mfontana@eniac.seas.upenn.edu (Mark A Fontana) (04/18/91)
Here's a quick summary of the mail I received concerning the finger logging program. Unfortunately, nobody sent working programs. If I do receive any that work particularly well, I'll post them. - Mark Fontana /////////////////////////////////////////////////////////////////////////// From morrison@eniac.seas.upenn.edu Subject: Re: How do you keep your background process alive? [In response to my question on how to keep one's finger monitor running] to keep it running all the time you have to know what is killing it. Some one can kill it if they press ctl-C while it is sending out the information through pipe. In order to prevent this you have to trap the broken pipe signal that unix send your process. To do that you must include an interrupt handler and install it. Look under "man 3v signal" for this information. to keep it running when the system goes down I just put in my own cron entry. just man cron to find out more about that. Basically cron runs jobs at a specific time that you specify. My program tries to re-run itself every night at 2:00am. It checks to see if it is already running and if it is then the new copy quits. [filename] & is the correct way to run a program in the background. the easiest way to find out who is fingering you is to do a ps -augx | grep "finger yourname" this will find all the people who have run a finger process looking for you. There are problems with this which I haven't worked out, like, if two people finger you at the same time, what happens. you need the 'gx' to find that nasty nobody process that is someone fingering you from off of eniac. good luck! ----------------------------------------------------------------------------- From mrapple@quack.sac.ca.us Wed Apr 17 10:56:42 1991 From: Nick Sayer <nsayer@uop.uop.edu> >if there is any way to determine the login name of a remote fingerer, or >at least the name of the calling system. The only way is to use RFC931 authentication. Under RFC931, you open a TCP to the "auth" port on the remote machine, send the socket number on both ends of the tcp stream you are asking about, (it knows who it is and it knows who you are, so it has host and socket number for both ends now), and it will pass back a user identification string and close. There exists a libauthuser.a with routines to do this painlessly. RFC931 is pretty easy to spoof, since it relies on the remote system to provide authentication data. Also, not many sites provide RFC931. I personally hope it gains acceptance. The auth port is 113. For a demo, telnet uop.uop.edu 113, then stop telnet, use netstat to find out the socket numbers, then send them on one line separated by a comma. auth will cheerfully tell you who owns the stream on uop's end (it's probably going to be root), then exit. Finding the name of the other system is easy -- gethostbyaddr(). >Ultimately, I'd like to be able >to fetch the full name of a remote user, ie. (Mark A Fontana), so that >I could extend a customized greeting to foreign fingerers as well. Well, you could take the auth data and the hostname, finger the other end, and use the results, but if everyone did this, there'd be massive looping problems. --------------------------------------------------------------------------- From shein@ferdowsi.berkeley.edu Fri Apr 12 18:52:44 1991 Subject: Re: Finger logger: several questions Date: Fri, 12 Apr 91 15:52:06 -0700 I don't have any code to contribute -- the program I played around with, I got from Noam Mendelson (c60b-1eq@web.berkeley.edu) who got it from Andrew Choi (also at Berkeley, somewhere). Getting the name of the machine finger'ing you is "easy": In the setup I have (and probably most other finger monitors), .plan is a FIFO, and when the finger daemon wants to read, a netstat -n is done, and port 79 is grep'ed out. This gives the Internet address of the machine. You would have to strip of the trailing .79; then you can use the gethostbyaddr() call in C to get the name of the finger machine. I haven't done this, since I came across another problem: When I run my program on my workstation (ferdowsi), and people finger shein@ferdowsi, everything is great. When I'm fingered at the server (shein@robotics), however, the finger command never returns. I could run the program on the server instead, but then fingering me at ferdowsi, or any other workstation in the cluster, would never come back. --------------------------------------------------------------------------- From c60b-1eq@WEB.berkeley.edu Fri Apr 12 23:13:50 1991 Concerning your comp.unix.questions post: You can test which host fingerd is responding to by doing a netstat -n listing then searching for ".79 " (when a finger request is in progress). I.e., in the finger logging program, add a system() call which executes netstat -n and parse the output in your program. If you don't have netstat -n and you aren't into monitoring TCP ports on your own, then you're out of luck. Again, as I posted in c.u.q, there is no way to find the login name of the remote user. All you can do is guess by listing all of the users logged in (hint: look at idle times). If you have access to the remote machine, you could use ps, but then a finger request would take quite a while. --------------------------------------------------------------------------- From derge@paris.crd.ge.com Fri Apr 12 16:31:48 1991 There's really no general way to figure out the username of the person who's fingering you unless they do it on your local machine, and even then you can be a little uncertain if more than 1 finger process is running. This stems from the fact that only the hostname can be determined directly from the network packet. So all you can really tell for sure from ps and netstat is the hostname, if that. Of course, your monitor program will also get a little confused if more than one finger happens to be going on at once. The only way to combat this would be to rewrite the finger daemon itself to send you mail when it gets a connection (the daemon can tell what host the connection comes from). But even then, you wouldn't know who did it, and you wouldn't be able to avoid this next problem. To make things a little more complicated, a tricky user on machine xxx can always fool you by doing something like finger mfontana@eniac@otherhost1@otherhost2. What happens here is you get a chain of fingers going from xxx to otherhost2 to otherhost1 to eniac. Unless you trace that whole chain, you'll never find the person. There are, however, a few things you might try that will help under the right circumstances: 1. If you have an account on that remote machine, and your .rhosts is set up properly, you can rsh a "ps -auxwwww | grep finger" to the remote machine, and use that process information to figure out who's fingering you. 2. You could also just do something as simple as fingering @remote, and as long as only one person is logged on, you know who it was. Note, of course, that the above 2 methods do not follow the whole chain, and are therefore rather suspect. The bottom line is that you can come close, but you really can't ever be certain of who fingered you because of the finger a@b@c@d thing. If I know you're watching me, I can always fool your program by careful planning. --------------------------------------------------------------------------- That's it.