Re: tcpd -DPARANOID doesn't work, and never did

[imp () VILLAGE ORG (Warner Losh)]

In message <19981109062947.24560.qmail () cr yp to> "D. J. Bernstein" writes:
: Here's the combined procedure used by tcpd -DPARANOID and rshd/rlogind
: to check for trusted hosts:
:
:    (1) Use DNS PTR records to find a name for the remote IP address.
:
:    (2) Use DNS A records to find the IP addresses for that name.
:
:    (3) Drop the connection if the remote IP address is not one of the
:        IP addresses for that name.
:
:    (4) Use DNS PTR records to find a name for the remote IP address,
:        and check that the name is in a list of trusted host names.
:
: The A records for all trusted hosts can be controlled locally. With
: secure IP and secure DNS, there's no way for a trusted host name in #1
: to survive the check in #3 unless the remote IP address is listed as an
: A record for that name.

For local domains (and all domains when rshd is run -a), there is a
step 5 which is basically the same as step 2 as a cross check.  This
check appears to only be in rshd, but not rlogind.

:    * responds to the PTR query in #1 with a low-TTL name that points to
:      an A record under his control;
:
:    * pauses so that the PTR result is no longer cached;
:
:    * responds to the A query in #2 with his IP address; and then
:
:    * responds to the new PTR query in #4 with a trusted host name.

The cross check in step 5 (at least on the FreeBSD system that I just
now looked at) should catch this case because now the IPs don't match
what is in the gethostbyaddr data vs the gethostbyname stuff.

However, apparently, no such cross check exists in rlogind.  At least
I didn't see any in my 30 second gander at the sources.

Far be it from me to defent IP based authentication.  I don't run
services that use IP based authentication on machines that I care
about...

Warner