[18338] in Athena Bugs
[Evan M Fortunato ] Re: 6.2 athena security controls
daemon@ATHENA.MIT.EDU (Aaron M. Ucko)
Sun Sep 24 17:51:18 2000
To: bugs@mit.edu
From: amu@MIT.EDU (Aaron M. Ucko)
Date: 24 Sep 2000 17:51:11 -0400
Message-ID: <udln1gxv4q8.fsf@mary-kay-commandos.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Anyone?
To: linux-help@MIT.EDU
Subject: Re: 6.2 athena security controls
Date: Sun, 24 Sep 2000 17:21:38 -0400
From: Evan M Fortunato <evanmf@MIT.EDU>
Aaron M. Ucko, <amu@mit.edu> writes:
>That's odd. Did you restart inetd after making those changes?
>(Athena's version of inetd is linked directly against the TCP
>wrappers, so it reads their configuration files only on startup.)
Yes, I have restarted inetd, and in fact here are the current files
and results after a full system reboot:
/etc/hosts.deny
__________________________________________________
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL:ALL
__________________________________________________
/etc/hosts.allow
__________________________________________________
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
#telnetd: 192.9.200.
#ftpd: 192.9.200.
portmap: 18.77.2.125, 18.77.2.126, 18.77.2.127, 18.77.2.128, \
18.77.0.116, 18.77.0.117, 18.77.0.118, 18.77.0.119, 18.77.0.120, \
18.77.0.103, 18.77.0.152, 18.77.1.232, 18.77.1.233, 192.9.200.
sshd: 18.77.2.125, 18.77.2.126, 18.77.0.119, 18.77.0.103, \
18.77.1.232, 18.77.1.233, 192.9.200.
__________________________________________________
/etc/sshd_config
__________________________________________________
# $Id: sshd_config,v 1.2 1998/04/25 23:37:04 danw Exp $
# Athena sshd configuration file
PidFile /var/athena/sshd.pid
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
StrictModes no
KerberosOrLocalPasswd yes
CheckMail no
AllowUsers evanmf praviam
__________________________________________________
/etc/athena/inetd.conf
__________________________________________________
#
# Internet server configuration database
# MIT Project Athena
#
# Note that the Athena inetd has built-in libwrap functionality. So
# there is no need to use tcp_wrappers in this file.
#
#
ftp stream tcp nowait switched root /usr/athena/etc/ftpd ftpd -C -u 007 -t 3600
telnet stream tcp nowait switched root /etc/athena/telnetd telnetd -a cred
#kshell stream tcp nowait switched root /usr/athena/etc/kshd kshd -k
#klogin stream tcp nowait switched root /usr/athena/etc/klogind klogind -k
#eklogin stream tcp nowait switched root /usr/athena/etc/klogind klogind -k -e
#rkinit stream tcp nowait switched root /usr/athena/etc/rkinitd rkinitd
#write stream tcp nowait unswitched root /usr/athena/etc/writed writed
#busypoll dgram udp wait unswitched nobody /etc/athena/busyd busyd
#athinfo stream tcp nowait unswitched root /etc/athena/athinfod athinfod
#gshell stream tcp nowait unswitched root /afs/net/system/gsh/bin/gshd gshd
#time stream tcp nowait unswitched root internal internal
#time dgram udp nowait unswitched root internal internal
#daytime stream tcp nowait unswitched root internal internal
#daytime dgram udp nowait unswitched root internal internal
__________________________________________________
Now I go to kristen.mit.edu (one of the machines that should have sshd access but
not telnet access):
cory1> ssh kristen
evanmf@ATHENA.MIT.EDU@kristen's password:
Last login: Sun Sep 24 16:47:53 2000 from cory1.mit.edu
kristen> ssh cory1
evanmf@ATHENA.MIT.EDU@cory1's password:
cory1> exit
logout
kristen> telnet cory1
Trying 18.77.2.125...
Connected to CORY1.MIT.EDU (18.77.2.125).
Escape character is '^]'.
cory1 (Linux release 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000) (5)
Warning: this session is NOT encrypted!
login: evanmf
Password for evanmf:
Last login: Sun Sep 24 17:07:16 from kristen.mit.edu
Athena Workstation (linux) Version Layered Sat Sep 23 12:06:31 EDT 2000
Running standard startup activities ...
X11 connection rejected because of wrong authentication at Sun Sep 24 17:12:28 2000.
a
Rejected connection at Sun Sep 24 17:12:28 2000: X11 connection from cory1.mit.edu port 1032
X connection to kristen:1.0 broken (explicit kill or server shutdown).
Running custom startup activities listed in ~/.startup.tty ...
cory1> exit
logout
______________________________________________
So clearly I am doing something wrong because it is still allowing
telnet from anywhere.
Any recommendations?
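A useful first step when the live behaviour disagrees with the rule files is to evaluate the files the way hosts_access(5) says libwrap does: hosts.allow is consulted first, then hosts.deny, and a (daemon, client) pair that matches neither is granted access. The script below is an added example, not part of this thread and not Athena code; it embeds the hosts.allow and hosts.deny contents quoted above as constructed sample strings and only models the ALL, dotted-prefix ("192.9.200."), net/mask and literal-address client patterns (hostname patterns and EXCEPT are left out). The daemon field is compared with the name the server is started under (the basename of the program in inetd.conf, "telnetd" for the line above), so the names in hosts.allow must match that, not the inetd.conf service name. If the evaluator says "deny" for telnetd while a real telnet still gets in, the rule text is not where to look next; the question becomes whether that service path consults the files at all.

```python
"""Evaluate TCP wrappers (hosts_access(5)) rules: allow file first, then
deny file, else allow.  Added example; not the original poster's or Athena's."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Rule:
    daemons: list   # daemon-name patterns, e.g. ["sshd"] or ["ALL"]
    clients: list   # client patterns, e.g. ["18.77.2.125", "192.9.200."]
    source: str     # the logical line the rule came from, for reporting


def logical_lines(text):
    """Drop comments and blanks, join lines that end in a backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf.strip():            # dangling continuation at end of file
        yield buf.strip()


def parse_rules(text):
    """Each logical line is 'daemon_list : client_list [: options]';
    lists are comma- or whitespace-separated."""
    rules = []
    for line in logical_lines(text):
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue           # malformed line; tcpd logs and skips it
        rules.append(Rule(fields[0].replace(",", " ").split(),
                          fields[1].replace(",", " ").split(), line))
    return rules


def client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # leading-octet prefix such as "192.9.200."
        return client_ip.startswith(pattern)
    if "/" in pattern:         # "net/mask" form such as "18.77.0.0/255.255.0.0"
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return pattern == client_ip  # literal address (no hostname lookups here)


def first_match(rules, daemon, client_ip):
    for rule in rules:
        if any(d in ("ALL", daemon) for d in rule.daemons) and \
           any(client_matches(c, client_ip) for c in rule.clients):
            return rule
    return None


def decide(allow_text, deny_text, daemon, client_ip):
    """Return ('allow'|'deny', text of the deciding rule or None)."""
    rule = first_match(parse_rules(allow_text), daemon, client_ip)
    if rule:
        return "allow", rule.source
    rule = first_match(parse_rules(deny_text), daemon, client_ip)
    if rule:
        return "deny", rule.source
    return "allow", None       # matched neither file: access granted


# Constructed copies of the files quoted in the message above.
HOSTS_DENY = """\
# hosts.deny as posted
ALL:ALL
"""

HOSTS_ALLOW = """\
#telnetd: 192.9.200.
#ftpd: 192.9.200.
portmap: 18.77.2.125, 18.77.2.126, 18.77.2.127, 18.77.2.128, \\
18.77.0.116, 18.77.0.117, 18.77.0.118, 18.77.0.119, 18.77.0.120, \\
18.77.0.103, 18.77.0.152, 18.77.1.232, 18.77.1.233, 192.9.200.
sshd: 18.77.2.125, 18.77.2.126, 18.77.0.119, 18.77.0.103, \\
18.77.1.232, 18.77.1.233, 192.9.200.
"""

if __name__ == "__main__":
    # 18.77.2.126 is one of the listed addresses; 10.1.2.3 is an outsider.
    for daemon, ip in [("telnetd", "18.77.2.126"), ("sshd", "18.77.2.126"),
                       ("sshd", "10.1.2.3"), ("portmap", "192.9.200.77")]:
        print(f"{daemon:8} {ip:15} -> {decide(HOSTS_ALLOW, HOSTS_DENY, daemon, ip)}")
```

With the posted files, telnetd from any address falls through hosts.allow (its only telnetd line is commented out) and hits ALL:ALL in hosts.deny, so the rules as written do deny it; sshd and portmap from the listed addresses are allowed, and from anywhere else denied.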