On Friday 24 October 2008, Dustin J. Mitchell wrote:
> On Fri, Oct 24, 2008 at 7:59 AM, Gene Heskett <[EMAIL PROTECTED]> wrote:
>>> Amanda accept a hostname "localhost" that is coming over the network? If this is possible, shouldn't this be fixed? I think not the possibility to configure it is the security hole itself.
>>
>> I don't know & will let Dustin or Jean-Louis answer that. I haven't ever tried it myself.
>
> Sorry to contradict you, Gene, but using 'localhost' in .amandahosts is no more a security hole than using BSD* auth in general.
>
> When Amanda accepts a connection, it performs a reverse-DNS translation of that hostname (getnameinfo), and then forward-translates that name to be sure it matches (check_host_give_sockaddr). This happens in common-src/security-util.c.
>
> So if another machine connects from, say, 132.17.28.228, and has spoofed the reverse DNS for that IP to translate to "localhost.localdomain", then the server will map the IP to the name, then try to map "localhost.localdomain" back to that IP. As long as the server is correctly configured to map "localhost.localdomain" to "127.0.0.1", the server will reject the connection.
>
> There are some security problems with BSD-based authentication, as it relies on the network layer to provide correct return IP addresses. This is better with TCP than with UDP, since TCP connections are harder to spoof, but man-in-the-middle attacks are still possible. In general, if you're using BSD* authentication, your servers should be protected from the open internet.

Thanks for that clarification. And yes, these machines are all behind an x86 box running dd-wrt as a router. Its logs can make interesting reading, but no one has gotten through it to me yet. That knocking sound? Me, knocking on wood. :)

> We already have SSH authentication, but that's not always easy to set up because it requires usernames and home directories. I'd like to add SSL authentication using certificates, but at present there's no spare developer time to work on that. Anyone interested? :)
>
> Dustin

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author)
The Usenet news is out of date
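As an added illustration of the reverse-then-forward check Dustin describes, here is the same logic in Python; this is not Amanda's code, and the resolver tables, the `check_host` function and every hostname other than the ones quoted in the thread are constructed for the example.

```python
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed DNS tables standing in for the server's resolver. Amanda's own
# check calls getnameinfo() for the reverse lookup and then a forward lookup
# in check_host_give_sockaddr() (common-src/security-util.c); this example
# only mirrors that logic and is not Amanda's code.
PTR_RECORDS: Dict[str, str] = {
    "127.0.0.1": "localhost",
    "10.0.0.5": "client1.example.test",
    # The address from the thread, with a PTR the remote side controls:
    "132.17.28.228": "localhost.localdomain",
}
A_RECORDS: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1"],
    "localhost.localdomain": ["127.0.0.1"],
    "client1.example.test": ["10.0.0.5"],
}

def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for getnameinfo(): IP -> hostname, or None if no PTR exists."""
    return PTR_RECORDS.get(ip)

def forward_lookup(name: str) -> List[str]:
    """Stand-in for getaddrinfo(): hostname -> addresses (empty if unknown)."""
    return A_RECORDS.get(name, [])

def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot as well."""
    return name.rstrip(".").lower()

def check_host(peer_ip: str, amandahosts: Iterable[str],
               reverse: Callable[[str], Optional[str]] = reverse_lookup,
               forward: Callable[[str], List[str]] = forward_lookup) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS, then the .amandahosts match; returns (accepted, reason)."""
    name = reverse(peer_ip)
    if name is None:
        return False, f"no reverse mapping for {peer_ip}"
    name = normalize(name)
    # The forward lookup must lead back to the connecting address. A spoofed
    # PTR pointing at "localhost.localdomain" fails here because the server
    # resolves that name to 127.0.0.1, not to the peer's address.
    if peer_ip not in forward(name):
        return False, f"{name} does not resolve back to {peer_ip}"
    allowed = {normalize(h) for h in amandahosts}
    if name not in allowed:
        return False, f"{name} is not listed in .amandahosts"
    return True, f"{peer_ip} verified as {name}"
```

Logging the returned reason on every refusal gives the server operator a direct record of peers whose PTR and forward records disagree.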
