Re: tcpd -DPARANOID doesn't work, and never did

[peter () NETPLEX COM AU (Peter Wemm)]

Warner Losh wrote:
> In message <19981109062947.24560.qmail () cr yp to> "D. J. Bernstein" writes:
> : Here's the combined procedure used by tcpd -DPARANOID and rshd/rlogind
> : to check for trusted hosts:
> :
> :    (1) Use DNS PTR records to find a name for the remote IP address.
> :
> :    (2) Use DNS A records to find the IP addresses for that name.
> :
> :    (3) Drop the connection if the remote IP address is not one of the
> :        IP addresses for that name.
> :
> :    (4) Use DNS PTR records to find a name for the remote IP address,
> :        and check that the name is in a list of trusted host names.
> :
> : The A records for all trusted hosts can be controlled locally. With
> : secure IP and secure DNS, there's no way for a trusted host name in #1
> : to survive the check in #3 unless the remote IP address is listed as an
> : A record for that name.
>
> For local domains (and all domains when rshd is run -a), there is a
> step 5 which is basically the same as step 2 as a cross check.  This
> check appears to only be in rshd, but not rlogind.

The test in rshd appears redundant..  The real test is in libc in
ruserok() and iruserok().  rshd and rlogind are safe (as far as I can
tell) on all systems that are 4.3BSD-net2 (and later) derivatives.  They
don't need -DPARANOID at all.  I've seen the net2 and Lite code integrated
with some commercial systems (notably SCO), and I believe the likes of AIX
have it too.  The main ones I do not know about are Solaris and all the
different Linux distributions.

> Far be it from me to defent IP based authentication.  I don't run
> services that use IP based authentication on machines that I care
> about...

Amen to that!

> Warner

Cheers,
-Peter