Re: Hardware tokens for remote access authentication

[ArkanoiD <ark () eltex net>]

nuqneH,

On Mon, Jul 12, 2004 at 07:33:15PM -0400, Marcus J. Ranum wrote:
> Vin McLellan wrote:
> > See Kevin Kadow's April '99 post to Bugtraq, "FWTK, Gauntlet 'random seed' security >problem," at: 
> > <http://www.securityfocus.com/archive/1/19990416203627.15201.qmail>.
>
>       Kadow's attack is heavily reliant on shell-level access to the
>       auth server. Anyone who gave shell-level access to their auth
>       server has already voided the warranty. ;) You're not supposed
>       to do that!!!  Kadow's at least intellectually honest enough to
>       mention in his writeup that normal FWTK/Gauntlet configuration
>       practice is to only allow connections to authsrv on the loopback
>       port, which completely defeats the attack unless the attacker
>       is ON the machine. That's how it was designed to be run, and
>       that's how it was configured in Gauntlet. In other words, the
>       attack would never work against a system that had not already
>       been misconfigured to the point of stupidity.

BTW, not really completely, unless you use encryption patch. There may be
ways to trick some proxy to connect to loopback interface (unless explicitly
denied in netperm-table).

That's why we included unix socket support in our authsrv replacement.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards