e07@nikhefh.nikhef.nl (Eric Wassenaar) (01/16/91)
If you want to do some internet address authentication, the following is a simple way to proceed.

It is obvious that authentication must NOT be done within gethostbyaddr(). This is, and should be, only an interface to interrogate the nameserver.

You don't need to implement the authentication checking in individual daemons like rlogind, telnetd, ftpd, etc. It can be done at an even higher level, and it does not require any source code adaptation.

You write a little program of your own, call it tcpconn, and let it be invoked by inetd for every tcp connection. This program can do a getpeername(), gethostbyaddr(), and gethostbyname() to check if the peer address maps to a host, and if the address belongs to that host, if you are very security minded. You can also log connections via syslog. If you decide to accept the connection, the program execs the 'real' daemon, given by argv[0]. You may even adapt the strategy depending on the service.

Your inetd.conf has entries like:

# service  mode    proto  state   user    pathname      program
ftp        stream  tcp    nowait  root    /etc/tcpconn  ftpd
telnet     stream  tcp    nowait  root    /etc/tcpconn  telnetd
login      stream  tcp    nowait  root    /etc/tcpconn  rlogind
finger     stream  tcp    nowait  nobody  /etc/tcpconn  fingerd

Eric Wassenaar
--
Organization: NIKHEF-H, National Institute for Nuclear and High-Energy Physics
Address: Kruislaan 409, P.O. Box 41882, 1009 DB Amsterdam, the Netherlands
Phone: +31 20 592 0412, Home: +31 20 909449, Telefax: +31 20 592 5155
Internet: e07@nikhef.nl
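The tcpconn front end described in the post above, written out as an added example (this is not Eric Wassenaar's program, only an illustration of the scheme he sketches). It does the getpeername() / gethostbyaddr() / gethostbyname() sequence, requires the reverse-mapped name to map forward to the connecting address, logs the decision via syslog, and then execs the real daemon named by argv[0]. The daemon directory DAEMON_DIR, the syslog facility, and the helper names are assumptions; the double-lookup test is factored into addr_in_list() so it can be exercised on constructed address lists without a nameserver.

```c
/* tcpconn.c: added example of an inetd front end that cross-checks the
 * peer's reverse and forward DNS before exec'ing the real daemon (argv[0]).
 * DAEMON_DIR, the log facility and the helper names are assumptions. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define DAEMON_DIR "/usr/libexec/"     /* assumed location of the real daemons */

/* Return 1 if peer appears among the `length`-byte addresses in the
 * NULL-terminated list (the shape of hostent.h_addr_list), else 0. */
int addr_in_list(const struct in_addr *peer, char *const *list, int length)
{
    if (length != (int)sizeof *peer)
        return 0;                           /* not an IPv4 address list */
    for (; *list != NULL; list++)
        if (memcmp(*list, peer, sizeof *peer) == 0)
            return 1;
    return 0;
}

/* Same check on dotted-quad strings (NULL-terminated array); lets the
 * core test run on constructed data instead of live DNS answers. */
int addr_in_dotted_list(const char *peer, const char *const *dotted)
{
    struct in_addr p, a[16];
    char *list[17];
    int n = 0;

    if (inet_pton(AF_INET, peer, &p) != 1)
        return 0;
    for (; dotted[n] != NULL && n < 16; n++) {
        if (inet_pton(AF_INET, dotted[n], &a[n]) != 1)
            return 0;
        list[n] = (char *)&a[n];
    }
    list[n] = NULL;
    return addr_in_list(&p, list, sizeof p);
}

/* Double lookup: address -> name (PTR), then name -> addresses (A), and
 * require the original address to be among the A records. On success
 * returns 1 and copies the name into name[]. Both answers come from the
 * untrusted DNS, so this only catches inconsistent data, nothing more. */
int peer_is_consistent(const struct in_addr *peer, char *name, size_t namelen)
{
    struct hostent *hp = gethostbyaddr(peer, sizeof *peer, AF_INET);
    if (hp == NULL)
        return 0;                           /* no PTR record */
    snprintf(name, namelen, "%s", hp->h_name);
    hp = gethostbyname(name);               /* libc reuses the hostent buffer */
    if (hp == NULL || hp->h_addrtype != AF_INET)
        return 0;
    return addr_in_list(peer, hp->h_addr_list, hp->h_length);
}

int main(int argc, char **argv)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    char name[256], path[512];

    openlog("tcpconn", LOG_PID, LOG_DAEMON);
    /* argv[0] is the program column of inetd.conf; refuse path components */
    if (argc < 1 || argv[0] == NULL || strchr(argv[0], '/') != NULL) {
        syslog(LOG_ERR, "bad daemon name");
        return 1;
    }
    /* inetd hands us the accepted socket as descriptor 0 */
    if (getpeername(0, (struct sockaddr *)&sin, &len) < 0 || sin.sin_family != AF_INET) {
        syslog(LOG_ERR, "getpeername: %m");
        return 1;
    }
    if (!peer_is_consistent(&sin.sin_addr, name, sizeof name)) {
        syslog(LOG_WARNING, "refused %s for %s: reverse/forward DNS mismatch",
               inet_ntoa(sin.sin_addr), argv[0]);
        return 1;
    }
    syslog(LOG_INFO, "connect from %s [%s] for %s", name, inet_ntoa(sin.sin_addr), argv[0]);
    snprintf(path, sizeof path, "%s%s", DAEMON_DIR, argv[0]);
    execv(path, argv);                      /* returns only on failure */
    syslog(LOG_ERR, "exec %s: %m", path);
    return 1;
}
```

Installed as /etc/tcpconn and listed in inetd.conf as in the post, the wrapper runs once per connection and the real daemon inherits the socket on descriptor 0 unchanged. Per-service policy (say, refusing finger on a mismatch but only logging it for ftp) can be keyed on argv[0] before the exec.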
galvin@TIS.COM (James M Galvin) (01/17/91)
> If you want to do some internet address authentication, the following is a simple way to proceed.

I am troubled by this thread. The very idea that the existence of an A record is somehow more secure is misleading at best and ludicrous in general. The database itself is completely untrusted, and thus, strictly speaking, you have no confidence in any data value that is returned.

As a practical matter, I understand why we believe the DNS, but I can only hope that Sun does not advertise this "feature" as a "security enhancement".

Jim