Firewall Wizards mailing list archives
Re: Hardware tokens for remote access authentication
From: ArkanoiD <ark () eltex net>
Date: Thu, 15 Jul 2004 13:19:12 +0400
nuqneH, On Mon, Jul 12, 2004 at 07:33:15PM -0400, Marcus J. Ranum wrote:
> Vin McLellan wrote:
>
> > See Kevin Kadow's April '99 post to Bugtraq, "FWTK, Gauntlet 'random seed' security problem," at: <http://www.securityfocus.com/archive/1/19990416203627.15201.qmail>.
>
> Kadow's attack is heavily reliant on shell-level access to the auth server. Anyone who gave shell-level access to their auth server has already voided the warranty. ;) You're not supposed to do that!!!
>
> Kadow's at least intellectually honest enough to mention in his writeup that normal FWTK/Gauntlet configuration practice is to only allow connections to authsrv on the loopback port, which completely defeats the attack unless the attacker is ON the machine. That's how it was designed to be run, and that's how it was configured in Gauntlet. In other words, the attack would never work against a system that had not already been misconfigured to the point of stupidity.
BTW, not really completely, unless you use the encryption patch. There may be ways to trick some proxy into connecting to the loopback interface (unless explicitly denied in netperm-table). That's why we included Unix socket support in our authsrv replacement.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
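The risk ArkanoiD points at, a proxy on the firewall host being steered into opening a connection to its own loopback interface (where an authsrv bound to 127.0.0.1 listens), can also be caught inside the proxy before any connect() happens. The following destination check is an added example written for this page, not code from the thread, from FWTK or from Gauntlet; the `fake_resolver` and its `FAKE_DNS` table are constructed so the example runs offline, and the hostnames and addresses in it are placeholders.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Ranges a proxy must never be talked into reaching on the firewall host's behalf.
# Loopback is the one that matters for a loopback-only authsrv; link-local is
# included because the same trick reaches it the same way.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fe80::/10"),
]

def resolve_all(host: str) -> list:
    """Default resolver: every address the name maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_blocked_destination(host: str,
                           resolver: Callable[[str], Iterable[str]] = resolve_all) -> bool:
    """Return True if the destination may not be contacted.

    Every resolved address is checked, not just the first one, so a name that
    mixes a public address with 127.0.0.1 cannot slip past. A name that resolves
    to nothing is treated as blocked (fail closed)."""
    try:
        addrs = [ipaddress.ip_address(host)]          # literal address, no lookup
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        return True
    for addr in addrs:
        # IPv4-mapped IPv6 (::ffff:127.0.0.1) is loopback too; unwrap before comparing.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if any(addr in net for net in BLOCKED_NETWORKS):
            return True
    return False

# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "www.example.org": ["93.184.216.34"],
    "mixed.example.org": ["93.184.216.34", "127.0.0.1"],
}

def fake_resolver(host: str) -> list:
    """Hypothetical resolver backed by FAKE_DNS; unknown names resolve to nothing."""
    return FAKE_DNS.get(host, [])
```

Binding authsrv to a Unix socket, as ArkanoiD's replacement does, removes the TCP destination altogether, so this check is the fallback for proxies that must still reach the network.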