Re: Sun's TTSESSION Vulnerability

[charlieg () IC SUNYSB EDU (Charlie Giannetto)]

On Wed, 29 Sep 1999, Richard L. Goerwitz wrote:

> "Bauer, Rich" wrote:
> > One of our systems administrators recently told us that Sun's fix for the
> > TTSESSION vulnerability (running ttsession with DES) prohibits root from
> > using CDE in an NISPLUS environment, and prohibits any user from using CDE
> > in a stand-alone environment.  Is there a patch forthcoming or some other
> > work-around that doesn't have these limitations ?
>
> For us the key is that CDE is essentially useless in a stand-alone en-
> vironment, or any environment in which NIS(+) is not being used.  This
> is certainly not how Sun intended the product to function.

  It does work without NIS/NIS+ (well sort of), it's just that you have to
create an /etc/netid (see man netid for details) and /etc/publickey (man
-s 4 publickey) files.  However, certain applications (dtpad, dtmail,
mailtool, and some others) still won't run.  Also, I couldn't get a
console root login to work under CDE either ... although some might
consider this a plus.

  Now, I can't take credit for discovering this, that goes to Dan
Astoorian who pointed this out to me in a related discussion.

  Also, Sun has issued the following bug id assoiciated with running
ttsessoin with DES: 4272834