- Newsgroups: alt.security
- From: ckd@eff.org (Christopher Davis)
- Subject: Re: .rhosts -- disallowing
- Message-ID: <CKD.91Oct10140718@eff.org>
- Sender: ckd@eff.org (Christopher Davis)
- Organization: Electronic Frontier Foundation Tech Central
- References: <1991Oct8.062922.11268@nntp.uoregon.edu>
- <DERAADT.91Oct10034753@fsa.cpsc.ucalgary.ca>
- Date: Thu, 10 Oct 1991 18:07:24 GMT
-
- TdR> == Theo de Raadt <deraadt@cpsc.ucalgary.ca>
-
- TdR> In fact, if your site uses the name daemon, and the intruder can guess
- TdR> what just one line in your .rhosts file says, he can get into your
- TdR> account very easily. Yeah, yeah, CERT & gang have been told.
-
- TdR> Unfortunately, .rhosts is almost indispensable. It would be great
- TdR> if the address->hostname translation process would be bullet-proof.
- TdR> <tdr.
-
- Sun actually got this one right, though they did it in the wrong place ;-)
-
- Sun's resolver library won't return a name on a gethostbyaddr() unless
- an A record lookup on that name returns that address. This is great for
- r-access, but not so hot for stuff like traceroute, since *some* people
- (hi NSF) don't have proper A records matching their PTRs.
-
- There's also the host_access package (look for log_tcp with archie) that
- has a define, -DPARANOID, which does the same thing (disallows
- connections from sites that don't match properly) and can be added on to
- any system. It can also block telnet/rlogin/whatever from sites you
- don't want to hear from (open terminal servers at someone else's site,
- perhaps ;-)
-
- --Chris
- --
- Christopher Davis <ckd@eff.org> | WEIRD QUOTES OF THE WEEK:
- System Manager & Postmaster | "Carpe grepem."
- Electronic Frontier Foundation | "Seize the WAIS?"
- +1 617 864 0665 NIC: [CKD1] | -- two overworked technodweebs
-
-
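
The check described in the post above (accept a reverse-lookup name only when an A record for that name returns the connecting address), as an added example that is not part of the original post and is not Sun's or log_tcp's code. The record tables, addresses and the function names reverse_lookup, verified_name and rhosts_allows are constructed for illustration, and the tables stand in for real DNS lookups so the example runs offline.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed sample records standing in for DNS, so this runs offline. */
struct rec { const char *key; const char *val; };
static const struct rec PTR[] = {              /* address -> claimed name */
    { "192.0.2.10",   "trusted.example.com" }, /* consistent host */
    { "192.0.2.11",   "trusted.example.com" }, /* second address, same host */
    { "203.0.113.7",  "trusted.example.com" }, /* PTR claims a name its A records do not back */
    { "198.51.100.5", "gw.example.net" },      /* PTR with no A record at all */
};
static const struct rec A[] = {                /* name -> address */
    { "trusted.example.com", "192.0.2.10" },
    { "trusted.example.com", "192.0.2.11" },   /* multi-homed: every A record is checked */
};
#define COUNT(t) (sizeof(t) / sizeof((t)[0]))

/* Stand-in for gethostbyaddr(): the name the reverse zone claims, or NULL. */
static const char *reverse_lookup(const char *addr)
{
    for (size_t i = 0; i < COUNT(PTR); i++)
        if (strcmp(PTR[i].key, addr) == 0)
            return PTR[i].val;
    return NULL;
}

/* PTR name if some A record for it equals addr, else NULL (real code compares binary addresses). */
const char *verified_name(const char *addr)
{
    const char *name = reverse_lookup(addr);
    for (size_t i = 0; name != NULL && i < COUNT(A); i++)
        if (strcasecmp(A[i].key, name) == 0 && strcmp(A[i].val, addr) == 0)
            return name;
    return NULL;
}

/* .rhosts-style decision: trust only a verified name that matches the entry. */
int rhosts_allows(const char *addr, const char *entry_host)
{
    const char *name = verified_name(addr);
    return name != NULL && strcasecmp(name, entry_host) == 0;
}

int main(void)
{
    printf("%d %d\n", rhosts_allows("192.0.2.10", "trusted.example.com"),
           rhosts_allows("203.0.113.7", "trusted.example.com"));
    return 0;
}
```

The third constructed PTR entry is the traceroute case from the post: a PTR with no matching A record yields no name at all under this check.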