Re: netatalk security vs. ftp, ssh


Subject: Re: netatalk security vs. ftp, ssh
From: Ron Chmara (ron@opus1.com)
Date: Mon Jul 31 2000 - 16:59:01 EDT


Tom Fitzgerald wrote:
>
> > My personal fave Mac security hole: There is no stored key, authentication,
> > _whatever_, to guarantee that a server is the same entity from session to
> > session.... Last time I spoke with Apple about this, newer clients could
> > be tuned to _not_ fall back to cleartext, but most clients will happily
> > fail to recognize a server randnum or DHX, and fall back to cleartext.
>
> For what it's worth, users with clues will see this immediately since
> the "cleartext password" notice shows up next to the username/password
> prompt.

"With clues" is an important qualifier. :-)

> It'll also be obvious that valid username/password combinations aren't
> working. It should be clear to everyone that an attack is happening
> and it might be time for a global password change.

Or that the server is just "doing something funny"....and "needs to be
rebooted"... most folks never even look that closely at their prompting.

> > Here's how an inside attack works:
> > 1. Badguy with a laptop sets up netatalk, configures the machine to have
> > the same server name. Doesn't set up any password login besides cleartext.
> > 2. Badguy laptop jacks into network, SYN's the valid AppleShare server into
> > silence, thus making the Mac users select -his- machine in the Chooser.
>
> This doesn't sound right..... SYN-bombing will keep the AppleShare server
> from accepting AS/IP connections, but it won't affect what appears in the
> Chooser since that's coming directly over the AppleTalk protocol, not IP.

Depends on the OT version... the individual DoS attack details may vary,
but the point is: "take the valid server out of the LAN". Flood ping it,
whatever.

> In fact, won't the AppleTalk routers start screaming when two AppleTalk
> servers start advertising the same server name?

Nope.

-Bop

--
Brought to you from boop!, the dual boot Linux/Win95 Compaq Presario 1625
laptop, currently running RedHat 6.1. Your bopping may vary.
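
The gap discussed in this message (no stored server identity, and clients silently falling back to cleartext) can be checked for on the defensive side with a trust-on-first-use pin. The following is an added example, not part of the original post and not netatalk or Apple code; the class and field names, the addresses, and the sample observations are constructed, and the authentication-method strings are sample values for illustration.

```python
from dataclasses import dataclass

# Methods that expose the password (or need none); sample strings, assumed.
WEAK_UAMS = frozenset({"Cleartxt Passwrd", "No User Authent"})

@dataclass(frozen=True)
class Observation:
    server_name: str      # name the client sees when browsing
    address: str          # network address the name was seen at
    uams: frozenset       # authentication methods the server advertised

class PinStore:
    """Remembers what each server name looked like the first time it was seen."""
    def __init__(self):
        self._pins = {}

    def check(self, obs):
        """Pin on first sight; afterwards return a list of identity findings."""
        pin = self._pins.get(obs.server_name)
        if pin is None:
            self._pins[obs.server_name] = obs
            return []
        findings = []
        if obs.address != pin.address:
            findings.append("address-changed")
        lost = (pin.uams - obs.uams) - WEAK_UAMS
        if lost:
            findings.append("uam-removed:" + ",".join(sorted(lost)))
        if (pin.uams - WEAK_UAMS) and not (obs.uams - WEAK_UAMS):
            findings.append("cleartext-only-downgrade")
        return findings

def client_may_login(obs, findings):
    """Policy: send credentials only to an unchanged server offering a strong method."""
    return not findings and bool(obs.uams - WEAK_UAMS)

# Constructed observations: the real server, then a same-named cleartext-only host.
KNOWN = Observation("FileServer", "10.0.0.5",
                    frozenset({"Cleartxt Passwrd", "Randnum Exchange", "DHCAST128"}))
IMPOSTOR = Observation("FileServer", "10.0.0.77", frozenset({"Cleartxt Passwrd"}))

def demo():
    store = PinStore()
    first = store.check(KNOWN)
    second = store.check(IMPOSTOR)
    return first, second, client_may_login(IMPOSTOR, second)

if __name__ == "__main__":
    print(demo())
```

A legitimate re-addressing of the server will also raise "address-changed", so that finding should prompt verification rather than be treated as proof of impersonation.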


