[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: new module request: pam_ident



On Mon, 27 Oct 1997, Andrew Morgan wrote:

> On these grounds, nothing in PAM (as distributed) is worth much over a
> network.  All those clear text passwords, rhosts authentication...: we
> may as well just go home and forget about it. ;^)

No. You miss understand. If I telnet into a box and present it with a
username and password it means either a) I am who I claim I am or b) I've
had enough control over the network to sniff the password off the wire. If
b is the case I dont even need to sniff the password I can simply highjack
the session.

Now if you use I dent for identification (which it was not meant to be
used for, read the RFC) it only means I have control over the ident port.
I could claim to be anyone I want to, even root. And if the server has
pretictable sequence number I dont even need to to on your local network
segment. This has all the same problems as any of the r-commands.

> Identd is part of the tcp-wrappers suite it has an RFC of its own and
> it is now commonly used by many commercial applications.  Its another
> layer: ideal for a module...  And after all PAM _is_ about choice.

Actually identd is does not come with tcp wrappers as of 7.6. It does come
with support for querying the server but it is only of value if the
attacker is stupid enough not to either a) disable ident or b) substitue
ident with something that lies. Choices are good. But giving people the
choice to shoot themselves in the foot is not. I rather see some PAM
modules that implement SASL, although it may not fit the PAM model as
well.

ftp://ds.internic.net/internet-drafts/*sasl*

> But mostly, I'd like to see a simple network-aware PAM written.  A
> secure user@host<->user@host authentication module could be created by
> someone with little understanding of PAM if there was some simple-to-
> understand code available as a reference.

As long as you could create a secure replacement for the ident, sure.
ident over SSL comes to mind. 

> Best wishes
> 
> Andrew
> -- 
> new job - new sig file under construction...
> 
> -- 
> To unsubscribe: mail -s unsubscribe pam-list-request@redhat.com < /dev/null
> 

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []