[197] in linux-security and linux-alert archive
Hash signs in hosts.equiv
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Fri Apr 7 20:35:40 1995
From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@majordomo.linux.nrao.edu
Date: Fri, 7 Apr 1995 18:05:43 +0200 (MET DST)
Cc: linux-alert@tarsier.cv.nrao.edu
Reply-To: linux-security@tarsier.cv.nrao.edu
Hello,
As has been reported, the ruserok() function in libc (up to at least
version 4.6.27, didn't check the latest ones) does not take care of
hash signs in hosts.equiv and .rhosts. If someone injects a bogus PTR
record into their DNS, this could be dangerous for some extremely old
Linux systems. Most machines I've seen however run a version of rlogin
that does a spoof check on the host name obtained from gethostbyaddr.
At the least, version 5.53 of rlogind is immune against this type of
attack. You can check which version you have by running the strings command
on the binary. As I don't have the source for rshd handy at the moment,
I can't tell which versions of rshd are vulnerable and which aren't.
If you are not sure if your rlogind/rshd binary is vulnerable, you
have the following options:
  * Put the line

        nospoof on

    in your /etc/host.conf file. This rejects all hosts who have
    no or broken reverse mapping records in their DNS.

  * If you don't want to block all services for hosts with broken
    reverse mapping, get a newer version of tcpd (tcp_wrapper-6.3 or
    later) and add a line like this to /etc/hosts.deny:

        ALL except ftpd: UNKNOWN

    This rejects all hosts with missing or bad PTR entries for all
    services except FTP. Of course, you also have to make sure
    inetd actually invokes tcpd for this service. The appropriate
    entry in /etc/inetd.conf looks like this:

        login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind

Regards,
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
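
One way to check a host for the two options listed in the message above, added here as an example and not part of the original post. The function names are hypothetical, and the in.rshd binary name and the exact file layouts are assumptions beyond the lines the message quotes.

```shell
#!/bin/sh
# Added example: audit the mitigations named in the message under a root
# directory (empty string = the live system). File formats are assumptions
# based on the lines quoted in the message.

# 0 if /etc/host.conf contains an active "nospoof on" line.
has_nospoof() {
    grep -Eq '^[[:space:]]*nospoof[[:space:]]+on([[:space:]]|$)' "$1/etc/host.conf" 2>/dev/null
}

# 0 if a non-comment hosts.deny rule lists UNKNOWN in its client field.
denies_unknown() {
    [ -r "$1/etc/hosts.deny" ] || return 1
    awk -F: '!/^[ \t]*#/ && NF >= 2 {
        n = split($2, c, /[ \t,]+/)
        for (i = 1; i <= n; i++) if (toupper(c[i]) == "UNKNOWN") found = 1
    } END { exit !found }' "$1/etc/hosts.deny"
}

# Print inetd.conf services whose server field is rlogind/rshd itself,
# i.e. not started through tcpd.
unwrapped_services() {
    [ -r "$1/etc/inetd.conf" ] || return 0
    awk '!/^[ \t]*#/ && $6 ~ /(^|\/)(in\.)?(rlogind|rshd)$/ { print $1 }' "$1/etc/inetd.conf"
}

# Print numbered lines of a hosts.equiv/.rhosts file that contain '#',
# so they can be reviewed on systems with the affected ruserok().
hash_lines() {
    [ -r "$1" ] || return 0
    grep -n '#' "$1" || true
}

# Report; return 0 when at least one of the two options is fully in place.
audit() {
    root=${1:-}; ok=1
    if has_nospoof "$root"; then echo "host.conf: nospoof on"; ok=0; fi
    if denies_unknown "$root"; then
        bare=$(unwrapped_services "$root")
        if [ -z "$bare" ]; then
            echo "hosts.deny: UNKNOWN denied, rlogind/rshd not run bare"; ok=0
        else
            echo "hosts.deny: UNKNOWN denied, but started without tcpd:" $bare
        fi
    fi
    hash_lines "$root/etc/hosts.equiv" | sed 's/^/hosts.equiv has #: /'
    return $ok
}
```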