Amanda-Users

Re: [Amanda-users] 'Idiots Guide' for configuring Amanda on Linux?

2008-10-24 22:55:58
Subject: Re: [Amanda-users] 'Idiots Guide' for configuring Amanda on Linux?
From: Gene Heskett <gene.heskett AT verizon DOT net>
To: amanda-users AT amanda DOT org
Date: Fri, 24 Oct 2008 22:51:48 -0400
On Friday 24 October 2008, Dustin J. Mitchell wrote:
>On Fri, Oct 24, 2008 at 7:59 AM, Gene Heskett <gene.heskett AT verizon DOT net> wrote:
>>>Amanda accept a hostname "localhost" that is coming over the network? If
>>> this is possible, shouldn't this be fixed? I think not the possibility to
>>> configure it is the security hole itself.
>>
>> I don't know & will let Dustin or Jean-Louis answer that.  I haven't ever
>> tried it myself.
>
>Sorry to contradict you, Gene, but using 'localhost' in .amandahosts
>is no more a security hole than using BSD* auth in general.
>
>When Amanda accepts a connection, it performs a reverse-DNS
>translation of that hostname (getnameinfo), and then
>forward-translates that name to be sure it matches
>(check_host_give_sockaddr).  This happens in
>common-src/security-util.c.
>
>So if another machine connects from, say, 132.17.28.228, and has
>spoofed the reverse DNS for that IP to translate to
>"localhost.localdomain", then the server will map the IP to the name,
>then try to map "localhost.localdomain" back to that IP.  As long as
>the server is correctly configured to map "localhost.localdomain" to
>"127.0.0.1", the server will reject the connection.
>
>There are some security problems with BSD-based authentication, as it
>relies on the network layer to provide correct return IP addresses.
>This is better with TCP than with UDP, since TCP connections are
>harder to spoof, but man-in-the-middle attacks are still possible.  In
>general, if you're using BSD* authentication, your servers should be
>protected from the open internet.

Thanks for that clarification.  And yes, these machines are all behind an x86 
box running dd-wrt as a router.  Its logs can make interesting reading, but 
no one has gotten through it to me yet.  That knocking sound?  Me, knocking 
on wood. :)

>We already have SSH authentication, but that's not always easy to set
>up because it requires usernames and home directories.  I'd like to
>add SSL authentication using certificates, but at present there's no
>spare developer time to work on that.  Anyone interested? :)
>
>Dustin



-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
The Usenet news is out of date
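A small model of the reverse-then-forward hostname check Dustin describes, added here as an illustration and not Amanda's own code from common-src/security-util.c: constructed lookup tables stand in for DNS, the .amandahosts format is simplified to "hostname user" per line, and the spoofed-PTR case from the thread (132.17.28.228 claiming to be localhost.localdomain) is included.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed reverse (PTR) data. A peer controls the reverse zone for its own
# address space, so this is the part of the lookup the server cannot trust.
REVERSE: Dict[str, str] = {
    "127.0.0.1": "localhost.localdomain",
    "192.0.2.10": "client.example.org",
    "132.17.28.228": "localhost.localdomain",  # spoofed PTR, as in the thread
}

# Constructed forward (A) data, i.e. the server's own trusted view of names.
FORWARD: Dict[str, List[str]] = {
    "localhost.localdomain": ["127.0.0.1"],
    "client.example.org": ["192.0.2.10"],
}

# Constructed .amandahosts content, simplified to "hostname user" per line.
AMANDAHOSTS = """\
localhost.localdomain amandabackup
client.example.org amandabackup
"""


def verify_peer(ip: str, reverse=REVERSE, forward=FORWARD) -> Optional[str]:
    """Return the hostname for ip only if reverse and forward lookups agree.
    1. reverse: ip -> name (peer-influenced, like getnameinfo)
    2. forward: name -> addresses (server's resolver, like getaddrinfo)
    3. accept only if ip is among the forward results
    Note: the check still trusts the network layer to report the real
    source address, which is the residual weakness the thread points out.
    """
    name = reverse.get(ip)
    if name is None or ip not in forward.get(name, []):
        return None
    return name


def parse_amandahosts(text: str) -> Set[Tuple[str, str]]:
    """Parse the simplified file into a set of (hostname, user) pairs."""
    allowed = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            allowed.add((fields[0].lower(), fields[1]))
    return allowed


def is_authorized(ip: str, user: str, hosts: str = AMANDAHOSTS) -> bool:
    """Combine the DNS consistency check with the .amandahosts lookup."""
    name = verify_peer(ip)
    return name is not None and (name.lower(), user) in parse_amandahosts(hosts)
```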
