From owner-freebsd-security Sun Dec 30 15:33:22 2001
From: Andy Farkas
To: Bill Vermillion
Subject: Re: MS5 password salt calculation
Date: Mon, 31 Dec 2001 10:32:41 +1100 (EST)
In-Reply-To: <20011230013854.A39364@wjv.com>

On Sun, 30 Dec 2001, Bill Vermillion wrote:

> ... You should also not[e] that the
> next $ is the salt separator, and on my system there are typically 8
> digits after $1$ and before the next $, for 2trillion+ salts.
>
> Bill

It's interesting that my master.passwd file circa 2.2.x days has only 5
chars between the $'s, yet more recent ones have 8.

--
 :{ andyf@speednet.com.au
        Andy Farkas
    System Administrator
   Speednet Communications
 http://www.speednet.com.au/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


Message-ID: <00b501c191d9$c6d3bae0$09f223c4@M4DC0W>
From: "Etienne Ledoux"
Subject: Problems getting isakmpd working on FreeBSD.
Date: Mon, 31 Dec 2001 11:01:41 +0200

Greetings,

Anybody got a working example of isakmpd on FreeBSD? I've been following
guides mainly intended for OpenBSD it seems (due to a lack of finding any
for FreeBSD). I used the conf and policy files of various working examples.

http://www.allard.nu/openbsd/isakmpd.conf
http://www.allard.nu/openbsd/isakmpd.policy

and others...

But when I start isakmpd I get the following errors:

094416.943999 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE
094416.944033 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL
094416.944063 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM
094416.944096 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD
094416.944128 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION
094416.944160 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024
..
..the list continues.

The only thing I haven't done that is mentioned in the documentation(s)
(http://www.allard.nu/openbsd/openbsd.shtml, etc.) available:
Edit your /etc/sysctl.conf to include the things below (reboot afterwards):

net.inet.ip.forwarding=1        # 1=Permit forwarding
net.inet.esp.enable=1           # 1=Enable the ESP IPSec protocol

and if you are running 2.7 you need this as well:

net.inet.ip.ipsec-acl=0         # 0=disable IPsec ingress ACL checking

Would these values be the same for FreeBSD? (Stupid question maybe)

I tried adding these values using sysctl:

###
[root@bbmwall root]# sysctl net.inet.esp.enable=1
sysctl: unknown oid 'net.inet.esp.enable'
###

Maybe this is my problem? Any ideas. tx in advance.

Etienne.

Any help would be appreciated with regards to getting isakmp working on FreeBSD.

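The isakmpd output quoted in Etienne's message pairs every "configuration value not found" line with a conf_set that fills in a compiled-in default. The following Python script is an added example, not code from the message or from isakmpd: it pairs those lines up and renders the defaulted transform parameters (encapsulation mode, authentication algorithm, DH group) as an isakmpd.conf fragment, so the negotiated values are written down explicitly instead of depending on whatever the daemon build happens to default to. The sample log is constructed from the quoted lines, with one extra [General] conf_set line added to show that an explicit value is not mistaken for a default.

```python
import re

# Constructed sample log, shaped like the isakmpd lines quoted in the message
# above, plus one conf_set for a value that was never reported missing.
SAMPLE_LOG = """\
094416.943999 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE
094416.944033 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL
094416.944063 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM
094416.944096 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD
094416.944128 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION
094416.944160 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024
094416.944200 Misc 70 conf_set: [General]:Retransmits->3
"""

NOT_FOUND = re.compile(r"conf_get_str: configuration value not found \[([^\]]+)\]:(\S+)")
CONF_SET = re.compile(r"conf_set: \[([^\]]+)\]:(\S+?)->(\S+)")


def defaulted_values(log_text):
    """Map (section, key) -> value for keys isakmpd reported missing and then set."""
    missing = set()
    defaults = {}
    for line in log_text.splitlines():
        m = NOT_FOUND.search(line)
        if m:
            missing.add((m.group(1), m.group(2)))
            continue
        m = CONF_SET.search(line)
        # A conf_set with no preceding "not found" is an explicit value, not a default.
        if m and (m.group(1), m.group(2)) in missing:
            defaults[(m.group(1), m.group(2))] = m.group(3)
    return defaults


def as_conf_fragment(defaults):
    """Render the defaults as isakmpd.conf-style sections, ready to paste in."""
    by_section = {}
    for (section, key), value in defaults.items():
        by_section.setdefault(section, []).append(f"{key}={value}")
    lines = []
    for section in sorted(by_section):
        lines.append(f"[{section}]")
        lines.extend(sorted(by_section[section]))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(as_conf_fragment(defaulted_values(SAMPLE_LOG)))
```
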
From: "Matthew D. Fuller"
To: Andy Farkas
Cc: Bill Vermillion, security@FreeBSD.ORG
Subject: Re: MS5 password salt calculation
Message-ID: <20011231130416.B71938@over-yonder.net>
References: <20011230013854.A39364@wjv.com>
In-Reply-To: from andyf@speednet.com.au on Mon, Dec 31, 2001 at 10:32:41AM +1100

On Mon, Dec 31, 2001 at 10:32:41AM +1100 I heard the voice of
Andy Farkas, and lo! it spake thus:
> On Sun, 30 Dec 2001, Bill Vermillion wrote:
>
> > ... You should also not[e] that the
> > next $ is the salt separator, and on my system there are typically 8
> > digits after $1$ and before the next $, for 2trillion+ salts.
> >
> > Bill
>
> It's interesting that my master.passwd file circa 2.2.x days has only 5
> chars between the $'s, yet more recent ones have 8.

Interestingly, looking at my passwd file shows some with 5, and some 8
with.
Guess that shows who doesn't change their passwords often enough ;)

--
Matthew Fuller     (MF4839)   |  fullermd@over-yonder.net
Unix Systems Administrator    |  fullermd@futuresouth.com
Specializing in FreeBSD       |  http://www.over-yonder.net/
"The only reason I'm burning my candle at both ends, is because I haven't
figured out how to light the middle yet"


Date: Mon, 31 Dec 2001 13:08:20 -0600
From: "Matthew D. Fuller"
To: security@FreeBSD.ORG
Subject: Re: MS5 password salt calculation
Message-ID: <20011231130820.C71938@over-yonder.net>
References: <20011230013854.A39364@wjv.com> <20011231130416.B71938@over-yonder.net>
In-Reply-To: <20011231130416.B71938@over-yonder.net>; from fullermd@over-yonder.net on Mon, Dec 31, 2001 at 01:04:16PM -0600

On Mon, Dec 31, 2001 at 01:04:16PM -0600 I heard the voice of
Matthew D. Fuller, and lo! it spake thus:
>
> Interestingly, looking at my passwd file shows some with 5, and some 8
> with. Guess that shows who doesn't change their passwords often enough

Eek! cixelsyd I am!

--
Matthew Fuller     (MF4839)   |  fullermd@over-yonder.net
Unix Systems Administrator    |  fullermd@futuresouth.com
Specializing in FreeBSD       |  http://www.over-yonder.net/
"The only reason I'm burning my candle at both ends, is because I haven't
figured out how to light the middle yet"

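The salt discussion in the messages above is about FreeBSD's md5crypt ("$1$") password format. The Python below is an added example, not code from any poster or from FreeBSD's libcrypt: it reimplements the md5crypt algorithm as found in FreeBSD's crypt-md5.c, parses a master.passwd hash field into salt and hash, and computes the salt space for the 5- and 8-character salts the posters observed. It also shows why 8 is the ceiling: the algorithm silently uses only the first 8 salt characters. All passwords and salts in it are constructed for the example.

```python
import hashlib
import re

# crypt(3) "itoa64" alphabet, used for both the salt and the encoded hash.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"
# $1$ + up to 8 salt chars + $ + 22 encoded chars, as stored in master.passwd.
MD5CRYPT_RE = re.compile(r"^\$1\$([^$]{0,8})\$([./0-9A-Za-z]{22})$")


def _to64(value, nchars):
    # Emit 6 bits per character, least significant group first.
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(nchars))


def md5crypt(password, salt):
    """Return the $1$salt$hash field for password, following FreeBSD crypt-md5.c."""
    pw = password.encode()
    # Only the first 8 salt chars are used, and a '$' ends the salt early.
    salt = salt.split("$", 1)[0][:8]
    sp = salt.encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    for pl in range(len(pw), 0, -16):      # mix in alt once per 16 bytes of pw
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:                               # bits of len(pw) pick a NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                  # fixed 1000-round stretching loop
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # Digest bytes are regrouped in crypt's fixed, non-sequential order.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    return MAGIC + salt + "$" + out + _to64(final[11], 2)


def parse_md5crypt(field):
    """Split a $1$ hash field into (salt, hash), or None if it is not md5crypt."""
    m = MD5CRYPT_RE.match(field)
    return (m.group(1), m.group(2)) if m else None


def salt_space(salt_len):
    # Every salt character is one of the 64 ITOA64 symbols.
    return 64 ** salt_len


def verify(field, password):
    """Recompute with the stored salt and compare against the whole field."""
    parsed = parse_md5crypt(field)
    return parsed is not None and md5crypt(password, parsed[0]) == field
```
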
From: Randy Bush
To: freebsd-security@freebsd.org
Subject: openssh version
Date: Mon, 31 Dec 2001 13:12:50 -0800

i did a cvsup of -stable (4.5-prerelease) yesterday. it seems to have
OpenSSH_2.9 as opposed to 3.0.x. for a number of reasons, this is a bit
unsettling. do we expect an upgrade before 4.5-release?

randy


Message-ID: <000b01c1925f$4c788600$76c04242@trojan>
From: "Tal Ben-Eliezer"
Subject: Re: openssh version
Date: Mon, 31 Dec 2001 19:57:29 -0500

why don't you just visit www.openssh.com (?) and download the source for the
3.x version of OpenSSH, this is what i did.

Tal Ben-Eliezer
Descrypt Communications
www.descrypt.com

----- Original Message -----
From: "Randy Bush"
Sent: Monday, December 31, 2001 4:12 PM
Subject: openssh version

> i did a cvsup of -stable (4.5-prerelease) yesterday. it seems to have
> OpenSSH_2.9 as opposed to 3.0.x. for a number of reasons, this is a bit
> unsettling. do we expect an upgrade before 4.5-release?
>
> randy


Date: Mon, 31 Dec 2001 21:47:24 -0500
From: "Crist J. Clark"
To: Randy Bush
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: openssh version
Message-ID: <20011231214724.A2275@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: from randy@psg.com on Mon, Dec 31, 2001 at 01:12:50PM -0800
X-URL: http://people.freebsd.org/~cjc/

On Mon, Dec 31, 2001 at 01:12:50PM -0800, Randy Bush wrote:
> i did a cvsup of -stable (4.5-prerelease) yesterday. it seems to have
> OpenSSH_2.9 as opposed to 3.0.x. for a number of reasons, this is a bit
> unsettling.

What would those reasons be?

> do we expect an upgrade before 4.5-release?

No.

--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From: John Hay
Message-Id: <200201010631.g016Va856231@zibbi.icomtek.csir.co.za>
Subject: Re: openssh version
In-Reply-To: <20011231214724.A2275@gohan.cjclark.org> from "Crist J. Clark" at "Dec 31, 2001 09:47:24 pm"
To: cjclark@alum.mit.edu
Date: Tue, 1 Jan 2002 08:31:36 +0200 (SAT)
Cc: randy@psg.com (Randy Bush), freebsd-security@FreeBSD.ORG

> On Mon, Dec 31, 2001 at 01:12:50PM -0800, Randy Bush wrote:
> > i did a cvsup of -stable (4.5-prerelease) yesterday. it seems to have
> > OpenSSH_2.9 as opposed to 3.0.x. for a number of reasons, this is a bit
> > unsettling.
>
> What would those reasons be?

I can think of two:

If you check the version number that ours reports and then go to the
OpenSSH security page, http://www.openssh.org/security.html, it makes
you wonder. I know at least some of those things were fixed in our tree,
but it is confusing.

There were bug fixes made in the meantime. I have run into one of them:
if you use BitKeeper over ssh it would hang on exit under certain
conditions. The hang would be forever or until you did a "^C". Except it
is a little difficult to press "^C" in a cron script. This was tracked
to a problem fixed in OpenSSH 2.9.9. They now ship with this in their
relnotes:

==============================================================================
OpenSSH version 2.9 has a bug which can cause lost EOF errors when used
as a BitKeeper transport, especially over slow links. We've confirmed
that the problem has been fixed as of version 2.9.9; get an update at
http://www.openssh.com/portable.html
==============================================================================

My solution is to use the ports version.
Maybe we should remove the in-tree version and just get sysinstall to
install the ports version by default? Or otherwise maybe get the guy that
maintains the ports version to also do the in-tree version? He seems quite
quick in updating the ports version.

John
--
John Hay -- John.Hay@icomtek.csir.co.za


From: Randy Bush
To: John Hay
Cc: freebsd-security@freebsd.org
Subject: Re: openssh version
References: <20011231214724.A2275@gohan.cjclark.org> <200201010631.g016Va856231@zibbi.icomtek.csir.co.za>
Date: Mon, 31 Dec 2001 22:37:28 -0800

i urge folk to use 3.0 or greater

> My solution is to use the ports version.

and, to make it install over the one in the build tree, apply the following
patch to /usr/ports/security/openssh-portable

Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/openssh-portable/Makefile,v
retrieving revision 1.10
diff -u -r1.10 Makefile
--- Makefile 2001/11/07 13:47:51 1.10
+++ Makefile 2001/12/01 14:36:33
@@ -32,6 +32,8 @@
 CONFIGURE_ARGS+= --with-tcp-wrappers
 .endif
+CONFIGURE_ARGS+= --datadir=/usr/share --exec-prefix=/usr --sysconfdir=/etc/ssh --localstatedir=/var --mandir=/usr/share/man
+
 post-install:
 	@${CAT} ${PKGMESSAGE}
---

thanks to jacques vidrine for help the other month

randy


Date: Mon, 31 Dec 2001 22:44:26 -0800
From: "R.P. Aditya"
To: Randy Bush
Cc: freebsd-security@freebsd.org
Subject: Re: openssh version
Message-ID: <20011231224426.A75624@mighty.grot.org>
Reply-To: "R.P. Aditya"
References: <20011231214724.A2275@gohan.cjclark.org> <200201010631.g016Va856231@zibbi.icomtek.csir.co.za>
In-Reply-To: from randy@psg.com on Mon, Dec 31, 2001 at 10:37:28PM -0800
X-PGP-Key: http://www.grot.org/pubkey.asc
X-PGP-Key-ID: 0x6405D8D5

On Mon, Dec 31, 2001 at 10:37:28PM -0800, Randy Bush wrote:
> i urge folk to use 3.0 or greater

is there a particular reason? even if using ssh protocol ver 2?

Adi
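Review bot: in the Makefile hunk of Randy Bush's message above, the added `CONFIGURE_ARGS+=` line points configure at base-system locations (`--exec-prefix=/usr --sysconfdir=/etc/ssh --localstatedir=/var --mandir=/usr/share/man`) while leaving the port's own PREFIX untouched, so the package's plist will still describe a /usr/local install that no longer matches where the binaries, man pages and config actually land; pkg_delete will then neither remove nor protect them, and the "one in the build tree" the message wants to install over will simply be written back on top of /usr/bin/ssh and /etc/ssh the next time that tree is installed unless the base build is told to skip OpenSSH. Suggest a comment next to the new line stating that it is a local override, not a port change, and a note in the `${PKGMESSAGE}` printed by the unchanged `post-install:` target telling the admin to exclude the base OpenSSH from world builds.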