*BSD News Article 10715



Received: by minnie.vk1xwt.ampr.org with NNTP
	id AA531 ; Thu, 04 Feb 93 16:00:34 EST
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!yale.edu!ira.uka.de!Germany.EU.net!news.Hamburg.Germany.EU.net!abqhh!encap.hanse.de!not-for-mail
From: maverick@encap.hanse.de (Jan-Oliver Neumann)
Newsgroups: comp.unix.bsd
Subject: *Big* security leak for users w/o crypt.
Date: 2 Feb 1993 18:59:55 +0100
Organization: Hanse Networking e.V., Hamburg, Germany.
Lines: 20
Message-ID: <1kmcqrINN4l@encap.hanse.de>
NNTP-Posting-Host: encap.hanse.de

Hello.
Although a system w/o a working version of crypt() (it was excluded from
the 386BSD Distributions because of U.S. export regulations) is already
insecure, anyone can now log in as "bin" or "daemon".
The passwords of these accounts contain a "*" that is not used by the DES
algorithm. So nobody can log in as "bin" or "daemon" if the DES encryption
is included. But for a system w/o crypt(), anybody can enter "*" as the
password and will be logged in.
So, I strongly recommend that you don't put a 386BSD w/o crypt() on a
dial-up line. (Actually, also without this leak you shouldn't do that, 
either).

Greetings, Jan

PS: I'm using pcvt, but I don't think the keyboard driver has any impact
    on this.
-- 
Jan-Oliver Neumann                                     <maverick@encap.hanse.de>
Gegen Rassismus und Extremismus ------------------- Against racism and extremism
XXXXXXXXXXXXXXXXXXXXX Copy me into your signature XXXXXXXXXXXXXXXXXXXXXXXXXX
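
The behaviour described in the article above, as an added C example that is not part of the original post and is not 386BSD code: a login comparison run against a pass-through crypt(), next to a check that refuses any password field that cannot be a DES hash. Assumptions: the missing crypt() is modelled by a hypothetical stub_crypt() that returns the typed password unchanged, and the names naive_check, is_des_hash and hardened_check and the sample hash string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef const char *(*crypt_fn)(const char *key, const char *salt);

/* Assumption: models a system shipped without DES, where crypt() hands the
 * typed password back unchanged. Hypothetical stand-in, not 386BSD source. */
static const char *stub_crypt(const char *key, const char *salt)
{
    (void)salt;
    return key;
}

/* The usual login comparison: crypt(typed, field) must equal the field.
 * With a pass-through crypt() this is a plain-text compare, so a field of
 * "*" is matched by typing "*". */
int naive_check(crypt_fn cf, const char *typed, const char *pw_field)
{
    return strcmp(cf(typed, pw_field), pw_field) == 0;
}

/* A traditional DES crypt() result is exactly 13 characters drawn from
 * [./0-9A-Za-z]; "*" can never be one, which is why it marks a locked
 * account when real DES is present. */
int is_des_hash(const char *pw_field)
{
    static const char set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    return strlen(pw_field) == 13 && strspn(pw_field, set) == 13;
}

/* Hardened form: decide "locked" from the field itself before any
 * comparison, so the result does not depend on which crypt() is linked. */
int hardened_check(crypt_fn cf, const char *typed, const char *pw_field)
{
    if (!is_des_hash(pw_field))
        return 0;                 /* "*", empty or malformed: refuse login */
    return naive_check(cf, typed, pw_field);
}

int main(void)
{
    printf("naive,    field \"*\", typed \"*\": %d\n",
           naive_check(stub_crypt, "*", "*"));
    printf("hardened, field \"*\", typed \"*\": %d\n",
           hardened_check(stub_crypt, "*", "*"));
    return 0;
}
```

The hardened check only keeps locked accounts locked; ordinary accounts on a system with a pass-through crypt() are still compared in plain text.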