XDM Insecurity revisited

From: Jochen Bauer (jtbat_private-STUTTGART.DE)
Date: Wed Aug 18 1999 - 03:26:20 PDT


    On Wed, 26 Nov 1997 Eric Augustus (augustusat_private) posted a message
    on BUGTRAQ about the fact that the default Xaccess file allows XDMCP
    connections from any host. As you know, this can be used to get a
    login screen on any host and therefore get around access control
    mechanisms like tcpwrapper and root login restriction to the console.
    
    However, this warning seemed to have little effect as (at least)
    Digital Unix 4.0E, SuSE Linux 6.1 and Red Hat Linux 6.0 are still
    (1.5 years later) shipped with this default Xaccess file. It is somehow
    ironic that e.g. SuSE now uses tcpwrappers by default on most TCP
    services in its distribution and describes the use of tcpwrappers in
    the manual in a special chapter about security, but fails to close (or
    even mention) that way to circumvent login restrictions.
    
    By the way, if you think that using the cryptographically secured remote management
    channels with access limited to authorized hosts on your AltaVista
    Firewall under Digital Unix is the only way of doing remote
    administration of the firewall, then you should take a close look at
    your Xaccess file ;-)
    
    --
    
    Jochen Bauer
    
    ************************************************************
    *Network Security Team                                     *
    *Computer Center of the University of Stuttgart            *
    *Germany                                                   *
    *                                                          *
    *Email: jtbat_private-stuttgart.de                  *
    *       jochen.bauerat_private-stuttgart.de                  *
    *                                                          *
    *PGP Public Key:                                           *
    *     http://www.theo2.physik.uni-stuttgart.de/jtb.html    *
    ************************************************************
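
An added example, not part of the original post: a small auditor that flags Xaccess entries admitting any host, so the open default described above can be spotted on a machine. It assumes the Xaccess syntax documented in the xdm man page (`#` comments, backslash continuations, `!` exclusions, `%` macros, `CHOOSER`, `NOBROADCAST`, `LISTEN`); both sample files and their host names are constructed.

```python
import re

def logical_lines(text):
    """Yield Xaccess entries with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def audit_xaccess(text):
    """Return (kind, entry) findings for entries whose pattern matches every host."""
    findings = []
    for entry in logical_lines(text):
        fields = entry.split()
        pattern, rest = fields[0], fields[1:]
        # Skip macro definitions, LISTEN directives and "!" exclusions (those deny).
        if pattern.startswith(("%", "!")) or pattern == "LISTEN":
            continue
        if not re.fullmatch(r"\*+", pattern):
            continue  # a named host or a narrower pattern such as *.example.org
        # Anything after the pattern other than NOBROADCAST makes it an indirect entry.
        targets = [f for f in rest if f != "NOBROADCAST"]
        findings.append(("indirect" if targets else "direct", " ".join(fields)))
    return findings

# Constructed sample in the style of a permissive default Xaccess.
SAMPLE_DEFAULT = """\
*                       # any host can get a login window
*  CHOOSER BROADCAST    # any indirect host can get a chooser
"""
# Constructed sample restricted to named hosts (hypothetical names).
SAMPLE_RESTRICTED = """\
!badhost.example.org
xterm1.example.org
*.example.org
%hosts  a.example.org \\
        b.example.org
"""

if __name__ == "__main__":
    for kind, entry in audit_xaccess(SAMPLE_DEFAULT):
        print(f"open {kind} entry: {entry}")
```

A `direct` finding means XDMCP Query requests from any address are answered with a login window, which is the path around tcpwrapper rules that the post describes.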
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:56:54 PDT