NetBSD Problem Report #29720
From hubert@feyrer.de Thu Mar 17 00:09:12 2005
Return-Path: <hubert@feyrer.de>
Received: from miyu.feyrer.net (p5480546B.dip.t-dialin.net [84.128.84.107])
by narn.netbsd.org (Postfix) with ESMTP id 5708463B117
for <gnats-bugs@gnats.NetBSD.org>; Thu, 17 Mar 2005 00:09:11 +0000 (UTC)
Message-Id: <200503170009.j2H09AkB028451@miyu.feyrer.net>
Date: Thu, 17 Mar 2005 01:09:10 +0100 (MET)
From: hubert@feyrer.de
Reply-To: hubert@feyrer.de
To: gnats-bugs@netbsd.org
Subject: telnetd noise after PAM(?): SRA?
X-Send-Pr-Version: 3.95
>Number: 29720
>Category: bin
>Synopsis: telnetd noise after PAM(?): SRA?
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Thu Mar 17 00:10:00 +0000 2005
>Last-Modified: Fri Mar 25 15:00:02 +0000 2005
>Originator: Hubert Feyrer
>Release: NetBSD 2.99.16
>Organization:
bla!
>Environment:
Architecture: i386
Machine: i386
>Description:
After upgrading a machine to -current and playing with various
PAM-related things, I found that the "telnet localhost" dialog
looks a lot different these days.
On 2.0 this is:
miyu% telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
NetBSD/i386 (miyu) (ttypa)
login: feyrer
Password:
Last login: Wed Mar 16 19:37:04 2005 from :0.0 on ttyp7
...
On -current, this is:
qemu: {1} telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
===> Trying SRA secure login:
===> User (feyrer):
Password:
===> [ SRA accepts you ]
===> NetBSD/i386 (qemu) (ttyp1)
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
The NetBSD Foundation, Inc. All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
NetBSD 2.99.16 (GENERIC) #2: Sun Mar 13 01:29:31 MET 2005
Welcome to NetBSD!
Several things can be observed here:
1) I have no idea what "Trying SRA secure login" means
2) There's no more "NetBSD/$arch ($hostname) ($tty)" banner printed
any more
3) The traditional "login:" prompt was changed to "User", plus
a display of the local username. Confusing!
4) After password entry, one wonders who SRA is to accept one :)
5) There's no "Last login ..." line! Playing around with this
got some errors about lastloginx being of inappropriate
file type. /var/log/lastloginx was an empty file of mode 664,
owned by root/wheel. No idea what that is.
>How-To-Repeat:
Enable telnet in /etc/inetd.conf
telnet localhost
login
>Fix:
Make it behave like 2.0 again please (no SRA noise, "login:" prompt,
"Last login ..." display).
>Audit-Trail:
From: Igor Sobrado <igor@string1.ciencias.uniovi.es>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/29720
Date: Fri, 25 Mar 2005 13:30:51 +0100
Hi Hubert.
I understand that you find this ssh-like behaviour on telnetd(8)
a bit annoying but, IMHO, it is right. PAM is a nice improvement
for the operating system and a "secure telnet listener" really was
a requirement for those administrators that want to offer standard
telnet access to their systems yet.
I understand that if a secure SRA login is not possible, it will
revert to the old insecure behaviour. I am not wrong, right?
The "User" prompt certainly recalls the OpenVMS's "Username" prompt.
Surely it is a bit annoying for people using PPP chat scripts to
log into remote NetBSD machines. But the change on the scripts is
not difficult to implement. Perhaps returning to the old "login"
prompt (with all the "SRA related noise" being shown before the
login prompt) will make the new daemon more compatible with all
those dialup chat scripts.
Cheers,
Igor.
From: Igor Sobrado <igor@string1.ciencias.uniovi.es>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/29720
Date: Fri, 25 Mar 2005 13:46:20 +0100
I did not answer issue number 2 in the previous email. IMHO, printing
the "NetBSD/$arch ($hostname) ($tty)" banner _after_ logging in to the system
is a requirement to make the computer system more secure.
Sadly, we cannot trust people with access to the Internet. Information
provided in that banner can be helpful to both system managers and
users (it is a way to track how up to date a system is and where we are
connected -what tty we are using for a given connection-), but it is
a powerful tool for crackers too; consequently, this information should
not be provided before authenticating users. :-(
Igor.
From: "Jeremy C. Reed" <reed@reedmedia.net>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, <netbsd-bugs@netbsd.org>
Subject: Re: bin/29720
Date: Fri, 25 Mar 2005 06:58:59 -0800 (PST)
On Fri, 25 Mar 2005, Igor Sobrado wrote:
> I did not answer issue number 2 in the previous email. IMHO, printing
> the "NetBSD/$arch ($hostname) ($tty)" banner _after_ logging in to the system
> is a requirement to make the computer system more secure.
I think that should be up to the administrator to choose to set this in
/etc/gettytab as desired.
im=\r\n%s/%m (%h) (%t)\r\n\r\n
Also maybe there could be some option to decide when or how this is
displayed.
Some telnet servers use /etc/issue and some use BANNER_FILE.
> Sadly, we cannot trust people with access to the Internet. Information
> provided in that banner can be helpful to both system managers and
> users (it is a way to track how up to date a system is and where we are
> connected -what tty we are using for a given connection-), but it is
> a powerful tool for crackers too; consequently, this information should
> not be provided before authenticating users. :-(
I think it is more useful than dangerous. And anyways, we should be able
to define what is displayed.
Jeremy C. Reed
BSD News, BSD tutorials, BSD links
http://www.bsdnewsletter.com/
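The gettytab im= line quoted above, rendered the way getty(8) would print it and audited for which system facts it discloses before authentication (Igor's concern). This is an added example, not NetBSD's getty code; the %-escape letters are assumed from gettytab(5), and the sample banner values are constructed.

```python
# Constructed gettytab(5) "im" values: the first is the line quoted in the
# thread, the second is a banner that reveals nothing before login.
DEFAULT_IM = r"\r\n%s/%m (%h) (%t)\r\n\r\n"
MINIMAL_IM = r"\r\n"

# gettytab(5) %-capabilities handled here (assumed subset of the manual page).
CAP_NAMES = {"s": "sysname", "m": "machine", "h": "hostname", "t": "tty",
             "r": "release", "v": "version", "d": "date"}
# Backslash escapes as written in the gettytab file.
ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "\\": "\\"}


def tokenize(im):
    """Split an im= string into ('lit', text) and ('cap', letter) tokens."""
    tokens, i = [], 0
    while i < len(im):
        c, nxt = im[i], im[i + 1] if i + 1 < len(im) else ""
        if c == "\\" and nxt:
            tokens.append(("lit", ESCAPES.get(nxt, nxt)))
            i += 2
        elif c == "%" and nxt in CAP_NAMES:
            tokens.append(("cap", nxt))
            i += 2
        elif c == "%" and nxt == "%":
            tokens.append(("lit", "%"))
            i += 2
        else:
            tokens.append(("lit", c))   # unknown escapes pass through literally
            i += 1
    return tokens


def expand_im(im, **facts):
    """Render the banner given sysname=, machine=, hostname=, tty=, ... values."""
    return "".join(text if kind == "lit" else facts.get(CAP_NAMES[text], "")
                   for kind, text in tokenize(im))


def disclosed_fields(im):
    """Names of the system facts an unauthenticated peer learns from this banner."""
    return sorted({CAP_NAMES[t] for kind, t in tokenize(im) if kind == "cap"})


if __name__ == "__main__":
    facts = dict(sysname="NetBSD", machine="i386", hostname="miyu", tty="ttypa")
    for im in (DEFAULT_IM, MINIMAL_IM):
        print(repr(expand_im(im, **facts)), "discloses:", disclosed_fields(im))
```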
>Unformatted: