Post subject: Re: RPC security concern
Posted: Mon Sep 13, 2010 8:25 am
Site Admin

bircoph wrote:
Hello,

The present version of l2tpconfig and openl2tpd with RPC enabled (from openl2tpd-1.7) seems very insecure to me. Even with network access by default in openl2tpd, there are no local permission checks, thus effectively any local user may do anything with the running openl2tpd and its connections.

OpenL2TP was originally designed for use in closed systems (i.e. telecoms equipment) where RPC could be used to control several OpenL2TP instances on different line cards over a network within the chassis. The possibility of a malicious local user was ignored in the design. :-(

bircoph wrote:
So, please, please, please! Implement at least a basic RPC access control like username/password. The better way is to engage PAM and the best way is to enable SSL/TLS support for network control. I know, I ask for a lot of work, but at least login/passwd RPC access control will do a great job.

This would be a great project. We don't have resources to put on it right now. If anyone is interested in working on it, please let us know.

