[12084] in bugtraq
Re: Sun's TTSESSION Vulnerability
daemon@ATHENA.MIT.EDU (Charlie Giannetto)
Fri Oct 1 14:23:27 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.4.10.9909301407400.21448-100000@babylon5>
Date: Thu, 30 Sep 1999 14:19:01 -0400
Reply-To: Charlie Giannetto <charlieg@IC.SUNYSB.EDU>
From: Charlie Giannetto <charlieg@IC.SUNYSB.EDU>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <37F262C5.68F43BB@goon.stg.brown.edu>
On Wed, 29 Sep 1999, Richard L. Goerwitz wrote:
> "Bauer, Rich" wrote:
> >
> > One of our systems administrators recently told us that Sun's fix for the
> > TTSESSION vulnerability (running ttsession with DES) prohibits root from
> > using CDE in an NISPLUS environment, and prohibits any user from using CDE
> > in a stand-alone environment. Is there a patch forthcoming or some other
> > work-around that doesn't have these limitations ?
>
> For us the key is that CDE is essentially useless in a stand-alone en-
> vironment, or any environment in which NIS(+) is not being used. This
> is certainly not how Sun intended the product to function.
It does work without NIS/NIS+ (well sort of), it's just that you have to
create an /etc/netid (see man netid for details) and /etc/publickey (man
-s 4 publickey) files. However, certain applications (dtpad, dtmail,
mailtool, and some others) still won't run. Also, I couldn't get a
console root login to work under CDE either ... although some might
consider this a plus.
Now, I can't take credit for discovering this, that goes to Dan
Astoorian who pointed this out to me in a related discussion.
Also, Sun has issued the following bug id assoiciated with running
ttsessoin with DES: 4272834
