Bugtraq mailing list archives
Re: Sun's TTSESSION Vulnerability
From: charlieg () IC SUNYSB EDU (Charlie Giannetto)
Date: Thu, 30 Sep 1999 14:19:01 -0400
On Wed, 29 Sep 1999, Richard L. Goerwitz wrote:
> "Bauer, Rich" wrote:
>
> > One of our systems administrators recently told us that Sun's fix for the TTSESSION vulnerability (running ttsession with DES) prohibits root from using CDE in an NISPLUS environment, and prohibits any user from using CDE in a stand-alone environment. Is there a patch forthcoming or some other work-around that doesn't have these limitations?
>
> For us the key is that CDE is essentially useless in a stand-alone environment, or any environment in which NIS(+) is not being used. This is certainly not how Sun intended the product to function.

It does work without NIS/NIS+ (well, sort of), it's just that you have to create /etc/netid (see man netid for details) and /etc/publickey (man -s 4 publickey) files. However, certain applications (dtpad, dtmail, mailtool, and some others) still won't run. Also, I couldn't get a console root login to work under CDE either ... although some might consider this a plus. Now, I can't take credit for discovering this; that goes to Dan Astoorian, who pointed this out to me in a related discussion. Also, Sun has issued the following bug id associated with running ttsession with DES: 4272834