From ciaran@aldhfn.aldhfn.org  Sat Nov 23 06:43:02 1996
Received: from aldhfn.aldhfn.org (root@aldhfn.aldhfn.org [198.17.116.1])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id GAA28455
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 23 Nov 1996 06:43:02 -0800 (PST)
Received: (from ciaran@localhost) by aldhfn.aldhfn.org (8.6.12/8.6.11.1) id JAA04480; Sat, 23 Nov 1996 09:40:12 -0500
Message-Id: <199611231440.JAA04480@aldhfn.aldhfn.org>
Date: Sat, 23 Nov 1996 09:40:12 -0500
From: Skip Watson <ciaran@aldhfn.aldhfn.org>
Reply-To: ciaran@aldhfn.aldhfn.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: rlogind not using passwords
X-Send-Pr-Version: 3.2

>Number:         2092
>Category:       bin
>Synopsis:       rlogind not using passwords
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 23 06:50:03 PST 1996
>Closed-Date:    Mon Feb 17 06:53:07 PST 1997
>Last-Modified:  Mon Feb 17 06:53:38 PST 1997
>Originator:     Skip Watson
>Release:        FreeBSD 2.1-STABLE i386
>Organization:
Skip
--
Auldhaefen Online Services		automated info: info@aldhfn.org
330 745-9380 voice			     questions: support@aldhfn.org
330 753-8791 bbs/fax			        person: ciaran@aldhfn.org
330 745-7624 data		                   WWW: http://www.ald.net
>Environment:

FreeBSD aldhfn.aldhfn.org 2.1.0-RELEASE FreeBSD 2.1.0-RELEASE #0: Mon Nov 20 13:22:52 EST 1995     ciaran@aldhfn.aldhfn.org:/usr/src/sys/compile/ALDHFN  i386

and

FreeBSD arachne.aldhfn.org 2.1.5-RELEASE FreeBSD 2.1.5-RELEASE #0: Thu Jul 18 02:24:53 EDT 1996     root@arachne.aldhfn.org:/usr/src/sys/compile/ARACHNE  i386

>Description:

	When using rlogin from a remote site, rlogind does not use passwords
on the local machine. As an example, user "timmy" has an account on our
machine (aldhfn.aldhfn.org) with a password of "letmein". He also has an
account of "timmy" at xyz.com with a password of "whocares". "timmy" logs
into "xyz.com" and then rlogins to our machine. rlogind logs him directly
into our machine without asking for his password on our machine. Since the
two passwords are different it should be authenticating him rather than logging
him in directly.
	This is a major problem since anyone can login as anyone else, even
root.
	The same thing is occurring with arachne.aldhfn.org which is running
2.1.5. I have gotten in 2.1.6 but haven't had time to install it. I don't know
if 2.1.6 will solve this problem or not.

>How-To-Repeat:

	It happens all of the time. There's nothing special that needs to be 
done.

>Fix:
	
	Don't know.	

>Release-Note:
>Audit-Trail:

From: Poul-Henning Kamp <phk@critter.tfs.com>
To: ciaran@aldhfn.aldhfn.org
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/2092: rlogind not using passwords 
Date: Sat, 23 Nov 1996 16:27:55 +0100

 >>How-To-Repeat:
 >
 >	It happens all of the time. There's nothing special that needs to be 
 >done.
 
 Please take a peek in the manpage for ruserok() and see if you didn't
 overlook something...
 
 --
 Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
 http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
 whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
 Future will arrive by its own means, progress not so.

From: Skip Watson <ciaran@aldhfn.aldhfn.org>
To: Poul-Henning Kamp <phk@critter.tfs.com>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/2092: rlogind not using passwords 
Date: Sat, 23 Nov 1996 11:20:16 -0500 (EST)

 On Sat, 23 Nov 1996, Poul-Henning Kamp wrote:
 
 > >>How-To-Repeat:
 > >
 > >	It happens all of the time. There's nothing special that needs to be 
 > >done.
 > 
 > Please take a peek in the manpage for ruserok() and see if you didn't
 > overlook something...
 
 From the man page (but you know this ;-)).
 ------------
      The iruserok() and ruserok() functions take a remote host's IP address or
      name, as returned by the gethostbyname(3) routines, two user names and a
      flag indicating whether the local user's name is that of the super-user.
      Then, if the user is NOT the super-user, it checks the /etc/hosts.equiv
      file.  If that lookup is not done, or is unsuccessful, the .rhosts in the
      local user's home directory is checked to see if the request for service
      is allowed.
      If this file does not exist, is not a regular file, is owned by anyone
      other than the user or the super-user, or is writeable by anyone other
      than the owner, the check automatically fails.  Zero is returned if the
      machine name is listed in the ``hosts.equiv'' file, or the host and remote
      user name are found in the ``.rhosts'' file; otherwise iruserok()
      and ruserok() return -1.  If the local domain (as obtained from
      gethostname(2))  is the same as the remote domain, only the machine name
      need be specified.
 -----------
 	The user is not the super-user. The remote site is not in 
 /etc/hosts.equiv and the user has no .rhosts file. It should fail.
 
 	I'm not a programmer so I can't go in and check things :-(.
 	I did install tcp_wrapper to see if that made any difference. For what 
 it is worth, it didn't.
  
 Skip
 

From: Poul-Henning Kamp <phk@critter.tfs.com>
To: Skip Watson <ciaran@aldhfn.aldhfn.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/2092: rlogind not using passwords 
Date: Sat, 23 Nov 1996 17:43:43 +0100

 Are you sure your system hasn't been hacked ?
 
State-Changed-From-To: open->feedback 
State-Changed-By: joerg 
State-Changed-When: Sun Dec 22 15:10:13 MET 1996 
State-Changed-Why:  
The behaviour described in this PR cannot be seen on any other FreeBSD system
around.  Please make sure that your system has not been hacked.

Try adding some debugging syslog() lines to rlogind, to make sure
what's happening.  Replace the function do_rlogin() in
/usr/src/libexec/rlogind/rlogind.c with:

int
do_rlogin(dest)
	struct sockaddr_in *dest;
{
	int rv;

	/* Read the three NUL-terminated strings the rlogin client sends. */
	getstr(rusername, sizeof(rusername), "remuser too long");
	getstr(lusername, sizeof(lusername), "locuser too long");
	getstr(term+ENVSIZE, sizeof(term)-ENVSIZE, "Terminal type too long");

	pwd = getpwnam(lusername);
	if (pwd == NULL)
		return (-1);
	/* XXX why don't we syslog() failure? */
	/* 0: hosts.equiv/.rhosts allowed it; -1: a password will be required. */
	rv = (iruserok(dest->sin_addr.s_addr, pwd->pw_uid == 0,
	    rusername, lusername));
	/* inet_ntoa() takes the struct in_addr itself, not its s_addr member. */
	syslog(LOG_DEBUG,
	    "do_rlogin(): from %s, ruser %s, luser %s, iruserok(): %d",
	    inet_ntoa(dest->sin_addr), rusername,
	    lusername, rv);
	return (rv);
}


Make sure to catch the syslog output somewhere, preferably on
another host.  You might want to make the logging conditional
on some username or IP address.
State-Changed-From-To: feedback->closed 
State-Changed-By: mpp 
State-Changed-When: Mon Feb 17 06:53:07 PST 1997 
State-Changed-Why:  
The originator reports that the problem disappeared after 
an upgrade. 
>Unformatted:
