current-users: Re: rexecd does not log failed authentications

Subject: Re: rexecd does not log failed authentications
To: None <current-users@NetBSD.ORG>
From: Simon J. Gerraty <sjg@quick.com.au>
List: current-users
Date: 06/26/1996 23:53:35
VaX#n8 <vax@linkdead.paranoia.com> writes:
>Like the title says, rexecd does not log failed authentications, allowing
>a user to brute-force accounts until the cows come home.

Yes the default r* commands probably should be disabled.

Fear not, you can have r* convenience with less risk.
For fans of SSL, I've implemented SSLrsh and SSLrdist over SSL.

Yes I have heard of ssh and believe it works well, but I prefer the
key management issues associated with digitally signed certificates as
used by SSL.  Also your same cert can be used for HTTPS etc.

I hope to have this lot publicly available in the next few weeks - at
the moment you need the BSD make (no problem in this group I know :-)

--sjg

FYI...

For SSLrshd's authentication you have a file /etc/ssl.users like:
# user[,user,...]:cert_summary
sjg:/C=AU/SP=Victoria/O=QuickMode Pty Ltd/CN=sjg/Email=sjg@quick.com.au
sjg:/C=AU/SP=Victoria/O=QuickMode Pty Ltd/CN=zen.quick.com.au/Email=root@zen.quick.com.au

The first cert is an idividual one which would have an encrypted
private key - ie user must type in a passwd to use the
certificate. The 2nd is a host cert which typically has an
un-encrypted private key.  These can be used easily from cron jobs -
but your security is reliant on the host cert being protected from
random users by the file system.  SSLrshd will only accept a host cert
if the FQDN of the caller matches the /CN field, not strong but if you
don't like it - you don't have to list any host certs in ssl.users :-)

The client provides his cert which must be verifyable and if ok, the
user list is compared against the desired local user. If a match is
found or the cert is allowed root access, then away you go.

Logging is copious as is:

Jun 26 23:40:24 zen SSLrshd[5011]: SSL: user 'root' cert '/C=AU/SP=Victoria/O=QuickMode Pty Ltd/OU=quick.com.au/CN=not.quick.com.au/Email=root@quick.com.au' REJECTED
Jun 26 23:40:30 zen SSLrshd[5011]: root@not.quick.com.au (/CN=not.quick.com.au) as root: DENIED (cert denied permission)

Jun 26 23:41:55 zen SSLrshd[5032]: sjg@zen.quick.com.au (/CN=sjg) as sjg: OK
Jun 26 23:41:55 zen SSLrshd[5032]: sjg@zen.quick.com.au as sjg: cmd='date'

If you log at info level you also get:
Jun 26 23:41:50 zen SSLrshd[5032]: verify: depth=0,xs=/C=AU/SP=Victoria/O=QuickMode Pty Ltd/OU=quick.com.au/CN=sjg/Email=sjg@quick.com.au
Jun 26 23:41:50 zen SSLrshd[5032]: verify: depth=1,xs=/C=AU/SP=Victoria/O=QuickMode Pty Ltd/OU=quick.com.au/CN=Quick CA/Email=certs@quick.com.au
Jun 26 23:41:55 zen SSLrshd[5032]: SSL: user 'sjg' cert '/C=AU/SP=Victoria/O=QuickMode Pty Ltd/OU=quick.com.au/CN=sjg/Email=sjg@quick.com.au' OK