From: Peter Wemm
To: guido@gvr.win.tue.nl (Guido van Rooij)
cc: taob@io.org (Brian Tao), freebsd-security@freebsd.org
Subject: Re: Root rlogins despite /etc/ttys
In-reply-to: Your message of "Mon, 10 Jun 1996 11:25:39 +0200." <199606100925.LAA10677@gvr.win.tue.nl>
Date: Tue, 11 Jun 1996 16:53:18 +0800
Message-Id: <199606110853.QAA06691@spinner.DIALix.COM>

>Brian Tao wrote:
>> Could someone confirm this for me? I noticed that I can rlogin as
>> root into a 2.2-960501-SNAP server providing that the .rhosts is set up
>> correctly. The tty assigned to the login session is not marked as
>> secure in /etc/ttys. Previously, the password prompt would appear
>> regardless, and root logins denied.
>
>I think this is caused by this commit:
>revision 1.6
>date: 1995/11/20 23:25:35; author: peter; state: Exp; lines: +2 -3
>Stop rlogind from bogusly ignoring an explicit .rhosts file for root.
>It still correctly ignores hosts.equiv. This is now consistent with rshd.
>
>I'll include the author in the Cc: and let him comment about this.
>I agree that at least the tty needs to be checked on its security in
>the ttys file.
>
>-Guido

Well, previously, if there was a .rhosts file, you could:

    rsh -l root hostname sh -i

and get a stealth login that was not even on a terminal or logged in utmp/wtmp.
'secure' is pretty meaningless on network logins, especially if you bypass it by *explicitly* setting a root .rhosts entry. The only thing the 'secure' flag seems useful for these days over the network is to discourage the root password being typed in plaintext at the start of a network connection that can be so easily sniffed, i.e. disallow telnet w/ plain text password, disallow rlogin with plain text password. But allow a normal user to telnet/rlogin in and, a significant amount of network traffic later, type the password.

I don't think you can disallow root .rhosts for rsh, because people will be after your blood if they can no longer do remote backups the way they've been doing it for the last 10 years etc. And denying rlogin when rsh is allowed gives only a false sense of security since it's trivial to bypass.

Personally, I think the real solution is something like ssh that uses real authentication (which, incidentally, completely ignores the 'secure' flag).

Cheers,
-Peter
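An added audit helper, not code from this thread or from FreeBSD's rlogind: given an /etc/ttys file and root's .rhosts file, it reports whether a root rlogin from a named client would be accepted without a password under the rlogind 1.6 behaviour Peter describes, and shows the pty's secure flag that the older code (and Guido's proposal) would have enforced. It assumes POSIX sh with awk, the classic /etc/ttys layout, a pty bank named ttyp*, and that both files are passed as arguments.

```shell
#!/bin/sh
# Constructed audit helper; not code from the thread or from FreeBSD's rlogind.
# It models the rlogind 1.6 behaviour described above: an explicit entry in
# root's .rhosts is honoured and the tty "secure" flag is not consulted.
# hosts.equiv is deliberately never read, since rlogind still ignores it for root.
# Assumptions: POSIX sh with awk; /etc/ttys uses the classic layout
# "name getty type status [secure]"; the pty bank is named ttyp*.

# Print "secure", "insecure" or "unknown" for the first ttyp* entry in a ttys
# file, i.e. the flag that the pre-1.6 code (and Guido's proposal) would check.
pty_status() {
    awk '!found && $1 ~ /^ttyp/ {
            found = 1; s = "insecure"
            for (i = 4; i <= NF; i++) if ($i == "secure") s = "secure"
            print s
         }
         END { if (!found) print "unknown" }' "$1"
}

# Return 0 when root's .rhosts has an explicit entry for CLIENT (or the "+"
# wildcard, which trusts every host), 1 otherwise. Comment lines are skipped.
root_rhosts_allows() {
    [ -f "$1" ] || return 1
    awk -v h="$2" '$1 !~ /^#/ && ($1 == h || $1 == "+") { found = 1 }
                   END { exit (found ? 0 : 1) }' "$1"
}

# Combine both checks: print a one-line verdict and return 0 when a root rlogin
# from CLIENT would be accepted without a password. The same .rhosts entry also
# admits rsh, which is why the tty flag alone cannot close this path.
root_rlogin_verdict() {
    ttys=$1; rhosts=$2; client=$3
    pty=$(pty_status "$ttys")
    if root_rhosts_allows "$rhosts" "$client"; then
        echo "root rlogin from $client: ALLOWED without password (.rhosts entry; pty is $pty, flag not consulted)"
        return 0
    fi
    echo "root rlogin from $client: password required (no .rhosts entry; pty is $pty)"
    return 1
}

# Usage: ./audit.sh /etc/ttys /root/.rhosts client.host.name
if [ "$#" -ge 3 ]; then root_rlogin_verdict "$@"; fi
```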