
Re: Pam and radius [ssh etc..]

Cristian Gafton wrote:
> On Fri, 28 Feb 1997, Michael K. Johnson wrote:
> > things that are part of the Red Hat Linux distribution.  There's no
> > chance with current ITAR that we could ship anything like ssh/sshd.
> ... But you can make a patch and a package will magically show up on
> ftp.replay.com.... :-)

It's not really the same level of security, and again it is not really the
domain of PAM to be looking at things like this, but pam_filter has a few
possibilities in this area..

Consider the following scheme:

Take something like "xsh" out of the Linux-PAM source tree. It does not do
much but for the purposes of an example the important point is that it goes
through the motions of talking with PAM and then invokes a shell.

If you add a session line:

xsh	session required 	pam_filter.so run1 /sbin/pam_filter/upperLOWER

to your pam.conf file you will find that the shell gets very confused about
what you type: transcribing upper to lower case letters and the reverse.
Actually, the shell is not confused at all. You are the one that will be.

Now consider the consequence of doing something like:


the shell of course understands this as "rlogin localhost", and duly
executes it.  The next thing you see is:

        pASSWORD: _

Which of course is what you'd expect, since the upperLOWER filter is doing
its thing.

So what happens if you repeat the above test after adding the following line
to the _top_ of the rlogin auth stack?:

rlogin	auth required 	pam_filter.so run1 /sbin/pam_filter/upperLOWER

As the mathematicians would say, upperLOWER is its own inverse...

If you think about it, the data stream emerging from xsh and being fed to
in.rlogind is transposed (case-wise). However, what you _see_ from
"localhost" gives the impression that nothing strange is happening.

The point I am trying to make is that it might be easy for someone in
Finland or Australia or anywhere to write themselves a filter that alters
the "internet visible" look of their text (compresses it for example ;^) in
such a way that a similar filter on the other end could undo this...

I wonder where that might lead?

Just thought I'd mention it.


               Linux-PAM, libpwdb, Orange-Linux and Linux-GSS
       [ For those that prefer FTP  ---  ftp://ftp.lalug.org/morgan ]
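
An added example, not part of the original message and not the Linux-PAM source: a simplified C model of the case transposition described above, showing the prompt with one filter in the path versus two, and what the typed text looks like between the two filters. The function names `upper_lower` and `through` and the sample strings are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the upperLOWER filter: swap the case of
 * every ASCII letter in place; all other bytes pass through unchanged. */
static void upper_lower(char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (islower(c))
            buf[i] = (char)toupper(c);
        else if (isupper(c))
            buf[i] = (char)tolower(c);
    }
}

/* Copy src into dst and pass it through `hops` filters in sequence.
 * hops == 1 models only the xsh session filter being configured;
 * hops == 2 models the xsh filter plus the rlogin auth-stack filter. */
static const char *through(const char *src, int hops, char *dst, size_t cap)
{
    size_t len = strlen(src);
    if (len >= cap)
        len = cap - 1;              /* truncate rather than overflow dst */
    memcpy(dst, src, len);
    dst[len] = '\0';
    while (hops-- > 0)
        upper_lower(dst, len);
    return dst;
}

int main(void)
{
    char buf[64];
    const char *prompt = "Password: ";  /* constructed sample data */
    const char *typed  = "Secret123";   /* constructed sample data */

    printf("prompt, xsh filter only : %s\n", through(prompt, 1, buf, sizeof buf));
    printf("prompt, both filters    : %s\n", through(prompt, 2, buf, sizeof buf));
    printf("typed, between filters  : %s\n", through(typed, 1, buf, sizeof buf));
    printf("typed, after 2nd filter : %s\n", through(typed, 2, buf, sizeof buf));
    return 0;
}
```
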
