Subject: Re: root password : security hole ?
To: Quentin Garnier <netbsd@quatriemek.com>
From: David Laight <david@l8s.co.uk>
List: netbsd-users
Date: 03/12/2003 10:49:35
> The problem lies in usr.bin/login/login.c, near line 492:
> 
> /*
>  * If trying to log in as root without Kerberos,
>  * but with insecure terminal, refuse the login attempt.
>  */
> if (pwd && !rval && rootlogin && !rootterm(tty)) {
> 
> First of all, the comment preceding the test is misleading: Kerberos
> authentication doesn't skip the test since revision 1.29. It should be
> removed.

Should the 'pwd' be removed as well?
The fact that root doesn't have a password shouldn't mean you can log in
from anywhere.

> IMHO, there should be a (rootlogin && !rootterm(tty)) test even before
> asking for a password, but at first we can remove the test of rval value.

Ask for the password first, but always report it as invalid.  That
way the hacker sits there trying other passwords instead of going to
a different system...

So something like:

		if (rootlogin && !rootterm(tty)) {
			if (hostname)
				syslog(LOG_NOTICE,
				    "LOGIN %s REFUSED FROM %s ON TTY %s",
				    pwd->pw_name, hostname, tty);
			else
				syslog(LOG_NOTICE,
				    "LOGIN %s REFUSED ON TTY %s",
				    pwd->pw_name, tty);
			rval = 1;
		}


	David

-- 
David Laight: david@l8s.co.uk
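
Added example, not part of the original message or of NetBSD's login.c: a stand-alone C model comparing the condition quoted in the thread with the check suggested in the reply. `rootterm_stub()`, the tty names and the helper names are constructed for illustration; `have_pwd` stands for the `pwd` pointer being non-NULL, and `rval == 0` is taken to mean the password check succeeded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for rootterm(): a fixed list marks the secure ttys. */
static const char *const secure_ttys[] = { "console", "ttyE0" };

static bool rootterm_stub(const char *tty)
{
    for (size_t i = 0; i < sizeof secure_ttys / sizeof secure_ttys[0]; i++)
        if (strcmp(tty, secure_ttys[i]) == 0)
            return true;
    return false;
}

/* Condition quoted in the thread: the refusal branch is reached only
 * when the password check already succeeded (rval == 0). */
static bool quoted_refuses(bool have_pwd, int rval, bool rootlogin,
                           const char *tty)
{
    return have_pwd && !rval && rootlogin && !rootterm_stub(tty);
}

/* Check suggested in the reply: applied after the password prompt, it
 * forces a failure for root on an insecure tty whatever rval was. */
static int suggested_rval(int rval, bool rootlogin, const char *tty)
{
    if (rootlogin && !rootterm_stub(tty))
        rval = 1;
    return rval;
}

/* True when a root attempt on tty takes a different path depending on
 * whether the password was right (quoted condition). */
static bool quoted_depends_on_password(const char *tty)
{
    return quoted_refuses(true, 0, true, tty) !=
           quoted_refuses(true, 1, true, tty);
}

int main(void)
{
    const char *tty = "ttyp0";          /* constructed insecure tty */
    printf("quoted check password-dependent on %s: %d\n",
           tty, quoted_depends_on_password(tty));
    printf("suggested rval, good/bad password: %d/%d\n",
           suggested_rval(0, true, tty), suggested_rval(1, true, tty));
    return 0;
}
```
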