From owner-freebsd-security Mon Feb 3 5:40:55 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B7EFB37B401 for ; Mon, 3 Feb 2003 05:40:52 -0800 (PST)
Received: from HAL9000.homeunix.com (12-233-57-224.client.attbi.com [12.233.57.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id 23BA743FB1 for ; Mon, 3 Feb 2003 05:40:52 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU)
Received: from HAL9000.homeunix.com (localhost [127.0.0.1]) by HAL9000.homeunix.com (8.12.6/8.12.5) with ESMTP id h13DemZh000978 for ; Mon, 3 Feb 2003 05:40:48 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU)
Received: (from das@localhost) by HAL9000.homeunix.com (8.12.6/8.12.5/Submit) id h13DemWS000977 for security@FreeBSD.ORG; Mon, 3 Feb 2003 05:40:48 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU)
Date: Mon, 3 Feb 2003 05:40:48 -0800
From: David Schultz
To: security@FreeBSD.ORG
Subject: Many login.conf accounting and authentication options broken
Message-ID: <20030203134047.GA475@HAL9000.homeunix.com>
Mail-Followup-To: security@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Most of the accounting options in login.conf(5) and many examples in /etc/login.conf don't seem to work. I can't even find any evidence of a mechanism to support them. (Perhaps an old-timer can tell me where one used to exist, if it used to exist.) Please let me know if I'm missing something here.

Some of these features are useful. For instance, it would be nice if passwd respected passwordtime when updating a password, rather than disabling password expiration whenever a user changes his password.[1] Others, such as autodelete and sessiontime, seem less useful.
Do people have comments on any of the unimplemented items in the following list? I have a good mind to ask that the useless ones be removed from the documentation, and if I have time in the next few weeks I may implement some of the missing functionality.

  minpasswordlen   (superseded by pam_passwdqc; needs doc update)
  minpasswordcase  (superseded by pam_passwdqc; needs doc update)
  autodelete
  accounted
  bootfull
  daytime
  expireperiod
  graceexpire
  gracetime
  host.accounted
  host.exempt
  idletime
  monthtime
  passwordtime
  refreshtime
  refreshperiod
  sessiontime
  sessionlimit
  ttys.accounted
  ttys.exempt
  warntime
  weektime

[1] Passwordtime works in 4.x, but support was apparently removed accidentally in the PAMification process.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
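The mismatch David Schultz describes above (a login class sets passwordtime, but passwd(1) zeroes the pw_change field, so nothing ever expires) can be audited from the two files involved. The following script is an added example, not code from the thread or from FreeBSD: it parses a constructed login.conf and master.passwd embedded in the script (class names, users and hashes are made up) and reports which accounts have a rotation policy that their password record does not enforce. On a real 4.x/5.x box you would feed it /etc/login.conf and /etc/master.passwd as root.

```python
"""Audit whether login.conf's passwordtime is reflected in master.passwd's pw_change field.

Added example, not from the thread. master.passwd field 6 (pw_change) is the epoch time
at which the password must be changed, 0 meaning "never"; passwd(1) zeroing it is the
behaviour the message complains about.
"""
import re

_UNIT_SECONDS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_time(value):
    """login.conf time value: bare seconds ('3600') or unit suffixes, combinable ('1w2d')."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    if not re.fullmatch(r"(\d+[ywdhms])+", value):
        raise ValueError("bad time value: %r" % value)
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([ywdhms])", value))

def parse_login_conf(text):
    """Parse the termcap-style file into {class: {capability: value}}, resolving tc= chains.
    Kept simple on purpose: no \\c escapes, and values are assumed not to contain ':'."""
    raw, logical = {}, ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        logical += stripped
        if logical.endswith("\\"):            # continuation line
            logical = logical[:-1]
            continue
        fields = [f for f in logical.split(":") if f]
        caps = {}
        for field in fields[1:]:
            key, _, val = field.partition("=")
            caps[key] = val                   # boolean capabilities get ''
        for name in fields[0].split("|"):     # 'name|alias|...'
            raw[name] = caps
        logical = ""

    def resolve(name, seen=()):
        caps = dict(raw.get(name, {}))
        parent = caps.pop("tc", None)
        if parent and parent not in seen:     # the class's own settings win over its tc= parent
            merged = resolve(parent, seen + (name,))
            merged.update(caps)
            return merged
        return caps

    return {name: resolve(name) for name in raw}

def parse_master_passwd(text):
    """name:password:uid:gid:class:change:expire:gecos:home_dir:shell (10 fields)."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 10:
            raise ValueError("malformed master.passwd line: %r" % line)
        entries.append({"name": f[0], "class": f[4] or "default",
                        "change": int(f[5] or 0), "expire": int(f[6] or 0)})
    return entries

def audit(login_conf_text, master_passwd_text, now):
    """Map each user to (class, passwordtime seconds, pw_change, status)."""
    classes = parse_login_conf(login_conf_text)
    report = {}
    for e in parse_master_passwd(master_passwd_text):
        caps = classes.get(e["class"], classes.get("default", {}))
        pwtime = parse_time(caps.get("passwordtime", "0"))
        if pwtime == 0:
            status = "no-policy"          # class does not ask for rotation
        elif e["change"] == 0:
            status = "not-enforced"       # class asks for rotation, record says never
        elif e["change"] <= now:
            status = "expired"
        else:
            status = "ok"
        report[e["name"]] = (e["class"], pwtime, e["change"], status)
    return report

SAMPLE_LOGIN_CONF = """\
# constructed sample in /etc/login.conf syntax
default:\\
\t:passwd_format=md5:\\
\t:welcome=/etc/motd:\\
\t:passwordtime=90d:\\
\t:umask=022:

staff|sysadmins:\\
\t:passwordtime=0:\\
\t:tc=default:
"""

SAMPLE_MASTER_PASSWD = """\
root:$1$xx$constructedhash:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$xx$constructedhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$xx$constructedhash:1002:1002:staff:0:0:Bob:/home/bob:/bin/sh
carol:$1$xx$constructedhash:1003:1003::1046000000:0:Carol:/home/carol:/bin/sh
"""

if __name__ == "__main__":
    for user, row in audit(SAMPLE_LOGIN_CONF, SAMPLE_MASTER_PASSWD, now=1044000000).items():
        print(user, *row)
```

With the constructed data, alice and root come out as "not-enforced" (class default asks for 90-day rotation, pw_change is 0), bob as "no-policy" (his staff class overrides passwordtime to 0 before pulling in default via tc=), and carol as "ok" until the clock passes her pw_change.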
From owner-freebsd-security Tue Feb 4 14:29:49 2003
From: Retal
To: freebsd-security@freebsd.org
Date: Wed, 05 Feb 2003 00:29:59 +0200
Subject: A Weird module msg, a security risk?
Message-Id: <5.2.0.9.0.20030205002748.00c104d8@mail.netvision.net.il>

I mistyped "ifconfig xl0- alias ip" instead of "ifconfig xl0 ip" (without the "-"). I got a weird message:

    module_register: module miibus/ukphy already exists!
    linker_file_sysinit "miibus.ko" failed to register! 17

When I tried to make the same mistake again, it didn't print it again, but each time I reboot and do that, it prints it the first time. Is it a security risk? How do I fix it?

-Retal

From owner-freebsd-security Tue Feb 4 18:45:27 2003
From: Avleen Vig
To: freebsd-security@freebsd.org
Date: Tue, 4 Feb 2003 18:45:13 -0800
Subject: Re: SSHD suddenly takes SIX MINUTES to authenticate
Message-ID: <20030205024513.GA37185@silverwraith.com>

For reference, I am the owner of krb5-realm.com/.net/.org

> > then krb5-realm.com.
> > If the nameservers setup to host krb5-realm.com
> > stop responding to requests, then these DNS lookups take a long time,
> > waiting to eventually timeout. This doesn't happen very often either.

The location they were being hosted is not hosting any more, so they were moved.

> Right. And the DNS for krb5-realm.com is, to put it politely, a mess.

I'm sorry it doesn't meet your distributed nameserver requirements. If you would like to provide a nameserver or two for me to use for these domains, I would be happy to set you up as a slave :-)

> ISTR seeing something about changes to krb5-realm.com on nanog a couple
> of weeks ago. You may want to check the archives.

Yeah they did. I'm hosting them at home for the time, until I can arrange something more permanent.

Just for clarification, I purchased the domains after I found the bug a couple of years ago with two colleagues of mine. I don't have any malicious intent, I just wanted the domains :-) They seem to have become a sort of novelty item now.
From owner-freebsd-security Tue Feb 4 18:47:16 2003
From: Avleen Vig
To: freebsd-security@freebsd.org
Date: Tue, 4 Feb 2003 18:47:09 -0800
Subject: Re: krb5-realm.com
Message-ID: <20030205024709.GC37185@silverwraith.com>

On Sat, Feb 01, 2003 at 11:01:39AM +0100, bas wrote:
> isnt it a bad thing if every sshd on the world ends up contacting
> krb5-realm.com by default? is this also true for newer versions of
> sshd (with kerberos disabled)? i mean it may make the owners of
> krb5-realm.com powerful beings. sounds a bit .NET to me.

Well it could conceivably cause breakage (as described), but nothing worse. The krb5-realm.com domain administrator cannot possibly leverage the situation in order to subvert authentication.
From owner-freebsd-security Tue Feb 4 18:47:56 2003
From: Avleen Vig
To: freebsd-security@freebsd.org
Date: Tue, 4 Feb 2003 18:47:52 -0800
Subject: Re: krb5-realm.com
Message-ID: <20030205024752.GD37185@silverwraith.com>

On Mon, Feb 03, 2003 at 03:34:12AM -0800, Jacques A. Vidrine wrote:
> > isnt it a bad thing if every sshd on the world ends up contacting
> > krb5-realm.com by default? is this also true for newer versions of
> > sshd (with kerberos disabled)? i mean it may make the owners of
> > krb5-realm.com powerful beings. sounds a bit .NET to me.
>
> Well it could conceivably cause breakage (as described), but nothing
> worse. The krb5-realm.com domain administrator cannot possibly
> leverage the situation in order to subvert authentication.

And for what it is worth, neither would I want to :-)

As I said in an earlier email, I do my best to make sure the NS is available at all times. Unfortunately sometimes outages happen and they cannot be avoided.
From owner-freebsd-security Tue Feb 4 19:08:44 2003
From: root@FreeBSD.ORG (Root hub.FreeBSD.ORG)
To: freebsd-security@FreeBSD.ORG
Date: Tue, 4 Feb 2003 19:08:36 -0800 (PST)
Subject: removing restriction on who can send email to freebsd-security
Message-Id: <20030205030836.D875D37B401@hub.freebsd.org>

Folks, please take a look at the following emails... these were rejected from FreeBSD-security due to a policy of restricting to only those subscribed to the list at the address subscribed to the list. While well-intentioned, this policy has unintended results. I have removed the restriction. Please contact me at postmaster@freebsd.org if you wish to discuss the matter.... I am open to your responses.

jmb

From: Richard Nyberg
To: freebsd-security@FreeBSD.org
Subject: patch for broken krb5 telnet
Message-ID: <20030131151944.GA335@gromit.it.su.se>

Hi there!

I just wanted to make you aware that there is a patch for krb5 telnet from bg@sics.se available at http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/45397. With this patch telnet no longer dumps core and it uses subkeys properly. It'd be nice to have krb5 telnet work out of the box in FreeBSD; it's been broken for quite some time now :(

---
Happy hacking!
-Richard

From: Kris Kennaway
To: bas
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: krb5-realm.com
Message-ID: <20030201214607.GA16797@rot13.obsecurity.org>
In-Reply-To: <3E3B9B03.6ACE7B96@xs4all.nl>

On Sat, Feb 01, 2003 at 11:01:39AM +0100, bas wrote:
> isnt it a bad thing if every sshd on the world ends up contacting
> krb5-realm.com by default? is this also true for newer versions of sshd
> (with kerberos disabled)? i mean it may make the owners of
> krb5-realm.com powerful beings. sounds a bit .NET to me.

What evidence do you have that this is true?

Kris

From owner-freebsd-security Tue Feb 4 23:55:08 2003
From: Alex Huth
Organization: Lanworks AG
To: freebsd-security@freebsd.org
Date: Wed, 5 Feb 2003 08:43:30 +0100
Subject: Passwords in Jails
Message-Id: <200302050843.30377.ahuth@lanworks.de>

Hi guys!

I have a machine with some jails. On the base machine I've changed the passwords of root and the only existing user account. I also changed the passwords on the machine from where I'm doing the remote administration. Now I can't get into the jails via ssh. When I try to login I get the message

    Permission denied Public Key, password

Where can I solve this problem or is there a possibility to manage passwords/public keys of a jail from the basesystem?

So long ...

Alex Huth
-- 
Unix like TeePee no windows, no gates, Apache inside.

From owner-freebsd-security Wed Feb 5 4:59:28 2003
From: Mike Tancsa
To: Alex Huth
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 05 Feb 2003 07:57:17 -0500
Subject: Re: Passwords in Jails
Message-Id: <5.2.0.9.0.20030205075601.061cefe0@192.168.0.12>
In-Reply-To: <200302050843.30377.ahuth@lanworks.de>

At 08:43 AM 2/5/2003 +0100, Alex Huth wrote:
>Where can I solve this problem or is there a possibility to manage
>passwords/public keys of a jail from the basesystem?

Yes, just manipulate the master.passwd file directly from outside your jail, or cp your public key to the appropriate authorized_keys2 file, as you have access to the entire file system from the base system.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Wed Feb 5 5:15:35 2003
Message-Id: <200302051315.OAA19437@giskard.altus-escon.com>
From: Ben Stuyts
To: security@FreeBSD.ORG
Date: Wed, 5 Feb 2003 14:15:27 +0100
Subject: cvs security fix not in RELENG_4?

Hi,

Regarding the security advisory concerning the remotely exploitable vulnerability in cvs server:

I am running a 4-stable system with a cvs tag of RELENG_4 here. According to the advisory, this system is vulnerable. However, I cannot find a fix for this in the RELENG_4 branch. The affected file server.c has a cvs id of 1.13.2.5 dated 2003/01/21. Nothing else has been committed since on this branch.

Am I overlooking something?

Thanks,
Ben

From owner-freebsd-security Wed Feb 5 5:29:28 2003
From: "Jacques A. Vidrine"
To: Ben Stuyts
Cc: security@FreeBSD.ORG
Date: Wed, 5 Feb 2003 07:27:25 -0600
Subject: Re: cvs security fix not in RELENG_4?
Message-ID: <20030205132725.GD65577@opus.celabo.org>
In-Reply-To: <200302051315.OAA19437@giskard.altus-escon.com>

On Wed, Feb 05, 2003 at 02:15:27PM +0100, Ben Stuyts wrote:
> Hi,
>
> Regarding the security advisory concerning the remotely exploitable
> vulnerability in cvs server:
>
> I am running a 4-stable system with a cvs tag of RELENG_4 here. According to
> the advisory, this system is vulnerable.

The advisory says that RELENG_4 is NOT VULNERABLE as of `2003-01-21 22:26:46 UTC'.

> However, I cannot find a fix for this in the RELENG_4 branch.

Yes you can. :-) You found it:

> The affected file server.c has a cvs id of 1.13.2.5 dated 2003/01/21.
> Nothing else has been committed since on this branch.

That revision contains the fix. Compare the diff with the one referenced from the advisory.

> Am I overlooking something?

The security problem was fixed with an upgrade to CVS 1.11.5 in -CURRENT and -STABLE. It was fixed with a simple patch in the security branches.

Cheers,
-- 
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se

From owner-freebsd-security Wed Feb 5 5:33:08 2003
From: Ben Stuyts
To: "Jacques A. Vidrine"
Cc: Ben Stuyts , security@FreeBSD.org
Date: Wed, 5 Feb 2003 14:33:00 +0100
Subject: Re: cvs security fix not in RELENG_4?
Message-Id: <200302051333.OAA19462@giskard.altus-escon.com>
In-Reply-To: <20030205132725.GD65577@opus.celabo.org>

On Wed, 5 Feb 2003, "Jacques A. Vidrine" wrote:
> On Wed, Feb 05, 2003 at 02:15:27PM +0100, Ben Stuyts wrote:
>
> > I am running a 4-stable system with a cvs tag of RELENG_4 here. According
> > to the advisory, this system is vulnerable.
>
> The advisory says that RELENG_4 is NOT VULNERABLE as of `2003-01-21
> 22:26:46 UTC'.

Duh! Thanks, I misread the advisory.
(And yes, I am getting reading glasses.) Apologies for the noise.

With kind regards,
Ben

From owner-freebsd-security Wed Feb 5 8:02:20 2003
From: Peter Pentchev
To: Mike Tancsa
Cc: Alex Huth , freebsd-security@FreeBSD.ORG
Date: Wed, 5 Feb 2003 18:00:58 +0200
Subject: Re: Passwords in Jails
Message-ID: <20030205160058.GB373@straylight.oblivion.bg>
In-Reply-To: <5.2.0.9.0.20030205075601.061cefe0@192.168.0.12>

On Wed, Feb 05, 2003 at 07:57:17AM -0500, Mike Tancsa wrote:
> At 08:43 AM 2/5/2003 +0100, Alex Huth wrote:
> >Where can I solve this problem or is there a possibility to manage
> >passwords/public keys of a jail from the basesystem?
>
> Yes, just manipulate the master.passwd file directly from outside your
> jail,

Of course, this had better be done using 'vipw -d /path/to/jail/etc/' :)

> or cp your public key to the appropriate authorized_keys2 file, as
> you have access to the entire file system from the base system.

This has always worked for me.

G'luck,
Peter

-- 
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence would be seven words long if it were six words shorter.

From owner-freebsd-security Wed Feb 5 9:16:19 2003
From: John
To: freebsd-security@freebsd.org
Date: Wed, 5 Feb 2003 11:25:21 -0600
Subject: Re: Passwords in Jails
Message-ID: <20030205172521.GA58302@mail.unixjunkie.com>
In-Reply-To: <20030205160058.GB373@straylight.oblivion.bg>

Just as a side note, pw is a great util for managing jails. You can add/del/mod and all that jazz, just add -V /path/to/jail/etc. You can also set passwords via pw (-h).

On Wed, Feb 05, 2003 at 06:00:58PM +0200, Peter Pentchev wrote:
> On Wed, Feb 05, 2003 at 07:57:17AM -0500, Mike Tancsa wrote:
> > At 08:43 AM 2/5/2003 +0100, Alex Huth wrote:
> > >Where can I solve this problem or is there a possibility to manage
> > >passwords/public keys of a jail from the basesystem?
> >
> > Yes, just manipulate the master.passwd file directly from outside your
> > jail,
>
> Of course, this had better be done using 'vipw -d /path/to/jail/etc/' :)
>
> > or cp your public key to the appropriate authorized_keys2 file, as
> > you have access to the entire file system from the base system.
>
> This has always worked for me.
From owner-freebsd-security Wed Feb 5 9:39:40 2003
From: Peter Pentchev
To: John
Cc: freebsd-security@freebsd.org
Date: Wed, 5 Feb 2003 19:04:44 +0200
Subject: Re: Passwords in Jails
Message-ID: <20030205170444.GA17546@straylight.oblivion.bg>
In-Reply-To: <20030205172521.GA58302@mail.unixjunkie.com>

On Wed, Feb 05, 2003 at 11:25:21AM -0600, John wrote:
> On Wed, Feb 05, 2003 at 06:00:58PM +0200, Peter Pentchev wrote:
> > On Wed, Feb 05, 2003 at 07:57:17AM -0500, Mike Tancsa wrote:
> > > At 08:43 AM 2/5/2003 +0100, Alex Huth wrote:
> > > >Where can I solve this problem or is there a possibility to manage
> > > >passwords/public keys of a jail from
> > > >the basesystem?
> > >
> > > Yes, just manipulate the master.passwd file directly from outside your
> > > jail,
>
> Just as a side note pw is a great util for managing jails.
> You can add/del/mod and all that jazz, just add -V /path/to/jail/etc
> You can also set passwords via pw (-h).

Sure, pw(8) will also work; my point was that this should NOT be done via direct editing of the master.passwd file... well, at least, not if you expect the system to notice the changes.

G'luck,
Peter

-- 
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am not the subject of this sentence.
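Pulling the "Passwords in Jails" thread together (edit the jail's master.passwd from the host, but through vipw -d or pw -V so the databases get rebuilt, and drop a public key into the jail user's authorized_keys): the script below is an added example, not code from the thread or from FreeBSD. It assumes the classic layout under a jail root (etc/master.passwd plus the pwd.db/spwd.db that pwd_mkdb(8) builds from it and that getpwnam(3) inside the jail actually reads) and works on a constructed sample master.passwd in a temporary directory; the user names and key material are made up. The staleness check is the concrete form of Peter Pentchev's point: a hand-edited master.passwd whose databases have not been rebuilt is exactly what "the system does not notice".

```python
"""Manage a jail's accounts from the host side without leaving its password database stale.

Added example with a constructed jail skeleton; assumes <root>/etc/master.passwd
(10 colon-separated fields) and the pwd.db/spwd.db files pwd_mkdb(8) builds from it.
"""
import os
import tempfile

def jail_path(root, *parts):
    """Join parts under root and refuse any result (symlinks included) outside the jail."""
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, *(p.lstrip("/") for p in parts)))
    if full != root and not full.startswith(root + os.sep):
        raise ValueError("path escapes jail root: %s" % full)
    return full

def passwd_db_is_stale(root):
    """True if master.passwd is newer than pwd.db/spwd.db, or either database is missing.

    This is the failure mode of editing master.passwd by hand: logins keep using the old
    hashes until pwd_mkdb(8) runs, which vipw(8) and pw(8) do for you.
    """
    src_mtime = os.stat(jail_path(root, "etc/master.passwd")).st_mtime
    for db in ("etc/pwd.db", "etc/spwd.db"):
        try:
            if os.stat(jail_path(root, db)).st_mtime < src_mtime:
                return True
        except FileNotFoundError:
            return True
    return False

def pwd_mkdb_command(root):
    """argv to rebuild the jail's databases from the host (-d: destination dir, -p: also write passwd)."""
    etc = jail_path(root, "etc")
    return ["pwd_mkdb", "-p", "-d", etc, os.path.join(etc, "master.passwd")]

def pw_set_password_command(root, user):
    """argv for pw(8) to set a jail user's password via -V, reading it from stdin (-h 0)
    so the secret never shows up in the process list."""
    return ["pw", "-V", jail_path(root, "etc"), "usermod", user, "-h", "0"]

def lookup_user(root, user):
    """Return (uid, gid, home) for user from the jail's own master.passwd."""
    with open(jail_path(root, "etc/master.passwd")) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) == 10 and fields[0] == user:
                return int(fields[2]), int(fields[3]), fields[8]
    raise KeyError(user)

def install_authorized_key(root, user, pubkey):
    """Append pubkey (once) to the user's authorized_keys inside the jail.

    Directory 0700 and file 0600, owned by the jail user, is what sshd's StrictModes
    expects; the chown is only attempted when running as root, as on a real host.
    """
    uid, gid, home = lookup_user(root, user)
    ssh_dir = jail_path(root, home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    line = pubkey.strip() + "\n"
    existing = open(keyfile).read() if os.path.exists(keyfile) else ""
    if line not in existing:                      # idempotent: never duplicate a key
        with open(keyfile, "a") as fh:
            fh.write(line)
    os.chmod(keyfile, 0o600)
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        os.chown(ssh_dir, uid, gid)
        os.chown(keyfile, uid, gid)
    return keyfile

SAMPLE_MASTER_PASSWD = (   # constructed sample; '*' means no password login
    "root:*:0:0::0:0:Charlie &:/root:/bin/csh\n"
    "alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh\n"
)

def build_sample_jail(root=None):
    """Create a throwaway jail skeleton whose master.passwd carries a fixed, constructed mtime."""
    root = root or tempfile.mkdtemp(prefix="jail-")
    os.makedirs(os.path.join(root, "etc"), exist_ok=True)
    mp = os.path.join(root, "etc", "master.passwd")
    with open(mp, "w") as fh:
        fh.write(SAMPLE_MASTER_PASSWD)
    os.utime(mp, (1000000000, 1000000000))
    return root

def touch_db(root, when):
    """Stand-in for a pwd_mkdb run: create pwd.db/spwd.db with the given mtime."""
    for db in ("pwd.db", "spwd.db"):
        p = os.path.join(root, "etc", db)
        open(p, "a").close()
        os.utime(p, (when, when))

if __name__ == "__main__":
    root = build_sample_jail()
    print("stale before pwd_mkdb:", passwd_db_is_stale(root))
    touch_db(root, 1000000100)
    print("stale after pwd_mkdb:", passwd_db_is_stale(root))
    print(" ".join(pwd_mkdb_command(root)))
```

On a real host, run pwd_mkdb_command(root) (or just use vipw -d / pw -V, which do it themselves) whenever passwd_db_is_stale(root) reports True; jail_path is there because every path you touch is built from data inside the jail (the home directory field), and a jail user who can plant a symlink there must not be able to steer the host's root into writing outside the jail.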
To: freebsd-security@freebsd.org Date: Wed, 05 Feb 2003 18:20:50 -0000 MIME-Version: 1.0 Subject: Re: The way forward Reply-To: hununu@netcabo.pt Message-ID: <3E415602.30669.FF9FC2@localhost> In-reply-to: <20030130024520.GJ83557@smnolde.com> References: <20030128085617.L167@woody.ops.uunet.co.za> X-mailer: Pegasus Mail for Windows (v4.02a) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body X-OriginalArrivalTime: 05 Feb 2003 18:18:13.0986 (UTC) FILETIME=[F280D420:01C2CD42] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 29 Jan 2003 at 21:45, Scott M. Nolde wrote: > Give ipf and ipfw a whirl and get the best out of both. I also hear > there's AltQ coming to ipf in FreeBSD and there are patches for it, if you want > to try it. Where did you read that? AltQ is not natively implemented in 5.0... the AltQ kernel patches are available, but I'd love ipf + Altq integration. At the moment, I envy pf + altq on openbsd. Bruno Miguel Afonso, Biological Eng. student. brunomiguel at dequim dot ist dot utl dot pt D.E.Q. @ I.S.T. 
- Portugal To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 5 10:26: 4 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 64BED37B401 for ; Wed, 5 Feb 2003 10:26:02 -0800 (PST) Received: from carbon.berkeley.netdot.net (carbon.berkeley.netdot.net [216.27.190.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1573243FA3 for ; Wed, 5 Feb 2003 10:26:02 -0800 (PST) (envelope-from nick@netdot.net) Received: by carbon.berkeley.netdot.net (Postfix, from userid 101) id D4D2BF80A; Wed, 5 Feb 2003 10:26:01 -0800 (PST) Date: Wed, 5 Feb 2003 10:26:01 -0800 From: Nicholas Esborn To: Bruno Afonso Cc: freebsd-security@FreeBSD.ORG Subject: Re: The way forward Message-ID: <20030205182601.GA59212@carbon.berkeley.netdot.net> References: <20030128085617.L167@woody.ops.uunet.co.za> <3E415602.30669.FF9FC2@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3E415602.30669.FF9FC2@localhost> User-Agent: Mutt/1.5.3i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Here here on pf envy. It's not well tested yet, but pf's architecture and capabilities look better than both ipf and ipfw. -nick On Wed, Feb 05, 2003 at 06:20:50PM -0000, Bruno Afonso wrote: > On 29 Jan 2003 at 21:45, Scott M. Nolde wrote: > > > Give ipf and ipfw a whirl and get the best out of both. I also hear > > there's AltQ coming to ipf in FreeBSD and there are patches for it, if you want > > to try it. > > Where did you read that? AltQ is not natively implemented in 5.0... the AltQ kernel > patches are available, but I'd love ipf + Altq integration. At the moment, I envy pf + altq on > openbsd. 
> > > > > Bruno Miguel Afonso, Biological Eng. student. > brunomiguel at dequim dot ist dot utl dot pt > D.E.Q. @ I.S.T. - Portugal > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Nicholas Esborn Unix Systems Administrator Berkeley, California To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 5 10:57:59 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0B05037B405 for ; Wed, 5 Feb 2003 10:57:57 -0800 (PST) Received: from mta9.srv.hcvlny.cv.net (mta9.srv.hcvlny.cv.net [167.206.5.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id B1BB443F43 for ; Wed, 5 Feb 2003 10:57:56 -0800 (PST) (envelope-from mspitze1@optonline.net) Received: from asv20.srv.hcvlny.cv.net (asv20.srv.hcvlny.cv.net [167.206.5.174]) by mta9.srv.hcvlny.cv.net (iPlanet Messaging Server 5.2 HotFix 1.05 (built Nov 6 2002)) with ESMTP id <0H9U00AFRNCEXL@mta9.srv.hcvlny.cv.net> for freebsd-security@FreeBSD.ORG; Wed, 05 Feb 2003 13:57:50 -0500 (EST) Received: from bogomips (ool-18b868ca.dyn.optonline.net [24.184.104.202]) by asv20.srv.hcvlny.cv.net (8.12.6/8.11.6) with SMTP id h15IvPX9022524 for ; Wed, 05 Feb 2003 13:57:26 -0500 (EST) Date: Wed, 05 Feb 2003 14:05:32 -0500 From: Marc Spitzer Subject: Re: The way forward In-reply-to: <20030205182601.GA59212@carbon.berkeley.netdot.net> To: freebsd-security@FreeBSD.ORG Message-id: <20030205140532.4ff4390c.mspitze1@optonline.net> MIME-version: 1.0 X-Mailer: Sylpheed version 0.8.8claws (GTK+ 1.2.10; i386-portbld-freebsd4.7) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT References: <20030128085617.L167@woody.ops.uunet.co.za> <3E415602.30669.FF9FC2@localhost> <20030205182601.GA59212@carbon.berkeley.netdot.net> Sender: owner-freebsd-security@FreeBSD.ORG 
Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 05 Feb 2003 10:26:01 -0800 Nicholas Esborn wrote: > Here here on pf envy. It's not well tested yet, but pf's architecture > and capabilities look better than both ipf and ipfw. > > -nick > Could you share some details on that? marc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 5 11:24:36 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8263637B401 for ; Wed, 5 Feb 2003 11:24:34 -0800 (PST) Received: from carbon.berkeley.netdot.net (carbon.berkeley.netdot.net [216.27.190.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2175943F85 for ; Wed, 5 Feb 2003 11:24:34 -0800 (PST) (envelope-from nick@netdot.net) Received: by carbon.berkeley.netdot.net (Postfix, from userid 101) id 8DD66F80A; Wed, 5 Feb 2003 11:24:33 -0800 (PST) Date: Wed, 5 Feb 2003 11:24:33 -0800 From: Nicholas Esborn To: Marc Spitzer Cc: freebsd-security@FreeBSD.ORG Subject: Re: The way forward Message-ID: <20030205192433.GB59212@carbon.berkeley.netdot.net> References: <20030128085617.L167@woody.ops.uunet.co.za> <3E415602.30669.FF9FC2@localhost> <20030205182601.GA59212@carbon.berkeley.netdot.net> <20030205140532.4ff4390c.mspitze1@optonline.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030205140532.4ff4390c.mspitze1@optonline.net> User-Agent: Mutt/1.5.3i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Pf seems to scale better than netfilter/iptables, ipfw, or ipf. 
Other than reading through OpenBSD's pf documentation, I found a paper at: http://www.benzedrine.cx/pf-slides.pdf I also like that you can use macros in its config files, and that it automatically structures your ruleset for you to some extent (I think this obsoletes head/group in ipf). And it can randomize TCP ISNs for OSes which do not. And you can use lists for ports or protocols. For example: wi_if = "hme1" wi_ip = "172.16.1.1/32" wi_net = "172.16.1.0/24" scrub in on $wi_if all pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \ port {domain, bootpc, bootps, 5000} keep state I find pf to be as much of an improvement over ipf as I found ipf to be an over ipfw. And of course, there's less possibility of licensing surprises, because of OpenBSD's nearly militant adherence to the BSD license. Sadly, most of the discussion I've seen here about pf on FreeBSD is basically "Why would we need another packet filter?" -nick On Wed, Feb 05, 2003 at 02:05:32PM -0500, Marc Spitzer wrote: > On Wed, 05 Feb 2003 10:26:01 -0800 > Nicholas Esborn wrote: > > > Here here on pf envy. It's not well tested yet, but pf's architecture > > and capabilities look better than both ipf and ipfw. > > > > -nick > > > > Could you share some details on that? 
> > marc > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Nicholas Esborn Unix Systems Administrator Berkeley, California To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 5 11:32: 1 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1636837B401 for ; Wed, 5 Feb 2003 11:31:59 -0800 (PST) Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1253843F79 for ; Wed, 5 Feb 2003 11:31:58 -0800 (PST) (envelope-from avalon@caligula.anu.edu.au) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id GAA11248; Thu, 6 Feb 2003 06:31:50 +1100 (EST) From: Darren Reed Message-Id: <200302051931.GAA11248@caligula.anu.edu.au> Subject: Re: The way forward To: nick@netdot.net (Nicholas Esborn) Date: Thu, 6 Feb 2003 06:31:50 +1100 (Australia/ACT) Cc: mspitze1@optonline.net (Marc Spitzer), freebsd-security@FreeBSD.ORG In-Reply-To: <20030205192433.GB59212@carbon.berkeley.netdot.net> from "Nicholas Esborn" at Feb 05, 2003 11:24:33 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Nicholas Esborn, sie said: > > Pf seems to scale better than netfilter/iptables, ipfw, or ipf. Other > than reading through OpenBSD's pf documentation, I found a paper at: > > http://www.benzedrine.cx/pf-slides.pdf I'm pretty sure I could 'tune' ipfilter to be just as fast or faster than pf. 
I have some clues about why it's slower - the author of the paper doesn't (AFAIK) but I'm not in a rush to fix this. > I also like that you can use macros in its config files, and that it > automatically structures your ruleset for you to some extent (I think > this obsoletes head/group in ipf). But they've now gone and added anchors. groups are useful in ways beyond just optimising rule processing. > And you can use lists for ports or protocols. > For example: > > wi_if = "hme1" > wi_ip = "172.16.1.1/32" > wi_net = "172.16.1.0/24" > scrub in on $wi_if all > pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \ > port {domain, bootpc, bootps, 5000} keep state Whether or not this is good or not is another thing. It obfuscates validating the kernel rules loaded with the configuration file you have in /etc. > I find pf to be as much of an improvement over ipf as I found ipf to > be an over ipfw. And of course, there's less possibility of licensing > surprises, because of OpenBSD's nearly militant adherence to the > BSD license. > > Sadly, most of the discussion I've seen here about pf on FreeBSD is > basically "Why would we need another packet filter?" Oh, IPFilter 4.0 will probably address all of your concerns and even go beyond what pf is currently providing. I suspect there is a certain amount of feature emulation currently happening (both ways). 
You just hear more about pf than ipf unless you're on the ipf list - there is currently no summary of "what's new" in 4.0 and it's kinda deliberate like that so there's no easy shopping list for someone to copy before I release it :) Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 5 11:34:31 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C31237B401 for ; Wed, 5 Feb 2003 11:34:30 -0800 (PST) Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7648743FB9 for ; Wed, 5 Feb 2003 11:34:25 -0800 (PST) (envelope-from avalon@caligula.anu.edu.au) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id GAA12228; Thu, 6 Feb 2003 06:34:21 +1100 (EST) From: Darren Reed Message-Id: <200302051934.GAA12228@caligula.anu.edu.au> Subject: Re: The way forward To: nick@netdot.net (Nicholas Esborn) Date: Thu, 6 Feb 2003 06:34:21 +1100 (Australia/ACT) Cc: hununu@netcabo.pt (Bruno Afonso), freebsd-security@FreeBSD.ORG In-Reply-To: <20030205182601.GA59212@carbon.berkeley.netdot.net> from "Nicholas Esborn" at Feb 05, 2003 10:26:01 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Nicholas Esborn, sie said: > > Here here on pf envy. It's not well tested yet, but pf's architecture > and capabilities look better than both ipf and ipfw. pf has no architecture - just go read the code and you'll see what I mean. > > Where did you read that? AltQ is not natively implemented in 5.0... 
> >the AltQ kernel > > patches are available, but I'd love ipf + Altq integration. At the > > moment, I envy pf + altq on openbsd. I haven't looked at altq at all, but if someone wants to do some work on making ipf work with altq in a similar manner to pf, it would be well received by myself. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 5 12:27:37 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D1E137B401 for ; Wed, 5 Feb 2003 12:27:36 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id B3C1643FA3 for ; Wed, 5 Feb 2003 12:27:35 -0800 (PST) (envelope-from nectar@celabo.org) Received: from opus.celabo.org (opus.celabo.org [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 23E5451; Wed, 5 Feb 2003 14:27:35 -0600 (CST) Received: by opus.celabo.org (Postfix, from userid 1001) id 6F07658D6; Wed, 5 Feb 2003 14:25:30 -0600 (CST) Date: Wed, 5 Feb 2003 14:25:30 -0600 From: "Jacques A. Vidrine" To: Nicholas Esborn Cc: Marc Spitzer , freebsd-security@FreeBSD.ORG Subject: Re: The way forward Message-ID: <20030205202530.GA75442@opus.celabo.org> Mail-Followup-To: "Jacques A. 
Vidrine" , Nicholas Esborn , Marc Spitzer , freebsd-security@FreeBSD.ORG References: <20030128085617.L167@woody.ops.uunet.co.za> <3E415602.30669.FF9FC2@localhost> <20030205182601.GA59212@carbon.berkeley.netdot.net> <20030205140532.4ff4390c.mspitze1@optonline.net> <20030205192433.GB59212@carbon.berkeley.netdot.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030205192433.GB59212@carbon.berkeley.netdot.net> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.1i-ja.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Feb 05, 2003 at 11:24:33AM -0800, Nicholas Esborn wrote: > Sadly, most of the discussion I've seen here about pf on FreeBSD is > basically "Why would we need another packet filter?" Why is that sad? It is perhaps the most important question. -- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . 
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 5 13: 0: 7 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D139137B401 for ; Wed, 5 Feb 2003 13:00:05 -0800 (PST) Received: from ground0.paix.net (ground0.paix.net [128.177.247.242]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6A06843F85 for ; Wed, 5 Feb 2003 13:00:05 -0800 (PST) (envelope-from larson@eng.paix.net) Received: (from larson@localhost) by ground0.paix.net (8.9.3/8.9.1) id NAA60203; Wed, 5 Feb 2003 13:00:05 -0800 (PST) env-from (larson@eng.paix.net) Date: Wed, 5 Feb 2003 13:00:05 -0800 (PST) From: Alan Larson Message-Id: <200302052100.NAA60203@ground0.paix.net> To: freebsd-security@freebsd.org Subject: encryption export Cc: larson@eng.paix.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I tried "security@freebsd.org", but apparently that doesn't work, there were no replies, so here goes again: I am looking to upgrade / install software in a system outside of the U.S. As such am concerned about the encryption export restrictions. I need to upgrade a FreeBSD system, and have procedures that will let me do a binary upgrade for that, but I need to know what must be done to move the software out of the U.S., and to work with it (remotely) once it is there. Similarly, I need to load a patched kerberos5 and ssh2 (not the FreeBSD kerberos or openssh) so it will all work with our kerberos5 world. Clearly, there is much encryption stuff there -- ssh/ssl/kerberos/ssh2 and more already on the disc or the packages discs. Any help you can offer would be appreciated. The bosses here want to be able to ssh to the remote box. Alan p.s. 
I was referred to this list, but am not a reader of it, so please send any comments back to me as well. Thanks. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 5 13:14:23 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4CE5537B413; Wed, 5 Feb 2003 13:13:41 -0800 (PST) Received: from yahoo.com (168-226-64-5.speedy.com.ar [168.226.64.5]) by mx1.FreeBSD.org (Postfix) with SMTP id D0EEE43F85; Wed, 5 Feb 2003 13:12:53 -0800 (PST) (envelope-from lijxsk@yahoo.com) From: a-group Subject: Биржевая торговля. Правила и практика. Reply-To: lijxsk@yahoo.com X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Organization: a-group Mime-Version: 1.0 Content-Type: text/html; charset="koi8-r" Date: Wed, 5 Feb 2003 23:13:43 +0200 Message-Id: <20030205211253.D0EEE43F85@mx1.FreeBSD.org> To: undisclosed-recipients: ; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Dear Sirs!

The representative office of "Capital Standard Corporation", together with the company "A-Group", invites you to take part in a seminar on the topic:

Practical aspects of exchange trading on international financial markets.

The seminar will be held on 14 February 2003

Address:
Kyiv, "Saint Petersburg" hotel (4 T. Shevchenko Boulevard)

Aim of the seminar:

To obtain a clear picture of the international financial, commodity and stock markets and of how they work, using the Chicago exchange as an example; to watch currency movements in real time; and to learn how to invest correctly and subsequently grow your capital. The seminar programme includes answers to your questions, consultations and talks by practising specialists.

Lecturers and hosts of the seminar: an introducing broker of CSCorp., a specialist in exchange operations (Chicago Mercantile Exchange, Chicago Board of Trade).

Programme:

  • Speculation as a way of growing capital:
    Private investors;
    Corporate and other market participants;
    How much money is enough to start;
    What, where and how to trade.
  • Instruments of the world commodity and financial markets:
    Securities;
    The international currency exchange market;
    Futures and options contracts.
  • Technology and mechanics of exchange and over-the-counter operations:
    Legal framework, rules and practice of the American trading model;
    The "spot" currency market;
    Exchange trading systems;
    Computerised trading systems;
    Clearing (settlement) systems servicing the operations;
    Information systems and computer technologies supporting dealing operations.
  • "Reaching" the market:
    Brokerage company;
    Principal (market maker);
    Trading account;
    Margin;
    Leverage;
    Executing a trade;
    Pros and cons of "internet trading";
    Profitability of operations.
  • Forecasting market trends:
    Technical analysis;
    Fundamental analysis;
    Professional computer systems and software used in dealers' work.
  • Trading strategies and tactics:
    Speculative operations;
    Portfolio management;
    Hedging of export-import operations.
  • Seminar schedule:

    09:30 - 19:00 - seminar hours, with coffee and lunch breaks

    Cost of participation in the seminar: 450 UAH per participant.

    To participate you must:

  • Receive an invoice for payment by fax;
  • Pay the invoice;
  • Bring your passport and a copy of the payment document.
  • Registration is open until 12 February (inclusive)

    Discounts:

  • For payment before 10 February - 10% discount;
  • For registration of 2 or more representatives from one company - 10% discount;
  • For regional companies - 10% discount.
  • Contact information and registration: (044) 269-82-31; 269-97-54.

    This mailing was organised by the Ukrainian Direct Mail Centre. We apologise if this information was of no interest to you. For questions about organising mailings, call (044) 237 29 18. Regards, Karolina Mendel.

From owner-freebsd-security Wed Feb 5 18:00:05 2003
Date: Wed, 5 Feb 2003 18:14:41 -0800 (PST)
From: bruno schwander
To: freebsd-security@freebsd.org
Subject: upgraded to 4.7, now can't ssh... (fwd)

I just cvsup'd/build-install world/kernel and now I can not connect to
my box through ssh anymore.

ssh -v shows things going well, then suddenly the host closes the
connection as shown below. I found in my logs the following message:

sshd[190]: pam_start: malloc failed for pam_conv

why is that failing ?

if I enable telnetd in inetd, then I can telnet in, no problem. Of
course I want sshd to work !!

Anyone seen this happen before ?

bruno

OpenSSH_2.9 FreeBSD localisations 20020307, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
debug1: Connecting to mail.dvart.com [64.168.139.141] port 22.
debug1: temporarily_use_uid: 1001/1001 (e=1001)
debug1: restore_uid
debug1: temporarily_use_uid: 1001/1001 (e=1001)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/bruno/.ssh/id_rsa type -1
debug1: identity file /home/bruno/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030201
debug1: match: OpenSSH_3.5p1 FreeBSD-20030201 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9 FreeBSD localisations 20020307
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 122/256
debug1: bits set: 1599/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'mail.dvart.com' is known and matches the DSA host key.
debug1: Found key in /home/bruno/.ssh/known_hosts2:1
debug1: bits set: 1555/3191
debug1: len 55 datafellows 0
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
Connection closed by 64.168.139.141
debug1: Calling cleanup 0x805971c(0x0)

From owner-freebsd-security Wed Feb 5 22:38:02 2003
From: "Banda Fator Cinco"
To:
Subject: Give Our National Rock a Boost
Date: Thu, 6 Feb 2003 04:38:24 -0200
Message-Id: <20030206063731.3124943FBD@mx1.FreeBSD.org>

    Banda Fator Cinco

    We ask you, who are receiving this e-mail, to give our national rock a boost: the band Fator Cinco had one of its songs aired on 89 FM (A Rádio Rock) and on KISS FM. It costs nothing to request the song again, and who knows, it might make it into these stations' programming. Come on, everyone!!!

    The song is called 11 DE SETEMBRO. To request it on 89FM send an e-mail to avezdobrasil@89fm.com.br or call 252-6543, and to request it on KISS FM send an e-mail to kissfm@kissfm.com.br.

    Let's request the song again to get Fator Cinco into these stations' programming; we are counting on your help. THANKS!!!

    You can listen to an excerpt of this song and learn more about the band Fator Cinco by visiting:

    A big hug from the Fator Cinco family

    NEWSLETTER

    If you no longer wish to receive our newsletters, click here

     

    To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 5 23: 7:27 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 461C737B401 for ; Wed, 5 Feb 2003 23:07:26 -0800 (PST) Received: from HAL9000.homeunix.com (12-233-57-224.client.attbi.com [12.233.57.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8DDDC43FB1 for ; Wed, 5 Feb 2003 23:07:25 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU) Received: from HAL9000.homeunix.com (localhost [127.0.0.1]) by HAL9000.homeunix.com (8.12.6/8.12.5) with ESMTP id h1677Oo0003900; Wed, 5 Feb 2003 23:07:24 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU) Received: (from das@localhost) by HAL9000.homeunix.com (8.12.6/8.12.5/Submit) id h1677Oem003899; Wed, 5 Feb 2003 23:07:24 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU) Date: Wed, 5 Feb 2003 23:07:24 -0800 From: David Schultz To: Nicholas Esborn Cc: Marc Spitzer , freebsd-security@FreeBSD.ORG Subject: Re: The way forward Message-ID: <20030206070724.GA3760@HAL9000.homeunix.com> Mail-Followup-To: Nicholas Esborn , Marc Spitzer , freebsd-security@FreeBSD.ORG References: <20030128085617.L167@woody.ops.uunet.co.za> <3E415602.30669.FF9FC2@localhost> <20030205182601.GA59212@carbon.berkeley.netdot.net> <20030205140532.4ff4390c.mspitze1@optonline.net> <20030205192433.GB59212@carbon.berkeley.netdot.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030205192433.GB59212@carbon.berkeley.netdot.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thus spake Nicholas Esborn : > Pf seems to scale better than netfilter/iptables, ipfw, or ipf. 
Other > than reading through OpenBSD's pf documentation, I found a paper at: > > http://www.benzedrine.cx/pf-slides.pdf The server seems to be down right now. Do you have the title of the paper? > I also like that you can use macros in its config files The macroexpander for my firewall is already pretty good. It is called the Bourne shell. > and that it > automatically structures your ruleset for you to some extent (I think > this obsoletes head/group in ipf). What do you mean by this? It sounds interesting. Do you mean that it does some sort of static or dynamic optimization, or something else? > And it can randomize TCP ISNs for > OSes which do not. And you can use lists for ports or protocols. [...] > Sadly, most of the discussion I've seen here about pf on FreeBSD is > basically "Why would we need another packet filter?" Well, I'm sorry to disappoint you, but you haven't convinced me that I need another packet filter yet! FreeBSD randomizes ISNs, and ipfw now supports lists of ports or even IP addresses. The missing feature I personally would like to see is a flexible interface for application-level firewalling. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 6 1:25:15 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DD7DF37B401 for ; Thu, 6 Feb 2003 01:25:14 -0800 (PST) Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4EC2F43FAF for ; Thu, 6 Feb 2003 01:25:14 -0800 (PST) (envelope-from des@ofug.org) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 85CC3536E; Thu, 6 Feb 2003 10:25:10 +0100 (CET) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: bruno schwander Cc: freebsd-security@freebsd.org Subject: Re: upgraded to 4.7, now can't ssh... (fwd) From: Dag-Erling Smorgrav Date: Thu, 06 Feb 2003 10:25:10 +0100 In-Reply-To: (bruno schwander's message of "Wed, 5 Feb 2003 18:14:41 -0800 (PST)") Message-ID: User-Agent: Gnus/5.090014 (Oort Gnus v0.14) Emacs/21.2 (i386--freebsd) References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org bruno schwander writes: > ssh -v shows thing to go well then suddenly the host closes the > connection as shown below. I found in my logs the following message: > > sshd[190]: pam_start: malloc failed for pam_conv Your sources aren't fresh. And you could have taken a minute to browse the -stable list before asking... 
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Feb 6 2:42:27 2003
Date: Thu, 06 Feb 2003 11:42:12 +0100
From: Uwe Doering
To: freebsd-security@FreeBSD.ORG
Subject: Re: Passwords in Jails
Message-ID: <3E423C04.3060106@geminix.org>
In-Reply-To: <5.2.0.9.0.20030205075601.061cefe0@192.168.0.12>

Mike Tancsa wrote:
> At 08:43 AM 2/5/2003 +0100, Alex Huth wrote:
>
>> Where can I solve this problem or is there a possibility to manage
>> passwords/public keys of a jail from the basesystem?
>
> Yes, just manipulate the master.passwd file directly from outside your
> jail, or cp your public key to the appropriate authorized_keys2 file, as
> you have access to the entire file system from the base system.
You may want to make sure, though, that the Jail is not running before you do so. Writing to a Jail from the outside is a major security headache if it is inhabited by untrusted users. Imagine what happens when the user does this (or similar things) in his '/etc':

    ln -sf /etc/master.passwd master.passwd

You'd end up changing the respective file in your base system. Stopping the Jail prevents races, so you can inspect files in a safe manner before you actually change them. Chrooting into the Jail and changing files from there might help as well:

    chroot /path/to/jail/root

Uwe
--
Uwe Doering
Berlin, Germany

From owner-freebsd-security Thu Feb 6 2:59:52 2003
Date: Thu, 6 Feb 2003 02:59:33 -0800 (PST)
From: Doug Barton
To: Alan Larson
Cc: freebsd-security@FreeBSD.org
Subject: Re: encryption export
In-Reply-To: <200302052100.NAA60203@ground0.paix.net>
Message-ID: <20030206025750.Y40993@12-234-22-23.pyvrag.nggov.pbz>
On Wed, 5 Feb 2003, Alan Larson wrote:

> I tried "security@freebsd.org", but apparently that doesn't work, there
> were no replies,

Not a valid assumption, sorry. :) See below.

> I am looking to upgrade / install software in a system outside of the
> U.S. As such am concerned about the encryption export restrictions. I
> need to upgrade a FreeBSD system, and have procedures that will let me do
> a binary upgrade for that, but I need to know what must be done to move
> the software out of the U.S., and to work with it (remotely) once it is
> there.

You need to talk to a lawyer. We can't give, and you shouldn't be asking for legal advice on an internet mailing list. The issues and variables are simply too complex, and the risk to you is too great.

Good luck,

Doug

--

If it's moving, encrypt it. If it's not moving, encrypt it till it moves, then encrypt it some more.
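Uwe Doering's warning two messages up (a jailed user plants `ln -sf /etc/master.passwd master.passwd` so that a write "into the jail" lands on the base system), as an added example that is not part of the thread and not Uwe's own code: a pre-write check the host side can run before touching a file under a jail root. It walks every path component below the jail root and refuses if any component is a symlink or the leaf is not a plain file. The function names are mine, and the throwaway jail tree built by demo_jail() is constructed sample data in a temp directory; its planted symlinks point at a stand-in "base system" directory inside that same temp directory, never at the real /etc. As Uwe says, the check does not replace stopping the jail first: a running jail could still swap the file between the check and the write.

```sh
#!/bin/sh
# Added example, not from the thread: refuse to write through a symlink
# inside a jail tree. Every component of the target path, relative to the
# jail root, must be a real directory, and the leaf must be a regular file
# (or absent). Stop the jail before using this; the check alone is racy.

# jail_path_is_safe JAILROOT RELPATH
# Returns 0 if RELPATH (relative to JAILROOT) contains no symlink and its
# leaf is absent or a regular file; returns 1 and prints the reason otherwise.
jail_path_is_safe() {
    _root=$1
    _cur=$_root
    # split RELPATH on "/" into the positional parameters; -f stops globbing
    _oldifs=$IFS; IFS=/
    set -f; set -- $2; set +f
    IFS=$_oldifs
    _n=$#; _i=0
    for _comp in "$@"; do
        _i=$((_i + 1))
        if [ -z "$_comp" ]; then
            continue                        # empty piece from a leading or doubled slash
        fi
        _cur="$_cur/$_comp"
        if [ -L "$_cur" ]; then
            echo "refusing: $_cur is a symlink" >&2
            return 1
        fi
        if [ "$_i" -lt "$_n" ] && [ ! -d "$_cur" ]; then
            echo "refusing: $_cur is not a directory" >&2
            return 1
        fi
    done
    if [ -e "$_cur" ] && [ ! -f "$_cur" ]; then
        echo "refusing: $_cur is not a regular file" >&2
        return 1
    fi
    return 0
}

# jail_install_file SRC JAILROOT RELPATH
# Copies SRC into the jail only after the path check passes. Mode 0600 is
# what master.passwd needs; adjust for other files.
jail_install_file() {
    jail_path_is_safe "$2" "$3" || return 1
    cp "$1" "$2/$3" && chmod 0600 "$2/$3"
}

# demo_jail: build a throwaway tree under a temp directory: base/ stands in
# for the host's /etc, jail/ is the jail root with an honest etc/master.passwd
# and two planted symlinks of the kind described in the thread. Prints the
# temp directory. Constructed sample data, nothing from a real system.
demo_jail() {
    _top=$(mktemp -d) || return 1
    mkdir -p "$_top/base" "$_top/jail/etc" "$_top/jail/evil"
    echo 'root:*:0:0::0:0:Charlie &:/root:/bin/sh' > "$_top/base/master.passwd"
    cp "$_top/base/master.passwd" "$_top/jail/etc/master.passwd"
    # the planted links point at the stand-in base system, not at the real /etc
    ln -s "$_top/base/master.passwd" "$_top/jail/evil/master.passwd"   # file symlink
    ln -s "$_top/base" "$_top/jail/evildir"                            # directory symlink
    printf '%s\n' "$_top"
}

# Usage (hypothetical paths): jail_install_file ./new.passwd /jails/web etc/master.passwd
```

Checking every component, not just the leaf, matters: a symlinked directory (`etc -> /etc`) defeats a leaf-only `test -L`. Chrooting into the jail, Uwe's other suggestion, sidesteps the problem differently, because inside the chroot an absolute symlink target resolves relative to the jail root.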
From owner-freebsd-security Thu Feb 6 5:23:46 2003
Date: Thu, 06 Feb 1992 15:22:27 +0200
From: Retal
To: freebsd-security@freebsd.org
Subject: Re: upgraded to 4.7, now can't ssh... (fwd)
Message-Id: <5.2.0.9.0.19920206152129.00c13d88@mail.netvision.net.il>

It happened to me too; re-cvsup and rebuild ssh, there is a fix for it.

At 10:25 06/02/2003 +0100, Dag-Erling Smorgrav wrote:
>bruno schwander writes:
> > ssh -v shows things to go well then suddenly the host closes the
> > connection as shown below. I found in my logs the following message:
> >
> > sshd[190]: pam_start: malloc failed for pam_conv
>
>Your sources aren't fresh. And you could have taken a minute to
>browse the -stable list before asking...
>
>DES
>--
>Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Feb 6 5:26:54 2003
Date: Thu, 06 Feb 2003 15:25:39 +0200
From: Retal
To: freebsd-security@freebsd.org
Subject: Re: A Weird module msg, a security risk?
Message-Id: <5.2.0.9.0.19920206152241.00c52cc0@mail.netvision.net.il>
In-Reply-To: <200302050925.27639.will@unfoldings.net>
References: <5.2.0.9.0.20030205002748.00c104d8@mail.netvision.net.il>

Well.. I built my kernel, and I still get this weird message when I first type the wrong interface:

    ifconfig fxp0- alias 10.0.0.4
    module_register: module miibus/ukphy already exists!
    linker_file_sysinit "miibus.ko" failed to register! 17

Any ideas? I'm still afraid of a security issue, dunno..
-Retal

At 09:25 05/02/2003 +0200, you wrote:
>On Wednesday 05 February 2003 00:29, Retal wrote:
> > I mis-typed ifconfig xl0- alias ip, instead of ifconfig xl0 ip (without
> > the "-")
> > I got a weird msg :
> > module_register: module miibus/ukphy already exists!
> > linker_file_sysinit "miibus.ko" failed to register! 17
> >
> > when I tried to re-mistake again, it didn't write it again, but each time
> > I reboot and do that, the first time, it writes it
> >
> > Is it a security risk? how do I fix it?
> >
> > -Retal
>
>Because you accidentally entered the interface wrong, the driver that
>interfaces your network card with the MIIBUS interface tried to load again,
>even though it was already in the kernel. This isn't a security risk;
>however, I would recommend rebuilding your kernel with network device
>drivers built right in. You can find information on this in the FreeBSD
>Handbook, which should be in /usr/share/doc/handbook/index.html
>
>Will
>
>--
>Willie Viljoen
>Freelance IT Consultant
>
>214 Paul Kruger Avenue, Universitas
>Bloemfontein
>9321
>South Africa
>
>+27 51 522 15 60
>+27 51 522 44 36 (after hours)
>+27 82 404 03 27 (mobile)
>
>will@unfoldings.net

From owner-freebsd-security Thu Feb 6 6: 3:24 2003
Date: Thu, 06 Feb 2003 08:03:35 -0600
From: Peter Elsner
To: bruno schwander
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: upgraded to 4.7, now can't ssh... (fwd)
Message-Id: <5.2.0.9.2.20030206080255.00bd9580@mail.servplex.com>

Did you run Mergemaster afterwards?

At 06:14 PM 2/5/2003 -0800, you wrote:
>I just cvsup'd/build-install world/kernel and now I can not connect to my
>box through ssh anymore.
>
>ssh -v shows things to go well then suddenly the host closes the
>connection as shown below. I found in my logs the following message:
>
>sshd[190]: pam_start: malloc failed for pam_conv
>
>why is that failing ?
>if I enable telnetd in inetd, then I can telnet in, no problem. Of course
>I want sshd to work !!
>
>Anyone seen this happen before ?
>
>bruno
>
>OpenSSH_2.9 FreeBSD localisations 20020307, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
>debug1: Reading configuration data /etc/ssh/ssh_config
>debug1: Applying options for *
>debug1: Rhosts Authentication disabled, originating port will not be trusted.
>debug1: restore_uid
>debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
>debug1: Connecting to mail.dvart.com [64.168.139.141] port 22.
>debug1: temporarily_use_uid: 1001/1001 (e=1001)
>debug1: restore_uid
>debug1: temporarily_use_uid: 1001/1001 (e=1001)
>debug1: restore_uid
>debug1: Connection established.
>debug1: identity file /home/bruno/.ssh/id_rsa type -1
>debug1: identity file /home/bruno/.ssh/id_dsa type -1
>debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030201
>debug1: match: OpenSSH_3.5p1 FreeBSD-20030201 pat ^OpenSSH
>Enabling compatibility mode for protocol 2.0
>debug1: Local version string SSH-2.0-OpenSSH_2.9 FreeBSD localisations 20020307
>debug1: SSH2_MSG_KEXINIT sent
>debug1: SSH2_MSG_KEXINIT received
>debug1: kex: server->client aes128-cbc hmac-md5 none
>debug1: kex: client->server aes128-cbc hmac-md5 none
>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
>debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>debug1: dh_gen_key: priv key bits set: 122/256
>debug1: bits set: 1599/3191
>debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>debug1: Host 'mail.dvart.com' is known and matches the DSA host key.
>debug1: Found key in /home/bruno/.ssh/known_hosts2:1
>debug1: bits set: 1555/3191
>debug1: len 55 datafellows 0
>debug1: ssh_dss_verify: signature correct
>debug1: kex_derive_keys
>debug1: newkeys: mode 1
>debug1: SSH2_MSG_NEWKEYS sent
>debug1: waiting for SSH2_MSG_NEWKEYS
>debug1: newkeys: mode 0
>debug1: SSH2_MSG_NEWKEYS received
>debug1: done: ssh_kex2.
>debug1: send SSH2_MSG_SERVICE_REQUEST
>debug1: service_accept: ssh-userauth
>debug1: got SSH2_MSG_SERVICE_ACCEPT
>Connection closed by 64.168.139.141
>debug1: Calling cleanup 0x805971c(0x0)

----------------------------------------------------------------------------------------------------------
Peter Elsner
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax

I worry about my child and the Internet all the time, even though she's too young to have logged on yet.
Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin

Unix IS user friendly... It's just selective about who its friends are.
System Administration - It's a dirty job, but somebody said I had to do it.
If you receive something that says 'Send this to everyone you know', pretend you don't know me.
Standard $500/message proofreading fee applies for UCE.

From owner-freebsd-security Thu Feb 6 9:34:37 2003
Date: Thu, 6 Feb 2003 09:49:04 -0800 (PST)
From: bruno schwander
To: Dag-Erling Smorgrav
Cc: freebsd-security@freebsd.org
Subject: solved... Re: upgraded to 4.7, now can't ssh... (fwd)

I did search and read posts from the security mailing list, which seemed the most relevant, and spent quite some time on it. I'll make sure to check the other lists as well in the future.

Thanks

bruno

> Your sources aren't fresh. And you could have taken a minute to
> browse the -stable list before asking...
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Feb 6 12:10:51 2003
Date: 07 Feb 2003 04:12:08 +0800
From: slc12@taiwan.com
Reply-To: slc19681202@taiwan.com
To: freebsd-security@FreeBSD.org
Subject: =?ISO-8859-1?B?pc6k36zdp7mz4SEhIS4uLi4u?=
Message-Id: <20030206201048.86C2F43F85@mx1.FreeBSD.org>
From owner-freebsd-security Thu Feb 6 12:40:48 2003
Date: Thu, 06 Feb 2003 22:39:24 +0200
From: Retal
To: freebsd-security@freebsd.org
Subject: Re: upgraded to 4.7, now can't ssh... (fwd)
Message-Id: <5.2.0.9.0.20030206223905.00c5da88@mail.netvision.net.il>
In-Reply-To: <3E42AD9E.3C0695D0@xs4all.nl>
References: <5.2.0.9.0.19920206152129.00c13d88@mail.netvision.net.il>

fixed

At 19:46 06/02/2003 +0100, you wrote:
>can you check your clock you sent a mail dated 06-02-1992

From owner-freebsd-security Thu Feb 6 15: 9: 0 2003
Date: Thu, 6 Feb 2003 16:11:04 -0700
From: Duncan Patton a Campbell
To: Doug Barton
Cc: larson@eng.paix.net, freebsd-security@FreeBSD.ORG
Subject: Re: encryption export
Message-Id: <20030206161104.4b13ddc2.campbell@neotext.ca>
In-Reply-To: <20030206025750.Y40993@12-234-22-23.pyvrag.nggov.pbz>
References: <200302052100.NAA60203@ground0.paix.net> <20030206025750.Y40993@12-234-22-23.pyvrag.nggov.pbz>

I would suggest that the most salient advice is to read the laws regarding the subject. A lawyer is likely to be quite incapable of operating under the multiple legal modes required: most of them are incompetent in one system.

The most useful advice at a technical layer is to acquire the sources from a site outside the US and to not install it anywhere that is under the Ban (say NKorea or Iraq).

Dhu

On Thu, 6 Feb 2003 02:59:33 -0800 (PST)
Doug Barton wrote:

> On Wed, 5 Feb 2003, Alan Larson wrote:
>
> > I tried "security@freebsd.org", but apparently that doesn't work, there
> > were no replies,
>
> Not a valid assumption, sorry. :) See below.
>
> > I am looking to upgrade / install software in a system outside of the
> > U.S. As such am concerned about the encryption export restrictions. I
> > need to upgrade a FreeBSD system, and have procedures that will let me do
> > a binary upgrade for that, but I need to know what must be done to move
> > the software out of the U.S., and to work with it (remotely) once it is
> > there.
>
> You need to talk to a lawyer. We can't give, and you shouldn't be asking
> for legal advice on an internet mailing list. The issues and variables are
> simply too complex, and the risk to you is too great.
>
> Good luck,
>
> Doug
>
> --
>
> If it's moving, encrypt it. If it's not moving, encrypt
> it till it moves, then encrypt it some more.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE+QuuIXgQtJ7uBra8RAkNGAKC2BTZljoxOSvGoI/Dp42Shr8qrfwCgwHIz
lSY2gO6S0bTTAkmJ6GI5vcs=
=mk9x
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Feb 7 9:29:13 2003
Date: Fri, 7 Feb 2003 12:29:05 -0500
From: "Jack Xiao"
Subject: hardware encryption under freebsd

Hi All,

It's said "A new in-kernel cryptographic framework (see crypto(4) and crypto(9)) has been imported from OpenBSD. It provides a consistent interface to hardware and software implementations of cryptographic algorithms for use by the kernel and access to cryptographic hardware for user-mode applications. Hardware device drivers are provided to support hifn-based cards (hifn(4)) and Broadcom-based cards (ubsec(4))."

"A FAST_IPSEC kernel option now allows the IPsec implementation to use the kernel crypto(4) framework, along with its support for hardware cryptographic acceleration. More information can be found in the fast_ipsec(4) manual page."

In this case, if I want to use hardware encryption/decryption, should I use fast_ipsec instead of ipsec in the kernel option? By the way, I am using FreeBSD 4.7 Release. I am also curious if anybody has such experience in this group before my trial. How's the performance?

Thanks.

Jack

From owner-freebsd-security Fri Feb 7 10:25:31 2003
Date: Fri, 7 Feb 2003 10:25:27 -0800
From: "Sam Leffler"
To: "Jack Xiao"
Subject: Re: hardware encryption under freebsd
Message-ID: <05d201c2ced6$49f96700$52557f42@errno.com>

> It's said "A new in-kernel cryptographic framework (see crypto(4) and
> crypto(9)) has been imported from OpenBSD. It provides a consistent
> interface to hardware and software implementations of cryptographic
> algorithms for use by the kernel and access to cryptographic hardware for
> user-mode applications. Hardware device drivers are provided to support
> hifn-based cards (hifn(4)) and Broadcom-based cards (ubsec(4))."
>
> "A FAST_IPSEC kernel option now allows the IPsec implementation to use the
> kernel crypto(4) framework, along with its support for hardware
> cryptographic acceleration. More information can be found in the
> fast_ipsec(4) manual page."
>
> In this case, if I want to use hardware encryption/decryption, should I use
> fast_ipsec instead of ipsec in the kernel option? By the way, I am using
> FreeBSD 4.7 Release. I am also curious if anybody has such experience in
> this group before my trial. How's the performance?

4.7-release does not have the new ipsec code. I can't recall if the crypto code got in.

Performance depends on many factors. Give particulars about a configuration and the setup of the machine (e.g. firewall, client, server) and I can give you hints. In general I see 100% utilization of the crypto h/w under IPsec or user load when machines are connected back-to-back with gigE interfaces. Start loading the host with other duties (e.g. running ipfw rules) or changing the NICs and I can't say what you'll get.

Sam

From owner-freebsd-security Fri Feb 7 12:21:32 2003
Date: Fri, 7 Feb 2003 15:21:27 -0500 (EST)
From: "Deepak"
Reply-To: dvaidya@excite.com
To: freebsd-security@FreeBSD.ORG
Subject: Re: hardware encryption under freebsd
Message-Id: <20030207202127.CD4D73E5D@xmxpita.excite.com>

Would any one happen to know a source that you can get the Broadcom cards from? Hi/Fn cards can be had from http://www.soekris.com/; I have not used any of the cards from Soekris, just came across the site on the OpenBSD list.

_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!
From owner-freebsd-security Fri Feb 7 12:52:27 2003
Date: Fri, 7 Feb 2003 23:52:32
(envelope-from hkuUeXt@rambler.ru)
To: FREEBSD-SECURITY
Subject: Description - FREEBSD-SECURITY

You have no orders

You have no orders? Have your clients stopped calling? Does nobody know about your services? Not enough money for a large-scale advertising campaign?

We can solve all of these problems for only $300. For that money you get the chance to send your message to 3,800,000 recipients! Just think about that number! The mailing takes 1 day. The e-mail address database contains not only organizations and enterprises in Moscow and Russia, but also all private individuals. The whole database is 100% verified and we guarantee its quality!

PLUS! If you order an e-mail mailing from us now, you can make use of our cumulative-discount scheme (details on ordering).

You can order a mailing here.

To remove your e-mail address, click here.

(c) 2003 DEMETRIUS Software.
From owner-freebsd-security Fri Feb 7 13: 5: 0 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0D88037B401 for ; Fri, 7 Feb 2003 13:04:59 -0800 (PST) Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2FC8343FB1 for ; Fri, 7 Feb 2003 13:04:58 -0800 (PST) (envelope-from jason@shalott.net) Received: (qmail 23535 invoked by uid 1000); 7 Feb 2003 21:04:52 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 7 Feb 2003 21:04:52 -0000 Date: Fri, 7 Feb 2003 13:04:52 -0800 (PST) From: Jason Stone X-X-Sender: To: Subject: Re: hardware encryption under freebsd In-Reply-To: <05d201c2ced6$49f96700$52557f42@errno.com> Message-ID: <20030207130102.N3350-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > 4.7-release does not have the new ipsec code. I can't recall if the > crypto code got in. > > [...] In general I see 100% utilization of the crypto h/w under IPsec > or user load when machines are connected back-to-back with gigE > interfaces. What tools allow you to examine the utilization or performance of the crypto hardware? -Jason -------------------------------------------------------------------------- Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
-- Ashley Montagu -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE+RB90swXMWWtptckRAkEeAKDFjijR21x9x8mfgKfqw8HMwkTb7gCgsQVj LK+jYNX5vIHjUUVF0X7zf7Y= =BN7f -----END PGP SIGNATURE----- From owner-freebsd-security Fri Feb 7 13:30:57 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5DED937B401 for ; Fri, 7 Feb 2003 13:30:56 -0800 (PST) Received: from ebb.errno.com (ebb.errno.com [66.127.85.87]) by mx1.FreeBSD.org (Postfix) with ESMTP id D68D343F3F for ; Fri, 7 Feb 2003 13:30:55 -0800 (PST) (envelope-from sam@errno.com) Received: from melange (melange.errno.com [66.127.85.82]) (authenticated bits=0) by ebb.errno.com (8.12.5/8.12.1) with ESMTP id h17LUsnN075086 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Fri, 7 Feb 2003 13:30:55 -0800 (PST) (envelope-from sam@errno.com) X-Authentication-Warning: ebb.errno.com: Host melange.errno.com [66.127.85.82] claimed to be melange Message-ID: <06fd01c2cef0$32890a70$52557f42@errno.com> From: "Sam Leffler" To: "Jason Stone" , References: <20030207130102.N3350-100000@walter> Subject: Re: hardware encryption under freebsd Date: Fri, 7 Feb 2003 13:30:54 -0800 Organization: Errno Consulting MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > 4.7-release does not have the new ipsec code. I can't recall if the > > crypto code got in. > > > > [...]
In general I see 100% utilization of the crypto h/w under IPsec > > or user load when machines are connected back-to-back with gigE > > interfaces. > > What tools allow you to examine the utilization or performance of the > crypto hardware? I added code to timestamp crypto requests as they travel through the system. This is enabled/disabled with a sysctl. I then changed the cryptotest program found in the tools area to use this to collect "profiling" data when running tests. This, together with statistics collected by each driver, lets me see how the h/w is performing. From certain of the times I can infer when the system is running at peak. If I correlate this with the system load I can tell fairly well (I believe) whether the crypto h/w is fully utilized. The results of this work explain, for example, why the FreeBSD crypto code has diverged from OpenBSD and why it outperforms OpenBSD by as much as 3x in some cases. I've also logged all the timestamp data and post-processed it to get useful data. I'm submitting a paper about this work soon.
Sam From owner-freebsd-security Fri Feb 7 16:15:42 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD99737B401 for ; Fri, 7 Feb 2003 16:15:39 -0800 (PST) Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8907243FBD for ; Fri, 7 Feb 2003 16:15:38 -0800 (PST) (envelope-from bmah@employees.org) Received: from bmah.dyndns.org (12-240-204-110.client.attbi.com[12.240.204.110]) by rwcrmhc52.attbi.com (rwcrmhc52) with ESMTP id <2003020800153705200jv4vte>; Sat, 8 Feb 2003 00:15:37 +0000 Received: from intruder.bmah.org (localhost [IPv6:::1]) by bmah.dyndns.org (8.12.6/8.12.6) with ESMTP id h180FbRG081898; Fri, 7 Feb 2003 16:15:37 -0800 (PST) (envelope-from bmah@intruder.bmah.org) Received: (from bmah@localhost) by intruder.bmah.org (8.12.6/8.12.6/Submit) id h180FbZx081897; Fri, 7 Feb 2003 16:15:37 -0800 (PST) (envelope-from bmah) Date: Fri, 7 Feb 2003 16:15:37 -0800 From: "Bruce A. Mah" To: Sam Leffler Cc: Jack Xiao , freebsd-security@freebsd.org Subject: Re: hardware encryption under freebsd Message-ID: <20030208001537.GA81860@intruder.bmah.org> References: <05d201c2ced6$49f96700$52557f42@errno.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="EeQfGwPcQSOJBaQU" Content-Disposition: inline In-Reply-To: <05d201c2ced6$49f96700$52557f42@errno.com> User-Agent: Mutt/1.4i X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif X-url: http://www.employees.org/~bmah/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --EeQfGwPcQSOJBaQU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable If memory serves me right, Sam Leffler wrote: > > It's said "A new in-kernel cryptographic framework (see crypto(4) and > > crypto(9)) has been imported from OpenBSD. It provides a consistent > > interface to hardware and software implementations of cryptographic > > algorithms for use by the kernel and access to cryptographic hardware for > > user-mode applications. Hardware device drivers are provided to support > > hifn-based cards ( hifn(4)) and Broadcom-based cards ( ubsec(4))." > > > > "A FAST_IPSEC kernel option now allows the IPsec implementation to use the > > kernel crypto(4) framework, along with its support for hardware > > cryptographic acceleration. More information can be found in the > > fast_ipsec(4) manual page." > > > > In this case, if I want to use hardware encryption/decryption, should I > use > > fast_ipsec instead of ipsec in the kernel option? By the way, I am using > > FreeBSD 4.7 Release. I am also curious if anybody has such experience in > > this group before my trial. How's the performance? > > 4.7-release does not have the new ipsec code. I can't recall if the crypto > code got in. No, it's a 4.7-STABLE thing. Note that the original poster quoted the release notes from 4.7-STABLE, even though he's running 4.7-RELEASE. Bruce. --EeQfGwPcQSOJBaQU Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (FreeBSD) iD8DBQE+REwo2MoxcVugUsMRAoTvAKCV4MqjD/udxlHxjA6bHByIxiUZvwCeICKN 9M7Bh+0lhQxzcsJjDaeUUQA= =7o8Z -----END PGP SIGNATURE----- --EeQfGwPcQSOJBaQU--
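Sam Leffler's reply earlier in this thread describes timestamping crypto requests as they travel through the system, logging the timestamps and post-processing them to judge whether the crypto hardware is fully utilized. The script below is an added example written for this archive page; it is not code from FreeBSD, from cryptotest, or from Sam's instrumentation. It assumes a constructed log format (one request per line with submit, dispatch and completion timestamps in microseconds plus the request size) and derives the device busy fraction, per-request queueing delay and payload throughput from it. The field layout, the two sample logs and the 0.95 busy threshold are assumptions, not anything the thread specifies.

```python
"""Post-process per-request crypto timestamps to judge accelerator saturation.

Added example for this thread, not code from FreeBSD, from cryptotest or from
Sam Leffler's instrumentation. It assumes a constructed log format (one
request per line: submit, dispatch and completion timestamps in microseconds,
then the request size in bytes); the field layout, the sample records and the
0.95 threshold below are assumptions, not anything the thread specifies.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class CryptoRecord:
    submit_us: int    # request handed to the crypto framework
    dispatch_us: int  # request handed to the hardware driver
    done_us: int      # completion callback from the hardware
    nbytes: int       # payload length


# Constructed sample: two requests overlap (hardware pipelines them), then gaps.
LIGHT_LOG = """\
# submit dispatch done bytes
0     2     102   1500
10    12    112   1500
120   122   222   1500
300   302   402   1500
"""

# Constructed sample: arrivals every 50us, each job occupies the device 100us,
# so every dispatch waits on the previous completion and queueing delay grows.
SATURATED_LOG = """\
# submit dispatch done bytes
0     0     100   1500
50    100   200   1500
100   200   300   1500
150   300   400   1500
"""


def parse_log(text: str) -> List[CryptoRecord]:
    """Parse the assumed log format, rejecting records whose timestamps run backwards."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        submit, dispatch, done, nbytes = (int(f) for f in line.split())
        if not submit <= dispatch <= done:
            raise ValueError(f"timestamps out of order: {raw!r}")
        records.append(CryptoRecord(submit, dispatch, done, nbytes))
    if not records:
        raise ValueError("empty log")
    return records


def wall_time_us(records: List[CryptoRecord]) -> int:
    """Span from the first submission to the last completion."""
    return max(r.done_us for r in records) - min(r.submit_us for r in records)


def busy_time_us(records: List[CryptoRecord]) -> int:
    """Time the device had at least one request in flight: the union of the
    [dispatch, done) intervals, so pipelined (overlapping) requests are not
    double-counted."""
    intervals = sorted((r.dispatch_us, r.done_us) for r in records)
    total = 0
    cur_start, cur_end = intervals[0]
    for start, end in intervals[1:]:
        if start <= cur_end:          # overlaps or abuts the current busy run
            cur_end = max(cur_end, end)
        else:                         # device went idle: close the run
            total += cur_end - cur_start
            cur_start, cur_end = start, end
    return total + (cur_end - cur_start)


def utilization(records: List[CryptoRecord]) -> float:
    """Fraction of wall time the device was busy (1.0 means it was never idle)."""
    return busy_time_us(records) / wall_time_us(records)


def queue_delays_us(records: List[CryptoRecord]) -> List[int]:
    """Per-request wait between submission and dispatch, in submission order."""
    ordered = sorted(records, key=lambda r: r.submit_us)
    return [r.dispatch_us - r.submit_us for r in ordered]


def throughput_mbit_s(records: List[CryptoRecord]) -> float:
    """Payload bits per microsecond, which is numerically Mbit/s."""
    return 8 * sum(r.nbytes for r in records) / wall_time_us(records)


def diagnose(records: List[CryptoRecord], busy_threshold: float = 0.95) -> str:
    """Classify the run. Utilization near 1.0 alone only says the device was
    never idle; saturation shows as that plus monotonically growing queueing
    delay, because submissions are outrunning completions."""
    delays = queue_delays_us(records)
    growing = len(delays) > 1 and delays[-1] > delays[0] and all(
        b >= a for a, b in zip(delays, delays[1:]))
    if utilization(records) >= busy_threshold:
        return "saturated" if growing else "busy"
    return "headroom"


if __name__ == "__main__":
    for name, log in (("light", LIGHT_LOG), ("saturated", SATURATED_LOG)):
        recs = parse_log(log)
        print(f"{name}: util={utilization(recs):.2f} "
              f"delays_us={queue_delays_us(recs)} "
              f"{throughput_mbit_s(recs):.1f} Mbit/s -> {diagnose(recs)}")
```

The point of keeping the three timestamps separate is that a busy fraction by itself cannot distinguish "fully used and keeping up" from "fully used and falling behind": only the submit-to-dispatch gap shows the queue building, which is the correlation with offered load that Sam describes. On a real system the same analysis would be fed from whatever timestamp log the instrumented kernel writes, and the threshold would be tuned to the driver's own statistics.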