Path: utzoo!attcan!uunet!lll-winken!lll-lcc!ncis.llnl.gov!ncis!helios.ee.lbl.gov!pasteur!ucbvax!decwrl!purdue!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: scs@lokkur.uucp (Steve Simmons)
Newsgroups: comp.sys.sun
Subject: YP, Netgroups, And Fixing Insecure hosts.equiv
Message-ID: <705@lokkur.UUCP>
Date: 19 Jan 89 08:39:52 GMT
Sender: usenet@rice.edu
Organization: Inland Sea Software, Ltd.
Lines: 45
Approved: Sun-Spots@rice.edu
Original-Date: 14 Jan 89 16:11:39 GMT
X-Sun-Spots-Digest: Volume 7, Issue 112, message 7 of 14

Douglas M. Bates writes:
>Bernard Silver writes:
>> A (hopefully) harmless intrusion brought to our notice the default
>> /etc/hosts.equiv in 3.5 and 4.0. The default consists of a single "+",
>> which in this context means ALL known hosts are trusted.
>
>This can be a bad security hole in some configurations.

Try "in all configurations where you attach to machines you don't
control". Fortunately there is something you can do about it. Take the
following with a grain of salt as it's all from memory (i.e., go RTFM).
However:

YP has a db called netgroups. It allows you to define arbitrary
collections of users, machines, and domains (domain in this case means YP
domain, not Internet domain). You define a name followed by a list of
triplets of user, host, domain. Leaving one of the three blank means
"none", putting in a star means "any" (again, RTFM on this, OK?). So you
could define a list of all the machines in your domain by

	trusted_hosts	(*,host1,my_domain)
			(*,host2,my_domain)
			. . .

Now put whatever hosts you want into the YP hosts db, but don't put them
into trusted_hosts unless they're really in your domain. Now change your
hosts.equiv files from '+' to '+@trusted_hosts'. Voila! You've locked out
other machines from rlogin, rcp, rsh, etc.

You can use the same technique for password files and login management.
We created a 'staff' group like

	staff		(scs,*,my_domain)
			(wnl,*,my_domain)
			. . .

We also created an 'everybody' group. On machines we wanted only staff
people on, the bottom of the password file looked like:

	+@staff
	-@everybody
	+::		(std yp passwd end)

Worked fine.

Warning! Experiment very carefully before installing a lot of this stuff.
Also, it can add to your YP overhead.

Steve Simmons, Inland Sea Software, Ltd.	scs@lokkur.dexter.mi.us
9353 Hidden Lake, Dexter, MI. 48130		313-426-8981
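The following is an added example, not code from the post above or from Sun: an offline evaluator that parses a netgroup file and applies the hosts.equiv and passwd "+"/"+@group"/"-@group" rules the post describes, so you can check what a given rule set admits before pushing it to YP. The post is written from memory; the example instead follows the SunOS netgroup(4) manual, where each triple is ordered (host,user,domain), an empty field is a wildcard and a literal "-" means "no valid value", and where entries are scanned in order with the first match winning. Verify those conventions against the manual on your own release. The sample files are constructed; host1, host2, scs, wnl and my_domain come from the post, while gateway, stranger, other_domain and guest are made up for the demonstration.

```python
"""Offline evaluator for NIS netgroup trust rules (added example, not from the post).

Assumed semantics, taken from SunOS netgroup(4) and to be checked on your system:
a netgroup line is "name (host,user,domain) ... [nested_netgroup ...]"; an empty
field is a wildcard and "-" matches nothing.  hosts.equiv and passwd entries are
scanned in order and the first matching entry decides.
"""
import re
from typing import Dict, List, Optional, Tuple, Union

Triple = Tuple[str, str, str]
Entry = Union[Triple, str]  # a (host,user,domain) triple or a nested netgroup name
Groups = Dict[str, List[Entry]]

# Constructed sample files.  "my_domain" is a placeholder NIS domain name.
NETGROUP_FILE = """\
# name          (host,user,domain) ...
trusted_hosts   (host1,,my_domain) (host2,,my_domain)
site_hosts      trusted_hosts (gateway,,my_domain)
staff           (,scs,my_domain) (,wnl,my_domain)
everybody       (,,my_domain)
"""
HOSTS_EQUIV_DEFAULT = "+\n"               # shipped default: every known host is trusted
HOSTS_EQUIV_FIXED = "+@trusted_hosts\n"   # only hosts in the netgroup are trusted
PASSWD_OPEN = "root:x:0:1:Operator:/:/bin/csh\n+::\n"
PASSWD_STAFF_ONLY = "root:x:0:1:Operator:/:/bin/csh\n+@staff\n-@everybody\n+::\n"

_TOKEN = re.compile(r"\([^)]*\)|\S+")  # a parenthesised triple or a bare word


def parse_netgroup(text: str) -> Groups:
    """Parse netgroup(4)-style text into {name: [triple or nested name, ...]}."""
    groups: Groups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *members = _TOKEN.findall(line)
        entries: List[Entry] = []
        for m in members:
            if m.startswith("("):
                if not m.endswith(")"):
                    raise ValueError(f"unterminated triple {m!r} in netgroup {name!r}")
                fields = [f.strip() for f in m[1:-1].split(",")]
                if len(fields) != 3:
                    raise ValueError(f"bad triple {m!r} in netgroup {name!r}")
                entries.append((fields[0], fields[1], fields[2]))
            else:
                entries.append(m)  # reference to another netgroup
        groups.setdefault(name, []).extend(entries)
    return groups


def _field_matches(pattern: str, value: Optional[str]) -> bool:
    if value is None:   # caller does not care about this field (innetgr NULL argument)
        return True
    if pattern == "":   # empty field in the triple is a wildcard
        return True
    if pattern == "-":  # "no valid value": never matches
        return False
    return pattern == value


def in_netgroup(groups: Groups, name: str, host: Optional[str], user: Optional[str],
                domain: Optional[str], _seen: Optional[set] = None) -> bool:
    """innetgr()-style membership test; pass None for an argument you do not care about."""
    seen = set() if _seen is None else _seen
    if name in seen:    # tolerate recursive netgroup definitions
        return False
    seen.add(name)
    for entry in groups.get(name, []):
        if isinstance(entry, tuple):
            h, u, d = entry
            if _field_matches(h, host) and _field_matches(u, user) and _field_matches(d, domain):
                return True
        elif in_netgroup(groups, entry, host, user, domain, seen):
            return True
    return False


def host_trusted(hosts_equiv: str, groups: Groups, host: str, domain: str) -> bool:
    """Would rlogin/rsh from `host` in NIS domain `domain` be trusted?  First match wins."""
    for raw in hosts_equiv.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = line.split()[0]  # an optional trailing user field is ignored here
        if entry == "+":
            return True          # the insecure default
        if entry.startswith("+@"):
            if in_netgroup(groups, entry[2:], host, None, domain):
                return True
        elif entry.startswith("-@"):
            if in_netgroup(groups, entry[2:], host, None, domain):
                return False
        elif entry.startswith("-"):
            if entry[1:] == host:
                return False
        elif entry == host:
            return True
    return False


def user_admitted(passwd: str, groups: Groups, user: str, domain: str) -> Optional[bool]:
    """True/False once a +/- rule or local entry decides for `user`; None if nothing matched."""
    for raw in passwd.splitlines():
        line = raw.strip()
        if not line:
            continue
        name = line.split(":", 1)[0]
        if name.startswith("+@"):
            if in_netgroup(groups, name[2:], None, user, domain):
                return True
        elif name.startswith("-@"):
            if in_netgroup(groups, name[2:], None, user, domain):
                return False
        elif name == "+" or name == "+" + user:
            return True          # pull in NIS: every user, or this one
        elif name == "-" + user:
            return False
        elif name == user:
            return True          # ordinary local account
    return None


if __name__ == "__main__":
    g = parse_netgroup(NETGROUP_FILE)
    for label, he in (("'+'", HOSTS_EQUIV_DEFAULT), ("'+@trusted_hosts'", HOSTS_EQUIV_FIXED)):
        for h, d in (("host1", "my_domain"), ("stranger", "other_domain")):
            print(f"hosts.equiv {label:18} {h}@{d}: trusted={host_trusted(he, g, h, d)}")
    for u in ("scs", "guest"):
        print(f"staff-only passwd, {u}: admitted={user_admitted(PASSWD_STAFF_ONLY, g, u, 'my_domain')}")
```

Running it shows the two points the post makes: the shipped "+" trusts a host from any domain, while "+@trusted_hosts" admits host1 only when its NIS domain matches the triple; and because passwd entries are evaluated top down, "-@everybody" placed before the trailing "+::" makes that "+::" unreachable for anyone in the domain who is not already admitted by "+@staff".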