[11451] in bugtraq
Re: XDM Insecurity revisited
daemon@ATHENA.MIT.EDU (Martin K. Petersen)
Sat Aug 21 00:59:03 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id:  <yq1so5g9ktd.fsf@jaguar.socsci.auc.dk>
Date:         Thu, 19 Aug 1999 11:33:18 +0200
Reply-To: "Martin K. Petersen" <mkp@SUNSITE.AUC.DK>
From: "Martin K. Petersen" <mkp@SUNSITE.AUC.DK>
X-To:         Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Jochen Bauer's message of "Wed, 18 Aug 1999 12:26:20 +0200"
>>>>> "Jochen" == Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE> writes:
Jochen> However, this warning seemed to have little effect as (at
Jochen> least) Digital Unix 4.0E, SuSE Linux 6.1 and Red Hat Linux 6.0
Jochen> are still (1.5 years later) shipped with this default Xaccess
Jochen> file.
Same story for Solaris, HP/UX and (iirc) Irix...
Jochen> It is somehow ironic that e.g. SuSE now uses tcpwrappers by
Jochen> default on most TCP services in its distribution and
Jochen> describes the use of tcpwrappers in the manual in a special
Jochen> chapter about security, but fails to close (or even mention)
Jochen> that way to circumvent login restrictions.
Incidentally, the Gnome Display Manager which is also included in Red
Hat 6.0 uses tcpwrappers for access control (unfortunately it is
slightly broken wrt. XDMCP in the shipped version -- mea culpa).  GDM
also has an option to disallow root logins and makes extensive use of
PAM for authentication.
In general, I'd advise anyone running XDM or derivatives (like dtlogin
from CDE) to block UDP port 177 on their firewall. It's an extremely
good idea. Believe me...
--
Martin Kasper Petersen		BOFH, IC1&2, Aalborg University, DK
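The audit below is an added example and not part of the post above: it checks an Xaccess file for the unrestricted host entry ("*") that the thread is about, using sample files constructed here (the permissive contents and the host name in the hardened variant are hypothetical, not copied from any distribution).

```shell
#!/bin/sh
# Added example: audit an xdm Xaccess file for entries that grant XDMCP
# access to any host.  Xaccess line format (xdm(1)): a host pattern,
# optionally followed by CHOOSER/NOBROADCAST; a leading '!' denies;
# '#' starts a comment.

# Return 0 (true) when the file contains an unnegated "*" pattern, i.e.
# any host on the network can request a login window or chooser.
xaccess_unrestricted() {
    # strip comments and blank lines, then look for a bare "*" host pattern
    # (patterns such as "*.example.org" are scoped and are not flagged)
    sed -e 's/#.*//' "$1" | awk '
        NF == 0 { next }
        $1 == "*" { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample resembling the permissive default the thread complains
# about: every host may obtain a login window and see the chooser.
make_default_xaccess() {
    cat > "$1" <<'EOF'
# Xaccess: XDMCP access control (constructed sample)
*                       # any host can get a login window
*      CHOOSER BROADCAST  # any indirect query host can see a chooser
EOF
}

# Hardened variant: deny every host unless it is listed explicitly.
make_hardened_xaccess() {
    cat > "$1" <<'EOF'
!*                      # deny XDMCP to all hosts
# ws1.example.org      # uncomment to allow one trusted host (hypothetical name)
EOF
}
```

On a Linux host the equivalent of the firewall advice in the post is to drop inbound UDP port 177, e.g. `iptables -A INPUT -p udp --dport 177 -j DROP` (assumed iptables environment; adapt to the local packet filter).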