Re: HP-UX tcp_random_seq

Casper Dik (casper@HOLLAND.SUN.COM)
Tue, 07 Oct 1997 12:12:24 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Lionel Cons: "X Security: a summary"
Previous message: KSR[T]: "KSR[T] Advisory #3: updatedb / crontabs"
Maybe in reply to: Aleph One: "HP-UX tcp_random_seq"

>I dont belive this is been given enough distribution. Under HP-UX you can
>configure it to use random TCP sequence numbers by setting the
>tcp_random_seq variable. The values are:
>
> 0 - old behavior (default)
> 1 - rand(3) bahavior
> 2 - rand48(3) behhavior
>
>The seed value for the rand*() functions is based on the time when
>tcp_init() (or nettune) is called, so dont make your uptime public
>(i.e. rstatd).
>

Solaris 2.x has a similar option.

ndd -set /dev/tcp tcp_string_iss <value>

It accepts three values (2 in 2.5*)

0 - old behaviour
1 - using random(3) [default]
2 - new in 2.6., RFC 1948 support
The password for this is set from root's /etc/shadow entry
using ndd -set /dev/tcp tcp_1948_phrase <shadow field>

The method to set this in 2.6 is editing /etc/default/inetinit and add
TCP_STRONG_ISS=2

If you have lots of clients with the same encrypted root password, you'd
want to find another way of setting the tcp_1948_phrase

Casper

Next message: Lionel Cons: "X Security: a summary"
Previous message: KSR[T]: "KSR[T] Advisory #3: updatedb / crontabs"
Maybe in reply to: Aleph One: "HP-UX tcp_random_seq"