Amanda-Users

Re: [Amanda-users] 'Idiots Guide' for configuring Amanda on Linux?

2008-10-24 12:23:04
Subject: Re: [Amanda-users] 'Idiots Guide' for configuring Amanda on Linux?
From: "Dustin J. Mitchell" <dustin AT zmanda DOT com>
To: "Gene Heskett" <gene.heskett AT verizon DOT net>
Date: Fri, 24 Oct 2008 11:37:00 -0400
On Fri, Oct 24, 2008 at 7:59 AM, Gene Heskett <gene.heskett AT verizon DOT net> 
wrote:
>> Amanda accept a hostname "localhost" that is coming over the network? If
>> this is possible, shouldn't this be fixed? I think not the possibility to
>> configure it is the security hole itself.
>
> I don't know & will let Dustin or Jean-Louis answer that.  I haven't ever
> tried it myself.

Sorry to contradict you, Gene, but using 'localhost' in .amandahosts
is no more a security hole than using BSD* auth in general.

When Amanda accepts a connection, it performs a reverse-DNS
translation of that hostname (getnameinfo), and then
forward-translates that name to be sure it matches
(check_host_give_sockaddr).  This happens in
common-src/security-util.c.

So if another machine connects from, say, 132.17.28.228, and has
spoofed the reverse DNS for that IP to translate to
"localhost.localdomain", then the server will map the IP to the name,
then try to map "localhost.localdomain" back to that IP.  As long as
the server is correctly configured to map "localhost.localdomain" to
"127.0.0.1", the server will reject the connection.

There are some security problems with BSD-based authentication, as it
relies on the network layer to provide correct return IP addresses.
This is better with TCP than with UDP, since TCP connections are
harder to spoof, but man-in-the-middle attacks are still possible.  In
general, if you're using BSD* authentication, your servers should be
protected from the open internet.

We already have SSH authentication, but that's not always easy to set
up because it requires usernames and home directories.  I'd like to
add SSL authentication using certificates, but at present there's no
spare developer time to work on that.  Anyone interested? :)

Dustin

-- 
Storage Software Engineer
http://www.zmanda.com
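
The reverse-then-forward check Dustin describes, as an added C example that is not Amanda's own common-src/security-util.c code: `reverse_then_forward()` maps the peer address to a name with getnameinfo(), then `forward_matches()` resolves that name and accepts only if one of its addresses equals the peer address, so a spoofed PTR answer of "localhost.localdomain" from 132.17.28.228 fails the forward step as long as the server resolves that name to 127.0.0.1. The function names and the `make_peer()` test helper are hypothetical, and the example is IPv4 only.

```c
/* Added example, not Amanda's common-src/security-util.c: the
 * reverse-then-forward host check, IPv4 only, in hypothetical helpers. */
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Forward step: resolve `name` and return 1 only if one of its A records
 * equals the address the connection actually came from. A spoofed PTR
 * answer passes only if the server's own forward lookup is wrong too. */
int forward_matches(const char *name, const struct sockaddr_in *peer)
{
    struct addrinfo hints, *res, *p;
    int ok = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return 0;                       /* unresolvable name: reject */
    for (p = res; p != NULL && !ok; p = p->ai_next) {
        const struct sockaddr_in *a = (const struct sockaddr_in *)p->ai_addr;
        ok = memcmp(&a->sin_addr, &peer->sin_addr, sizeof peer->sin_addr) == 0;
    }
    freeaddrinfo(res);
    return ok;
}

/* Reverse step (PTR lookup, name required) followed by the forward
 * step. On success `name` holds the hostname to match against
 * .amandahosts; any failure is a rejection. */
int reverse_then_forward(const struct sockaddr_in *peer,
                         char *name, size_t namelen)
{
    if (getnameinfo((const struct sockaddr *)peer, sizeof *peer,
                    name, namelen, NULL, 0, NI_NAMEREQD) != 0)
        return 0;                       /* no PTR record: reject */
    return forward_matches(name, peer);
}

/* Test helper: build an IPv4 peer address from dotted-quad text. Uses
 * static storage, so each call overwrites the previous result. */
struct sockaddr_in *make_peer(const char *ip)
{
    static struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    inet_pton(AF_INET, ip, &sin.sin_addr);
    return &sin;
}
```

The numeric-string lookups in the forward step need no DNS, so the mismatch case can be exercised offline; the reverse step depends on the host's resolver configuration.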
