Subject: Re: rexecd does not log failed authentications
To: None <current-users@NetBSD.ORG>
From: Simon J. Gerraty <firstname.lastname@example.org>
Date: 06/26/1996 23:53:35
VaX#n8 <email@example.com> writes:
>Like the title says, rexecd does not log failed authentications, allowing
>a user to brute-force accounts until the cows come home.
Yes the default r* commands probably should be disabled.
Fear not, you can have r* convenience with less risk.
For fans of SSL, I've implemented SSLrsh and SSLrdist over SSL.
Yes I have heard of ssh and believe it works well, but I prefer the
key management issues associated with digitally signed certificates as
used by SSL. Also your same cert can be used for HTTPS etc.
I hope to have this lot publicly available in the next few weeks - at
the moment you need the BSD make (no problem in this group I know :-)
For SSLrshd's authentication you have a file /etc/ssl.users like:
sjg:/C=AU/SP=Victoria/O=QuickMode Pty Ltd/CN=sjg/Emailfirstname.lastname@example.org
sjg:/C=AU/SP=Victoria/O=QuickMode Pty Ltd/CN=zen.quick.com.au/Emailemail@example.com
The first cert is an idividual one which would have an encrypted
private key - ie user must type in a passwd to use the
certificate. The 2nd is a host cert which typically has an
un-encrypted private key. These can be used easily from cron jobs -
but your security is reliant on the host cert being protected from
random users by the file system. SSLrshd will only accept a host cert
if the FQDN of the caller matches the /CN field, not strong but if you
don't like it - you don't have to list any host certs in ssl.users :-)
The client provides his cert which must be verifyable and if ok, the
user list is compared against the desired local user. If a match is
found or the cert is allowed root access, then away you go.
Logging is copious as is:
Jun 26 23:40:24 zen SSLrshd: SSL: user 'root' cert '/C=AU/SP=Victoria/O=QuickMode Pty Ltd/OU=quick.com.au/CN=not.quick.com.au/Emailfirstname.lastname@example.org' REJECTED
Jun 26 23:40:30 zen SSLrshd: email@example.com (/CN=not.quick.com.au) as root: DENIED (cert denied permission)
Jun 26 23:41:55 zen SSLrshd: firstname.lastname@example.org (/CN=sjg) as sjg: OK
Jun 26 23:41:55 zen SSLrshd: email@example.com as sjg: cmd='date'
If you log at info level you also get:
Jun 26 23:41:50 zen SSLrshd: verify: depth=0,xs=/C=AU/SP=Victoria/O=QuickMode Pty Ltd/OU=quick.com.au/CN=sjg/Emailfirstname.lastname@example.org
Jun 26 23:41:50 zen SSLrshd: verify: depth=1,xs=/C=AU/SP=Victoria/O=QuickMode Pty Ltd/OU=quick.com.au/CN=Quick CA/Emailemail@example.com
Jun 26 23:41:55 zen SSLrshd: SSL: user 'sjg' cert '/C=AU/SP=Victoria/O=QuickMode Pty Ltd/OU=quick.com.au/CN=sjg/Emailfirstname.lastname@example.org' OK