Bugtraq mailing list archives

Re: tcpd -DPARANOID doesn't work, and never did


From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Tue, 10 Nov 1998 16:43:42 -0500


Peter Wemm:
> rshd and rlogind are safe (as far as I can
> tell) on all systems that are 4.3BSD-net2 (and later) derivatives.  They
> don't need -DPARANOID at all.

Correction: the NET2 rshd/rlogind `paranoid' code is NOT ok.

NET2 code looks up the client name with gethostbyaddr(), checks
the address list from gethostbyname(), and then uses the hostname
result from gethostbyname(), which could be something different.

That's why TCPD demands that the hostname results from gethostbyaddr()
and gethostbyname() be identical, and doesn't even allow PTRs to
CNAMEs.  Without this, it was just too easy to spoof your way in.

Unfortunately, the BSD-style `paranoid' check that ends up using
the wrong hostname has made its way into other programs as well.

        Wietse
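
The difference between the two checks described in the message above, as an added C sketch (not code from tcpd, NET2, or the original post). The `struct lookup` type, the function names, and the hostnames and addresses are constructed stand-ins for gethostbyaddr()/gethostbyname() results, so nothing queries real DNS.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for resolver results; hypothetical type, no real DNS. */
struct lookup {
    const char *ptr_name;     /* hostname from gethostbyaddr(client address) */
    const char *fwd_name;     /* h_name from gethostbyname(ptr_name) */
    const char *fwd_addrs[4]; /* h_addr_list from gethostbyname(), NULL-terminated */
};

static int addr_listed(const struct lookup *l, const char *client_addr)
{
    for (int i = 0; i < 4 && l->fwd_addrs[i] != NULL; i++)
        if (strcmp(l->fwd_addrs[i], client_addr) == 0)
            return 1;
    return 0;
}

/* BSD-style check as described: verify the address list, then keep the forward lookup's name. */
const char *bsd_style_name(const struct lookup *l, const char *client_addr)
{
    if (!addr_listed(l, client_addr))
        return NULL;
    return l->fwd_name; /* never compared against ptr_name */
}

/* Strict check: both lookups must agree on the hostname, and the address must be listed. */
const char *strict_name(const struct lookup *l, const char *client_addr)
{
    if (strcasecmp(l->ptr_name, l->fwd_name) != 0)
        return NULL; /* names differ, e.g. a PTR that points at a CNAME */
    if (!addr_listed(l, client_addr))
        return NULL;
    return l->ptr_name;
}

/* Constructed samples: one consistent record set, one where the names disagree. */
const struct lookup consistent = { "host.example.org", "host.example.org", { "192.0.2.10", NULL } };
const struct lookup mismatched = { "alias.example.net", "host.example.org",
                                   { "192.0.2.10", "192.0.2.99", NULL } };

int main(void)
{
    const char *n = strict_name(&mismatched, "192.0.2.99");
    printf("bsd-style: %s\n", bsd_style_name(&mismatched, "192.0.2.99"));
    printf("strict:    %s\n", n ? n : "(rejected)");
    return 0;
}
```
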


