[8493] in bugtraq
Re: tcpd -DPARANOID doesn't work, and never did
daemon@ATHENA.MIT.EDU (Wietse Venema)
Tue Nov 10 17:31:58 1998
Date: Tue, 10 Nov 1998 16:43:42 -0500
Reply-To: Wietse Venema <wietse@PORCUPINE.ORG>
From: Wietse Venema <wietse@PORCUPINE.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199811100420.MAA02759@spinner.netplex.com.au> from Peter Wemm at "Nov 10, 98 12:20:27 pm"

Peter Wemm:
> rshd and rlogind are safe (as far as I can
> tell) on all systems that are 4.3BSD-net2 (and later) derivatives. They
> don't need -DPARANOID at all.

Correction: the NET2 rshd/rlogind `paranoid' code is NOT ok.

NET2 code looks up the client name with gethostbyaddr(), checks
the address list from gethostbyname(), and then uses the hostname
result from gethostbyname(), which could be something different.

That's why TCPD demands that the hostname results from gethostbyaddr()
and gethostbyname() be identical, and doesn't even allow PTRs to
CNAMEs. Without this, it was just too easy to spoof your way in.

Unfortunately, the BSD-style `paranoid' check that ends up using
the wrong hostname has made its way into other programs as well.

Wietse
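
The two checks described in the message above, side by side, as an added C example that is not part of the original post and is not the tcpd or rshd source. The resolver is replaced by constructed tables; `mock_byaddr`, `mock_byname`, `client_name` and all host names and addresses are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed resolver data standing in for DNS; all names are made up. */
struct fwd { const char *query, *h_name, *addrs[2]; };
static const struct { const char *addr, *name; } ptr_tab[] = {
    { "192.0.2.10", "good.example.com" },
    { "192.0.2.66", "alias.example.net" },  /* PTR to a CNAME */
};
static const struct fwd fwd_tab[] = {
    { "good.example.com",  "good.example.com",  { "192.0.2.10", NULL } },
    { "alias.example.net", "other.example.org", { "192.0.2.66", NULL } },
};
static int name_eq(const char *a, const char *b) {  /* case-insensitive */
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) a++, b++;
    return *a == *b;
}
/* Stand-in for gethostbyaddr(): address -> PTR name. */
static const char *mock_byaddr(const char *addr) {
    for (size_t i = 0; i < sizeof ptr_tab / sizeof *ptr_tab; i++)
        if (strcmp(ptr_tab[i].addr, addr) == 0) return ptr_tab[i].name;
    return NULL;
}
/* Stand-in for gethostbyname(): name -> official name and address list. */
static const struct fwd *mock_byname(const char *name) {
    for (size_t i = 0; i < sizeof fwd_tab / sizeof *fwd_tab; i++)
        if (name_eq(fwd_tab[i].query, name)) return &fwd_tab[i];
    return NULL;
}
static int has_addr(const struct fwd *hp, const char *addr) {
    for (int i = 0; i < 2 && hp->addrs[i]; i++)
        if (strcmp(hp->addrs[i], addr) == 0) return 1;
    return 0;
}
/* Returns the name access control would use, or NULL to reject the client.
   strict=0: BSD-style check; strict=1: both lookups must give the same name. */
const char *client_name(const char *addr, int strict) {
    const char *rev = mock_byaddr(addr);
    const struct fwd *hp = rev ? mock_byname(rev) : NULL;
    if (hp == NULL || !has_addr(hp, addr)) return NULL;
    if (strict && !name_eq(rev, hp->h_name)) return NULL;
    return hp->h_name;  /* equals rev only when strict is set */
}

int main(void) {
    const char *n = client_name("192.0.2.66", 0), *s = client_name("192.0.2.66", 1);
    return printf("bsd-style: %s\nstrict: %s\n", n, s ? s : "(reject)") < 0;
}
```

With the constructed data, the BSD-style path accepts the second client under a name the reverse lookup never returned, while the strict path rejects it.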