NetBSD Problem Report #29720

From hubert@feyrer.de  Thu Mar 17 00:09:12 2005
Return-Path: <hubert@feyrer.de>
Received: from miyu.feyrer.net (p5480546B.dip.t-dialin.net [84.128.84.107])
	by narn.netbsd.org (Postfix) with ESMTP id 5708463B117
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 17 Mar 2005 00:09:11 +0000 (UTC)
Message-Id: <200503170009.j2H09AkB028451@miyu.feyrer.net>
Date: Thu, 17 Mar 2005 01:09:10 +0100 (MET)
From: hubert@feyrer.de
Reply-To: hubert@feyrer.de
To: gnats-bugs@netbsd.org
Subject: telnetd noise after PAM(?): SRA?
X-Send-Pr-Version: 3.95

>Number:         29720
>Category:       bin
>Synopsis:       telnetd noise after PAM(?): SRA?
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 17 00:10:00 +0000 2005
>Last-Modified:  Fri Mar 25 15:00:02 +0000 2005
>Originator:     Hubert Feyrer
>Release:        NetBSD 2.99.16
>Organization:
bla!
>Environment:


Architecture: i386
Machine: i386
>Description:
	After upgrading a machine to -current and playing with various
	PAM related things, I found that the "telnet localhost" dialog
	looks a lot different these days.

	On 2.0 this is:

		miyu% telnet localhost
		Trying 127.0.0.1...
		Connected to localhost.
		Escape character is '^]'.

		NetBSD/i386 (miyu) (ttypa)

		login: feyrer
		Password:
		Last login: Wed Mar 16 19:37:04 2005 from :0.0 on ttyp7
		...

	On -current, this is:

		qemu: {1} telnet localhost
		Trying ::1...
		Connected to localhost.
		Escape character is '^]'.
===>		Trying SRA secure login:
===>		User (feyrer): 
		Password: 
===>		[ SRA accepts you ]

===>		NetBSD/i386 (qemu) (ttyp1)

		Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
		    The NetBSD Foundation, Inc.  All rights reserved.
		Copyright (c) 1982, 1986, 1989, 1991, 1993
		    The Regents of the University of California.  All rights reserved.

		NetBSD 2.99.16 (GENERIC) #2: Sun Mar 13 01:29:31 MET 2005

		Welcome to NetBSD!


	Several things can be observed here:
	1) I have no idea what "Trying SRA secure login" means
	2) The "NetBSD/$arch ($hostname) ($tty)" banner is not printed
	   any more
	3) The traditional "login:" prompt was changed to "User", plus
	   a display of the local username. Confusing!
	4) After password entry, one wonders who SRA is to accept one :)
	5) There's no "Last login ..." line! Playing around with this
	   got some errors about lastloginx being of inappropriate
	   file type. /var/log/lastloginx was an empty file of mode 664,
	   owned by root/wheel. No idea what that is.

>How-To-Repeat:
	Enable telnet in /etc/inetd.conf
	telnet localhost
	login

>Fix:
	Make it behave like 2.0 again please (no SRA noise, "login:" prompt,
	"Last login ..." display).

>Audit-Trail:
From: Igor Sobrado <igor@string1.ciencias.uniovi.es>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/29720
Date: Fri, 25 Mar 2005 13:30:51 +0100

 Hi Hubert.

 I understand that you find this ssh-like behaviour on telnetd(8)
 a bit annoying but, IMHO, it is right.  PAM is a nice improvement
 for the operating system, and a "secure telnet listener" really was
 a requirement for those administrators that still want to offer
 standard telnet access to their systems.

 I understand that if a secure SRA login is not possible, it will
 revert to the old insecure behaviour.  I am not wrong, right?

 The "User" prompt certainly recalls the OpenVMS "Username" prompt.
 Surely it is a bit annoying for people using PPP chat scripts to
 log into remote NetBSD machines.  But the change to the scripts is
 not difficult to implement.  Perhaps returning to the old "login"
 prompt (with all the "SRA related noise" being shown before the
 login prompt) will make the new daemon more compatible with all
 those dialup chat scripts.

 Cheers,
 Igor.

From: Igor Sobrado <igor@string1.ciencias.uniovi.es>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/29720
Date: Fri, 25 Mar 2005 13:46:20 +0100

 I did not answer issue number 2 in the previous email.  IMHO, printing
 the "NetBSD/$arch ($hostname) ($tty)" banner _after_ logging in to the
 system is a requirement to make the computer system more secure.

 Sadly, we cannot trust people with access to the Internet.  Information
 provided in that banner can be helpful to both system managers and
 users (it is a way to track how up to date a system is and where we are
 connected, i.e. what tty we are using for a given connection), but it is
 a powerful tool for crackers too; consequently, this information should
 not be provided before authenticating users.  :-(

 Igor.

From: "Jeremy C. Reed" <reed@reedmedia.net>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, <netbsd-bugs@netbsd.org>
Subject: Re: bin/29720
Date: Fri, 25 Mar 2005 06:58:59 -0800 (PST)

 On Fri, 25 Mar 2005, Igor Sobrado wrote:

 >  I did not answer issue number 2 in the previous email.  IMHO, printing
 >  the "NetBSD/$arch ($hostname) ($tty)" banner _after_ logging in to the
 >  system is a requirement to make the computer system more secure.

 I think that should be up to the administrator to choose to set this in
 /etc/gettytab as desired.

   im=\r\n%s/%m (%h) (%t)\r\n\r\n

 Also maybe there could be some option to decide when or how this is
 displayed.

 Some telnet servers use /etc/issue and some use BANNER_FILE.

 >  Sadly, we cannot trust people with access to the Internet.  Information
 >  provided in that banner can be helpful to both system managers and
 >  users (it is a way to track how up to date a system is and where we are
 >  connected, i.e. what tty we are using for a given connection), but it is
 >  a powerful tool for crackers too; consequently, this information should
 >  not be provided before authenticating users.  :-(

 I think it is more useful than dangerous. And anyway, we should be able
 to define what is displayed.


  Jeremy C. Reed

  BSD News, BSD tutorials, BSD links
  http://www.bsdnewsletter.com/
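As an added example (not part of this PR, nor code from NetBSD's telnetd), a small Python check of the point Igor and Jeremy argue about: it strips RFC 854 telnet option negotiation from a captured connection stream and reports whether the gettytab-style "OS/arch (host) (tty)" banner is shown before any credential prompt. The function names (strip_telnet_negotiation, preauth_disclosure) and the two sample streams are constructed here; the banner and prompt text are taken from the dialogs quoted in the PR.

```python
import re

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240  # RFC 854 commands


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop RFC 854 option negotiation (IAC sequences), keeping only what the user sees."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= n:                   # dangling IAC at end of buffer: drop it
            break
        elif data[i + 1] == IAC:           # IAC IAC is an escaped 0xff data byte
            out.append(IAC)
            i += 2
        elif data[i + 1] in (DO, DONT, WILL, WONT):
            i += 3                         # IAC <cmd> <option>
        elif data[i + 1] == SB:            # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                         # other two-byte commands (NOP, GA, ...)
    return bytes(out)


# Matches the default gettytab "%s/%m (%h) (%t)" banner, e.g. "NetBSD/i386 (miyu) (ttypa)"
BANNER_RE = re.compile(r"^(?P<os>[A-Za-z]+)/(?P<arch>\S+) \((?P<host>[^)]+)\) \((?P<tty>[^)]+)\)\s*$", re.M)
# First point at which the server asks for a credential (2.0 "login:" or -current "User (...)")
PROMPT_RE = re.compile(r"login:|User \(|Password:")


def preauth_disclosure(raw: bytes) -> dict:
    """Report what a telnet server reveals before any credential is requested."""
    text = strip_telnet_negotiation(raw).decode("latin-1").replace("\r\n", "\n")
    m = PROMPT_RE.search(text)
    pre_auth = text[:m.start()] if m else text
    finding = {"disclosed": False, "os": None, "arch": None, "host": None, "tty": None}
    b = BANNER_RE.search(pre_auth)
    if b:
        finding.update(b.groupdict(), disclosed=True)
    return finding


# Constructed samples: some telnetd option negotiation, then each dialog quoted in the PR
SAMPLE_2_0 = (b"\xff\xfd\x18\xff\xfd\x20\xff\xfa\x18\x01\xff\xf0"
              b"\r\nNetBSD/i386 (miyu) (ttypa)\r\n\r\nlogin: ")
SAMPLE_CURRENT = b"\xff\xfd\x18\r\nTrying SRA secure login:\r\nUser (feyrer): "
```

Running preauth_disclosure over the 2.0-style stream flags the banner as disclosed pre-auth; the -current stream, where the banner only appears after the password, is reported clean.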

>Unformatted:
