On Friday 24 October 2008, Dustin J. Mitchell wrote:
>On Fri, Oct 24, 2008 at 7:59 AM, Gene Heskett <gene.heskett AT verizon DOT
>net> wrote:
>>>Amanda accept a hostname "localhost" that is coming over the network? If
>>> this is possible, shouldn't this be fixed? I think not the possibility to
>>> configure it is the security hole itself.
>>
>> I don't know & will let Dustin or Jean-Louis answer that. I haven't ever
>> tried it myself.
>
>Sorry to contradict you, Gene, but using 'localhost' in .amandahosts
>is no more a security hole than using BSD* auth in general.
>
>When Amanda accepts a connection, it performs a reverse-DNS
>translation of that hostname (getnameinfo), and then
>forward-translates that name to be sure it matches
>(check_host_give_sockaddr). This happens in
>common-src/security-util.c.
>
>So if another machine connects from, say, 132.17.28.228, and has
>spoofed the reverse DNS for that IP to translate to
>"localhost.localdomain", then the server will map the IP to the name,
>then try to map "localhost.localdomain" back to that IP. As long as
>the server is correctly configured to map "localhost.localdomain" to
>"127.0.0.1", the server will reject the connection.
>
>There are some security problems with BSD-based authentication, as it
>relies on the network layer to provide correct return IP addresses.
>This is better with TCP than with UDP, since TCP connections are
>harder to spoof, but man-in-the-middle attacks are still possible. In
>general, if you're using BSD* authentication, your servers should be
>protected from the open internet.
Thanks for that clarification. And yes, these machines are all behind an x86
box running dd-wrt as a router. Its logs can make interesting reading, but
no one has gotten through it to me yet. That knocking sound? Me, knocking
on wood. :)
>We already have SSH authentication, but that's not always easy to set
>up because it requires usernames and home directories. I'd like to
>add SSL authentication using certificates, but at present there's no
>spare developer time to work on that. Anyone interested? :)
>
>Dustin
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
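The reverse-then-forward check Dustin describes, as an added stand-alone illustration (not Amanda's code; the real check is check_host_give_sockaddr in common-src/security-util.c): reverse-resolve the peer address to a name, forward-resolve that name, and only accept the peer if its address is among the forward answers, before consulting the allow list. The resolver functions are pluggable so the block runs offline against constructed lookup tables that model the spoofed-PTR scenario from the thread; by default it uses the real socket library. All host names, the allow list and the lookup tables are constructed for the example.

```python
"""Reverse/forward DNS consistency check, modelled on the one described
in the thread.  Added example, not Amanda's own code.  Resolver functions
are injectable so the logic can be exercised offline."""
import socket


def default_reverse(ip):
    """PTR lookup: IP string -> canonical host name (raises OSError on failure)."""
    return socket.gethostbyaddr(ip)[0]


def default_forward(name):
    """A/AAAA lookup: host name -> set of IP strings (raises OSError on failure)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def check_peer(peer_ip, allowed_hosts, reverse=default_reverse, forward=default_forward):
    """Return (accepted, reason).

    1. reverse-resolve peer_ip to a name,
    2. forward-resolve that name and require peer_ip to be one of the answers,
    3. only then compare the name against the allow list (.amandahosts analogue).
    Step 2 is what defeats an attacker who only controls the PTR record.
    """
    try:
        name = reverse(peer_ip)
    except OSError as e:
        return False, f"no reverse mapping for {peer_ip}: {e}"
    try:
        addrs = forward(name)
    except OSError as e:
        return False, f"{name} does not forward-resolve: {e}"
    if peer_ip not in addrs:
        return False, f"{name} resolves to {sorted(addrs)}, not {peer_ip}"
    if name.lower() not in {h.lower() for h in allowed_hosts}:
        return False, f"{name} is not in the allow list"
    return True, f"{peer_ip} -> {name} -> {peer_ip} verified"


# Constructed lookup tables (not real DNS data) modelling the scenario in
# the thread: the attacker at 132.17.28.228 controls the PTR for that
# address and points it at localhost.localdomain, but the server's own
# forward mapping for that name still says 127.0.0.1.
FAKE_PTR = {
    "127.0.0.1": "localhost.localdomain",
    "132.17.28.228": "localhost.localdomain",  # spoofed PTR record
    "10.0.0.5": "client.example.test",
}
FAKE_A = {
    "localhost.localdomain": {"127.0.0.1"},
    "client.example.test": {"10.0.0.5"},
}


def fake_reverse(ip):
    """Offline stand-in for gethostbyaddr using the constructed PTR table."""
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise OSError("NXDOMAIN")


def fake_forward(name):
    """Offline stand-in for getaddrinfo using the constructed A table."""
    try:
        return FAKE_A[name]
    except KeyError:
        raise OSError("NXDOMAIN")


# Hypothetical .amandahosts-style allow list for the example.
ALLOWED = ["localhost.localdomain", "client.example.test"]


def demo():
    """Run the check for the constructed peers; returns {ip: (accepted, reason)}."""
    results = {}
    for ip in ("127.0.0.1", "132.17.28.228", "10.0.0.5", "192.0.2.9"):
        results[ip] = check_peer(ip, ALLOWED, fake_reverse, fake_forward)
    return results


if __name__ == "__main__":
    for ip, (ok, why) in demo().items():
        print("ACCEPT" if ok else "REJECT", ip, "-", why)
```

Running it shows 127.0.0.1 and 10.0.0.5 accepted and 132.17.28.228 rejected because localhost.localdomain forward-resolves to 127.0.0.1 rather than to the peer. Note the limit Dustin states: this only catches a spoofed reverse record. An attacker who can spoof the source IP itself, or sit in the path, presents an address the forward lookup does agree with, which is why the check is no stronger than the network layer it relies on.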