From owner-freebsd-security Sun Mar 21 00:01:02 1999
From: grady@xcf.berkeley.edu (Steven Grady)
Date: Sun, 21 Mar 1999 00:01:00 -0800
To: freebsd-security@freebsd.org
Subject: question about e-bay breakin last week

According to the story, the cracker who got into e-Bay last week got in via FreeBSD. Does anyone know anything more about this?

"I exploited a buffer overflow condition, which existed in an SUID root program," says the hacker, who is finishing up a B.S. in computer science. "Then I used software which I had written myself to get to the rest of the network. FreeBSD was the first machine I accessed, the rest were Solaris."

Full URL: http://www.forbes.com/tool/html/99/mar/0319/side1.htm

Steven
grady@xcf.berkeley.edu
"Where do we keep all our chainsaws, mom?"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message


From owner-freebsd-security Sun Mar 21 00:18:51 1999
From: mike@seidata.com
Date: Sun, 21 Mar 1999 03:18:25 -0500 (EST)
To: Steven Grady
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: question about e-bay breakin last week

On Sun, 21 Mar 1999, Steven Grady wrote:

> According to the story, the cracker who got into e-Bay last week got
> in via FreeBSD. Does anyone know anything more about this?

Does anyone else think the story sounds a bit fishy? The 'hacker' mentions little more than well-known 'hacking cliches', and the 'proof' that is mentioned (a bogus page placed on one of Ebay's web servers) could have just as easily been accomplished by spoofed DNS.

*shrug*

Later,

-Mike


From owner-freebsd-security Sun Mar 21 01:02:46 1999
From: Matthew Dillon
Date: Sun, 21 Mar 1999 01:02:20 -0800 (PST)
Cc: Steven Grady, freebsd-security@FreeBSD.ORG
Subject: Re: question about e-bay breakin last week

:On Sun, 21 Mar 1999, Steven Grady wrote:
:
:> According to the story, the cracker who got into e-Bay last week got
:> in via FreeBSD. Does anyone know anything more about this?
:
:Does anyone else think the story sounds a bit fishy? The 'hacker'
:mentions little more than well-known 'hacking cliches', and the
:'proof' that is mentioned (a bogus page placed on one of Ebay's web
:servers) could have just as easily been accomplished by spoofed DNS.
:
:*shrug*
:
:Later,
:
: -Mike

It's hard to say. It depends how up-to-date EBay's machines are. If they are running too-old versions of (name virtually any third-party server software here) then breaking in would be trivial. If they are up-to-date then breaking in would be near impossible. I think the last FreeBSD-specific hole was in lpd, closed 6+ months ago. But there have been dozens of holes in popular third party programs closed, some quite recently. popper, imapd, wu-ftpd, a couple of possible holes in sshd, named, and so forth. You name it.

Most of these holes were fixed months ago, but if a company does not keep their systems up-to-date they'd be wide open. Just look at the number of people running older FreeBSD releases -- I wonder how many bother to update their ports installs at all. The problem is even worse for Linux (though nothing compared to the disaster called 'NT').

I can say that whenever a new hole is found, ISPs tend to get hit first. I haven't heard anyone at BEST screaming recently so it's doubtful that a new hole has been found.

Also suspect is the fact that EBay should be running secure servers --- they shouldn't be running *any* standard services on their servers and they sure as hell don't have consumer shell accounts. Security holes are typically exploited through standard services or consumer shell accounts. The machines should therefore be reasonably secure unless EBay had shit for brains when they wrote the CGI support for their web site.

-Matt
Matthew Dillon


From owner-freebsd-security Sun Mar 21 01:03:21 1999
From: "Steven Alexander"
Date: Sun, 21 Mar 1999 01:01:38 -0800
Subject: Re: question about e-bay breakin last week

I honestly wonder how accurate the Forbes article is. I don't think it's too bright to talk to journalists after hacking several major sites. At any rate, there are still many undiscovered buffer overflows in most OS's and FreeBSD is not immune. I wouldn't doubt that somebody wrote an exploit for an as of yet undiscovered (publicly) one.

my $.02

-steven

-----Original Message-----
From: mike@seidata.com
To: Steven Grady
Cc: freebsd-security@FreeBSD.ORG
Date: Saturday, March 20, 1999 11:17 PM
Subject: Re: question about e-bay breakin last week

>On Sun, 21 Mar 1999, Steven Grady wrote:
>
>> According to the story, the cracker who got into e-Bay last week got
>> in via FreeBSD. Does anyone know anything more about this?
>
>Does anyone else think the story sounds a bit fishy? The 'hacker'
>mentions little more than well-known 'hacking cliches', and the
>'proof' that is mentioned (a bogus page placed on one of Ebay's web
>servers) could have just as easily been accomplished by spoofed DNS.
>
>*shrug*


From owner-freebsd-security Sun Mar 21 01:10:29 1999
From: "Harry M. Leitzell"
Date: Sun, 21 Mar 1999 04:09:56 -0500 (EST)
To: mike@seidata.com
Cc: Steven Grady, freebsd-security@FreeBSD.ORG
Subject: Re: question about e-bay breakin last week

On Sun, 21 Mar 1999 mike@seidata.com wrote:

> On Sun, 21 Mar 1999, Steven Grady wrote:
>
> > According to the story, the cracker who got into e-Bay last week got
> > in via FreeBSD. Does anyone know anything more about this?
>
> Does anyone else think the story sounds a bit fishy? The 'hacker'
> mentions little more than well-known 'hacking cliches', and the
> 'proof' that is mentioned (a bogus page placed on one of Ebay's web
> servers) could have just as easily been accomplished by spoofed DNS.
>
> *shrug*
>
> Later,
>
> -Mike

It might be the journalist instead of MagicFX who came up with the wording. Most writers will do that to aim for a larger audience than the technically literate crowd. I am a bit peeved that it didn't mention the program he used that had a buffer overflow in it though. Spoofed DNS would imply he only rerouted requests to a machine he already had access to and that Exodus doesn't really keep its name servers up to date (that is bull because they run an EFnet IRC server and keep their bind versions bleeding edge for the exact reason of preventing spoofing). I am guessing that the student did break in and the journalist just dumbed down what he said to capture the mainstream audience.

-Harry


From owner-freebsd-security Mon Mar 22 01:28:52 1999
From: "mr. t"
Date: Mon, 22 Mar 1999 01:28:30 -0800 (PST)
To: freebsd-security@freebsd.org
Subject: need to speak to security officer

Officer(s):

Please email me direct, I do not want what I've found to appear for everyone.


From owner-freebsd-security Mon Mar 22 01:47:29 1999
From: Jay Tribick
Date: Mon, 22 Mar 1999 09:46:47 +0000
To: "mr. t"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: need to speak to security officer

> Officer(s):
>
> Please email me direct, I do not want what I've found to appear for
> everyone.

Sounds ominous :)

--
Regards,

Jay Tribick

[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]


From owner-freebsd-security Mon Mar 22 01:59:04 1999
From: "Dan Langille"
Organization: The FreeBSD Diary
Date: Mon, 22 Mar 1999 21:58:49 +1200
To: Jay Tribick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: need to speak to security officer

On 22 Mar 99, at 9:46, Jay Tribick wrote:

> > Officer(s):
> >
> > Please email me direct, I do not want what I've found to appear for
> > everyone.
>
> Sounds ominous :)

Sounds fun actually. I'd love to know.

--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd


From owner-freebsd-security Mon Mar 22 05:22:44 1999
From: mwlucas@exceptionet.com
Date: Mon, 22 Mar 1999 08:16:46 -0500 (EST)
To: n8412060@cc.wwu.edu (mr. t)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: need to speak to security officer

I believe you can mail him directly as security-officer@freebsd.org

==ml

> Officer(s):
>
> Please email me direct, I do not want what I've found to appear for
> everyone.

--
Michael Lucas | Exceptionet, Inc. | www.exceptionet.com
"Exceptional Networking" |


From owner-freebsd-security Mon Mar 22 07:38:15 1999
From: Andrew McNaughton
Date: Tue, 23 Mar 1999 03:37:32 +1200
To: freebsd-security@FreeBSD.ORG
Cc: mwlucas@exceptionet.com
Subject: Re: need to speak to security officer

There was an announcement a while back that the FreeBSD security officer was resigning his post. I haven't seen any announcements since saying that we have a new one.

The security-officer@freebsd.org address is the correct address to use. I gather that it goes to several people.

Andrew McNaughton

> I believe you can mail him directly as security-officer@freebsd.org
>
> ==ml
>
> > Officer(s):
> >
> > Please email me direct, I do not want what I've found to appear for
> > everyone.

--
-----------
Andrew McNaughton
andrew@squiz.co.nz
http://www.newsroom.co.nz/


From owner-freebsd-security Mon Mar 22 08:28:43 1999
From: Erwan Arzur
Organization: NetValue S.A.
Date: Mon, 22 Mar 1999 17:27:50 +0100
To: security@freebsd.org
Subject: natd + nmap ?

I just tried to scan a FreeBSD 3.0 w/ natd, and it appears that using the -sU flag with nmap seems to completely lock natd at 100% CPU. Thus, there is no way to send any packet in or out of the gateway.

Am I right in assuming this is a kind of DOS attack? Is there any way to prevent this kind of thing from happening, like an option to natd to make it drop incoming packets when reaching a given load?


From owner-freebsd-security Mon Mar 22 08:46:27 1999
From: "David G. Andersen"
Date: Mon, 22 Mar 1999 09:46:04 -0700 (MST)
To: Erwan Arzur
Cc: security@FreeBSD.ORG
Subject: Re: natd + nmap ?

I assume this was scanning from *inside* the natd gateway to the outside world? That's not too surprising, though the drop behavior you suggest would be better.

-Dave

Lo and Behold, Erwan Arzur said:
> I just tried to scan a FreeBSD 3.0 w/ natd, and it appears that using the
> -sU flag with nmap seems to completely lock natd at 100% cpu. Thus,
> there is no way to send any packet in or out of the gateway.
>
> I am right assuming this is a kind of DOS attack ? Is there any way to
> prevent this kind of thing to happen, like an option to natd to make it
> drop incoming packets when reaching a given load ?

--
work: danderse@cs.utah.edu me: angio@pobox.com
University of Utah http://www.angio.net/
Computer Science - Flux Research Group
"What's footnote FIVE?"


From owner-freebsd-security Mon Mar 22 08:56:07 1999
From: Erwan Arzur
Organization: NetValue S.A.
Date: Mon, 22 Mar 1999 17:55:42 +0100
To: "David G. Andersen"
Cc: security@FreeBSD.ORG
Subject: Re: natd + nmap ?

"David G. Andersen" wrote:
> I assume this was scanning from *inside* the natd gateway to the
> outside world? That's not too surprising, though the drop behavior
> you suggest would be better.

No, it was from an external computer (not trusted at all), scanning the external I/F of a temporary gateway I've installed on our external network (it will be removed soon ...) ...


From owner-freebsd-security Mon Mar 22 09:22:01 1999
From: Eivind Eklund
Date: Mon, 22 Mar 1999 18:21:17 +0100
To: Andrew McNaughton
Cc: freebsd-security@FreeBSD.ORG, mwlucas@exceptionet.com
Subject: Re: need to speak to security officer

On Tue, Mar 23, 1999 at 03:37:32AM +1200, Andrew McNaughton wrote:
>
> There was an announcement a while back that the FreeBSD security officer was
> resigning his post. I haven't seen any announcements since saying that we
> have a new one.

We have an acting security officer: Warner Losh

To refer to the authoritative source, the CVS logs for handbook/contrib.sgml:

1.340 Sun Feb 7 13:06:22 1999 UTC by eivind
Guido don't quit being a committer just because he leaves the core team :-) Also, change Security Officer role to point at imp (that's him over in the corner - he's the scapegoat now!)

> The security-officer@freebsd.org address is the correct address to use. I
> gather that it goes to several people.

That's correct. It reaches the entire security team, for which official up-to-date listings are currently not available. (It used to be possible to get the list of who is on the security team by running 'expn' against hub, but that route is now closed).

Eivind.


From owner-freebsd-security Mon Mar 22 09:34:00 1999
From: Warner Losh
Date: Mon, 22 Mar 1999 10:32:46 -0700
To: Andrew McNaughton
Cc: freebsd-security@FreeBSD.ORG, mwlucas@exceptionet.com
Subject: Re: need to speak to security officer

-----BEGIN PGP SIGNED MESSAGE-----

In message <199903221537.PAA06235@aniwa.sky> Andrew McNaughton writes:
: There was an announcement a while back that the FreeBSD security officer was
: resigning his post. I haven't seen any announcements since saying that we
: have a new one.

We do have a new one. Me. No announcement has been made about this, however.

: The security-officer@freebsd.org address is the correct address to use. I
: gather that it goes to several people.

Yes. Continue to use that.

Warner

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


From owner-freebsd-security Mon Mar 22 09:36:24 1999
From: net admin
Date: Mon, 22 Mar 1999 09:35:57 -0800 (PST)
To: "mr. t"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: need to speak to security officer

Why not? We all want to benefit from your discovery!! After all, that's what this list is about. Especially security!

On Mon, 22 Mar 1999, mr. t wrote:

> Officer(s):
>
> Please email me direct, I do not want what I've found to appear for
> everyone.


From owner-freebsd-security Mon Mar 22 09:43:00 1999
From: Pete Fritchman
Date: Mon, 22 Mar 1999 10:42:37 -0700 (MST)
To: net admin
Cc: "mr. t", freebsd-security@FreeBSD.ORG
Subject: Re: need to speak to security officer

The general procedure seems to be to get a patch out for it that you can release when you release the news to the public. Otherwise, it will be script kiddie heaven everywhere, which nobody will appreciate.

---------------------------------
| Pete C. Fritchman |
| hideaway@hideaway.ms |
| Systems Administrator |
---------------------------------
What's the similarity between an air conditioner and a computer?
They both stop working when you open windows.

On Mon, 22 Mar 1999, net admin wrote:

> Why not? we all want to benefit from your discovery!!
> afterall that what this list is about. especially security!
>
> On Mon, 22 Mar 1999, mr. t wrote:
>
> > Officer(s):
> >
> > Please email me direct, I do not want what I've found to appear for
> > everyone.


From owner-freebsd-security Mon Mar 22 10:04:30 1999
From: Julian Assange
Date: Tue, 23 Mar 1999 05:00:05 +1100 (EST)
To: hideaway@hideaway.ms (Pete Fritchman)
Cc: admin@pacex.net, n8412060@cc.wwu.edu, freebsd-security@FreeBSD.ORG
Subject: Re: need to speak to security officer

> The general procedure seems to get a patch out for it you can release when
> you release the news to the public. Otherwise, it will be script kiddie
> heaven everywhere, which nobody will appreciate.

Script kiddies are people too. Ain't nothing wrong with a little loving.

Julian.
From owner-freebsd-security Mon Mar 22 10:19:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell.shellsys.net (shellsys.net [207.66.106.66]) by hub.freebsd.org (Postfix) with ESMTP id 0B91114CE2 for ; Mon, 22 Mar 1999 10:19:27 -0800 (PST) (envelope-from hideaway@hideaway.ms)
Received: from localhost (localhost [127.0.0.1]) by shell.shellsys.net (Postfix) with ESMTP id 3AD4C1F20; Mon, 22 Mar 1999 11:19:08 -0700 (MST)
Date: Mon, 22 Mar 1999 11:19:08 -0700 (MST)
From: Pete Fritchman
X-Sender: hideaway@shell.shellsys.net
To: Julian Assange
Cc: admin@pacex.net, n8412060@cc.wwu.edu, freebsd-security@FreeBSD.ORG
Subject: Re: need to speak to security officer
In-Reply-To: <199903221800.FAA19540@yoshi.iq.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yep, when a little group of "31337 h4x0rs" goes and rm -rf's 20 boxes,
they aren't just people, they are assholes. That's why a patch will be
nice, so systems that care about not getting hacked won't get hacked.

---------------------------------
| Pete C. Fritchman             |
| hideaway@hideaway.ms          |
| Systems Administrator         |
---------------------------------
What's the similarity between an air
conditioner and a computer? They both
stop working when you open windows.

On Tue, 23 Mar 1999, Julian Assange wrote:

> > The general procedure seems to be to get a patch out for it that you can
> > release when you release the news to the public. Otherwise, it will be
> > script kiddie heaven everywhere, which nobody will appreciate.
>
> Script kiddies are people too. Ain't nothing wrong with a little loving.
>
> Julian.

From owner-freebsd-security Mon Mar 22 13: 5:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 19A4214A2F for ; Mon, 22 Mar 1999 13:05:42 -0800 (PST) (envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id MAA43497; Mon, 22 Mar 1999 12:59:34 -0800 (PST) (envelope-from jkh@zippy.cdrom.com)
To: Julian Assange
Cc: hideaway@hideaway.ms (Pete Fritchman), admin@pacex.net, n8412060@cc.wwu.edu, freebsd-security@FreeBSD.ORG
Subject: Re: need to speak to security officer
In-reply-to: Your message of "Tue, 23 Mar 1999 05:00:05 +1100." <199903221800.FAA19540@yoshi.iq.org>
Date: Mon, 22 Mar 1999 12:59:34 -0800
Message-ID: <43495.922136374@zippy.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Script kiddies are people too.

No they're not.

- Jordan

From owner-freebsd-security Mon Mar 22 17:41:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.enteract.com (thor.enteract.com [207.229.143.11]) by hub.freebsd.org (Postfix) with SMTP id 42C6C14F59 for ; Mon, 22 Mar 1999 17:41:52 -0800 (PST) (envelope-from dscheidt@enteract.com)
Received: (qmail 27884 invoked from network); 23 Mar 1999 01:33:06 -0000
Received: from nathan.enteract.com (dscheidt@207.229.143.6) by thor.enteract.com with SMTP; 23 Mar 1999 01:33:06 -0000
Date: Mon, 22 Mar 1999 19:33:06 -0600 (CST)
From: David Scheidt
To: "Jordan K. Hubbard"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: need to speak to security officer
In-Reply-To: <43495.922136374@zippy.cdrom.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 22 Mar 1999, Jordan K. Hubbard wrote:
:> Script kiddies are people too.
:
:No they're not.

Sure they are. So's soylent green.

From owner-freebsd-security Mon Mar 22 22:40: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from drwho.xnet.com (drwho.xnet.com [205.243.140.183]) by hub.freebsd.org (Postfix) with ESMTP id 376571534B for ; Mon, 22 Mar 1999 22:39:51 -0800 (PST) (envelope-from drwho@drwho.xnet.com)
Received: (from drwho@localhost) by drwho.xnet.com (8.9.2/8.9.2) id NAA04973 for freebsd-security@FreeBSD.ORG; Mon, 22 Mar 1999 13:04:46 -0600 (CST) (envelope-from drwho)
Date: Mon, 22 Mar 1999 13:04:45 -0600
From: Michael Maxwell
To: freebsd-security@FreeBSD.ORG
Subject: Needless to say...
Message-ID: <19990322130445.D4838@drwho.xnet.com>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <199903221800.FAA19540@yoshi.iq.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: ; from Pete Fritchman on Mon, Mar 22, 1999 at 11:19:08AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'll be sending off a copy of that one spam that was in here to CAUCE --
I'm sure they'll be thrilled with that one: A spammer advertising for
CAUCE :)

--
Michael Maxwell | http://www.xnet.com/~drwho/
"American Justice: oxymoron. William J. Clinton: moron." --M. Maxwell (1999)

From owner-freebsd-security Tue Mar 23 1:46:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta1-rme.xtra.co.nz (mta.xtra.co.nz [203.96.92.1]) by hub.freebsd.org (Postfix) with ESMTP id C165914C4E for ; Tue, 23 Mar 1999 01:46:05 -0800 (PST) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.164.76]) by mta1-rme.xtra.co.nz (InterMail v04.00.02.07 201-227-108) with SMTP id <19990323094649.CJVN4957949.mta1-rme@wocker>; Tue, 23 Mar 1999 21:46:49 +1200
From: "Dan Langille"
Organization: The FreeBSD Diary
To: Warren Toomey
Date: Tue, 23 Mar 1999 21:46:01 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: unknown connection attempts from localhost
Reply-To: junkmale@xtra.co.nz
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: <199903182305.KAA10759@henry.cs.adfa.edu.au>
References: <000001be7191$b78e5e70$0a0010ac@ren.craxx.com> from laurens van alphen at "Mar 18, 1999 11:50:27 pm"
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990323094649.CJVN4957949.mta1-rme@wocker>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 19 Mar 99, at 10:05, Warren Toomey wrote:

> > > [snip] Connection attempt to UDP 127.0.0.1:1645 from 127.0.0.1:53
> > > [snip] Connection attempt to UDP 127.0.0.1:1739 from 127.0.0.1:53
>
> Usually a reply to a DNS request from your machine. Your client has
> timed out, but the reply from the server still comes back. There
> just isn't anybody there to receive it.

I was looking at my kernel.log last night when I realised I was getting
these messages whenever my security logs were mailed out to me. Then I
remembered I was also having trouble with my ADSL modem. The two issues
are linked.
At present, this is just a theory, so I'd like feedback on whether or not
the list thinks this is what is actually happening.

My topology looks something like this:

    210.55.164.76  assigned by DHCP server at my ISP
          |
      ADSL Modem
          |
    192.168.1.254
          |
          |
    192.168.0.1    as assigned via DHCP by the modem (ed0)
          |
       FreeBSD
          |
    192.168.0.156  static (ed1)
          |
          |
       my Hub

The ADSL modem contains a firewall, DHCP server, and does NAT. It's a
Nokia M10. The firewall therein allows for only 8 pinholes. So I have
http, telnet, dns, and mail coming in/out, but that's it.

I run a DNS for freebsddiary.cx on the FreeBSD box. When a request comes
for that DNS I think it's actually going from the FreeBSD box, out to the
ADSL modem which tries to send it back in again, but it's blocked by the
modem's firewall because it's come from inside (i.e. the modem thinks
it's a spoofed packet). This causes the timeout and hence the entries in
kernel.log.

I have similar problems when browsing to my own websites. I can't get to
http://www.freebsddiary.cx, but you can. It's because of the firewall in
the modem. My ISP has acknowledged the problem and is "looking into it".

Today I was toying with adding routing or redirect information so that
such requests never leave the FreeBSD box. I'm running ipfilter on the
FreeBSD box so doing that should be pretty straightforward. But that's
for another day.

cheers
--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

From owner-freebsd-security Tue Mar 23 5:27:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id 9158A14C87 for ; Tue, 23 Mar 1999 05:27:16 -0800 (PST) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id OAA15108; Tue, 23 Mar 1999 14:26:56 +0100 (CET)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id OAA41482; Tue, 23 Mar 1999 14:26:56 +0100 (MET)
Date: Tue, 23 Mar 1999 14:26:55 +0100
From: Eivind Eklund
To: Erwan Arzur
Cc: security@FreeBSD.ORG
Subject: Re: natd + nmap ?
Message-ID: <19990323142655.D40692@bitbox.follo.net>
References: <36F66F86.88FA36E3@netvalue.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: <36F66F86.88FA36E3@netvalue.fr>; from Erwan Arzur on Mon, Mar 22, 1999 at 05:27:50PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 22, 1999 at 05:27:50PM +0100, Erwan Arzur wrote:
> I just tried to scan a FreeBSD 3.0 w/ natd, and it appears that using the
> -sU flag with nmap seems to completely lock natd at 100% cpu. Thus,
> there is no way to send any packet in or out of the gateway.

And -sU does what?

There are two possibilities: A genuine bug in libalias or natd making
it just spin, or a total overload of libalias.

My very first suspicion would be that this sends a gazillion SYN
packets, and that the active connections table in libalias gets
clogged. If this is the case, fixing it requires re-writing a bit of
the data structure handling code for libalias. I started this about a
year ago, but I dropped finishing it because it seemed pretty useless
- a pure optimization against a piece of software that I'd never seen
be a significant piece of the load on a machine. I still have the
code, however, if somebody else is interested in finishing it (or
testing/debugging it once I get the time to do the finishing - I do
not have a practical setup for testing libalias at the moment.)

> Am I right assuming this is a kind of DoS attack? Is there any way to
> prevent this kind of thing from happening, like an option to natd to
> make it drop incoming packets when reaching a given load?

Not with the present code base.

Eivind.

From owner-freebsd-security Tue Mar 23 5:54:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fap.abaid.com (fap.abaid.com [194.242.196.41]) by hub.freebsd.org (Postfix) with ESMTP id 9093314DAC for ; Tue, 23 Mar 1999 05:54:07 -0800 (PST) (envelope-from Ernst.Dorfmann@Holzbau.com)
Received: (from uucp@localhost) by fap.abaid.com (8.9.1/8.9.1) with UUCP id OAA63434 for security@FreeBSD.ORG; Tue, 23 Mar 1999 14:53:58 +0100 (CET) (envelope-from Ernst.Dorfmann@Holzbau.com)
Received: from Dorfmann (Dorfmann.Holzbau.com [10.0.0.10]) by Server-Linux.Holzbau.com (8.8.8/8.8.8) with SMTP id OAA08176 for ; Tue, 23 Mar 1999 14:52:12 +0100
Received: by localhost with Microsoft MAPI; Tue, 23 Mar 1999 14:52:30 +0100
Message-ID: <01BE753C.C6750D40.Ernst.Dorfmann@Holzbau.com>
From: Ernst Dorfmann
To: "security@FreeBSD.ORG"
Date: Tue, 23 Mar 1999 14:52:28 +0100
Organization: Holzbau AG - S.p.a.
X-Mailer: Microsoft Internet E-Mail/MAPI - 8.0.0.4211
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe
unsubscribe security

From owner-freebsd-security Tue Mar 23 5:59:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from roo.stockholm.yahoo.com (roo.stockholm.yahoo.com [195.67.32.209]) by hub.freebsd.org (Postfix) with ESMTP id 330C315394 for ; Tue, 23 Mar 1999 05:58:43 -0800 (PST) (envelope-from felipe@europe.yahoo-inc.com)
Received: from europe.yahoo-inc.com (localhost [127.0.0.1]) by roo.stockholm.yahoo.com (8.9.2/8.9.1) with ESMTP id OAA38891; Tue, 23 Mar 1999 14:56:59 +0100 (CET) (envelope-from felipe@europe.yahoo-inc.com)
Message-ID: <36F79DAB.3C015C03@europe.yahoo-inc.com>
Date: Tue, 23 Mar 1999 14:56:59 +0100
From: Felipe Garcia
Organization: Yahoo!
X-Mailer: Mozilla 4.07 [en] (X11; I; FreeBSD 3.1-STABLE i386)
MIME-Version: 1.0
To: Pete Fritchman
Cc: Julian Assange, admin@pacex.net, n8412060@cc.wwu.edu, freebsd-security@FreeBSD.ORG
Subject: Re: need to speak to security officer
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Pete Fritchman wrote:

A patch will come out to fix this; some people will patch, others will
read the patch and do bad things. If what was found is that bad, let
people know about it so they can protect themselves; get a patch out
fast!

/felipe

> Yep, when a little group of "31337 h4x0rs" goes and rm -rf's 20 boxes,
> they aren't just people, they are assholes. That's why a patch will be
> nice, so systems that care about not getting hacked won't get hacked.
>
> ---------------------------------
> | Pete C. Fritchman             |
> | hideaway@hideaway.ms          |
> | Systems Administrator         |
> ---------------------------------
> What's the similarity between an air
> conditioner and a computer? They both
> stop working when you open windows.
>
> On Tue, 23 Mar 1999, Julian Assange wrote:
>
> > > The general procedure seems to be to get a patch out for it that you can
> > > release when you release the news to the public. Otherwise, it will be
> > > script kiddie heaven everywhere, which nobody will appreciate.
> >
> > Script kiddies are people too. Ain't nothing wrong with a little loving.
> >
> > Julian.

--
Felipe Garcia
felipe@europe.yahoo-inc.com
+46 8 412 69 84

From owner-freebsd-security Tue Mar 23 6:30:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fgw2.netvalue.fr (cegetel-gw.netvalue.fr [195.115.44.161]) by hub.freebsd.org (Postfix) with ESMTP id AFA2F14C14; Tue, 23 Mar 1999 06:30:39 -0800 (PST) (envelope-from erwan@netvalue.fr)
Received: (from bin@localhost) by fgw2.netvalue.fr (8.9.1/8.8.8) id PAA05420; Tue, 23 Mar 1999 15:30:20 +0100 (CET) (envelope-from erwan@netvalue.fr)
X-Authentication-Warning: fgw2.netvalue.fr: bin set sender to using -f
Received: from (etoile.netvalue.fr [192.168.1.11]) by fgw2.netvalue.fr via smap (V2.1) id xma005416; Tue, 23 Mar 99 15:30:10 +0100
Received: from netvalue.fr ([192.168.1.100]) by etoile.netvalue.fr (Netscape Messaging Server 3.5) with ESMTP id AAA4933; Tue, 23 Mar 1999 15:30:08 +0100
Message-ID: <36F7A568.4ACDBDE4@netvalue.fr>
Date: Tue, 23 Mar 1999 15:30:00 +0100
From: Erwan Arzur
Organization: NetValue S.A.
X-Mailer: Mozilla 4.5 [en] (X11; I; FreeBSD 4.0-CURRENT i386)
X-Accept-Language: en, fr-FR
MIME-Version: 1.0
To: Eivind Eklund
Cc: security@FreeBSD.ORG
Subject: Re: natd + nmap ?
References: <36F66F86.88FA36E3@netvalue.fr> <19990323142655.D40692@bitbox.follo.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Eivind Eklund wrote:
> On Mon, Mar 22, 1999 at 05:27:50PM +0100, Erwan Arzur wrote:
> > I just tried to scan a FreeBSD 3.0 w/ natd, and it appears that using the
> > -sU flag with nmap seems to completely lock natd at 100% cpu. Thus,
> > there is no way to send any packet in or out of the gateway.
>
> And -sU does what?
>
> There are two possibilities: A genuine bug in libalias or natd making
> it just spin, or a total overload of libalias.
>
> My very first suspicion would be that this sends a gazillion SYN
> packets, and that the active connections table in libalias gets
> clogged.

  -sU  UDP scans: This method is used to determine which UDP (User
       Datagram Protocol, RFC 768) ports are open on a host. The
       technique is to send 0 byte udp packets to each port on the
       target machine. If we receive an ICMP port unreachable message,
       then the port is closed. Otherwise we assume it is open.
       Some people think UDP scanning is pointless. I usually remind
       them of the recent Solaris rpcbind hole. Rpcbind can be found
       hiding on an undocumented UDP port somewhere above 32770. So it

> If this is the case, fixing it requires re-writing a bit of
> the data structure handling code for libalias. I started this about a
> year ago, but I dropped finishing it because it seemed pretty useless
> - a pure optimization against a piece of software that I'd never seen
> be a significant piece of the load on a machine. I still have the
> code, however, if somebody else is interested in finishing it (or
> testing/debugging it once I get the time to do the finishing - I do
> not have a practical setup for testing libalias at the moment.)

I can set up my own computer to test your code, if you wish ...

One can still prevent this kind of attack by trusting (divert to natd)
only a limited range of UDP ports, but this would make natd pretty
useless, anyway ...

Thanks

From owner-freebsd-security Tue Mar 23 6:46: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from glup.irobot.uv.es (glup.irobot.uv.es [147.156.160.55]) by hub.freebsd.org (Postfix) with ESMTP id 52B7D14F2A for ; Tue, 23 Mar 1999 06:43:25 -0800 (PST) (envelope-from dferruz@infase.es)
Received: from tango (tango.irobot.uv.es) by glup.irobot.uv.es with SMTP (1.39.111.2/16.2) id AA042824175; Tue, 23 Mar 1999 15:49:35 GMT
Message-Id: <004e01be74d6$ea94db80$0da09c93@tango.irobot.uv.es>
From: "David Ferruz"
Date: Tue, 23 Mar 1999 03:43:15 +0100
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0046_01BE74DF.48B67A40"
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-Mimeole: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe
From owner-freebsd-security Tue Mar 23 7: 7:32 1999
Delivered-To: freebsd-security@freebsd.org
Received: from glup.irobot.uv.es (glup.irobot.uv.es [147.156.160.55]) by hub.freebsd.org (Postfix) with ESMTP id 1E7F51530B for ; Tue, 23 Mar 1999 07:06:40 -0800 (PST) (envelope-from dferruz@infase.es)
Received: from tango (tango.irobot.uv.es) by glup.irobot.uv.es with SMTP (1.39.111.2/16.2) id AA043984927; Tue, 23 Mar 1999 16:02:07 GMT
Message-Id: <005401be74d8$a7c02ce0$0da09c93@tango.irobot.uv.es>
From: "David Ferruz"
Date: Tue, 23 Mar 1999 03:55:48 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-Mimeole: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe

From owner-freebsd-security Tue Mar 23 16:20:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 59A8015404 for ; Tue, 23 Mar 1999 16:19:40 -0800 (PST) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id QAA00295; Tue, 23 Mar 1999 16:18:52 -0800 (PST)
Message-ID: <19990323161852.A28384@best.com>
Date: Tue, 23 Mar 1999 16:18:52 -0800
From: "Jan B. Koum"
To: Felipe Garcia, Pete Fritchman
Cc: Julian Assange, admin@pacex.net, n8412060@cc.wwu.edu, freebsd-security@FreeBSD.ORG
Subject: Re: need to speak to security officer
References: <36F79DAB.3C015C03@europe.yahoo-inc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <36F79DAB.3C015C03@europe.yahoo-inc.com>; from Felipe Garcia on Tue, Mar 23, 1999 at 02:56:59PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nothing was found and there is nothing to worry about. The person who
started this thread was just confused .. everyone can calm down now...

-- Yan

On Tue, Mar 23, 1999 at 02:56:59PM +0100, Felipe Garcia wrote:
> Pete Fritchman wrote:
>
> A patch will come out to fix this; some people will patch, others will
> read the patch and do bad things. If what was found is that bad, let
> people know about it so they can protect themselves; get a patch out
> fast!
>
> /felipe
>
> > Yep, when a little group of "31337 h4x0rs" goes and rm -rf's 20 boxes,
> > they aren't just people, they are assholes. That's why a patch will be
> > nice, so systems that care about not getting hacked won't get hacked.
> >
> > ---------------------------------
> > | Pete C. Fritchman             |
> > | hideaway@hideaway.ms          |
> > | Systems Administrator         |
> > ---------------------------------
> > What's the similarity between an air
> > conditioner and a computer? They both
> > stop working when you open windows.
> >
> > On Tue, 23 Mar 1999, Julian Assange wrote:
> >
> > > > The general procedure seems to be to get a patch out for it that you can
> > > > release when you release the news to the public. Otherwise, it will be
> > > > script kiddie heaven everywhere, which nobody will appreciate.
> > >
> > > Script kiddies are people too. Ain't nothing wrong with a little loving.
> > >
> > > Julian.
>
> --
> Felipe Garcia
> felipe@europe.yahoo-inc.com
> +46 8 412 69 84

From owner-freebsd-security Wed Mar 24 6:30:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pascal.uol.com.br (pascal.uol.com.br [200.230.198.87]) by hub.freebsd.org (Postfix) with ESMTP id 42B3114BFD for ; Wed, 24 Mar 1999 06:30:44 -0800 (PST) (envelope-from agora@agoractvm.com.br)
Received: from agoractvm.com.br (rjo-max124.homeshopping.com.br [200.255.48.124]) by pascal.uol.com.br (8.9.1/8.9.1) with ESMTP id LAA15142; Wed, 24 Mar 1999 11:23:39 -0300 (EST)
Message-ID: <36F8F559.8F94487C@agoractvm.com.br>
Date: Wed, 24 Mar 1999 11:23:21 -0300
From: "Dep. de Teleinformática"
Reply-To: agora@agoractvm.com.br
Organization: ÁGORA C.T.V.M. S/A
X-Mailer: Mozilla 4.5 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Best of Security
Cc: Alessandro - xsandro, Andre Silveira David, "Axel Hollanda (aghi)", "Bia (Tear)", BK, BMF Rio, Cristiano Colpani, "Dep. de Teleinformática", Fernando Ultremare, FreeBSD Security, Guilherme Galileo Cox, Henrique, in0x, Luciana Vital de Matos, Marina, Misty, Nelson Brito, "Nilson R. A. de Brito", Paranoia, Paulo Junior, SDI Pilot, SECRETARIA BVRJ, Stratus, Thiago Modelli
Subject: NOVO VIRUS.
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Subject: ATTENTION: NEW VIRUS
This alert was issued by IBM!!

IF YOU RECEIVE AN E-MAIL WITH THE TITLE

"IT TAKES GUTS TO SAY JESUS". (IT TAKES COURAGE TO SAY JESUS)

DO NOT OPEN IT! IT WILL ERASE EVERYTHING ON YOUR HARD DRIVE. SEND THIS
MESSAGE TO AS MANY PEOPLE AS YOU CAN. THIS IS A NEW VIRUS AND NOT MANY
PEOPLE KNOW ABOUT IT. THIS INFORMATION WAS ANNOUNCED BY IBM. SHARE THIS
INFORMATION WITH EVERYONE WHO USES THE INTERNET.

--
Nelson / Guilherme
Teleinformatics Department
ÁGORA Corretora de Títulos e Valores Mobiliários S/A
Rio de Janeiro - RJ - Brasil

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
"He who asks is a fool for 5 minutes. He who does not ask is a fool
for his whole life!"
                                                        (Confucius)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From owner-freebsd-security Wed Mar 24 6:43:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell.shellsys.net (shellsys.net [207.66.106.66]) by hub.freebsd.org (Postfix) with ESMTP id 3166114BFD for ; Wed, 24 Mar 1999 06:43:12 -0800 (PST) (envelope-from hideaway@hideaway.ms)
Received: from localhost (localhost [127.0.0.1]) by shell.shellsys.net (Postfix) with ESMTP id BEFAC1F29 for ; Wed, 24 Mar 1999 07:42:52 -0700 (MST)
Date: Wed, 24 Mar 1999 07:42:52 -0700 (MST)
From: Pete Fritchman
X-Sender: hideaway@shell.shellsys.net
To: freebsd-security@freebsd.org
Subject: Re: NOVO VIRUS.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

heh, anyone know Spanish?

Out of that, I get that Jesus is going to invade our computers.

---------------------------------
| Pete C. Fritchman             |
| hideaway@hideaway.ms          |
| Systems Administrator         |
---------------------------------
What's the similarity between an air
conditioner and a computer? They both
stop working when you open windows.

On Wed, 24 Mar 1999, Dep. de Teleinformática wrote:

> Subject: ATTENTION: NEW VIRUS
> This alert was issued by IBM!!
>
> IF YOU RECEIVE AN E-MAIL WITH THE TITLE
>
> "IT TAKES GUTS TO SAY JESUS". (IT TAKES COURAGE TO SAY
> JESUS)
>
> DO NOT OPEN IT! IT WILL ERASE EVERYTHING ON YOUR HARD DRIVE. SEND
> THIS MESSAGE TO AS MANY PEOPLE AS YOU CAN. THIS IS A NEW VIRUS AND
> NOT MANY PEOPLE KNOW ABOUT IT. THIS INFORMATION WAS ANNOUNCED BY IBM.
> SHARE THIS INFORMATION WITH EVERYONE WHO USES THE INTERNET.
>
> --
> Nelson / Guilherme
> Teleinformatics Department
> ÁGORA Corretora de Títulos e Valores Mobiliários S/A
> Rio de Janeiro - RJ - Brasil
>
> *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> "He who asks is a fool for 5 minutes. He who does not ask is a fool
> for his whole life!"
>                                                         (Confucius)
> *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From owner-freebsd-security Wed Mar 24 6:53:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 129C414E4E for ; Wed, 24 Mar 1999 06:53:24 -0800 (PST) (envelope-from fpscha@ns1.sminter.com.ar)
Received: (from fpscha@localhost) by ns1.sminter.com.ar (8.8.5/8.8.4) id LAA03986; Wed, 24 Mar 1999 11:52:49 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <199903241452.LAA03986@ns1.sminter.com.ar>
Subject: Re: NOVO VIRUS.
In-Reply-To: from Pete Fritchman at "Mar 24, 99 07:42:52 am"
To: hideaway@hideaway.ms (Pete Fritchman)
Date: Wed, 24 Mar 1999 11:52:49 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In an earlier message, Pete Fritchman wrote:
> heh, anyone know Spanish?

Yes, I do. But the original message is in Portuguese ;-)

It talks about an evil virus that will crash our hard disks and do a lot
of other evil things. It asks us to spread the message :(

The only interesting thing is the sender's signature:

"The one who asks is a fool for five minutes. The one who doesn't ask is
a fool for lifetime." (Confucius)

Regards.

Fernando P. Schapachnik
Network administration
VIA Net Works Argentina SA

From owner-freebsd-security Wed Mar 24 7: 1:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.insolwwb.net (ns.insolwwb.net [206.31.149.200]) by hub.freebsd.org (Postfix) with ESMTP id 5491714BFD for ; Wed, 24 Mar 1999 07:01:17 -0800 (PST) (envelope-from mgrommet@insolwwb.net)
Received: from mike (isinet.insolwwb.net [208.150.248.1]) by ns.insolwwb.net (8.9.0/8.9.0) with SMTP id IAA06834; Wed, 24 Mar 1999 08:53:15 -0600 (CST)
From: mike grommet
To: "'Pete Fritchman'"
Subject: RE: NOVO VIRUS.
Date: Wed, 24 Mar 1999 09:02:47 -0600
Message-ID: <4092EFCAF9AAD211A6080060976792610140BA@ISIMAIL>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
In-reply-to: <4092EFCAF9AAD211A6080060976792610C95BF@ISIMAIL>
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Actually, I think it's Portuguese, and no, I don't speak or write that
one either.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Pete Fritchman
Sent: Wednesday, March 24, 1999 8:43 AM
To: freebsd-security@FreeBSD.ORG
Subject: Re: NOVO VIRUS.

heh, anyone know Spanish?

Out of that, I get that Jesus is going to invade our computers.

---------------------------------
| Pete C. Fritchman             |
| hideaway@hideaway.ms          |
| Systems Administrator         |
---------------------------------
What's the similarity between an air
conditioner and a computer? They both
stop working when you open windows.

On Wed, 24 Mar 1999, Dep.
de [iso-8859-1] Teleinformática wrote: > Assunto: ATENÇÃO: NOVO VÍRUS > Este alerta foi dado pela IBM!! > > SE VOCÊ RECEBER UM E-MAIL COM O TÍTULO > > "IT TAKES GUTS TO SAY JESUS". (É PRECISO CORAGEM PARA DIZER > JESUS) > > NÃO ABRA! ELE VAI APAGAR TUDO NO SEU HARD DRIVE. MANDE > ESSA MENSAGEM PARA O MAIOR NÚMERO DE PESSOAS QUE VC > PUDER. ESTE É UM VÍRUS NOVO E NÃO SÃO MUITAS PESSOAS QUE > O CONHECEM. ESTA INFORMAÇÃO FOI ANUNCIADA PELA IBM. > DIVIDA ESSA INFORMAÇÃO COM TODO MUNDO QUE ACESSA A > INTERNET. > > > > > > -- > Nelson / Guilherme > Departamento de Teleinfomática > ÁGORA Corretora de Títulos e Valores Mobiliários S/A > Rio de Janeiro - RJ - Brasil > > *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* > "Aquele que pergunta, e' tolo por 5 minutos. E aquele que nao pergunta > e' tolo por toda a vida !" > (Confucio) > *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 24 7: 2:27 1999 Delivered-To: freebsd-security@freebsd.org Received: from kant.uol.com.br (kant.uol.com.br [200.246.5.74]) by hub.freebsd.org (Postfix) with ESMTP id 03D5014FF4 for ; Wed, 24 Mar 1999 07:02:20 -0800 (PST) (envelope-from agora@agoractvm.com.br) Received: from agoractvm.com.br (rjo-max240.homeshopping.com.br [200.255.48.240]) by kant.uol.com.br (8.9.1/8.9.1) with ESMTP id MAA14802; Wed, 24 Mar 1999 12:01:24 -0300 (EST) Message-ID: <36F8FD63.412BE2AF@agoractvm.com.br> Date: Wed, 24 Mar 1999 11:57:39 -0300 From: "Dep. de =?iso-8859-1?Q?Teleinform=E1tica?=" Reply-To: agora@agoractvm.com.br Organization: =?iso-8859-1?Q?=C1GORA?= C.T.V.M. 
S/A X-Mailer: Mozilla 4.5 [en] (Win95; I) X-Accept-Language: en MIME-Version: 1.0 To: Fernando Schapachnik Cc: Pete Fritchman , freebsd-security@FreeBSD.ORG Subject: Re: NOVO VIRUS. References: <199903241452.LAA03986@ns1.sminter.com.ar> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Fernando Schapachnik wrote: > > En un mensaje anterior, Pete Fritchman escribió: > > heh, anyone know spanish? > > Yes, I do. But the original message is in portuguese ;-) > It talks about an evil virus that will crash our hard disks and do a lot > of other evil things. It asks us to spread the message :( > > The only interesting thing is the sender's signature: > "The one who asks is a fool for five minutes. The one who doesn't ask is a > fool for lifetime." (Confuce) > > Regards. > > Fernando P. Schapachnik > Administracion de la red > VIA Net Works Argentina SA > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message Look I just foward this message for anyone in my BookAddress, if it's disturb just delet it... -- Nelson / Guilherme Departamento de Teleinfomática ÁGORA Corretora de Títulos e Valores Mobiliários S/A Rio de Janeiro - RJ - Brasil *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* "Aquele que pergunta, e' tolo por 5 minutos. E aquele que nao pergunta e' tolo por toda a vida !" 
(Confucio) *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 24 7: 8:15 1999 Delivered-To: freebsd-security@freebsd.org Received: from obie.softweyr.com (unknown [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 42A3614E52 for ; Wed, 24 Mar 1999 07:07:22 -0800 (PST) (envelope-from wes@softweyr.com) Received: from softweyr.com (wes@zaphod.softweyr.com [204.68.178.35]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id IAA21910; Wed, 24 Mar 1999 08:06:55 -0700 (MST) (envelope-from wes@softweyr.com) Message-ID: <36F8FF8E.F276BA9D@softweyr.com> Date: Wed, 24 Mar 1999 08:06:54 -0700 From: Wes Peters Organization: Softweyr llc X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: mgrommet@insolwwb.net Cc: "'Pete Fritchman'" , freebsd-security@FreeBSD.ORG Subject: Re: NOVO VIRUS. References: <4092EFCAF9AAD211A6080060976792610140BA@ISIMAIL> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org mike grommet wrote: > > Actually, I think its portuguese, and no, I don't speak or write that one > either. Babelfish does. Here's that it produced: IT DOES NOT OPEN! IT VAI TO DELETE EVERYTHING IN ITS HARD DRIVE. IT ORDERS THIS MESSAGE FOR THE BIGGEST NUMBER OF PEOPLE WHO VC WILL BE ABLE. THIS IS A NEW VIRUS AND THEY ARE NOT MUITAS PEOPLE WHO KNOW IT. THIS INFORMATION WAS ANNOUNCED BY IBM. IT DIVIDES THIS INFORMATION WITH THAT IT HAS ACCESS THE INTERNET. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 24 7:14:43 1999 Delivered-To: freebsd-security@freebsd.org Received: from gateway.newtoy.com (snowfox.pr.mcs.net [205.164.44.72]) by hub.freebsd.org (Postfix) with ESMTP id 8C52A14C19 for ; Wed, 24 Mar 1999 07:14:40 -0800 (PST) (envelope-from snowfox@snowfox.net) Received: from milk (snowfox [192.168.2.1]) by gateway.newtoy.com (8.8.8/8.8.8) with SMTP id JAA04389 for ; Wed, 24 Mar 1999 09:17:45 -0600 (CST) (envelope-from snowfox@snowfox.net) Message-ID: <00d801be7609$7626f380$0102a8c0@newtoy.com> From: "SnowFox" To: References: <4092EFCAF9AAD211A6080060976792610140BA@ISIMAIL> Subject: Re: NOVO VIRUS. Date: Wed, 24 Mar 1999 09:17:41 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2014.211 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It's Portuguese. It basically says that if you see a message with "It takes guts to say 'Jesus'" or similar, it shouldn't be read - it has the ability to format your hard drive without [attachments?] even being opened. It also says the author received this information directly from IBM. Sounds like "Good times" to me. :p ----- Original Message ----- From: mike grommet To: 'Pete Fritchman' Cc: Sent: Wednesday, March 24, 1999 9:02 AM Subject: RE: NOVO VIRUS. > Actually, I think its portuguese, and no, I don't speak or write that one > either. > > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Pete Fritchman > Sent: Wednesday, March 24, 1999 8:43 AM > To: freebsd-security@FreeBSD.ORG > Subject: Re: NOVO VIRUS. 
> > > > heh, anyone know spanish? > > Out of that, I get that Jesus is going to invade our computers. > > --------------------------------- > | Pete C. Fritchman | > | hideaway@hideaway.ms | > | Systems Administrator | > --------------------------------- > What's the similarity between an air > conditioner and a computer? They both > stop working when you open windows. > > On Wed, 24 Mar 1999, Dep. de [iso-8859-1] Teleinformática wrote: > > > Assunto: ATENÇÃO: NOVO VÍRUS > > Este alerta foi dado pela IBM!! > > > > SE VOCÊ RECEBER UM E-MAIL COM O TÍTULO > > > > "IT TAKES GUTS TO SAY JESUS". (É PRECISO CORAGEM PARA DIZER > > JESUS) > > > > NÃO ABRA! ELE VAI APAGAR TUDO NO SEU HARD DRIVE. MANDE > > ESSA MENSAGEM PARA O MAIOR NÚMERO DE PESSOAS QUE VC > > PUDER. ESTE É UM VÍRUS NOVO E NÃO SÃO MUITAS PESSOAS QUE > > O CONHECEM. ESTA INFORMAÇÃO FOI ANUNCIADA PELA IBM. > > DIVIDA ESSA INFORMAÇÃO COM TODO MUNDO QUE ACESSA A > > INTERNET. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 24 7:42:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from tbd.gfoster.com (gfoster.intr.net [207.32.93.21]) by hub.freebsd.org (Postfix) with ESMTP id 4386714C19 for ; Wed, 24 Mar 1999 07:42:33 -0800 (PST) (envelope-from gfoster@tbd.gfoster.com) Received: (from gfoster@localhost) by tbd.gfoster.com (8.9.2/8.9.2) id KAA09871; Wed, 24 Mar 1999 10:42:15 -0500 (EST) (envelope-from gfoster) Date: Wed, 24 Mar 1999 10:42:15 -0500 (EST) Message-Id: <199903241542.KAA09871@tbd.gfoster.com> From: Glen Foster To: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org who To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 24 7:44:58 1999 Delivered-To: freebsd-security@freebsd.org Received: from puck.nether.net (puck.nether.net 
From: Jared Mauch
Date: Wed, 24 Mar 1999 10:45:30 -0500
To: Glen Foster
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail
Message-ID: <19990324104530.A6145@puck.nether.net>
In-Reply-To: <199903241542.KAA09871@tbd.gfoster.com>; from Glen Foster on Wed, Mar 24, 1999 at 10:42:15AM -0500

All spammers must die.

On Wed, Mar 24, 1999 at 10:42:15AM -0500, Glen Foster wrote:
> who

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From owner-freebsd-security Wed Mar 24 7:45:33 1999
From: "Dep. de Teleinformática"
Reply-To: agora@agoractvm.com.br
Organization: ÁGORA C.T.V.M. S/A
Date: Wed, 24 Mar 1999 12:41:20 -0300
To: FreeBSD Security
Message-ID: <36F907A0.944FF541@agoractvm.com.br>

unsubscribe

--
Nelson / Guilherme
Teleinformatics Department
ÁGORA Corretora de Títulos e Valores Mobiliários S/A
Rio de Janeiro - RJ - Brazil

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
"He who asks is a fool for 5 minutes. He who does not ask
is a fool for his whole life!"
                                                        (Confucius)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From owner-freebsd-security Wed Mar 24 8: 2:22 1999
From: Max Booth
Organization: UK Online Ltd
Date: Wed, 24 Mar 1999 16:02:52 +0000
To: FreeBSD Security
Subject: Re: NOVO VIRUS.
Message-ID: <36F90CAC.ABA6B811@ukonline.net>
References: <4092EFCAF9AAD211A6080060976792610140BA@ISIMAIL> <00d801be7609$7626f380$0102a8c0@newtoy.com>

SnowFox wrote:
>
> It's Portuguese.
>
> It basically says that if you see a message with "It takes guts to say
> 'Jesus'" or similar, it shouldn't be read - it has the ability to format
> your hard drive without [attachments?] even being opened. It also says the
> author received this information directly from IBM.
>
> Sounds like "Good times" to me. :p

It's the Jesus Hoax...

http://www.datafellows.com/v-descs/hjesus.htm

max

--
Max Booth
Systems Developer for UK Online Ltd
http://www.ukonline.co.uk/
Email: max@ukonline.net
"Believing oneself to be perfect is often the sign of a delusional mind"

From owner-freebsd-security Wed Mar 24 9:44: 0 1999
From: Gustavo V G C Rios
Date: Wed, 24 Mar 1999 14:43:57 +0000
To: agora@agoractvm.com.br
Cc: Best of Security, Alessandro - xsandro, Andre Silveira David, "Axel Hollanda (aghi)", "Bia (Tear)", BK, BMF Rio, Cristiano Colpani, Fernando Ultremare, FreeBSD Security, Guilherme Galileo Cox, Henrique, in0x, Luciana Vital de Matos, Marina, Misty, Nelson Brito, "Nilson R. A. de Brito", Paranoia, Paulo Junior, SDI Pilot, SECRETARIA BVRJ, Stratus, Thiago Modelli
Subject: Re: NOVO VIRUS.
Message-ID: <36F8FA2D.D8C425BE@netshell.com.br>
References: <36F8F559.8F94487C@agoractvm.com.br>

You guys are kidding, aren't you!

--
Real computer scientists don't write code. They occasionally tinker
with 'programming systems', but those are so high level that they
hardly count (and rarely count accurately; precision is for
applications.)

From owner-freebsd-security Wed Mar 24 10:50: 1 1999
From: Matthew Dillon
Date: Wed, 24 Mar 1999 10:38:43 -0800 (PST)
To: Gustavo V G C Rios
Cc: agora@agoractvm.com.br, Best of Security, Alessandro - xsandro, Andre Silveira David, "Axel Hollanda (aghi)", "Bia (Tear)", BK, BMF Rio, Cristiano Colpani, Fernando Ultremare, FreeBSD Security, Guilherme Galileo Cox, Henrique, in0x, Luciana Vital de Matos, Marina, Misty, Nelson Brito, "Nilson R. A. de Brito", Paranoia, Paulo Junior, SDI Pilot, SECRETARIA BVRJ, Stratus, Thiago Modelli
Subject: Re: NOVO VIRUS.
Message-Id: <199903241838.KAA44503@apollo.backplane.com>
References: <36F8F559.8F94487C@agoractvm.com.br> <36F8FA2D.D8C425BE@netshell.com.br>

:You guys are kidding, aren't you!
:--
:Real computer scientists don't write code. They occasionally tinker
:with 'programming systems', but those are so high level that they
:hardly count (and rarely count accurately; precision is for
:applications.)

    Heh heh! It strikes me funny when I see a non-english posting with an
    english quote-of-the-day. It makes me want to have a french
    quote-of-the-day for all my (english) postings!!!

    Maybe someone could write a language-of-the-week-quote-of-the-day
    generator!

                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Wed Mar 24 10:53:58 1999
From: "Dep. de Teleinformática"
Reply-To: agora@agoractvm.com.br
Organization: ÁGORA C.T.V.M. S/A
Date: Wed, 24 Mar 1999 15:44:50 -0300
To: Matthew Dillon
Cc: Gustavo V G C Rios, Best of Security, Alessandro - xsandro, Andre Silveira David, "Axel Hollanda (aghi)", "Bia (Tear)", BK, BMF Rio, Cristiano Colpani, Fernando Ultremare, FreeBSD Security, Guilherme Galileo Cox, Henrique, in0x, Luciana Vital de Matos, Marina, Misty, Nelson Brito, "Nilson R. A. de Brito", Paranoia, Paulo Junior, SDI Pilot, SECRETARIA BVRJ, Stratus, Thiago Modelli
Subject: Re: NOVO VIRUS.
Message-ID: <36F932A2.F852BDDA@agoractvm.com.br>
References: <36F8F559.8F94487C@agoractvm.com.br> <36F8FA2D.D8C425BE@netshell.com.br> <199903241838.KAA44503@apollo.backplane.com>

Matthew Dillon wrote:
>
> :You guys are kidding, aren't you!
> :--
> :Real computer scientists don't write code. They occasionally tinker
> :with 'programming systems', but those are so high level that they
> :hardly count (and rarely count accurately; precision is for
> :applications.)
>
>     Heh heh! It strikes me funny when I see a non-english posting with an
>     english quote-of-the-day. It makes me want to have a french
>     quote-of-the-day for all my (english) postings!!!
>
>     Maybe someone could write a language-of-the-week-quote-of-the-day
>     generator!
>
>                                         -Matt
>                                         Matthew Dillon
>

Are you serious? Well, put this:

----------------------------------------------------
Eu sou Matthew Dillon, um otario que adora garotinhos!
E viva a SACANAGEM... Sou pederasta mesmo... Uiii CREUZA...
----------------------------------------------------

HEHEHHEHEHEHEHHE

--
Nelson / Guilherme
Teleinformatics Department
ÁGORA Corretora de Títulos e Valores Mobiliários S/A
Rio de Janeiro - RJ - Brazil

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
"He who asks is a fool for 5 minutes. He who does not ask
is a fool for his whole life!"
                                                        (Confucius)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From owner-freebsd-security Wed Mar 24 11:52:41 1999
From: Mike Thompson
Date: Wed, 24 Mar 1999 11:51:25 -0800
To: freebsd-security@freebsd.org
Subject: Kerberos vs SSH
Message-Id: <4.1.19990324113601.0097aeb0@mail.dnai.com>

We are configuring a series of web servers running FreeBSD 2.2.8 for a new
Internet service. To implement our service we need to provide a mechanism
for secure communication between the servers using an rsh-like facility.

One method of doing this would be to run SSH on each server for
encrypted/authenticated communication. However, the downsides of this are
that there wouldn't be a central administration facility for managing
authentication information (unless we create one), ssh has a relatively
high CPU overhead to encrypt all communications, and we would like to avoid
paying the substantial license fees for SSH across a large number of
servers.

An alternative would be to run rsh in combination with a Kerberos server
to centrally administer authentication information between each server.
Communication between the servers would take place behind a router to
prevent interception of the unencoded packets. We would also use IPFW to
restrict communication with rsh as further protection against hacking.

Does anyone here have an opinion as to whether rsh and Kerberos can be
used in this manner for efficient and secure communication between web
servers running a distributed application? Ideally, we want to keep the
cost per server as low as possible with regards to licensing fees, but we
also don't want to compromise on security.

Thanks,

Mike Thompson

From owner-freebsd-security Wed Mar 24 12:21:44 1999
From: Dug Song
Date: Wed, 24 Mar 1999 15:21:19 -0500 (EST)
To: Mike Thompson
Cc: freebsd-security@freebsd.org
Subject: Re: Kerberos vs SSH
In-Reply-To: <4.1.19990324113601.0097aeb0@mail.dnai.com>

On Wed, 24 Mar 1999, Mike Thompson wrote:

> Does anyone here have an opinion as to whether rsh and Kerberos
> can be used in this manner for efficient and secure communication
> between web servers running a distributed application?

use SSH v1 with Kerberos v4.

http://www.monkey.org/~dugsong/ssh-afs-kerberos.html

or, pay for SSH v2 and Kerberos v5. :-)

-d.
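The design Mike Thompson describes above (rsh, or a Kerberized rsh, confined to a private server segment, with IPFW deciding who may reach it at all) can be written down as a small ipfw ruleset. The script below is an added example; it is not from the thread or from any of the posters. It assumes a private segment 10.0.1.0/24 and a KDC at 10.0.1.10 (both constructed), modern ipfw syntax rather than that of FreeBSD 2.2.8, and the standard service ports from /etc/services: 514/tcp for plain rsh, 544/tcp for the Kerberized rsh service (kshell), 88 for Kerberos v5 and 750/udp for Kerberos v4. By default it only prints the rules (FWCMD=echo); setting FWCMD=/sbin/ipfw loads them.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules that confine rsh/kshell and
# Kerberos traffic to a private server segment. All addresses are constructed.
# Assumes modern ipfw syntax (not FreeBSD 2.2.8's) and standard service ports.

NET="${NET:-10.0.1.0/24}"     # constructed: private segment the web servers share
KDC="${KDC:-10.0.1.10}"       # constructed: the Kerberos server on that segment
FWCMD="${FWCMD:-echo}"        # "echo" prints the rules; FWCMD=/sbin/ipfw loads them

# Emit the ruleset through $FWCMD, one ipfw invocation per rule.
load_rules() {
    $FWCMD -f flush
    # Loopback: local Kerberos library calls to a KDC on the same host use lo0.
    $FWCMD add allow ip from any to any via lo0
    # Established TCP flows (anything that got past a 'setup' rule below).
    $FWCMD add allow tcp from any to any established
    # rsh (514) and Kerberized rsh/kshell (544): only between segment hosts.
    $FWCMD add allow tcp from "$NET" to "$NET" 514,544 setup
    # rsh's stderr back-channel: the server connects back to the client,
    # both ends using privileged ports (512-1023).
    $FWCMD add allow tcp from "$NET" 512-1023 to "$NET" 512-1023 setup
    # Kerberos: v5 on 88 (udp and tcp), v4 on 750/udp, only to and from the KDC.
    $FWCMD add allow udp from "$NET" to "$KDC" 88,750
    $FWCMD add allow udp from "$KDC" 88,750 to "$NET"
    $FWCMD add allow tcp from "$NET" to "$KDC" 88 setup
    # Anything else aimed at these services is logged and dropped.
    $FWCMD add deny log tcp from any to any 514,544
    $FWCMD add deny log udp from any to any 88,750
    $FWCMD add deny log tcp from any to any 88
}

# Number of 'add' rules the ruleset installs (a quick sanity check).
rule_count() {
    (FWCMD=echo; load_rules) | grep -c '^add '
}

load_rules
```

Two caveats belong with this ruleset. First, the filter only limits who can talk to rshd; it does nothing for the rsh payload itself, which still crosses the private segment in the clear, so anyone with a foothold on that segment reads it. Second, rsh's trust in privileged source ports is exactly what Kerberos is being added to replace, so the 512-1023 rule should be read as plumbing for the stderr channel, not as authentication. Dug Song's reply, which keeps Kerberos for the key exchange but runs it inside SSH, is the way to close the first gap.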
---
http://www.monkey.org/~dugsong/

From owner-freebsd-security Wed Mar 24 12:35:16 1999
From: Sheldon Hearn
Date: Wed, 24 Mar 1999 22:33:54 +0200
To: Dug Song
Cc: Mike Thompson, freebsd-security@freebsd.org
Subject: Re: Kerberos vs SSH
In-reply-to: Your message of "Wed, 24 Mar 1999 15:21:19 EST."
Message-ID: <68230.922307634@axl.noc.iafrica.com>

On Wed, 24 Mar 1999 15:21:19 EST, Dug Song wrote:

> use SSH v1 with Kerberos v4.
>
> http://www.monkey.org/~dugsong/ssh-afs-kerberos.html
>
> or, pay for SSH v2 and Kerberos v5. :-)

Um, what's wrong with ssh v1 and Kerberos5?

Ciao,
Sheldon.

From owner-freebsd-security Wed Mar 24 13:28: 8 1999
From: Cristiano Colpani
Date: Wed, 24 Mar 1999 18:25:19 -0400 (AST)
To: "Dep. de Teleinformática"
Cc: Best of Security, Alessandro - xsandro, Andre Silveira David, "Axel Hollanda (aghi)", "Bia (Tear)", BK, BMF Rio, Cristiano Colpani, Fernando Ultremare, FreeBSD Security, Guilherme Galileo Cox, Henrique, in0x, Luciana Vital de Matos, Marina, Misty, Nelson Brito, "Nilson R. A. de Brito", Paranoia, Paulo Junior, SDI Pilot, SECRETARIA BVRJ, Stratus, Thiago Modelli
Subject: "IT TAKES GUTS TO SAY JESUS"
In-Reply-To: <36F8F559.8F94487C@agoractvm.com.br>

Ah, sure, now you're going to be swallowed by your computer..

NO CARRIER

On Wed, 24 Mar 1999, Dep. de Teleinformática wrote:

> Subject: ATTENTION: NEW VIRUS
> This alert was issued by IBM!!
>
> IF YOU RECEIVE AN E-MAIL WITH THE TITLE
>
> "IT TAKES GUTS TO SAY JESUS". (IT TAKES COURAGE TO SAY JESUS)
>
> DO NOT OPEN IT! IT WILL ERASE EVERYTHING ON YOUR HARD DRIVE. SEND
> THIS MESSAGE TO AS MANY PEOPLE AS YOU CAN. THIS IS A NEW VIRUS AND
> NOT MANY PEOPLE KNOW ABOUT IT. THIS INFORMATION WAS ANNOUNCED BY IBM.
> SHARE THIS INFORMATION WITH EVERYONE WHO USES THE INTERNET.
>
> --
> Nelson / Guilherme
> Teleinformatics Department
> ÁGORA Corretora de Títulos e Valores Mobiliários S/A
> Rio de Janeiro - RJ - Brazil
>
> *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> "He who asks is a fool for 5 minutes. He who does not ask
> is a fool for his whole life!"
>                                                         (Confucius)
> *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From owner-freebsd-security Wed Mar 24 14:42:34 1999
From: Augusto Cesar
Date: Wed, 24 Mar 1999 19:34:31 +0000 (GMT)
To: "Dep. de Teleinformática"
Cc: Best of Security, Alessandro - xsandro, Andre Silveira David, "Axel Hollanda (aghi)", "Bia (Tear)", BK, BMF Rio, Cristiano Colpani, Fernando Ultremare, FreeBSD Security, Guilherme Galileo Cox, Henrique, in0x, Luciana Vital de Matos, Marina, Misty, Nelson Brito, "Nilson R. A. de Brito", Paranoia, Paulo Junior, SDI Pilot, SECRETARIA BVRJ, Stratus, Thiago Modelli
Subject: Re: NOVO VIRUS.
In-Reply-To: <36F8F559.8F94487C@agoractvm.com.br>

On Wed, 24 Mar 1999, Dep. de Teleinformática wrote:

> Subject: ATTENTION: NEW VIRUS
> This alert was issued by IBM!!
>
> IF YOU RECEIVE AN E-MAIL WITH THE TITLE
>
> "IT TAKES GUTS TO SAY JESUS". (IT TAKES COURAGE TO SAY JESUS)
>
> DO NOT OPEN IT! IT WILL ERASE EVERYTHING ON YOUR HARD DRIVE. SEND
> THIS MESSAGE TO AS MANY PEOPLE AS YOU CAN. THIS IS A NEW VIRUS AND
> NOT MANY PEOPLE KNOW ABOUT IT. THIS INFORMATION WAS ANNOUNCED BY IBM.
> SHARE THIS INFORMATION WITH EVERYONE WHO USES THE INTERNET.
>

It is common knowledge, or should be, that the kernel of a unix system
puts the user in a protected mode in which no virus can run and compromise
the whole system, so the most it could delete would be the files of the
current mail user. Please stop replying with these enormous CC lists.

--
Augusto Cesar
Sekure SDI
bishop@sekure.org
pgp key at: http://bishop.sekure.org/bishop.key
http://www.sekure.org / blumenau-sc division

From owner-freebsd-security Wed Mar 24 15:13:54 1999
From: Bob Vaughan
Date: Wed, 24 Mar 1999 15:10:15 -0800 (PST)
To: agora@agoractvm.com.br, bishop@sekure.org
Cc: admin@suntelnetwork.net, alessandrofm@nitnet.com.br, bk@linuxbr.com.br, bmfrio@parxtech.com.br, bos@sekure.org, brodbeck@tro.matrix.com.br, colpani@furb.rct-sc.br, cox@sinistro.net, darklady@zipmail.com.br, eleet@sekure.org, freebsd-security@FreeBSD.ORG, grlink@infolink.com.br, hc_@linuxbr.com.br, isc@suntelnetwork.net, jamez@sekure.org, luciana@mtec.com.br, misty@biosys.net, nelsonbrito@netscape.net, niusin@montreal.com.br, paranoia@sekure.org, pjr@ruralrj.com.br, SECRETARIA@bvrj.com.br, silveira@esquadro.com.br, suid-bit@usa.net
Subject: Re: NOVO VIRUS.
Message-Id: <199903242310.PAA06293@tantivy.stanford.edu>

Can we please let this die already?

-- Welcome My Son, Welcome To The Machine --
Bob Vaughan | techie@{w6yx|tantivy}.stanford.edu | kc6sxc@w6yx.ampr.org
            | P.O. Box 9792, Stanford, Ca 94309-9792
-- I am Me, I am only Me, And no one else is Me, What could be simpler? --

From owner-freebsd-security Wed Mar 24 16: 3: 4 1999
From: ob1k
Date: Wed, 24 Mar 1999 19:03:35 +0000 (GMT)
To: Pete Fritchman
Cc: freebsd-security@freebsd.org
Subject: Re: NOVO VIRUS.

It's not spanish. It's portuguese.

On Wed, 24 Mar 1999, Pete Fritchman wrote:

>
> heh, anyone know spanish?
>=20 > Out of that, I get that Jesus is going to invade our computers.=20 >=20 > --------------------------------- > | Pete C. Fritchman | > | hideaway@hideaway.ms | > | Systems Administrator | > --------------------------------- > What's the similarity between an air > conditioner and a computer? They both > stop working when you open windows. >=20 > On Wed, 24 Mar 1999, Dep. de [iso-8859-1] Teleinform=E1tica wrote: >=20 > > Assunto: ATEN=C7=C3O: NOVO V=CDRUS > > Este alerta foi dado pela IBM!! > > =20 > > SE VOC=CA RECEBER UM E-MAIL COM O T=CDTULO > >=20 > > "IT TAKES GUTS TO SAY JESUS". (=C9 PRECISO CORAGEM PARA DIZER > > JESUS) > >=20 > > N=C3O ABRA! ELE VAI APAGAR TUDO NO SEU HARD DRIVE. MANDE > > ESSA MENSAGEM PARA O MAIOR N=DAMERO DE PESSOAS QUE VC > > PUDER. ESTE =C9 UM V=CDRUS NOVO E N=C3O S=C3O MUITAS PESSOAS QUE > > O CONHECEM. ESTA INFORMA=C7=C3O FOI ANUNCIADA PELA IBM. > > DIVIDA ESSA INFORMA=C7=C3O COM TODO MUNDO QUE ACESSA A > > INTERNET. > >=20 > > =20 > >=20 > > =20 > >=20 > > --=20 > > Nelson / Guilherme > > Departamento de Teleinfom=E1tica > > =C1GORA Corretora de T=EDtulos e Valores Mobili=E1rios S/A > > Rio de Janeiro - RJ - Brasil > >=20 > > *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* > > "Aquele que pergunta, e' tolo por 5 minutos. E aquele que nao pergunta= =20 > > e' tolo por toda a vida !" 
> > =09=09=09=09=09=09=09(Confucio) > > *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* > >=20 > >=20 > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > >=20 >=20 >=20 >=20 >=20 > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message >=20 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 24 16:12:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from shibumi.feralmonkey.org (shibumi.feralmonkey.org [203.41.114.182]) by hub.freebsd.org (Postfix) with ESMTP id 49BAC14BE3 for ; Wed, 24 Mar 1999 16:11:47 -0800 (PST) (envelope-from nick@shibumi.feralmonkey.org) Received: from localhost (nick@localhost) by shibumi.feralmonkey.org (8.9.2/8.9.2) with ESMTP id LAA08282; Thu, 25 Mar 1999 11:10:04 GMT (envelope-from nick@shibumi.feralmonkey.org) Date: Thu, 25 Mar 1999 11:10:02 +0000 (GMT) From: 0x1c To: Mike Thompson Cc: freebsd-security@FreeBSD.ORG Subject: Re: Kerberos vs SSH In-Reply-To: <4.1.19990324113601.0097aeb0@mail.dnai.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You might also be interested at implementing some sort of a VPN between the servers. Have a look at www.kame.net for a free *BSD IPsec implementation. Cheers, Nick -- Therefore those skilled at the unorthodox are as infinite as heaven and earth, inexhaustible as the great rivers. -- Sun Tzu, The Art of War On Wed, 24 Mar 1999, Mike Thompson wrote: > We are configuring a series of web servers running FreeBSD 2.2.8 > for a new Internet service. To implement our service we need > to provide a mechanism for secure communication between the > servers using an rsh-like facility. 
> > One method of doing this would be to run SSH on each server for > encrypted/authenticated communication. However, the downsides > of this are that there wouldn't be a central administration > facility for managing authentication information (unless we > create one), ssh has a relatively high CPU overhead to encrypt > all communications and we would like to avoid paying the substantial > license fees for SSH across a large number of servers. > > An alternative would be to run a rsh in combination with a > Kerberos server to centrally administer authentication > information between each server. Communication between the > servers would take place behind a router to prevent > interception of the unencoded packets. We would also use > IPFW to restrict communication with rsh as further protection > against hacking. > > Does anyone here have an opinion as to whether rsh and Kerberos > can be used in this manner for efficient and secure communication > between web servers running a distributed application? > > Ideally, we want to keep the cost per server as low as possible > with regards to licensing fees, but we also don't want to compromise > on security. 
> > Thanks, > > Mike Thompson > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 24 20:11:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from sentry.isrc.qut.edu.au (sentry.isrc.qut.edu.au [131.181.97.10]) by hub.freebsd.org (Postfix) with SMTP id D4CE114D32 for ; Wed, 24 Mar 1999 20:11:22 -0800 (PST) (envelope-from gaskell@isrc.qut.edu.au) Received: (qmail 14276 invoked from network); 25 Mar 1999 04:11:01 -0000 Received: from primrose.isrc.qut.edu.au (HELO isrc.qut.edu.au) (@131.181.6.10) by secure.isrc.qut.edu.au with SMTP; 25 Mar 1999 04:11:01 -0000 Received: from primrose.isrc.qut.edu.au (primrose.isrc.qut.edu.au [131.181.6.10]) by isrc.qut.edu.au (8.8.8+Sun/8.8.6) with ESMTP id OAA18741; Thu, 25 Mar 1999 14:11:00 +1000 (EST) Date: Thu, 25 Mar 1999 14:10:59 +1000 (EST) From: Gary Gaskell To: Mike Thompson Cc: freebsd-security@FreeBSD.ORG Subject: Re: Kerberos vs SSH In-Reply-To: <4.1.19990324113601.0097aeb0@mail.dnai.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I was using rsh/rlogin with a kerberos server for something similar 5 years ago (kerberos v5) and it was all free, save the time of compilation and configuration. What's the problem? the rtools are part of the MIT distribution. Gary On Wed, 24 Mar 1999, Mike Thompson wrote: > We are configuring a series of web servers running FreeBSD 2.2.8 > for a new Internet service. To implement our service we need > to provide a mechanism for secure communication between the > servers using an rsh-like facility. > > One method of doing this would be to run SSH on each server for > encrypted/authenticated communication. 
However, the downsides > of this are that there wouldn't be a central administration > facility for managing authentication information (unless we > create one), ssh has a relatively high CPU overhead to encrypt > all communications and we would like to avoid paying the substantial > license fees for SSH across a large number of servers. > > An alternative would be to run a rsh in combination with a > Kerberos server to centrally administer authentication > information between each server. Communication between the > servers would take place behind a router to prevent > interception of the unencoded packets. We would also use > IPFW to restrict communication with rsh as further protection > against hacking. > > Does anyone here have an opinion as to whether rsh and Kerberos > can be used in this manner for efficient and secure communication > between web servers running a distributed application? > > Ideally, we want to keep the cost per server as low as possible > with regards to licensing fees, but we also don't want to compromise > on security. > > Thanks, > > Mike Thompson > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > Cheers, Gary ----------------------------------------------------------- Gary Gaskell Manager Secure Network Laboratory Phone (07) 3864 1190 Information Security Research Centre Fax (07) 3221 2384 Queensland University of Technology ----------------------------------------------------------- _--_|\ / QUT A University for http://www.qut.edu.au/ _.--._/ the Real World. 
v To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 24 20:29: 8 1999 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 2CC111503F for ; Wed, 24 Mar 1999 20:29:07 -0800 (PST) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id UAA68023; Wed, 24 Mar 1999 20:26:12 -0800 (PST) (envelope-from dillon) Date: Wed, 24 Mar 1999 20:26:12 -0800 (PST) From: Matthew Dillon Message-Id: <199903250426.UAA68023@apollo.backplane.com> To: Gary Gaskell Cc: freebsd-security@FreeBSD.ORG Subject: Re: Kerberos vs SSH References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :I was using rsh/rlogin with a kerberos server for something similar 5 :years ago (kerberos v5) and it was all free, save the time of compilation :and configuration. : :What's the problem? the rtools are part of the MIT distribution. : :Gary : :On Wed, 24 Mar 1999, Mike Thompson wrote: : :> We are configuring a series of web servers running FreeBSD 2.2.8 :> for a new Internet service. To implement our service we need :> to provide a mechanism for secure communication between the :> servers using an rsh-like facility. :> :> One method of doing this would be to run SSH on each server for :> encrypted/authenticated communication. However, the downsides :> of this are that there wouldn't be a central administration :> facility for managing authentication information (unless we :> create one), ssh has a relatively high CPU overhead to encrypt :> all communications and we would like to avoid paying the substantial :> license fees for SSH across a large number of servers. 
:> :> An alternative would be to run a rsh in combination with a :> Kerberos server to centrally administer authentication :> information between each server. Communication between the :> servers would take place behind a router to prevent :> interception of the unencoded packets. We would also use :> IPFW to restrict communication with rsh as further protection :... SSh can be configured to use kerberos V fairly easily. I set the following in my /etc/make.conf.local: MAKE_KERBEROS5= YES KRB5_HOME= /usr/krb5 And then I build the krb5 port and the ssh port. Of course, in order to use kerberos you need to setup a kerberos server, and kerberos is extremely user unfriendly when it comes to figuring out how it works. But if you can get past that point you can get ssh working w/ kerberos. This is what BEST.COM does. We also disallow passworded root logins except on the console ( even w/ ssh ), and use the kerberos 'ksu' command to control access to root. This allows us to configure a crypted root password in the password file good for logging into the console, but useless if stolen and decrypted. All other accounts have '*' for their password ( i.e. ssh+kerberos logins only). Use of ssh authorized_keys files are also discouraged, though we do use them for direct root-root cron'd administrative functions from two 'secured' machines. rsh, rlogin, telnet, exec, and other administrative services are disabled entirely on administrative machines. sshd is the only way to get in apart from finding a hole in the servers running that implement the function and purpose of the machine. 
-Matt

From owner-freebsd-security Wed Mar 24 20:49:45 1999 Delivered-To: freebsd-security@freebsd.org Received: from sentry.isrc.qut.edu.au (sentry.isrc.qut.edu.au [131.181.97.10]) by hub.freebsd.org (Postfix) with SMTP id 1E49614CCA for ; Wed, 24 Mar 1999 20:49:40 -0800 (PST) (envelope-from gaskell@isrc.qut.edu.au) Received: (qmail 14408 invoked from network); 25 Mar 1999 04:49:20 -0000 Received: from primrose.isrc.qut.edu.au (HELO isrc.qut.edu.au) (@131.181.6.10) by secure.isrc.qut.edu.au with SMTP; 25 Mar 1999 04:49:20 -0000 Received: from primrose.isrc.qut.edu.au (primrose.isrc.qut.edu.au [131.181.6.10]) by isrc.qut.edu.au (8.8.8+Sun/8.8.6) with ESMTP id OAA18901; Thu, 25 Mar 1999 14:49:18 +1000 (EST) Date: Thu, 25 Mar 1999 14:49:18 +1000 (EST) From: Gary Gaskell To: Matthew Dillon Cc: freebsd-security@FreeBSD.ORG Subject: Re: Kerberos vs SSH In-Reply-To: <199903250426.UAA68023@apollo.backplane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Perhaps I am confused. I thought you wanted an rsh-like tool that used strong crypto (like ssh does), but has a central control point, rather than ssh's peer-to-peer architecture.

The rsh I mentioned in the MIT kerberos distribution is kerberised. The command is krsh and the server is krshd, which can be started from inetd.

Personally I would have agreed back in 1994 that the MIT beta distribution of Kerberos was a little unintuitive to set up, but I think it's pretty good now. I know I had a web page back in those days detailing each step. Others have now gone further.

Best wishes with your project.
Gary On Wed, 24 Mar 1999, Matthew Dillon wrote: > :I was using rsh/rlogin with a kerberos server for something similar 5 > :years ago (kerberos v5) and it was all free, save the time of compilation > :and configuration. > : > :What's the problem? the rtools are part of the MIT distribution. > : > :Gary > : > :On Wed, 24 Mar 1999, Mike Thompson wrote: > : > :> We are configuring a series of web servers running FreeBSD 2.2.8 > :> for a new Internet service. To implement our service we need > :> to provide a mechanism for secure communication between the > :> servers using an rsh-like facility. > :> > :> One method of doing this would be to run SSH on each server for > :> encrypted/authenticated communication. However, the downsides > :> of this are that there wouldn't be a central administration > :> facility for managing authentication information (unless we > :> create one), ssh has a relatively high CPU overhead to encrypt > :> all communications and we would like to avoid paying the substantial > :> license fees for SSH across a large number of servers. > :> > :> An alternative would be to run a rsh in combination with a > :> Kerberos server to centrally administer authentication > :> information between each server. Communication between the > :> servers would take place behind a router to prevent > :> interception of the unencoded packets. We would also use > :> IPFW to restrict communication with rsh as further protection > :... > > SSh can be configured to use kerberos V fairly easily. I set the > following in my /etc/make.conf.local: > > MAKE_KERBEROS5= YES > KRB5_HOME= /usr/krb5 > > And then I build the krb5 port and the ssh port. > > Of course, in order to use kerberos you need to setup a kerberos > server, and kerberos is extremely user unfriendly when it comes > to figuring out how it works. But if you can get past that point > you can get ssh working w/ kerberos. > > This is what BEST.COM does. 
We also disallow passworded root logins > except on the console ( even w/ ssh ), and use the kerberos 'ksu' command > to control access to root. This allows us to configure a crypted root > password in the password file good for logging into the console, but > useless if stolen and decrypted. All other accounts have '*' for their > password ( i.e. ssh+kerberos logins only). Use of ssh authorized_keys > files are also discouraged, though we do use them for direct root-root > cron'd administrative functions from two 'secured' machines. > > rsh, rlogin, telnet, exec, and other administrative services are disabled > entirely on administrative machines. sshd is the only way to get in apart > from finding a hole in the servers running that implement the function > and purpose of the machine. > > -Matt > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > Cheers, Gary ----------------------------------------------------------- Gary Gaskell Manager Secure Network Laboratory Phone (07) 3864 1190 Information Security Research Centre Fax (07) 3221 2384 Queensland University of Technology ----------------------------------------------------------- _--_|\ / QUT A University for http://www.qut.edu.au/ _.--._/ the Real World. v To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 24 22:34:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from yoshi.iq.org (yoshy.iq.org [203.4.184.224]) by hub.freebsd.org (Postfix) with ESMTP id 8C44014D49; Wed, 24 Mar 1999 22:34:17 -0800 (PST) (envelope-from proff@yoshi.iq.org) Received: (from proff@localhost) by yoshi.iq.org (8.8.8/8.8.8) id RAA23303; Thu, 25 Mar 1999 17:33:59 +1100 (EST) To: junkmale@xtra.co.nz Cc: "Gary Palmer" , freebsd-security@FreeBSD.ORG Subject: Re: Strange behaviour ... 
References: <19990317181804.PAWH3226200.mta2-rme@wocker> Cc: proff@iq.org From: Julian Assange Date: 25 Mar 1999 17:33:59 +1100 In-Reply-To: "Dan Langille"'s message of "Thu, 18 Mar 1999 07:16:35 +1300" Message-ID: Lines: 15 User-Agent: Gnus/5.070066 (Pterodactyl Gnus v0.66) XEmacs/20.4 (Emerald) Mime-Version: 1.0 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Dan Langille" writes: > > Wojtek wrote in message ID > > : > > > i advise you to switch to 3.1 as soon as You can. > > > afaik strange things happen on 3.0 release... very strange... > > > > We had our first report of abduction of someone running 3.0-RELEASE by > > a UFO this morning. > > Yes, but how many went unreported? > :) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 24 22:37:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from yoshi.iq.org (yoshy.iq.org [203.4.184.224]) by hub.freebsd.org (Postfix) with ESMTP id 78AD614D49; Wed, 24 Mar 1999 22:37:49 -0800 (PST) (envelope-from proff@yoshi.iq.org) Received: (from proff@localhost) by yoshi.iq.org (8.8.8/8.8.8) id RAA23306; Thu, 25 Mar 1999 17:35:12 +1100 (EST) To: Fernando Schapachnik Cc: dv@dv.ru (Dmitry Valdov), freebsd-current@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: disk quota overriding References: <199903171150.IAA23361@ns1.sminter.com.ar> Cc: proff@iq.org From: Julian Assange Date: 25 Mar 1999 17:35:12 +1100 In-Reply-To: Fernando Schapachnik's message of "Wed, 17 Mar 1999 08:50:50 -0300 (GMT)" Message-ID: Lines: 7 User-Agent: Gnus/5.070066 (Pterodactyl Gnus v0.66) XEmacs/20.4 (Emerald) Mime-Version: 1.0 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Fernando Schapachnik writes: > Are you aware that, due to nature of hardlinks the only extra space is > same that for an empty file? Due to this, how many empty files do you No, it's actually 128 bytes less. 
From owner-freebsd-security Wed Mar 24 23:50:36 1999 Delivered-To: freebsd-security@freebsd.org Received: from dnai.com (dnai.com [207.181.194.98]) by hub.freebsd.org (Postfix) with ESMTP id DC37E14E78 for ; Wed, 24 Mar 1999 23:50:34 -0800 (PST) (envelope-from miket@dnai.com) Received: from einstein (dnai-207-181-255-21.dialup.dnai.com [207.181.255.21]) by dnai.com (8.8.8/8.8.8) with SMTP id XAA15011; Wed, 24 Mar 1999 23:47:08 -0800 (PST) Message-Id: <4.1.19990324234311.00a0eba0@mail.dnai.com> X-Sender: miket@mail.dnai.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Wed, 24 Mar 1999 23:46:09 -0800 To: Gary Gaskell, Matthew Dillon From: Mike Thompson Subject: Re: Kerberos vs SSH Cc: freebsd-security@FreeBSD.ORG In-Reply-To: References: <199903250426.UAA68023@apollo.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Thanks for the response. I wanted both central admin of authentication and strong crypto, but I didn't know that ssh could be easily configured to work with Kerberos. It seems that by combining the two I get the best of both worlds.

The general consensus seems to be that rsh and like tools can be easily hacked, kerberos or no kerberos.

Thanks again,

Mike

At 02:49 PM 3/25/99 +1000, Gary Gaskell wrote:
>
>Perhaps I am confused. I thought you wanted an rsh-like tool
>that used strong crypto (like ssh does), but has a central control point,
>rather than ssh's peer-to-peer architecture.
>
>The rsh I mentioned in the MIT kerberos distribution is kerberised.
>The command is krsh and the server is krshd, which can be started from
>inetd.
>
>Personally I would have agreed back in 1994 that the MIT beta distribution
>of Kerberos was a little unintuitive to set up, but I think it's pretty
>good now.
I know I had a web page back in those days detailing each step. >Others have now gone further. > >Best wishes with your project. > >Gary > >On Wed, 24 Mar 1999, Matthew Dillon wrote: > >> :I was using rsh/rlogin with a kerberos server for something similar 5 >> :years ago (kerberos v5) and it was all free, save the time of compilation >> :and configuration. >> : >> :What's the problem? the rtools are part of the MIT distribution. >> : >> :Gary >> : >> :On Wed, 24 Mar 1999, Mike Thompson wrote: >> : >> :> We are configuring a series of web servers running FreeBSD 2.2.8 >> :> for a new Internet service. To implement our service we need >> :> to provide a mechanism for secure communication between the >> :> servers using an rsh-like facility. >> :> >> :> One method of doing this would be to run SSH on each server for >> :> encrypted/authenticated communication. However, the downsides >> :> of this are that there wouldn't be a central administration >> :> facility for managing authentication information (unless we >> :> create one), ssh has a relatively high CPU overhead to encrypt >> :> all communications and we would like to avoid paying the substantial >> :> license fees for SSH across a large number of servers. >> :> >> :> An alternative would be to run a rsh in combination with a >> :> Kerberos server to centrally administer authentication >> :> information between each server. Communication between the >> :> servers would take place behind a router to prevent >> :> interception of the unencoded packets. We would also use >> :> IPFW to restrict communication with rsh as further protection >> :... >> >> SSh can be configured to use kerberos V fairly easily. I set the >> following in my /etc/make.conf.local: >> >> MAKE_KERBEROS5= YES >> KRB5_HOME= /usr/krb5 >> >> And then I build the krb5 port and the ssh port. 
>> >> Of course, in order to use kerberos you need to setup a kerberos >> server, and kerberos is extremely user unfriendly when it comes >> to figuring out how it works. But if you can get past that point >> you can get ssh working w/ kerberos. >> >> This is what BEST.COM does. We also disallow passworded root logins >> except on the console ( even w/ ssh ), and use the kerberos 'ksu' >command >> to control access to root. This allows us to configure a crypted root >> password in the password file good for logging into the console, but >> useless if stolen and decrypted. All other accounts have '*' for their >> password ( i.e. ssh+kerberos logins only). Use of ssh authorized_keys >> files are also discouraged, though we do use them for direct root-root >> cron'd administrative functions from two 'secured' machines. >> >> rsh, rlogin, telnet, exec, and other administrative services are disabled >> entirely on administrative machines. sshd is the only way to get in >apart >> from finding a hole in the servers running that implement the function >> and purpose of the machine. >> >> -Matt >> >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> > >Cheers, > >Gary > >----------------------------------------------------------- >Gary Gaskell >Manager Secure Network Laboratory Phone (07) 3864 1190 >Information Security Research Centre Fax (07) 3221 2384 >Queensland University of Technology >----------------------------------------------------------- > _--_|\ > / QUT A University for http://www.qut.edu.au/ > _.--._/ the Real World. 
> v > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 24 23:51: 6 1999 Delivered-To: freebsd-security@freebsd.org Received: from dnai.com (dnai.com [207.181.194.98]) by hub.freebsd.org (Postfix) with ESMTP id E8F5A1514A for ; Wed, 24 Mar 1999 23:51:02 -0800 (PST) (envelope-from miket@dnai.com) Received: from einstein (dnai-207-181-255-21.dialup.dnai.com [207.181.255.21]) by dnai.com (8.8.8/8.8.8) with SMTP id XAA15004; Wed, 24 Mar 1999 23:47:06 -0800 (PST) Message-Id: <4.1.19990324233231.00a02e40@mail.dnai.com> X-Sender: miket@mail.dnai.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Wed, 24 Mar 1999 23:41:01 -0800 To: Matthew Dillon , Gary Gaskell From: Mike Thompson Subject: Re: Kerberos vs SSH Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <199903250426.UAA68023@apollo.backplane.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Matthew, Thanks for the detailed response. It sounds like BEST has a configuration that is close to what I would like to achieve. A few quick questions if you don't mind: Are you refering to SSH v1 or SSH v2, or do both compile with Kerberos in the manner you describe? I am currently looking into what the licensing costs would be for us to license SSH v2 for our servers. Does BEST.COM pay to license SSH v1 or SSH v2 for internal use? I set up a Kerberos IV server and it is very unfriendly, but possible. I'll investigate Kerberos V in the ports. By using Kerberos I assume it gives you the advantage of configuring all ssh authentication and passwords on the Kerberos server? 
Thanks again, Mike Thompson At 08:26 PM 3/24/99 -0800, Matthew Dillon wrote: > SSh can be configured to use kerberos V fairly easily. I set the > following in my /etc/make.conf.local: > >MAKE_KERBEROS5= YES >KRB5_HOME= /usr/krb5 > > And then I build the krb5 port and the ssh port. > > Of course, in order to use kerberos you need to setup a kerberos > server, and kerberos is extremely user unfriendly when it comes > to figuring out how it works. But if you can get past that point > you can get ssh working w/ kerberos. > > This is what BEST.COM does. We also disallow passworded root logins > except on the console ( even w/ ssh ), and use the kerberos 'ksu' command > to control access to root. This allows us to configure a crypted root > password in the password file good for logging into the console, but > useless if stolen and decrypted. All other accounts have '*' for their > password ( i.e. ssh+kerberos logins only). Use of ssh authorized_keys > files are also discouraged, though we do use them for direct root-root > cron'd administrative functions from two 'secured' machines. > > rsh, rlogin, telnet, exec, and other administrative services are disabled > entirely on administrative machines. sshd is the only way to get in apart > from finding a hole in the servers running that implement the function > and purpose of the machine. 
>
> -Matt

From: Mike Thompson
Date: Thu, 25 Mar 1999 00:23:44 -0800
To: 0x1c
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-Id: <4.1.19990325001254.009fb5e0@mail.dnai.com>
References: <4.1.19990324113601.0097aeb0@mail.dnai.com>

Nick,

Thanks for the tip. I have downloaded KAME and looked at the documentation.
Once configured and installed KAME seems to provide a modified kernel that
adds a new virtual network device (de0?) that can securely communicate with
other systems similarly configured.

Not knowing anything about VPNs, it seems that I could configure one server
to be a router and the other systems to be hosts of the router. All servers
could then communicate securely with each other over the KAME VPN.

A few questions I have are:

1. Can I use standard tools such as rsh, rlogin and the like securely
   between servers with such a configuration? Or do I want to still stick
   with ssh?

2. Do special versions of tools have to be compiled to work with the VPN,
   or are standard tools OK?

3. Are there implications with running IPFW on a system that has a KAME
   installed in the Kernel?

4. The documentation seems a little terse. Is there a good tutorial that
   explains how to get started with KAME on a FreeBSD system?

Thanks,

Mike Thompson

At 11:10 AM 3/25/99 +0000, 0x1c wrote:
>You might also be interested in implementing some sort of a VPN between
>the servers. Have a look at www.kame.net for a free *BSD IPsec
>implementation.
>
>Cheers,
>Nick
>
>--
>Therefore those skilled at the unorthodox are as infinite as heaven and
>earth, inexhaustible as the great rivers. -- Sun Tzu, The Art of War
>
>On Wed, 24 Mar 1999, Mike Thompson wrote:
>
>> We are configuring a series of web servers running FreeBSD 2.2.8
>> for a new Internet service. To implement our service we need
>> to provide a mechanism for secure communication between the
>> servers using an rsh-like facility.
>>
>> One method of doing this would be to run SSH on each server for
>> encrypted/authenticated communication. However, the downsides
>> of this are that there wouldn't be a central administration
>> facility for managing authentication information (unless we
>> create one), ssh has a relatively high CPU overhead to encrypt
>> all communications and we would like to avoid paying the substantial
>> license fees for SSH across a large number of servers.
>>
>> An alternative would be to run an rsh in combination with a
>> Kerberos server to centrally administer authentication
>> information between each server. Communication between the
>> servers would take place behind a router to prevent
>> interception of the unencoded packets. We would also use
>> IPFW to restrict communication with rsh as further protection
>> against hacking.
>>
>> Does anyone here have an opinion as to whether rsh and Kerberos
>> can be used in this manner for efficient and secure communication
>> between web servers running a distributed application?
>>
>> Ideally, we want to keep the cost per server as low as possible
>> with regards to licensing fees, but we also don't want to compromise
>> on security.
>>
>> Thanks,
>>
>> Mike Thompson

From: Matthew Dillon
Date: Thu, 25 Mar 1999 01:01:26 -0800 (PST)
To: Mike Thompson
Cc: Gary Gaskell, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-Id: <199903250901.BAA95914@apollo.backplane.com>
References: <4.1.19990324233231.00a02e40@mail.dnai.com>

:Matthew,
:
:Thanks for the detailed response. It sounds like BEST has a
:configuration that is close to what I would like to achieve.
:A few quick questions if you don't mind:
:
:Are you referring to SSH v1 or SSH v2, or do both compile
:with Kerberos in the manner you describe?
:
:I am currently looking into what the licensing costs would be
:for us to license SSH v2 for our servers. Does BEST.COM pay
:to license SSH v1 or SSH v2 for internal use?
:
:I set up a Kerberos IV server and it is very unfriendly, but
:possible. I'll investigate Kerberos V in the ports. By using
:Kerberos I assume it gives you the advantage of configuring
:all ssh authentication and passwords on the Kerberos server?
:
:Thanks again,
:
:Mike Thompson

BEST currently uses SSH v1 under the ISP terms in the COPYING notice.
We've looked into using SSH v2 a number of times but two factors have
kept us from being able to switch: (1) the fact that the author made
SSH v2 incompatible with SSH v1, and (2) because, when we checked, the
licensing terms were too overpriced ( but that was a year ago and I
don't remember what the price was ). So we aren't using v2.

The whole thing has really miffed me, actually. I like to support free
software, especially free software of the quality level and usefulness
of ssh, but the authors have made it rather difficult to do. I haven't
checked the status of SSH v2 recently, so it is possible that
commercial licensing is more doable now.

-Matt
Matthew Dillon

From: Matthew Dillon
Date: Thu, 25 Mar 1999 01:05:58 -0800 (PST)
To: Mike Thompson
Cc: Gary Gaskell, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-Id: <199903250905.BAA95946@apollo.backplane.com>
References: <199903250426.UAA68023@apollo.backplane.com> <4.1.19990324234311.00a0eba0@mail.dnai.com>

:The general consensus seems to be that rsh and like tools can be easily
:hacked, kerberos or no kerberos.
:
:Thanks again,

Well, for rsh or telnet configured for kerberos-only operation, it's
reasonably safe. The one problem with this is that kerberos defaults to
disabling encryption ... you have to explicitly enable it.

In general, the biggest security hole with standard tools such as ftp,
rsh, telnet, and rlogin ( non-kerberos ) is that they pass plaintext and
both initial passwords and passwords passed later on are vulnerable to
interception. With kerberos and no encryption by default, these tools
are still vulnerable. You can get into the account just fine without
exposing a password, but once in the account if you need to type a
password of any sort in to do something else, *that* password is
vulnerable to interception.

-Matt
Matthew Dillon

From: joda@pdc.kth.se (Johan Danielsson)
Date: 25 Mar 1999 11:07:04 +0100
To: Matthew Dillon
Cc: Mike Thompson, Gary Gaskell, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: Matthew Dillon's message of "Thu, 25 Mar 1999 01:05:58 -0800 (PST)"
References: <199903250426.UAA68023@apollo.backplane.com> <4.1.19990324234311.00a0eba0@mail.dnai.com> <199903250905.BAA95946@apollo.backplane.com>

Matthew Dillon writes:

> The one problem with this is that kerberos defaults to disabling
> encryption ... you have to explicitly enable it.

Don't say that `kerberos' defaults to disabling encryption. Kerberos is
a protocol to authenticate users, and as such it always uses encryption.
Kerberos *applications* can choose to use or not use encryption, but to
say that all of them, and all implementations of them, don't by default
is unfair.

Most applications that don't encrypt have a good reason not to, like
being originally written in an era where computers were slow enough to
make encrypted telnet sessions painful. Which isn't an excuse for not
doing encryption, but an explanation.

/Johan

From: "Marco Molteni"
Date: Thu, 25 Mar 1999 10:55:14 +0100 (CET)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <4.1.19990325001254.009fb5e0@mail.dnai.com>

On Thu, 25 Mar 1999, Mike Thompson wrote:

Mike, let me jump in since I use KAME for research ;-)

> Once configured and installed KAME seems to provide a modified kernel
> that adds a new virtual network device (de0?) that can securely
> communicate with other systems similarly configured.

No.
There is no "virtual network device". KAME provides IPsec (and IPv6).
IPsec lets you selectively set up encrypted and/or authenticated network
connections. You can tune the meaning of "network connections" by
choosing your IPsec "policy". If you set a per host policy, IPsec is
completely transparent (i.e. no application needs to know about IPsec,
it works normally, but all the data is encrypted). IPsec works at the
network layer, not at the application layer (like ssh or ssl or
whatever).

> Not knowing anything about VPNs, it seems that I could configure one
> server to be a router and the other systems to be hosts of the router.
> All servers could then communicate securely with each other over the
> KAME VPN.

Well, IPsec can provide both VPN (aka tunnel mode) and host-to-host (aka
transport mode) security. It depends on what you want to do. A VPN
authenticates only the two networks connected, not the specific hosts.

> A few questions I have are:
>
> 1. Can I use standard tools such as rsh, rlogin and the like
> securely between servers with such a configuration? Or do
> I want to still stick with ssh?

As I said before, IPsec can be completely transparent to applications.
With IPsec (properly configured ;-) you don't need ssh.

> 2. Do special versions of tools have to be compiled to work
> with the VPN, or are standard tools OK?

see 1.

> 3. Are there implications with running IPFW on a system that
> has a KAME installed in the Kernel?

don't know this, sorry.

> 4. The documentation seems a little terse.

can you say pioneer? ;-)

> Is there a good tutorial that explains how to get started with KAME on a
> FreeBSD system?

IMHO, if you want to use KAME (i.e. IPsec) and you want to know what you
are doing, you should read the RFCs defining IPsec (try
http://www.vpnc.org/ipsec-standards.html), at least you should
understand what a SA (Security Association) and a security policy are.

That said, if you search in the KAME documentation that comes in the
package and in the "newsletter" on their web site, you can find some
examples about VPNs and host-to-host security.

Marco

---
"Hi, I have a Compaq machine running Windows 95. How do I install FreeBSD?"
"I'm sorry, this is device driver testing: brain implants are two doors
down on the right". (Bill Paul, on the freebsd-net mailing list)

From: Mike Thompson
Date: Thu, 25 Mar 1999 02:18:35 -0800
To: Matthew Dillon, Gary Gaskell
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-Id: <4.1.19990325021717.0097e980@mail.dnai.com>
In-Reply-To: <199903250426.UAA68023@apollo.backplane.com>

Matthew,

Another quick question. Under the configuration described below can one
system issue an ssh command from a script to another system without
having to include a password? We have automated scripts that will run
nightly that will run on one server and execute commands on other
servers using ssh. Supplying such a password to the Kerberos kinit
application before using ssh in such a script will be problematic. I
assume this is why you mentioned your use of the "authorized_keys" files
for limited purposes?
Any other suggestions?

Mike Thompson

At 08:26 PM 3/24/99 -0800, Matthew Dillon wrote:
>:I was using rsh/rlogin with a kerberos server for something similar 5
>:years ago (kerberos v5) and it was all free, save the time of compilation
>:and configuration.
>:
>:What's the problem? the rtools are part of the MIT distribution.
>:
>:Gary
>:
>:On Wed, 24 Mar 1999, Mike Thompson wrote:
>:
>:> We are configuring a series of web servers running FreeBSD 2.2.8
>:> for a new Internet service. To implement our service we need
>:> to provide a mechanism for secure communication between the
>:> servers using an rsh-like facility.
>:>
>:> One method of doing this would be to run SSH on each server for
>:> encrypted/authenticated communication. However, the downsides
>:> of this are that there wouldn't be a central administration
>:> facility for managing authentication information (unless we
>:> create one), ssh has a relatively high CPU overhead to encrypt
>:> all communications and we would like to avoid paying the substantial
>:> license fees for SSH across a large number of servers.
>:>
>:> An alternative would be to run an rsh in combination with a
>:> Kerberos server to centrally administer authentication
>:> information between each server. Communication between the
>:> servers would take place behind a router to prevent
>:> interception of the unencoded packets. We would also use
>:> IPFW to restrict communication with rsh as further protection
>:...
>
> SSH can be configured to use kerberos V fairly easily. I set the
> following in my /etc/make.conf.local:
>
> MAKE_KERBEROS5= YES
> KRB5_HOME= /usr/krb5
>
> And then I build the krb5 port and the ssh port.
>
> Of course, in order to use kerberos you need to set up a kerberos
> server, and kerberos is extremely user unfriendly when it comes
> to figuring out how it works. But if you can get past that point
> you can get ssh working w/ kerberos.
>
> This is what BEST.COM does. We also disallow passworded root logins
> except on the console ( even w/ ssh ), and use the kerberos 'ksu' command
> to control access to root. This allows us to configure a crypted root
> password in the password file good for logging into the console, but
> useless if stolen and decrypted. All other accounts have '*' for their
> password ( i.e. ssh+kerberos logins only). Use of ssh authorized_keys
> files is also discouraged, though we do use them for direct root-root
> cron'd administrative functions from two 'secured' machines.
>
> rsh, rlogin, telnet, exec, and other administrative services are disabled
> entirely on administrative machines. sshd is the only way to get in apart
> from finding a hole in the servers running that implement the function
> and purpose of the machine.
>
> -Matt

From: 0x1c
Date: Thu, 25 Mar 1999 21:27:05 +0000 (GMT)
To: Mike Thompson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <4.1.19990325001254.009fb5e0@mail.dnai.com>

On Thu, 25 Mar 1999, Mike Thompson wrote:

[snip]

> A few questions I have are:
>
> 1. Can I use standard tools such as rsh, rlogin and the like
> securely between servers with such a configuration? Or do
> I want to still stick with ssh?

It provides an encrypted ip tunnel between two endpoints. Hence, it is
transparent at the application layer.

> 2. Do special versions of tools have to be compiled to work
> with the VPN, or are standard tools OK?

Standard tools are ok.

> 3. Are there implications with running IPFW on a system that
> has a KAME installed in the Kernel?

I'm not aware of any off the top of my head, however I doubt there would
be any major complications with such a setup.

> 4. The documentation seems a little terse. Is there a good
> tutorial that explains how to get started with KAME on a
> FreeBSD system?

I think the people who develop KAME are pretty available for specific
questions via email. If you have any particular queries they should be
able to help. With regards to a tutorial, I'm unaware of any.

> Thanks,
>
> Mike Thompson

Cheers,
Nick

--
Therefore those skilled at the unorthodox are as infinite as heaven and
earth, inexhaustible as the great rivers. -- Sun Tzu, The Art of War

From: Sheldon Hearn
Date: Thu, 25 Mar 1999 14:15:25 +0200
To: Mike Thompson
Cc: Matthew Dillon, Gary Gaskell, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: Your message of "Wed, 24 Mar 1999 23:41:01 PST." <4.1.19990324233231.00a02e40@mail.dnai.com>
Message-ID: <375.922364125@axl.noc.iafrica.com>

On Wed, 24 Mar 1999 23:41:01 PST, Mike Thompson wrote:

> Are you referring to SSH v1 or SSH v2, or do both compile
> with Kerberos in the manner you describe?

Why are you so interested in ssh2? It's a totally different piece of
software from a different vendor. Are you sure it does something that
you need done, and which ssh1 doesn't do just fine?

> I am currently looking into what the licensing costs would be
> for us to license SSH v2 for our servers. Does BEST.COM pay
> to license SSH v1 or SSH v2 for internal use?

There are no licensing costs involved in using ssh1.

> I'll investigate Kerberos V in the ports. By using Kerberos I assume
> it gives you the advantage of configuring all ssh authentication and
> passwords on the Kerberos server?

Not exactly. All your Kerberos passwords are on the Kerberos server.
However, sshd configuration still needs to be host-specific.

Ciao,
Sheldon.
From: Andrew Hobson
Date: 25 Mar 1999 08:35:29 -0500
To: freebsd-security@freebsd.org
Subject: Re: Kerberos vs SSH
In-Reply-To: Matthew Dillon's message of "Wed, 24 Mar 1999 20:26:12 -0800 (PST)"
References: <199903250426.UAA68023@apollo.backplane.com>

Matthew Dillon said:

> This is what BEST.COM does. We also disallow passworded root
> logins except on the console ( even w/ ssh ), and use the
> kerberos 'ksu' command to control access to root. This allows
> us to configure a crypted root password in the password file
> good for logging into the console, but useless if stolen and
> decrypted. All other accounts have '*' for their password (
> i.e. ssh+kerberos logins only).

How do you handle updating the password files on all machines when you
need to add or remove a user? Do you have any automated process?

Drew

From: Eivind Eklund
Date: Thu, 25 Mar 1999 15:41:19 +0100
To: Sheldon Hearn
Cc: Mike Thompson, Matthew Dillon, Gary Gaskell, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-ID: <19990325154118.E57330@bitbox.follo.net>
References: <4.1.19990324233231.00a02e40@mail.dnai.com> <375.922364125@axl.noc.iafrica.com>
In-Reply-To: <375.922364125@axl.noc.iafrica.com>; from Sheldon Hearn on Thu, Mar 25, 1999 at 02:15:25PM +0200

On Thu, Mar 25, 1999 at 02:15:25PM +0200, Sheldon Hearn wrote:
> On Wed, 24 Mar 1999 23:41:01 PST, Mike Thompson wrote:
> > I am currently looking into what the licensing costs would be
> > for us to license SSH v2 for our servers. Does BEST.COM pay
> > to license SSH v1 or SSH v2 for internal use?
>
> There are no licensing costs involved in using ssh1.

This is false, for most reasonable definitions of 'use'.

In particular, the use to which Mike Thompson (the original poster) said
he would put the software is explicitly covered in the license for ssh
(COPYING in the main ssh source directory) as needing commercial
licensing from Data Fellows.

Eivind.
From: Sheldon Hearn
Date: Thu, 25 Mar 1999 16:52:25 +0200
To: Eivind Eklund
Cc: Mike Thompson, Matthew Dillon, Gary Gaskell, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: Your message of "Thu, 25 Mar 1999 15:41:19 +0100." <19990325154118.E57330@bitbox.follo.net>
Message-ID: <67903.922373545@axl.noc.iafrica.com>

On Thu, 25 Mar 1999 15:41:19 +0100, Eivind Eklund wrote:

> In particular, the use to which Mike Thompson (the original poster)
> said he would put the software is explicitly covered in the license
> for ssh (COPYING in the main ssh source directory) as needing
> commercial licensing from Data Fellows.

He's neither modifying nor distributing the program, right? In that
case, section 2b says:

  (b) Activities other than copying, distribution and modification of the
  Program are not subject to this License and they are outside its scope.
  Functional use (running) of the Program is not restricted.

Ciao,
Sheldon.
From: The Tech-Admin Dude
Date: Thu, 25 Mar 1999 09:57:12 -0500 (EST)
To: Sheldon Hearn
Cc: Eivind Eklund, Mike Thompson, Matthew Dillon, Gary Gaskell, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <67903.922373545@axl.noc.iafrica.com>

On Thu, 25 Mar 1999, Sheldon Hearn wrote:

> On Thu, 25 Mar 1999 15:41:19 +0100, Eivind Eklund wrote:
>
> > In particular, the use to which Mike Thompson (the original poster)
> > said he would put the software is explicitly covered in the license
> > for ssh (COPYING in the main ssh source directory) as needing
> > commercial licensing from Data Fellows.
>
> He's neither modifying nor distributing the program, right? In that
> case, section 2b says:
>
> (b) Activities other than copying, distribution and modification of the
> Program are not subject to this License and they are outside its scope.
> Functional use (running) of the Program is not restricted.

Ah, it seems the license itself is encrypted.
From: James Wyatt
Date: Thu, 25 Mar 1999 09:27:25 -0600 (CST)
To: Matthew Dillon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <199903250905.BAA95946@apollo.backplane.com>

On Thu, 25 Mar 1999, Matthew Dillon wrote:
[ ... ]
> are still vulnerable. You can get into the account just fine without
> exposing a password, but once in the account if you need to type a
> password of any sort in to do something else, *that* password is
> vulnerable to interception.

especially sudo and su...

- Jy@

From: Wes Peters
Organization: Softweyr llc
Date: Thu, 25 Mar 1999 08:48:35 -0700
To: Julian Assange
Cc: junkmale@xtra.co.nz, Gary Palmer, freebsd-security@FreeBSD.ORG
Subject: Re: Strange behaviour ...
Message-ID: <36FA5AD3.AEDA954B@softweyr.com>
References: <19990317181804.PAWH3226200.mta2-rme@wocker>

Julian Assange wrote:
>
> "Dan Langille" writes:
>
> > > Wojtek wrote in message ID
> > > :
> > > > i advise you to switch to 3.1 as soon as You can.
> > > > afaik strange things happen on 3.0 release... very strange...
> > >
> > > We had our first report of abduction of someone running 3.0-RELEASE by
> > > a UFO this morning.
> >
> > Yes, but how many went unreported?
> >
> > :)

That was an old thread. Exactly WHERE have you been for the last several
weeks, Julian? Do you even recall? ;^)

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

From: Robert Watson
Date: Thu, 25 Mar 1999 10:51:26 -0500 (EST)
Reply-To: Robert Watson
To: Eivind Eklund
Cc: Sheldon Hearn, Mike Thompson, Matthew Dillon, Gary Gaskell, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <19990325154118.E57330@bitbox.follo.net>

On Thu, 25 Mar 1999, Eivind Eklund wrote:

> On Thu, Mar 25, 1999 at 02:15:25PM +0200, Sheldon Hearn wrote:
> > On Wed, 24 Mar 1999 23:41:01 PST, Mike Thompson wrote:
> > > I am currently looking into what the licensing costs would be
> > > for us to license SSH v2 for our servers. Does BEST.COM pay
> > > to license SSH v1 or SSH v2 for internal use?
> >
> > There are no licensing costs involved in using ssh1.
>
> This is false, for most reasonable definitions of 'use'.
>
> In particular, the use to which Mike Thompson (the original poster)
> said he would put the software is explicitly covered in the license
> for ssh (COPYING in the main ssh source directory) as needing
> commercial licensing from Data Fellows.

My impression was that a license was needed from RSA to use RSA public
key routines commercially. The Data Fellows purchase would cover that
also, I believe.

One nice side to using SSH w/kerberos instead of just kerberized
utilities is that tunneling of X programs occurs automatically with
ssh/slogin.

Any chance of K5 becoming the default version of kerberos distributed
with FreeBSD sometime? :-)

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

From: Paul Hart
Date: Thu, 25 Mar 1999 09:58:27 -0700 (MST)
To: Robert Watson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH

On Thu, 25 Mar 1999, Robert Watson wrote:

> > > There are no licensing costs involved in using ssh1.
> >
> > This is false, for most reasonable definitions of 'use'.
> >
> > In particular, the use to which Mike Thompson (the original poster)
> > said he would put the software is explicitly covered in the license
> > for ssh (COPYING in the main ssh source directory) as needing
> > commercial licensing from Data Fellows.
>
> My impression was that a license was needed from RSA to use RSA public key
> routines commercially. The Data Fellows purchase would cover that also, I
> believe.

I think this is also only required in countries (such as the US) where
the RSA algorithm is legally patented. RSA cannot be patented in many
other countries since it was disclosed in a public journal before the
patent was applied for. As I recall, US patent law allows for a grace
period of 12 months after the public disclosure in which to file a
patent application and receive a valid patent (after the typical waiting
period of several years). But this will all become moot next year when
the RSA patent in the US expires.

Something else to consider is SSH1's use of IDEA, which is another
patent-protected cipher that could possibly require commercial
licensing. But that's less critical than RSA, since other suitable bulk
ciphers are easily substituted instead.

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

From owner-freebsd-security Thu Mar 25 10:29:12 1999
Date: Thu, 25 Mar 1999 10:28:50 -0800 (PST)
From: Matthew Dillon
Message-Id: <199903251828.KAA00857@apollo.backplane.com>
To: Mike Thompson
Cc: Gary Gaskell, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
References: <4.1.19990325021717.0097e980@mail.dnai.com>

:Matthew,
:
:Another quick question. Under the configuration described below
:can one system issue an ssh command from a script to another system
:without having to include a password? We have automated scripts
:that will run nightly that will run on one server and execute commands
:on other servers using ssh. Supplying such a password to the
:Kerberos kinit application before using ssh in such a script will be
:problematic. I assume this is why you mentioned your use of the
:"authorized_keys" files for limited purposes? Any other suggestions?
:
:Mike Thompson

    You can always use ssh's authorized_keys mechanism, in which a user ( or
    root ) on one machine gives root on another machine access via a keypair.
    Typically, in order for this to work from cron, you cannot put a password
    on the private key, so the administrative machine from which the ssh is
    issued must be secure.

    People sometimes forget that in a typical setup, if someone steals the
    private key from machine A for which machine B has entered the public
    key in its authorized_keys file, that person can use it to ssh to
    machine B from anywhere. With ssh, you have to use the
    'from="fulldomainname"' option *IN* the authorized_keys file to ensure
    that the key authenticates *AND* that it is coming from a specific client.
    e.g.

    # authorized_keys file
    #
    from="apollo.backplane.com" 1024 37 8123412340...

                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Thu Mar 25 10:34:01 1999
Date: Thu, 25 Mar 1999 10:33:39 -0800 (PST)
From: Matthew Dillon
Message-Id: <199903251833.KAA00915@apollo.backplane.com>
To: Andrew Hobson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
References: <199903250426.UAA68023@apollo.backplane.com>

:> us to configure a crypted root password in the password file
:> good for logging into the console, but useless if stolen and
:> decrypted. All other accounts have '*' for their password (
:> i.e. ssh+kerberos logins only).
:
:How do you handle updating the password files on all machines when you
:need to add or remove a user? Do you have any automated process?
:
:Drew

    Well, the provisioning for customer accounts is totally automated using
    code I wrote for BEST.

    Provisioning for administrative accounts is easy. We do it by hand.
    Most employees only have access to one administrative machine. Employees
    are given access to other peripheral machines depending on their job.
    Except for the one employee machine, these accounts do not have home
    directories and the password field is '*' ( i.e. kerberos/ssh-only
    access ). Access is controlled through kerberos.

                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Thu Mar 25 10:37:23 1999
Date: Thu, 25 Mar 1999 10:36:55 -0800 (PST)
From: Matthew Dillon
Message-Id: <199903251836.KAA00989@apollo.backplane.com>
To: James Wyatt
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH

:
:On Thu, 25 Mar 1999, Matthew Dillon wrote:
: [ ... ]
:> are still vulnerable. You can get into the account just fine without
:> exposing a password, but once in the account if you need to type a
:> password of any sort in to do something else, *that* password is
:> vulnerable to interception.
:
:especially sudo and su... - Jy@

    We used sudo for a little while 3 years ago, but I decided that it was
    too big a security risk and wiped it. sudo is one of the stupidest
    programs I've ever seen.
                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Thu Mar 25 10:39:14 1999
Date: Thu, 25 Mar 1999 10:38:41 -0800 (PST)
From: Matthew Dillon
Message-Id: <199903251838.KAA01021@apollo.backplane.com>
To: Robert Watson
Cc: Eivind Eklund, Sheldon Hearn, Mike Thompson, Gary Gaskell, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH

:One nice side to using SSH w/kerberos instead of just kerberized utilities
:is that tunneling of X programs occurs automatically with ssh/slogin.
:
:Any chance of K5 becoming the default version of kerberos distributed with
:FreeBSD sometime? :-)
:
: Robert N Watson

    I would second this request. We've been using KRB5 for almost a year
    now, possibly even longer.

                                        -Matt
                                        Matthew Dillon

:robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Thu Mar 25 10:45:36 1999
Date: 25 Mar 1999 13:45:10 -0500
From: Andrew Hobson
To: Matthew Dillon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
References: <199903250426.UAA68023@apollo.backplane.com> <199903251833.KAA00915@apollo.backplane.com>
In-Reply-To: Matthew Dillon's message of "Thu, 25 Mar 1999 10:33:39 -0800 (PST)"

On Thu, 25 Mar 1999 10:33:39 -0800 (PST), Matthew Dillon said:

> Provisioning for administrative accounts is easy. We do it by hand.
> Most employees only have access to one administrative machine. Employees
> are given access to other peripheral machines depending on their job.
> Except for the one employee machine, these accounts do not have home
> directories and the password field is '*' ( i.e. kerberos/ssh-only
> access ). Access is controlled through kerberos.

At work we have about a hundred machines and we access them via
kerberos. Admins have accounts on all boxes. If we need to add or
remove a user, it's a bit of a pain to manually update the password
file on every machine.

We're a bit concerned about doing it automatically, because if
something goes wrong, /etc/passwd might be corrupted or nonexistent.
I'm not a big fan of NIS.

I'm sure we can come up with an automated solution that will be
reasonably safe, but I was wondering how other people solved this
problem.

Drew

From owner-freebsd-security Thu Mar 25 10:48:33 1999
Message-Id: <4.1.19990325103002.00abc6e0@mail.dnai.com>
Date: Thu, 25 Mar 1999 10:39:56 -0800
From: Mike Thompson
To: Sheldon Hearn
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <375.922364125@axl.noc.iafrica.com>

At 02:15 PM 3/25/99 +0200, Sheldon Hearn wrote:
>Why are you so interested in ssh2? It's a totally different piece of
>software from a different vendor. Are you sure it does something that
>you need done, and which ssh1 doesn't do just fine?

Being new to the security implications of web applications, it was not
apparent that SSH v2 is from a different vendor than SSH v1 (same authors
I believe). Both licenses with the shareware versions explicitly state
the product is not to be used for commercial purposes and refer the reader
to DataFellows to purchase a commercial license. Granted, the licenses do
differ in that SSH v1 can be used for free for such things as the internal
operations of ISPs that are not sold as a service to users, but SSH v2
clearly cannot.
As a new software/internet company we want to be responsible for paying
for the licensed software from both a moral and legal perspective. Also,
one might naturally assume that SSH v2 is in active development and SSH
v1 development has essentially stopped. I am beginning to think that SSH
v1 is actually a much more mature product than SSH v2. It certainly seems
to be a more flexible product.

>> I am currently looking into what the licensing costs would be
>> for us to license SSH v2 for our servers. Does BEST.COM pay
>> to license SSH v1 or SSH v2 for internal use?
>
>There are no licensing costs involved in using ssh1.

In the COPYING file with SSH version 1.2.26 it states explicitly:

    For commercial licensing please contact Data Fellows, Ltd. Data
    Fellows has exclusive licensing rights for the technology for
    commercial purposes. Data Fellows offers commercial versions of SSH
    with maintenance agreements in addition to various licensing options.

The license then goes on to indicate that SSH can actually be used for
some commercial purposes (ISPs are an example) where SSH is not being
resold as a service or product to end users.

My partners and I are looking to build a major web service and the last
thing we want to do is unwittingly make SSH a major part of our on-line
web service architecture and then be hit with a lawsuit for licensing
violations. Not what an Internet start-up needs.

>Not exactly. All your Kerberos passwords are on the Kerberos server.
>However, sshd configuration still needs to be host-specific.

Got it.

Thanks,

Mike Thompson

From owner-freebsd-security Thu Mar 25 10:51:31 1999
Date: Thu, 25 Mar 1999 10:50:47 -0800 (PST)
From: Matthew Dillon
Message-Id: <199903251850.KAA01406@apollo.backplane.com>
To: Andrew Hobson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
References: <199903250426.UAA68023@apollo.backplane.com> <199903251833.KAA00915@apollo.backplane.com>

:
:On Thu, 25 Mar 1999 10:33:39 -0800 (PST), Matthew Dillon said:
:
:> Provisioning for administrative accounts is easy. We do it by hand.
:> Most employees only have access to one administrative machine. Employees
:> are given access to other peripheral machines depending on their job.
:> Except for the one employee machine, these accounts do not have home
:> directories and the password field is '*' ( i.e. kerberos/ssh-only
:> access ). Access is controlled through kerberos.
:
:At work we have about a hundred machines and we access them via
:kerberos. Admins have accounts on all boxes. If we need to add or
:remove a user, it's a bit of a pain to manually update the password
:file on every machine.
:
:We're a bit concerned about doing it automatically, because if
:something goes wrong, /etc/passwd might be corrupted or nonexistent.
:I'm not a big fan of NIS.
:
:I'm sure we can come up with an automated solution that will be
:reasonably safe, but I was wondering how other people solved this
:problem.
:
:Drew

    It's pretty easy to write a script to manipulate the password file,
    especially if you are not entering any encrypted passwords ( i.e.
    leaving that field '*' ). If you are worried about messing it up, just
    have cron backup the password file once a day or something like that.

                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Thu Mar 25 10:51:31 1999
Message-Id: <4.1.19990325101825.00a28bf0@mail.dnai.com>
Date: Thu, 25 Mar 1999 10:21:04 -0800
From: Mike Thompson
To: Matthew Dillon
Cc: Gary Gaskell, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <199903250901.BAA95914@apollo.backplane.com>
References: <4.1.19990324233231.00a02e40@mail.dnai.com>

Matthew,

I know what you mean. I am currently waiting to hear back from
DataFellows with regards to a quote for SSH v2. We don't mind paying for
SSH, but the price of $495 (from their web site) a server will certainly
lead me to look for another solution if that price indeed holds. Also, it
seems that SSH v2 does not support Kerberos like SSH v1 (at least not yet)
which makes centralized management of keys and passwords a headache.

Mike

At 01:01 AM 3/25/99 -0800, Matthew Dillon wrote:
> BEST currently uses SSH v1 under the ISP terms in the COPYING notice.
>
> We've looked into using SSH v2 a number of times but two factors have
> kept us from being able to switch: (1) the fact that the author made
> SSH v2 incompatible with SSH v1, and (2) because, when we checked, the
> licensing terms were too overpriced ( but that was a year ago and I don't
> remember what the price was ). So we aren't using v2.
>
> The whole thing has really miffed me, actually. I like to support
> free software, especially free software of the quality level and
> usefulness of ssh, but the authors have made it rather difficult to do.
>
> I haven't checked the status of SSH v2 recently, so it is possible that
> commercial licensing is more doable now.
>
>                                       -Matt
>                                       Matthew Dillon
>

From owner-freebsd-security Thu Mar 25 10:58:43 1999
Message-ID: <36FA884F.B2554229@intech.net>
Date: Thu, 25 Mar 1999 14:02:39 -0500
From: Coranth Gryphon
Reply-To: gryphon@hway.net
To: Andrew Hobson
Cc: Matthew Dillon, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
References: <199903250426.UAA68023@apollo.backplane.com> <199903251833.KAA00915@apollo.backplane.com>

> At work we have about a hundred machines and we access them via
> kerberos. Admins have accounts on all boxes. If we need to add or
> remove a user, it's a bit of a pain to manually update the password
> file on every machine.
>
> We're a bit concerned about doing it automatically, because if
> something goes wrong, /etc/passwd might be corrupted or nonexistent.
> I'm not a big fan of NIS.

That 'doing something wrong' is always a concern, but very often the only
solution is one where things entail some risk. If you can reduce that risk
to being only "code is written properly", then that's about the best you
can hope for.

We have a similar setup. What we use for remote password maintenance is
actually a three step process.

First, all login information is stored in a single secure repository (we
use a SQL database on a carefully monitored machine). A single interface
allows you to change the configuration information that gets distributed
from this central source. This could just as easily be stored in flat
files or by some other means.

Then we have a program that generates the correct /etc/* files based upon
information stored in the repository. This is a pretty straightforward
script, the results of which can easily be verified.

Finally, we use ssh/scp to distribute the generated files to the correct
machines.

If you can figure out how to represent the information you want to dist
(ie. the source datamodel), then the rest is fairly straightforward.
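The three-step scheme described above (central repository, generated /etc/* files, distribution by ssh/scp), together with Matthew Dillon's point earlier in the thread about a script plus a daily cron backup, as an added example that is not code from either poster: it renders 7-field /etc/passwd-style lines for one host from a constructed account table, refuses to install anything that fails sanity checks, and replaces the file atomically after taking a dated backup. The account table with its "hosts" field, the file paths and the 7-field layout are assumptions; on FreeBSD the real target is /etc/master.passwd followed by pwd_mkdb, and the scp step is left out.

```python
"""Generate, check and install a password file from a central account table.

Added example for this thread, not Coranth Gryphon's or Matthew Dillon's code.
The repository is modelled as a list of dicts (assumption); a real setup
would read it from the SQL database or flat files described in the post.
"""
import os
import shutil
import tempfile
import time

# Constructed sample rows.  "hosts" is the per-machine visibility rule;
# "*" means every machine.  No password hashes are stored: every entry
# gets '*' in the password field (Kerberos/ssh-only access, as in the thread).
ACCOUNTS = [
    {"name": "root", "uid": 0, "gid": 0, "gecos": "Charlie &",
     "home": "/root", "shell": "/bin/csh", "hosts": ["*"]},
    {"name": "drew", "uid": 1001, "gid": 1001, "gecos": "Andrew Hobson",
     "home": "/home/drew", "shell": "/bin/sh", "hosts": ["*"]},
    {"name": "www", "uid": 80, "gid": 80, "gecos": "World Wide Web Owner",
     "home": "/nonexistent", "shell": "/sbin/nologin", "hosts": ["web1", "web2"]},
]

FIELDS = 7  # name:password:uid:gid:gecos:home:shell


def render_passwd(accounts, host):
    """Return the /etc/passwd lines that `host` should carry."""
    lines = []
    for a in accounts:
        if "*" in a["hosts"] or host in a["hosts"]:
            lines.append("%s:*:%d:%d:%s:%s:%s" % (
                a["name"], a["uid"], a["gid"], a["gecos"], a["home"], a["shell"]))
    return lines


def validate(lines):
    """Sanity checks run before anything is written.  Returns a list of
    problems; an empty list means the file is safe to install.  A gecos
    value carrying ':' or a newline would inject fields or whole entries,
    so the field count and newline checks come first."""
    problems = []
    names, uids = set(), set()
    for ln in lines:
        f = ln.split(":")
        if len(f) != FIELDS or "\n" in ln:
            problems.append("malformed entry: %r" % ln)
            continue
        name, pw, uid = f[0], f[1], f[2]
        if not name or name in names:
            problems.append("empty or duplicate name: %r" % name)
        if not uid.isdigit() or uid in uids:
            problems.append("bad or duplicate uid for %s: %r" % (name, uid))
        if pw != "*":
            problems.append("password field for %s is not '*'" % name)
        names.add(name)
        uids.add(uid)
    root = [ln for ln in lines if ln.startswith("root:")]
    if not root or root[0].split(":")[2] != "0":
        problems.append("no root entry with uid 0")
    return problems


def install(lines, path, backup_dir):
    """Back up the current file, then replace it atomically.  The target is
    never left half-written: readers see the old file or the complete new
    one, which is the corruption case Drew was worried about."""
    problems = validate(lines)
    if problems:
        raise ValueError("refusing to install: " + "; ".join(problems))
    if os.path.exists(path):
        os.makedirs(backup_dir, exist_ok=True)
        stamp = time.strftime("%Y%m%d-%H%M%S")
        shutil.copy2(path, os.path.join(backup_dir, "passwd.%s" % stamp))
    fd, tmp = tempfile.mkstemp(prefix=".passwd.", dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
        fh.flush()
        os.fsync(fh.fileno())
    os.chmod(tmp, 0o644)
    os.rename(tmp, path)  # atomic on the same filesystem
    return len(lines)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "web1"
    for line in render_passwd(ACCOUNTS, host):
        print(line)
```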
-coranth

---------------------------------------+----------------------------
Coranth Gryphon                        | Work Phone: 561-912-2497
Chief Architect, Hiway Technologies    | #include
---------------------------------------+----------------------------
When all else fails, do the impossible.

From owner-freebsd-security Thu Mar 25 11:14:44 1999
From: "Dan Langille"
Organization: The FreeBSD Diary
To: Wes Peters
Date: Fri, 26 Mar 1999 07:14:51 +1200
Subject: Re: Strange behaviour ...
Reply-To: junkmale@xtra.co.nz
Cc: Julian Assange, Gary Palmer, freebsd-security@FreeBSD.ORG
In-reply-to: <36FA5AD3.AEDA954B@softweyr.com>
Message-Id: <19990325191529.ZUES4957949.mta1-rme@wocker>

On 25 Mar 99, at 8:48, Wes Peters wrote:

> Julian Assange wrote:
> >
> > "Dan Langille" writes:
> > >
> > > Wojtek wrote in message ID
> > > > :
> > > > > i advise you to switch to 3.1 as soon as You can.
> > > > > afaik strange things happen on 3.0 release... very strange...
> > > >
> > > > We had our first report of abduction of someone running 3.0-RELEASE by
> > > > a UFO this morning.
> > >
> > > Yes, but how many went unreported?
> >
> > :)
>
> That was an old thread. Exactly WHERE have you been for the last
> several weeks, Julian? Do you even recall?
>
> ;^)

/me points at Julian

He *must* be one of the 'them' now!

--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

From owner-freebsd-security Thu Mar 25 12:02:50 1999
Message-Id: <4.1.19990325145000.00b63100@mason.gmu.edu>
Date: Thu, 25 Mar 1999 15:02:19 -0500
To: freebsd-security@freebsd.org
From: Erik Gault
Subject: xinetd vs. tcp_wrappers

I hate to ask such an ignorant question as this but I spent quite a few
hours trying to find information and didn't come up with as much as I'd
hoped.

I was interested in tightening up the security on my FreeBSD system and
I'd read a bit about inetd not being particularly secure so I thought I'd
look into what the options were for replacing it or putting additional
software into place to improve the situation. I came across a number of
inetd "replacements" including xinetd, netpipes, ucspi-tcp, etc. and also
the tcp_wrappers program. Of all the programs I found xinetd and
tcp_wrappers sounded like they were probably closest to what I wanted.

I found plenty of information on tcp_wrappers and one Web site with
information on xinetd (http://xinetd.synack.net) but what I couldn't find
(and what I'm most interested in) was opinions from knowledgeable folks
about what the "best" way to replace or deal with inetd is. Anybody have
strong feelings about this? I sense tcp_wrappers is in widespread use but
I couldn't get a feel for how widespread use of xinetd is. What do most
security savvy system administrators use?

Erik

From owner-freebsd-security Thu Mar 25 12:09:17 1999
Message-Id: <199903252006.MAA22667@burka.rdy.com>
Subject: Re: Kerberos vs SSH
In-Reply-To: <199903251828.KAA00857@apollo.backplane.com> from Matthew Dillon at "Mar 25, 1999 10:28:50 am"
To: dillon@apollo.backplane.com (Matthew Dillon)
Date: Thu, 25 Mar 1999 12:06:15 -0800 (PST)
Cc: miket@dnai.com, gaskell@isrc.qut.edu.au, freebsd-security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

Matthew Dillon writes:
> :Matthew,
> :
> :Another quick question. Under the configuration described below
> :can one system issue an ssh command from a script to another system
> :without having to include a password? We have automated scripts
> :that will run nightly that will run on one server and execute commands
> :on other servers using ssh. Supplying such a password to the
> :Kerberos kinit application before using ssh in such a script will be
> :problematic. I assume this is why you mentioned your use of the

No, it won't be. You can always use host key in cases like that rather
than user keys.

> :"authorized_keys" files for limited purposes? Any other suggestions?
> :
> :Mike Thompson
>
> You can always use ssh's authorized_keys mechanism, in which a user ( or
> root ) on one machine gives root on another machine access via a keypair.
> Typically, in order for this to work from cron, you cannot put a password
> on the private key, so the administrative machine from which the ssh is
> issued must be secure.
>
> People sometimes forget that in a typical setup, if someone steals the
> private key from machine A for which machine B has entered the public
> key in its authorized_keys file, that person can use it to ssh to
> machine B from anywhere. With ssh, you have to use the
> 'from="fulldomainname"' option *IN* the authorized_keys file to ensure
> that the key authenticates *AND* that it is coming from a specific client.
> e.g.
>
> # authorized_keys file
> #
> from="apollo.backplane.com" 1024 37 8123412340...
>
>                                       -Matt
>                                       Matthew Dillon
>

--
dima

From owner-freebsd-security Thu Mar 25 12:13:44 1999
Message-Id: <4.1.19990325120933.00ad08d0@mail.dnai.com>
Date: Thu, 25 Mar 1999 12:11:59 -0800
From: Mike Thompson
To: Matthew Dillon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <199903251828.KAA00857@apollo.backplane.com>
References: <4.1.19990325021717.0097e980@mail.dnai.com>

Matthew,

In case you or anyone cares, here is the security scheme that I am
developing for a web site application across a number of FreeBSD servers
based on the information I have gathered in this thread.

The design of our web application is to have a number of cooperating
servers that communicate securely among themselves for management
purposes -- generally calling Perl/shell scripts through ssh to
accomplish a specific task. All servers would also be directly connected
to the Internet running the Apache web server running our application.
This implies that each server both issue and receive ssh commands and a
private key must be stored on the issuing ssh server.

This might seem a little dangerous considering the server is directly
connected to the Internet. If a private key from one server were
compromised (such as getting access to it from the Apache web server) a
hacker could potentially gain entry into every other server (as Matthew
Dillon pointed out).

To protect against such a penetration I intend to bind ssh to a reserved
IP address (192.168.xxx.xxx) that each server will run behind a router
(protecting against packet leakage). SSH logins on the servers'
Internet-exposed IP address will not be permitted. Furthermore, each
server will run IPFW (FreeBSD is great) to strictly limit what type of
traffic can connect to a server from the Internet. Finally, we would not
permit remote root ssh access because our web application runs completely
in user space. Access only to the application user account is needed.

To gain manual entrance to an application server for admin purposes we
will first have to ssh into a well protected admin server from the
Internet and then ssh again to a specific application server through the
reserved IP address range. We must make certain that a compromise of a
private key from an application server does not allow entry into our
admin server.

The only way that I can see to make this even more secure would be to run
two NICs on each server so secured IP packets are never co-mingled with
Internet IP packets, even behind a router. However, this is something
that we would not like to do because it doubles the cost of our network
hardware and increases complexity. The cost per server (both hardware and
software) is a critical factor in whether our business succeeds.

Please feel free to comment on this security scheme. Any holes that
people might find now will certainly save me development time and grief
in the future.

Thanks again for everyone's help. I am certainly glad that I convinced my
partners months ago to use FreeBSD for this project rather than that OS
that is grabbing all the hype.
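Matthew Dillon's from= advice earlier in the thread and the stolen-private-key concern in this post, as an added example that is neither poster's code: a small audit that reads an authorized_keys file in the SSH1 layout Matt showed (options, bits, exponent, modulus) and in the OpenSSH layout, and reports every key that a copied private key could use from any host, either because there is no from= at all or because the pattern is just "*". The sample file, with shortened moduli and base64, is constructed, and the function names are mine.

```python
"""Audit authorized_keys for keys that are not pinned to a source host.

Added example, not code from the thread.  Handles the SSH1 line layout
([options] bits exponent modulus [comment]) used in Matt's example and the
OpenSSH layout ([options] keytype base64 [comment]).
"""
import sys

# Constructed sample; moduli and base64 blobs are shortened placeholders.
SAMPLE_AUTHORIZED_KEYS = """\
# authorized_keys file
#
from="apollo.backplane.com" 1024 37 8123412340 cron@apollo
1024 37 9988776655 backup@somewhere
from="*.backplane.com,!evil.backplane.com",no-pty,command="/usr/local/bin/nightly" 1024 35 1234567890 nightly
from="*" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed== wide-open
restrict,from="admin.example.net" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed admin
"""

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")


def split_options(line):
    """Return (options, key_part).  A line has an options field only when it
    does not start with an SSH1 bit count or a key type; the split must track
    double quotes because a quoted option value may itself contain spaces."""
    if line[0].isdigit() or line.startswith(KEY_TYPE_PREFIXES):
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""  # options but no key material: the caller reports it


def parse_options(options):
    """Split the options field on unquoted commas into {name: value-or-None}.
    Commas inside a quoted value (a from= pattern list) are preserved."""
    result, current, in_quote = {}, [], False
    for ch in options + ",":
        if ch == '"':
            in_quote = not in_quote
            current.append(ch)
        elif ch == "," and not in_quote:
            item = "".join(current).strip()
            current = []
            if item:
                name, sep, value = item.partition("=")
                result[name.lower()] = value.strip('"') if sep else None
        else:
            current.append(ch)
    return result


def unrestricted(from_value):
    """True when the from= pattern list admits every host: the only positive
    pattern is a bare '*'.  Negated patterns alone admit nothing."""
    positives = [p.strip() for p in from_value.split(",") if not p.strip().startswith("!")]
    return bool(positives) and all(p == "*" for p in positives)


def audit(text):
    """Return [(line_no, label, finding)] for keys usable from any client."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, key = split_options(line)
        tokens = key.split()
        if not tokens:
            findings.append((n, "line %d" % n, "options without key material"))
            continue
        # The comment, if any, is the fourth token (SSH1) or the third (OpenSSH).
        comment_at = 3 if tokens[0].isdigit() else 2
        label = tokens[comment_at] if len(tokens) > comment_at else "line %d" % n
        src = parse_options(options).get("from")
        if src is None:
            findings.append((n, label, "no from= restriction: usable from any host"))
        elif unrestricted(src):
            findings.append((n, label, "from=%r matches every host" % src))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTHORIZED_KEYS
    for n, label, finding in audit(text):
        print("line %d (%s): %s" % (n, label, finding))
```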
Mike Thompson

At 10:28 AM 3/25/99 -0800, Matthew Dillon wrote:
>:Matthew,
>:
>:Another quick question. Under the configuration described below
>:can one system issue an ssh command from a script to another system
>:without having to include a password? We have automated scripts
>:that will run nightly that will run on one server and execute commands
>:on other servers using ssh. Supplying such a password to the
>:Kerberos kinit application before using ssh in such a script will be
>:problematic. I assume this is why you mentioned your use of the
>:"authorized_keys" files for limited purposes? Any other suggestions?
>:
>:Mike Thompson
>
>    You can always use ssh's authorized_keys mechanism, in which a user (or
>    root) on one machine gives root on another machine access via a keypair.
>    Typically, in order for this to work from cron, you cannot put a password
>    on the private key, so the administrative machine from which the ssh is
>    issued must be secure.
>
>    People sometimes forget that in a typical setup, if someone steals the
>    private key from machine A for which machine B has entered the public
>    key in its authorized_keys file, that person can use it to ssh to
>    machine B from anywhere. With ssh, you have to use the
>    'from="fulldomainname"' option *IN* the authorized_keys file to ensure
>    that the key authenticates *AND* that it is coming from a specific client.
>    e.g.
>
>    # authorized_keys file
>    #
>    from="apollo.backplane.com" 1024 37 8123412340...
>
>                                        -Matt
>                                        Matthew Dillon
>

From owner-freebsd-security Thu Mar 25 12:29:51 1999
Date: Thu, 25 Mar 1999 15:29:26 -0500
From: Brian Reichert
To: freebsd-security@FreeBSD.ORG
Subject: Re: xinetd vs. tcp_wrappers
Message-ID: <19990325152926.G1474@numachi.com>
In-Reply-To: <4.1.19990325145000.00b63100@mason.gmu.edu>; from Erik Gault on Thu, Mar 25, 1999 at 03:02:19PM -0500

On Thu, Mar 25, 1999 at 03:02:19PM -0500, Erik Gault wrote:
> I was interested in tightening up the security on my FreeBSD system
> and I'd read a bit about inetd not being particularly secure so I thought
> I'd look into what the options were for replacing it or putting additional
> software into place to improve the situation. I came across a number of
> inetd "replacements" including xinetd, netpipes, ucspi-tcp, etc. and also
> the tcp_wrappers program.

FWIW, I'm using ucspi-tcp to handle things here. I've pulled inetd off of all our machines.

Neither ucspi-tcp nor tcp_wrappers will launch UDP services, as far as I know.

There are slight behavioral differences between them. Their respective authors seem to be in a feud, and there was a recent spat on BUGTRAQ about those differences.

All of the tools listed solve different problems in slightly different ways; what are _your_ concerns?
> Erik

--
Brian 'you Bastard' Reichert                   reichert@numachi.com
37 Crystal Ave. #303                           Current daytime number: (603)-434-6842
Derry NH 03038-1713 USA                        Intel architecture: the left-hand path

From owner-freebsd-security Thu Mar 25 12:29:57 1999
Date: Thu, 25 Mar 1999 14:29:11 -0600 (CST)
From: Mike Jenkins
To: freebsd-security@FreeBSD.ORG
Subject: Re: xinetd vs. tcp_wrappers
Message-Id: <199903252029.OAA04252@carp.gbr.epa.gov>
In-Reply-To: <4.1.19990325145000.00b63100@mason.gmu.edu>

Last time I checked, NetBSD had compiled-in support for tcp_wrappers in inetd. Now that would be nice.
Mike

From owner-freebsd-security Thu Mar 25 12:33:20 1999
Date: Thu, 25 Mar 1999 12:32:49 -0800
From: bmah@CA.Sandia.GOV (Bruce A. Mah)
Reply-To: bmah@CA.Sandia.GOV
To: Matthew Dillon
Cc: freebsd-security@FreeBSD.ORG
Subject: sudo (was Re: Kerberos vs SSH)
Message-Id: <199903252032.MAA25377@stennis.ca.sandia.gov>
In-Reply-To: Your message of "Thu, 25 Mar 1999 10:36:55 PST." <199903251836.KAA00989@apollo.backplane.com>
X-Url: http://www.ca.sandia.gov/~bmah/

If memory serves me right, Matthew Dillon wrote:

>     We used sudo for a little while 3 years ago, but I decided that it was
>     too big a security risk and wiped it. sudo is one of the stupidest
>     programs I've ever seen.

I'd be curious to hear what you think sudo's shortcomings are, and why it merits being labeled as one of the stupidest programs you've ever seen?

Bruce.
From owner-freebsd-security Thu Mar 25 12:40:58 1999
Date: Thu, 25 Mar 1999 14:40:13 -0600
From: Jeff Marker
Reply-To: marker@uswest.net
To: freebsd-security@freebsd.org
Subject: Re: xinetd vs. tcp_wrappers
Message-Id: <19990325204041.951BF15371@hub.freebsd.org>
In-reply-to: Your message of "Thu, 25 Mar 1999 15:02:19 EST." <4.1.19990325145000.00b63100@mason.gmu.edu>

On Thu, 25 Mar 1999 15:02:19 -0500 egault@gmu.edu wrote:
>I found plenty of information on tcp_wrappers and one Web site with
>information on xinetd (http://xinetd.synack.net) but what I couldn't
>find (and what I'm most interested in) was opinions from
>knowledgeable folks about what the "best" way to replace or deal with
>inetd is. Anybody have strong feelings about this?

I'm sure that a lot of people have strong feelings about it. :) I don't, really. Will that invalidate my response?
>I sense tcp_wrappers is in widespread use but I couldn't get a feel
>for how widespread use of xinetd is. What do most security savvy
>system administrators use?

I'd have to guess that "most" use tcp_wrappers, because it's been around for a good while. I use both, but not together (there's a patch to xinetd that allows tcp_wrappers to be used, but i've not installed it.)

My understanding is that xinetd is meant to be a complete replacement for the inetd/tcp_wrappers bundle. As such, it is expected to have the functionality of both. I have, however, been unable to get xinetd to 1) send me mail when someone touches my machines in a way i've not said is ok, 2) do the "twisting" of the connection to a different service/host. However, i've not spent a whole lot of time at it, either.

Xinetd is nice because it can limit the number of instances of a specific service.

I think that i favor tcp_wrappers a little, but not enough to take sides in a holy war, or even enough to really press for it.

Hope i've made some sense.

Jeff
#include /* i speak for myself, not my company */
--
Jeff Marker                       US West Internet Services Operations
Former UNIX Guy                   600 Stinson Blvd.
marker@uswest.net                 Minneapolis, MN 55413-2620
"I claim only to be accurate, not right."

From owner-freebsd-security Thu Mar 25 12:44:43 1999
Date: Thu, 25 Mar 1999 12:44:03 -0800 (PST)
From: Matthew Dillon
Message-Id: <199903252044.MAA02527@apollo.backplane.com>
To: bmah@CA.Sandia.GOV (Bruce A.
 Mah)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sudo (was Re: Kerberos vs SSH)
References: <199903252032.MAA25377@stennis.ca.sandia.gov>

:
:> We used sudo for a little while 3 years ago, but I decided that it was
:> too big a security risk and wiped it. sudo is one of the stupidest
:> programs I've ever seen.
:
:I'd be curious to hear what you think sudo's shortcomings are, and why it
:merits being labeled as one of the stupidest programs you've ever seen?
:
:Bruce.

    Simple: Because the program is designed to poke holes through root and run specified programs. It's fairly easy to misconfigure it, and there is no guarantee that the programs it runs are themselves secure. sudo opens up a whole can of potential security problems.

                                        -Matt

From owner-freebsd-security Thu Mar 25 12:56:28 1999
Message-Id: <199903252056.MAA25581@stennis.ca.sandia.gov>
To: Matthew Dillon
Cc: bmah@california.sandia.gov (Bruce A. Mah), freebsd-security@FreeBSD.ORG
Subject: Re: sudo (was Re: Kerberos vs SSH)
In-Reply-To: Your message of "Thu, 25 Mar 1999 12:44:03 PST." <199903252044.MAA02527@apollo.backplane.com>
From: bmah@CA.Sandia.GOV (Bruce A.
 Mah)
Reply-To: bmah@CA.Sandia.GOV
Date: Thu, 25 Mar 1999 12:56:06 -0800

If memory serves me right, Matthew Dillon wrote:
> :
> :> We used sudo for a little while 3 years ago, but I decided that it was
> :> too big a security risk and wiped it. sudo is one of the stupidest
> :> programs I've ever seen.
> :
> :I'd be curious to hear what you think sudo's shortcomings are, and why it
> :merits being labeled as one of the stupidest programs you've ever seen?
> :
> :Bruce.
>
>     Simple: Because the program is designed to poke holes through
>     root and run specified programs. It's fairly easy to
>     misconfigure it, and there is no guarantee that the programs
>     it runs are themselves secure. sudo opens up a whole can of
>     potential security problems.

I prefer sudo to su if for no other reason than it eliminates the need for me to remember a bunch of root passwords for machines. I don't use the features that restrict what commands can be run, so I couldn't comment on those. Having command logging is nice also, but for me it's less to keep track of the Bad Guys than as a record of things I've done as root.

For me it fits the bill nicely, although your points are well taken.

Bruce.
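The command restrictions Bruce says he does not use are the part of sudo that Matt calls easy to misconfigure; as an added example, not from any poster, here is a small audit script that reads a sudoers file and flags rules that grant more than they appear to (ALL, programs that can launch other programs unless tagged NOEXEC, programs that can write arbitrary files, and wildcard arguments, which sudoers matches across whitespace). The program lists and the sample sudoers text are constructed for this example.

```python
"""Flag sudoers command rules that amount to broader access than intended.
Added example for this thread, not code from any poster; the program lists and
the sample sudoers below are constructed for illustration."""
import re
import shlex

# Programs that can launch other programs (editors, pagers, shells, interpreters,
# find -exec ...). The NOEXEC tag blocks that for dynamically linked binaries.
SPAWNERS = {"sh", "bash", "csh", "tcsh", "zsh", "vi", "vim", "ed", "emacs", "less",
            "more", "man", "find", "awk", "perl", "python", "env"}
# Programs that can create or overwrite any file as the run-as user; NOEXEC does
# not help here (prefer sudoedit for editing files as root).
WRITERS = {"vi", "vim", "ed", "emacs", "tee", "cp", "mv", "dd", "chmod", "chown"}

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.*)$")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*(.*)$")


def parse_sudoers(text):
    """Return (cmnd_aliases, rules); a rule is (user, host, runas, [entries]).
    Simplified for the example: no line continuations or User/Host aliases."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
            continue
        if line.startswith(("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if m:
            user, host, runas, cmds = m.groups()
            entries = [c.strip() for c in cmds.split(",") if c.strip()]
            rules.append((user, host, runas or "root", entries))
    return aliases, rules


def split_tags(entry):
    """Peel leading tags (NOPASSWD:, NOEXEC:, ...) off one command entry."""
    tags = set()
    while True:
        m = TAG_RE.match(entry)
        if not m:
            return tags, entry
        tags.add(m.group(1))
        entry = m.group(2)


def classify(cmd, tags):
    """Reasons one permitted command is effectively broader than it looks."""
    if cmd == "ALL":
        return ["ALL: unrestricted command execution"]
    argv = shlex.split(cmd)
    base = argv[0].rsplit("/", 1)[-1]
    reasons = []
    if base in SPAWNERS and "NOEXEC" not in tags:
        reasons.append("can run other programs (shell escape); consider NOEXEC or drop it")
    if base in WRITERS:
        reasons.append("can write arbitrary files as the run-as user; NOEXEC does not help")
    if any("*" in arg for arg in argv[1:]):
        reasons.append("wildcard argument: '*' also matches whitespace, so extra arguments pass")
    return reasons


def audit(text):
    """Return findings as (user, runas, command, reason) tuples."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for user, _host, runas, entries in rules:
        tags = set()  # a tag applies to every later command in the same list
        for entry in entries:
            new_tags, cmd = split_tags(entry)
            if "EXEC" in new_tags:
                tags.discard("NOEXEC")
            tags |= new_tags
            for resolved in aliases.get(cmd, [cmd]):
                findings.extend((user, runas, resolved, why) for why in classify(resolved, tags))
    return findings


SAMPLE = """\
# constructed sample, not a real configuration
Cmnd_Alias EDITORS = /usr/bin/vi, /usr/bin/emacs
Defaults env_reset
webmaster ALL = (root) /usr/bin/vi /usr/local/etc/httpd.conf
hostmaster ALL = NOPASSWD: /usr/sbin/ndc reload
ops ALL = (ALL) ALL
backup ALL = NOEXEC: EDITORS, /usr/bin/tee /var/log/*
"""

if __name__ == "__main__":
    for user, runas, cmd, why in audit(SAMPLE):
        print(f"{user} -> ({runas}) {cmd}: {why}")
```

On the constructed sample only the hostmaster rule passes clean; the webmaster editor rule, the ops ALL rule and the backup editors/tee rule are each reported.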
From owner-freebsd-security Thu Mar 25 12:57:11 1999
Date: Thu, 25 Mar 1999 12:56:33 -0800
From: Matthew Hunt
To: marker@uswest.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: xinetd vs. tcp_wrappers
Message-ID: <19990325125633.A11172@wopr.caltech.edu>
References: <4.1.19990325145000.00b63100@mason.gmu.edu> <19990325204041.951BF15371@hub.freebsd.org>
In-Reply-To: <19990325204041.951BF15371@hub.freebsd.org>; from Jeff Marker on Thu, Mar 25, 1999 at 02:40:13PM -0600

On Thu, Mar 25, 1999 at 02:40:13PM -0600, Jeff Marker wrote:

> Xinetd is nice because it can limit the number of instances of a
> specific service.

Note that FreeBSD's inetd can also do this.

Matt

--
Matthew Hunt               * Stay close to the Vorlon.
http://www.pobox.com/~mph/ *

From owner-freebsd-security Thu Mar 25 13:00:48 1999
Date: Thu, 25 Mar 1999 13:00:27 -0800 (PST)
From: Matthew Dillon
Message-Id: <199903252100.NAA02706@apollo.backplane.com>
To: Mike Thompson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
References: <4.1.19990325021717.0097e980@mail.dnai.com> <4.1.19990325120933.00ad08d0@mail.dnai.com>

:Matthew,
:
:In case you or anyone cares, here is the security scheme that
:I am developing for a web site application across a number of
:FreeBSD servers based on the information I have gathered in
:this thread.

    It's always interesting to hear how people deal with security issues.

:The design of our web application is to have a number of cooperating
:servers that communicate securely among themselves for management
:purposes -- generally calling Perl/shell scripts through ssh to
:accomplish a specific task. All servers would also be directly
:...
:
:To protect against such a penetration I intend to bind ssh to a
:reserved IP address (192.168.xxx.xxx) that each server will run
:behind a router (protecting against packet leakage). SSH logins
:on the servers Internet exposed IP address will not be permitted.
:Furthermore, each server will run IPFW (FreeBSD is great) to
:strictly limit what type of traffic can connect to a server from
:the Internet.
:Finally, we would not permit remote root ssh
:access because our web application runs completely in user
:space. Access only to the application user account is needed.

    SSH can also be configured to run a specific program - you can allow ssh access but you do not have to allow the client machine to get a shell. For example, if the purpose of the SSH link is to provide a secure channel between two perl scripts, you can configure sshd on the remote machine to run a specific perl script rather than allow the client to specify the script. You can then layer additional security within the protocol that the scripts talk to each other with, on top of the ssh security.

    You do this using the 'command' option in the authorized_keys file. For example:

    from="lander.backplane.com" command="/etc/adm/dodumps" 1024 35 230489234...

    This is very cool because you can use different keypairs for different command sets, and it enhances security somewhat by not giving the client access to a shell.

:Please feel free to comment on this security scheme. Any holes
:that people might find now will certainly save me development
:time and grief in the future.

    Just remember the old axiom: Firewalls are like IT manager's teddy bears: they give the higher-ups warm fuzzy feelings despite the fact that they don't actually *do* anything :-)

    Let me give you an example. And I hope Cisco (and others) have fixed this by now because it's been a known problem for a *long* time. Many years. Many firewalls fail to filter packets when you fragment a packet header. Think about it.

:Thanks again for everyone's help. I am certainly glad that
:I convinced my partners months ago to use FreeBSD for this
:project rather than that OS that is grabbing all the hype.
:
:Mike Thompson

                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Thu Mar 25 13:33:29 1999
Date: Thu, 25 Mar 1999 16:32:52 -0500 (EST)
From: David Gilbert
To: Mike Thompson
Cc: Matthew Dillon, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-ID: <14074.43908.398273.970148@trooper.velocet.ca>
In-Reply-To: <4.1.19990325120933.00ad08d0@mail.dnai.com>
References: <4.1.19990325021717.0097e980@mail.dnai.com> <4.1.19990325120933.00ad08d0@mail.dnai.com>

>>>>> "Mike" == Mike Thompson writes:

Mike> The only way that I can see to make this even more secure would
Mike> be to run two NICs on each server so secured IP packets are
Mike> never co-mingled with Internet IP packets, even behind a router.
Mike> However, this is something that we would not like to do because
Mike> it doubles the cost of our network hardware and increases
Mike> complexity. The cost per server (both hardware and software) is
Mike> a critical factor in whether our business succeeds.

I don't believe that this is "more secure". It is simply "less dependent" on the "correctness" of ipfw (in essence creating a hardware separation in lieu of a software one).

The big hole in your design is that access to one machine implies access to all machines.
Once someone gains access (through whatever means) to one machine, they can roam around freely amongst many machines. To prevent this, you would want to pass authenticated (not necessarily encrypted) commands back and forth between the servers such that any one server could only invoke a certain narrow number of commands on another. You could do this with ssl web servers, for instance.

I suppose, from a security standpoint, I'm saying that you're breaking the "least privilege" principle. Obviously, one server doesn't/shouldn't need to be a complete bona fide user on another server.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Thu Mar 25 13:35:58 1999
Date: Thu, 25 Mar 1999 16:35:35 -0500 (EST)
From: David Gilbert
Message-ID: <14074.44071.183931.902457@trooper.velocet.ca>
To: Matthew Dillon
Cc: bmah@CA.Sandia.GOV (Bruce A.
 Mah), freebsd-security@FreeBSD.ORG
Subject: Re: sudo (was Re: Kerberos vs SSH)
In-Reply-To: <199903252044.MAA02527@apollo.backplane.com>
References: <199903252032.MAA25377@stennis.ca.sandia.gov> <199903252044.MAA02527@apollo.backplane.com>

>>>>> "Matthew" == Matthew Dillon writes:

Matthew> Simple: Because the program is designed to poke holes
Matthew> through root and run specified programs. It's fairly easy to
Matthew> misconfigure it, and there is no guarantee that the programs
Matthew> it runs are themselves secure. sudo opens up a whole can of
Matthew> potential security problems.

Well... in that respect, sudo is simply pointing out how stupid the UN*X security model is once you get beyond one or two sysadmins working on a group of machines. Security itself isn't easy to configure.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Thu Mar 25 13:44:40 1999
Date: Thu, 25 Mar 1999 23:43:44 +0200
From: Sheldon Hearn
To: Matthew Dillon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-ID: <35771.922398224@axl.noc.iafrica.com>
In-reply-to: Your message of "Thu, 25 Mar 1999 10:38:41 PST." <199903251838.KAA01021@apollo.backplane.com>

On Thu, 25 Mar 1999 10:38:41 PST, Matthew Dillon wrote:

>     I would second this request. We've been using KRB5 for almost a
>     year now, possibly even longer.

Mark! Mark! He's our man!
If he can't do it
Who the hell can?

Later,

Sheldon.

From owner-freebsd-security Thu Mar 25 13:52:27 1999
From: Sheldon Hearn
To: Erik Gault
Cc: freebsd-security@freebsd.org
Subject: Re: xinetd vs.
 tcp_wrappers
In-reply-to: Your message of "Thu, 25 Mar 1999 15:02:19 EST." <4.1.19990325145000.00b63100@mason.gmu.edu>
Date: Thu, 25 Mar 1999 23:51:39 +0200
Message-ID: <44669.922398699@axl.noc.iafrica.com>

On Thu, 25 Mar 1999 15:02:19 EST, Erik Gault wrote:

> [...] I'd read a bit about inetd not being particularly secure so
> I thought I'd look into what the options were for replacing it or
> putting additional software into place to improve the situation.

Hi Erik,

Now that you've received a few interesting answers from people who aren't following current FreeBSD development, let me tell you what's happening. :-)

The tcp_wrappers package is in the process of being incorporated into the base system. Our inetd is in the process of being taught how to link against and use libwrap (like NetBSD's inetd). Once that's done, FreeBSD will sport one of the coolest inetds on the block.

Follow the freebsd-current mailing list for updates on this story.

Ciao,
Sheldon.

From owner-freebsd-security Thu Mar 25 14:05:03 1999
In-Reply-To: <199903252044.MAA02527@apollo.backplane.com>
References: <199903252032.MAA25377@stennis.ca.sandia.gov>
Date: Thu, 25 Mar 1999 17:05:18 -0500
To: Matthew Dillon, bmah@CA.Sandia.GOV (Bruce A.
 Mah)
From: Garance A Drosihn
Subject: Re: sudo (was Re: Kerberos vs SSH)
Cc: freebsd-security@FreeBSD.ORG

>: I'd be curious to hear what you think sudo's shortcomings are, and
>: why it merits being labeled as one of the stupidest programs you've
>: ever seen?
>
>     Simple: Because the program is designed to poke holes through
>     root and run specified programs. It's fairly easy to misconfigure
>     it, and there is no guarantee that the programs it runs are
>     themselves secure. sudo opens up a whole can of potential
>     security problems.

When working with lots of sysadmins and lots of machines, sudo is a very useful tool. At least, it (or programs like it) are better than other alternatives.

It beats making executables setuid, for instance.
It beats having lots of different people with the password to root, and the ability to run *anything* and do *anything* that they want.

Just my 2 cents worth...

---
Garance Alistair Drosehn      =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer        or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Thu Mar 25 14:18:27 1999
Date: Thu, 25 Mar 1999 14:18:05 -0800 (PST)
From: Matthew Dillon
Message-Id: <199903252218.OAA03395@apollo.backplane.com>
To: Garance A Drosihn
Cc: bmah@CA.Sandia.GOV (Bruce A.
 Mah), freebsd-security@FreeBSD.ORG
Subject: Re: sudo (was Re: Kerberos vs SSH)
References: <199903252032.MAA25377@stennis.ca.sandia.gov>

:is a very useful tool. At least, it (or programs like it) are
:better than other alternatives.
:
:It beats making executables setuid, for instance.
:It beats having lots of different people with the password to
:root, and the ability to run *anything* and do *anything* that
:they want.
:
:Just my 2 cents worth...

    This is my view: If you can't trust someone to know what to do with root access, you don't give it to him. At all. Not one tidbit. Not even sudo. If you can trust someone, you give them root access via ksu. There is no 'grey area' with me.

    Anything that 'requires' someone to run something as root where someone != sysop is a misconfiguration. For example, you don't give the webmaster root, you run the WWW server under a uid that the webmaster has access to, and if you want to protect certain parts of that further, you make certain portions of that tree owned by root (including the 'home' directory).

    Another example: DNS zone files are mostly owned by root and placed in a special group, modes 664. The most critical zone files and the automatically generated ones can be owned by root modes 644. The hostmasters do not have root, but they are placed in the appropriate group in order to be able to do their job re: the zone files.

    There are lots of cute tricks that can be played with group perms. For example, mode 1770 directories owned by root.
                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Thu Mar 25 14:25:09 1999
Date: Thu, 25 Mar 1999 14:24:40 -0800 (PST)
From: Matthew Dillon
Message-Id: <199903252224.OAA03520@apollo.backplane.com>
To: David Gilbert
Cc: bmah@CA.Sandia.GOV (Bruce A. Mah), freebsd-security@FreeBSD.ORG
Subject: Re: sudo (was Re: Kerberos vs SSH)
References: <199903252032.MAA25377@stennis.ca.sandia.gov> <199903252044.MAA02527@apollo.backplane.com> <14074.44071.183931.902457@trooper.velocet.ca>

:
:>>>>> "Matthew" == Matthew Dillon writes:
:
:Matthew> Simple: Because the program is designed to poke holes
:Matthew> through root and run specified programs. It's fairly easy to
:Matthew> misconfigure it, and there is no guarantee that the programs
:Matthew> it runs are themselves secure. sudo opens up a whole can of
:Matthew> potential security problems.
:
:Well... in that respect, sudo is simply pointing out how stupid the
:UN*X security model is once you get beyond one or two sysadmins
:working on a group of machines. Security itself isn't easy to
:configure.
:
:Dave.

    If these are sysadmins and they need access to critical root-only portions of the machine, you have to give it to them. No magical security model is going to make that problem go away. UNIX is being pragmatic about it.

    It's just plain silly to run things as root that don't need to be run as root. So don't!
Then the only people who need root are the ones that need to be able
to work on the guts of the machine.

-Matt
Matthew Dillon

:
:--
:============================================================================
:|David Gilbert, Velocet Communications.  | Two things can only be       |
:|Mail:  dgilbert@velocet.net             | equal if and only if they    |
:|http://www.velocet.net/~dgilbert        | are precisely opposite.      |
:=========================================================GLO================
:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 25 15:21:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eagle.aitken.com (eagle.aitken.com [209.249.97.250]) by hub.freebsd.org (Postfix) with ESMTP id E2DFA14FAF for ; Thu, 25 Mar 1999 15:21:29 -0800 (PST) (envelope-from jaitken@aitken.com)
Received: (from jaitken@localhost) by eagle.aitken.com (8.9.1a/8.9.1) id SAA07455; Thu, 25 Mar 1999 18:20:51 -0500
From: Jeff Aitken
Message-Id: <199903252320.SAA07455@eagle.aitken.com>
Subject: Re: sudo (was Re: Kerberos vs SSH)
In-Reply-To: from Garance A Drosihn at "Mar 25, 1999 05:05:18 pm"
To: drosih@rpi.edu (Garance A Drosihn)
Date: Thu, 25 Mar 1999 18:20:50 -0500 (EST)
Cc: dillon@apollo.backplane.com, bmah@CA.Sandia.GOV, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL53 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> When working with lots of sysadmin's and lots of machines, sudo
> is a very useful tool.  At least, it (or programs like it) are
> better than other alternatives.
>
> It beats making executables setuid, for instance.
> It beats having lots of different people with the password to
> root, and the ability to run *anything* and do *anything* that
> they want.
Out of curiosity, to what programs do you typically grant people
sudo access?  Is it not true that most "useful" programs a sysadmin
might need to do his job contain some way of exec'ing another
program?  For example, you can't use sudo to grant access to a text
editor of any sort without implicitly giving full root access.

What else do you want done as root that doesn't have a similar
problem?  Change someone's password?  Add a user?  Each of these can
be trivially exploited to gain full root access.

I'm not saying it is useless, but I do wonder about the practical
benefits of the sudo/super approach.  Are you using it to provide
additional security or are you just trying to prevent accidental
mistakes as root?

--Jeff

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 25 15:46:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (Postfix) with ESMTP id D8185154FF for ; Thu, 25 Mar 1999 15:46:43 -0800 (PST) (envelope-from jwyatt@RWSystems.net)
Received: from kasie.rwsystems.net([209.197.192.103]) (2455 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 25 Mar 1999 17:22:23 -0600 (CST) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24)
Date: Thu, 25 Mar 1999 17:22:22 -0600 (CST)
From: James Wyatt
To: Matthew Dillon
Cc: "Bruce A. Mah" , freebsd-security@FreeBSD.ORG
Subject: Re: sudo (was Re: Kerberos vs SSH)
In-Reply-To: <199903252044.MAA02527@apollo.backplane.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Matthew Dillon wrote:
> :> We used sudo for a little while 3 years ago, but I decided that it was
> :> too big a security risk and wiped it.  sudo is one of the stupidest
> :> programs I've ever seen.
Bruce replied:
> :I'd be curious to hear what you think sudo's shortcomings are, and why it
> :merits being labeled as one of the stupidest programs you've ever seen?

Matthew replied:
> Simple: Because the program is designed to poke holes through root and
> run specified programs.  It's fairly easy to misconfigure it, and there is
> no guarantee that the programs it runs are themselves secure.  sudo opens
> up a whole can of potential security problems.

Not the answer I expected.  How are these different from giving the user
the root password?  The programs are run similarly - except that root's
path almost never has '.'?  It is easy to forget that some programs like
'vi' can do shell work, allowing the user to use *any* program, not just
what they have been allowed to use.

With a group of admins, I can revoke *any* one of them while keeping them
around without 'sharing' new root passwords.  It also logs which programs
which users run; /bin/su does not - root command history is global.  I can
anoint a contractor or vendor's account for an emergency and de-anoint
later, while still allowing them to view operation.

The thing I don't like about it is that it makes programs like linsniffer
more effective.  It looks at TCP startups of telnet, FTP, pop, etc... and
very nicely captures their password.  Capturing root passwords from users
'su'-ing requires a *lot* more advanced sniffer or cracker intervention.
This easily captured password is sufficient for root access if the user
is allowed to do anything that might gain them shell.
- Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 25 16:29:21 1999
Delivered-To: freebsd-security@freebsd.org
Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (Postfix) with ESMTP id A9F2B15346 for ; Thu, 25 Mar 1999 16:29:03 -0800 (PST) (envelope-from jwyatt@RWSystems.net)
Received: from kasie.rwsystems.net([209.197.192.103]) (1150 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 25 Mar 1999 18:24:45 -0600 (CST) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24)
Date: Thu, 25 Mar 1999 18:24:34 -0600 (CST)
From: James Wyatt
To: Jeff Aitken
Cc: Garance A Drosihn , dillon@apollo.backplane.com, bmah@CA.Sandia.GOV, freebsd-security@FreeBSD.ORG
Subject: Re: sudo (was Re: Kerberos vs SSH)
In-Reply-To: <199903252320.SAA07455@eagle.aitken.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 25 Mar 1999, Jeff Aitken wrote:
> I'm not saying it is useless, but I do wonder about the practical
> benefits of the sudo/super approach.  Are you using it to provide
> additional security or are you just trying to prevent accidental
> mistakes as root?

Since I usually run as myself, I frequently type 'sudo !!' under bash or
csh/tcsh as a kind of 'Simon says' when it tells me I'm not root...
8{)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 25 16:32:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail1.its.rpi.edu (mail1.its.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id 46EDA14D03 for ; Thu, 25 Mar 1999 16:32:23 -0800 (PST) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail1.its.rpi.edu (8.8.8/8.8.6) with ESMTP id TAA95618; Thu, 25 Mar 1999 19:32:02 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Sender: drosih@pop1.rpi.edu
Message-Id:
In-Reply-To: <199903252320.SAA07455@eagle.aitken.com>
References: from Garance A Drosihn at "Mar 25, 1999 05:05:18 pm"
Date: Thu, 25 Mar 1999 19:32:48 -0500
To: Jeff Aitken
From: Garance A Drosihn
Subject: Re: sudo (was Re: Kerberos vs SSH)
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 6:20 PM -0500 3/25/99, Jeff Aitken wrote:
> Out of curiosity, to what programs do you typically grant people
> sudo access?  Is it not true that most "useful" programs a sysadmin
> might need to do his job contain some way of exec'ing another
> program?  For example, you can't use sudo to grant access to a text
> editor of any sort without implicitly giving full root access.

Anyone allowing 'sudo vi' deserves what they get, the same way that
anyone pasting their root password on their monitor deserves what they
get.  Why do we bother with passwords at all, if there are people who
do stupid things with passwords?

We give sudo access to something like 'lpc', for starting or stopping
printer queues.  Or we have special reboot scripts (yes, scripts).
We'll trust people to do reboots as they feel necessary (particularly
since sudo will log the action), but not give out root access to a few
dozen part-time students who work in our help desk.
Similarly we have programs to fix one odd problem or another (such as
"restarting portmap", which is a recent problem on our AIX boxes), and
those part-time students might be allowed to do that.

We admin some unix machines that we do not own.  We give the owner (and
maybe their grad students) access to a few things they need access to,
and rightfully deserve access to, without having to worry about them
"fixing" some problem in a way that breaks some of our automatic
procedures.  And we can do this without having to keep track of
hundreds of different passwords for root (on different unix machines).

And even when it's someone we trust, like, say, *ME*, there is an
advantage to using sudo.  An 'rm *' in the wrong window (such as a
'su'-ed window) isn't quite as catastrophic.  Yes, a 'sudo rm *' can be
bad news, but I am not likely to type sudo unless I'm really sure I
need special privs for something.  It also means we have a log of priv
commands done, useful when something goes haywire and you think 'uh,
what just happened?'.  (remember, we're in an environment with multiple
sysadmins, since we are dealing with a few hundred unix workstations
running solaris, aix, or irix).

In some environments sudo may seem pointless, but in other situations
it can be quite helpful.
---
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer          or  drosih@rpi.edu
Rensselaer Polytechnic Institute

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 25 16:37:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail1.its.rpi.edu (mail1.its.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id A61371546B for ; Thu, 25 Mar 1999 16:37:25 -0800 (PST) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail1.its.rpi.edu (8.8.8/8.8.6) with ESMTP id TAA132832; Thu, 25 Mar 1999 19:36:59 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Sender: drosih@pop1.rpi.edu
Message-Id:
In-Reply-To:
References: <199903252044.MAA02527@apollo.backplane.com>
Date: Thu, 25 Mar 1999 19:37:46 -0500
To: James Wyatt
From: Garance A Drosihn
Subject: Re: sudo (was Re: Kerberos vs SSH)
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 5:22 PM -0600 3/25/99, James Wyatt wrote:
> The thing I don't like about it is that it makes programs like
> linsniffer more effective.  It looks at TCP startups of telnet,
> FTP, pop, etc... and very nicely captures their password.
> Capturing root passwords from users 'su'-ing requires a *lot*
> more advanced sniffer or cracker intervention.

No, it only requires that someone sit down and decide to do it.
Conceptually it isn't all that hard to look for "password" in a telnet
stream, and keep the packets seen before and after that.  The only
protection for things like that is to use encryption for the session
(ssh or kerberos), or use switches that greatly reduce the number of
packets that can be seen from a given (hacker's) computer.
---
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer          or  drosih@rpi.edu
Rensselaer Polytechnic Institute

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 25 16:39:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id 8884C15259 for ; Thu, 25 Mar 1999 16:39:40 -0800 (PST) (envelope-from sheldonh@axl.noc.iafrica.com)
Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 2.12 #1) id 10QKeG-000CwS-00; Fri, 26 Mar 1999 02:38:56 +0200
From: Sheldon Hearn
To: Garance A Drosihn
Cc: Jeff Aitken , freebsd-security@FreeBSD.ORG
Subject: Re: sudo
In-reply-to: Your message of "Thu, 25 Mar 1999 19:32:48 EST."
Date: Fri, 26 Mar 1999 02:38:56 +0200
Message-ID: <49751.922408736@axl.noc.iafrica.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 25 Mar 1999 19:32:48 EST, Garance A Drosihn wrote:

> Or we have special reboot scripts (yes, scripts).  We'll trust people
> to do reboots as they feel necessary

You don't believe that a reboot's as good as a root? :-)

Anyway, this is yet another discussion going nowhere in a hurry.  Sudo
is like any other tool.  If you use it without understanding it, you're
stuffing your own balls in your mouth.  Sooner or later, you'll get the
upper-cut that ends your game. :-)

Is it my imagination, or are the discussions here getting stupider?

Ciao,
Sheldon.
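A sudoers audit in the spirit of the thread above (Aitken's point that editors and other exec-capable programs hand over full root, Gilbert's pinning of mount's arguments, Drosihn's lpc and reboot-script rules), added here as an example; it is none of the posters' code and not part of sudo. It parses a simplified, assumed subset of the sudoers rule syntax; the NOEXEC tag and sudoedit it refers to are later sudo features that did not exist in 1999, and the program lists and sample rules are constructed.

```python
import re
import shlex

# Programs from which another program can be started (an editor's ":!",
# a pager's "!", a shell itself).  Constructed starting list, not complete.
EDITORS = {"vi", "vim", "view", "ex", "ed", "emacs", "nano"}
SHELL_ESCAPES = EDITORS | {
    "sh", "bash", "csh", "tcsh", "ksh", "zsh", "su", "less", "more",
    "man", "find", "perl", "python", "awk", "gdb",
}

# "who  host = [(runas)] [TAG:] cmd [args], ..."  (assumed simplified subset)
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?P<rhs>.+)$")
RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")
TAG_RE = re.compile(r"^(?P<tag>[A-Z]+):\s*(?P<rest>.*)$")


def parse_rule(line):
    """Parse one simplified sudoers line into (who, host, specs).

    Each spec is {'runas', 'tags', 'cmd', 'args'}.  Blank and comment-only
    lines return None; anything outside the subset raises ValueError.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unparseable rule: %r" % line)
    specs = []
    for spec in m.group("rhs").split(","):
        spec = spec.strip()
        runas = None
        r = RUNAS_RE.match(spec)
        if r:
            runas, spec = r.group("runas"), r.group("rest")
        tags = set()
        t = TAG_RE.match(spec)
        while t:
            tags.add(t.group("tag"))
            spec = t.group("rest")
            t = TAG_RE.match(spec)
        words = shlex.split(spec)
        if not words:
            raise ValueError("empty command spec in %r" % line)
        specs.append({"runas": runas, "tags": tags,
                      "cmd": words[0], "args": words[1:]})
    return m.group("who"), m.group("host"), specs


def audit_spec(who, spec):
    """Return (severity, who, message) findings for one command spec."""
    cmd, tags = spec["cmd"], spec["tags"]
    target = spec["runas"] or "root"
    base = cmd.rsplit("/", 1)[-1]
    out = []
    if cmd.startswith("!"):
        # "ALL, !/bin/sh" style exclusions: subtracting a list of shells
        # from ALL does not bound what the remaining programs can do.
        return [("INFO", who, "negated entry %s does not make ALL safe" % cmd)]
    if cmd == "ALL":
        return [("HIGH", who, "ALL grants an unrestricted shell as %s" % target)]
    if base in EDITORS:
        if "NOEXEC" in tags:
            out.append(("MEDIUM", who, "%s under NOEXEC cannot spawn programs but "
                        "can still write any file as %s; prefer sudoedit" % (cmd, target)))
        else:
            out.append(("HIGH", who, "%s can shell-escape; equivalent to full %s" % (cmd, target)))
    elif base in SHELL_ESCAPES and "NOEXEC" not in tags:
        out.append(("HIGH", who, "%s can exec other programs; equivalent to full %s" % (cmd, target)))
    if not spec["args"]:
        # In sudoers a command given without arguments matches *any* arguments.
        out.append(("INFO", who, '%s accepts any arguments; pin them or use ""' % cmd))
    return out


def audit(text):
    """Audit a whole sudoers-style text; returns the list of findings."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        who, _host, specs = parsed
        for spec in specs:
            findings.extend(audit_spec(who, spec))
    return findings


# Constructed sample mirroring the thread: lpc and a reboot script for the
# help desk, pinned mount arguments, and a few grants one should not make.
SAMPLE_SUDOERS = """\
# constructed sample, not any real site's sudoers
%helpdesk  ALL = /usr/sbin/lpc, /usr/local/sbin/reboot-host ""
%ops       ALL = /sbin/mount /dev/fd[01]a /a, /sbin/umount /a
webmaster  ALL = /usr/bin/vi /usr/local/etc/httpd/httpd.conf
dba        ALL = (oracle) ALL
jr_admin   ALL = NOEXEC: /usr/bin/vi /etc/motd
"""

if __name__ == "__main__":
    for sev, who, msg in audit(SAMPLE_SUDOERS):
        print("%-6s %-10s %s" % (sev, who, msg))
```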
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 25 17:29: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id B1F3514E95; Thu, 25 Mar 1999 17:28:56 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id RAA16946; Thu, 25 Mar 1999 17:27:45 -0800 (PST)
Received: from utah.XYLAN.COM by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id RAA03700; Thu, 25 Mar 1999 17:27:44 -0800
Received: from softweyr.com by utah.XYLAN.COM (SMI-8.6/SMI-SVR4 (xylan utah [SPOOL])) id SAA20523; Thu, 25 Mar 1999 18:27:36 -0700
Message-ID: <36FAE278.9740546D@softweyr.com>
Date: Thu, 25 Mar 1999 18:27:20 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: junkmale@xtra.co.nz
Cc: Julian Assange , Gary Palmer , freebsd-security@FreeBSD.ORG
Subject: Re: Strange behaviour ...
References: <19990325191529.ZUES4957949.mta1-rme@wocker>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dan Langille wrote:
>
> On 25 Mar 99, at 8:48, Wes Peters wrote:
>
> > Julian Assange wrote:
> > >
> > > "Dan Langille" writes:
> > >
> > > > Wojtek wrote in message ID
> > > > > :
> > > > > > i advise you to switch to 3.1 as soon as You can.
> > > > > > afaik strange things happen on 3.0 release... very strange...
> > > > >
> > > > > We had our first report of abduction of someone running 3.0-RELEASE by
> > > > > a UFO this morning.
> > > >
> > > > Yes, but how many went unreported?
> > > >
> > >
> > > :)
> >
> > That was an old thread.  Exactly WHERE have you been for the last
> > several weeks, Julian?  Do you even recall?
> >
> > ;^)
>
> /me points at Julian
>
> He *must* be one of the 'them' now!

Aaaaaaaaauuuuuuuuuuuuuuuuugggggggggggggggghhhhhhhhhhhhhhhhhhhhh!

Invasion of the Kernel Snatchers!

--
Where am I, and what am I doing in this handbasket?

Wes Peters                                                +1.801.915.2061
Softweyr LLC                                             wes@softweyr.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 25 18:10:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from trooper.velocet.ca (host-034.canadiantire.ca [209.146.201.34]) by hub.freebsd.org (Postfix) with ESMTP id 427FA14D21 for ; Thu, 25 Mar 1999 18:10:04 -0800 (PST) (envelope-from dgilbert@trooper.velocet.ca)
Received: (from dgilbert@localhost) by trooper.velocet.ca (8.8.7/8.8.7) id VAA12137; Thu, 25 Mar 1999 21:09:36 -0500 (EST)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14074.60512.17143.428754@trooper.velocet.ca>
Date: Thu, 25 Mar 1999 21:09:36 -0500 (EST)
To: Jeff Aitken
Cc: drosih@rpi.edu (Garance A Drosihn), dillon@apollo.backplane.com, bmah@CA.Sandia.GOV, freebsd-security@FreeBSD.ORG
Subject: Re: sudo (was Re: Kerberos vs SSH)
In-Reply-To: <199903252320.SAA07455@eagle.aitken.com>
References: <199903252320.SAA07455@eagle.aitken.com>
X-Mailer: VM 6.62 under Emacs 19.34.2
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "Jeff" == Jeff Aitken writes:

Jeff> Out of curiosity, to what programs do you typically grant people
Jeff> sudo access?  Is it not true that most "useful" programs a
Jeff> sysadmin might need to do his job contain some way of exec'ing
Jeff> another program?  For example, you can't use sudo to grant
Jeff> access to a text editor of any sort without implicitly giving
Jeff> full root access.

There are a number of cool things you can do.
One thing you can do with sudo is specify (exactly or with a regular
expression) the arguments that someone is allowed to call a command
with.  One common one we have on our workstations is:

    mount /dev/fd[01]a /a
    umount /a

Another use we put it to is allowing people with less privs to run
scripts which operate as root.  Account management and other mundane
tasks.  Sudo allows you to protect the environment of the called script
such that sane restrictions can be made on what it can do.  This
obviously requires a lot of effort... and is easily done wrong, but is
highly useful in freeing up time of higher level admins.

There is also a strong notion of grouping in sudo... and I usually
divide people into 3 groups: the world is generally untrusted --- they
will try to hack you; the trusted user (who possibly owns the box)
without much experience --- you are trying to prevent him from doing
something dumb enough to create work for you; and the fully trusted
employee where it's just easier not to have root passwords given to
everyone.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.  | Two things can only be       |
|Mail:  dgilbert@velocet.net             | equal if and only if they    |
|http://www.velocet.net/~dgilbert        | are precisely opposite.      |
=========================================================GLO================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 25 18:10:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from dnai.com (dnai.com [207.181.194.98]) by hub.freebsd.org (Postfix) with ESMTP id 723B9153C0 for ; Thu, 25 Mar 1999 18:10:27 -0800 (PST) (envelope-from miket@dnai.com)
Received: from einstein (dnai-207-181-255-45.dialup.dnai.com [207.181.255.45]) by dnai.com (8.8.8/8.8.8) with SMTP id SAA21824; Thu, 25 Mar 1999 18:09:31 -0800 (PST)
Message-Id: <4.1.19990325180802.00a23d90@mail.dnai.com>
X-Sender: miket@mail.dnai.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Thu, 25 Mar 1999 18:08:42 -0800
To: David Gilbert
From: Mike Thompson
Subject: Re: Kerberos vs SSH
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <14074.43908.398273.970148@trooper.velocet.ca>
References: <4.1.19990325120933.00ad08d0@mail.dnai.com> <4.1.19990325021717.0097e980@mail.dnai.com> <4.1.19990325120933.00ad08d0@mail.dnai.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Point well taken.  I'll attempt to modify the design to prevent access
to one server automatically implying access to all servers.

Mike

At 04:32 PM 3/25/99 -0500, David Gilbert wrote:
>The big hole in your design is that access to one machine implies
>access to all machines.  Once someone gains access (through whatever
>means) to one machine, they can roam around freely amongst many
>machines.
>
>To prevent this, you would want to pass authenticated (not
>necessarily encrypted) commands back and forth between the servers
>such that any one server could only invoke a certain narrow number of
>commands on another.  You could do this with ssl web servers, for
>instance.
>
>I suppose, from a security standpoint, I'm saying that you're breaking
>the "least privilege" principle.  Obviously, one server
>doesn't/shouldn't need to be a complete bona fide user on another
>server.
>
>Dave.
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 25 20:37:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id 1545214D2A for ; Thu, 25 Mar 1999 20:37:03 -0800 (PST) (envelope-from jflowers@ezo.net)
Received: from crocus (c3-1d196.neo.rr.com [24.93.233.196]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id XAA05442 for ; Thu, 25 Mar 1999 23:36:43 -0500 (EST)
Message-ID: <002101be7742$400997f0$23b197ce@ezo.net>
From: "Jim Flowers"
To:
Subject: Fw: Skip configuration
Date: Thu, 25 Mar 1999 23:36:43 -0500
Organization: EZNets, Inc.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

----- Original Message -----
From: Jim Flowers
To: Jean M. Vandette
Sent: Thursday, March 25, 1999 11:35 PM
Subject: Re: Skip configuration

> Easier to analyze with info on both ends but I infer that you have:
>
> =============10.10.10.0/24======ethernet
>               |
>             [mtl] #.#.#.# KeyID 6b9d...
>               |
>           {Internet}
>               |
>             [tor] 209.167.132.39 KeyID c79f...
>               |
> =============10.10.11.0/24======ethernet
>
> Most of your setup looks OK.  I would also add the skiphosts to your ACLs on
> both ends:
>
> On mtl:
>
> skiphost -a 209.167.132.39 -k DES-EDE-K3 -t DES-CBC -m MD5 -s 8 -r 8 -R
> 0xc79...
>
> On tor:
>
> skiphost -a #.#.#.# -k DES-EDE-K3 -t DES-CBC -m MD5 -s 8 -r 8 -R 0x6b9d...
>
> If you only have one key for each skiphost, it is in slot 0 and you don't
> need to include the sender KeyID.  It is very important, however, that the
> keys on both ends have the same length and that they are generated with both
> skiphosts having the correct time and date and timezone set first.
>
> I also recommend using `tcpdump proto 57 or host skiphost.address` to see
> what is happening (may require rebuilding kernel with bpfilter).
>
> Here is my general procedure:
>
> On skiphost A
>
> 1. Set timezone with `/stand/sysinstall`.
> 2. Set time/date with `ntpdate isp.ntp.server`.
> 3. Delete all local keys with `skiplocal rm slot`.
> 4. Make one new key with length M using `skiplocal keygen -m M`.
> 5. Generate script with `skiplocal export > add_A`.
> 6. Copy for a template with `cp add_A add_A_net`.
> 7. Edit add_A_net to put in the network and netmask and identify the
>    tunnel
>      Original: skiphost -a skip.host.B.address ...
>      Edited:   skiphost -a sub.net.B.address -M sub.net.B.netmask -A
>                skip.host.B.address ...
> 8. ftp add_A and add_A_net to skiphost B.
> 9. `skiphost -a default`
> 10. `skiphost -a sub.net.A.address -M sub.net.A.netmask`
> 11. `sh add_B`
> 12. `sh add_B_net`
> 13. `skipif -s`
> 14. `skipd_restart`
>
> On skiphost B
>
> 1. Set timezone with `/stand/sysinstall`.
> 2. Set time/date with `ntpdate isp.ntp.server`.
> 3. Delete all local keys with `skiplocal rm slot`.
> 4. Make one new key with length M (SAME AS ON A) using `skiplocal
>    keygen -m M`.
> 5. Generate script with `skiplocal export > add_B`.
> 6. Copy for a template with `cp add_B add_B_net`.
> 7. Edit add_B_net to put in the network and netmask and identify the
>    tunnel
>      Original: skiphost -a skip.host.A.address ...
>      Edited:   skiphost -a sub.net.A.address -M sub.net.A.netmask -A
>                skip.host.A.address ...
> 8. ftp add_B and add_B_net to skiphost A.
> 9. `skiphost -a default`
> 10. `skiphost -a sub.net.B.address -M sub.net.B.netmask`
> 11. `sh add_A`
> 12. `sh add_A_net`
> 13. `skipif -s`
> 14. `skipd_restart`
>
> The reason for saving it all before turning it on is so that you can have
> someone at the far end just boot the machine when it doesn't work and it
> will come up OK.  Once you're confident that you're through with debugging
> you can save it with SKIP turned on.
>
> I also find it convenient to telnet to an intermediate device and from there
> to the distant skiphost so that my telnet session will not be interrupted by
> an erroneous entry.
>
> Now just issue `skiphost -o on` for the distant skiphost and then the local
> skiphost and you should be up and tunneling.
>
> If it still doesn't work it could be that some intermediate isp is not
> forwarding your packets in one direction or the other because they have
> non-routable addresses as the source address (might be an indication of an
> attacker).  Use the -f flag in the most recent ports to specify the address
> of the local skiphost as the source.  Something like:
>
> skiphost -a 10.10.11.0 -M 255.255.255.0 -A 209.167.132.39 -k DES-EDE-K3 -t
> DES-CBC -m MD5 -s 8 -r 8 -R 0xc79f... -f #.#.#.#
>
> This could well be the cause given that you can communicate skiphost to
> skiphost OK.  The only place I have run into this, however, is Taiwan and on
> my TWC RoadRunner cable system at home.
>
> Finally, do remember that the hosts on the network have to know how to get
> back to the skiphost in order to respond so you should be using routed or
> gated or have them configured with static routes for each distant network or
> a default route pointing back to the skiphost.  If you have them all
> pointing at some other machine then it should know to route responses back
> to the skiphost.
>
> That pretty well covers the lot.  I would say that more than 70% of the
> problems that I have encountered relate to routing problems, not SKIP
> problems.
>
> Good luck.
>
> Jim
>
> ----- Original Message -----
> From: Jean M. Vandette
> To:
> Sent: Thursday, March 25, 1999 9:16 PM
> Subject: Skip configuration
>
>
> > Greetings....
> >
> > I was given your name by Mike Smith (a good friend of mine) at FreeBSD or
> > CDROM.com whichever name you prefer as the person to talk to about setting
> > up skipd for a VPN.  I got skip running from one end to the other for
> > pinging.  However the hidden private networks do not seem to see each
> > other.
> >
> > mtl# skiphost
> > fxp0: access control enabled, only authorized SKIP hosts can connect
> > default: cleartext
> > 10.10.11.*: SKIP params:
> >     IP mode: tunneling
> >     Tunnel address: tor
> >     Kij alg: DES-EDE-K3
> >     Crypt alg: DES-CBC
> >     MAC alg: MD5
> >     Receiver NSID: MD5 (DH Pub.Value)
> >     Receiver key id: 0xc79fa41f17a16bec2e9fabedd23f6a55
> >     Sender NSID: MD5 (DH Pub.Value)
> >     Sender key id: 0x6b9da71fe7cc8ca40c01c8e4b7be05af
> > mtl# ping 10.10.11.1
> > PING 10.10.11.1 (10.10.11.1): 56 data bytes
> > Mar 25 19:02:37 mtl skipd: Calculating Shared secret for
> > c79fa41f17a16bec2e9fabedd23f6a55
> > Mar 25 19:02:37 mtl skipd: Done
> > ^C
> > --- 10.10.11.1 ping statistics ---
> > 8 packets transmitted, 0 packets received, 100% packet loss
> >
> > The machine in tor is set the same only in reverse of course.  Gateway
> > forwarding is set on and as you can see when I ping the other machine,
> > the packets seem to be lost.
> >
> > Can you give me some pointers as to what could be wrong.
> >
> > Regards
> >
> > Jean M.
Vandette
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 25 21: 3:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from assaris.sics.se (assaris.sics.se [193.10.66.108]) by hub.freebsd.org (Postfix) with ESMTP id 1FD98154FD for ; Thu, 25 Mar 1999 21:03:36 -0800 (PST) (envelope-from assar@sics.se)
Received: (from assar@localhost) by assaris.sics.se (8.9.1/8.7.3) id GAA01887; Fri, 26 Mar 1999 06:05:35 +0100 (CET)
To: Robert Watson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
References:
Mime-Version: 1.0 (generated by tm-edit 7.68)
Content-Type: text/plain; charset=US-ASCII
From: Assar Westerlund
Date: 26 Mar 1999 06:05:33 +0100
In-Reply-To: Robert Watson's message of "Thu, 25 Mar 1999 10:51:26 -0500 (EST)"
Message-ID: <5l3e2shmci.fsf@assaris.sics.se>
Lines: 7
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Robert Watson writes:
> One nice side to using SSH w/kerberos instead of just kerberized utilities
> is that tunneling of X programs occurs automatically with ssh/slogin.

rxtelnet?
/assar

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 25 21: 5:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.inreach.com (mail.inreach.com [209.142.0.3]) by hub.freebsd.org (Postfix) with ESMTP id 99F06153A9 for ; Thu, 25 Mar 1999 21:05:32 -0800 (PST) (envelope-from condor@inreach.com)
Received: from pavilion (209-142-8-63.stk.inreach.net [209.142.8.63]) by mail.inreach.com (8.8.8/8.8.6/(InReach)) with SMTP id UAA07439 for ; Thu, 25 Mar 1999 20:51:56 -0800 (PST)
Received: by localhost with Microsoft MAPI; Thu, 25 Mar 1999 21:02:51 -0800
Message-ID: <01BE7702.D872E180.condor@inreach.com>
From: CONDOR
Reply-To: "condor@inreach.com"
To: "freebsd-security@FreeBSD.ORG"
Subject: 2 net card problem
Date: Thu, 25 Mar 1999 20:35:10 -0800
Organization: Condor Worldwide Data Systems
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hey there group.  I am having a problem getting an inside local net to
get anything past my Unix box to the outside interface.  -Anything
other than mail.  Also having what I think is a multicast problem when
I bring up the firewall.  Do I need to recompile the kernel?  (mrouted
tells me it is not set up for multicast) yet, I get no errors on this
account w/o the firewall up.  A good source would be fine, I can read!
I just am not seeing all the details in the man pages.. or not
assembling them in my head right.  I need to get mail i/o, cuseeme i/o,
realaudio/video i/o, (yes I hacked /etc/services and others).  But I am
just missing something.  Works great for email though!
;-) Gracias To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 25 21:14:38 1999 Delivered-To: freebsd-security@freebsd.org Received: from isr3277.urh.uiuc.edu (isr3277.urh.uiuc.edu [130.126.65.13]) by hub.freebsd.org (Postfix) with SMTP id 9C6AA153A9 for ; Thu, 25 Mar 1999 21:14:37 -0800 (PST) (envelope-from ftobin@bigfoot.com) Received: (qmail 76918 invoked by uid 1000); 26 Mar 1999 05:14:16 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 26 Mar 1999 05:14:16 -0000 Date: Thu, 25 Mar 1999 23:14:16 -0600 (CST) From: Frank Tobin X-Sender: ftobin@isr3277.urh.uiuc.edu Cc: FreeBSD-security Mailing List Subject: Re: sudo (was Re: Kerberos vs SSH) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org James Wyatt, on Thu, 25 Mar 1999, wrote: > The thing I don't like about it is that it makes programs like linsniffer > more effective. It looks at TCP startups of telnet, FTP, pop, etc... and > very nicely captures their password. Capturing root passwords from users > 'su'-ing requires a *lot* more advanced sniffer or cracker intervention. > This easily captured password is sufficient for root access if the user is > allowed to do anything that might gain them shell. - Jy@ A decent way to get to prevent such attacks is to allow the use only S/Key one-time passwords when a person sudo's (or even logs in via any unencrypted means). I'm not sure how this would be accomplished, but I'd be surprised if it couldn't be done. -- Frank Tobin "To learn what is good and what is to be http://www.bigfoot.com/~ftobin valued, those truths which cannot be shaken or changed." 
                                  Myst: The Book of Atrus
FreeBSD: The Power To Serve
PGPenvelope = Pine + PGP 5.0(i)
PGP: 1502 6E84 8C08 E828 7945  3F4A 02F8 503A F40E B65E
http://www.bigfoot.com/~ftobin/resources

From owner-freebsd-security Thu Mar 25 21:39:17 1999
From: "Craig H. Rowland"
To: linux-security@redhat.com, bugtraq@netspace.org, freebsd-security@freebsd.org
Subject: ANNOUNCE: New Security Tool: HostSentry 0.02 Alpha
Date: Thu, 25 Mar 1999 23:38:39 -0600 (EST)

Hello,

After a long delay I'm happy to announce the alpha release of a new security tool called HostSentry. HostSentry is part of the Abacus Project suite of security tools and is designed to function as a Login Anomaly Detector. The tool is in early alpha phase and while some parts may be buggy or incomplete, it is stable enough that it shouldn't cause any harm to a host.

A few points about the tool:

1) Please read all the docs.
2) Some signature modules are not fully implemented.
3) Automated response actions are not implemented yet.
4) It has only been tested under RedHat 5.2 and OpenBSD. Early alpha testers have also run it under Slackware and it should work on most Unix systems (I hope).
5) There are some limitations for *BSD variants. Read the docs (and README.wtmp) for details.
6) The tool is written in 100% Python and you'll want to have the latest version (http://www.python.org).
7) It's free, but please read the license.

You can get the tool from: http://www.psionic.com/abacus/hostsentry

You can read about the other tools here: http://www.psionic.com/abacus

You can subscribe to the mailing list by sending a subscribe message to:

abacus-request@psionic.com
abacus-announce-request@psionic.com

What the tool actually does:

HostSentry monitors system login accounting records in real-time (wtmp/utmp). These records are used to build a dynamic database of active users and run a series of signature modules during the login and logout phases. The signature modules are pluggable and easily activated or deactivated by the admin. An example wrapper is included to allow administrators to add new signatures.

The current list of signatures includes:

moduleLoginLogout - Generic audit trail of all user login and logouts.
moduleFirstLogin - Alerts administrators if this user is logging in for the first time.
moduleForeignDomain - A login was detected from a domain not listed in the allowed domains file.
moduleRhostCheck - A user's .rhosts file contains a wildcard or other dangerous modification.
moduleHistoryTruncated - A user's .history file is missing, truncated to zero bytes, or symlinked (i.e. /dev/null).
moduleOddDirnames - A user's directory contains suspicious directory names on logout (" ..", "...", etc.)
moduleMultipleLogins - A single username has multiple concurrent logins from different domains.
moduleOddLoginTime - A user is logging in at an odd hour for their usage pattern (not implemented yet).
moduleInvalidUtmp - A corresponding utmp/wtmp entry for this login cannot be found (entry possibly removed) (not implemented yet).
moduleHistorySuspicious - The user's history file contains suspicious commands (not implemented yet).
moduleNetworkDaemon - The user logged out but left a listening network socket operating (private web server, IRC bot, etc.) (not implemented yet).
moduleFileExists - A file was found in the user's directory that is listed in the banned/monitored list of the site (not implemented yet).

Other modules to be determined as I find time to implement them. The modules that are not implemented yet will be done shortly once I start getting more people testing and can work out the major bugs.

I don't want to make this too long, so if you have any more questions please look at the webpage and read the docs. Any comments on the tool are welcome.

Thank you,

-- Craig
http://www.psionic.com

From owner-freebsd-security Thu Mar 25 21:42:46 1999
From: jwhite@cryogen.com
To: ftobin@bigfoot.com
Cc: freebsd-security@freebsd.org
Subject: Re: sudo (was Re: Kerberos vs SSH)
Date: Fri, 26 Mar 1999 00:42:26 -0500 (EST)
Message-Id: <199903252334.SAA04819@mcclane2.erols.com>

I'm sorry, but this is getting absurd. If it's important enough to go with one-time passwords (the only "perfect" solution), then you should be on an encrypted channel and worrying about how secure that channel is.
If you pursue this line of reasoning, you will discover that using one-time passwords, while ideal, is not always feasible, and further, it is significantly harder than always using encrypted channels.

Oh, and if you are actually relying on your attacker using a sniffer that is not "advanced", you are, to put it bluntly, screwed.

On 25 Mar, Frank Tobin wrote:
> James Wyatt, on Thu, 25 Mar 1999, wrote:
>
>> The thing I don't like about it is that it makes programs like linsniffer
>> more effective. It looks at TCP startups of telnet, FTP, pop, etc... and
>> very nicely captures their password. Capturing root passwords from users
>> 'su'-ing requires a *lot* more advanced sniffer or cracker intervention.
>> This easily captured password is sufficient for root access if the user is
>> allowed to do anything that might gain them shell. - Jy@
>
> A decent way to prevent such attacks is to allow the use of only S/Key
> one-time passwords when a person sudo's (or even logs in via any
> unencrypted means). I'm not sure how this would be accomplished, but I'd
> be surprised if it couldn't be done.
From owner-freebsd-security Thu Mar 25 22:32:59 1999
From: "David Nugent"
To: "Matthew Dillon"
Subject: Re: Kerberos vs SSH
Date: Fri, 26 Mar 1999 17:31:35 +1100
Message-ID: <032601be7752$4c7aea60$623511cb@usn.blaze.net.au>
References: <199903250426.UAA68023@apollo.backplane.com> <199903251833.KAA00915@apollo.backplane.com> <199903251850.KAA01406@apollo.backplane.com>

> It's pretty easy to write a script to manipulate the password file,
> especially if you are not entering any encrypted passwords (i.e. leaving
> that field '*'). If you are worried about messing it up, just have cron
> backup the password file once a day or something like that.

Ever tried recovering a system with a corrupted password database? It's a pain to recover, especially if pwd_mkdb is not statically linked.
David

From owner-freebsd-security Fri Mar 26 2:28:10 1999
From: Linus Nordberg
To: Mike Thompson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Date: 26 Mar 1999 11:27:26 +0100
In-Reply-To: Mike Thompson's message of "Thu, 25 Mar 1999 10:39:56 -0800"
References: <4.1.19990325103002.00abc6e0@mail.dnai.com>

Mike Thompson writes:

  As a new software/internet company we want to be responsible for
  paying for the licensed software from both a moral and legal
  perspective.

speaking of morality/legality and ssh i'd like to point out that the legal aspects of the bignum code in ssh2 are in strong doubt.

according to , they have simply stolen the gmp code and now claim that they wrote it.
--linus

From owner-freebsd-security Fri Mar 26 2:58:10 1999
From: Narvi
To: Andrew Hobson
Cc: Matthew Dillon, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Date: Fri, 26 Mar 1999 12:57:40 +0200 (EET)

On 25 Mar 1999, Andrew Hobson wrote:

> On Thu, 25 Mar 1999 10:33:39 -0800 (PST), Matthew Dillon said:
>
> > Provisioning for administrative accounts is easy. We do it by hand.
> > Most employees only have access to one administrative machine. Employees
> > are given access to other peripheral machines depending on their job.
> > Except for the one employee machine, these accounts do not have home
> > directories and the password field is '*' (i.e. kerberos/ssh-only
> > access). Access is controlled through kerberos.
>
> At work we have about a hundred machines and we access them via
> kerberos. Admins have accounts on all boxes. If we need to add or
> remove a user, it's a bit of a pain to manually update the password
> file on every machine.
>
> We're a bit concerned about doing it automatically, because if
> something goes wrong, /etc/passwd might be corrupted or nonexistent.
> I'm not a big fan of NIS.
>
> I'm sure we can come up with an automated solution that will be
> reasonably safe, but I was wondering how other people solved this
> problem.
You might have a look at Hesiod. I have considered it once or twice, but have never had the time to implement it. There is a port in the ports collection.

>
> Drew
>

Sander

From owner-freebsd-security Fri Mar 26 3: 3:56 1999
From: Narvi
To: Matthew Dillon
Cc: James Wyatt, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Date: Fri, 26 Mar 1999 13:03:27 +0200 (EET)
In-Reply-To: <199903251836.KAA00989@apollo.backplane.com>

On Thu, 25 Mar 1999, Matthew Dillon wrote:

> :On Thu, 25 Mar 1999, Matthew Dillon wrote:
> : [ ... ]
> :> are still vulnerable. You can get into the account just fine without
> :> exposing a password, but once in the account if you need to type a
> :> password of any sort in to do something else, *that* password is
> :> vulnerable to interception.
> :
> :especially sudo and su... - Jy@
>
> We used sudo for a little while 3 years ago, but I decided that it was
> too big a security risk and wiped it. sudo is one of the stupidest
> programs I've ever seen.
>
> -Matt
> Matthew Dillon

The other problem of using sudo is that some of the protection it seems to offer is just that, seeming.
Just too many things allow the user to exec a shell or other uncontrollable things. And if you are virtually giving the person having sudo capabilities full root, why not just give them root? Or not give them root, managing the resources differently (even if with setuid and/or setgid programs) and avoid sudo?

Sander

From owner-freebsd-security Fri Mar 26 5:29:29 1999
From: Paul Stroud
To: freebsd-security@FreeBSD.ORG
Date: Fri, 26 Mar 1999 08:29:07 -0500 (EST)

unsubscribe

From owner-freebsd-security Fri Mar 26 5:41:32 1999
From: Paul Stroud
To: freebsd-security@FreeBSD.ORG
Date: Fri, 26 Mar 1999 08:41:11 -0500 (EST)

unsubscribe freebsd-security

From owner-freebsd-security Fri Mar 26 5:43: 4 1999
From: Jay Tribick
To: Paul Stroud
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail
Date: Fri, 26 Mar 1999 13:42:27 +0000
Message-ID: <19990326134227.X18424@bofh.fastnet.co.uk>
In-Reply-To: "Paul Stroud" on 26.03.1999 @ 13:41:11 GMT

> unsubscribe freebsd-security
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

What is wrong with you people!? It says quite clearly at the bottom of /every/ mailing list message:

"To unsubscribe send mail to majordomo@freebsd.org"

...!?!?
--
Regards,

Jay Tribick

[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Fri Mar 26 5:43:40 1999
From: Paul Stroud
To: Jay Tribick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail
Date: Fri, 26 Mar 1999 08:43:15 -0500 (EST)
In-Reply-To: <19990326134227.X18424@bofh.fastnet.co.uk>

Oh Bite me!

On Fri, 26 Mar 1999, Jay Tribick wrote:

> > unsubscribe freebsd-security
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> What is wrong with you people!? It says quite clearly
> at the bottom of /every/ mailing list message:
>
> "To unsubscribe send mail to majordomo@freebsd.org"
>
> ...!?!?
>
> --
> Regards,
>
> Jay Tribick
>
> [| Network Admin | FastNet International | http://fast.net.uk/ |]
> [| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
> [| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Fri Mar 26 7: 8:13 1999
From: Jared Mauch
To: Paul Stroud
Cc: Jay Tribick, freebsd-security@FreeBSD.ORG, owner-majordomo@FreeBSD.ORG
Subject: Re: your mail
Date: Fri, 26 Mar 1999 10:08:56 -0500
Message-ID: <19990326100856.A13231@puck.nether.net>
References: <19990326134227.X18424@bofh.fastnet.co.uk>

On Fri, Mar 26, 1999 at 08:43:15AM -0500, Paul Stroud wrote:
> Oh Bite me!

No thanks. You may enjoy it too much.

> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
> > What is wrong with you people!? It says quite clearly
> > at the bottom of /every/ mailing list message:
> >
> > "To unsubscribe send mail to majordomo@freebsd.org"

You're requiring literacy and clue to be on the list. Remember who the general public are. majordomo should not be passing along these administrative requests.
- Jared

> > ...!?!?
> >
> > --
> > Regards,
> >
> > Jay Tribick
> >
> > [| Network Admin | FastNet International | http://fast.net.uk/ |]
> > [| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
> > [| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From owner-freebsd-security Fri Mar 26 7:22:35 1999
From: Michael Richards <026809r@dragon.acadiau.ca>
To: Jared Mauch
Cc: Paul Stroud, Jay Tribick, freebsd-security@FreeBSD.ORG, owner-majordomo@FreeBSD.ORG
Subject: Re: your mail
Date: Fri, 26 Mar 1999 11:21:21 -0400 (AST)
In-Reply-To: <19990326100856.A13231@puck.nether.net>

On Fri, 26 Mar 1999, Jared Mauch wrote:

> > Oh Bite me!
> No thanks. You may enjoy it too much.

Have 100 lusers joined the list in the last week, or is it just Miss Johnson's grade 3 class? Honestly people!
Over the past few weeks, the intelligence of the posts to this list has been steadily declining.

-Michael

From owner-freebsd-security Fri Mar 26 8:18:59 1999
From: Andrew McNaughton
To: marker@uswest.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: xinetd vs. tcp_wrappers
Date: Sat, 27 Mar 1999 04:18:24 +1200
Message-Id: <199903261618.EAA16015@aniwa.sky>
In-reply-to: Your message of "Thu, 25 Mar 1999 14:40:13 CST." <19990325204041.951BF15371@hub.freebsd.org>

marker@trolldom.oss.uswest.net said:

> My understanding is that xinetd is meant to be a complete replacement
> for the inetd/tcp_wrappers bundle. As such, it is expected to have
> the functionality of both. I have, however, been unable to get xinetd
> to
>
> 1) send me mail when someone touches my machines in a
> way i've not said is ok,

Supposing someone is sniffing your network, and you are reading your mail from another machine, does this mail give away any otherwise unknown information about the configuration of the machine?
Andrew McNaughton

--
-----------
Andrew McNaughton
andrew@squiz.co.nz
http://www.newsroom.co.nz/

From owner-freebsd-security Fri Mar 26 8:21:19 1999
From: Matthew Dillon
To: Linus Nordberg
Cc: Mike Thompson, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Date: Fri, 26 Mar 1999 08:20:33 -0800 (PST)
Message-Id: <199903261620.IAA05283@apollo.backplane.com>
References: <4.1.19990325103002.00abc6e0@mail.dnai.com>

:Mike Thompson writes:
:
:  As a new software/internet company we want to be responsible for
:  paying for the licensed software from both a moral and legal
:  perspective.
:
:speaking of morality/legality and ssh i'd like to point out that the
:legal aspects of the bignum code in ssh2 are in strong doubt.
:
:according to , they
:have simply stolen the gmp code and now claim that they wrote it.
:
:--linus

That's a pretty old message. If you look at the followups to it you will find the counterargument from the ssh 2 people, and a third example from even older bignum source code that is very similar to the ssh 2 and gmp code. There are only so many ways a bignum library can be written.

Still, I think the GMP author was right in regards to the SSH 2 people using his code verbatim. On the other hand, bignum is something that a good programmer could write from scratch in a week.
The last two postings in the thread note that the bignum code can be derived from Knuth's Seminumerical Alg. book fairly easily... in a few hours. I'd agree with that comment too.

-Matt
Matthew Dillon

From owner-freebsd-security Fri Mar 26 8:33:18 1999
From: "Steve Brown"
To: "Michael Richards" <026809r@dragon.acadiau.ca>, "Jared Mauch"
Cc: "Paul Stroud", "Jay Tribick"
Subject: Re: your mail
Date: Fri, 26 Mar 1999 08:23:06 -0800
Message-ID: <00d501be77a4$efdf8e20$52e56ed1@sb.napanet.net>

Hey, seems to me it's been pretty steadily going down overall since about 1991

...Steve

-----Original Message-----
From: Michael Richards <026809r@dragon.acadiau.ca>
To: Jared Mauch
Cc: Paul Stroud ; Jay Tribick ; freebsd-security@FreeBSD.ORG ; owner-majordomo@FreeBSD.ORG
Date: Friday, March 26, 1999 7:22 AM
Subject: Re: your mail

>On Fri, 26 Mar 1999, Jared Mauch wrote:
>
>> > Oh Bite me!
>> No thanks. You may enjoy it too much.
>
>Have 100 lusers joined the list in the last week, or is it just Miss
>Johnson's grade 3 class?
>Honestly people!
>Over the past few weeks, the intelligence of the posts to
>this list has been steadily declining.
>
>-Michael

From owner-freebsd-security Fri Mar 26 8:36: 0 1999
From: Thomas Valentino Crimi
To: Matthew Dillon, Narvi
Cc: James Wyatt, freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Date: Fri, 26 Mar 1999 11:34:47 -0500 (EST)

Excerpts from FreeBSD-Security: 26-Mar-99 Re: Kerberos vs SSH by Narvi@haldjas.folklore.e

> And if you are virtually giving the person having sudo capabilities full
> root, why not just give them root? Or not give them root, managing the
> resources differently (even if with setuid and/or setgid programs) and
> avoid sudo?

There most definitely is a place for sudo, but it is more of a convenience program than a security tool.
Basic rule applies that if you don't trust the person with root, don't give them sudo access. If I were to, say, add enough protections to a program so that it can safely run as root by any user, I may as well make it suid. All sudo really does is make a suid executable available to a closed list of people; yes, I could do it with separate files, but sudo is convenient (and doing it the other way doesn't buy me any more security from what I can tell; suid vi is just as dangerous as sudo vi).

But if I have a local user at a workstation who would like the ability to, say, kill runaway programs, mount a disk, or reboot the machine so as to flip OSes, sudo is very convenient. By letting the user in front of the machine I already must implicitly trust them not to be malicious; with minimal skill, or even with a screwdriver or hammer, they have control of the machine. sudo can help you avoid the honest mistakes.

Everyone has different situations, and I could hardly advise an ISP to make extensive use of sudo; arguments about how to maintain a large number of people with the root password turn into 'you shouldn't have that many people with root'. If you do want to have 5+ people with root, I think sudo is a good answer; you can even use the access control list to give people _advice_ on what they should and shouldn't run (vipw, ok; rm, ok; but it's not your job to reboot - just an example). No use thinking the list will curtail a runaway disgruntled sysadmin, but then again, what does? :)

As stated many times, we all have different security situations, and in my loose group of machines sudo makes sense; barring any buffer overruns or other exploits of sudo, it works perfectly well at letting friends who also use the machines do what they need.
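The access-control list Crimi describes (a fixed command list for a named group, with the editor case handled separately because an editor run as root is effectively a root shell, which is also Sander's "too many things allow the user to exec a shell" objection) as an added sudoers fragment; it is not from Crimi or any other poster on this list. The group name "ops", the host name "workstation1" and the file paths are constructed; NOEXEC, sudoedit and the logfile default belong to sudo releases later than the one being discussed in 1999, so confirm them against your own sudoers(5) before relying on them.

```sudoers
# Added example sudoers fragment (not from the thread). "ops",
# "workstation1" and the paths below are constructed names.

# Weak form: an editor run as root is a root shell, because every
# common editor can start a subprocess. Listing vi here grants full
# root, which is the "suid vi is as dangerous as sudo vi" point.
#   %ops workstation1 = /usr/bin/vi

# Better form: sudoedit copies the file to a temporary location, runs
# the editor as the invoking user, and writes the result back, so the
# editor itself never runs with root privileges.
%ops workstation1 = sudoedit /etc/hosts, sudoedit /etc/resolv.conf

# The "advice" list: kill a runaway process, mount a disk, reboot.
# These are the tasks a trusted local user actually needs.
Cmnd_Alias WORKSTATION = /sbin/shutdown -r now, /sbin/mount, /sbin/umount, /bin/kill
%ops workstation1 = WORKSTATION

# NOEXEC stops the command from executing other programs, which closes
# the shell-escape route in pagers and editors. Do not put it on commands
# that legitimately exec helpers (mount, shutdown, or vipw, which spawns
# $EDITOR as root and is therefore full root however it is listed).
%ops workstation1 = NOEXEC: /usr/bin/less /var/log/*

# Log every invocation so honest mistakes can be traced afterwards.
# The list records intent, not a hard boundary: as the post says,
# someone with physical access already has the machine.
Defaults logfile=/var/log/sudo.log
```

Check the file with `visudo -c` before installing it; a syntax error in sudoers locks everyone out of sudo at once, which is the same failure mode David Nugent describes for a corrupted password database.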
From owner-freebsd-security Fri Mar 26 8:37:47 1999
From: Ed Symanzik
Organization: Michigan State University
To: freebsd-security@FreeBSD.ORG
Subject: Re: your mail
Date: Fri, 26 Mar 1999 11:37:26 -0500
Message-ID: <36FBB7C6.D185D18B@msu.edu>

Michael Richards wrote:
>
> On Fri, 26 Mar 1999, Jared Mauch wrote:
>
> > > Oh Bite me!
> > No thanks. You may enjoy it too much.
>
> Have 100 lusers joined the list in the last week, or is it just Miss
> Johnson's grade 3 class?
> Honestly people! Over the past few weeks, the intelligence of the posts to
> this list has been steadily declining.
>
> -Michael

me too. What was the question?
From owner-freebsd-security Fri Mar 26 9: 6:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from biggusdiskus.flyingfox.com (parker-T1-2-gw.sf3d.best.net [209.157.165.30]) by hub.freebsd.org (Postfix) with ESMTP id C413E15654 for ; Fri, 26 Mar 1999 09:06:26 -0800 (PST) (envelope-from jas@flyingfox.com)
Received: (from jas@localhost) by biggusdiskus.flyingfox.com (8.8.8/8.8.5) id KAA23685; Fri, 26 Mar 1999 10:17:38 -0800 (PST)
Date: Fri, 26 Mar 1999 10:17:38 -0800 (PST)
From: Jim Shankland
Message-Id: <199903261817.KAA23685@biggusdiskus.flyingfox.com>
To: netadmin@fastnet.co.uk, possum@sl001.infi.net
Subject: Re: your mail
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <19990326134227.X18424@bofh.fastnet.co.uk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Actually, the trick is that when sending an "unsubscribe" message to the entire list, it is essential to send it as a multi-part MIME message with a copy in HTML. Otherwise, the message is so small that some of the hundreds or thousands of readers of the list mistakenly think it is insignificant.

Jim Shankland
NLynx Systems, Inc.
From owner-freebsd-security Fri Mar 26 9:25:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zira.worldgate.ca (de7.zira.worldgate.ca [207.167.0.18]) by hub.freebsd.org (Postfix) with ESMTP id 5FD9114E27 for ; Fri, 26 Mar 1999 09:25:24 -0800 (PST) (envelope-from root@zira.worldgate.ca)
Received: (from root@localhost) by zira.worldgate.ca (8.8.8/8.8.8) id KAA07519 for security@freebsd.org; Fri, 26 Mar 1999 10:25:46 -0700 (MST) (envelope-from root)
Date: Fri, 26 Mar 1999 10:25:46 -0700 (MST)
From: Other Routing Dudette
Message-Id: <199903261725.KAA07519@zira.worldgate.ca>
To: security@freebsd.org
Subject: tcpd: [D] root@205.178.42.115 -> ftpd@de4.zira.worldgate.ca
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

denied: ftpd@de4.zira.worldgate.ca from root@205.178.42.115

From owner-freebsd-security Fri Mar 26 9:25:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zira.worldgate.ca (de7.zira.worldgate.ca [207.167.0.18]) by hub.freebsd.org (Postfix) with ESMTP id 5ACB115140 for ; Fri, 26 Mar 1999 09:25:44 -0800 (PST) (envelope-from root@zira.worldgate.ca)
Received: (from root@localhost) by zira.worldgate.ca (8.8.8/8.8.8) id KAA07528 for security@freebsd.org; Fri, 26 Mar 1999 10:26:06 -0700 (MST) (envelope-from root)
Date: Fri, 26 Mar 1999 10:26:06 -0700 (MST)
From: Other Routing Dudette
Message-Id: <199903261726.KAA07528@zira.worldgate.ca>
To: security@freebsd.org
Subject: tcpd: [D] root@205.178.42.115 -> ftpd@de4.zira.worldgate.ca
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

denied: ftpd@de4.zira.worldgate.ca from root@205.178.42.115
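The two misdirected notifications above show the shape of the mail that tcp_wrappers' spawn/mail hook generates, one message per denied connection. That is also the weakness the thread comes back to later (one such mail per probe fills a quota-limited mailbox or a pager). The following is an added example, not code from the thread or from tcp_wrappers: it parses both line forms seen above (the body "denied: service@target from user@source" and the subject "tcpd: [D] user@source -> service@target"), then throttles the alert stream to one alert per probing host and service per window, with a count of what was suppressed. The Throttle class, its window semantics and the telnetd line in the sample are my own constructions.

```python
"""Parse tcp_wrappers denial notifications and throttle the resulting alerts."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Body form:    denied: ftpd@de4.zira.worldgate.ca from root@205.178.42.115
BODY_RE = re.compile(
    r"^(?P<verdict>denied|allowed):\s+(?P<service>[\w.-]+)@(?P<target>[\w.-]+)"
    r"\s+from\s+(?:(?P<user>[\w.-]+)@)?(?P<source>[\w.:-]+)$"
)
# Subject form: tcpd: [D] root@205.178.42.115 -> ftpd@de4.zira.worldgate.ca
SUBJECT_RE = re.compile(
    r"^tcpd:\s+\[(?P<flag>[AD])\]\s+(?:(?P<user>[\w.-]+)@)?(?P<source>[\w.:-]+)"
    r"\s+->\s+(?P<service>[\w.-]+)@(?P<target>[\w.-]+)$"
)


@dataclass(frozen=True)
class Event:
    source: str            # probing host as tcpd reported it
    user: Optional[str]    # identd answer, if any; attacker-controlled, never trust it
    service: str           # wrapped daemon, e.g. ftpd
    target: str            # host that was probed
    denied: bool


def parse_event(line: str) -> Optional[Event]:
    """Return an Event for either notification format, None for anything else."""
    text = line.strip()
    m = BODY_RE.match(text)
    if m:
        return Event(m["source"], m["user"], m["service"], m["target"], m["verdict"] == "denied")
    m = SUBJECT_RE.match(text)
    if m:
        return Event(m["source"], m["user"], m["service"], m["target"], m["flag"] == "D")
    return None


@dataclass
class _Window:
    started: float
    count: int


class Throttle:
    """One alert per (source, service) per window; repeats become a count.

    Bounding the mail volume per probing host keeps a port scan from filling
    a quota-limited mailbox or pager, while the first contact from a host is
    still reported immediately.  (Constructed design, not tcpd's own.)
    """

    def __init__(self, window_seconds: float) -> None:
        self.window = window_seconds
        self.state: Dict[Tuple[str, str], _Window] = {}

    def _summary(self, key: Tuple[str, str], win: Optional[_Window]) -> Optional[str]:
        if win is None or win.count <= 1:
            return None
        return (f"SUMMARY {key[0]} -> {key[1]}: {win.count - 1} further events "
                f"suppressed within {self.window:g}s")

    def record(self, ev: Event, now: float) -> Optional[str]:
        key = (ev.source, ev.service)
        win = self.state.get(key)
        if win is not None and now - win.started < self.window:
            win.count += 1         # window still open: count it, send nothing
            return None
        summary = self._summary(key, win)          # close the previous window
        self.state[key] = _Window(started=now, count=1)
        verdict = "denied" if ev.denied else "allowed"
        alert = f"ALERT {ev.source} -> {ev.service}@{ev.target} ({verdict})"
        return alert if summary is None else summary + "\n" + alert

    def flush(self, now: float) -> List[str]:
        """Summaries for every window that has expired by `now`."""
        out = []
        for key, win in list(self.state.items()):
            if now - win.started >= self.window:
                s = self._summary(key, win)
                if s:
                    out.append(s)
                del self.state[key]
        return out


def process(timed_lines: Iterable[Tuple[float, str]], window_seconds: float = 600.0) -> List[str]:
    """Feed (timestamp, line) pairs through the throttle; return the alerts to mail."""
    t = Throttle(window_seconds)
    alerts: List[str] = []
    last = 0.0
    for ts, line in timed_lines:
        ev = parse_event(line)
        if ev is None:
            continue
        last = ts
        msg = t.record(ev, ts)
        if msg:
            alerts.append(msg)
    alerts.extend(t.flush(last + window_seconds))
    return alerts


# Constructed sample: the two lines posted above, then a burst of repeats.
SAMPLE = [
    (0.0, "denied: ftpd@de4.zira.worldgate.ca from root@205.178.42.115"),
    (5.0, "tcpd: [D] root@205.178.42.115 -> ftpd@de4.zira.worldgate.ca"),
    (9.0, "denied: ftpd@de4.zira.worldgate.ca from root@205.178.42.115"),
    (12.0, "denied: telnetd@de4.zira.worldgate.ca from 205.178.42.115"),
    (700.0, "denied: ftpd@de4.zira.worldgate.ca from root@205.178.42.115"),
]

if __name__ == "__main__":
    print("\n".join(process(SAMPLE)))
```

On the sample, the first ftpd probe and the telnetd probe each produce an immediate alert, the two repeats inside the ten-minute window are silently counted, and the probe at 700 s closes the old window with a summary of the two suppressed events before alerting again. The user field is kept only for the record: it is whatever the remote identd chose to answer, so it must never drive a decision.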
From owner-freebsd-security Fri Mar 26 9:30:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from trolldom.oss.uswest.net (trolldom.oss.uswest.net [204.147.86.29]) by hub.freebsd.org (Postfix) with SMTP id D56941558B for ; Fri, 26 Mar 1999 09:30:12 -0800 (PST) (envelope-from marker@trolldom.oss.uswest.net)
Received: (qmail 17819 invoked from network); 26 Mar 1999 17:29:52 -0000
Received: from localhost.uswest.net (HELO trolldom.oss.uswest.net) (127.0.0.1) by localhost.uswest.net with SMTP; 26 Mar 1999 17:29:52 -0000
To: freebsd-security@FreeBSD.ORG
Reply-To: marker@uswest.net
Subject: Re: xinetd vs. tcp_wrappers
In-reply-to: Your message of "Sat, 27 Mar 1999 04:18:24 +1200." <199903261618.EAA16015@aniwa.sky>
Date: Fri, 26 Mar 1999 11:29:52 -0600
From: Jeff Marker
Message-Id: <19990326173014.D56941558B@hub.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 27 Mar 1999 04:18:24 +1200 andrew@squiz.co.nz wrote:
>
>marker@trolldom.oss.uswest.net said:
>> My understanding is that xinetd is meant to be a complete replacement
>> for the inetd/tcp_wrappers bundle. As such, it is expected to have
>> the functionality of both. I have, however, been unable to get xinetd
>> to
>>
>> 1) send me mail when someone touches my machines in a
>> way i've not said is ok,
>
>Supposing someone is sniffing your network, and you are reading your
>mail from another machine, does this mail give away any otherwise
>unknown information about the configuration of the machine?

It does give away some unknowns, because the person sniffing then knows that the machine in question has some sort of defense. The mail that i get looks something like this (stripping out most of the headers):

From: somename@example.com
To: admin@example.com
Subject: service-probing-host.example.org [probing-host@example.org]

(finger info from said host)

The headers will contain the address of the machine which generated the mail in a "Received" line.
Otherwise, the information that is sent is the info for the host which is doing the probing. Theoretically, the person doing the sniffing could be doing the probing as well, which would give her/him an idea of which services i have wrapped.

I feel that this information i may be leaking via the mail is a fair trade-off for the early notification i receive of a potential attack (the mail i get also goes to my pager). Others may (will) feel differently.

Jeff

P.S. I'd like to apologize to Sheldon and the list for giving general responses on a FreeBSD-centric list. Sheldon: the incorporation of tcp_wrappers into the base system is going to save me a whole boatload of time in the future.

#include /* i speak only for myself, not my employer */
-- 
Jeff Marker                    US West Internet Services
Operations Security Guy        600 Stinson Blvd.
marker@uswest.net              Minneapolis, MN 55413-2620
"Nowhere is the meaning of life so evident as in the floating disk."

From owner-freebsd-security Fri Mar 26 11: 5:44 1999
Delivered-To: freebsd-security@freebsd.org
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (Postfix) with ESMTP id 6A0F514C1B for ; Fri, 26 Mar 1999 11:05:41 -0800 (PST) (envelope-from narvi@haldjas.folklore.ee)
Received: from haldjas.folklore.ee (haldjas.folklore.ee [172.17.2.1] (may be forged)) by haldjas.folklore.ee (8.8.8/8.8.4) with SMTP id VAA20889; Fri, 26 Mar 1999 21:05:07 +0200 (EET)
Date: Fri, 26 Mar 1999 21:05:07 +0200 (EET)
From: Narvi
To: Matthew Dillon
Cc: Linus Nordberg , Mike Thompson , freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <199903261620.IAA05283@apollo.backplane.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 26 Mar 1999, Matthew Dillon wrote:

> 
> That's a pretty old
> message. If you look at the followups to it
> you will find the counterargument from the ssh 2 people, and a
> third example from even older bignum source code that is very similar
> to the ssh 2 and gmp code.
> 
> There are only so many ways a bignum library can be written. Still,
> I think the GMP author was right in regards to the SSH 2 people using
> his code verbatim. On the other hand, bignum is something that a
> good programmer could write from scratch in a week. The last two
> postings in the thread note that the bignum code can be derived from
> Knuth's Seminumerical Alg. book fairly easily... in a few hours. I'd
> agree with that comment too.
> 
> -Matt
> Matthew Dillon
> 
> 

Anybody who has taken a computer algebra course as part of their curriculum should be able to implement the easy part of an arbitrary length library (arbitrary length integers & operations over finite fields) with relative ease. There should be *many* such people.

Sander

There is no love, no good, no happiness and no future - all these are just illusions.
From owner-freebsd-security Fri Mar 26 14:46:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bofh.kuru.cx (bofh.kuru.cx [194.89.15.166]) by hub.freebsd.org (Postfix) with SMTP id DE3D8150EB for ; Fri, 26 Mar 1999 14:46:14 -0800 (PST) (envelope-from vh@bofh.kuru.cx)
Received: (qmail 3732 invoked by uid 1001); 27 Mar 1999 00:40:11 -0000
Date: Sat, 27 Mar 1999 00:40:11 +0000 (GMT)
From: Viljo Hakala
X-Sender: vh@bofh.kuru.cx
To: Other Routing Dudette
Cc: security@freebsd.org
Subject: Re: tcpd: [D] root@205.178.42.115 -> ftpd@de4.zira.worldgate.ca
In-Reply-To: <199903261726.KAA07528@zira.worldgate.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There's really no point for these; someone perhaps thinks that one can notify ppl here about unauthorized connections.. AFAIK it isn't so. security-owner, could you please take care of these (block the sender's domain perhaps)?
-- 
vh

On Fri, 26 Mar 1999, Other Routing Dudette wrote:

> denied: ftpd@de4.zira.worldgate.ca from root@205.178.42.115
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

From owner-freebsd-security Fri Mar 26 14:50:36 1999
Delivered-To: freebsd-security@freebsd.org
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179]) by hub.freebsd.org (Postfix) with ESMTP id 14C9714F65 for ; Fri, 26 Mar 1999 14:50:34 -0800 (PST) (envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69]) by quaggy.ursine.com (8.9.2/8.9.2) with ESMTP id OAA17649 for ; Fri, 26 Mar 1999 14:49:41 -0800 (PST) (envelope-from fbsd-security@ursine.com)
Message-ID: <199903261450210680.4231D295@quaggy.ursine.com>
In-Reply-To: <199903261817.KAA23685@biggusdiskus.flyingfox.com>
References: <199903261817.KAA23685@biggusdiskus.flyingfox.com>
X-Mailer: Calypso Evaluation Version 3.00.00.13 (2)
Date: Fri, 26 Mar 1999 14:50:21 -0800
From: "Michael Bryan"
To: freebsd-security@freebsd.org
Subject: Re: your mail
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 3/26/99 at 10:17 AM Jim Shankland wrote:

>Actually, the trick is that when sending an "unsubscribe" message
>to the entire list, it is essential to send it as a multi-part
>MIME message with a copy in HTML. Otherwise, the message is
>so small that some of the hundreds or thousands of readers of the
>list mistakenly think it is insignificant.

Oh, no, I don't think that's adequate either. One should also include a 1.3 MByte JPEG (minimal compression, of course) with the phrase "unsubscribe freebsd-security" spelled out in large multi-colored 3D letters. Sending multiple copies is a good idea, as well.
(A fact which the mailing list software seems to be randomly promoting on its own these days, just in case somebody forgets this...) ;-)

Michael Bryan
fbsd-security@ursine.com

From owner-freebsd-security Fri Mar 26 14:55: 7 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gras-varg.worldgate.com (gras-varg.worldgate.com [198.161.84.12]) by hub.freebsd.org (Postfix) with ESMTP id CE1B114C58 for ; Fri, 26 Mar 1999 14:55:05 -0800 (PST) (envelope-from skafte@gras-varg.worldgate.com)
Received: (from skafte@localhost) by gras-varg.worldgate.com (8.9.1a/8.9.1) id PAA27257 for security@freebsd.org; Fri, 26 Mar 1999 15:54:45 -0700 (MST)
Date: Fri, 26 Mar 1999 15:54:45 -0700
From: Greg Skafte
To: security@freebsd.org
Subject: Sorry i'm a monkey
Message-ID: <19990326155444.A27214@gras-varg.worldgate.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
Organization: WorldGate Inc.
X-PGP-Fingerprint: 42 9C 2C A8 4D 2B C9 C4 7D B6 00 B0 50 47 20 97
X-URL: http://gras-varg.worldgate.com/~skafte
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I had a machine that was misconfigured and sent an email message to security@freebsd.org instead of security@worldgate.com.

I'm standing in front of you all with my pants down and saying OOOOPPPPSSSS

-- 
Email: skafte@worldgate.com   Voice: +780 413 1910   Fax: +780 421 4929
#575 Sun Life Place * 10123 99 Street * Edmonton, AB * Canada * T5J 3H1
-- 
-- 
When things can't get any worse, they simplify themselves by getting a whole lot worse then complicated. A complete and utter disaster is the simplest thing in the world; it's preventing one that's complex.
(Janet Morris)

From owner-freebsd-security Fri Mar 26 14:59:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179]) by hub.freebsd.org (Postfix) with ESMTP id B73A714C58 for ; Fri, 26 Mar 1999 14:59:35 -0800 (PST) (envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69]) by quaggy.ursine.com (8.9.2/8.9.2) with ESMTP id OAA17715 for ; Fri, 26 Mar 1999 14:59:17 -0800 (PST) (envelope-from fbsd-security@ursine.com)
Message-ID: <199903261459220480.423A1371@quaggy.ursine.com>
In-Reply-To: <199903261618.EAA16015@aniwa.sky>
References: <199903261618.EAA16015@aniwa.sky>
X-Mailer: Calypso Evaluation Version 3.00.00.13 (2)
Date: Fri, 26 Mar 1999 14:59:22 -0800
From: "Michael Bryan"
To: freebsd-security@freebsd.org
Subject: Re: xinetd vs. tcp_wrappers
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 3/27/99 at 4:18 AM Andrew McNaughton wrote:

>marker@trolldom.oss.uswest.net said:
>> I have, however, been unable to get xinetd to
>>
>> 1) send me mail when someone touches my machines in a
>> way i've not said is ok,
>
>Supposing someone is sniffing your network, and you are
>reading your mail from another machine, does this mail
>give away any otherwise unknown information about the
>configuration of the machine?

Why would you be doing an admin task over the network in the clear in the first place? My personal opinion is that every admin task should either be done on the console, or via a secure/encrypted communication channel, if at all possible.
Michael Bryan
fbsd-security@ursine.com

From owner-freebsd-security Fri Mar 26 18:47: 8 1999
Delivered-To: freebsd-security@freebsd.org
Received: from trooper.velocet.ca (host-034.canadiantire.ca [209.146.201.34]) by hub.freebsd.org (Postfix) with ESMTP id 3253714D75 for ; Fri, 26 Mar 1999 18:47:05 -0800 (PST) (envelope-from dgilbert@trooper.velocet.ca)
Received: (from dgilbert@localhost) by trooper.velocet.ca (8.8.7/8.8.7) id VAA14713; Fri, 26 Mar 1999 21:46:40 -0500 (EST)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14076.18063.704725.905099@trooper.velocet.ca>
Date: Fri, 26 Mar 1999 21:46:39 -0500 (EST)
To: Frank Tobin
Cc: FreeBSD-security Mailing List
Subject: Re: sudo (was Re: Kerberos vs SSH)
In-Reply-To:
References:
X-Mailer: VM 6.62 under Emacs 19.34.2
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "Frank" == Frank Tobin writes:

Frank> A decent way to get to prevent such attacks is to allow the use
Frank> only S/Key one-time passwords when a person sudo's (or even
Frank> logs in via any unencrypted means). I'm not sure how this
Frank> would be accomplished, but I'd be surprised if it couldn't be
Frank> done.

I took a stab at forcing this right around the 3.0 release. I found that I couldn't quite force it. There were things in login.conf that sounded like they were meant to do this, but the actual /bin/login program has a lot of code commented out of it. I eventually gave up.

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       |  Two things can only be     |
|Mail:       dgilbert@velocet.net             |  equal if and only if they  |
|http://www.velocet.net/~dgilbert             |  are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Fri Mar 26 19:14:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id 29D1914D1F for ; Fri, 26 Mar 1999 19:14:12 -0800 (PST) (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost) by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id EAA27022 for freebsd-security@FreeBSD.ORG; Sat, 27 Mar 1999 04:13:52 +0100 (CET) (envelope-from roberto@keltia.freenix.fr)
Received: by keltia.freenix.fr (Postfix, from userid 101) id EB7528848; Sat, 27 Mar 1999 00:53:46 +0100 (CET)
Date: Sat, 27 Mar 1999 00:53:46 +0100
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: sudo (was Re: Kerberos vs SSH)
Message-ID: <19990327005346.A35876@keltia.freenix.fr>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <199903252320.SAA07455@eagle.aitken.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/0.95.3i
In-Reply-To: <199903252320.SAA07455@eagle.aitken.com>; from Jeff Aitken on Thu, Mar 25, 1999 at 06:20:50PM -0500
X-Operating-System: FreeBSD 4.0-CURRENT/ELF ctm#5173 AMD-K6 MMX @ 200 MHz
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to Jeff Aitken:
> program? For example, you can't use sudo to grant access to a text
> editor of any sort without implicitly giving full root access.

That's why my own replacement for su (Calife[1]), although similar in principle to sudo, has only one function: giving a root shell to someone authorised by a list. It can also allow people to become another user w/o going through root (i.e. they can become webmaster or guest but not root). That way, I don't have to share root passwords or create uid 0 accounts.
It also gives a bit more logging than plain su.

[1]

-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 4.0-CURRENT #70: Sat Feb 27 09:43:08 CET 1999

From owner-freebsd-security Fri Mar 26 20:26: 1 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (Postfix) with ESMTP id 3987014D20 for ; Fri, 26 Mar 1999 20:25:59 -0800 (PST) (envelope-from mike@seidata.com)
Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with ESMTP id XAA01686; Fri, 26 Mar 1999 23:25:36 -0500 (EST)
Date: Fri, 26 Mar 1999 23:25:36 -0500 (EST)
From:
To: Andrew McNaughton
Cc: marker@uswest.net, freebsd-security@FreeBSD.ORG
Subject: Re: xinetd vs. tcp_wrappers
In-Reply-To: <199903261618.EAA16015@aniwa.sky>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 27 Mar 1999, Andrew McNaughton wrote:

> Supposing someone is sniffing your network, and you are reading

Supposing there's a quota, or logical size limit on the mail fs, DoS comes to mind. That's the problem with fixing 'bugs': you have to be careful not to introduce 40 others that are 10 times worse.
Later,
-Mike

From owner-freebsd-security Fri Mar 26 20:31:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (Postfix) with ESMTP id E1A7D14CB4 for ; Fri, 26 Mar 1999 20:31:31 -0800 (PST) (envelope-from mike@seidata.com)
Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with ESMTP id XAA02740; Fri, 26 Mar 1999 23:30:27 -0500 (EST)
Date: Fri, 26 Mar 1999 23:30:27 -0500 (EST)
From:
To: Michael Bryan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: your mail
In-Reply-To: <199903261450210680.4231D295@quaggy.ursine.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 26 Mar 1999, Michael Bryan wrote:

> Oh, no, I don't think that's adequate either. One should also

That's not adequate either... you also need a list full of people to talk about the idiots doing this... that way you'll waste even more bandwidth and system resources and encourage all those who are actually interested in the list's topic/charter to go elsewhere.
Later,
-Mike

From owner-freebsd-security Sat Mar 27 0:44:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from myname.my.domain (unknown [200.236.148.193]) by hub.freebsd.org (Postfix) with SMTP id 442A214C21 for ; Sat, 27 Mar 1999 00:44:04 -0800 (PST) (envelope-from grios@netshell.com.br)
Received: (qmail 401 invoked from network); 27 Mar 1999 05:45:11 -0000
Received: from localhost (HELO netshell.com.br) (127.0.0.1) by localhost with SMTP; 27 Mar 1999 05:45:11 -0000
Message-ID: <36FC7066.1FE66497@netshell.com.br>
Date: Sat, 27 Mar 1999 05:45:10 +0000
From: Gustavo Rios
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.8-STABLE i386)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: suid/guid
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is there any suid/guid bit set file exploitable on systems 2.2.8-Stable?

Thank you for your time and cooperation!
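Whether a particular setuid binary on a 2.2.8 box is exploitable is a question for the advisories covering that binary (the replies below point at lsof and super in the ports collection), but the defender's half of the question is answerable on the host itself: know exactly which setuid/setgid files it carries, and notice when that set changes. The following is an added example, not code from the thread or from FreeBSD; it inventories setuid/setgid regular files under a root, records them as a baseline on the first run, and on later runs reports files that were added, removed, or changed mode or owner. The baseline file format and all function names are my own choices.

```python
"""Inventory setuid/setgid files and diff them against a saved baseline.

Added example (not from the thread or from FreeBSD); baseline format and
function names are my own.  Usage: python suid_audit.py ROOT BASELINE_FILE
"""
import os
import stat
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

Inventory = Dict[str, Tuple[int, int, int]]   # path -> (permission bits, uid, gid)
StatEntry = Tuple[str, int, int, int]          # (path, st_mode, uid, gid)


def is_privileged(mode: int) -> bool:
    """True for a regular file carrying the setuid or setgid bit.

    Only regular files matter: on directories the bits mean group
    inheritance, and a symlink is never executed with privilege itself.
    """
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def classify(entries: Iterable[StatEntry]) -> Inventory:
    """Keep only privileged files; store the 12 permission bits plus owner."""
    return {p: (m & 0o7777, u, g) for p, m, u, g in entries if is_privileged(m)}


def walk_stat(root: str) -> Iterator[StatEntry]:
    """lstat every file under root; symlinks are reported, never followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue          # unreadable or vanished: skip, keep walking
            yield path, st.st_mode, st.st_uid, st.st_gid


def scan(root: str) -> Inventory:
    return classify(walk_stat(root))


def diff(baseline: Inventory, current: Inventory) -> Dict[str, List[str]]:
    """Privileged files that are new, gone, or changed mode/owner."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(current) & set(baseline)
                     if current[p] != baseline[p])
    return {"added": added, "removed": removed, "changed": changed}


def format_line(path: str, entry: Tuple[int, int, int]) -> str:
    mode, uid, gid = entry
    return f"{mode:04o} {uid} {gid} {path}"


def parse_line(line: str) -> Tuple[str, Tuple[int, int, int]]:
    mode, uid, gid, path = line.rstrip("\n").split(" ", 3)
    return path, (int(mode, 8), int(uid), int(gid))


def load_baseline(lines: Iterable[str]) -> Inventory:
    return dict(parse_line(line) for line in lines if line.strip())


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} ROOT BASELINE_FILE", file=sys.stderr)
        return 2
    root, baseline_path = argv[1], argv[2]
    current = scan(root)
    if not os.path.exists(baseline_path):
        # First run: record what is there now so later runs can diff against it.
        with open(baseline_path, "w") as f:
            f.writelines(format_line(p, e) + "\n" for p, e in sorted(current.items()))
        print(f"recorded {len(current)} setuid/setgid files to {baseline_path}")
        return 0
    with open(baseline_path) as f:
        report = diff(load_baseline(f), current)
    for kind in ("added", "removed", "changed"):
        for path in report[kind]:
            print(kind, path)
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root once to record the baseline (an unprivileged run cannot stat everything), keep the baseline file off the audited host, and re-run it from cron; a non-zero exit means something in the privileged set moved. A new entry is the interesting case, but a changed owner or a removed entry is worth a look too, since the former can turn a harmless sgid tool into a setuid-root one.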
From owner-freebsd-security Sat Mar 27 18:15:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 5A04115211 for ; Sat, 27 Mar 1999 18:14:37 -0800 (PST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony [10.0.0.6]) by rover.village.org (8.9.3/8.6.6) with ESMTP id CAA23858; Sun, 28 Mar 1999 02:14:16 GMT
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id TAA78932; Sat, 27 Mar 1999 19:14:29 -0700 (MST)
Message-Id: <199903280214.TAA78932@harmony.village.org>
To: Gustavo Rios
Subject: Re: suid/guid
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Sat, 27 Mar 1999 05:45:10 GMT." <36FC7066.1FE66497@netshell.com.br>
References: <36FC7066.1FE66497@netshell.com.br>
Date: Sat, 27 Mar 1999 19:14:29 -0700
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

In message <36FC7066.1FE66497@netshell.com.br> Gustavo Rios writes:
: Is there any suid/guid bit set file exploitable on systems 2.2.8-Stable?

Not to the best of my knowledge.
Warner
FreeBSD Security Officer

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBNv2Qg9xynu/2qPVhAQH43QP8DBPhe8oIlpu1161g22wqU5g5tjpjANVJ
eK1R5fr+JkKkaPOa2JGL/DtA+X8UZl12aEcr1bNmVWusabgn3vmKtfbkPtNWusWA
FPYT4MGprozU9+KcN3ZIPEA150rBLaUGbRjscNve2fufXW1uHtObJwHigqitl+FH
pZqpQX+GhFU=
=rE8g
-----END PGP SIGNATURE-----

From owner-freebsd-security Sat Mar 27 20:50:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from aniwa.sky (p6-max5.wlg.ihug.co.nz [202.49.241.6]) by hub.freebsd.org (Postfix) with ESMTP id 83EF01534D for ; Sat, 27 Mar 1999 20:50:17 -0800 (PST) (envelope-from andrew@squiz.co.nz)
Received: from aniwa.sky (localhost [127.0.0.1]) by aniwa.sky (8.9.1a/8.9.1) with ESMTP id QAA10976; Sun, 28 Mar 1999 16:48:42 +1200 (NZST)
Message-Id: <199903280448.QAA10976@aniwa.sky>
X-Mailer: exmh version 2.0.2 2/24/98
To: Warner Losh
Cc: Gustavo Rios , freebsd-security@FreeBSD.ORG
Subject: Re: suid/guid
In-reply-to: Your message of "Sat, 27 Mar 1999 19:14:29 MST." <199903280214.TAA78932@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 28 Mar 1999 16:48:41 +1200
From: Andrew McNaughton
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> In message <36FC7066.1FE66497@netshell.com.br> Gustavo Rios writes:
> : Is there any suid/guid bit set file exploitable on systems 2.2.8-Stable?
> 
> Not to the best of my knowledge.
> 
> Warner
> FreeBSD Security Officer

Does 2.2.8-STABLE exist? I thought 2.2.8 had stopped at RELEASE.

There was some discussion, and I gather a 2.2.8 ports collection is on the net. Unless this is being kept up to date, it will include some security holes.
eg ports for lsof and super were updated to cover security holes in suid binaries not long back, but this may not be reflected in old ports collections.

Andrew McNaughton

-- 
-----------
Andrew McNaughton
andrew@squiz.co.nz
http://www.newsroom.co.nz/

From owner-freebsd-security Sat Mar 27 21:39:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id C201A14CF7 for ; Sat, 27 Mar 1999 21:39:21 -0800 (PST) (envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id VAA34989; Sat, 27 Mar 1999 21:37:52 -0800 (PST) (envelope-from jkh@zippy.cdrom.com)
To: Andrew McNaughton
Cc: Warner Losh , Gustavo Rios , freebsd-security@FreeBSD.ORG
Subject: Re: suid/guid
In-reply-to: Your message of "Sun, 28 Mar 1999 16:48:41 +1200." <199903280448.QAA10976@aniwa.sky>
Date: Sat, 27 Mar 1999 21:37:52 -0800
Message-ID: <34987.922599472@zippy.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Does 2.2.8-STABLE exist? I thought 2.2.8 had stopped at RELEASE.

"Official" support stopped as of 2.2.8-RELEASE, yes, but various committers have continued to fold in changes that were important to them and/or requested on an individual basis. As long as there's somebody willing to back-port a change, and it's of the "no brainer" type where no conceivable de-stabilizing downside exists, there's a sort of tacit approval to commit it after the branch has officially died.

Doing a quick diff between the RELENG_2_2_8_RELEASE and RELENG_2_2 tags, in fact, I see XXXK of diffs, mostly in the area of man page fixes, Y2K changes (cosmetic) and login class defaults. The vinum filesystem also entered the tree, post-2.2.8, for some special customer.
> There was some discussion, and I gather a 2.2.8 ports collection is
> on the net. Unless this is being kept up to date, it will include
> some security holes.

This is something which should be actively taken up with Satoshi Asami and/or ports@freebsd.org - I have no idea what his plans are for updating the ports which have specific and important security holes in them; if asked nicely, he's generally pretty accommodating about the exceptions.

- Jordan

From owner-freebsd-security Sat Mar 27 21:40:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 153EC15398 for ; Sat, 27 Mar 1999 21:40:16 -0800 (PST) (envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id VAA35010; Sat, 27 Mar 1999 21:39:20 -0800 (PST) (envelope-from jkh@zippy.cdrom.com)
To: Andrew McNaughton
Cc: Warner Losh , Gustavo Rios , freebsd-security@FreeBSD.ORG
Subject: Re: suid/guid
In-reply-to: Your message of "Sun, 28 Mar 1999 16:48:41 +1200." <199903280448.QAA10976@aniwa.sky>
Date: Sat, 27 Mar 1999 21:39:19 -0800
Message-ID: <35008.922599559@zippy.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Whoops, I was a little bit too quick on the send there - substitute 690K for the XXXX diff byte count in my last message.
- Jordan

From owner-freebsd-security Sat Mar 27 23:28:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id A610014C0C for ; Sat, 27 Mar 1999 23:28:39 -0800 (PST) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id XAA01660; Sat, 27 Mar 1999 23:27:44 -0800 (PST)
Message-ID: <19990327232743.C29901@best.com>
Date: Sat, 27 Mar 1999 23:27:43 -0800
From: "Jan B. Koum "
To: Matthew Dillon , James Wyatt
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
References: <199903251836.KAA00989@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199903251836.KAA00989@apollo.backplane.com>; from Matthew Dillon on Thu, Mar 25, 1999 at 10:36:55AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Mar 25, 1999 at 10:36:55AM -0800, Matthew Dillon wrote:
> 
> :
> :On Thu, 25 Mar 1999, Matthew Dillon wrote:
> : [ ... ]
> :> are still vulnerable. You can get into the account just fine without
> :> exposing a password, but once in the account if you need to type a
> :> password of any sort in to do something else, *that* password is
> :> vulnerable to interception.
> :
> :especially sudo and su... - Jy@
> 
> We used sudo for a little while 3 years ago, but I decided that it was
> too big a security risk and wiped it. sudo is one of the stupidest
> programs I've ever seen.
> 
> -Matt
> Matthew Dillon
> 
> 

I have to agree with Matt 200% on the sudo. While the software itself might be well done -- the idea of 'partial root' is not. At a large FreeBSD shop where I work I see sudo being abused by people who are not qualified to even have a Unix shell.
To many, sudo != root, where it is just that, root. If you trust someone with root -- let them su(1). Else don't even give them partial root access.

-- Yan