) From: Brandon Gillespie To: freebsd-isp@freebsd.org Subject: Security problem/oversight with user PPP! Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-isp@freebsd.org X-Loop: FreeBSD.org Precedence: bulk This isn't really a bug or anything--as it is just a standard feature of how user PPP works. You can just telnet to port '3000' on any machine running user PPP and have full access to the ppp session--assuming they havn't setup ppp.secret. I really find this disconcerting, since the manual just 'suggests' setting up ppp.secret. Frankly, if there is no ppp.secret it should NOT bind to port 3000! I don't want to bother with passwords in my PPP config system, because frankly, I dont care--I'm the only one using it. But suddenly I find the new PPP is allowing anybody in the world to diddle with my ppp and its irritating! (that doesn't sound good :) Talk about a horrid default. At the very least it should bind to port 3000 on LOCALHOST, why does there need to be global access to it? -Brandon Gillespie