|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Clifton Royston (cliftonr
lava.net)Date: Fri Sep 21 2001 - 13:53:06 CDT
On Fri, Sep 21, 2001 at 09:45:52AM -0700, Seth Arnold wrote:
> On Fri, Sep 21, 2001 at 12:31:12PM +0300, Rumen Telbizov wrote:
> > I tried the above vunlarability on 2 FreeBSD 4.3-RELEASE
> > boxes and it worked out! I tried this on one Linux RH6.2 box
> > with OpenSSH installed on it and it DID NOT work.
>
> This latest vulnerability is specific to systems that have implemented
> the BSD authentication class scheme. So, as far as I know, the only
> systems that could be vulnerable to this particular problem are BSDi,
> FreeBSD, OpenBSD, and possibly NetBSD.[1] So far, there have been
> confirmations of FreeBSD vulnerability, a compellingly good description
> of why OpenBSD is not vulnerable, and (as far as I remember) no feedback
> from BSDi or NetBSD.
According to its documentation BSD/OS (BSDi) only supports the primary
/etc/login.conf, and does not support the user-level ~/login.conf
construct, as of BSD/OS 4.1 (haven't checked 4.2 yet). This seems to
render the whole issue irrelevant for BSD/OS.
I've tested and confirmed this on one BSD/OS 4.1 system. Unless my
test is incorrect, it doesn't appear I can override or set anything at
all from ~/login.conf.
-- Clifton
-- Clifton Royston -- LavaNet Systems Architect -- cliftonr
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]