In message <199701031916.LAA15717@precipice.shockwave.com>, Paul Traina writes:
>To start the ball rolling, let me just suggest the following. I know it's
>not pretty, and I'm not so sure that the remote ssh key belongs in utmp,

Actually it should probably be a more generic "authentication" field that
documents how this session got authenticated, i.e., Kerberos and /bin/login
would also have things to put here.

>but this is what I conceive as changing. The big thing is I'd like to fix
>the size of the utmp structure once and for all, and define the reserved
>area as must-be-zero so we don't get in the mess we just got in ever again. :-
>#define UT_HADDRSIZE 16 /* remote host address */

If this is binary, shouldn't we make it contain the entire result
from getpeername()? I.e., port and proto as well?
How big is an IPv6 sock_addr anyway?

>#define UT_KEYSIZE 16 /* for ssh key? hmmm... I'm not so sure
Make it:
#define UT_AUTHSIZE 64
And make it contain "<proto>\040<method>\040<information>"
for instance:
"telnet passwd phk"
"ftp skey phk"
"ssh rsa phk@critter.tfs.com"
"ssh passwd phk"
"rsh rhosts critter.dk.tfs.com phk"
"rlogin equiv spatter.freebsd.org phk"
"telnet kerbIV mumble mumble mumble"

It is of course a double-edged sword to store this info, but in the
case where a user account has been compromised, it provides valuable
information about what got compromised. In the case of a compromised
root all bets are off of course.
--
Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox.
whois: [PHK] | phk@tfs.com TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.
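As an added example, not part of this message or of FreeBSD's utmp code: a small C sketch of the proposed fixed-size authentication field. The record, field and function names (ut_auth_rec, ut_auth, ut_reserved, ut_auth_set, ut_auth_valid, ut_auth_parse) and the 16-byte reserved area are assumptions; the 64-byte "<proto> <method> <information>" layout and the sample entries are the ones proposed above. It zero-pads the field, refuses an oversize entry instead of truncating it, and checks the must-be-zero area when a record is read back.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define UT_AUTHSIZE 64       /* size proposed in the message */
#define UT_RESERVEDSIZE 16   /* hypothetical must-be-zero tail */
/* Hypothetical cut-down record: only the two fields this example needs. */
struct ut_auth_rec {
    char ut_auth[UT_AUTHSIZE];         /* "<proto> <method> <information>" */
    char ut_reserved[UT_RESERVEDSIZE]; /* must be zero */
};
/* Fill ut_auth; refuses (and blanks the field) rather than truncating. */
bool ut_auth_set(struct ut_auth_rec *r, const char *proto,
                 const char *method, const char *info)
{
    int n = snprintf(r->ut_auth, UT_AUTHSIZE, "%s %s %s", proto, method, info);
    if (n < 0 || n >= UT_AUTHSIZE) {
        memset(r->ut_auth, 0, UT_AUTHSIZE);     /* never leave a partial entry */
        return false;
    }
    memset(r->ut_auth + n, 0, UT_AUTHSIZE - n); /* explicit zero padding */
    memset(r->ut_reserved, 0, UT_RESERVEDSIZE);
    return true;
}
/* Record read back from disk: NUL-terminated field, reserved area all zero. */
bool ut_auth_valid(const struct ut_auth_rec *r)
{
    static const char zeros[UT_RESERVEDSIZE];
    return memchr(r->ut_auth, '\0', UT_AUTHSIZE) != NULL &&
           memcmp(r->ut_reserved, zeros, UT_RESERVEDSIZE) == 0;
}
/* Split into proto/method (copied out) and info (pointer into the record);
 * info keeps embedded spaces, as in the "telnet kerbIV ..." example. */
bool ut_auth_parse(const struct ut_auth_rec *r, char *proto, size_t psz,
                   char *method, size_t msz, const char **info)
{
    if (!ut_auth_valid(r)) return false;
    const char *p = r->ut_auth, *s1 = strchr(p, ' ');
    if (s1 == NULL) return false;
    const char *s2 = strchr(s1 + 1, ' ');
    if (s2 == NULL) return false;
    size_t plen = (size_t)(s1 - p), mlen = (size_t)(s2 - s1 - 1);
    if (plen == 0 || mlen == 0 || plen >= psz || mlen >= msz) return false;
    memcpy(proto, p, plen);       proto[plen] = '\0';
    memcpy(method, s1 + 1, mlen); method[mlen] = '\0';
    *info = s2 + 1;
    return true;
}
```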