RPC security concern
Author:  jchapman [ Mon Sep 13, 2010 8:25 am ]
Post subject:  Re: RPC security concern

bircoph wrote:

The present version of l2tpconfig and openl2tpd with RPC enabled (from openl2tpd-1.7) seems very insecure to me. Even with network access by default in openl2tpd, there are no local permission checks, thus effectively any local user may do anything with the running openl2tpd and its connections.

OpenL2TP was originally designed for use in closed systems (i.e. telecoms equipment) where RPC could be used to control several OpenL2TP instances on different line cards over a network within the chassis. The possibility of a malicious local user was ignored in the design. :-(

bircoph wrote:
So, please, please, please! Implement at least a basic RPC access control like username/password. The better way is to engage PAM and the best way is to enable SSL/TLS support for network control. I know, I ask for a lot of work, but at least login/passwd RPC access control will do a great job.

This would be a great project. We don't have resources to put on it right now. If anyone is interested in working on it, please let us know.

