Eric B. wrote:
I've been working at getting a tftp server up an running in a chroot jail, and I have finally succeed getting almost everything working. The server itself works fine, however, it is implemented as a tcpwrapper application (ie: in.tftpd) and I am having trouble getting it to resolve DNS names. I copied my /etc/hosts.allow and /etc/hosts.deny in my chroot/etc folder, however, they only work properly if I provide IP addresses. If I use FQDN, they fail.
For instance, in hosts.allow: in.tfptd: 192.168.1.101 allow
works fine
But the following fails in.tftptd: eric.test.com allow
I'm assuming I am missing a library/libraries in my chroot jail, but am not sure which ones. I've got all the libs req'd by ldd, but I am guessing there is something else that I am missing.
---------- End Original Message ----------
from a security standpoint i don't think you want to control access by fqdn. the name being given access is based on the inverse-map lookup (in-addr.arpa) on the inbound ipnumber - not the forward lookup. so, this isn't controlled by the keepers of the "test.com" zone, rather, anyone can set up "eric.test.com" as an inverse entry for an ipnumber for which they control the in-addr.arpa records.
If hosts.allow and friends use the fqdn without reverse validation, then I consider this a huge bug. The original tcp wrappers will set the hostname to "unknown" if the reverse and rdns do not match (ip -> rdns -> ip must return the original IP). I am certain this is still the case in the current implementations.
i.e., putting an fqdn in the hosts.allow file only gives security by obscurity. if someone figures out the fqdns that you're giving access to, and has control of the in-addr.arpa for an ipnumber range they can connect from, they can gain access to your system.
- Rick
Thanks for the feedback Rick. I didn't realize that security implication. However I'm already running this on a machine that is heavily firewalled on a VPN so I am fairly sure that no one will be accessing this externally, but I still would like to restrict access to particular machines. Ideally, would rather use FQDN to make life easier for me to administer. I have created my additional reverse-dns pointer but I am still having problems with it.
nslookup from the server gives me: # nslookup 192.168.3.103 Server: 192.168.1.67 Address: 192.168.1.67#53
103.3.168.192.in-addr.arpa name = eric.test.com.3.168.192.in-addr.arpa.
It looks like there is a missing trailing dot in your DNS zone configuration. I doubt you are authoritative for the in-addr.arpa zone.
in your zone file, you should have something like 103 IN PTR eric.test.example. (notice the last dot). Otherwise, the zone name (@ORIGIN) will be added.
make sure you have a matching reverse _and_ forward resolution. you should get something like:
192.168.3.103 => eric.test.example _and_ eric.test.example => 192.168.3.103
If you only have the reverse lookup, the result is untrusted and sane applications should ignore it.
However, when I try to connect to the tftp server, my connection is still refused, and I get the following in the log msgs:
Jan 14 12:49:19 apollo atftpd[15302]: Connection refused from 192.168.103.103
I am obviously doing something still incorrect, but not sure what.
Can you help point me in the right direction please? Is my reverse DNS incorrectly set up?