Great Circle Associates Firewalls
(February 1993)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: rlogin vs telnet
From: chk @ alias . com (C. Harald Koch)
Date: Fri, 26 Feb 1993 11:08:31 -0500
To: firewalls @ GreatCircle . COM
In-reply-to: <9302252155 . AA24890 @ mycroft . GreatCircle . COM> from "smb @ research . att . com" at Feb 25, 93 04:54:24 pm

> There are two issues.  First, rlogin uses a very weak form of authentication;
> it's sometimes possible to spoof it.  Second, the *source* port for rlogin
> is a random ``privileged'' port, and you probably don't want to allow
> unrestricted access in that range.

It's especially easy when you have 'non-secure' machines on your network,
such as PCs or Macs. Since there's no such thing as a privileged port on a
PC, it's trivial to create an rlogin session that specifies an arbitrary
user name.

I've seen similar problems with NFS clients on PCs. Many NFS implementations
I've seen allow you to specify an arbitrary userid as your 'client ID',
without any athentication by the server. So, for example, you can mount a
remote filesystem as user 'bin', and replace any arbitrary files
(/usr/bin/atrun is fast way to get root...)

The moral of this convoluted digression is that when it comes to security,
you *cannot* trust any information about the remote machine. Privileged
ports aren't, usernames and userids can be spoofed, and so on.

Main's Law: For every       | C. Harald Koch  Alias Research, Inc. Toronto, ON
action, there is an equal   | chk @
 alias .
 com                (work-related mail)
and opposite goverment      | chk @
 gpu .
 utcs .
 utoronto .
 ca     (permanent address)
program.                    | VE3TLA @
 VE3OY .
 #SCON .
 ON .
 CA .
 NA            (AMPRNet)

Indexed By Date Previous: Proxy Software
From: jbezek @ rosedale . org
Next: Re: Proxy Software
From: Brent Chapman <brent @ GreatCircle . COM>
Indexed By Thread Previous: Re: rlogin vs telnet
From: smb @ research . att . com
Next: Re: rlogin vs telnet
From: Rahul Dhesi <dhesi @ rahul . net>

Search Internet Search