paul@DELRIO.CC.UMICH.EDU ('da Kingfish) (06/08/88)
------- Forwarded Message
Date: Thu, 02 Jun 88 14:19:57 -0700
From: NKARIMI@gpvax.JPL.NASA.GOV
To: apollo%yale.arpa@jpl-mil.ARPA
Subject: Security on APOLLO TCP/IP network
Hello,
I have a question about TCP/IP network security on the APOLLO
workstations. Does APOLLO sell any off-the-shelf
software/hardware products that have some kind of
encryption technique for when you are doing TELNET
or FTP? Apart from the Userid/Password protection, is
there any other way I can make sure unauthorized people
cannot access our workstations?
Also recently I came across something that looked like a
major security issue to me on the APOLLO workstation.
Try this experiment:
1) TELNET to an APOLLO workstation that is running the
AEGIS TCP/IP network software.
2) for the USERID, type in : USER
3) for the password, type in some junk characters
The telnet_server on the other machine comes back with
the message:
Invalid attempt to log in
l name [project [org]] [-p] [-h]
-p will allow you to change your password
-h will allow you to change your home directory
% may be used as wildcard for project or org
Please log in:
( so far everything is fine. )
4) at the "Please log in: " prompt type in: USER again
5) for the password, type in ^C (control-C)
you will get logged in as user.none.none !!
If you don't believe me, the exact session follows:
- ---------------------------------------------------
$ telnet xxx.xxx.x.xxx
Trying...
Open
Apollo Telnet Daemon
Erase is ^H and Kill is ^U
Please log in: user
Password:
Invalid attempt to log in
l name [project [org]] [-p] [-h]
-p will allow you to change your password
-h will allow you to change your home directory
% may be used as wildcard for project or org
Please log in: user
Password: Using local registry. Can't use network registry:
- process interrupt (from OS / fault handler)
Logged in as user.none.none on 1988/06/02 Thu 12:29 (PST).
$
- ----------------------------------------------------
NOW, THAT TO ME IS A MAJOR SECURITY BREAK.
So, I called in some of the APOLLO people that I knew, and the
response I got back was this: "Well, it is basically a feature that
APOLLO has included so that if by any chance you mess up your
registries and there is no way that you can get in to your system,
then you can get logged in as user.none and try to recover your
registries". I was told the solution to this problem is to
delete the user.none.none entry from our registries and then the
problem should be fixed.
So a warning to all APOLLO users that are running the AEGIS TCP/IP
network software: delete your user.none.none or anybody can login
to your system. Now, why hasn't this FEATURE been documented
anywhere?
Note: the above problem does not exist on the workstations that are
running DOMAIN/IX.
Thanks for listening
Nader Karimi
------- End of Forwarded Message

krowitz@RICHTER.MIT.EDU (David Krowitz) (06/10/88)
You know, I could have sworn that I removed the 'user' accounts from our network registries when I last cleaned up our registries, and yet I just checked, and there was a whole slew of them (including a locksmith account!) appended to the end of our registries. Did the SR9.7 installation add these?

-- David Krowitz
krowitz@richter.mit.edu (18.83.0.109)
krowitz%richter@eddie.mit.edu
krowitz%richter@athena.mit.edu
krowitz%richter.mit.edu@mitvma.bitnet
(in order of decreasing preference)
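The fail-open behaviour in Nader's report (an interrupt during the network-registry lookup drops through to a local registry that still holds a passwordless recovery account) next to a fail-closed version, plus the registry audit that David's check calls for, as an added Python illustration that is not Apollo code. The registries, account names and the InterruptedLookup exception are constructed for the example.

```python
"""Fail-open vs fail-closed login, modelled on the Apollo telnet report.

Added illustration, not Apollo software. Registries, account names and
InterruptedLookup are constructed stand-ins for the example.
"""


class InterruptedLookup(Exception):
    """Stands in for the '^C at Password:' process interrupt in the report."""


# Constructed registries: the network registry holds the real accounts, the
# local fallback registry still carries the recovery entry user.none.none.
# A value of None means the entry requires no password.
NETWORK_REGISTRY = {"user.none.none": "correct horse", "paul.none.none": "battery staple"}
LOCAL_REGISTRY = {"user.none.none": None}


def network_lookup(account, password, interrupt=False):
    """Verify credentials against the network registry; may be interrupted."""
    if interrupt:
        raise InterruptedLookup("process interrupt (from OS / fault handler)")
    return NETWORK_REGISTRY.get(account) == password


def login_fail_open(name, password, interrupt=False):
    """Behaviour the report describes: a fault in the network lookup falls
    back to the local registry, which admits a passwordless entry."""
    account = f"{name}.none.none"            # 'l name' with project/org = none
    try:
        return account if network_lookup(account, password, interrupt) else None
    except InterruptedLookup:
        if account in LOCAL_REGISTRY and LOCAL_REGISTRY[account] is None:
            return account                   # logged in without a password
        return None


def login_fail_closed(name, password, interrupt=False):
    """Hardened: any fault during verification is an authentication failure;
    no fallback registry is consulted for a remote login."""
    account = f"{name}.none.none"
    try:
        ok = network_lookup(account, password, interrupt)
    except InterruptedLookup:
        return None                          # fail closed on error
    return account if ok else None


def audit_registry(registry):
    """Return entries that need no password, the mitigation the report gives
    (delete user.none.none) turned into a repeatable check."""
    return sorted(acct for acct, pw in registry.items() if pw is None)
```

Running audit_registry after each software installation catches recovery entries that a release such as the one David mentions may have appended again.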