[4679] in bugtraq
Re: rshd gives away usernames
daemon@ATHENA.MIT.EDU (Erik Troan)
Fri Jun 13 21:37:08 1997
Date: Fri, 13 Jun 1997 13:50:08 -0400
Reply-To: Erik Troan <ewt@REDHAT.COM>
From: Erik Troan <ewt@REDHAT.COM>
X-To: David Holland <dholland@EECS.HARVARD.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199706131117.HAA03109@burgundy.eecs.harvard.edu>
On Fri, 13 Jun 1997, David Holland wrote:
> Try 'rsh victimhost -l realuser' and 'rsh victimhost -l nosuchuser'.
> The error reported is different.
>
> Therefore, it's possible to determine which account names are valid.
> This is an issue only for particularly paranoid sites that probably
> already have rshd disabled, but I thought it would be worth issuing a
> warning anyway.
The PAM version of Linux's rshd doesn't have this problem. Some of the
earlier ones did, but Red Hat 4.2 has this problem fixed.
I never sent the patches to David because they were PAM bugs, not
rshd bugs, and I never tested this against a non-PAM rshd (duh).
Erik
-------------------------------------------------------------------------------
| "Psychopaths kill for no reason: I kill for money." -- Grosse Pointe Blank |
| |
| Erik Troan = ewt@redhat.com = ewt@sunsite.unc.edu |
