----------------------------------------------------------------
From: Marc Rogers <marcr@closed-networks.com>
Date: Sun, 25 Feb 2001 12:13:18 +0000
To: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Message-Id: <5.0.2.1.0.20010225114958.00b10858@pop3.demon.co.uk>
In-Reply-To: <3A982224.893F76AF@gorean.org>

At 13:05 24/02/2001 -0800, Doug Barton wrote:
>Adam Laurie wrote:
> >
> > Doug Barton wrote:
> > >
> > > Mikel King wrote:
> > > >
> > > > rc.conf.local and rc.local were deprecated around the release of 4.x.
> > >
> > > Don't be silly. Both are fully supported, and there is no plan to
> > > remove support at any time in the future (and I will vigorously
> > > oppose any plan to do so). The only thing that has actually changed
> > > is that the system no longer ships with an rc.local file installed.
> >
> > so what's the point in putting it in there instead of rc.conf then?
>
> The original question I responded to suggested putting the settings for
>rc.firewall into a whole new conf file. My point was that there were
>already several locations that would be more appropriate.
>
>Doug

I agree. This thread seems to have gotten sidetracked. I'm still going to
chuck in my two-pence worth though....

"Typically, the /usr/local/etc/rc.d mechanism is used instead of rc.local
these days but if you do want to use rc.local, /etc/rc still supports it.
In this case, rc.local should source /etc/rc.conf and contain additional
custom startup code for your system."
- /usr/bin/man

"The file /etc/rc.conf.local is used to override settings in /etc/rc.conf
for historical reasons."
- /usr/bin/man

If my interpretation of that is correct, then rc.local and rc.conf.local
have been left in to support people with existing setups so they don't
have to move to the preferred rc.d mechanism immediately. The simple fact
that they have been left in for historical reasons & alternative newer
mechanisms suggested means to me that they have been deprecated. That's
just my interpretation though.

Also, and more importantly, rc.local / rc.conf.local / rc.d are there for
"local" configurations. What we are discussing here is a potential commit
to all FreeBSD configurations and as such would be far more appropriately
placed within the rc.conf mechanism. Anyway, that's my two-pence worth on
that.

I would like to see configuration code for ipfw AND ipfilter placed into
rc.conf (and thus ipnat as well as natd). Anyway I won't hold my breath
for a commit.

By the way, keeping state on UDP connections is a bad idea. UDP is
stateless. Trying to make it otherwise opens you up to all kinds of
abuse......

"Held UDP state is timed out, as is TCP state for entries added which do
not have the SYN flag set. If an entry is created with the SYN flag set,
any subsequent matching packet which doesn't have this flag set (ie a
SYN-ACK) will cause it to be "timeless" (actually, the timeout defaults
to 5 days), until either a FIN or RST is seen"
- http://coombs.anu.edu.au/~avalon/examples.html#packetstate

Marc

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

----------------------------------------------------------------
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 25 Feb 2001 13:52:05 +0100
To: Marc Rogers
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
In-Reply-To: Marc Rogers's message of "Sun, 25 Feb 2001 12:13:18 +0000"

Marc Rogers writes:
> "Typically, the /usr/local/etc/rc.d mechanism is used instead of rc.local
> these days but if you do want to use rc.local, /etc/rc still supports
> it. In this case, rc.local should source /etc/rc.conf and contain
> additional custom startup code for your system."
> - /usr/bin/man

This is not true. /usr/local/etc/rc.d is for starting and stopping
daemons. /etc/rc.local is for all kinds of weird shit that needs to be
done once at boot time but isn't directly related to a daemon with a
finite lifespan.

DES
--
Dag-Erling Smorgrav - des@ofug.org

----------------------------------------------------------------
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Date: Sun, 25 Feb 2001 15:47:36 +0100
To: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Message-ID: <20010225154736.O20830@speedy.gsinet>
In-Reply-To: <5.0.2.1.0.20010225114958.00b10858@pop3.demon.co.uk>
Organization: System Defenestrators Inc.

On Sun, Feb 25, 2001 at 12:13 +0000, Marc Rogers wrote:
>
> I would like to see configuration code for ipfw AND ipfilter
> placed into rc.conf (and thus ipnat as well as natd). Anyway I
> won't hold my breath for a commit.

Excuse me. What exactly do you mean by these words? What's missing? ipfw
has been enabled there / gotten parameters from for quite some time, ipf
got its hooks before 4.2-RELEASE. Plus this all only moved to an early
stage in the boot process what you could accomplish by means of
/usr/local/etc/rc.d/ipf.sh before.

----- from cvs log etc/rc.network -------------------------------
revision 1.74.2.10
date: 2000/11/11 20:33:39; author: jkh; state: Exp; lines: +32 -1
MFC: This brings support for IP Filter into rc.network and rc.conf
with the appropriate documentation added to rc.conf(5). This has
been tested in -current since Oct 6th.
-----------------------------------------------------------------

If you need some more fine grained control than "enable it, there are the
ruleset files" you might want to look at the preprocessor hook I added to
ipf (PR bin/21989). When searching for it, consider its state -- it's
closed. Darren strongly feels that it's not a task his userland interface
to the kernel rules table (ipf(8)) has to care about and that these
results can always be gained by changing the program's invocation. So
this patch will never make it into ipfilter itself. Although you've been
free since 4.2 to specify a different $ipfilter_program, which could be a
script sourcing rc.conf again. This enables you to do some rc.firewall
like things piping half a thousand echo commands with variable
substitutions into "ipf -f -".

What is it that you cannot achieve with all the knobs you are provided
with?

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your
parents or an adult to help you.

----------------------------------------------------------------
From: scanner@jurai.net
Date: Sun, 25 Feb 2001 15:33:28 -0500 (EST)
To: Marc Rogers
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
In-Reply-To: <5.0.2.1.0.20010225114958.00b10858@pop3.demon.co.uk>

On Sun, 25 Feb 2001, Marc Rogers wrote:
> I would like to see configuration code for ipfw AND ipfilter placed into
> rc.conf (and thus ipnat as well as natd). Anyway I won't hold my breath for
> a commit.

You do know that both ipf and ipfw are configurable in /etc/rc.conf
right? It's been that way since 4.2. Unless you're suggesting we move
/etc/rc.firewall into rc.conf? Surely you don't mean that.

And UDP is stateless. I would be interested to know how you filter state
with UDP.
;)

----------------------------------------------------------------
From: sthaug@nethelp.no
Date: Sun, 25 Feb 2001 21:43:12 +0100
To: scanner@jurai.net
Cc: marcr@closed-networks.com, freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Message-ID: <67798.983133792@verdi.nethelp.no>
In-Reply-To: Your message of "Sun, 25 Feb 2001 15:33:28 -0500 (EST)"

> And UDP is stateless. I would be interested to know how you filter
> state with UDP. ;)

You punch a hole in the firewall for the port(s) in question and for a
limited amount of time (say 30 seconds). Useful to allow for instance
DNS queries from clients on the inside.

Yes, of course you are somewhat vulnerable while you have this hole in
the firewall. However, it's probably better than having everything wide
open, while also being more *useful* than having all UDP closed.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

----------------------------------------------------------------
From: scanner@jurai.net
Date: Sun, 25 Feb 2001 16:12:45 -0500 (EST)
To: sthaug@nethelp.no
Cc: marcr@closed-networks.com, freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
In-Reply-To: <67798.983133792@verdi.nethelp.no>

On Sun, 25 Feb 2001 sthaug@nethelp.no wrote:
> You punch a hole in the firewall for the port(s) in question and for a
> limited amount of time (say 30 seconds). Useful to allow for instance
> DNS queries from clients on the inside.

Right, filtering ports. That's not quite the same as filtering on the
state of a connection.

> Yes, of course you are somewhat vulnerable while you have this hole in
> the firewall. However, it's probably better than having everything wide
> open, while also being more *useful* than having all UDP closed.

Very true. And I have done this for DNS. And you are right when weighing
the pros/cons of full time UDP 53 and doing limited lifetime expires of
clients doing UDP DNS communications. This might be a good modification
to the existing default firewall rules. Assuming it breaks nothing.
Although you would still need to add a rule for TCP with DNS. But that
you can filter by state and allow only established connections from the
clients.

=============================================================================
-Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================
irc.openprojects.net #FreeBSD -Join the revolution! ICQ: 20016186

----------------------------------------------------------------
From: patl@Phoenix.Volant.ORG
Date: Sun, 25 Feb 2001 13:17:50 -0800 (PST)
To: Wes Peters
Cc: Justin Stanford, Leon Breedt, freebsd-security@freebsd.org
Subject: Re: Exim lookup support - was: Secure Servers (SMTP, POP3, FTP)
In-Reply-To: <3A897C30.782C3331@softweyr.com>

I was catching up on my mailing lists and didn't see a response to this
question.

On 13-Feb-01 at 11:06, Wes Peters (wes@softweyr.com) wrote:
> Justin Stanford wrote:
> >
> > Exim and Qpop can also be made to use MySQL for virtual user tables and
> > the like - a very effective system.
>
> Is MySQL hard-coded, or can you use another dbms like PostgreSQL?

Exim has a general config syntax that supports a variety of lookup
schemes from simple linear file to LDAP, MySQL, PostgreSQL, et al. The
choice of which ones are available is made at compile time. It also
looks like adding a new one probably isn't very difficult.

-Pat

----------------------------------------------------------------
From: "Jonathan Slivko" <js43064n@pace.edu>
Date: Sun, 25 Feb 2001 16:32:04 -0500
To: freebsd-security@freebsd.org
Subject: Possible Security Vulnerability
Message-ID: <002901c09f72$66ebee40$660599ac@winme>

Hello all,

I have been testing the security on my machine (FreeBSD 4.2-STABLE) and I
noticed a bug that could potentially reboot a box from any type of user,
root or regular user. What I did was I just gave the box a whole bunch of
w commands like w;w;w;w;w, etc. and just let that run. A few seconds
later, the box coredumped and rebooted. I got this to occur several times
in a row. Is this some kind of known vulnerability or is this just
something that will have to be investigated further? If interested in
more details, please feel free to e-mail me. Thanks.

----------------------------------------------------------------
From: Will Andrews
Date: Sun, 25 Feb 2001 16:36:36 -0500
To: Jonathan Slivko
Cc: FreeBSD Stable
Subject: Re: Possible Security Vulnerability
Message-ID: <20010225163636.H767@ohm.physics.purdue.edu>
In-Reply-To: <002901c09f72$66ebee40$660599ac@winme>

[ moved to -stable ]

On Sun, Feb 25, 2001 at 04:32:04PM -0500, Jonathan Slivko wrote:
> I have been testing the security on my machine (FreeBSD 4.2-STABLE) and
> I noticed a bug that could potentially reboot a box from any type of user,
> root or regular user. What I did was I just gave the box a whole bunch of w
> commands like w;w;w;w;w, etc. and just let that run. A few seconds later,
> the box coredumped and rebooted. I got this to occur several times in a row.
> Is this some kind of known vulnerability or is this just something that will
> have to be investigated further? If interested in more details, please feel
> free to e-mail me. Thanks.

That's not a security vulnerability (ie defined as something which gives
an attacker elevated privileges), that's a bug. Nevertheless, I can't
reproduce it.. possibly because you've given next to nothing as far as
details go.

--
wca

----------------------------------------------------------------
From: "John Howie" <JHowie@msn.com>
Date: Sun, 25 Feb 2001 14:06:42 -0800
Cc: "FreeBSD Stable"
Subject: Re: Possible Security Vulnerability
Message-ID: <0b4b01c09f77$3c65c100$0101a8c0@development.local>
References: <002901c09f72$66ebee40$660599ac@winme> <20010225163636.H767@ohm.physics.purdue.edu>
Will,

I am afraid that I have to respectfully disagree with your sweeping
statement that a DoS is not a security vulnerability and that a Security
Vulnerability is defined as an elevation of privilege. A vulnerability is
defined as 'anything that can be exploited to an advantage' and a
Security Vulnerability is one that relates directly to the security
and/or integrity of the system, in particular one that breaks the three
'A's - Authentication, Authorization, and Audit/Accountability. If a
machine is used as a logging server (for syslog perhaps) and you could
crash it prior to attempting an attack on another machine then yes, this
is a security issue. Any DoS can be interpreted as a security issue
depending on the environment and circumstances, and a standard Risk
Assessment would identify it as such.

However, you are 100% right that we do not have enough information to act
further here. Perhaps the problem is an exhaustion of resources.
Jonathan, please supply more information about the environment in which
this occurred. And yes, this is probably better in another newsgroup and
not -security.

Regards,

john...

----- Original Message -----
From: "Will Andrews"
To: "Jonathan Slivko"
Cc: "FreeBSD Stable"
Sent: Sunday, February 25, 2001 1:36 PM
Subject: Re: Possible Security Vulnerability

[ moved to -stable ]

On Sun, Feb 25, 2001 at 04:32:04PM -0500, Jonathan Slivko wrote:
> I have been testing the security on my machine (FreeBSD 4.2-STABLE) and
> I noticed a bug that could potentially reboot a box from any type of user,
> root or regular user. What I did was I just gave the box a whole bunch of w
> commands like w;w;w;w;w, etc. and just let that run. A few seconds later,
> the box coredumped and rebooted. I got this to occur several times in a row.
> Is this some kind of known vulnerability or is this just something that will
> have to be investigated further? If interested in more details, please feel
> free to e-mail me. Thanks.

That's not a security vulnerability (ie defined as something which gives
an attacker elevated privileges), that's a bug. Nevertheless, I can't
reproduce it.. possibly because you've given next to nothing as far as
details go.

--

----------------------------------------------------------------
From: Bryan Bradsby <Bryan.Bradsby@capnet.state.tx.us>
Date: Sun, 25 Feb 2001 22:13:05 -0600 (CST)
Subject: Re: /etc/rc.firewall fixes
In-Reply-To: <200102202005.f1KK5kv83619@medusa.kfu.com>

This thread veered off from the topic that interests me. I would also
like to see comments on possible changes to the rc.firewall rules.
Perhaps adding a category for a server (no nat or gateway) i.e. for a
DNS, e-mail, pop3, or web server exposed to the big bad internet.

Thank you,
-bryan bradsby
================================

----------------------------------------------------------------
From: Adam Laurie <adam@algroup.co.uk>
Date: Mon, 26 Feb 2001 10:07:35 +0000
To: Gerhard Sittig
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Message-ID: <3A9A2AE7.DDD4E33B@algroup.co.uk>

Gerhard Sittig wrote:
>
> On Sun, Feb 25, 2001 at 12:13 +0000, Marc Rogers wrote:
> >
> > I would like to see configuration code for ipfw AND ipfilter
> > placed into rc.conf (and thus ipnat as well as natd). Anyway I
> > won't hold my breath for a commit.
>
> Excuse me. What exactly do you mean by these words? What's
> missing? ipfw has been enabled there / gotten parameters from
> for quite some time, ipf got its hooks before 4.2-RELEASE. Plus
> this all only moved to an early stage in the boot process what
> you could accomplish by means of /usr/local/etc/rc.d/ipf.sh
> before.

uname -v
FreeBSD 4.2-RELEASE #1: Mon Feb 19 14:46:17 GMT 2001

from /etc/rc.firewall:

# set these to your network and netmask and ip
net="192.0.2.0"
mask="255.255.255.0"
ip="192.0.2.1"

update your rc.firewall and you lose your network setting.

cheers,
Adam
--
Adam Laurie                 Tel: +44 (20) 8742 0755
A.L. Digital Ltd.           Fax: +44 (20) 8742 5995
Voysey House                http://www.thebunker.net
Barley Mow Passage          http://www.aldigital.co.uk
London W4 4GB               mailto:adam@algroup.co.uk
UNITED KINGDOM              PGP key on keyservers

----------------------------------------------------------------
From: Bob Johnson <bob@eng.ufl.edu>
Date: Mon, 26 Feb 2001 09:10:32 -0500
To: security@freebsd.org
Subject: SSH tutorial posted for comments
Message-ID: <3A9A63D8.D6C8881F@eng.ufl.edu>

I've posted an SSH tutorial at

http://www.afn.org/~ambient/sshfreebsd.html
http://www.afn.org/~ambient/sshfreebsd.rtf

(the RTF version has better formatting).

It isn't ready for general distribution, but I'm soliciting suggestions
for improvement. Once I have cleaned it up I will submit it for inclusion
in the FreeBSD Handbook (or the Handbook maintainers can take it now and
run with it if they want to; that's fine with me).

I'm primarily interested in feedback about factual accuracy or points
that may be confusing, rather than grammatical issues. I will probably
make substantial changes and there isn't much point in worrying about
details until I've done that. In any case, feedback from both beginners
and experienced ssh users would be helpful.

Thanks,

- Bob

----------------------------------------------------------------
From: Peter Pentchev <roam@orbitel.bg>
Date: Mon, 26 Feb 2001 16:42:24 +0200
To: Adam Laurie
Cc: Gerhard Sittig, freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Message-ID: <20010226164224.A435@ringworld.oblivion.bg>
In-Reply-To: <3A9A2AE7.DDD4E33B@algroup.co.uk>

On Mon, Feb 26, 2001 at 10:07:35AM +0000, Adam Laurie wrote:
> Gerhard Sittig wrote:
> >
> > On Sun, Feb 25, 2001 at 12:13 +0000, Marc Rogers wrote:
> > >
> > > I would like to see configuration code for ipfw AND ipfilter
> > > placed into rc.conf (and thus ipnat as well as natd). Anyway I
> > > won't hold my breath for a commit.
> >
> > Excuse me. What exactly do you mean by these words? What's
> > missing? ipfw has been enabled there / gotten parameters from
> > for quite some time, ipf got its hooks before 4.2-RELEASE. Plus
> > this all only moved to an early stage in the boot process what
> > you could accomplish by means of /usr/local/etc/rc.d/ipf.sh
> > before.
>
> uname -v
> FreeBSD 4.2-RELEASE #1: Mon Feb 19 14:46:17 GMT 2001
>
> from /etc/rc.firewall:
>
> # set these to your network and netmask and ip
> net="192.0.2.0"
> mask="255.255.255.0"
> ip="192.0.2.1"
>
> update your rc.firewall and you lose your network setting.

Uh.. isn't this what mergemaster is for?

G'luck,
Peter
--
This sentence was in the past tense.
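Adam Laurie's rc.firewall excerpt above loses its site values precisely because they live in the file that an upgrade (the mergemaster step Peter mentions) replaces. The script below is an added example, not code from any poster and not FreeBSD's own rc.firewall: it has rc.firewall take the values from rc.conf and fall back to built-in defaults only when rc.conf leaves them unset, and it emits a rule set that includes the limited-lifetime UDP hole for DNS from the Steinar Haug / Chris Watson exchange, done with ipfw dynamic rules. The knob names firewall_net, firewall_mask and firewall_ip are assumptions, not real rc.conf(5) variables, and the rc.conf contents are constructed.

```shell
#!/bin/sh
# Added example (not from any poster, not FreeBSD's rc.firewall).
# rc.firewall reads site values from rc.conf and only falls back to
# built-in defaults when rc.conf does not set them, so replacing
# rc.firewall on an upgrade cannot throw the settings away.
# firewall_net / firewall_mask / firewall_ip are ASSUMED knob names.

# Constructed stand-in for /etc/rc.conf; a real script sources the real file.
RC_CONF=$(mktemp "${TMPDIR:-/tmp}/rcconf.XXXXXX")
trap 'rm -f "$RC_CONF"' EXIT
cat > "$RC_CONF" <<'EOF'
firewall_enable="YES"
firewall_net="10.1.2.0"
firewall_mask="255.255.255.0"
firewall_ip="10.1.2.1"
EOF

# fw_resolve <rc.conf> <knob> <default>: print the knob's value from
# rc.conf, or the default when rc.conf leaves it unset or empty.
# Sourcing happens in a subshell so the caller's variables stay clean.
fw_resolve() {
    ( . "$1" >/dev/null 2>&1
      eval "printf '%s\n' \"\${$2:-$3}\"" )
}

# fw_rules <rc.conf> <outside interface>: emit the rule set in the form
# ipfw reads from a rule file ("add ..." per line).  Nothing is loaded
# into the kernel, which keeps the output checkable on any host.
#   - check-state / keep-state give the "hole for a limited time":
#     the DNS reply is matched by a dynamic rule that ipfw expires by
#     itself (net.inet.ip.fw.dyn_udp_lifetime seconds of silence),
#     so the hole closes without a timer script.
#   - TCP DNS gets the same treatment, limited to client-initiated
#     (setup) connections.
fw_rules() {
    rc=$1; oif=$2
    net=$(fw_resolve "$rc" firewall_net 192.0.2.0)       # defaults are the
    mask=$(fw_resolve "$rc" firewall_mask 255.255.255.0)  # values from the
    ip=$(fw_resolve "$rc" firewall_ip 192.0.2.1)          # thread's excerpt
    cat <<EOF
add check-state
add deny all from ${net}:${mask} to any in via ${oif}
add allow udp from ${net}:${mask} to any 53 out via ${oif} keep-state
add allow tcp from ${net}:${mask} to any 53 out via ${oif} setup keep-state
add deny log udp from any to any
EOF
}

# Stand-alone run: show the rules for an assumed outside interface xl0.
fw_rules "$RC_CONF" xl0
```

The ip value is resolved the same way and is where host-specific rules (for Bryan Bradsby's exposed-server category) would hang off; the rule set here stops at the anti-spoofing and DNS rules to stay checkable.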
From owner-freebsd-security Mon Feb 26 12:19:55 2001
From: Gerhard Sittig
Date: Mon, 26 Feb 2001 17:50:56 +0100
To: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Message-ID: <20010226175056.R20830@speedy.gsinet>
Organization: System Defenestrators Inc.

On Mon, Feb 26, 2001 at 10:07 +0000, Adam Laurie wrote:
>
> uname -v
> FreeBSD 4.2-RELEASE #1: Mon Feb 19 14:46:17 GMT 2001
>
> from /etc/rc.firewall:
>
> # set these to your network and netmask and ip
> net="192.0.2.0"
> mask="255.255.255.0"
> ip="192.0.2.1"
>
> update your rc.firewall and you lose your network setting.

OK, then make these fallbacks in case rc.conf doesn't have better suited values. And feed back your improvement to the project.

Alternatively wait for others to do it for you. But then don't moan when it won't happen or happens too slowly ... You can make it happen faster if you contribute.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

From owner-freebsd-security Mon Feb 26 12:49:44 2001
From: "Jonathan Slivko"
Date: Mon, 26 Feb 2001 15:49:31 -0500
To: , Bob Johnson
Subject: Re: SSH tutorial posted for comments
Message-Id: <200102261549.AA1111556740@stmail.pace.edu>

Bob,

What versions of SSH does this manual cover? Please let me know so I can review it with a little better understanding. Thanks.

-- Jonathan M. Slivko

---------- Original Message ----------------------------------
From: Bob Johnson
Date: Mon, 26 Feb 2001 09:10:32 -0500

> I've posted an SSH tutorial at
> http://www.afn.org/~ambient/sshfreebsd.html
> http://www.afn.org/~ambient/sshfreebsd.rtf
> (the RTF version has better formatting).
>
> It isn't ready for general distribution, but I'm soliciting suggestions
> for improvement.
> Once I have cleaned it up I will submit it for
> inclusion in the FreeBSD Handbook (or the Handbook maintainers can take
> it now and run with it if they want to; that's fine with me).
>
> I'm primarily interested in feedback about factual accuracy or points
> that may be confusing, rather than grammatical issues. I will probably
> make substantial changes and there isn't much point in worrying about
> details until I've done that.
>
> In any case, feedback from both beginners and experienced ssh users
> would be helpful.
>
> Thanks,
>
> - Bob

--
Jonathan M. Slivko
Global IRC Operator, AsylumNet IRC Network
website: http://webpage.pace.edu/js43064n/
"Microsoft, is that some kind of toilet paper?"

From owner-freebsd-security Mon Feb 26 12:56:37 2001
From: Chris Byrnes
Date: Mon, 26 Feb 2001 14:56:06 -0600 (CST)
To: Jonathan Slivko
Cc: , Bob Johnson
Subject: Re: SSH tutorial posted for comments
In-Reply-To: <200102261549.AA1111556740@stmail.pace.edu>

> What versions of SSH does this manual cover? Please let me know so I
> can review it with a little better understanding. Thanks. -- Jonathan
> M. Slivko

Heh. Why don't you simply go to the URL and read it? It's a basic SSH tutorial, covering SSH in general.

-Chris

From owner-freebsd-security Mon Feb 26 15:50:23 2001
From: Nick Slager
Date: Tue, 27 Feb 2001 10:50:17 +1100
To: security@freebsd.org
Subject: bugtraq inetd DoS exploit
Message-ID: <20010227105017.A74709@albury.net>

The inetd shipped with FreeBSD appears vulnerable to the inetd DoS exploit posted on bugtraq.

inetd logs the following:

Feb 27 10:23:12 host inetd[5337]: ftp/tcp server failing (looping), service terminated

System:

% uname -v
FreeBSD 4.2-STABLE #1: Fri Feb 9 11:27:05 EST 2001
nicks@lorien.slartibartfast.net:/usr/src/sys/compile/LORIEN4

As a workaround, start inetd with the -C flag.

Nick

--
Nick Slager | Quidquid latine dictum
            | sit, altum viditur.
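The two inetd limits this thread turns on, as an added Python model written for this digest rather than code from FreeBSD's inetd: the per-service rate that suspends a service for 10 minutes and produces the "server failing (looping)" syslog line quoted above, and the per-source-address limit behind the -C flag, which refuses only the client that exceeds it. The traffic is constructed, the limits 256 and 20 are illustrative, and the class and function names are my own.

```python
"""Model of the two inetd(8) invocation limits discussed in this thread.
Simplified model written for this digest, not FreeBSD's inetd source:
  * per-service limit (-R rate, or the ".N" suffix on the wait/nowait field):
    more than N spawns within a minute suspends the service for 10 minutes
    and logs "<service>/<proto> server failing (looping), service terminated";
  * per-source-address limit (-C): more than N connections per minute from
    one IP are refused, while other clients keep being served.
All traffic below is constructed; 256 and 20 are illustrative limits.
"""
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 60       # both limits are expressed per minute
SUSPEND_SECONDS = 600     # inetd(8): re-enabled automatically in 10 minutes

# Shape of the syslog line Nick quoted; useful as a log-monitoring check.
LOOPING_RE = re.compile(r"inetd\[\d+\]: (?P<service>\S+)/(?P<proto>\S+) "
                        r"server failing \(looping\), service terminated")


def parse_looping_message(line):
    """Return (service, proto) for a 'server failing (looping)' line, else None."""
    m = LOOPING_RE.search(line)
    return (m.group("service"), m.group("proto")) if m else None


class InetdService:
    """One inetd-managed TCP service with optional -R style and -C style limits."""

    def __init__(self, name, max_per_minute=None, max_per_ip_per_minute=None):
        self.name = name
        self.max_per_minute = max_per_minute       # -R / nowait.N; None = off
        self.max_per_ip = max_per_ip_per_minute    # -C;            None = off
        self.spawns = deque()                      # times of recent spawns
        self.spawns_by_ip = defaultdict(deque)     # the same, per client IP
        self.suspended_until = None
        self.log = []                              # what inetd would syslog

    @staticmethod
    def _expire(window, now):
        """Drop timestamps older than one minute from a sliding window."""
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()

    def connection(self, now, src_ip):
        """Handle one connection; returns 'served', 'refused-ip' or 'refused-suspended'."""
        if self.suspended_until is not None:
            if now < self.suspended_until:
                return "refused-suspended"
            self.suspended_until = None            # the 10 minutes are up
            self.spawns.clear()

        if self.max_per_ip is not None:            # -C: checked per client IP
            per_ip = self.spawns_by_ip[src_ip]
            self._expire(per_ip, now)
            if len(per_ip) >= self.max_per_ip:
                return "refused-ip"
            per_ip.append(now)

        self._expire(self.spawns, now)             # -R: checked per service
        self.spawns.append(now)
        if self.max_per_minute is not None and len(self.spawns) > self.max_per_minute:
            self.suspended_until = now + SUSPEND_SECONDS
            self.log.append(f"{self.name}/tcp server failing (looping), "
                            "service terminated")
            return "refused-suspended"
        return "served"


def constructed_traffic():
    """Constructed sample: one host opens 300 ftp connections in one minute
    (5 per second) while two ordinary clients each connect six times."""
    events = [(i * 0.2 + 0.1, "203.0.113.5") for i in range(300)]
    for i in range(6):
        events.append((10 * i + 1, "192.0.2.10"))
        events.append((10 * i + 5, "192.0.2.11"))
    return sorted(events)


def run(service, events):
    """Feed (time, ip) events through a service; return {ip: {outcome: n}}."""
    outcome = defaultdict(lambda: defaultdict(int))
    for t, ip in events:
        outcome[ip][service.connection(t, ip)] += 1
    return {ip: dict(counts) for ip, counts in outcome.items()}


def compare():
    """Per-service limit alone versus per-service plus per-IP limit."""
    events = constructed_traffic()
    only_r = run(InetdService("ftp", max_per_minute=256), events)
    with_c = run(InetdService("ftp", max_per_minute=256,
                              max_per_ip_per_minute=20), events)
    return only_r, with_c


if __name__ == "__main__":
    for label, result in zip(("-R 256 only", "-R 256 plus -C 20"), compare()):
        print(label, result)
```

With the per-service limit alone the flooding host takes ftp down for every client until the 10-minute suspension ends; with the per-address limit added, only the flooding host is refused and the two ordinary clients are served throughout.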
From owner-freebsd-security Mon Feb 26 15:55:10 2001
From: Adam Laurie
Date: Mon, 26 Feb 2001 23:50:42 +0000
Organization: A.L. Group plc
To: Gerhard Sittig
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/rc.firewall fixes
Message-ID: <3A9AEBD2.1E601ED9@algroup.co.uk>

Gerhard Sittig wrote:
>
> On Mon, Feb 26, 2001 at 10:07 +0000, Adam Laurie wrote:
> >
> > uname -v
> > FreeBSD 4.2-RELEASE #1: Mon Feb 19 14:46:17 GMT 2001
> >
> > from /etc/rc.firewall:
> >
> > # set these to your network and netmask and ip
> > net="192.0.2.0"
> > mask="255.255.255.0"
> > ip="192.0.2.1"
> >
> > update your rc.firewall and you lose your network setting.
>
> OK, then make these fallbacks in case rc.conf doesn't have better
> suited values. And feed back your improvement to the project.
>
> Alternatively wait for others to do it for you. But then don't
> moan when it won't happen or happens too slowly ... You can make
> it happen faster if you contribute.

kindly don't lecture me on the etiquette of open source development. if you read the archives of this list you will see that i have tried several times to contribute improvements in this particular area, and indeed offered once again to contribute my "mobile" firewall settings on this very thread. the problem here seems to be that unless the area you are trying to improve is some third party port, it is impossible to achieve consensus on what needs doing... and until we reach consensus there is little point in submitting patches.

cheers,
Adam
--
Adam Laurie                Tel: +44 (20) 8742 0755
A.L. Digital Ltd.          Fax: +44 (20) 8742 5995
Voysey House               http://www.thebunker.net
Barley Mow Passage         http://www.aldigital.co.uk
London W4 4GB              mailto:adam@algroup.co.uk
UNITED KINGDOM             PGP key on keyservers

From owner-freebsd-security Mon Feb 26 16:36:27 2001
From: Marius Strom
Date: Mon, 26 Feb 2001 18:36:21 -0600
To: security@FreeBSD.ORG
Subject: Re: bugtraq inetd DoS exploit *PFFT*
Message-ID: <20010226183621.O12721@marius.org>
This is not a "vulnerability", per se. inetd(8) will suspend a service for 10 minutes if a certain number of them are started within a certain time, hence your log message. Not to deny that it's a limited DoS condition, but it was programmed that way.

To update this on a per-service basis (say, your pop3 daemon takes lots of hits under normal traffic) do the following:

pop3    stream  tcp     nowait.384      root    /usr/local/libexec/ipop3d       ipop3d

Where 384 is the number to allow per one-minute period.

Verbatim from the ERROR MESSAGES section of the inetd(8) man page:

     The inetd server logs error messages using syslog(3).  Important error
     messages and their explanations are:

     service/protocol server failing (looping), service terminated.
     The number of requests for the specified service in the past minute
     exceeded the limit.  The limit exists to prevent a broken program or a
     malicious user from swamping the system.  This message may occur for
     several reasons:

     1.   There are many hosts requesting the service within a short time
          period.

     2.   A broken client program is requesting the service too frequently.

     3.   A malicious user is running a program to invoke the service in a
          denial-of-service attack.

     4.   The invoked service program has an error that causes clients to
          retry quickly.

     Use the -R rate option, as described above, to change the rate limit.
     Once the limit is reached, the service will be reenabled automatically
     in 10 minutes.

On Tue, Feb 27, 2001 at 10:50:17AM +1100, Nick Slager wrote:
>
> The inetd shipped with FreeBSD appears vulnerable to the inetd DoS
> exploit posted on bugtraq.
>
> inetd logs the following:
>
> Feb 27 10:23:12 host inetd[5337]: ftp/tcp server failing (looping), service terminated
>
> System:
>
> % uname -v
> FreeBSD 4.2-STABLE #1: Fri Feb 9 11:27:05 EST 2001
> nicks@lorien.slartibartfast.net:/usr/src/sys/compile/LORIEN4
>
> As a workaround, start inetd with the -C flag.
>
>
> Nick
>
> --
> Nick Slager | Quidquid latine dictum
>             | sit, altum viditur.

--
Marius Strom
Professional Geek/Unix System Administrator
URL: http://www.marius.org/
http://www.marius.org/marius.pgp 0x55DE53E4
"Never underestimate the bandwidth of a mini-van full of DLT tapes traveling down the highway at 65 miles per hour..." -Andrew Tanenbaum, "Computer Networks"

From owner-freebsd-security Mon Feb 26 16:52: 1 2001
From: Nick Slager
Date: Tue, 27 Feb 2001 11:51:51 +1100
To: Marius Strom
Cc: security@FreeBSD.ORG
Subject: Re: bugtraq inetd DoS exploit *PFFT*
Message-ID: <20010227115151.A85764@albury.net>

Thus spake Marius Strom (marius@marius.org):
> On Tue, Feb 27, 2001 at 10:50:17AM +1100, Nick Slager wrote:
> >
> > The inetd shipped with FreeBSD appears vulnerable to the inetd DoS
> > exploit posted on bugtraq.
> >
> > ...
> >
> > As a workaround, start inetd with the -C flag.
>
> This is not a "vulnerability", per se. inetd(8) will suspend a service
> for 10 minutes if a certain number of them are started within a certain
> time, hence your log message. Not to deny that it's a limited DoS
> condition, but it was programmed that way.
>
> To update this on a per-service basis (say, your pop3 daemon takes lots
> of hits under normal traffic) do the following:

[ snip inetd.conf entry and man page quote ]

erm, thanks, I do realise this. The advantage of the -C flag is being able to specify the maximum number of times a given service can be invoked from a single IP, ensuring services are still available for other clients.

Nick

--
Nick Slager      | Quidquid latine dictum
nicks@albury.net | sit, altum viditur.

From owner-freebsd-security Tue Feb 27 0:54:22 2001
From: jeff
Date: Tue, 27 Feb 2001 10:54:25 +0200
Subject: vlan
To: security@freebsd.org
Message-ID: <9185502756.20010227105425@technobank.com.by>
In-Reply-To: <3A9A63D8.D6C8881F@eng.ufl.edu>

hi!

i strongly need to set up vlan on my freebsd-box but unfortunately i can't find any clear instruction how to do it. there is a lot of hearsay that it is already impossible.

so, can anybody help me?

thanks,

Dmitry

From owner-freebsd-security Tue Feb 27 0:58:32 2001
From: Olivier Nicole
Date: Tue, 27 Feb 2001 15:58:15 +0700 (ICT)
To: shupilov@technobank.com.by
Cc: security@FreeBSD.ORG
Subject: Re: vlan
Message-Id: <200102270858.PAA14543@banyan.cs.ait.ac.th>

Well, as I once heard a guy saying in a seminar about security, if you plan to deal with security, do NOT use vlan.

Vlan's only goal is to prevent broadcast packets from leaking to every interface. Vlan should not be trusted beyond that.

So maybe security list is not the best place to ask :)

Olivier

> i strongly need to set up vlan on my freebsd-box
> but unfortunately i can't find any clear instruction how to do it
> there is a lot of hearsay that it is already impossible

From owner-freebsd-security Tue Feb 27 10: 5:44 2001
From: Spades
Date: Wed, 28 Feb 2001 02:14:31 +0800
To: freebsd-security@freebsd.org
Subject: Re: firewall
Message-Id: <3.0.32.20010228021431.0194bdd0@smtp.magix.com.sg>

I need some opinion on which firewall to obtain as I am setting up a new VPN and network router connecting 8 servers in the office on my DS3 line. Please advise which kind of software or hardware I should be needing, and also preferably not too expensive ones :)

P.S. The purpose is protection against intruders and DDoS attack attempts: filters, alarm system, detection, logging etc.
Thanks.

cheerios,
Spades.

From owner-freebsd-security Tue Feb 27 10:14:38 2001
From: Brooks Davis
Date: Tue, 27 Feb 2001 10:14:16 -0800
To: Olivier Nicole
Cc: shupilov@technobank.com.by, security@FreeBSD.ORG
Subject: Re: vlan
Message-ID: <20010227101416.B27373@Odin.AC.HMC.Edu>

On Tue, Feb 27, 2001 at 03:58:15PM +0700, Olivier Nicole wrote:
> Well, as I once heard a guy saying in a seminar about security, if you
> plan to deal with security, do NOT use vlan.
>
> Vlan's only goal is to prevent broadcast packets from leaking to every
> interface. Vlan should not be trusted beyond that.
>
> So maybe security list is not the best place to ask :)

This is not really accurate. While there are a number of implementations out there with this problem, modern vlan implementations are intended to be fully secure. For instance, Cisco intends their VLANs in conjunction with 802.1X (or a similar proprietary protocol) to allow things like having a visitor be able to plug their laptop in to get internet access but not end up behind the local firewall, while an employee could plug their laptop into the same port and have local access. Cisco implements this switching functionality at the ASIC level.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Tue Feb 27 14:23:49 2001
From: George.Giles@mcmail.vanderbilt.edu
Date: Tue, 27 Feb 2001 16:22:33 -0600
To: freebsd-security@freebsd.org
Subject: ftp access

What do I use in passwd to allow ftp, but not shell access on account?
From owner-freebsd-security Tue Feb 27 14:40:19 2001
From: Rob Simmons
Date: Tue, 27 Feb 2001 17:38:58 -0500 (EST)
Subject: Re: ftp access

/sbin/nologin as the user's shell. You also have to add this shell to /etc/shells.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Tue, 27 Feb 2001 George.Giles@mcmail.vanderbilt.edu wrote:
> What do I use in passwd to allow ftp, but not shell access on account ?

From owner-freebsd-security Tue Feb 27 14:40:51 2001
From: Steve Ames
Date: Tue, 27 Feb 2001 17:39:23 -0500
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
Message-ID: <20010227173923.A36303@virtual-voodoo.com>

Specify a "shell" that won't actually allow shell access. I believe /bin/true (or /sbin/nologin) would work but there are some specific ports that you can use to provide some info to the user when their telnet fails...

From /usr/ports/sysutils/no-login/pkg-descr:

    This program will refuse login to a user, and make a note of it in
    the system logs (syslog). This is suitable for use as a "login shell"
    for a user that you want to temporarily deny access to. Just set that
    user's shell to /usr/local/sbin/nologin.

-Steve

On Tue, Feb 27, 2001 at 04:22:33PM -0600, George.Giles@mcmail.vanderbilt.edu wrote:
> What do I use in passwd to allow ftp, but not shell access on account ?

From owner-freebsd-security Tue Feb 27 14:55:34 2001
From: Brooks Davis
Date: Tue, 27 Feb 2001 14:55:12 -0800
To: Rob Simmons
Cc: George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
Message-ID: <20010227145512.A13920@Odin.AC.HMC.Edu>

On Tue, Feb 27, 2001 at 05:38:58PM -0500, Rob Simmons wrote:
> /sbin/nologin as the user's shell. You also have to add this shell to
> /etc/shells

If you do this be sure to keep users from being able to access the system via ssh. Otherwise they can just use ssh to spawn a shell for themselves:

ssh -t /bin/sh

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --ZPt4rx8FFjLCG7dd Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6nDBPXY6L6fI4GtQRAnBXAJ4/tzKot7bBL6yX4lCwWvaDl+w7/wCg1s/g 6gcs33Qyb7kKHw06b16JC+c= =f9fi -----END PGP SIGNATURE----- --ZPt4rx8FFjLCG7dd-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 27 15: 2: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id D6E7437B718 for ; Tue, 27 Feb 2001 15:01:55 -0800 (PST) (envelope-from traviso@RapidNet.com) Received: from localhost (traviso@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id QAA08186; Tue, 27 Feb 2001 16:01:31 -0700 (MST) Date: Tue, 27 Feb 2001 16:01:31 -0700 (MST) From: "Travis [Admin Team]" To: Brooks Davis Cc: Rob Simmons , George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG Subject: Re: ftp access In-Reply-To: <20010227145512.A13920@Odin.AC.HMC.Edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 27 Feb 2001, Brooks Davis wrote: > If you do this be sure to keep users from being able to access the system > via ssh. Otherwise they can just use ssh to spawn a shell for themselves: > > ssh -t /bin/sh Course I believe you disable it with a -T doncha? >;) Travis /* -=[ Travis Ogden ]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= RapidNet Admin Team "Courage is not defined by those who Phone#: 605.341.3283 fought and did not fall, but by those ICQ#: 30220771 who fought, fell, and rose again." Mail: traviso@RapidNet.com Fax#: 605.348.1031 Web: www.RapidNet.com/~traviso 800#: 800.763.2525 ATTENTION! 
"RapidNet has moved to 330 Knollwood Drive, Rapid City, SD 57701." -=-=-=-=-=-=-=-=-=-=-=-=-=-[ traviso@rapidnet.com ]=-=-=-=-= */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Feb 27 15:11: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id C088137B71B for ; Tue, 27 Feb 2001 15:10:54 -0800 (PST) (envelope-from brdavis@odin.ac.hmc.edu) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f1RNAjv22898; Tue, 27 Feb 2001 15:10:45 -0800 Date: Tue, 27 Feb 2001 15:10:44 -0800 From: Brooks Davis To: "Travis [Admin Team]" Cc: Rob Simmons , George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG Subject: Re: ftp access Message-ID: <20010227151044.A21523@Odin.AC.HMC.Edu> References: <20010227145512.A13920@Odin.AC.HMC.Edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="YZ5djTAD1cGYuMQK" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: ; from traviso@RapidNet.com on Tue, Feb 27, 2001 at 04:01:31PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --YZ5djTAD1cGYuMQK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Feb 27, 2001 at 04:01:31PM -0700, Travis [Admin Team] wrote: > On Tue, 27 Feb 2001, Brooks Davis wrote: >=20 > > If you do this be sure to keep users from being able to access the syst= em > > via ssh. Otherwise they can just use ssh to spawn a shell for themselv= es: > >=20 > > ssh -t /bin/sh >=20 > Course I believe you disable it with a -T doncha? >;) I'm afraid I don't see your point. 
It's true that -T is the opposite of -t for the ssh client, but that doesn't
have anything to do with the fact that any user with a valid username and
password can get a shell via ssh unless you don't allow them to run ANYTHING
via sshd.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Tue Feb 27 18:04:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elisa.utopianet.net (elisa.utopianet.net [212.210.231.2]) by hub.freebsd.org (Postfix) with ESMTP id 2B5D837B719 for ; Tue, 27 Feb 2001 18:04:50 -0800 (PST) (envelope-from rlucia@iscanet.com)
Received: from merlino.iscanet.com (root@[217.59.173.229]) by elisa.utopianet.net (8.9.1a/8.9.1) with ESMTP id DAA06967; Wed, 28 Feb 2001 03:04:35 +0100 (CET)
Received: from [10.0.1.5] (adsl-156-135.38-151.net24.it [151.38.135.156]) (authenticated) by merlino.iscanet.com (8.11.2/8.11.2) with ESMTP id f1S24vh45674; Wed, 28 Feb 2001 03:04:58 +0100 (CET) (envelope-from rlucia@iscanet.com)
Mime-Version: 1.0
X-Sender: rluciamac@imap.iscanet.com (Unverified)
Message-Id:
In-Reply-To: <9185502756.20010227105425@technobank.com.by>
References: <3A9A63D8.D6C8881F@eng.ufl.edu> <9185502756.20010227105425@technobank.com.by>
Date: Wed, 28 Feb 2001 03:04:41 +0100
To: jeff, security@FreeBSD.ORG
From: Rocco Lucia
Subject: Re: vlan
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:54 +0200 27-02-2001, jeff wrote:
> hi!
>
> I strongly need to set up vlan on my freebsd-box
> but unfortunately I can't find any clear instruction on how to do it.
> There is a lot of hearsay that it is already impossible.
>
> so, can anybody help me?
>
> thanks,
>
> Dmitry
>

First you should add:

    pseudo-device vlan ... see LINT

to your kernel configuration. Then you can use ifconfig to set your virtual
vlan interfaces bound to the physical one/s.

Assume you have xl0 physical interface and you want to set up 2 vlans on it
(VLAN ID 1, VLAN ID 2); you configure interfaces with:

    ifconfig vlan0 inet 10.0.0.1 netmask 0xffffff00 vlan 2 vlandev xl0

and

    ifconfig vlan1 inet 10.0.1.1 netmask 0xffffff00 vlan 3 vlandev xl0

And you'll be set. Just remember to set up your network switch accordingly
(e.g. allowing those vlan tags on the port).

As for the link0 flag the ifconfig(8) manpage talks about, you should set it
if your card supports vlan tags on its own, so the physical interface driver
will do the thing. I think just the Alteon ti(4) driver supports it.

Have a nice 802.1Q'ing :-)

--
Rocco Lucia - rlucia@iscanet.com
Iscanet Internet Services        http://elisa.utopianet.net/~rlucia
System and Network Admin
C6E6 AC9A 1361 FB38 B47A 2792 9FC4 C52F 7A68 4468
Free unices for a free world. Support *BSD.
From owner-freebsd-security Tue Feb 27 18:18:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cx420564-b.tucson1.az.home.com (cx420564-b.tucson1.az.home.com [24.21.112.225]) by hub.freebsd.org (Postfix) with ESMTP id E467837B71A for ; Tue, 27 Feb 2001 18:18:53 -0800 (PST) (envelope-from fracture@cx420564-b.tucson1.az.home.com)
Received: (from fracture@localhost) by cx420564-b.tucson1.az.home.com (8.11.1/8.11.1) id f1RJAkt56761 for freebsd-security@freebsd.org; Tue, 27 Feb 2001 19:10:46 GMT (envelope-from fracture)
Date: Tue, 27 Feb 2001 19:09:26 +0000
From: Jordan DeLong
To: freebsd-security@freebsd.org
Subject: [fracture@allusion.net: Re: ftp access]
Message-ID: <20010227190926.A56448@cx420564-b.tucson1.az.home.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dangit. My muttrc is broke, heheh. I meant to reply this to the list.

----- Forwarded message from Jordan DeLong -----

From: Jordan DeLong
To: Rob Simmons
Subject: Re: ftp access

On Tue, Feb 27, 2001 at 05:38:58PM -0500, Rob Simmons wrote:
> /sbin/nologin as the user's shell. You also have to add this shell to
> /etc/shells
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>

Maybe I did this one wrong, but I had to set this up way back when: I made
a /usr/local/sbin/ftponlylogin that's exactly like /sbin/nologin. That way
I could add the ftponlylogin to /etc/shells (so ftp'll allow logins) and
still have /sbin/nologin on my other accounts not allow logins at all.

-Jordan

----- End forwarded message -----

From owner-freebsd-security Tue Feb 27 18:19:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elisa.utopianet.net (elisa.utopianet.net [212.210.231.2]) by hub.freebsd.org (Postfix) with ESMTP id 1EAD237B718 for ; Tue, 27 Feb 2001 18:19:39 -0800 (PST) (envelope-from rlucia@iscanet.com)
Received: from merlino.iscanet.com (root@[217.59.173.229]) by elisa.utopianet.net (8.9.1a/8.9.1) with ESMTP id DAA07362; Wed, 28 Feb 2001 03:19:25 +0100 (CET)
Received: from [10.0.1.5] (adsl-156-135.38-151.net24.it [151.38.135.156]) (authenticated) by merlino.iscanet.com (8.11.2/8.11.2) with ESMTP id f1S2Jmh46003; Wed, 28 Feb 2001 03:19:49 +0100 (CET) (envelope-from rlucia@iscanet.com)
Mime-Version: 1.0
X-Sender: rluciamac@imap.iscanet.com (Unverified)
Message-Id:
In-Reply-To:
References: <3A9A63D8.D6C8881F@eng.ufl.edu> <9185502756.20010227105425@technobank.com.by>
Date: Wed, 28 Feb 2001 03:19:32 +0100
To: jeff, security@FreeBSD.ORG
From: Rocco Lucia
Subject: Re: vlan
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> vlans on it (VLAN ID 1, VLAN ID 2), you configure interfaces with:

Of course I meant to write VLAN ID 2 and VLAN ID 3, sorry :-)

--
Rocco Lucia - rlucia@iscanet.com
Iscanet Internet Services        http://elisa.utopianet.net/~rlucia
System and Network Admin
C6E6 AC9A 1361 FB38 B47A 2792 9FC4 C52F 7A68 4468
Free unices for a free world. Support *BSD.
From owner-freebsd-security Tue Feb 27 20:22:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from grok.example.net (a0g1355ly34tj.bc.hsia.telus.net [216.232.252.235]) by hub.freebsd.org (Postfix) with ESMTP id DEC7537B718 for ; Tue, 27 Feb 2001 20:22:15 -0800 (PST) (envelope-from sreid@sea-to-sky.net)
Received: by grok.example.net (Postfix, from userid 1000) id 444A8213397; Tue, 27 Feb 2001 20:21:45 -0800 (PST)
Date: Tue, 27 Feb 2001 20:21:45 -0800
From: Steve Reid
To: Brooks Davis
Cc: Rob Simmons, George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
Message-ID: <20010227202145.A31471@grok.bc.hsia.telus.net>
References: <20010227145512.A13920@Odin.AC.HMC.Edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <20010227145512.A13920@Odin.AC.HMC.Edu>; from Brooks Davis on Tue, Feb 27, 2001 at 02:55:12PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Feb 27, 2001 at 02:55:12PM -0800, Brooks Davis wrote:
> If you do this be sure to keep users from being able to access the system
> via ssh. Otherwise they can just use ssh to spawn a shell for themselves:
> ssh -t /bin/sh

Are you certain about this?

I tried this on a 4.1.1-R box I operate and it didn't let me in. The box is
set up with the ftp login shell set to "/nonexistent/ftponly", which is
listed in /etc/shells but does not exist. I suspect sshd is trying to use
the login shell to execute the supplied command, which will fail if the
login shell doesn't exist.

Either I'm not doing it right, or other ssh/sshd combinations are different,
or you're wrong about it being possible.
From owner-freebsd-security Tue Feb 27 20:47:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 0880B37B718 for ; Tue, 27 Feb 2001 20:47:33 -0800 (PST) (envelope-from roelof@eboa.com)
Received: from eboa.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id FAA32244; Wed, 28 Feb 2001 05:47:16 +0100 (CET) (envelope-from roelof@eboa.com)
Message-ID: <3A9C82D4.F1705B4@eboa.com>
Date: Wed, 28 Feb 2001 05:47:16 +0100
From: Roelof Osinga
Organization: eBOA - Programming the Web
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Rob Simmons
Cc: George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
References:
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Rob Simmons wrote:
>
> /sbin/nologin as the user's shell. You also have to add this shell to
> /etc/shells

Alas, no.

Not on 4.2 anyway. Just today - ok, technically yesterday, but who's
counting? - I realized that the client was right after all. He could not
log in indeed. Due to /sbin/nologin.

When using regular ftpd. Using ProFTPd no problem.

Ah, as a matter of fact, I was using inetd. Haven't tried daemon mode with
4.2 yet. Who knows? There might be hope, still.

Roelof

--
-----------------------------------------------------------------------
EBOA web.                http://EBOA.com/
P.O. Box 55              mail info@EBOA.com
Weerd 24                 est. 1982
8900 AB Leeuwarden       tel. +31-58-2123014
The Netherlands          fax. +31-58-2160293

From owner-freebsd-security Tue Feb 27 20:53:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shell.i-sphere.com (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id B517537B71C for ; Tue, 27 Feb 2001 20:53:17 -0800 (PST) (envelope-from fasty@shell.i-sphere.com)
Received: (from fasty@localhost) by shell.i-sphere.com (8.11.2/8.11.1) id f1S50w426213 for freebsd-security@freebsd.org; Tue, 27 Feb 2001 21:00:58 -0800 (PST) (envelope-from fasty)
Date: Tue, 27 Feb 2001 21:00:58 -0800
From: faSty
To: freebsd-security@freebsd.org
Subject: concerned about apache 1.3.17
Message-ID: <20010227210058.A26164@i-sphere.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi there,

I am not sure if this is a security concern. I am getting a lot of errors
spawned in httpd's error LOG. Has anyone experienced this kind of problem
with these errors? I need help with how to trace where the errors originate.
Any tips would be appreciated.
sample --

[Tue Feb 27 20:49:51 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:49:58 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:49:59 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:03 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:05 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:07 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:10 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:10 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:11 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:11 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:11 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:12 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:13 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:14 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:14 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:21 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:21 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:22 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:22 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:24 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:25 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:29 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:29 2001] [error] (54)Connection reset by peer: getsockname
[Tue Feb 27 20:50:31 2001] [error] (54)Connection reset by peer: getsockname

-- end sample

thanks,
-trev
From owner-freebsd-security Tue Feb 27 21:29:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cc762335-a.ebnsk1.nj.home.com (cc762335-a.ebnsk1.nj.home.com [24.3.219.36]) by hub.freebsd.org (Postfix) with SMTP id F2F1D37B718 for ; Tue, 27 Feb 2001 21:29:30 -0800 (PST) (envelope-from damascus@home.com)
Received: (qmail 81900 invoked from network); 28 Feb 2001 05:29:39 -0000
Received: from athena.faerunhome.com (HELO athena) (192.168.0.2) by cc762335-a.ebnsk1.nj.home.com with SMTP; 28 Feb 2001 05:29:39 -0000
Message-Id: <4.2.2.20010228002521.00c58340@netmail.home.com>
X-Sender: damascus@netmail.home.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Wed, 28 Feb 2001 00:30:30 -0500
To: Roelof Osinga
From: Carroll Kong
Subject: Re: ftp access
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <3A9C82D4.F1705B4@eboa.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 05:47 AM 2/28/01 +0100, Roelof Osinga wrote:
> Rob Simmons wrote:
> >
> > /sbin/nologin as the user's shell. You also have to add this shell to
> > /etc/shells
>
> Alas, no.
>
> Not on 4.2 anyway. Just today - ok, technically yesterday, but who's
> counting? - I realized that the client was right after all. He could
> not log in indeed. Due to /sbin/nologin.
>
> When using regular ftpd. Using ProFTPd no problem.
>
> Ah, as a matter of fact, I was using inetd. Haven't tried
> daemon mode with 4.2 yet. Who knows? There might be hope, still.
>
> Roelof

That is odd. The reason why ftpd does not work is because........ man ftpd
shows

     4.   The user must have a standard shell returned by getusershell(3).

So, man getusershell shows

     The getusershell() function returns a pointer to a legal user shell as
     defined by the system manager in the file /etc/shells. If /etc/shells is
     unreadable or does not exist, getusershell() behaves as if /bin/sh and
     /bin/csh were listed in the file.

This is very odd, unless I am forgetting something I did, I JUST did this
with a client two days ago on 4.2-STABLE. Telnet results in "not authorized"
or something like that, and ftpd lets them in happily. Same user name and
all. Please look it over, I am outright positive it works! (ok, maybe
99.99999% sure). What is the error message? User denied? Check man ftpd for
that list of "reasons why ftpd would tell your user to go away".

-Carroll Kong

From owner-freebsd-security Tue Feb 27 21:52:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.unila.ac.id (ns1.unila.ac.id [202.158.47.162]) by hub.freebsd.org (Postfix) with SMTP id 14BB837B71D for ; Tue, 27 Feb 2001 21:51:50 -0800 (PST) (envelope-from riki@maiser.unila.ac.id)
Received: (qmail 1720 invoked from network); 28 Feb 2001 05:54:11 -0000
Received: from maiser.unila.ac.id (192.168.1.2) by ns1.unila.ac.id with SMTP; 28 Feb 2001 05:54:11 -0000
Received: from localhost (riki@localhost) by maiser.unila.ac.id (8.9.3/8.9.3) with ESMTP id MAA60460; Wed, 28 Feb 2001 12:49:55 +0700 (JAVT) (envelope-from riki@maiser.unila.ac.id)
Date: Wed, 28 Feb 2001 12:49:54 +0700 (JAVT)
From: Q Yai QQ
To: Carroll Kong
Cc: Roelof Osinga, freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
In-Reply-To: <4.2.2.20010228002521.00c58340@netmail.home.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi guys,

I tried to do chpass on the user's shell, to change his shell to
/sbin/nologin. It worked, but when I get access via ftp the server does not
allow me; just for a second I get in, then it disconnects very fast.
What's wrong?

Thanks for your response.
riki@unila.ac.id
visit my homepage and sign my guestbook
http://unilanet.unila.ac.id/~qq

From owner-freebsd-security Tue Feb 27 22:21:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id E480337B719 for ; Tue, 27 Feb 2001 22:21:10 -0800 (PST) (envelope-from roelof@eboa.com)
Received: from eboa.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id HAA32615; Wed, 28 Feb 2001 07:21:05 +0100 (CET) (envelope-from roelof@eboa.com)
Message-ID: <3A9C98D1.C6919F6@eboa.com>
Date: Wed, 28 Feb 2001 07:21:05 +0100
From: Roelof Osinga
Organization: eBOA - Programming the Web
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Carroll Kong
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
References: <4.2.2.20010228002521.00c58340@netmail.home.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Carroll Kong wrote:
>
> > ...
> > Not on 4.2 anyway. Just today - ok, technically yesterday, but who's
> > counting? - I realized that the client was right after all. He could
> > not log in indeed. Due to /sbin/nologin.
> >
> > When using regular ftpd. Using ProFTPd no problem.
> >
> > Ah, as a matter of fact, I was using inetd. Haven't tried
> > daemon mode with 4.2 yet. Who knows? There might be hope, still.
>
> That is odd. The reason why ftpd does not work is because........ man ftpd
> shows
>
>      4.   The user must have a standard shell returned by getusershell(3).
>
> So, man getusershell shows
>
>      The getusershell() function returns a pointer to a legal user shell as
>      defined by the system manager in the file /etc/shells. If /etc/shells is
>      unreadable or does not exist, getusershell() behaves as if /bin/sh and
>      /bin/csh were listed in the file.
>
> This is very odd, unless I am forgetting something I did, I JUST
> did this with a client two days ago on 4.2-STABLE. Telnet results in "not
> authorized" or something like that, and ftpd lets them in happily. Same
> user name and all. Please look it over, I am outright positive it
> works! (ok, maybe 99.99999% sure). What is the error message? User
> denied? Check man ftpd for that list of "reasons why ftpd would tell your
> user to go away".

You tellin' me. Here:

nl:~/bin# tail -n 1 /etc/passwd
tunicum:*:2002:2002:BWH Ontwerpers:/home/intraction/tunicum:/usr/local/bin/bash

Works. Yet:

nl:~/bin# tail -n 1 /etc/passwd
tunicum:*:2002:2002:BWH Ontwerpers:/home/intraction/tunicum:/sbin/nologin

Does not. As to error msgs. Well...:

nisser:/home/www/Slak$ ftp tunicum.nl
Connected to tunicum.nl.
220 nl.nisser.com FTP server (Version 6.00LS) ready.
Name (tunicum.nl:roelof): tunicum
530 User tunicum access denied.
ftp: Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
nisser:/home/www/Slak$

The 530 should be indicative enough. But for the non-believers I could be
convinced to draw a diagram ;). Present company excepted, of course. Not
that I would not be willing to draw a diagram for you, mind; just that I
think/hope it would not be needed!

But, for the record, back to step 1:

nisser:/home/www/Slak$ ftp tunicum.nl
Connected to tunicum.nl.
220 nl.nisser.com FTP server (Version 6.00LS) ready.
Name (tunicum.nl:roelof): tunicum
331 Password required for tunicum.
Password:
230 User tunicum logged in, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 14
-rw-------  1 2002  2002  371 Feb 28 00:21 .bash_history
-rw-r--r--  1 2002  2002  100 Feb 26 20:58 .bash_profile
-rw-r--r--  1 2002  2002  628 Feb 26 20:58 .cshrc
-rw-r--r--  1 2002  2002  299 Feb 26 20:58 .login
-rw-r--r--  1 2002  2002  160 Feb 26 20:58 .login_conf
-rw-------  1 2002  2002  371 Feb 26 20:58 .mail_aliases
-rw-r--r--  1 2002  2002  331 Feb 26 20:58 .mailrc
drwxr-xr-x  2 2002  2002  512 Feb 26 20:58 .mutt
-rw-r--r--  1 2002  2002  722 Feb 26 20:58 .profile
-rw-------  1 2002  2002  276 Feb 26 20:58 .rhosts
-rw-r--r--  1 2002  2002  852 Feb 26 20:58 .shrc
drwx------  4 2002  2002  512 Feb 26 20:58 Mail
drwxr-xr-x  2 2002  2002  512 Feb 26 20:58 vmail
drwxr-xr-x  4 2002  2002  512 Feb 28 00:12 www
226 Transfer complete.
ftp> bye
221 Goodbye.
nisser:/home/www/Slak$

As you can see, a lot more ASCII than before. But don't let me interrupt
you. You were saying "maybe 99.99999% sure"... . Ok, so how about that
0.00001% you were not sure about? ;)

I agree, this isn't supposed to happen. But that's the story of my life.
Yet I *am* alive! So, there you go.

Roelof

PS this is also a boon I would like to ask of the powers that be. I.e. to
do 'as if' the "tunicum.nl" 'is it'. I.e. not to give the reverse DNS but
just accept on face value. Marks love that kind of thing ;). To put a fine
point on it:

Connected to tunicum.nl.
220 nl.nisser.com

ought to read:

220 tunicum.nl (yada, yada)

Given the right startup parameters, naturally. Just to appease fine-honed
sensitivities.

PPS in case that it matters... I'm using :ftpchrooted: or some sort of
thing in login.conf for these classes.
--
It's a dog's world @ http://cairni.com/

From owner-freebsd-security Tue Feb 27 23:56:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from klapaucius.zer0.org (klapaucius.zer0.org [204.152.186.45]) by hub.freebsd.org (Postfix) with ESMTP id 7C86F37B71A for ; Tue, 27 Feb 2001 23:56:07 -0800 (PST) (envelope-from gsutter@zer0.org)
Received: by klapaucius.zer0.org (Postfix, from userid 1001) id 3822C239A4A; Tue, 27 Feb 2001 23:56:07 -0800 (PST)
Date: Tue, 27 Feb 2001 23:56:07 -0800
From: Gregory Sutter
To: Bob Johnson
Cc: security@freebsd.org
Subject: Re: SSH tutorial posted for comments
Message-ID: <20010227235607.W656@klapaucius.zer0.org>
References: <3A9A63D8.D6C8881F@eng.ufl.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3A9A63D8.D6C8881F@eng.ufl.edu>; from bob@eng.ufl.edu on Mon, Feb 26, 2001 at 09:10:32AM -0500
Organization: daemonnews
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2001-02-26 09:10 -0500, Bob Johnson wrote:
> I've posted an SSH tutorial at
> http://www.afn.org/~ambient/sshfreebsd.html
> http://www.afn.org/~ambient/sshfreebsd.rtf
> (the RTF version has better formatting).
>
> It isn't ready for general distribution, but I'm soliciting suggestions
> for improvement. Once I have cleaned it up I will submit it for
> inclusion in the FreeBSD Handbook (or the Handbook maintainers can take
> it now and run with it if they want to; that's fine with me).

Actually, I'd like to see it as a feature in Daemon News. Are you interested
in having it published there? You retain all rights to your work, so after
we published it you could certainly submit it for the Handbook.

http://www.daemonnews.org/

Greg
--
Gregory S. Sutter                      My reality check just bounced.
mailto:gsutter@daemonnews.org
hkp://wwwkeys.pgp.net/0x845DFEDD

From owner-freebsd-security Wed Feb 28 00:02:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from comp.chem.msu.su (comp.chem.msu.su [158.250.32.157]) by hub.freebsd.org (Postfix) with ESMTP id BEE9037B71A for ; Wed, 28 Feb 2001 00:02:32 -0800 (PST) (envelope-from jen@comp.chem.msu.su)
Received: (from jen@localhost) by comp.chem.msu.su (8.11.1/8.11.1) id f1S81wh19310; Wed, 28 Feb 2001 11:01:58 +0300 (MSK) (envelope-from jen)
Date: Wed, 28 Feb 2001 11:01:58 +0300
From: Jen Linkova
To: Rocco Lucia
Cc: jeff, security@FreeBSD.ORG
Subject: Re: vlan
Message-ID: <20010228110158.A16617@comp.chem.msu.su>
References: <3A9A63D8.D6C8881F@eng.ufl.edu> <9185502756.20010227105425@technobank.com.by>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rlucia@iscanet.com on Wed, Feb 28, 2001 at 03:04:41AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi!

On Wed, Feb 28, 2001 at 03:04:41AM +0100, Rocco Lucia wrote:
> > I strongly need to set up vlan on my freebsd-box
> > but unfortunately I can't find any clear instruction on how to do it
>
> first you should add:
> pseudo-device vlan ... see LINT
> to your kernel configuration.

Hmm... I'm afraid he will find nothing..

jen@comp:/usr/src/sys/i386/conf>grep vlan LINT
jen@comp:/usr/src/sys/i386/conf>uname -a
FreeBSD comp.chem.msu.su 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Thu Nov 30 20:06:23...

> Then you can use ifconfig to set your virtual vlan interfaces
> bound to the physical one/s.
> ifconfig vlan0 inet 10.0.0.1 netmask 0xffffff00 vlan 2 vlandev xl0

And remember: xl0 must be UP at this time!
(FreeBSD 4*, AFAIR) (http://www.FreeBSD.org/cgi/query-pr.cgi?pr=22179)

And one more thing - using vlan, we can get trouble with MTU and need to
apply a patch to the interface driver. (Related discussions can be found in
the mailing list archive.)

SY, Jen aka Furry
### I tell you: all done, all done, tomorrow we'll be there! ###

From owner-freebsd-security Wed Feb 28 00:08:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id AB43B37B719 for ; Wed, 28 Feb 2001 00:08:05 -0800 (PST) (envelope-from emechler@radix.cryptio.net)
Received: (from emechler@localhost) by radix.cryptio.net (8.11.0/8.11.0) id f1S87ch29754; Wed, 28 Feb 2001 00:07:38 -0800 (PST)
Date: Wed, 28 Feb 2001 00:07:38 -0800
From: Erick Mechler
To: Jen Linkova
Cc: security@FreeBSD.ORG
Subject: Re: vlan
Message-ID: <20010228000737.F29533@techometer.net>
References: <3A9A63D8.D6C8881F@eng.ufl.edu> <9185502756.20010227105425@technobank.com.by> <20010228110158.A16617@comp.chem.msu.su>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010228110158.A16617@comp.chem.msu.su>; from Jen Linkova on Wed, Feb 28, 2001 at 11:01:58AM +0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:: Hmm... I'm afraid he will find nothing..
:: jen@comp:/usr/src/sys/i386/conf>grep vlan LINT
:: jen@comp:/usr/src/sys/i386/conf>uname -a
:: FreeBSD comp.chem.msu.su 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Thu Nov 30 20:06:23...

Your source is a bit out of date... it's in there now:

[emechler@lucifer /]$ grep vlan sys/i386/conf/LINT
pseudo-device   vlan    1       #VLAN support
[emechler@lucifer /]$ uname -a
FreeBSD lucifer.techometer.net 4.2-STABLE FreeBSD 4.2-STABLE #2: Thu Feb 22 15:22:23 PST 2001

--Erick

From owner-freebsd-security Wed Feb 28 00:10:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mr200.netcologne.de (mr200.netcologne.de [194.8.194.109]) by hub.freebsd.org (Postfix) with ESMTP id 151E337B71C for ; Wed, 28 Feb 2001 00:10:12 -0800 (PST) (envelope-from pherman@frenchfries.net)
Received: from husten.security.at12.de (dial-213-168-88-186.netcologne.de [213.168.88.186]) by mr200.netcologne.de (Mirapoint) with ESMTP id ABW40742; Wed, 28 Feb 2001 09:10:08 +0100 (CET)
Received: from localhost (localhost.security.at12.de [127.0.0.1]) by husten.security.at12.de (8.11.2/8.11.2) with ESMTP id f1S89oi39528; Wed, 28 Feb 2001 09:09:50 +0100 (CET) (envelope-from pherman@frenchfries.net)
Date: Wed, 28 Feb 2001 09:09:49 +0100 (CET)
From: Paul Herman
To: Steve Reid
Cc: Brooks Davis, Rob Simmons, ,
Subject: ssh -t /bin/sh trick (was Re: ftp access)
In-Reply-To: <20010227202145.A31471@grok.bc.hsia.telus.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Feb 2001, Steve Reid wrote:

> On Tue, Feb 27, 2001 at 02:55:12PM -0800, Brooks Davis wrote:
> > If you do this be sure to keep users from being able to access the system
> > via ssh. Otherwise they can just use ssh to spawn a shell for themselves:
> > ssh -t /bin/sh
>
> Are you certain about this?
>
> I tried this on a 4.1.1-R box I operate and it didn't let me in. The
> box is set up with the ftp login shell set to "/nonexistent/ftponly",
> which is listed in /etc/shells but does not exist.
This behaviour has changed over the years, which is why there are two
conflicting reports. I remember the days (FreeBSD 2.2.6, or so, using ssh
from ssh.com) of having to write a small script in /etc/sshrc which checks
for invalid shells to prevent what Brooks was describing. Back then, it
*did* work.

Now (at least with OpenSSH_2_3_0), that trick doesn't work anymore. Don't
know when/where/in which version this changed, but my inkling is that PAM
is the culprit.

-Paul.

From owner-freebsd-security Wed Feb 28 00:23:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cleopatra.aha.ru (cleopatra.zenon.net [195.2.72.69]) by hub.freebsd.org (Postfix) with ESMTP id 3E8E837B71B for ; Wed, 28 Feb 2001 00:23:23 -0800 (PST) (envelope-from mdh@zenon.net)
Received: from [195.2.69.76] (HELO zenon.net) by cleopatra.aha.ru (CommuniGate Pro SMTP 3.4) with ESMTP id 1285711; Wed, 28 Feb 2001 11:23:21 +0300
Message-ID: <3A9CB579.46B9852B@zenon.net>
Date: Wed, 28 Feb 2001 11:23:21 +0300
From: Andrey Podkolzin
Organization: Zenon N.S.P.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: ru, en
MIME-Version: 1.0
To: Jen Linkova
Cc: security@FreeBSD.ORG
Subject: Re: vlan
References: <3A9A63D8.D6C8881F@eng.ufl.edu> <9185502756.20010227105425@technobank.com.by> <20010228110158.A16617@comp.chem.msu.su>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

hi,

> grep vlan LINT
pseudo-device   vlan    1       #VLAN support
> uname -r
4.2-STABLE

Jen Linkova wrote:
> Hmm... I'm afraid he will find nothing..
> jen@comp:/usr/src/sys/i386/conf>grep vlan LINT
> jen@comp:/usr/src/sys/i386/conf>uname -a
> FreeBSD comp.chem.msu.su 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Thu Nov 30 20:06:23...

--
Andrey Podkolzin, Zenon N.S.P.
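The ftp-access thread above comes down to two facts: ftpd admits only accounts whose shell getusershell(3) returns from /etc/shells, while sshd will run the login shell with -c for any account that has a valid password, so a listed shell that really is a shell (Brooks Davis' "ssh -t /bin/sh" point) gives both. The script below is an added example, not from any poster or from FreeBSD, that audits a passwd file against a shells file on those two rules; the passwd and shells contents are constructed sample data, /usr/local/sbin/ftponlylogin and /nonexistent/ftponly are the two ftp-only schemes from Jordan DeLong's and Steve Reid's posts, and the "can sshd spawn a shell" probe is my own heuristic (it runs each listed shell with `-c 'exit 7'` on the audit host).

```shell
#!/bin/sh
# Audit "ftp-only" accounts using the two behaviours the thread describes:
#   ftpd : login allowed only if the shell is a "standard shell" per
#          getusershell(3), i.e. an exact non-comment line in /etc/shells.
#   sshd : runs "$SHELL -c command" for any authenticated account, so a
#          listed shell that is a working interpreter also yields a remote
#          shell ("ssh -t /bin/sh"). ftp=yes ssh=yes is the exposure.
#
# CONSTRUCTED sample data below, not from a real host. The two ftp-only
# schemes (a renamed copy of nologin, and a listed but non-existent path)
# are the ones posted in the thread.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
PASSWD="$TMP/passwd"
SHELLS="$TMP/shells"

cat >"$PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
tunicum:*:2002:2002:BWH Ontwerpers:/home/intraction/tunicum:/sbin/nologin
webcust:*:2003:2003:ftp only (nologin copy):/home/webcust:/usr/local/sbin/ftponlylogin
uploads:*:2004:2004:ftp only (bogus shell):/home/uploads:/nonexistent/ftponly
EOF

cat >"$SHELLS" <<'EOF'
# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.
/bin/sh
/bin/csh
/usr/local/sbin/ftponlylogin
/nonexistent/ftponly
EOF

# shell_listed SHELL SHELLS_FILE
# Succeeds when SHELL appears as an exact, non-comment line in SHELLS_FILE,
# which is what getusershell(3), and therefore ftpd, checks.
shell_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -Fqx -- "$1"
}

# can_spawn_shell SHELL
# Heuristic for what sshd does with a remote command: run "$SHELL -c cmd".
# Succeeds only if the program exists on this host and actually executed
# the command (nologin and copies of it print a message and exit 1; a
# missing path fails outright). This executes the login shells named in
# the passwd file on the audit host, so point it only at your own files.
can_spawn_shell() {
    [ -x "$1" ] || return 1
    rc=0
    "$1" -c 'exit 7' </dev/null >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 7 ]
}

# ftp_only_audit PASSWD_FILE SHELLS_FILE
# Prints one line per account: "<user> ftp=<yes|no> ssh=<yes|no>".
ftp_only_audit() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        if shell_listed "$shell" "$2"; then ftp=yes; else ftp=no; fi
        if can_spawn_shell "$shell"; then ssh=yes; else ssh=no; fi
        printf '%s ftp=%s ssh=%s\n' "$user" "$ftp" "$ssh"
    done <"$1"
}

# Stand-alone run. tunicum comes out ftp=no because /sbin/nologin is not in
# the shells file (the "530 User tunicum access denied" seen in the thread);
# the two ftp-only schemes come out ftp=yes ssh=no; root is ftp=yes ssh=yes.
ftp_only_audit "$PASSWD" "$SHELLS"
```

Adding /sbin/nologin itself to /etc/shells would make tunicum ftp=yes ssh=no as well, at the price of nologin being accepted by chpass(1) for every account, which is the trade-off Jordan's renamed copy avoids.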
From: Dmitry Shupilov
Date: Wed, 28 Feb 2001 10:49:12 +0200
To: rlucia@iscanet.com, security@FreeBSD.ORG
Subject: Re[2]: vlan
Message-ID: <60171590323.20010228104912@technobank.com.by>

RL> first you should add:
RL> pseudo-device vlan ... see LINT
RL> to your kernel configuration.

WOW!!! it really works!!! thanks a lot!!! but i looked through the LINT & i didn't find any mention about vlan pseudo-device ??? where is the info about it?
From: Marco Molteni
Date: Wed, 28 Feb 2001 12:35:00 +0100
To: freebsd-security@freebsd.org
Subject: [dwheeler@IDA.ORG: DARPA BAA #01-24 - funding security research for open source OS's.]
Message-ID: <20010228123500.B425@cobweb.example.org>

FYI

Marco

----- Forwarded message from David Wheeler -----

From: David Wheeler
Reply-To: David Wheeler
To: SECPROG@SECURITYFOCUS.COM
Date: Tue, 27 Feb 2001 10:26:22 -0500
Subject: DARPA BAA #01-24 - funding security research for open source OS's.

FYI: If you're interested in doing security research for open source operating systems, the U.S. DARPA has released a "Broad Area Announcement" (BAA) requesting proposals for this kind of work. DARPA will select the "best" proposals and fund them.

The solicitation is DARPA BAA #01-24, part of the "Composable High Assurance Trusted Systems" (CHATS) program. Proposals for this BAA should be for 12 to 24 months of base funding with the possibility of additional options. Multiple awards worth approximately $10 million over two years are expected to be made from this BAA.

The full proposal (original and designated number of hard and electronic copies) must be submitted in time to reach DARPA by 4:00 PM (U.S. Eastern Time) Monday, March 5, 2001, in order to be considered; it CANNOT be sent by email or fax (they REQUIRE PHYSICAL COPIES). Proposals have a prescribed format, so if you want to submit a proposal, you must hurry to submit one in time.

I don't have any particular relationship with this program (other than thinking it's a great idea), so please don't ask me about it. It appears that non-U.S.-citizens can apply, since DARPA normally permits this unless otherwise forbidden & I see no such prohibition in this case.

You can get more information from:

Commerce Business Daily (CBD) Reference:
  http://www.darpa.mil/ito/Solicitations/CBD_01-24.html
Proposer Information Pamphlet (it's hard to find on the web site):
  http://www.darpa.mil/ito/Solicitations/PIP_01-24.html
General Information on DARPA ITO Solicitations (especially their FAQ):
  http://www.darpa.mil/ito/solicitations.html

Here's a brief summary (excerpted from the BAA):

"DARPA is seeking to develop new security functionality for existing open source operating systems, leveraging the many years of operating systems development, and to demonstrate the value of useful security tools to the open source community. ... This BAA solicits proposals in the following technical topic areas of the Composable High Assurance Trusted Systems (CHATS) program: (1) Enhanced security and compatibility across open source operating systems; (2) System configuration and administration tools and methods; (3) Security audit/analysis/testing/documentation of open source systems; (4) Security policy, security services, critical applications, and hardware support; (5) Assurance methods and tools; and (6) Other innovative topics related to composable high assurance trusted open-source operating systems. ... Proposed research should investigate innovative approaches and techniques that lead to or enable revolutionary advances in the state-of-the-art. Proposals are not limited to the specific strategies listed above, and alternative visions will be considered. However, proposals should be for research that substantially contributes towards the goals stated, i.e. improving the security functionality of existing open source operating systems."

----- End forwarded message -----


From: Carroll Kong
Date: Wed, 28 Feb 2001 09:37:06 -0500
To: Roelof Osinga
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
Message-Id: <4.2.2.20010228092524.00ba1b10@netmail.home.com>
In-Reply-To: <3A9C98D1.C6919F6@eboa.com>

At 07:21 AM 2/28/01 +0100, Roelof Osinga wrote:
>Carroll Kong wrote:
> >
> > > ...
> > >Not on 4.2 anyway. Just today - ok, technically yesterday, but who's
> > >counting? - I realized that the client was right after all. He could
> > >not log in indeed. Due to /sbin/nologin.
> > >
> > >When using regular ftpd. Using ProFTPd no problem.
> > >
> > >Ah, as a matter of fact, I was using inetd. Haven't tried
> > >daemon mode with 4.2 yet. Who knows? There might be hope, still.
> >
> > That is odd. The reason why ftpd does not work is because........ man ftpd
> > shows
> >
> >   4. The user must have a standard shell returned by
> >      getusershell(3).
> >
> > So, man getusershell shows
> >
> >   The getusershell() function returns a pointer to a legal user shell as
> >   defined by the system manager in the file /etc/shells. If /etc/shells is
> >   unreadable or does not exist, getusershell() behaves as if /bin/sh and
> >   /bin/csh were listed in the file.
> >
> > This is very odd, unless I am forgetting something I did, I JUST
> > did this with a client two days ago on 4.2-STABLE. Telnet results in "not
> > authorized" or something like that, and ftpd lets them in happily. Same
> > user name and all. Please look it over, I am outright positive it
> > works! (ok, maybe 99.99999% sure). What is the error message? User
> > denied? Check man ftpd for that list of "reasons why ftpd would tell your
> > user to go away".
>
>As you can see, a lot more ASCII than before.
>
>But don't let me interrupt you. You were saying "maybe
>99.99999% sure"... .
>
>Ok, so how about that 0.00001% you were not sure about? ;)
>
>I agree, this isn't supposed to happen. But that's the story
>of my life. Yet I *am* alive! So, there you go.
>
>Roelof

>Rob Simmons wrote:
> >
> > /sbin/nologin as the user's shell. You also have to add this shell to
> > /etc/shells

Well, if you want to be sly about it, how about you try reading what I wrote and what the others wrote? How about you do a cat /etc/shells | grep nologin. If that returns nothing, I think you just absolutely ignored our advice and ignored man ftpd and man getusershell which I posted quite clearly. Mine returns "/sbin/nologin" as an allowable shell, so getusershell returns a value pointer, so ftpd lets it through check point #4. That is my 99.999999% sure part talking, unless you got some other weirdo problem which I do not quite understand.
The 99.999999% is also saying that your cat /etc/shells | grep nologin is going to return nothing.

-Carroll Kong


From: "Jacques A. Vidrine"
Date: Wed, 28 Feb 2001 09:45:04 -0600
To: Hajimu UMEMOTO
Cc: Arjan.deVet@adv.iae.nl, rasputin@FreeBSD-uk.eu.org, stable@freebsd.org, freebsd-security@freebsd.org, darrenr@freebsd.org
Subject: IPFILTER IPv6 support non-functional? (was Re: IPF and IPv6)
Message-ID: <20010228094504.A56540@hamlet.nectar.com>
In-Reply-To: <20010228.185102.92589032.ume@imasy.or.jp>

On Wed, Feb 28, 2001 at 06:51:02PM +0900, Hajimu UMEMOTO wrote:
> >>>>> On Tue, 27 Feb 2001 21:07:34 +0100
> >>>>> Arjan de Vet said:
>
> >In article <20010227152544.A69259@dogma.freebsd-uk.eu.org> you write:
>
> >Turning off ipf starts the traffic flowing instantly, so it's definitely
> >the cause, as does:
>
> > IP-filter does not yet support IPv6 on -stable, see
> > http://www.FreeBSD.org/cgi/query-pr.cgi?pr=25403
>
> I heard from KAME guys that even though IP-filter has IPv6 code, it
> doesn't work with IPv6 at all. It is not only for FreeBSD but also
> NetBSD.

Can someone confirm whether or not IPv6 rulesets work with IPFILTER on FreeBSD? I don't have an environment to test this at the moment, but I'm pretty sure this worked previously.

By the way, if you are loading IPv4 and IPv6 rulesets, I think you must do something like this:

% ipf -I -Fa
% ipf -I -f /etc/ipf.conf        # IPv4 rules
% ipf -I -6 -f /etc/ipf6.conf    # IPv6 rules
% ipf -s

I'd like to know before I MFC -DUSE_INET6 for the utilities.
Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org


From: Roelof Osinga
Organization: eBOA - Programming the Web
Date: Wed, 28 Feb 2001 17:04:25 +0100
To: Carroll Kong
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
Message-ID: <3A9D2189.CB1BC694@eboa.com>

Carroll Kong wrote:
>
> ...
> weirdo problem which I do not quite understand. The 99.999999% is also
> saying that your cat /etc/shells | grep nologin is going to return nothing.

Ah, whoopsie. Could have sworn I'd put it in there.
Roelof - so sorry - Osinga


From: Mark Huizer
Date: Wed, 28 Feb 2001 18:14:26 +0100
To: "Jacques A. Vidrine"
Cc: Hajimu UMEMOTO, Arjan.deVet@adv.iae.nl, rasputin@FreeBSD-uk.eu.org, stable@freebsd.org, freebsd-security@freebsd.org, darrenr@freebsd.org
Subject: Re: IPFILTER IPv6 support non-functional? (was Re: IPF and IPv6)
Message-ID: <20010228181426.A9026@dohd.org>
In-Reply-To: <20010228094504.A56540@hamlet.nectar.com>

> > I heard from KAME guys that even though IP-filter has IPv6 code, it
> > doesn't work with IPv6 at all. It is not only for FreeBSD but also
> > NetBSD.
>
> Can someone confirm whether or not IPv6 rulesets work with IPFILTER
> on FreeBSD? I don't have an environment to test this at the moment,
> but I'm pretty sure this worked previously.
>
> By the way, if you are loading IPv4 and IPv6 rulesets, I think you
> must do something like this:
>
> % ipf -I -Fa
> % ipf -I -f /etc/ipf.conf        # IPv4 rules
> % ipf -I -6 -f /etc/ipf6.conf    # IPv6 rules
> % ipf -s
>
> I'd like to know before I MFC -DUSE_INET6 for the utilities.
>

I (and Guido van Rooij) had a look at this during a boring meeting some time ago, but it seems there were a few patches missing in the -current tree (something like the stuff in ipv6-patch in the FreeBSD-4.0 directory). But for the record: no, ipfilter doesn't work with filtering IPv6 in the current setup in FreeBSD -current

Mark
--
Nice testing in little China...


From: Torbjorn Kristoffersen
Date: Wed, 28 Feb 2001 18:36:08 +0100 (CET)
To: Paul Herman
Subject: Re: ssh tricks (was Re: ssh -t /bin/sh trick (was Re: ftp access))

On Wed, 28 Feb 2001, Paul Herman wrote:

> On Tue, 27 Feb 2001, Steve Reid wrote:
>
> > On Tue, Feb 27, 2001 at 02:55:12PM -0800, Brooks Davis wrote:
> > > If you do this be sure to keep users from being able to access the system
> > > via ssh. Otherwise they can just use ssh to spawn a shell for themselves:
> > > ssh -t /bin/sh
> >
> > Are you certain about this?
> >
> > I tried this on a 4.1.1-R box I operate and it didn't let me in.
> > The box is set up with the ftp login shell set to "/nonexistent/ftponly",
> > which is listed in /etc/shells but does not exist.
>
> This behaviour has changed over the years, which is why there are two
> conflicting reports.
>
> I remember the days (FreeBSD 2.2.6, or so, using ssh from ssh.com) of
> having to write a small script in /etc/sshrc which checks for invalid
> shells to prevent what Brooks was describing. Back then, it *did*
> work.
>
> Now (at least with OpenSSH_2_3_0), that trick doesn't work anymore.
> Don't know when/where/in which version this changed, but my inkling is
> that PAM is the culprit.
>
> -Paul.
>

Since the topic is 'ssh tricks', here's one that works with all versions of SSH I've used (openssh 2.3.0 as well):

home$ ssh -l username site /bin/sh -i
sh: can't access tty; job control turned off
$
 6:14PM  up 3 days,  7:22, 3 users, load averages: 0.19, 0.12, 0.11
USER       TTY   FROM            LOGIN@   IDLE  WHAT
otheruser  p0    microsoft.com   Tue01PM  1:16  vi main.c
$ tty
not a tty
$

Forcing the shell to behave interactively makes the user hidden on 'who' (he's not allocated a tty), but you can still kill sshd or the sh process. But people administering big systems with hundreds of PIDs running might not check their process status tables for suspicious stuff as often as they should. Many just type w/who instead to see who's logged on.

This feature of sh used together with ssh is probably well known, but I decided to mention it anyway.
Cheers,
Torbjorn Kristoffersen
sgt@netcom.no
sgt@digiweb.no


From: Nate Williams
Date: Wed, 28 Feb 2001 10:46:40 -0700 (MST)
To: Paul Herman
Cc: Steve Reid, Brooks Davis, Rob Simmons
Subject: Re: ssh -t /bin/sh trick (was Re: ftp access)
Message-ID: <15005.14720.989013.390180@nomad.yogotech.com>
Reply-To: nate@yogotech.com (Nate Williams)

> > > If you do this be sure to keep users from being able to access the system
> > > via ssh. Otherwise they can just use ssh to spawn a shell for themselves:
> > > ssh -t /bin/sh
> >
> > Are you certain about this?
> >
> > I tried this on a 4.1.1-R box I operate and it didn't let me in. The
> > box is set up with the ftp login shell set to "/nonexistent/ftponly",
> > which is listed in /etc/shells but does not exist.
>
> This behaviour has changed over the years, which is why there are two
> conflicting reports.
>
> I remember the days (FreeBSD 2.2.6, or so, using ssh from ssh.com) of
> having to write a small script in /etc/sshrc which checks for invalid
> shells to prevent what Brooks was describing. Back then, it *did*
> work.

Strange. I'm using an older setup (2.2.8 client, 3.4 server), both using SSH.com software, and it doesn't work. You had me worried for a moment.. :)

> Now (at least with OpenSSH_2_3_0), that trick doesn't work anymore.
> Don't know when/where/in which version this changed, but my inkling is
> that PAM is the culprit.

I'm not using OpenSSH and/or PAM with SSH on my box, and it doesn't work.

Nate


From: Michael Lucas
Date: Wed, 28 Feb 2001 12:50:02 -0500
To: security@freebsd.org
Subject: skip & X
Message-ID: <20010228125002.A43146@blackhelicopters.org>

Hello,

I'd like to use a secure connection between my FreeBSD box and a SKIP VPN host. I don't have X installed on the FreeBSD box, and have no reason to do so. Is there some way to install the SKIP port without the whole mess of X? Or do I need to do this the old-fashioned way?
Thanks,
Michael

--
Michael Lucas
mwlucas@blackhelicopters.org
http://www.blackhelicopters.org/~mwlucas/
Big Scary Daemons: http://www.oreillynet.com/pub/q/Big_Scary_Daemons


From: Kris Kennaway
Date: Wed, 28 Feb 2001 09:59:02 -0800
To: Torbjorn Kristoffersen
Cc: Paul Herman, freebsd-security@FreeBSD.ORG
Subject: Re: ssh tricks (was Re: ssh -t /bin/sh trick (was Re: ftp access))
Message-ID: <20010228095902.C7619@mollari.cthul.hu>

On Wed, Feb 28, 2001 at 06:36:08PM +0100, Torbjorn Kristoffersen wrote:
> Since the topic is 'ssh tricks', here's one that works with all
> versions of SSH I've used (openssh 2.3.0 as well):
>
> home$ ssh -l username site /bin/sh -i

This is actually an old rsh trick in new clothes :-)

Kris


From: Matt Piechota
Date: Wed, 28 Feb 2001 14:29:07 -0500 (EST)
To: Rob Simmons
Subject: Re: ftp access

On Tue, 27 Feb 2001, Rob Simmons wrote:

> /sbin/nologin as the user's shell. You also have to add this shell to
> /etc/shells

I thought the idea of nologin was to deny access. Wouldn't you want to copy nologin to /sbin/ftponly (or something) and put that in /etc/shells? That way you have 3 steps: telnet+ftp (tcsh, bash, etc), ftp only (/sbin/ftponly), and no access (/sbin/nologin).
--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron


From: Arjan.deVet@adv.iae.nl (Arjan de Vet)
Date: Wed, 28 Feb 2001 20:49:03 +0100
To: "Jacques A. Vidrine", Mark Huizer
Cc: Hajimu UMEMOTO, rasputin@FreeBSD-uk.eu.org, freebsd-security@freebsd.org, darrenr@freebsd.org
Subject: Re: IPFILTER IPv6 support non-functional? (was Re: IPF and IPv6)
Message-ID: <20010228204903.A7822@adv.devet.org>
In-Reply-To: <20010228181426.A9026@dohd.org>

Mark Huizer wrote:

>I (and Guido van Rooij) had a look at this during a boring meeting some
>time ago, but it seems there were a few patches missing in the -current
>tree (something like the stuff in ipv6-patch in the FreeBSD-4.0
>directory).

Indeed. That piece of code is not present in both -current and -stable.
The ipv6-patch-4.1 file from the ipfilter distribution patches without problems and I've checked that the -stable kernel compiles with INET6 and IPFILTER enabled. I don't have an IPv6 setup myself so I cannot test it.

>But for the record: no, ipfilter doesn't work with filtering
>IPv6 in the current setup in FreeBSD -current

The missing code from that patch would indeed explain that.

Would the KAME people have problems integrating this patch to enable IPv6 for IP-filter?

Arjan

--
Arjan de Vet, Eindhoven, The Netherlands
URL: http://www.iae.nl/users/devet/ for PGP key: finger devet@iae.nl


From: Hajimu UMEMOTO
Date: Thu, 01 Mar 2001 04:58:25 +0900 (JST)
To: Arjan.deVet@adv.iae.nl
Cc: n@nectar.com, freebsd@dohd.org, rasputin@FreeBSD-uk.eu.org, freebsd-security@freebsd.org, darrenr@freebsd.org, itojun@iijlab.net
Subject: Re: IPFILTER IPv6 support non-functional?
Message-Id: <20010301.045825.71113666.ume@mahoroba.org>
In-Reply-To: <20010228204903.A7822@adv.devet.org>

>>>>> On Wed, 28 Feb 2001 20:49:03 +0100
>>>>> Arjan de Vet said:

Arjan.deVet> Mark Huizer wrote:

>I (and Guido van Rooij) had a look at this during a boring meeting some
>time ago, but it seems there were a few patches missing in the -current
>tree (something like the stuff in ipv6-patch in the FreeBSD-4.0
>directory).

Arjan.deVet> Indeed. That piece of code is not present in both -current and -stable.
Arjan.deVet> The ipv6-patch-4.1 file from the ipfilter distribution patches without
Arjan.deVet> problems and I've checked that the -stable kernel compiles with INET6
Arjan.deVet> and IPFILTER enabled. I don't have an IPv6 setup myself so I cannot test
Arjan.deVet> it.

>But for the record: no, ipfilter doesn't work with filtering
>IPv6 in the current setup in FreeBSD -current

Arjan.deVet> The missing code from that patch would indeed explain that.

Arjan.deVet> Would the KAME people have problems integrating this patch to enable
Arjan.deVet> IPv6 for IP-filter?

I believe KAME doesn't maintain IP-filter at all. But, itojun said that calculation of payload length is wrong.
--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/


From: Jared Chenkin
Date: Wed, 28 Feb 2001 16:41:49 -0500
To: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Sshd having problems...?
Message-Id: <200102282141.f1SLfoi89644@voyager.bxscience.edu>

Hi.

I try to log into this machine via ssh and I get these messages:

Feb 28 14:09:07 enterprise sshd[591]: fatal: PAM session setup failed[6]: Permission denied
Feb 28 14:09:07 enterprise sshd[591]: no modules loaded for `sshd' service

What's going on? This is right out of the install, totally untouched. I have enabled sshd in rc.conf(5).
Live Large,

Jared Chenkin
(AIM: DevNull24)
Networked Systems Administrator
Bronx Science Computing

From owner-freebsd-security Wed Feb 28 13:44:49 2001
Date: Wed, 28 Feb 2001 15:44:04 -0600 (CST)
From: Chris Byrnes
To: Jared Chenkin
Subject: Re: Sshd having problems...?
In-Reply-To: <200102282141.f1SLfoi89644@voyager.bxscience.edu>

> Hi.
> I try to log into this machine via ssh and I get these messages:
>
> Feb 28 14:09:07 enterprise sshd[591]: fatal: PAM session setup failed[6]: Permission denied
> Feb 28 14:09:07 enterprise sshd[591]: no modules loaded for `sshd' service

Add this to /etc/pam.conf:

    # SSH stuff
    sshd auth sufficient pam_skey.so
    sshd auth required pam_unix.so try_first_pass
    sshd session required pam_permit.so

+ Chris Byrnes, chris@JEAH.net
  + JEAH Communications
  + 1-866-AWW-JEAH (Toll-Free)

From owner-freebsd-security Wed Feb 28 13:46:37 2001
Date: Wed, 28 Feb 2001 13:46:14 -0800
From: Erick Mechler
To: Jared Chenkin
Cc: freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: Sshd having problems...?
Message-ID: <20010228134614.R34197@techometer.net>
References: <200102282141.f1SLfoi89644@voyager.bxscience.edu>
In-Reply-To: <200102282141.f1SLfoi89644@voyager.bxscience.edu>; from Jared Chenkin on Wed, Feb 28, 2001 at 04:41:49PM -0500

It sounds like you didn't install the necessary pam modules as outlined in
UPDATING. Check that file and follow the instructions therein:

    20010112:
        Important new FreeBSD-version stuff: PAM support has been worked
        in, partially from the "Unix" OpenSSH version.
        This requires adding the following in pam.conf:

        sshd auth sufficient pam_skey.so
        sshd auth required pam_unix.so try_first_pass
        sshd session required pam_permit.so

--Erick

At Wed, Feb 28, 2001 at 04:41:49PM -0500, Jared Chenkin said this:
:: Hi.
:: I try to log into this machine via ssh and I get these messages:
::
:: Feb 28 14:09:07 enterprise sshd[591]: fatal: PAM session setup failed[6]: Permission denied
:: Feb 28 14:09:07 enterprise sshd[591]: no modules loaded for `sshd' service
::
:: What's going on? This is right out of the install, totally untouched. I have enabled sshd in rc.conf(5).
::
:: Live Large,
::
:: Jared Chenkin
::
:: (AIM: DevNull24)
:: Networked Systems Administrator
:: Bronx Science Computing

From owner-freebsd-security Wed Feb 28 13:53: 2 2001
Message-Id: <200102282152.f1SLqvi89999@voyager.bxscience.edu>
To: Chris Byrnes , freebsd-security@freebsd.org
Subject: Re: Sshd having problems...?
In-reply-to: (Your message of Wed, 28 Feb 2001 15:44:04 CST.)
Date: Wed, 28 Feb 2001 16:52:57 -0500
From: Jared Chenkin

In message , Chris Byrnes writes:
>> Hi.
>> I try to log into this machine via ssh and I get these messages:
>>
>> Feb 28 14:09:07 enterprise sshd[591]: fatal: PAM session setup failed[6]: Permission denied
>> Feb 28 14:09:07 enterprise sshd[591]: no modules loaded for `sshd' service
>
>Add this to /etc/pam.conf:
>
># SSH stuff
>sshd auth sufficient pam_skey.so
>sshd auth required pam_unix.so try_first_pass
>sshd session required pam_permit.so
>
>+ Chris Byrnes, chris@JEAH.net
>  + JEAH Communications
>  + 1-866-AWW-JEAH (Toll-Free)

Whoops! Thanks a lot! Sorry for wasting your time.

Live Large,

Jared Chenkin
(AIM: DevNull24)
Networked Systems Administrator
Bronx Science Computing

From owner-freebsd-security Wed Feb 28 16: 7:51 2001
Date: Thu, 1 Mar 2001 01:07:42 +0100 (CET)
From: Paul Herman
To: Nate Williams
Subject: Re: ssh -t /bin/sh trick (was Re: ftp access)
In-Reply-To: <15005.14720.989013.390180@nomad.yogotech.com>

On Wed, 28 Feb 2001, Nate Williams wrote:

> > I remember the days (FreeBSD 2.2.6, or so, using ssh from ssh.com) of
> > having to write a small script in /etc/sshrc which checks for invalid
> > shells to prevent what Brooks was describing. Back then, it *did*
> > work.
>
> Strange. I'm using an older setup (2.2.8 client, 3.4 server), both
> using SSH.com software, and it doesn't work.

Back then the network was a mish-mash of FreeBSD and Linux servers.
It could have just been a Linux sshd phenomenon.

-Paul.

From owner-freebsd-security Wed Feb 28 18: 9:14 2001
From: Aaron D.Gifford
To: freebsd-security@freebsd.org
Subject: RE: ssh tricks (was Re: ssh -t /bin/sh trick (was Re: ftp
Date: Wed, 28 Feb 2001 19:09:49 -0700
Message-Id: <01022819094900.04839@jardan.infowest.com>

Since the topic strayed to SSH tricks, here's another to keep your eyes
open for:

Assuming that /sbin/ftponly is a hard link to /sbin/nologin and
/sbin/ftponly is in /etc/shells on a FreeBSD 4.2-STABLE as of Jan. or
Feb. 2001 system running FTP and SSH services (the built-in ones that are
a part of FreeBSD), consider the following:

    user:password.:101:101::0:0:Some FTP User:/home/ftponly/user:/sbin/ftponly

If this user attempts to log in using SSH to a shell, he/she will see the
FreeBSD MOTD banner, then the line "This account is currently not
available." after which the connection is terminated.
With regard to the mentioned "ssh -t" trick, on my 4.2-STABLE box it does
not work, giving the user just the single line message that the account is
not available. So you think you're completely safe. Maybe you are...

BUT...

Are you aware that the FreeBSD SSH installation by default has TCP
forwarding enabled? Are you completely aware of the implications? Smart
admin. that you are, you completely understand that this FTP-only user can
still do fun stuff like:

    ssh -l user your.ftp.server.host -L 7777:some.smtp.relay:25 -N

The user then uses this forwarding to send spam via your FTP server, which
spam looks like it came from your FTP server (it did, via the SSH forwarded
TCP connection). And your logging might not catch it (depending on how you
have configured sshd logging) since utmp/wtmp won't show a thing.

All sorts of other interesting possibilities exist too.

Just another SSH trick/feature to be aware of when limiting shell access
for accounts (like FTP-only, or chrsh).

If there's anything I'm missing in the above, additional tricks I (and
others) should watch out for, etc., please let me know. I love to learn new
things.

Aaron out.
--
www.aarongifford.com

From owner-freebsd-security Wed Feb 28 19:28: 7 2001
From: Nate Williams
Message-ID: <15005.49602.104109.812735@nomad.yogotech.com>
Date: Wed, 28 Feb 2001 20:28:02 -0700 (MST)
To: "Aaron D.Gifford"
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: ssh tricks (was Re: ssh -t /bin/sh trick (was Re: ftp
In-Reply-To: <01022819094900.04839@jardan.infowest.com>
References: <01022819094900.04839@jardan.infowest.com>
Reply-To: nate@yogotech.com (Nate Williams)

> Are you aware that the FreeBSD SSH installation by default has TCP
> forwarding enabled?

Yep. Note, the commercial version SSH1 had the ability to turn on/off port
forwarding on a per-user and/or per-port basis. So, you could
disable/enable all ports but one, and then enable/disable the particular
port for certain users. It was pretty nice for setting up 'truly' secure
systems that still allowed some flexibility.

Too bad this doesn't exist in OpenSSH (or if it does, I haven't found it).
Nate

From owner-freebsd-security Wed Feb 28 20: 1:51 2001
To: Hajimu UMEMOTO
Cc: Arjan.deVet@adv.iae.nl, n@nectar.com, freebsd@dohd.org, rasputin@FreeBSD-uk.eu.org, freebsd-security@freebsd.org, darrenr@freebsd.org
In-reply-to: ume's message of Thu, 01 Mar 2001 04:58:25 JST. <20010301.045825.71113666.ume@mahoroba.org>
Subject: Re: IPFILTER IPv6 support non-functional?
From: itojun@iijlab.net
Date: Thu, 01 Mar 2001 13:01:39 +0900
Message-ID: <14300.983419299@coconut.itojun.org>

>> Would the KAME people have problems integrating this patch to enable
>> IPv6 for IP-filter?
>I believe KAME doesn't maintain IP-filter at all. But, itojun said
>that calculation of payload length is wrong.

Yup, that is what I saw in the latest. Also ipf does not chase extension
headers, so even if you try to filter tcp, "tcp with routing header" will
go through. Not sure how we should model filter languages in presence of
header chain.

I guess it's safer to enable it in main trunk, and get it tested against
IPv6 traffic for some time. It looks like there's too little time for 4.3
to have IPv6 ipf enabled.
itojun

From owner-freebsd-security Wed Feb 28 20: 3:26 2001
Date: Wed, 28 Feb 2001 20:03:14 -0800
From: Brooks Davis
To: Paul Herman
Cc: Nate Williams , freebsd-security@FreeBSD.ORG
Subject: Re: ssh -t /bin/sh trick (was Re: ftp access)
Message-ID: <20010228200314.B30666@Odin.AC.HMC.Edu>
References: <15005.14720.989013.390180@nomad.yogotech.com>
In-Reply-To: ; from pherman@frenchfries.net on Thu, Mar 01, 2001 at 01:07:42AM +0100

On Thu, Mar 01, 2001 at 01:07:42AM +0100, Paul Herman wrote:
> Back then the network was a mish-mash of FreeBSD and Linux servers.
> It could have just been a Linux sshd phenomenon.

I believe I found the problem on IRIX in the first place. The way we found
it was one of those nice default non-passworded accounts SGI ships with.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Wed Feb 28 21:44:17 2001
Message-ID: <000801c0a212$90619840$1e9e6389@137.99.156.23>
From: "Peter C. Lai"
Subject: sshd weirdness
Date: Thu, 1 Mar 2001 00:43:37 -0500

I was upgrading my ports recently on a box that was upgraded from
4.1.1-Stable to 4.2-stable about a month ago, and saw the ssh 1.x port
installed and in need of upgrade. Now, because I had built world with
OpenSSH 2.3.0, I no longer needed the ssh 1.x port, so I deleted it using
pkg_delete -f. The uptime on the box had been several weeks. I then remade
a new kernel to incorporate some Alt-Q traffic shaper drivers.
I didn't cvsup sources, nor did I remake world, I just patched my existing
kernel source, and did a config, make depend, and make.

I reboot the machine to use the new kernel, and 1. sshd is NOT running,
because in rc.conf, sshd_enable is set to OFF for some reason, and 2. when
I try to ssh in from a location on the same subnet, I am told the
fingerprint has changed.

Furthermore, because I deleted the ssh port, /usr/local/etc/rc.d/sshd.sh
got removed, which is expected. I didn't know if "SSHD_ENABLED" was
already set to "NO".

My logs showed no new logins during the period of the kernel upgrades, and
no other anomalous behavior has been detected. Could my deleting the port
have anything to do with OpenSSH starting? I checked /etc/ssh and all the
keys have not been modified with a new timestamp.

I have another box with a locked down firewall in verbose logging on the
same hub, and it did not detect any arp changes on the fully switched
subnet (rapid arp shifts between 2 MACs is indicative of traffic sniffing
and Man-in-middle attacks, since the man-in-middle must present himself as
your router).

This is puzzling...
From owner-freebsd-security Wed Feb 28 21:59:54 2001
Message-Id: <200103010559.QAA01865@tungsten.austclear.com.au>
To: "Peter C. Lai"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd weirdness
In-Reply-To: Message from "Peter C. Lai" of "Thu, 01 Mar 2001 00:43:37 CDT." <000801c0a212$90619840$1e9e6389@137.99.156.23>
Date: Thu, 01 Mar 2001 16:59:48 +1100
From: Tony Landells

Ummm, I could be wrong, but most of this seems consistent with what you
did...

> Now, because I had built world with OpenSSH 2.3.0, I no longer needed the
> ssh 1.x port, so I deleted it using pkg_delete -f. The uptime on the box
> had been several weeks.

Fine.

> I reboot the machine to use the new kernel, and 1. sshd is NOT running,
> because in rc.conf, sshd_enable is set to OFF for some reason, and 2. when
> I try to ssh in from a location on the same subnet, I am told the
> fingerprint has changed.

sshd_enable is set to OFF because you removed the package, I would
assume...

> Furthermore, because I deleted the ssh port, /usr/local/etc/rc.d/sshd.sh
> got removed, which is expected.
No, this is the bit that's wrong. This is the startup script for OpenSSH,
and should not have been removed.

> I didn't know if "SSHD_ENABLED" was already set to "NO".

Since this controls whether sshd 1.x is running, it would have been
changed when you removed the package.

> Could my deleting the port have anything to do with OpenSSH starting?

Maybe, but you seem to have misunderstood which settings are for which
SSH.

> I checked /etc/ssh and all the keys have not been modified with a new
> timestamp.

That's because they belong to the version 1.x ssh, which you don't run any
more. Look in /usr/local/etc for OpenSSH files.

> This is puzzling...

Not particularly...

Tony
--
Tony Landells                     Senior Network Engineer
Ph:  +61 3 9677 9319              Australian Clearing Services Pty Ltd
Fax: +61 3 9677 9355              Level 4, Rialto North Tower
                                  525 Collins Street
                                  Melbourne VIC 3000
                                  Australia

From owner-freebsd-security Wed Feb 28 22: 9:31 2001
Date: Thu, 1 Mar 2001 01:09:03 -0500 (EST)
From: Mikhail Kruk
To: Tony Landells
Cc: "Peter C. Lai" ,
Subject: Re: sshd weirdness
In-Reply-To: <200103010559.QAA01865@tungsten.austclear.com.au>

> > I reboot the machine to use the new kernel, and 1. sshd is NOT running,
> > because in rc.conf, sshd_enable is set to OFF for some reason, and 2. when
> > I try to ssh in from a location on the same subnet, I am told the
> > fingerprint has changed.
>
> sshd_enable is set to OFF because you removed the package, I would assume...

I think it was set off because he didn't use internal openssh before. It's
probably just the default setting. Has nothing to do with the port. Port
uses the script in blah/etc/rc.d

> > removed, which is expected.
>
> No, this is the bit that's wrong. This is the startup script for OpenSSH,
> and should not have been removed.

No, from /usr/ports/security/ssh2/Makefile:

	@if [ "`grep ssh /etc/inetd.conf|grep -v ^#ssh`" = "" ]; then \
	    if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
	        ${ECHO} "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \
	        ${SED} -e 's+!!PREFIX!!+${PREFIX}+' < ${FILESDIR}/sshd.sh \
	            > ${PREFIX}/etc/rc.d/sshd.sh; \
	        ${CHMOD} 751 ${PREFIX}/etc/rc.d/sshd.sh; \
	    fi; \
	fi

From owner-freebsd-security Wed Feb 28 22:16:59 2001
Message-ID: <000b01c0a216$a6ba95c0$1e9e6389@137.99.156.23>
From: "Peter C. Lai"
To: "Mikhail Kruk" , "Tony Landells"
Subject: Re: sshd weirdness
Date: Thu, 1 Mar 2001 01:12:53 -0500

OK so, to preserve the keys, I should go back in, and use the conversion
util for ssh-keys to OpenSSH-keys?

----- Original Message -----
From: "Mikhail Kruk"
To: "Tony Landells"
Cc: "Peter C. Lai" ;
Sent: Thursday, March 01, 2001 1:09 AM
Subject: Re: sshd weirdness

> > > I reboot the machine to use the new kernel, and 1. sshd is NOT running,
> > > because in rc.conf, sshd_enable is set to OFF for some reason, and 2. when
> > > I try to ssh in from a location on the same subnet, I am told the
> > > fingerprint has changed.
> >
> > sshd_enable is set to OFF because you removed the package, I would assume...
>
> I think it was set off because he didn't use internal openssh before. It's
> probably just the default setting. Has nothing to do with the port. Port
> uses the script in blah/etc/rc.d
>
> > > removed, which is expected.
> >
> > No, this is the bit that's wrong. This is the startup script for OpenSSH,
> > and should not have been removed.
>
> No, from /usr/ports/security/ssh2/Makefile:
>
> 	@if [ "`grep ssh /etc/inetd.conf|grep -v ^#ssh`" = "" ]; then \
> 	    if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
> 	        ${ECHO} "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \
> 	        ${SED} -e 's+!!PREFIX!!+${PREFIX}+' < ${FILESDIR}/sshd.sh \
> 	            > ${PREFIX}/etc/rc.d/sshd.sh; \
> 	        ${CHMOD} 751 ${PREFIX}/etc/rc.d/sshd.sh; \
> 	    fi; \
> 	fi

From owner-freebsd-security Wed Feb 28 22:21:57 2001
Message-Id: <200103010621.RAA02174@tungsten.austclear.com.au>
To: "Peter C. Lai"
Cc: "Mikhail Kruk" , freebsd-security@FreeBSD.ORG
Subject: Re: sshd weirdness
In-Reply-To: Message from "Peter C. Lai" of "Thu, 01 Mar 2001 01:12:53 CDT." <000b01c0a216$a6ba95c0$1e9e6389@137.99.156.23>
Date: Thu, 01 Mar 2001 17:21:52 +1100
From: Tony Landells

> OK so, to preserve the keys, I should go back in, and use the conversion
> util for ssh-keys to OpenSSH-keys?

That would be my plan. I'm pretty sure the exact steps have been covered
in this list and freebsd-questions many times.
Tony
--
Tony Landells                     Senior Network Engineer
Ph:  +61 3 9677 9319              Australian Clearing Services Pty Ltd
Fax: +61 3 9677 9355              Level 4, Rialto North Tower
                                  525 Collins Street
                                  Melbourne VIC 3000
                                  Australia

From owner-freebsd-security Wed Feb 28 22:37:39 2001
Message-Id: <200103010637.f216bFd46489@harmony.village.org>
To: Erick Mechler
Subject: Re: Sshd having problems...?
Cc: Jared Chenkin , freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
In-reply-to: Your message of "Wed, 28 Feb 2001 13:46:14 PST." <20010228134614.R34197@techometer.net>
References: <20010228134614.R34197@techometer.net> <200102282141.f1SLfoi89644@voyager.bxscience.edu>
Date: Wed, 28 Feb 2001 23:37:15 -0700
From: Warner Losh

In message <20010228134614.R34197@techometer.net> Erick Mechler writes:
: It sounds like you didn't install the necessary pam modules as outlined in
: UPDATING. Check that file and follow the instructions therein:
:
: 20010112:
:     Important new FreeBSD-version stuff: PAM support has been worked
:     in, partially from the "Unix" OpenSSH version. This requires
:     adding the following in pam.conf:
:
:     sshd auth sufficient pam_skey.so
:     sshd auth required pam_unix.so try_first_pass
:     sshd session required pam_permit.so

Running mergemaster also fixes this.
Warner

From owner-freebsd-security Wed Feb 28 23:18:49 2001
Message-ID: <3A9DF7C7.FF9361C2@eboa.com>
Date: Thu, 01 Mar 2001 08:18:31 +0100
From: Roelof Osinga
Organization: eBOA - Programming the Web
To: Matt Piechota
Cc: Rob Simmons , George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: ftp access

Matt Piechota wrote:
>
> On Tue, 27 Feb 2001, Rob Simmons wrote:
>
> > /sbin/nologin as the user's shell. You also have to add this shell to
> > /etc/shells
>
> I thought the idea of nologin was to deny access. Wouldn't you want to
> copy nologin to /sbin/ftponly (or something) and put that in /etc/shells?
> That way you have 3 step: telnet+ftp (tcsh, bash, etc), ftp only
> (/sbin/ftponly), and no access (/sbin/nologin).

Well, there is nologin and then there is nologin.

    nisse:/usr/local/www# apropos nologin
    login_auth(3), -(3) - auth_checknologin, auth_cat authentication style support library for login class capabilities database
    nologin(5) - disallow logins
    nologin(8) - politely refuse a login

so we got nologin(5):

    DESCRIPTION
        Nologin disallows logins if the file /var/run/nologin exists. Programs
        display the contents of /var/run/nologin to the user and exit.
and we got nologin(8):

    DESCRIPTION
        Nologin displays a message that an account is not available and exits
        non-zero. It is intended as a replacement shell field for accounts that
        have been disabled.

Besides that we, of course, also got login(1):

    If the file /var/run/nologin exists, login displays its contents to the
    user and exits. This is used by shutdown(8) to prevent users from logging
    in when the system is about to go down.

as well as ftpd(8):

    The file /var/run/nologin can be used to disable ftp access. If the file
    exists, ftpd displays it and exits. If the file /etc/ftpwelcome exists,
    ftpd prints it before issuing the ``ready'' message. If the file
    /etc/ftpmotd exists, ftpd prints it after a successful login. Note the
    motd file used is the one relative to the login environment. This means
    the one in ~ftp/etc in the anonymous user's case.

So in general you are right. The goal of nologin is to define nologin.
However, that having been said, there is a slight difference between
getting one's cake/login and eating (or not getting as the case might be)
one's cake/login.

In itself there is much to be said for having a nologin binary which
disallows logins, yet also having a ftpd which disallows logins provided
the user's shell is not a valid one as per /etc/shells. Thus one can have
one's cake - i.e. disallowing shell access - whilst eating it too - i.e.
allowing ftp access.

In your stated case, providing - say - bash as shell allows both shell and
ftp access; providing nologin+shell allows ftp access and, last but not
least, providing just nologin allows nada. In the latter case providing
/nada/niente serves the same purpose whilst keeping the previous door
opened.

Anyway, that's the theory as I understand it. The practice however...
;)

Roelof
--
It's a dog's life @ http://cairni.com/

From owner-freebsd-security Wed Feb 28 23:34:47 2001
From: itojun@iijlab.net
Date: Thu, 01 Mar 2001 16:34:37 +0900
To: Darren Reed
Cc: ume@mahoroba.org, Arjan.deVet@adv.iae.nl, n@nectar.com, freebsd@dohd.org, rasputin@FreeBSD-uk.eu.org, freebsd-security@freebsd.org, darrenr@freebsd.org
Subject: Re: IPFILTER IPv6 support non-functional?
In-reply-to: darrenr's message of Thu, 01 Mar 2001 18:23:31 +1100. <200103010723.SAA10342@avalon.reed.wattle.id.au>
Message-ID: <17940.983432077@coconut.itojun.org>

>> yup, that is what i saw in the latest. also ipf does not chase
>> extension headers, so even if you try to filter tcp, "tcp with
>> routing header" will go through. not sure how should we model filter
>> languages in presence of header chain.
>Aren't TCP, UDP and ICMP required to be the "last header" ? That is,
>they must be preceded by routing headers, etc.

that is what I was trying to mean. TCP/UDP/ICMP are the last header, routing headers are placed between IPv6 header and TCP headers. so a TCP packet with routing header will be like this:

    IPv6  routing  TCP  payload

ip6_nxt is IPPROTO_ROUTING, and ip6e_nxt in routing header will be IPPROTO_TCP.
fil.c:fr_check() does not seem to skip these intermediate headers, so the above packet will pass "drop tcp packets" filter.

itojun

From owner-freebsd-security Wed Feb 28 23:37:31 2001
From: itojun@iijlab.net
Date: Thu, 01 Mar 2001 16:37:29 +0900
To: Darren Reed, ume@mahoroba.org, Arjan.deVet@adv.iae.nl, n@nectar.com, freebsd@dohd.org, rasputin@FreeBSD-uk.eu.org, freebsd-security@freebsd.org, darrenr@freebsd.org
Subject: Re: IPFILTER IPv6 support non-functional?
In-reply-to: itojun's message of Thu, 01 Mar 2001 16:34:37 JST. <17940.983432077@coconut.itojun.org>
Message-ID: <18005.983432249@coconut.itojun.org>

to clarify, i'm not blaming anything. i am saying that:

- there's a hard problem about packet filter language design and IPv6 intermediate headers. sys/netinet6/ip6_fw.c chases header chain, however, i'm not sure if it is totally right thing to do.
- we need IPv6 filter code to get tested with care.
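The behaviour itojun describes above (a filter that reads only ip6_nxt lets "TCP behind a routing header" through a "drop tcp" rule; the later exchange with Darren Reed in this thread asks what a filter that does walk the chain should then be able to express) can be reproduced offline. The following is an added example, not code from the list, from IP Filter or from ip6_fw.c: it builds a constructed IPv6 packet with a type 0 routing header in front of TCP and compares a rule evaluated against ip6_nxt alone with the same rule evaluated against the last header of the chain. The addresses, ports and packet builder are made up for the example; the fragment-header case (a non-initial fragment carries no transport header at all, so neither rule can match it on protocol) goes beyond what the thread discusses.

```python
import struct

# IANA protocol numbers that appear in an IPv6 header chain
IPPROTO_HOPOPTS, IPPROTO_TCP, IPPROTO_ROUTING = 0, 6, 43
IPPROTO_FRAGMENT, IPPROTO_NONE, IPPROTO_DSTOPTS = 44, 59, 60
CHAINED = (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS)

# Constructed addresses (documentation prefix), not taken from the thread.
SRC = bytes.fromhex("20010db8" + "0" * 23 + "1")
DST = bytes.fromhex("20010db8" + "0" * 23 + "2")
VIA = bytes.fromhex("20010db8" + "0" * 23 + "9")


def ipv6(nxt, payload):
    """40-byte base header: version 6, payload length, next header, hop limit 64."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64, SRC, DST) + payload


def routing_hdr(nxt, via):
    """Type 0 routing header with one address: hdr_ext_len=2 -> (2+1)*8 = 24 bytes."""
    return struct.pack("!BBBBI16s", nxt, 2, 0, 1, 0, via)


def fragment_hdr(nxt, frag_off, more):
    """Fixed 8-byte fragment header; frag_off is in 8-octet units."""
    return struct.pack("!BBHI", nxt, 0, (frag_off << 3) | int(more), 0x1234)


def tcp_hdr(sport, dport):
    """Minimal 20-byte TCP header (SYN, no options); checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def ip6_nxt(pkt):
    """What a filter that only reads the base header's next-header field sees."""
    return pkt[6]


def final_header(pkt):
    """Walk the extension header chain. Returns (upper-layer protocol, offset),
    or (None, offset) for a non-initial fragment, which carries no transport header."""
    nxt, off = pkt[6], 40
    while True:
        if nxt in CHAINED:
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nxt == IPPROTO_FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            nxt, frag_off = pkt[off], struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            off += 8
            if frag_off != 0:
                return None, off
        else:
            return nxt, off
        if off > len(pkt):
            raise ValueError("extension header runs past end of packet")


def naive_matches(pkt, proto):
    """'block proto tcp' evaluated against ip6_nxt only (the behaviour itojun describes)."""
    return ip6_nxt(pkt) == proto


def chain_matches(pkt, proto):
    """The same rule evaluated against the last header in the chain."""
    return final_header(pkt)[0] == proto


# Constructed packets: plain TCP, TCP behind a routing header, a non-initial fragment.
PLAIN = ipv6(IPPROTO_TCP, tcp_hdr(40000, 22))
ROUTED = ipv6(IPPROTO_ROUTING, routing_hdr(IPPROTO_TCP, VIA) + tcp_hdr(40000, 22))
FRAG2 = ipv6(IPPROTO_FRAGMENT, fragment_hdr(IPPROTO_TCP, 100, False) + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("routed", ROUTED), ("frag2", FRAG2)):
        print(name, "ip6_nxt =", ip6_nxt(pkt),
              "naive tcp:", naive_matches(pkt, IPPROTO_TCP),
              "chain tcp:", chain_matches(pkt, IPPROTO_TCP))
```

The naive rule sees IPPROTO_ROUTING for the second packet and lets it pass; the chain walker finds TCP at offset 64. Note that the walker stops at a non-initial fragment rather than guessing a protocol, which is also why "block everything, permit what you want" is the only safe default for a filter that cannot see the whole chain.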
itojun

From owner-freebsd-security Thu Mar 1 00:19:07 2001
From: Christoph Kukulies
Date: Thu, 1 Mar 2001 09:19:00 +0100 (CET)
To: freebsd-security@freebsd.org
Subject: sshd - @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
Message-Id: <200103010819.JAA82842@gilberto.physik.rwth-aachen.de>

I installed a newer sshd recently on one machine in the network which I used to login before already via ssh.

Now I'm getting this infamous

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the host key has just been changed.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Host key for host.domain has changed and you have requested strict checking.

Do I have to worry about being compromised or is it 'normal' behaviour?

--
Chris Christoph P. U.
Kukulies kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Thu Mar 1 00:30:48 2001
From: Peter Pentchev
Date: Thu, 1 Mar 2001 10:29:57 +0200
To: Christoph Kukulies
Cc: freebsd-security@freebsd.org
Subject: Re: sshd - @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
Message-ID: <20010301102957.B55211@ringworld.oblivion.bg>
In-Reply-To: <200103010819.JAA82842@gilberto.physik.rwth-aachen.de>; from kuku@gilberto.physik.rwth-aachen.de on Thu, Mar 01, 2001 at 09:19:00AM +0100

On Thu, Mar 01, 2001 at 09:19:00AM +0100, Christoph Kukulies wrote:
>
> I installed a newer sshd recently on one machine in the network
> which I used to login before already via ssh.
>
> Now I'm getting this infamous
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the host key has just been changed.
> Please contact your system administrator.
> Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
> Host key for host.domain has changed and you have requested strict checking.
>
> Do I have to worry about being compromised or is it 'normal' behaviour?

If you did not keep your /etc/ssh/ subdirectory, particularly the host key files in there, then yes, it's normal. In future upgrades, try to keep as many of the config files in /etc/ssh/ as possible.

Okay, so /etc/ssh/ is OpenSSH-specific; the ssh.com SSH likes to keep those files in /etc, IIRC.

G'luck,
Peter

--
If there were no counterfactuals, this sentence would not have been paradoxical.

From owner-freebsd-security Thu Mar 1 00:35:37 2001
From: Kris Kennaway
Date: Thu, 1 Mar 2001 00:35:33 -0800
To: "Peter C.
Lai"
Cc: Mikhail Kruk, Tony Landells, freebsd-security@FreeBSD.ORG
Subject: Re: sshd weirdness
Message-ID: <20010301003533.A14501@mollari.cthul.hu>
References: <000b01c0a216$a6ba95c0$1e9e6389@137.99.156.23>
In-Reply-To: <000b01c0a216$a6ba95c0$1e9e6389@137.99.156.23>; from sirmoo@cowbert.2y.net on Thu, Mar 01, 2001 at 01:12:53AM -0500

On Thu, Mar 01, 2001 at 01:12:53AM -0500, Peter C. Lai wrote:
> ok so, to preserve the keys, i should go back in, and use the conversion
> util for ssh-keys to OpenSSH-keys?

Yes.

Kris

From owner-freebsd-security Thu Mar 1 00:44:26 2001
From: Kris Kennaway
Date: Thu, 1 Mar 2001 00:44:22 -0800
To: Nate Williams
Cc: "Aaron D.Gifford", freebsd-security@FreeBSD.ORG
Subject: Re: ssh tricks (was Re: ssh -t /bin/sh trick (was Re: ftp
Message-ID:
<20010301004422.B14501@mollari.cthul.hu>
References: <01022819094900.04839@jardan.infowest.com> <15005.49602.104109.812735@nomad.yogotech.com>
In-Reply-To: <15005.49602.104109.812735@nomad.yogotech.com>; from nate@yogotech.com on Wed, Feb 28, 2001 at 08:28:02PM -0700

On Wed, Feb 28, 2001 at 08:28:02PM -0700, Nate Williams wrote:
> > Are you aware that the FreeBSD SSH installation by default has TCP
> > forwarding enabled?
>
> Yep. Note, the commercial version SSH1 had the ability to turn on/off
> port forwarding on a per-user and/or a per-port options.
>
> So, you could disable/enable all ports but one, and then enable/disable
> the particular port for certain users.
>
> It was pretty nice for setting up 'truly' secure systems that still
> allowed some flexibility.
>
> Too bad this doesn't exist in OpenSSH (or if it does, I haven't found
> it).

I can't even find mention of this in the ssh.com version - can you point me to it?
Kris

From owner-freebsd-security Thu Mar 1 01:06:22 2001
From: itojun@iijlab.net
Date: Thu, 01 Mar 2001 18:06:06 +0900
To: Darren Reed
Cc: freebsd-security@freebsd.org
Subject: Re: IPFILTER IPv6 support non-functional?
In-reply-to: darrenr's message of Thu, 01 Mar 2001 19:32:34 +1100. <200103010832.TAA10542@avalon.reed.wattle.id.au>
Message-ID: <19523.983437566@coconut.itojun.org>

>But at the same time they WILL NOT MATCH "pass tcp packets" either.
>
>Generally, the policy should be "block everything, permit what you want"
>and in that case you would end up dropping things with IPPROTO_ROUTING,
>etc. Even a basic ruleset like:
>
>block in all
>block out all
>pass out proto tcp/udp all
>pass in proto tcp/udp all
>
>will block all the IPv6 packets with routing headers, etc.

but then what if you would like to permit packets with extension headers? or like only certain combinations?
most of the existing packet filter languages have the same issue, btw.

itojun

From owner-freebsd-security Thu Mar 1 01:49:26 2001
From: itojun@iijlab.net
Date: Thu, 01 Mar 2001 18:49:13 +0900
To: Darren Reed
Cc: freebsd-security@freebsd.org
Subject: Re: IPFILTER IPv6 support non-functional?
In-reply-to: darrenr's message of Thu, 01 Mar 2001 20:41:38 +1100. <200103010941.UAA10618@avalon.reed.wattle.id.au>
Message-ID: <20257.983440153@coconut.itojun.org>

>> but then what if you would like to permit packets with extension
>> headers? or like only certain combinations?
>> most of the existing packet filter languages have the same issue, btw.
>
>Or even, what if you want to allow particular combinations or sequences or
>maybe chains of a particular length ?
>
>As it is, IP Filter can easily filter on whether a particular extension
>header is there or not once I make it recognise them using a procedure
>similar to looking for IP options in fr_makefrip(). What'll actually be
>harder is looking for all the assumptions about the "final protocol
>header" being the "next header" after the IPv{4,6} header and making
>sure as much as possible goes into the *same* mbuf. Ugh.
i highly recommend you to avoid m_pullup at all, and use m_copydata as necessary. m_pullup works only if the header part is smaller than MLEN (there's no upper bound in ip6 header length). once m_pullup fails, the packet will go away - this is not desirable.

also, i remember that there are functions in fil.c that pass around memory regions without passing memory region length... i'd like to suggest to pass around mbuf *, but i know that the portability issue will not permit that to you. so i'd recommend to always pass around pairs

>Anyway, once all that is sorted out, the filtering will be limited to
>what can be done with IPv4 options - is that sufficient ?

i guess so, but i'm not 100% certain.

itojun

From owner-freebsd-security Thu Mar 1 08:58:55 2001
From: Nate Williams
Date: Thu, 1 Mar 2001 09:58:38 -0700 (MST)
To: Kris Kennaway
Cc: Nate Williams, "Aaron D.Gifford", freebsd-security@FreeBSD.ORG
Subject: Re: ssh tricks (was Re: ssh -t /bin/sh trick (was Re: ftp
Message-ID: <15006.32702.776614.341183@nomad.yogotech.com>
In-Reply-To: <20010301004422.B14501@mollari.cthul.hu>
References: <01022819094900.04839@jardan.infowest.com> <15005.49602.104109.812735@nomad.yogotech.com>
<20010301004422.B14501@mollari.cthul.hu>
Reply-To: nate@yogotech.com (Nate Williams)

> > > Are you aware that the FreeBSD SSH installation by default has TCP
> > > forwarding enabled?
> >
> > Yep. Note, the commercial version SSH1 had the ability to turn on/off
> > port forwarding on a per-user and/or a per-port options.
> >
> > So, you could disable/enable all ports but one, and then enable/disable
> > the particular port for certain users.
> >
> > It was pretty nice for setting up 'truly' secure systems that still
> > allowed some flexibility.
> >
> > Too bad this doesn't exist in OpenSSH (or if it does, I haven't found
> > it).
>
> I can't even find mention of this in the ssh.com version - can you
> point me to it?

It was in the commercial version of their SSH1 product. This was from at least 2 years ago, although I think I still have the product somewhere around here.
Nate

From owner-freebsd-security Thu Mar 1 09:01:07 2001
From: Aaron D.Gifford
Date: Thu, 1 Mar 2001 10:01:44 -0700
To: freebsd-security@freebsd.org
Subject: RE: ftp access
Message-Id: <01030110014400.06418@jardan.infowest.com>

I would caution folks from putting /sbin/nologin into /etc/shells in order to create FTP-only accounts. I would instead suggest you create a link to /sbin/nologin and call it something like /sbin/ftponly and put THAT shell in your /etc/shells file and use it as the shell for your FTP-only users.

Why? This gives you the ability to have FTP-only users yet retain the full functionality of /sbin/nologin on other accounts (i.e. a mail-only account) that you DON'T want to grant FTP access to.

Also if you're running SSH on the FTP server and you do NOT want your FTP users to be able to do port forwarding (it can be dangerous to allow unless you trust your FTP users greatly and trust that their cleartext passwords won't traverse an untrusted network) you should probably disable it in your sshd_config file.

Aaron out.
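Rob, Matt and Roelof describe the mechanism earlier in this thread and Aaron's post above gives the operational rule. As an added example, written for this page and not code from any of the posters or from FreeBSD: a Python sketch of the two checks involved, the ftpd(8) test (login shell listed in /etc/shells, user not listed in /etc/ftpusers) and the nologin(8) refusal, run over constructed passwd, shells and ftpusers contents. It shows what each account ends up with and what changes when /sbin/nologin itself is put into /etc/shells. Assumptions: /sbin/ftponly is a link to /sbin/nologin as Aaron suggests, so both refuse an interactive login; the user names, shells and file contents are made up.

```python
# Constructed sample files (not any poster's system); on a real box these are
# /etc/passwd (or master.passwd), /etc/shells and /etc/ftpusers.
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/usr/local/bin/bash
bob:*:1002:1002:Bob (ftp only):/home/bob:/sbin/ftponly
carol:*:1003:1003:Carol (mail only):/home/carol:/sbin/nologin
dave:*:1004:1004:Dave:/home/dave:/usr/local/bin/zsh
"""
SHELLS = """\
# /etc/shells: list of acceptable shells for chpass(1) and ftpd(8)
/bin/sh
/bin/csh
/usr/local/bin/bash
/sbin/ftponly
"""
FTPUSERS = "root\n"

# Assumption taken from Aaron's suggestion: /sbin/ftponly is a link to
# /sbin/nologin, so exec'ing either one prints a message and exits.
REFUSING_SHELLS = {"/sbin/nologin", "/sbin/ftponly"}


def parse_list(text):
    """Non-blank, non-comment lines of /etc/shells or /etc/ftpusers."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def parse_shells(text):
    """getusershell(3) semantics: with no /etc/shells file at all, the valid
    shells are /bin/sh and /bin/csh."""
    return {"/bin/sh", "/bin/csh"} if text is None else parse_list(text)


def parse_passwd(text):
    """user -> login shell (field 7 of a passwd line)"""
    return {f[0]: f[6] for f in (l.split(":") for l in text.splitlines()) if len(f) == 7}


def ftp_allowed(user, shell, shells, ftpusers):
    """ftpd(8) refuses the login unless the shell is in /etc/shells and the
    user is not in /etc/ftpusers."""
    return shell in shells and user not in ftpusers


def shell_allowed(shell):
    """login(1) and sshd just exec the shell; a nologin-style shell refuses."""
    return shell not in REFUSING_SHELLS


def classify(passwd_text, shells_text, ftpusers_text=""):
    """Map each account to 'shell+ftp', 'shell-only', 'ftp-only' or 'none'."""
    shells, ftpusers = parse_shells(shells_text), parse_list(ftpusers_text)
    result = {}
    for user, shell in parse_passwd(passwd_text).items():
        sh = shell_allowed(shell)
        ftp = ftp_allowed(user, shell, shells, ftpusers)
        result[user] = ("shell+ftp" if sh and ftp else "shell-only" if sh
                        else "ftp-only" if ftp else "none")
    return result


if __name__ == "__main__":
    print("ftponly listed:", classify(PASSWD, SHELLS, FTPUSERS))
    # The mistake Aaron warns about: listing /sbin/nologin itself in /etc/shells
    # silently turns every nologin account (carol, mail-only) into an FTP account.
    print("nologin listed:", classify(PASSWD, SHELLS + "/sbin/nologin\n", FTPUSERS))
```

The second run is the check worth doing on a real system: grep /etc/shells for nologin, because any account that was meant to be fully disabled gains FTP access the moment that line is present.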
--
www.aarongifford.com

From owner-freebsd-security Thu Mar 1 09:27:14 2001
From: Kris Kennaway
Date: Thu, 1 Mar 2001 09:27:07 -0800
To: Nate Williams
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh tricks (was Re: ssh -t /bin/sh trick (was Re: ftp
Message-ID: <20010301092707.C41149@mollari.cthul.hu>
References: <01022819094900.04839@jardan.infowest.com> <15005.49602.104109.812735@nomad.yogotech.com> <20010301004422.B14501@mollari.cthul.hu> <15006.32702.776614.341183@nomad.yogotech.com>
In-Reply-To: <15006.32702.776614.341183@nomad.yogotech.com>; from nate@yogotech.com on Thu, Mar 01, 2001 at 09:58:38AM -0700

On Thu, Mar 01, 2001 at 09:58:38AM -0700, Nate Williams wrote:
> It was in the commercial version of their SSH1 product. This was from
> at least 2 years ago, although I think I still have the product
> somewhere around here.

Okay.
Kris

From owner-freebsd-security Thu Mar 1 09:30:33 2001
From: naddy@mips.inka.de (Christian Weisgerber)
Date: Thu, 1 Mar 2001 17:10:14 +0000 (UTC)
To: freebsd-security@freebsd.org
Subject: Re: ssh tricks
Message-ID: <97lvpm$18a$1@kemoauc.mips.inka.de>
References: <01022819094900.04839@jardan.infowest.com>

Aaron D.Gifford wrote:

> Are you aware that the FreeBSD SSH installation by default has TCP forwarding
> enabled?

Are you completely aware of the implications? Some time ago I realized that every OpenBSD anoncvs server out there could be (ab)used as an intermediary to bounce off TCP connections. That's why I added the AllowTcpForwarding option to OpenSSH.
--
Christian "naddy" Weisgerber                          naddy@mips.inka.de

From owner-freebsd-security Thu Mar 1 10:32:41 2001
From: naddy@mips.inka.de (Christian Weisgerber)
Date: Thu, 1 Mar 2001 17:29:51 +0000 (UTC)
To: freebsd-security@freebsd.org
Subject: Re: ssh tricks
Message-ID: <97m0uf$2gj$1@kemoauc.mips.inka.de>
References: <01022819094900.04839@jardan.infowest.com> <15005.49602.104109.812735@nomad.yogotech.com> <20010301004422.B14501@mollari.cthul.hu>

Kris Kennaway wrote:

> > Yep. Note, the commercial version SSH1 had the ability to turn on/off
> > port forwarding on a per-user and/or a per-port options.
>
> I can't even find mention of this in the ssh.com version

Because Nate's wrong. Ylönen-SSH1 only has a global AllowTcpForwarding switch, as has OpenSSH. It's Ylönen-SSH2 that offers the more fine-grained {Allow,Deny}TcpForwardingFor{Users,Groups} option set. I don't see a way to control forwarding per port.

I guess it wouldn't be very hard to add these options to OpenSSH, as you should be able to reuse the existing {Allow,Deny}{Users,Groups} and AllowTcpForwarding code.
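The per-user and per-destination control naddy says would not be hard to add did later land in OpenSSH. As an added note, not part of the 2001 thread: with OpenSSH 4.4 or later (the release that introduced Match blocks and PermitOpen) an sshd_config can express the policy Nate describes, forwarding off for everyone, one group allowed to forward only to the pserver port, without patching anything. The group, user and host names below are placeholders.

```text
# Default for every user: no TCP forwarding at all (-L, -R and -D are refused)
AllowTcpForwarding no

# cvsusers may forward, but only to the pserver port on the CVS host
Match Group cvsusers
    AllowTcpForwarding yes
    PermitOpen cvs.example.org:2401

# admins keep unrestricted forwarding
Match User admin
    AllowTcpForwarding yes
```

PermitOpen constrains the destinations of local (-L) and dynamic (-D) forwards; since OpenSSH 6.2 AllowTcpForwarding also takes "local" or "remote" to allow only one direction, and since 7.8 PermitListen does the same for -R listeners. Check the effective values for a given account with sshd -T -C user=<name> rather than by reading the file.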
--
Christian "naddy" Weisgerber                          naddy@mips.inka.de

From owner-freebsd-security Thu Mar 1 11:13:55 2001
From: Nate Williams
Date: Thu, 1 Mar 2001 12:13:49 -0700 (MST)
To: naddy@mips.inka.de (Christian Weisgerber)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh tricks
Message-ID: <15006.40813.304297.252608@nomad.yogotech.com>
In-Reply-To: <97m0uf$2gj$1@kemoauc.mips.inka.de>
References: <01022819094900.04839@jardan.infowest.com> <15005.49602.104109.812735@nomad.yogotech.com> <20010301004422.B14501@mollari.cthul.hu> <97m0uf$2gj$1@kemoauc.mips.inka.de>
Reply-To: nate@yogotech.com (Nate Williams)

> > > Yep. Note, the commercial version SSH1 had the ability to turn on/off
> > > port forwarding on a per-user and/or a per-port options.
> >
> > I can't even find mention of this in the ssh.com version
>
> Because Nate's wrong. Ylönen-SSH1 only has a global AllowTcpForwarding
> switch, as has OpenSSH.

Believe what you want. I've got sources that prove you're wrong.
The JDK CVS repository was using this feature for 18 months (until I quit my former job) to only allow people to port forward CVS-Pserver requests, but disallow all other forwarding requests.

FWIW, we used 'f-secure-ssh-1.3.2'

.nr CO 1
.ie \n(CO .TH SSHD 8 "November 8, 1995" "F-SECURE SSH" "F-SECURE SSH"
.el .TH SSHD 8 "November 8, 1995" "SSH" "SSH"

[ SNIP ]

.B AllowForwardingPort
This keyword can be followed by any number of port numbers, separated

[ SNIP ]

.TP
.B AllowForwardingTo
This keyword can be followed by any number of hostname and port number

[ SNIP ]

.B DenyForwardingPort
This keyword can be followed by any number of port numbers, separated

[ SNIP ]

.B DenyForwardingTo
This keyword can be followed by any number of hostname and port number

You *obviously* don't know what you're talking about. Be careful about what you say on public mailing lists...

> It's Ylönen-SSH2 that offers the more
> fine-grained {Allow,Deny}TcpForwardingFor{Users,Groups} option set.

Unfortunately, the SSH2 product did *NOT* allow fine grained options to be set in the version we bought, 'f-secure-ssh-2.0.12.1'.

> I don't see a way to control forwarding per port.

Well, since you claim to be an expert, I'll let you find it yourself.

> I guess it wouldn't be very hard to add these options to OpenSSH,
> as you should be able to reuse the existing {Allow,Deny}{Users,Groups}
> and AllowTcpForwarding code.
Nate

From owner-freebsd-security Thu Mar 1 13:30:56 2001
From: naddy@mips.inka.de (Christian Weisgerber)
Date: Thu, 1 Mar 2001 20:45:52 +0000 (UTC)
To: freebsd-security@freebsd.org
Subject: Re: ssh tricks
Message-ID: <97mce0$b3r$1@kemoauc.mips.inka.de>
References: <01022819094900.04839@jardan.infowest.com> <20010301004422.B14501@mollari.cthul.hu> <97m0uf$2gj$1@kemoauc.mips.inka.de> <15006.40813.304297.252608@nomad.yogotech.com>

Nate Williams wrote:

> > Because Nate's wrong. Ylönen-SSH1 only has a global AllowTcpForwarding
> > switch, as has OpenSSH.
>
> Believe what you want. I've got sources that prove you're wrong.

I checked the ssh-1.2.27 and ssh-2.3.0 man pages (admittedly not the source) before posting.

> FWIW, we used 'f-secure-ssh-1.3.2'

Well, obviously you are talking about a different implementation.
--
Christian "naddy" Weisgerber                          naddy@mips.inka.de

From owner-freebsd-security Thu Mar 1 13:41:20 2001
From: Nate Williams
Date: Thu, 1 Mar 2001 14:40:55 -0700 (MST)
To: naddy@mips.inka.de (Christian Weisgerber)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh tricks
Message-ID: <15006.49639.126654.880907@nomad.yogotech.com>
In-Reply-To: <97mce0$b3r$1@kemoauc.mips.inka.de>
References: <01022819094900.04839@jardan.infowest.com> <20010301004422.B14501@mollari.cthul.hu> <97m0uf$2gj$1@kemoauc.mips.inka.de> <15006.40813.304297.252608@nomad.yogotech.com> <97mce0$b3r$1@kemoauc.mips.inka.de>
Reply-To: nate@yogotech.com (Nate Williams)

> > > Because Nate's wrong. Ylönen-SSH1 only has a global AllowTcpForwarding
> > > switch, as has OpenSSH.
> >
> > Believe what you want. I've got sources that prove you're wrong.
>
> I checked the ssh-1.2.27 and ssh-2.3.0 man pages (admittedly not
> the source) before posting.
>
> > FWIW, we used 'f-secure-ssh-1.3.2'
>
> Well, obviously you are talking about a different implementation.
Read my original email. I was using the *commercial* version of SSH from ssh.com (vs. the free version from ssh.org).

Nate

From: "Riley J. McIntire"
Date: Thu, 01 Mar 2001 13:45:11 -0800
To: "Aaron D.Gifford", freebsd-security@FreeBSD.ORG
Subject: RE: ftp access

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Aaron D.Gifford
> Sent: Thursday, March 01, 2001 9:02 AM
> To: freebsd-security@FreeBSD.ORG
> Subject: RE: ftp access
>
> I would caution folks from putting /sbin/nologin into /etc/shells
> in order to create FTP-only accounts. I would instead suggest you create a link to
> /sbin/nologin and call it something like /sbin/ftponly and put
> THAT shell in your /etc/shells file and use it as the shell for your FTP-only users.

Would this be a problem?
root@aji# lls /sbin/ftp_only
-rwxr-xr-x  1 root  wheel  - 48 Mar  1 13:23 /sbin/ftp_only*
root@aji# cat /sbin/ftp_only
echo This account is for ftp only
ftp localhost
root@aji# grep ftp_only /etc
root@aji# grep ftp /etc/shells
/sbin/ftp_only

Then a telnet would show the motd and:

This account is for ftp only
Connected to localhost.
220 aji.wilshire.net FTP server (Version 6.00LS) ready.
Name (localhost:username):

From: Rémi Guyomarch
Date: Fri, 2 Mar 2001 06:48:57 +0100
To: freebsd-security@freebsd.org
Subject: Re: sshd - @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

On Thu, Mar 01, 2001 at 10:29:57AM +0200, Peter Pentchev wrote:
> Okay, so /etc/ssh/ is OpenSSH-specific

No, it's FreeBSD-specific.
--
Rémi

From: mudman
Date: Fri, 2 Mar 2001 00:13:19 -0800 (PST)
To: freebsd-security@freebsd.org
Subject: /etc/pwd.db

About a month ago, a script kiddie took (a largely unsuccessful) shot at my box: They logged in anonymous ftp (I later on ended up disabling this to discourage them) and would then proceed to spam or packet-flood my box, much like a denial-of-service attack. At regular intervals, they would try to access /etc/pwd.db, and then flood me some more.

Well, as it turns out, I never crashed, nor did they ever get /etc/pwd.db. However, I think pwd.db is encrypted, right? Even then, since remote root login is not allowed (and I have no accounts in wheel to su to root), would having it do the assailant any good at all? Hypothetically, you could post your root password on the internet and it wouldn't be of much use if you were the only one with access to the console and no one can su to root. (Aside from compromising some users' accounts... in my case, I have no users with really anything important).

Eventually, after a lot of other shots like some malformed packets, followed by more failures, the said script-kiddie got bored and gave up, or found somebody else to bother.
Is there anything to be gained on such a system, other than a few user accounts, by getting pwd.db? I'm debating whether the attack was close to pointless, or whether there should be any cause for alarm here.

So.... what do you guys think?

From: Kris Kennaway
Date: Fri, 2 Mar 2001 00:15:23 -0800
To: mudman
Cc: freebsd-security@freebsd.org
Subject: Re: /etc/pwd.db

On Fri, Mar 02, 2001 at 12:13:19AM -0800, mudman wrote:
> However, I think pwd.db is encrypted, right? Even then, since remote root

No - it's just a binary database for faster access.
It doesn't however contain any passwords, being generated from /etc/passwd (spwd.db is the one with the passwords, coming from master.passwd)

Kris

From: Matt Heckaman
Date: Fri, 2 Mar 2001 03:17:34 -0500 (EST)
To: mudman
Subject: Re: /etc/pwd.db

On Fri, 2 Mar 2001, mudman wrote:
...
: So.... what do you guys think?

Better yet: pwd.db doesn't even contain any passwords! It's the functional equiv. of /etc/passwd. spwd.db contains the real passwords and is mode 0600 root:wheel. :)

No worries, other than the annoying DoS attacks.
Matt

* Matt Heckaman - mailto:matt@lucida.ca http://www.lucida.ca/pgp *
* GPG fingerprint - 53CA 8320 C8F6 32ED 9DDF 036E 3171 C093 4AD3 1364 *

From: Domas Mituzas
Date: Fri, 2 Mar 2001 12:14:05 +0200 (EET)
To: Matt Heckaman
Cc: mudman, freebsd-security@FreeBSD.ORG
Subject: Re: /etc/pwd.db

>
> Better yet: pwd.db doesn't even contain any passwords! It's the functional
> equiv. of /etc/passwd. spwd.db contains the real passwords and is mode
> 0600 root:wheel.
> :)

actually if you keep some fake MD5 strings in $FTPROOT/etc/passwd it would be a nice trap for all wannabe's (and also will point out totally stupid clients ;-)

Cheers,
Domas

From: Tony Finch
Date: Fri, 2 Mar 2001 12:24:22 +0000
To: Domas Mituzas
Cc: Matt Heckaman, mudman, freebsd-security@FreeBSD.ORG
Subject: Re: /etc/pwd.db

Domas Mituzas wrote:
>
> actually if you keep some fake MD5 strings in $FTPROOT/etc/passwd it would
> be a nice trap for all wannabe's (and also will point out totally stupid
> clients ;-)

I remember once finding a password file on an FTP server which included a message in the salts taunting would-be hackers...

Tony.
--
f.a.n.finch fanf@covalent.net dot@dotat.at
BAILEY: NORTHEASTERLY 5 OR 6. SNOW SHOWERS. MAINLY GOOD.
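The decoy passwd file Domas and Tony describe, built as a honeytoken with a matching log check, as an added example that is not part of the thread; the file layout, the decoy account names and the sample log lines are all constructed here:

```python
"""Decoy passwd honeytoken for a chrooted anonymous-FTP tree, plus a log check.

Added example, not code from the thread. Assumptions (all constructed):
  - the FTP root carries its own etc/passwd (the $FTPROOT/etc/passwd
    Domas mentions), which anonymous clients can fetch;
  - decoy account names never exist in the real /etc/master.passwd, so
    any login attempt naming one proves the decoy file was harvested;
  - log lines use FreeBSD ftpd's "FTP LOGIN FAILED FROM host, user" and
    OpenSSH's "Failed password for invalid user X from IP" wording.
"""
import random
import re
import string

# Alphabet used by crypt(3)-style hashes; the decoys only need to look right.
ITOA64 = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase


def fake_md5_crypt(rng: random.Random) -> str:
    """Return a string shaped like an MD5-crypt hash: $1$<8 salt>$<22 hash>.

    It is random filler, not the output of crypt(3); nothing on the host
    verifies against it, so it can never authenticate anyone.
    """
    salt = "".join(rng.choice(ITOA64) for _ in range(8))
    body = "".join(rng.choice(ITOA64) for _ in range(22))
    return f"$1${salt}${body}"


def make_decoy_passwd(decoys, rng=None) -> str:
    """Build the contents of $FTPROOT/etc/passwd with bait accounts.

    The two genuine-looking system entries carry '*' like a normal FreeBSD
    /etc/passwd; the decoy entries carry fake hashes to tempt a cracker.
    """
    rng = rng or random.SystemRandom()
    lines = [
        "root:*:0:0:Charlie &:/root:/bin/csh",
        "ftp:*:14:5:Anonymous FTP:/var/ftp:/sbin/nologin",
    ]
    for uid, name in enumerate(decoys, start=1001):
        lines.append(
            f"{name}:{fake_md5_crypt(rng)}:{uid}:{uid}:{name.title()}:/home/{name}:/bin/sh"
        )
    return "\n".join(lines) + "\n"


def decoy_users(passwd_text: str) -> set:
    """Names in the decoy file whose password field is a fake hash (not '*')."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in ("*", "", "x"):
            users.add(fields[0])
    return users


FTPD_FAIL = re.compile(r"FTP LOGIN FAILED FROM (?P<host>\S+), (?P<user>\S+)")
SSHD_FAIL = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+)"
)


def find_decoy_hits(log_lines, decoys):
    """Return (user, host) for every failed login that names a decoy account."""
    hits = []
    for line in log_lines:
        m = FTPD_FAIL.search(line) or SSHD_FAIL.search(line)
        if m and m.group("user") in decoys:
            hits.append((m.group("user"), m.group("host")))
    return hits


# Constructed sample log: two attempts against decoy names, one against a real user.
SAMPLE_LOG = [
    "Mar  2 03:12:01 aji ftpd[4711]: FTP LOGIN FAILED FROM 203.0.113.9, backup",
    "Mar  2 03:12:07 aji sshd[4720]: Failed password for invalid user oracle from 203.0.113.9 port 40122 ssh2",
    "Mar  2 03:15:44 aji sshd[4731]: Failed password for alice from 198.51.100.4 port 51000 ssh2",
]


def demo():
    """Generate a decoy file for three bait names and scan the sample log."""
    passwd = make_decoy_passwd(["backup", "oracle", "test"], random.Random(7))
    return find_decoy_hits(SAMPLE_LOG, decoy_users(passwd))


if __name__ == "__main__":
    for user, host in demo():
        print(f"decoy {user!r} tried from {host}: $FTPROOT/etc/passwd was harvested")
```

Any hit is a high-confidence signal, since the bait names are never valid logins; the real passwords stay in spwd.db/master.passwd, which the FTP tree never contains.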
From: Peter Radcliffe
Date: Fri, 2 Mar 2001 10:07:27 -0500
To: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/pwd.db

Tony Finch probably said:
> I remember once finding a password file on an FTP server which
> included a message in the salts taunting would-be hackers...

You mean you don't put an /etc/passwd up with encrypted DES passwords, going down the list of "thanks" "for" "wasting" "your" "time" ?

P.
--
pir pir@pir.net pir@net.tufts.edu

From: Doni Andri C
Date: Fri, 2 Mar 2001 19:43:48 +0000 (GMT)
To: freebsd-security@freebsd.org
Subject: apache-1.3.12

i have trouble with apache-1.3.12, it takes a lot of swap memory to use. The server always 'core dumped' for any application for instead. Is this 'buggy' from apache or something wrong with my server??
- doni ac -

From: faSty
Date: Fri, 2 Mar 2001 07:55:09 -0800
To: Doni Andri C
Cc: freebsd-security@freebsd.org
Subject: Re: apache-1.3.12

you ought to update your ports and the apache has new version 1.3.17.

-trev

On Fri, Mar 02, 2001 at 07:43:48PM +0000, Doni Andri C wrote:
>
>
> i have trouble with apache-1.3.12, it takes a lot of swap memory to use.
> The server always 'core dumped' for any application for instead.
> Is this 'buggy' from apache or something wrong with my server??
>
>
> - doni ac -

From: faSty
Date: Fri, 2 Mar 2001 08:04:35 -0800
To: Juraj Lutter
Cc: freebsd-security@freebsd.org
Subject: Re: apache-1.3.12

lol gee I ought to update my ports also.. thanks otis :)

-trev

On Fri, Mar 02, 2001 at 04:53:59PM +0100, Juraj Lutter wrote:
> apache has 1.3.19 already :-)
>
> otis
>
> On Fri, Mar 02, 2001 at 07:55:09AM -0800, faSty wrote:
> >
> > you ought to update your ports and the apache has new version 1.3.17.
> >
> > -trev
> >
> > On Fri, Mar 02, 2001 at 07:43:48PM +0000, Doni Andri C wrote:
> > >
> > >
> > > i have trouble with apache-1.3.12, it takes a lot of swap memory to use.
> > > The server always 'core dumped' for any application for instead.
> > > Is this 'buggy' from apache or something wrong with my server??
> > >
> > >
> > > - doni ac -
>
> --
> Juraj Lutter
> http://wilbury.sk/

From: Peter Pentchev
Date: Fri, 2 Mar 2001 18:00:43 +0200
To: faSty
Cc: Juraj Lutter, freebsd-security@freebsd.org
Subject: Re: apache-1.3.12

No, he said that Apache has 1.3.19, not that our ports tree has 1.3.19. www/apache13 is still at 1.3.17, as can be seen on

http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/apache13/Makefile/

G'luck,
Peter

--
I had to translate this sentence into English because I could not read the original Sanskrit.

On Fri, Mar 02, 2001 at 08:04:35AM -0800, faSty wrote:
> lol gee I ought to update my ports also..
> thanks otis :)
>
> -trev
>
> On Fri, Mar 02, 2001 at 04:53:59PM +0100, Juraj Lutter wrote:
> > apache has 1.3.19 already :-)

From: Juraj Lutter
Date: Fri, 2 Mar 2001 17:06:08 +0100
To: Peter Pentchev
Cc: faSty, freebsd-security@freebsd.org
Subject: Re: apache-1.3.12

apache13+ipv6 port has already 1.3.19 and a new ipv6 patch.

otis

otis@[pod-stolom /usr/ports/www/apache13+ipv6] # grep VERSION Makefile
PORTVERSION= 1.3.19

On Fri, Mar 02, 2001 at 06:00:43PM +0200, Peter Pentchev wrote:
> No, he said that Apache has 1.3.19, not that our ports tree has 1.3.19.
> www/apache13 is still at 1.3.17, as can be seen on
>
> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/apache13/Makefile/
>
> G'luck,
> Peter
>
> --
> I had to translate this sentence into English because I could not read the original Sanskrit.
>
> On Fri, Mar 02, 2001 at 08:04:35AM -0800, faSty wrote:
> > lol gee I ought to update my ports also.. thanks otis :)
> >
> > -trev
> >
> > On Fri, Mar 02, 2001 at 04:53:59PM +0100, Juraj Lutter wrote:
> > > apache has 1.3.19 already :-)
>

--
Juraj Lutter
http://wilbury.sk/

From: "Thomas T. Veldhouse"
Date: Fri, 2 Mar 2001 12:19:38 -0600
To: "faSty"
Subject: Re: apache-1.3.12

Actually it is up to 1.3.19. "Mostly" Win32 related differences.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "faSty"
To: "Doni Andri C"
Sent: Friday, March 02, 2001 9:55 AM
Subject: Re: apache-1.3.12

>
> you ought to update your ports and the apache has new version 1.3.17.
>
> -trev
>
> On Fri, Mar 02, 2001 at 07:43:48PM +0000, Doni Andri C wrote:
> >
> >
> > i have trouble with apache-1.3.12, it takes a lot of swap memory to use.
> > The server always 'core dumped' for any application for instead.
> > Is this 'buggy' from apache or something wrong with my server??
> >
> >
> > - doni ac -

From: "Rodney W. Grimes"
Date: Fri, 2 Mar 2001 12:00:16 -0800 (PST)
To: matt@LUCIDA.CA (Matt Heckaman)
Cc: mudman@R181204.resnet.ucsb.edu (mudman), freebsd-security@FreeBSD.ORG
Subject: Re: /etc/pwd.db

> On Fri, 2 Mar 2001, mudman wrote:
> ...
> : So.... what do you guys think?
>
> Better yet: pwd.db doesn't even contain any passwords! It's the functional
> equiv. of /etc/passwd. spwd.db contains the real passwords and is mode
> 0600 root:wheel. :)
>
> No worries, other than the annoying DoS attacks.

Actually one minor worry, the possible reason they went after /etc/pwd.db is that they needed a list of user names to attempt other means of entry to the system.
Remember access control is via 2 tokens, username and password, if you gain a list of usernames your task at hacking can be much easier. A good reason for going after /etc/pwd.db is that it is a world readable file, and thus sometimes easier to get a hold of. Find a clueless Luser in that list and you got a big foot in the door...

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

From: Doni Andri C
Date: Sat, 3 Mar 2001 05:29:35 +0000 (GMT)
To: Peter Pentchev
Cc: Christoph Kukulies, torstenb@freebsd.org, freebsd-security@freebsd.org
Subject: Re: ssh 1.2.31 - patch

sorry OOT, where can i have those patch to update my ports

thx a lot

- doni ac -

On Fri, 23 Feb 2001, Peter Pentchev wrote:
> On Fri, Feb 23, 2001 at 06:13:13PM +0100, Christoph Kukulies wrote:
> >
> > Thorsten,
> >
> > have you heard of the sshd security hole recently?
> > http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fmid%3D161448%26start%3D2001-02%2520-04%26list%3D1%26fromthread%3D0%26threads%3D0%26end%3D2001-02-10%26
> >
> > It would be nice to have the patch in ports and packages pre-applied.
>
> I think those were already fixed on Feb 09 by Kris Kennaway, in
> files/patch-ay and files/patch-az for the security/ssh port.
>
> G'luck,
> Peter
>
> --
> When you are not looking at it, this sentence is in Spanish.

From: faSty
Date: Fri, 2 Mar 2001 15:11:44 -0800
To: Doni Andri C
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh 1.2.31 - patch

You can get the update via CVSUP or download from FTP /pub/FreeBSD/branches/-current/ports.tar.gz. It's the latest version of ports.tar.gz, daily.

good luck :)

-trev

On Sat, Mar 03, 2001 at 05:29:35AM +0000, Doni Andri C wrote:
> sorry OOT, where can i have those patch to update my ports
>
> thx a lot
>
> - doni ac -
>
> On Fri, 23 Feb 2001, Peter Pentchev wrote:
>
> > On Fri, Feb 23, 2001 at 06:13:13PM +0100, Christoph Kukulies wrote:
> > >
> > > Thorsten,
> > >
> > > have you heard of the sshd security hole recently?
> > > http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fmid%3D161448%26start%3D2001-02%2520-04%26list%3D1%26fromthread%3D0%26threads%3D0%26end%3D2001-02-10%26
> > >
> > > It would be nice to have the patch in ports and packages pre-applied.
> >
> > I think those were already fixed on Feb 09 by Kris Kennaway, in
> > files/patch-ay and files/patch-az for the security/ssh port.
> >
> > G'luck,
> > Peter
> >
> > --
> > When you are not looking at it, this sentence is in Spanish.
>

From: Will Andrews
Date: Fri, 2 Mar 2001 19:26:45 -0500
To: Rémi Guyomarch
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd - @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

On Fri, Mar 02, 2001 at 06:48:57AM +0100, Rémi Guyomarch wrote:
> No, it's FreeBSD-specific.

No. It's OpenSSH-specific. Please, go login to some Linux box with OpenSSH installed and see for yourself.
--
wca

From owner-freebsd-security Fri Mar 2 19:33: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wzrd.com (mail.wzrd.com [206.99.165.3]) by hub.freebsd.org (Postfix) with ESMTP id 4EE1237B719 for ; Fri, 2 Mar 2001 19:33:03 -0800 (PST) (envelope-from danh@wzrd.com)
Received: by mail.wzrd.com (Postfix, from userid 92) id 4CD7B68CC7; Fri, 2 Mar 2001 22:33:02 -0500 (EST)
Date: Fri, 2 Mar 2001 22:33:02 -0500
From: Dan Harnett
To: Will Andrews
Cc: Rémi Guyomarch, freebsd-security@FreeBSD.ORG
Subject: Re: sshd - @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
Message-ID: <20010302223302.A24506@mail.wzrd.com>
References: <200103010819.JAA82842@gilberto.physik.rwth-aachen.de> <20010301102957.B55211@ringworld.oblivion.bg> <20010302064857.C54730@diabolic-cow.chatgris.net> <20010302192645.U17292@ohm.physics.purdue.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20010302192645.U17292@ohm.physics.purdue.edu>; from will@physics.purdue.edu on Fri, Mar 02, 2001 at 07:26:45PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 02, 2001 at 07:26:45PM -0500, Will Andrews wrote:
> On Fri, Mar 02, 2001 at 06:48:57AM +0100, Rémi Guyomarch wrote:
> > No, it's FreeBSD-specific.
>
> No.  It's OpenSSH-specific.  Please, go login to some Linux box with
> OpenSSH installed and see for yourself.
>

It's not OpenSSH-specific.  OpenBSD puts it in /etc.
It's really up to the distributor.

--
Dan Harnett

From owner-freebsd-security Fri Mar 2 20:41:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailsat.halenet.com.au (temp24.halenet.com.au [203.37.141.124]) by hub.freebsd.org (Postfix) with ESMTP id D5AE637B719 for ; Fri, 2 Mar 2001 20:41:24 -0800 (PST) (envelope-from timbo@halenet.com.au)
Received: (from root@localhost) by mailsat.halenet.com.au (8.11.1/8.11.1) id f234pEr64097 for freebsd-security@freebsd.org; Sat, 3 Mar 2001 14:51:14 +1000 (EST) (envelope-from timbo@halenet.com.au)
Received: from temp19 (modem-108-st.halenet.com.au [203.55.33.108]) by mailsat.halenet.com.au (8.11.1/8.11.1av) with SMTP id f234pAk64089 for ; Sat, 3 Mar 2001 14:51:12 +1000 (EST) (envelope-from timbo@halenet.com.au)
Message-ID: <01f401c0a39c$85f92fe0$6500a8c0@halenet.com.au>
From: "Tim McCullagh"
To:
Subject: Pam_radius readme
Date: Sat, 3 Mar 2001 14:43:39 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Virus-Scanned: by AMaViS perl-10
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All,

Can anyone tell me whether I am reading this incorrectly?  In the Pam_mysql
readme below, the sample config shows the username and password in plain
text.  How would I best make this much more secure in my /etc/pam.conf?  If
I enter this as the example shows, then, if I am reading this correctly, all
anyone will need to do is read my pam.conf to get access to this machine and
any databases that may be specified.  My /etc/pam.conf file permissions are
644.  Is this incorrect?
Can anyone give me some direction on how to best tighten any security that
would enable me to use the pam_mysql-4.7 port from where this readme has been
copied?  Any links to directions on how to set up PAM would also be
appreciated.

Thanks for your input

Tim

PAM MYSQL README

Pam_Mysql Version 0.4.5

To try this, you need PAM to already be installed and working and have a
MySQL server up and running as well.

I typically copy the pam_mysql.so to /lib/security and make the proper
changes to /etc/pam.d/ and /etc/pam.conf

An example of a config file:

auth     optional  pam_mysql.so user=root passwd=password
account  required  pam_mysql.so user=root passwd=password

The options that it understands are: Defaults are in ()

user(nobody)            -- The user with access to open the connection to
                           mysql and has permission to read the table with
                           the passwords.
passwd("")              -- Password for the same.
host(localhost)         -- Machine that is running the sql server
db(mysql)               -- database that contains the table with the
                           user/password combos
table(user)             -- table that you want to use for the user/password
                           checking
usercolumn(User)        -- column that has the username field
passwdcolumn(password)  -- column that has the password field
crypt(0)                -- Used to decide to use MySQL's PASSWORD() function
                           or crypt()
                           0 = No encryption.  Passwords in database in
                               plaintext.  NOT recommended!
                           1 = Use crypt
                           2 = Use MySQL PASSWORD() function
where("")               -- Used to specify additional criteria for the query.
                           For example; where=enabled=1
                           Note, the where can NOT contain any spaces in this
                           release and currently, only number columns appear
                           to work.  Both these problems will be investigated
                           in due course :)

BUGS

User names and passwords are logged in the clear to mysql.log if you log
select statements...  Current solution, don't log select statements.  (Not
sure why you'd want to anyway, slogs your system down badly!)
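The README's example above embeds the MySQL credentials in the PAM configuration, which is the exposure Tim asks about. As an added illustration for this thread (not part of the pam_mysql port and not code from any poster), the following script parses an /etc/pam.conf or /etc/pam.d-style file and reports the settings a defender would want flagged: an embedded passwd=, a root database user, crypt=0, and a file mode that lets group or other read the file. The sample config and the mode values are constructed; the pamauth account name and s3cret password in it are made up.

```python
"""Audit pam.conf / pam.d entries for pam_mysql settings that weaken the setup.

Added example for this thread; it is not part of the pam_mysql port.  The
config text and file modes below are constructed, not taken from a real host.
"""
import stat

# Constructed sample, modelled on the README's example plus one entry that
# uses a dedicated database account and crypt=1 (both values are made up).
SAMPLE_PAM_CONF = """\
# service  type      control   module        options
login      auth      optional  pam_mysql.so  user=root passwd=password crypt=0
login      account   required  pam_mysql.so  user=root passwd=password
ftpd       auth      required  pam_mysql.so  user=pamauth passwd=s3cret host=localhost db=auth table=users crypt=1
sshd       auth      required  pam_unix.so
"""

PAM_TYPES = ("auth", "account", "session", "password")


def parse_pam_conf(text):
    """Parse /etc/pam.conf (service column first) or a /etc/pam.d/<service>
    file (no service column).  Returns a list of dicts; options split on '='."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] in PAM_TYPES:                # pam.d style: no service field
            fields.insert(0, "<pam.d>")
        if len(fields) < 4:
            continue                              # malformed; not what we audit here
        service, mtype, control, module = fields[:4]
        options = {}
        for token in fields[4:]:
            key, _, value = token.partition("=")
            options[key] = value
        entries.append({"lineno": lineno, "service": service, "type": mtype,
                        "control": control, "module": module, "options": options})
    return entries


def audit_pam_mysql(entries):
    """Return (lineno, message) findings for pam_mysql entries.  Defaults
    follow the README: user=nobody, passwd="", crypt=0."""
    findings = []
    for e in entries:
        if not e["module"].startswith("pam_mysql"):
            continue
        opts = e["options"]
        if opts.get("passwd", ""):
            findings.append((e["lineno"], "database password is embedded in the PAM "
                                          "config; anyone who can read the file can use it"))
        if opts.get("user", "nobody") == "root":
            findings.append((e["lineno"], "connects to MySQL as root; use an account "
                                          "limited to SELECT on the password table"))
        if opts.get("crypt", "0") == "0":
            findings.append((e["lineno"], "crypt=0: passwords are compared in plaintext, "
                                          "so the table itself holds cleartext passwords"))
    return findings


def audit_mode(mode):
    """Return a finding if group or other can read the config (e.g. 0644), else None."""
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return "config is readable by group/other; 0600 is the minimum when it carries a password"
    return None


if __name__ == "__main__":
    for lineno, msg in audit_pam_mysql(parse_pam_conf(SAMPLE_PAM_CONF)):
        print("line %d: %s" % (lineno, msg))
    print(audit_mode(0o644))
```

The mode check only limits who on the host can read the secret; the module still needs it at runtime, so pairing 0600 with a database account that can do nothing but SELECT on the password table is what bounds the damage of a leaked credential. crypt=1 or crypt=2 addresses the separate problem the README itself flags, cleartext passwords in the table.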
From owner-freebsd-security Sat Mar 3 1:24:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 5FFA637B71C for ; Sat, 3 Mar 2001 01:24:53 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14Z8S4-0000Du-00; Sat, 03 Mar 2001 02:35:48 -0700
Message-ID: <3AA0BAF4.B227DB5B@softweyr.com>
Date: Sat, 03 Mar 2001 02:35:48 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Roelof Osinga
Cc: Matt Piechota, Rob Simmons, George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
References: <3A9DF7C7.FF9361C2@eboa.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roelof Osinga wrote:
>
> Matt Piechota wrote:
> >
> > On Tue, 27 Feb 2001, Rob Simmons wrote:
> >
> > > /sbin/nologin as the user's shell.  You also have to add this shell to
> > > /etc/shells
> >
> > I thought the idea of nologin was to deny access.  Wouldn't you want to
> > copy nologin to /sbin/ftponly (or something) and put that in /etc/shells?
> > That way you have 3 steps: telnet+ftp (tcsh, bash, etc), ftp only
> > (/sbin/ftponly), and no access (/sbin/nologin).
>
> Well, there is nologin and then there is nologin.
>
> nisse:/usr/local/www# apropos nologin
> login_auth(3), -(3) - auth_checknologin, auth_cat authentication style support library for login class capabilities database
> nologin(5) - disallow logins
> nologin(8) - politely refuse a login

There is also no-login in ports/security, which behaves like nologin(8)
but does not disclose that logins are disabled on the account (leaving
you wondering if you guessed name or password wrong), and does log the
attempted access.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                  Softweyr LLC
wes@softweyr.com                                      http://softweyr.com/

From owner-freebsd-security Sat Mar 3 19:41: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from zogbe.tasam.com (hc6526bd1.dhcp.vt.edu [198.82.107.209]) by hub.freebsd.org (Postfix) with ESMTP id 09EA137B718 for ; Sat, 3 Mar 2001 19:41:00 -0800 (PST) (envelope-from clash@fireduck.com)
Received: from battleship (hc6526bd1.dhcp.vt.edu [198.82.107.209]) by zogbe.tasam.com (8.11.2/8.11.2) with SMTP id f243ewh81362 for ; Sat, 3 Mar 2001 22:40:59 -0500 (EST)
Message-ID: <000b01c0a45c$edec3280$0b2d2d0a@fireduck.com>
From: "Joseph Gleason"
To:
Subject: random numbers
Date: Sat, 3 Mar 2001 22:40:58 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Would /dev/urandom be acceptable for use in a one time pad encryption
system?  Such a system is only as strong as the random number generator used
to generate the keys.

I get the feeling that /dev/random would be a much better choice, but key
generation with that would be much slower.
Does anyone know of any hardware that isn't too expensive and generates good
random numbers?

Thanks for your time.

Joseph Gleason

From owner-freebsd-security Sat Mar 3 20: 4:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id AA5B437B718 for ; Sat, 3 Mar 2001 20:04:37 -0800 (PST) (envelope-from roelof@eboa.com)
Received: from eboa.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id FAA58103; Sun, 4 Mar 2001 05:04:01 +0100 (CET) (envelope-from roelof@eboa.com)
Message-ID: <3AA1BEB1.F1F718A9@eboa.com>
Date: Sun, 04 Mar 2001 05:04:01 +0100
From: Roelof Osinga
Organization: eBOA - Programming the Web
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Wes Peters
Cc: Matt Piechota, Rob Simmons, George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
References: <3A9DF7C7.FF9361C2@eboa.com> <3AA0BAF4.B227DB5B@softweyr.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wes Peters wrote:
>
> ...
> There is also no-login in ports/security, which behaves like nologin(8)
> but does not disclose that logins are disabled on the account (leaving
> you wondering if you guessed name or password wrong), and does log the
> attempted access.

Maybe the pkg-descr should state that feature as well.
Roelof

--
Me the dog @ http://Cairni.com/

From owner-freebsd-security Sat Mar 3 20:11:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-158.dsl.lsan03.pacbell.net [63.207.60.158]) by hub.freebsd.org (Postfix) with ESMTP id D5B8A37B718 for ; Sat, 3 Mar 2001 20:11:41 -0800 (PST) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 648B366B33; Sat, 3 Mar 2001 20:11:41 -0800 (PST)
Date: Sat, 3 Mar 2001 20:11:40 -0800
From: Kris Kennaway
To: Joseph Gleason
Cc: freebsd-security@freebsd.org
Subject: Re: random numbers
Message-ID: <20010303201140.A75365@mollari.cthul.hu>
References: <000b01c0a45c$edec3280$0b2d2d0a@fireduck.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="0OAP2g/MAC+5xKAE"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <000b01c0a45c$edec3280$0b2d2d0a@fireduck.com>; from clash@fireduck.com on Sat, Mar 03, 2001 at 10:40:58PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Mar 03, 2001 at 10:40:58PM -0500, Joseph Gleason wrote:
> Would /dev/urandom be acceptable for use in a one time pad encryption
> system?  Such a system is only as strong as the random number generator used
> to generate the keys.
>
> I get the feeling that /dev/random would be a much better choice, but key
> generation with that would be much slower.

/dev/urandom would probably be okay, but for best results use /dev/random.

> Does anyone know of any hardware that isn't too expensive and generates good
> random numbers?
I've read analyses of commercial RNG hardware which indicate they're often
in fact not very good, in that the output isn't as random as claimed (but
it's still fine to use as a source of entropy in a mixing function like
what /dev/random does).  YMMV.

Kris

From owner-freebsd-security Sat Mar 3 20:56:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from neptune.he.net (neptune.he.net [216.218.166.2]) by hub.freebsd.org (Postfix) with ESMTP id 0378637B71A for ; Sat, 3 Mar 2001 20:56:32 -0800 (PST) (envelope-from robinson@netrinsics.com)
Received: from netrinsics.com ([61.135.21.69] (may be forged)) by neptune.he.net (8.8.6/8.8.2) with ESMTP id UAA19293 for ; Sat, 3 Mar 2001 20:56:39 -0800
Received: (from robinson@localhost) by netrinsics.com (8.11.2/8.11.1) id f244uSZ15443 for freebsd-security@outbound.freebsd.org.; Sun, 4 Mar 2001 12:56:28 +0800 (+0800) (envelope-from robinson)
Date: Sun, 4 Mar 2001 12:56:28 +0800 (+0800)
From: Michael Robinson
Message-Id: <200103040456.f244uSZ15443@netrinsics.com>
To: freebsd-security@freebsd.org
Subject: Re: random numbers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Would /dev/urandom be acceptable for use in a one time pad encryption
>system?  Such a system is only as strong as the random number generator used
>to generate the keys.
>
>I get the feeling that /dev/random would be a much better choice, but key
>generation with that would be much slower.
Caveat: last I checked, the /dev/[u]random device in -CURRENT was completely
broken for crypto-grade randomness (it said as much in the source).

>Does anyone know of any hardware that isn't too expensive and generates good
>random numbers?

Technically speaking, if you don't have one bit of entropy for each bit of
pad, you don't have a true one-time pad.  If you want to generate a lot of
entropy cheaply, the common way to do it is take the digitized input of a
sound card, make a conservative estimate of the number of bits of entropy
per sample, and run as many samples as necessary through a cryptographic
hash (e.g. SHA-1) until you have as many entropy bits in as hash bits out.

If you aren't so insistent on a true one-time pad, you can always use the
hash output to seed a Blum-Blum-Shub PRNG.

-Michael Robinson

From owner-freebsd-security Sat Mar 3 21:15:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60]) by hub.freebsd.org (Postfix) with ESMTP id E76E937B719 for ; Sat, 3 Mar 2001 21:15:19 -0800 (PST) (envelope-from silby@silby.com)
Received: (qmail 6592 invoked by uid 1000); 4 Mar 2001 05:15:17 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 4 Mar 2001 05:15:17 -0000
Date: Sat, 3 Mar 2001 23:15:17 -0600 (CST)
From: Mike Silbersack
To: Michael Robinson
Cc:
Subject: Re: random numbers
In-Reply-To: <200103040456.f244uSZ15443@netrinsics.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 4 Mar 2001, Michael Robinson wrote:

> Caveat: last I checked, the /dev/[u]random device in -CURRENT was completely
> broken for crypto-grade randomness (it said as much in the source).
True a few weeks ago, but no longer:

markm       2001/03/03 06:35:02 PST

  Modified files:
    sys/dev/random       yarrow.c
  Log:
  Take down a comment that is no longer true.  /dev/random is ready for
  prime time!

  Revision  Changes    Path
  1.32      +1 -5      src/sys/dev/random/yarrow.c

Mike "Silby" Silbersack

From owner-freebsd-security Sat Mar 3 21:34: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 931DD37B71C for ; Sat, 3 Mar 2001 21:33:56 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14ZRKM-0005hL-00; Sat, 03 Mar 2001 22:45:06 -0700
Message-ID: <3AA1D662.D8725A33@softweyr.com>
Date: Sat, 03 Mar 2001 22:45:06 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Roelof Osinga
Cc: Matt Piechota, Rob Simmons, George.Giles@mcmail.vanderbilt.edu, freebsd-security@FreeBSD.ORG
Subject: Re: ftp access
References: <3A9DF7C7.FF9361C2@eboa.com> <3AA0BAF4.B227DB5B@softweyr.com> <3AA1BEB1.F1F718A9@eboa.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roelof Osinga wrote:
>
> Wes Peters wrote:
> >
> > ...
> > There is also no-login in ports/security, which behaves like nologin(8)
> > but does not disclose that logins are disabled on the account (leaving
> > you wondering if you guessed name or password wrong), and does log the
> > attempted access.
>
> Maybe the pkg-descr should state that feature as well.

Yeah, probably so.  It sort of assumes that you know what a 'nologin'
program is, but shouldn't.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                  Softweyr LLC
wes@softweyr.com                                      http://softweyr.com/

From owner-freebsd-security Sat Mar 3 22:45:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailin1.bigpond.com (unknown [139.134.6.21]) by hub.freebsd.org (Postfix) with ESMTP id 89BC637B718 for ; Sat, 3 Mar 2001 22:45:06 -0800 (PST) (envelope-from darrenr@reed.wattle.id.au)
Received: from CPE-61-9-164-106.vic.bigpond.net.au ([139.134.4.54]) by mailin1.bigpond.com (Netscape Messaging Server 4.15) with SMTP id G9IJ5S01.FKO; Thu, 1 Mar 2001 19:46:40 +1000
Received: from CPE-61-9-164-181.vic.bigpond.net.au ([61.9.164.181]) by mail6.bigpond.com (Claudes-Caring-MailRouter V2.9c 11/5030797); 01 Mar 2001 19:41:57
Received: (from root@localhost) by CPE-61-9-164-106.vic.bigpond.net.au (8.11.0/8.11.0) id f219fqs00984; Thu, 1 Mar 2001 20:41:52 +1100
From: Darren Reed
Message-Id: <200103010941.UAA10618@avalon.reed.wattle.id.au>
Subject: Re: IPFILTER IPv6 support non-functional?
In-Reply-To: <19523.983437566@coconut.itojun.org> from "itojun@iijlab.net" at "Mar 1, 1 06:06:06 pm"
To: itojun@iijlab.net
Date: Thu, 1 Mar 2001 20:41:38 +1100
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL37 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some email I received from itojun@iijlab.net, sie wrote:
> >But at the same time they WILL NOT MATCH "pass tcp packets" either.
> >
> >Generally, the policy should be "block everything, permit what you want"
> >and in that case you would end up dropping things with IPPROTO_ROUTING,
> >etc.  Even a basic ruleset like:
> >
> >block in all
> >block out all
> >pass out proto tcp/udp all
> >pass in proto tcp/udp all
> >
> >will block all the IPv6 packets with routing headers, etc.
>
> but then what if you would like to permit packets with extension
> headers?  or like only certain combinations?
> most of the existing packet filter languages have the same issue, btw.

Or even, what if you want to allow particular combinations or sequences or
maybe chains of a particular length?

As it is, IP Filter can easily filter on whether a particular extension
header is there or not once I make it recognise them using a procedure
similar to looking for IP options in fr_makefrip().  What'll actually be
harder is looking for all the assumptions about the "final protocol header"
being the "next header" after the IPv{4,6} header and making sure as much as
possible goes into the *same* mbuf.  Ugh.

Anyway, once all that is sorted out, the filtering will be limited to what
can be done with IPv4 options - is that sufficient?

Darren
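Darren's last point above, that filter code assumes the "final protocol header" is the "next header" after the IPv6 header, can be shown concretely. The following is an added example written for this page, not IP Filter code: it walks an IPv6 extension-header chain and compares a rule like "pass in proto tcp/udp all" evaluated only on the IPv6 header's own Next Header byte with the same rule applied after following the chain, with permitted extension headers and maximum chain length exposed as the policy knobs itojun and Darren discuss. All packets are constructed inline; the addresses and ports are made up.

```python
"""Walk an IPv6 extension-header chain and compare a filter that only looks
at the IPv6 header's own Next Header field with one that follows the chain.

Added illustration of the point in the IP Filter thread above; it is not IP
Filter code.  The packets are constructed by hand (no real traffic)."""
import struct

IPV6_HDR_LEN = 40
# Extension headers carry a Next Header byte first; their length encodings differ.
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "AH", 60: "dest-opts"}
PROTO_NAMES = {6: "tcp", 17: "udp", 58: "icmpv6", 59: "no-next-header"}


def walk_chain(pkt):
    """Return (extension header numbers in order, final protocol number,
    offset of the final protocol header).  Raises ValueError on truncation."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    nxt, off, chain = pkt[6], IPV6_HDR_LEN, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        chain.append(nxt)
        if nxt == 44:                       # fragment header: fixed 8 octets
            hlen = 8
        elif nxt == 51:                     # AH: (len + 2) * 4 octets
            hlen = (pkt[off + 1] + 2) * 4
        else:                               # hop-by-hop/routing/dest-opts: (len + 1) * 8
            hlen = (pkt[off + 1] + 1) * 8
        nxt = pkt[off]                      # Next Header byte of this extension header
        off += hlen
        if off > len(pkt):
            raise ValueError("extension header runs past end of packet")
    return chain, nxt, off


def naive_passes(pkt, allowed=(6, 17)):
    """'pass in proto tcp/udp all' evaluated only on the IPv6 header's Next
    Header byte, i.e. assuming the final protocol header is always next."""
    return pkt[6] in allowed


def chain_aware(pkt, allowed=(6, 17), allowed_ext=frozenset(), max_chain=0):
    """Follow the chain, then apply the rule to the final protocol.  Which
    extension headers and how long a chain to accept are policy inputs."""
    try:
        chain, final, _ = walk_chain(pkt)
    except ValueError as exc:
        return False, "drop: %s" % exc
    if len(chain) > max_chain:
        return False, "drop: %d extension headers exceeds limit of %d" % (len(chain), max_chain)
    for h in chain:
        if h not in allowed_ext:
            return False, "drop: %s header not permitted" % EXT_HEADERS[h]
    if final not in allowed:
        return False, "drop: final protocol %s not permitted" % PROTO_NAMES.get(final, final)
    return True, "pass: %s after %s" % (PROTO_NAMES.get(final, final),
                                        [EXT_HEADERS[h] for h in chain] or "no extension headers")


# --- constructed packets (made-up addresses and ports) -----------------------
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def ipv6(next_header, payload):
    """Fixed 40-octet IPv6 header: version 6, payload length, next header, hop limit 64."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, SRC, DST) + payload


def ext(next_header, ext_len_units=0):
    """Generic 8-octet-unit extension header (hop-by-hop, routing, dest-opts)
    with a zeroed body."""
    return bytes([next_header, ext_len_units]) + b"\x00" * (6 + 8 * ext_len_units)


PLAIN_TCP = ipv6(6, TCP_SYN)                                 # IPv6 | TCP
ROUTED_TCP = ipv6(43, ext(6) + TCP_SYN)                      # IPv6 | routing | TCP
HOP_ROUTE_TCP = ipv6(0, ext(43) + ext(6) + TCP_SYN)          # IPv6 | hop-by-hop | routing | TCP
TRUNCATED = ipv6(43, ext(6)[:4])                             # routing header cut short

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_TCP), ("routed", ROUTED_TCP), ("hop+route", HOP_ROUTE_TCP)]:
        print(name, "naive:", naive_passes(pkt), "chain-aware:", chain_aware(pkt, allowed_ext={43}, max_chain=1))
```

The naive check is what "pass in proto tcp" amounts to when the code reads the protocol from the IPv6 header itself: the routed TCP segment is silently dropped because the byte there says 43, not 6. Following the chain restores the intended match, and the truncation checks in walk_chain are the part that matters once the chain can span more than one mbuf, as Darren notes.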
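Returning to the random numbers thread above: Michael Robinson describes conditioning sound-card samples by estimating entropy per sample conservatively and hashing as many samples as needed so that entropy bits in match hash bits out. The following is an added example (not from the thread and not FreeBSD's /dev/random) that implements that accounting with SHA-1 and refuses to emit pad material the source cannot back. The sample stream is a constructed, deterministic stand-in for sound-card input, and the bits_per_sample estimate is a parameter the operator must justify; the code does not measure it.

```python
"""Condition low-entropy samples into pad material the way the random numbers
thread above describes: estimate entropy per sample conservatively, then hash
as many samples as it takes for the entropy in to match the hash bits out.

Added example, not code from the thread or from FreeBSD.  The sample stream is
constructed and deterministic so the block runs offline; a real deployment
would feed sound-card samples and must justify bits_per_sample empirically."""
import hashlib
import math
import struct

HASH_BITS = 160                       # SHA-1 digest size, as in the thread


def samples_per_block(bits_per_sample):
    """How many samples must go into one digest so entropy in >= hash bits out."""
    if not 0 < bits_per_sample <= 16:
        raise ValueError("entropy estimate must be between 0 and 16 bits per 16-bit sample")
    return math.ceil(HASH_BITS / bits_per_sample)


def pad_from_samples(samples, bits_per_sample, length):
    """Return (pad, samples_consumed).  The source is never stretched: if it
    runs dry before `length` bytes are backed by enough entropy, raise rather
    than emit a pad that is not really one-time."""
    per_block = samples_per_block(bits_per_sample)
    src = iter(samples)
    out = bytearray()
    consumed = 0
    while len(out) < length:
        h = hashlib.sha1()
        for n in range(per_block):
            try:
                s = next(src)
            except StopIteration:
                raise RuntimeError("entropy source exhausted after %d samples; "
                                   "%d pad bytes short" % (consumed + n, length - len(out))) from None
            h.update(struct.pack("<H", s & 0xFFFF))   # 16-bit sample, little-endian
        consumed += per_block
        out += h.digest()                  # 160 bits out, backed by >= 160 bits in
    return bytes(out[:length]), consumed


def otp_xor(data, pad):
    """One-time pad: XOR with pad material at least as long as the data."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message; never reuse or stretch it")
    return bytes(a ^ b for a, b in zip(data, pad))


# Constructed stand-in for digitized sound-card input: NOT random, only here so
# the example runs offline and deterministically.
FAKE_SAMPLES = [(i * 7919 + 104729) % 65536 for i in range(4000)]

if __name__ == "__main__":
    pad, used = pad_from_samples(FAKE_SAMPLES, bits_per_sample=2, length=32)
    print("pad bytes:", len(pad), "samples consumed:", used)
    ciphertext = otp_xor(b"attack at dawn", pad)
    print(otp_xor(ciphertext, pad))
```

The pad length is bounded by the entropy budget, not by how much hashing you are willing to do; that is the difference between the true one-time pad and the alternative the message mentions, seeding a PRNG from the digest, where the one-bit-of-entropy-per-pad-bit property is given up in exchange for unlimited output.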