[18629] in bugtraq

Re: analysis of auditable port scanning techniques

daemon@ATHENA.MIT.EDU (D. J. Bernstein)
Tue Jan 16 11:45:17 2001

Message-ID:  <20010115220117.27275.qmail@cr.yp.to>
Date:         Mon, 15 Jan 2001 22:01:17 -0000
Reply-To: "D. J. Bernstein" <djb@CR.YP.TO>
From: "D. J. Bernstein" <djb@CR.YP.TO>
To: BUGTRAQ@SECURITYFOCUS.COM

Dan Harkless writes:
> Theo de Raadt just informed me via email that OpenBSD fixed their identd to
> only report SS_CONNECTOUT sockets in 1996.

The MTA and the FTP server and many other daemons will make outgoing TCP
connections upon request. This bogus ``fix'' does not achieve the stated
goal of keeping the daemon usernames secret. Meanwhile, it wipes out
useful logs for some portmap-style protocols. (Rare protocols, I agree.)

The correct approach is to encrypt the uid under a secret key. This has
been built into pidentd for years.

---Dan
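
The approach named in the message above (return the uid encrypted under a secret key instead of a username), as an added example that is not part of the original post and is not pidentd's code, token format or cipher. It assumes an HMAC-SHA256 keystream with a truncated MAC so it runs on the standard library alone; the function names, token layout and sample key are hypothetical.

```python
import base64, hashlib, hmac, os, struct, time

def _prf(key, label, data):
    # HMAC-SHA256 with a label so keystream and MAC inputs never collide.
    return hmac.new(key, label + data, hashlib.sha256).digest()

def seal_uid(key, uid, lport, rport, now=None, nonce=None):
    """Encrypt (uid, time, port pair) into an opaque printable token."""
    nonce = nonce or os.urandom(8)           # fresh per reply, so tokens differ
    ts = int(time.time() if now is None else now)
    plain = struct.pack(">IIHH", uid, ts, lport, rport)    # 12 bytes
    stream = _prf(key, b"enc", nonce)[:len(plain)]
    ct = bytes(p ^ s for p, s in zip(plain, stream))
    tag = _prf(key, b"mac", nonce + ct)[:8]  # truncated MAC rejects forged tokens
    return base64.b64encode(nonce + ct + tag).decode()

def open_token(key, token):
    """Key holder only: recover what the daemon saw when it issued the token."""
    raw = base64.b64decode(token)
    nonce, ct, tag = raw[:8], raw[8:-8], raw[-8:]
    want = _prf(key, b"mac", nonce + ct)[:8]
    if len(ct) != 12 or not hmac.compare_digest(tag, want):
        raise ValueError("token was not issued under this key")
    plain = bytes(c ^ s for c, s in zip(ct, _prf(key, b"enc", nonce)[:12]))
    uid, ts, lport, rport = struct.unpack(">IIHH", plain)
    return {"uid": uid, "time": ts, "lport": lport, "rport": rport}

def ident_reply(key, uid, lport, rport):
    # RFC 1413 reply line; OTHER marks the user-id field as an opaque string.
    token = seal_uid(key, uid, lport, rport)
    return f"{lport}, {rport} : USERID : OTHER : [{token}]"

if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample key
    line = ident_reply(key, 0, 6193, 23)     # a connection owned by uid 0
    print(line)                              # what the remote site sees and logs
    print(open_token(key, line[line.index("[") + 1:-1]))  # what the key holder sees
```

The remote site can still log the token and report it back; only the holder of the key can map it to a uid, and two replies for the same uid do not match each other.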
