remote command execution & passwords
Jerry Aguirre
jerry at oliveb.olivetti.com
Thu Mar 17 06:55:25 AEST 1988
In article <860 at hsi.UUCP> stevens at hsi.UUCP (Richard Stevens) writes:
>While going through the source for rexec I found a function ruserpass()
>that called a function renv() that did the following: If you have an
>environment variable of the form
>
> MACH<host>=<username>,<cpassword>
>
>then if you're communicating with the specified <host>, it will set
>the corresponding <username> as the argument to be passed to the
>rexecd on the host. Also, it takes the supposedly encrypted <cpassword>
>and turns it into "clear text" by calling a function nbsdecrypt() that's
>also in the file. This clear text password is then passed to the rexecd
>on the other host. The comment at the top of this code is that it
>is "nbs.c stolen from Berknet". I can't find any reference to this
>MACH... environment variable in any of the man pages, and can't
>understand how it can claim to unencrypt a password. Anyone know
>what's going on here ?? Thanks.
This was from the "berknet" package (a batched star topology using tty
lines). A program would prompt you for your password and then
output an encrypted version that could be placed in the environment. The
idea was that the environment was more secure, as well as having faster
access, than a disk file (.netrc).
The encryption used an obvious key, I think it was the user's login tty
name and the remote machine name. Thus a command could find out what
tty it was running on and use that to decrypt the password. The
encryption didn't provide much real security as finding out someone
else's tty is quite simple. It did provide limited protection against
someone accidentally seeing a printenv or examining kmem. The main
protection was having it in your environment. (Doesn't ps have an
option to display the environment?)
If you have 4.2BSD check out /usr/src/ucb/berknet (I think that was
where it was). In 4.3BSD it is in /usr/src/old/berknet. The berknet
code had some nice user interfaces but internally it was a mess. We ran
over 30 systems on "berknet" here until we got our ethernet going. I
did bug fixes and tuning like adding a "raw" protocol to speed things
up.
Jerry Aguirre
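
The thread above describes credentials carried in the environment as MACH<host>=<username>,<cpassword>. As an added example (not part of either post and not berknet or rexec code), this audit sketch finds such entries in an environment block and redacts the password field before anything is logged. It assumes a NUL-separated block as Linux exposes in /proc/<pid>/environ; the sample block and all function names are constructed for illustration.

```python
import re
from typing import NamedTuple

# Entry format as given in the quoted post: MACH<host>=<username>,<cpassword>
MACH_RE = re.compile(r"MACH(?P<host>[^=]+)=(?P<user>[^,]*),(?P<cpw>.+)")

class Finding(NamedTuple):
    host: str
    user: str
    cpassword_len: int  # length only; the password field itself is never reported

def parse_environ_block(block):
    """Split a NUL-separated environment block into NAME=value strings.
    Assumption: the layout of /proc/<pid>/environ on Linux."""
    return [e.decode("utf-8", "replace") for e in block.split(b"\0") if e]

def find_mach_credentials(entries):
    """Return a Finding for every entry that matches the MACH credential format."""
    findings = []
    for entry in entries:
        m = MACH_RE.fullmatch(entry)
        if m:
            findings.append(Finding(m["host"], m["user"], len(m["cpw"])))
    return findings

def redact(entries):
    """Copy the entries with the password field of MACH entries replaced."""
    out = []
    for entry in entries:
        m = MACH_RE.fullmatch(entry)
        out.append(f"MACH{m['host']}={m['user']},<redacted>" if m else entry)
    return out

# Constructed sample block. MACHINE=vax has no comma and MACHvaxc=, has an
# empty password field, so neither counts as a credential entry.
SAMPLE = (b"HOME=/u/alice\0MACHvaxb=alice,Xq9ZkPw1\0TERM=vt100\0"
          b"MACHINE=vax\0MACHvaxc=,\0")

if __name__ == "__main__":
    entries = parse_environ_block(SAMPLE)
    for f in find_mach_credentials(entries):
        print(f"credential for host {f.host!r}, user {f.user!r}, "
              f"{f.cpassword_len}-char password field")
    print("\n".join(redact(entries)))
```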