Re: rshd gives away usernames

Eric (eric@AIMNET.NET)
Fri, 13 Jun 1997 10:59:40 -0700

Well, sendmail has always done more or less the same thing.

Say I telnetted to port 25 of some.mailhost.com:

220 some.mailhost.com ESMTP Sendmail 8.8.5/8.7.1; Fri, 13 Jun 1997
10:56:20 -0700 (PDT)

HELO A
250 some.mailhost.com Hello userid@some.mailor.com [1.2.3.4], pleased to
meet you

MAIL FROM:me
250 me... Sender ok

RCPT TO:nosuchguy
550 nosuchguy... User unknown

RCPT TO:root
250 root... Recipient ok

....

So how would you propose that get fixed? Patch up sendmail so people
don't know if they mailed the wrong address?

---
Eric Kmetz                             Phone - 408/567.3800
Systems Programmer                    E-Mail - eric@aimnet.net
Aimnet Corporation

On Fri, 13 Jun 1997, David Holland wrote:

> Try 'rsh victimhost -l realuser' and 'rsh victimhost -l nosuchuser'.
> The error reported is different.
>
> Therefore, it's possible to determine which account names are valid.
> This is an issue only for particularly paranoid sites that probably
> already have rshd disabled, but I thought it would be worth issuing a
> warning anyway.
>
> A cursory investigation of some local machines showed the following:
>
> Affected: Linux, NetBSD, Digital Unix 4.0
> Not affected: HP-UX, Solaris
>
> Linux's rsh client also seems to have a bug where the second of the
> above cases prints random error strings. This will all be fixed in the
> next release (unfortunately, not yesterday's release...)
>
> --
> - David A. Holland | VINO project home page:
> dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino
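
A defender's view of the SMTP exchange in the message above, as an added example that is not part of the original post: it pairs each RCPT TO with the server's reply and flags sessions that collect recipient rejections without ever sending DATA. The function names, the threshold and the second sample session are assumptions made for illustration.

```python
import re

# Transcript from the post above (wrapped reply joined onto one line).
POST_SESSION = """\
HELO A
250 some.mailhost.com Hello userid@some.mailor.com [1.2.3.4], pleased to meet you
MAIL FROM:me
250 me... Sender ok
RCPT TO:nosuchguy
550 nosuchguy... User unknown
RCPT TO:root
250 root... Recipient ok
"""

# Constructed sample: an ordinary delivery that goes on to send a message.
NORMAL_SESSION = """\
HELO mx.example.org
250 some.mailhost.com Hello
MAIL FROM:<alice@example.org>
250 Sender ok
RCPT TO:<bob>
250 Recipient ok
DATA
354 Enter mail
"""

REPLY = re.compile(r"^(\d{3})[ -]")  # three-digit SMTP reply code

def summarize(session):
    """Pair each RCPT TO with its reply code and note whether DATA was sent."""
    accepted, rejected, sent_data, pending = [], [], False, None
    for line in session.splitlines():
        m = REPLY.match(line)
        if m:
            if pending is not None:
                (accepted if m.group(1).startswith("2") else rejected).append(pending)
                pending = None
        elif line.upper().startswith("RCPT TO:"):
            pending = line[8:].strip()
        elif line.upper().startswith("DATA"):
            sent_data = True
    return {"accepted": accepted, "rejected": rejected, "data": sent_data}

def looks_like_probe(session, min_rejects=1):
    """Heuristic (assumption): recipients were rejected and no mail was sent."""
    s = summarize(session)
    return len(s["rejected"]) >= min_rejects and not s["data"]
```

In practice the threshold would be raised and the counts aggregated per client address, since a single mistyped recipient also produces one rejection.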