From owner-freebsd-security Sun Jan 20 10:49:42 2002
From: msluyter@yahoo.com
Subject: All New
Date: Fri, 18 Jan 2002 21:31:30 -0600

TIRED OF ENDLESSLY POSTING YOUR ONLINE CLASSIFIED AD AND GETTING NO RESULTS?

There are over 7000 such sites scattered about the web; and quite frankly, none of them generate enough traffic to be worth your while. Even when someone finds or visits one of these sites, your ad is hopelessly lost in a myriad of similar offerings.

Another frustration is search engines. If you are not in the Top 10, forget about high traffic on your web site. Not everyone can be in the Top 10 and stay there, when there are estimates of four million web pages! How do we know? We know because that's exactly what we used to do.

The greatest way of marketing this century is undoubtedly direct e-mail. It's similar to the postman delivering a letter to your mailbox. There is NO stumbling on to it! The ability to promote your product, service, website, or MLM/network marketing opportunity to millions instantly is what advertisers have been dreaming of for over 100 years. We will e-mail your one page promotion to a list of our general addresses. The greatest part is, it's completely affordable.

-----------------------------------------------------------------------
NOTICE: Absolutely no pornography, chain letters, get rich quick, pyramid schemes, or any threatening or questionable materials.
-----------------------------------------------------------------------
STANDARD PRICING AND PROCEDURES
-----------------------------------------------------------------------
EXTRACTING: Our list of general Internet addresses is actually extracted from the most popular web sites on the Internet. The addresses are verified and run through our purification process. The process includes addresses run against our custom remove filter of 2,492 keywords, as well as through our 192MB remove/flamer list. The EDU, ORG, GOV, MIL, and US domains are removed, as well as other domains that asked not to receive e-mail.
-----------------------------------------------------------------------
SET-UP FEE: $150.00
This will cover the costs of uploading files, Internet Access (ISP), and software set-up.
-----------------------------------------------------------------------
EVALUATION: $350.00 (optional)
One of our marketing specialists will evaluate your sales letter, and offer his/her expertise on how to make it the most successful.
-----------------------------------------------------------------------
STANDARD PRICING: (Emails Delivered)
1 Million - $800.00 per
2 Million - $700.00 per
3 Million & up - $600.00 per
-----------------------------------------------------------------------
SPECIAL OFFER!
This introductory offer of $475.00 includes:
1. Set-Up Fee
2. Evaluation of Sales Letter
3. 250,000 e-mails delivered
-----------------------------------------------------------------------
PAYMENT POLICY
All services must be paid in full prior to delivery of advertisement. Under NO CIRCUMSTANCES will any sales or marketing strategies be discussed until payment is received.
-----------------------------------------------------------------------
If you are serious about Direct Email Marketing--Fax the following form to (602) 392-8288
-----------------------------------------------------------------------
PLEASE FILL THIS FORM OUT COMPLETELY!
Contact Name: ____________________
Business Name: ____________________
Business Type: ____________________
# Years in Business: ____________________
Address: ____________________
City: ____________________ State: ______ Zip: ______________
Country: ____________________
Email Address: ____________________
Phone: ____________________ Fax: ____________________
-----------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jan 20 12:41:02 2002
From: Slawek Zak
To: freebsd-security@FreeBSD.ORG
Subject: Re: identd inside of jail
Date: Sun, 20 Jan 2002 21:40:48 +0100
In-Reply-To: Robert Watson's message of "Fri, 7 Dec 2001 11:52:57 -0500 (EST)"

On Fri, 7 Dec 2001, Robert Watson told this:

> This problem is fixed in 5.0-CURRENT as it performs two checks in udp and
> tcp getcred: first, it checks for privilege (and permits the jail to
> succeed), and second, it checks whether the connection in question is
> visible to the current jail.

And what about checking if the connection was initiated from the server, just like it's done in OpenBSD? ;)

/S

--
hundred-and-one symptoms of being an internet addict:
196. Your computer costs more than your car.
* Suavek Zak / PGP: finger://zaks@prioris.mini.pw.edu.pl

From owner-freebsd-security Sun Jan 20 12:47:23 2002
From: Bart Matthaei
To: freebsd-security@freebsd.org
Subject: racoon + ipfw
Date: Sun, 20 Jan 2002 21:47:12 +0100

Hi all,

I had a short amount of time to fiddle with racoon, and I didn't get it working because ipfw blocked the proto it uses. I postponed the project and forgot to figure it out.

My question is, what should I allow in order to get setkey/racoon working properly?
With regards,

Bart Matthaei

--
Bart Matthaei bart@dreamflow.nl
Young Urban Professional In short: YUP
"The whacky morning DJ says democracy's a joke"

From owner-freebsd-security Sun Jan 20 15:21:49 2002
From: "Crist J. Clark"
To: Bart Matthaei
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: racoon + ipfw
Date: Sun, 20 Jan 2002 15:20:28 -0800

On Sun, Jan 20, 2002 at 09:47:12PM +0100, Bart Matthaei wrote:
> Hi all,
>
> I had a short amount of time to fiddle with racoon, and I didn't get
> it working because ipfw blocked the proto it uses. I postponed the
> project and forgot to figure it out.
> My question is, what should I allow in order to get setkey/racoon working
> properly?

isakmp 500/udp

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Sun Jan 20 20:02:58 2002
From: linbl@slingshot.com
Subject: Happy Holiday
Date: Sun, 20 Jan 2002 21:53:39 -0600

ViaPro

To be removed from future mailings CLICK HERE
From owner-freebsd-security Mon Jan 21 06:18:47 2002
From: verbavolant@logos.net
To: security@freebsd.org
Subject: Verba Volant
Date: Mon, 21 Jan 2002 06:18:40 -0800 (PST)

We have been requested to insert the following email address, "security@freebsd.org", in the Verba Volant Newsletter database. Through this daily service you will receive a quotation, selected from amongst the most celebrated philosophers, writers and poets of all time and translated into many languages and dialects by volunteers worldwide.

If you would like to confirm your subscription to Verba Volant, please click on the following link:
http://www.logos.net/owa-l/press.subscribe?lang=en&email=security@freebsd.org

If you do not wish to click on the link, your subscription will be cancelled.

Thank you for your time.
Verba Volant

We have been asked to add the e-mail address "security@freebsd.org" to the recipient list of Verba Volant, a service that will send you every day a quotation selected from the works of the best philosophers, writers and poets of all time and translated into a great many languages thanks to volunteers from around the world.

To confirm the subscription to Verba Volant, please go to the following link:
http://www.logos.net/owa-l/press.subscribe?lang=fr&email=security@freebsd.org

If you prefer not to click on the link, you will receive nothing.

In any case, thank you for having granted us a few seconds.
Verba Volant

We have been asked to add the e-mail address "security@freebsd.org" to the Verba Volant mailing list, a service that will send you daily quotations chosen from among the best philosophers, writers, poets, etc., translated into several languages and dialects. These quotations are translated by volunteers who connect to our website from all over the world.

If you want to confirm the subscription to Verba Volant, please go to:
http://www.logos.net/owa-l/press.subscribe?lang=es&email=security@freebsd.org

If you do not go to the address indicated, you will not receive the quotations.

Many thanks for the time you have given us.
Verba Volant

We have been asked to add the e-mail address "security@freebsd.org" to the recipient list of Verba Volant, a service that will send you every day a quotation chosen from those of the best philosophers, writers and poets of all time and translated into a great many languages and dialects thanks to the collaboration of volunteers from all over the world.

If you wish to confirm the subscription, please connect to the following link:
http://www.logos.net/owa-l/press.subscribe?lang=it&email=security@freebsd.org

Should you prefer not to click on the link, you will receive nothing.

Thank you anyway for the seconds you have given us.
Kind regards.

From owner-freebsd-security Mon Jan 21 08:06:08 2002
From: Florin MANAILA
To: BSD
Subject: Sysctl var.
Date: Mon, 05 Jan 1998 23:19:55 +0200

I don't find any documentation for:

sysctl var:

net.inet.ip.check_interface
net.inet.ip.stealth

any clue?

Best regards,
Florin

From owner-freebsd-security Mon Jan 21 09:05:47 2002
From: "jack xiao"
Subject: PAM for both RADIUS and LDAP?
Date: Mon, 21 Jan 2002 12:04:55 -0500

(attachment: question.txt)

Hi,

I am wondering if there is some PAM port under FreeBSD which can support RADIUS and LDAP authentication very well. Under the security ports, I found some, but I am not sure which one has the authentication functions I want.

Thanks a lot!
Jack

From owner-freebsd-security Mon Jan 21 09:44:05 2002
Date: Mon, 21 Jan 2002 19:43:51 +0200 (EET)
From: Camelia NASTASE
Subject: Re: Sysctl var.
In-Reply-To: <34B14E7A.1FA55AD1@softnet.ro>

> I don't find any documentation for:
>
> sysctl var:
>
> net.inet.ip.check_interface

causes IP to verify that an incoming packet arrives on an interface that has an address matching the packet's destination address.

> net.inet.ip.stealth

I presume you have support for stealth forwarding enabled.

hope it helps,
camelia

--
Camelia Nastase, camelia@office.dnt.ro
Network Administrator
Dynamic Network Technologies, Romania
Tel: +40-1-2106863 Fax: +40-1-3122745

From owner-freebsd-security Mon Jan 21 09:47:39 2002
From: david bucher
To: undisclosed-recipients:;
Subject: The schedule you received will help you cut down on an every
Date: Mon, 21 Jan 2002 11:49:09 -0600 (CST)

The "Writing Bulletin Board" in the hall is to display students' writings that will later be placed in their portfolio. The schedule you received will help you cut down on an every month writing display. When your six weeks are up, you are done for the year! However, we must maintain our writing program, which includes our portfolios.

From owner-freebsd-security Mon Jan 21 23:43:42 2002
To: freebsd-security@FreeBSD.ORG
From: "Sean McCreary"
Subject: Update for isakmpd port
Date: Tue, 22 Jan 2002 00:44:10 -0700

I've put together an update for isakmpd in the ports collection, and I'd like some feedback before I submit the changes. The port is based off the isakmpd source released with OpenBSD 3.0, but includes several patches to make it work better with FreeBSD.

In addition to patches to the sysdep files for FreeBSD, I also changed the default location for the isakmpd.conf from /etc/isakmpd to /usr/local/etc/isakmpd. This may be controversial, but it seems to match the approach taken in other ports like the one for OpenSSH. Feel free to tell me whether you think this is a good or bad thing :-)

This version also supports negotiation of SAs in phase 2 that use encryption algorithms other than DES or 3DES, and uses arc4random() for the generation of cookies rather than the predictable sequence generated by random().

There are a few more things that need to be done to fix problems with building certpatch automatically and running the regression tests, but the daemon itself runs well for me and I'd like feedback on how well it works for others. You can temporarily obtain the port from either

http://www.pch.net/software/isakmpd/isakmpd-3.0_FreeBSD_Port.tgz
or
ftp://ftp.cs.colorado.edu/pub/isakmpd/isakmpd-3.0_FreeBSD_Port.tgz

Please send feedback to either or me directly.

--
Sean McCreary
mccreary@pch.net

From owner-freebsd-security Mon Jan 21 23:51:44 2002
From: "Asep Ruspeni"
Subject: relaying mail from DHCP clients
Date: Tue, 22 Jan 2002 15:06:12 +0700

my configurations:

FreeBSD: mail server using sendmail
Windows2000: DHCP server

need help:
- my clients (which obtain IP from DHCP server) couldn't send mail using MUA outlook express.
  the comment was:
  relaying denied, IP lookup failed [IP generated by DHCP server]

question:
how do I set up my sendmail configuration so my clients could send mail from his/her MUA using smtp service in my freebsd box.

thank you in advance.
asep.

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

From owner-freebsd-security Tue Jan 22 00:10:58 2002
Date: Tue, 22 Jan 2002 09:10:48 +0100
From: Bart Matthaei
To: Asep Ruspeni
Cc: freebsd-security@freebsd.org
Subject: Re: relaying mail from DHCP clients

On Tue, Jan 22, 2002 at 03:06:12PM +0700, Asep Ruspeni wrote:
> my configurations:
>
> FreeBSD: mail server using sendmail
> Windows2000: DHCP server
>
> need help:
> - my clients (which obtain IP from DHCP server) couldn't send mail using MUA
> outlook express.
> the comment was:
> relaying denied, IP lookup failed [IP generated by DHCP server]
>
> question:
> how do I set up my sendmail configuration so my clients could send mail from
> his/her MUA using smtp service in my freebsd box.
>
> thank you in advance.
> asep.
>

First of all, I think this is a bit off-topic. But I'll try to answer anyway.

After 2 min. of googling:

FEATURE(accept_unresolvable_domains).

Normally, sendmail will refuse to accept mail that has a return address with a domain that cannot be resolved using the regular host lookups (a technique commonly used by spammers). This feature permits acceptance of such addresses. Unresolvable domains can be selectively accepted using the access database.

For more info: http://www.sendmail.org/tips/relaying.html

HTH

Regards,

Bart Matthaei

--
Bart Matthaei bart@dreamflow.nl
Young Urban Professional In short: YUP
"The whacky morning DJ says democracy's a joke"

From owner-freebsd-security Tue Jan 22 00:17:55 2002
Date: Tue, 22 Jan 2002 09:17:37 +0100
From: "Roger 'Rocky' Vetterberg"
To: Bart Matthaei
Cc: Asep Ruspeni, freebsd-security@FreeBSD.ORG
Subject: Re: relaying mail from DHCP clients

Bart Matthaei wrote:

>On Tue, Jan 22, 2002 at 03:06:12PM +0700, Asep Ruspeni wrote:
>
>>my configurations:
>>
>>FreeBSD: mail server using sendmail
>>Windows2000: DHCP server
>>
>>need help:
>>- my clients (which obtain IP from DHCP server) couldn't send mail using MUA
>>outlook express.
>>the comment was:
>>relaying denied, IP lookup failed [IP generated by DHCP server]
>>
>>question:
>>how do I set up my sendmail configuration so my clients could send mail from
>>his/her MUA using smtp service in my freebsd box.
>>
>>thank you in advance.
>>asep.
>>
>
>First of all, I think this is a bit off-topic. But I'll try to answer
>anyway.
>
>After 2 min. of googling:
>
>FEATURE(accept_unresolvable_domains).
>
>Normally, sendmail will refuse to accept mail that has a return address
>with a domain that cannot be resolved using the regular host lookups
>(a technique commonly used by spammers).
>This feature permits acceptance of such addresses.
>Unresolvable domains can be selectively accepted using the access
>database.
>
>For more info: http://www.sendmail.org/tips/relaying.html
>
>HTH
>
>Regards,
>
>Bart Matthaei
>

My guess would be that all you have to do is edit the /etc/mail/access file to be something like

192.168.0    RELAY

and then rebuild the access db with 'cd /etc/mail; makemap hash access < access'. Restart sendmail and you're done. That is if your clients are on the 192.168.0 subnet; if not, change it to suit your needs.

--
R

From owner-freebsd-security Tue Jan 22 00:24:58 2002
Date: Tue, 22 Jan 2002 10:24:49 +0200 (EET)
From: Camelia NASTASE
To: Asep Ruspeni
Subject: Re: relaying mail from DHCP clients
In-Reply-To: <000801c1a31b$afe43e60$2e020a0a@mti.itb.ac.id>

> my configurations:
>
> FreeBSD: mail server using sendmail
> Windows2000: DHCP server
>
> need help:
> - my clients (which obtain IP from DHCP server) couldn't send mail using MUA
> outlook express.
> the comment was:
> relaying denied, IP lookup failed [IP generated by DHCP server]
>
> question:
> how do I set up my sendmail configuration so my clients could send mail from
> his/her MUA using smtp service in my freebsd box.
>
> thank you in advance.
> asep.
>

add an entry to /etc/mail/access containing the range of addresses you want to relay for. then remake the access database and restart sendmail.

for instance, if you want to relay for 192.168.0.0/24, you add an entry like:

192.168.0    RELAY

hope it helps,
camelia

--
Camelia Nastase, camelia@office.dnt.ro
Network Administrator
Dynamic Network Technologies, Romania
Tel: +40-1-2106863 Fax: +40-1-3122745

From owner-freebsd-security Tue Jan 22 00:26:54 2002
Date: Tue, 22 Jan 2002 09:26:50 +0100
From: Bart Matthaei
To: Roger 'Rocky' Vetterberg
Cc: freebsd-security@freebsd.org
Subject: Re: relaying mail from DHCP clients
Message-ID: <20020122092650.L58243@heresy.dreamflow.nl>
In-Reply-To: <3C4D2021.80006@rambo.simx.org>

On Tue, Jan 22, 2002 at 09:17:37AM +0100, Roger 'Rocky' Vetterberg wrote:
> My guess would be that all you have to do is edit the /etc/mail/access
> file to be something like
> 192.168.0 RELAY

Sorry for my cluelessness. Haven't used sendmail in a while .. :)

Regards,

Bart

--
Bart Matthaei bart@dreamflow.nl
Young Urban Professional In short: YUP
"The whacky morning DJ says democracy's a joke"

From owner-freebsd-security Tue Jan 22 1:24:16 2002
Message-ID: <002701c1a328$9aac7fa0$2e020a0a@mti.itb.ac.id>
From: "Asep Ruspeni"
Subject: Re: relaying mail from DHCP clients
Date: Tue, 22 Jan 2002 16:38:44 +0700
References: <20020122101115.P25912-100000@camelia.dnt.ro>

> add an entry to /etc/mail/access containing the range of addresses you
> want to relay for. then remake the access database and restart sendmail.
>
> for instance, if you want to relay for 192.168.0.0/24, you add an entry
> like:
>
> 192.168.0

thank you for your advice, i did add the entry to
/etc/mail/access
and then rebuild the access db with
makemap hash access < access

but still i got error messages like this (when i started sending mail to
some mail account at yahoo.com):

    The message could not be sent because one of the recipients was rejected by
    the server. The rejected e-mail address was some-account@yahoo.com. Subject
    'test smtp', Account: 'my-domain', Server: 'my-domain', Protocol: SMTP,
    Server Response: '550 5.7.1 ... Relaying denied. IP
    name lookup failed [10.10.2.46]', Port: 25, Secure(SSL): No, Server Error:
    550, Error Number: 0x800CCC79

my range of IP address i want to relay : 10.10.2.1 - 10.10.2.254

any further suggestions?
asep.

From owner-freebsd-security Tue Jan 22 2:09:21 2002
Date: Tue, 22 Jan 2002 02:09:18 -0800
From: Alfred Perlstein
To: Asep Ruspeni
Cc: freebsd-security@freebsd.org
Subject: Re: relaying mail from DHCP clients
Message-ID: <20020122020918.V13686@elvis.mu.org>
In-Reply-To: <002701c1a328$9aac7fa0$2e020a0a@mti.itb.ac.id>

* Asep Ruspeni [020122 01:24] wrote:
>
> any further suggestions?

Try freebsd-questions.

-Alfred

From owner-freebsd-security Tue Jan 22 2:29:20 2002
Date: Tue, 22 Jan 2002 11:29:13 +0100
From: Bart Matthaei
To: Asep Ruspeni
Cc: freebsd-security@freebsd.org
Subject: Re: relaying mail from DHCP clients
Message-ID: <20020122112913.N58243@heresy.dreamflow.nl>
In-Reply-To: <002701c1a328$9aac7fa0$2e020a0a@mti.itb.ac.id>

On Tue, Jan 22, 2002 at 04:38:44PM +0700, Asep Ruspeni wrote:
> any further suggestions?

Did you try the suggestion i made ?

FEATURE(accept_unresolvable_domains) (see my first mail on the subject)

As far as I know, it's a config option for sendmail to deny relaying for
unresolved IPs. Try looking through the FAQ at sendmail.org.

Regards,

Bart Matthaei

--
Bart Matthaei bart@dreamflow.nl
Young Urban Professional In short: YUP
"The whacky morning DJ says democracy's a joke"

From owner-freebsd-security Tue Jan 22 8:04:14 2002
Message-ID: <00b401c1a35e$2c55fa50$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
To: "Asep Ruspeni"
Subject: Re: relaying mail from DHCP clients
Date: Tue, 22 Jan 2002 10:02:20 -0600
References: <20020122101115.P25912-100000@camelia.dnt.ro> <002701c1a328$9aac7fa0$2e020a0a@mti.itb.ac.id>

Are you running a DNS server that the destination server can use to do a
reverse lookup too?

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Asep Ruspeni"
Sent: Tuesday, January 22, 2002 3:38 AM
Subject: Re: relaying mail from DHCP clients

> > add an entry to /etc/mail/access containing the range of addresses you
> > want to relay for. then remake the access database and restart sendmail.
> >
> > for instance, if you want to relay for 192.168.0.0/24, you add an entry
> > like:
> >
> > 192.168.0
>
> thank you for your advice, i did add the entry to
> /etc/mail/access
> and then rebuild the access db with
> makemap hash access < access
>
> but still i got error messages like this (when i started sending mail to
> some mail account at yahoo.com):
>
> The message could not be sent because one of the recipients was rejected by
> the server. The rejected e-mail address was some-account@yahoo.com. Subject
> 'test smtp', Account: 'my-domain', Server: 'my-domain', Protocol: SMTP,
> Server Response: '550 5.7.1 ... Relaying denied. IP
> name lookup failed [10.10.2.46]', Port: 25, Secure(SSL): No, Server Error:
> 550, Error Number: 0x800CCC79
>
> my range of IP address i want to relay : 10.10.2.1 - 10.10.2.254
>
> any further suggestions?
> asep.
>

From owner-freebsd-security Tue Jan 22 8:11:40 2002
Date: Tue, 22 Jan 2002 11:10:45 -0500 (EST)
From: Ralph Huntington
To: "Thomas T. Veldhouse"
Cc: Asep Ruspeni
Subject: Please discontinue discussion "relaying mail"
In-Reply-To: <00b401c1a35e$2c55fa50$3028680a@tgt.com>
Message-ID: <20020122110906.R93587-100000@mohegan.mohawk.net>

Can we please take this discussion off freebsd-security, where it surely
does not belong. Please.

On Tue, 22 Jan 2002, Thomas T. Veldhouse wrote:

> Are you running a DNS server that the destination server can use to do a
> reverse lookup too?
>
> Tom Veldhouse
> veldy@veldy.net
>
> ----- Original Message -----
> From: "Asep Ruspeni"
> Sent: Tuesday, January 22, 2002 3:38 AM
> Subject: Re: relaying mail from DHCP clients
>
> > [...]
>

From owner-freebsd-security Tue Jan 22 8:11:43 2002
Date: Tue, 22 Jan 2002 17:11:34 +0100
From: Bart Matthaei
To: "Thomas T. Veldhouse"
Cc: freebsd-security@freebsd.org
Subject: Re: relaying mail from DHCP clients
Message-ID: <20020122171134.E69805@heresy.dreamflow.nl>
In-Reply-To: <00b401c1a35e$2c55fa50$3028680a@tgt.com>

On Tue, Jan 22, 2002 at 10:02:20AM -0600, Thomas T. Veldhouse wrote:
> Are you running a DNS server that the destination server can use to do a
> reverse lookup too?

It's not necessary to give private IPs a reverse. It's better for the
functioning of your network, but not mandatory. The MTA should allow
non-resolved IPs to relay. This is just a sendmail config option.

With Regards,

Bart Matthaei

--
Bart Matthaei bart@dreamflow.nl
Young Urban Professional In short: YUP
"The whacky morning DJ says democracy's a joke"

From owner-freebsd-security Tue Jan 22 8:14:36 2002
Message-ID: <005001c1a35f$9c4da780$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
To: "Bart Matthaei"
Cc: "FreeBSD-Questions"
Subject: Re: relaying mail from DHCP clients
Date: Tue, 22 Jan 2002 10:12:37 -0600
In-Reply-To: <20020122171134.E69805@heresy.dreamflow.nl>

I wasn't talking about private IPs, I was talking about the sendmail server
itself.

Tom Veldhouse
veldy@veldy.net

PS -- moved to FreeBSD-questions

----- Original Message -----
From: "Bart Matthaei"
To: "Thomas T. Veldhouse"
Sent: Tuesday, January 22, 2002 10:11 AM
Subject: Re: relaying mail from DHCP clients

From owner-freebsd-security Tue Jan 22 8:18:27 2002
Date: Tue, 22 Jan 2002 11:18:16 -0500
From: Chris Thomas
To: freebsd-security@freebsd.org
Cc: "Asep Ruspeni"
Subject: Re: relaying mail from DHCP clients
Message-Id: <20020122111816.5e70b6ff.resopmok@gramsc1.dyndns.org>
In-Reply-To: <20020122112913.N58243@heresy.dreamflow.nl>

as i recall, FEATURE(accept_unresolvable_domains) does not have anything to
do with relaying mail, but accepting mail (i.e., it will allow a mail from
user@this.name.does.not.resolve to be received to the mail server. also
useful for running mail in self-contained LANs that have no internal DNS.)

this part of the discussion is where security actually comes into play, and
is useful to have on a semi-infrequent basis.. in order for clients to use
your SMTP server to relay mail, either their IPs or names must be listed in
/etc/mail/access (with the database rehashed). this means one of the
following 3 things needs to be done:

1) add the specific IP of your client to /etc/mail/access
2) use an open relay, so anyone can relay with your server (very unwise)
3) use pop3 before relay authentication.

it is wise to only allow clients from inside your LAN to relay mail,
preventing your server from being used as a relay by spammers (note that
you can specify an IP range in /etc/mail/access). open mail relays are a
problem, and they can get you blacklisted fairly easily (www.ordb.org).
pop3 authentication is a viable solution, but can be somewhat difficult to
implement with sendmail.

-chris

On Tue, 22 Jan 2002 11:29:13 +0100
Bart Matthaei wrote about Re: relaying mail from DHCP clients:

||On Tue, Jan 22, 2002 at 04:38:44PM +0700, Asep Ruspeni wrote:
||> any further suggestions?
||
||Did you try the suggestion i made ?
||
||FEATURE(accept_unresolvable_domains) (see my first mail on the
||subject)
||
||As far as I know, it's a config option for sendmail to deny relaying
||for unresolved IPs. Try looking through the FAQ at sendmail.org.
||
||Regards,
||
||Bart Matthaei
||
||--
||Bart Matthaei bart@dreamflow.nl
||
||Young Urban Professional In short: YUP
||
||"The whacky morning DJ says democracy's a joke"
||

From owner-freebsd-security Tue Jan 22 8:37:40 2002
Date: Tue, 22 Jan 2002 10:29:09 -0600
From: Rick.Robinson@bankofamerica.com
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:06.sudo
To: freebsd-security@FreeBSD.ORG
Message-id: <86256B49.005A75BA.00@notes.bankofamerica.com>

Maybe I am missing something, but the sudo-1.6.4.1.tgz packages don't appear
to be out on the servers. Is there an eta as to when those packages will be
available? Thanks.

Rick

V. Solution

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/sudo-1.6.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/sudo-1.6.4.1.tgz

From owner-freebsd-security Tue Jan 22 9:04:07 2002
Date: Tue, 22 Jan 2002 12:03:57 -0500
From: "Peter C. Lai"
To: Rick.Robinson@bankofamerica.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:06.sudo
Message-ID: <20020122120357.A94908@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
In-Reply-To: <86256B49.005A75BA.00@notes.bankofamerica.com>

I cvsup'd today and reinstalled sudo and it appears to be up to 1.6.5.1
now, so try that version..

On Tue, Jan 22, 2002 at 10:29:09AM -0600, Rick.Robinson@bankofamerica.com wrote:
>
> Maybe I am missing something, but the sudo-1.6.4.1.tgz packages don't appear
> to be out on the servers. Is there an eta as to when those packages will be
> available? Thanks.
>
> Rick
>
> V. Solution
>
> 2) Deinstall the old package and install a new package dated after the
> correction date, obtained from the following directories:
>
> [i386]
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/sudo-1.6.4.1.tgz
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/sudo-1.6.4.1.tgz
>

--
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542
203.206.3784

From owner-freebsd-security Tue Jan 22 9:20:52 2002
Date: Tue, 22 Jan 2002 09:20:37 -0800
From: "Jeremy A. Mates"
To: freebsd-security@freebsd.org
Subject: Re: relaying mail from DHCP clients
Message-ID: <20020122172037.GA77721@darkness.sial.org>
In-Reply-To: <20020122111816.5e70b6ff.resopmok@gramsc1.dyndns.org>

* Chris Thomas [2002-01-22 08:19-0800]:
> it is wise to only allow clients from inside your LAN to relay mail,
> preventing your server from being used as a relay by spammers (note
> that you can specify an IP range in /etc/mail/access). open mail
> relays are a problem, and they can get you blacklisted fairly easily
> (www.ordb.org). pop3 authentication is a viable solution, but can be
> somewhat difficult to implement with sendmail.

Or, you can use SMTP AUTH (and/or STARTTLS) if pop-before-smtp does not
appeal to you:

http://www.sial.org/talks/smtpauth-starttls/

--
Jeremy Mates http://www.sial.org/
OpenPGP: 0x11C3D628 (4357 1D47 FF78 24BB 0FBF 7AA8 A846 9F86 11C3 D628)

From owner-freebsd-security Tue Jan 22 9:39:07 2002
Date: Tue, 22 Jan 2002 11:38:54 -0600
From: "Jacques A. Vidrine"
To: Rick.Robinson@bankofamerica.com
Cc: freebsd-ports@freebsd.org
Subject: How do packages on FTP.FREEBSD.ORG get updated? (was Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:06.sudo)
Message-ID: <20020122173854.GC686@madman.nectar.cc>
In-Reply-To: <86256B49.005A75BA.00@notes.bankofamerica.com>

On Tue, Jan 22, 2002 at 10:29:09AM -0600, Rick.Robinson@bankofamerica.com wrote:
> Maybe I am missing something, but the sudo-1.6.4.1.tgz packages don't appear
> to be out on the servers.

That's why the advisory says ``NOTE: It may be several days before
updated packages are available.'' :-)

> Is there an eta as to when those packages will be
> available? Thanks.

That's a very good question. I do not know the process for how the
packages get pushed out to the FTP sites. Maybe someone on the ports
list knows. I've set follow-ups there.

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Tue Jan 22 9:44:53 2002
From: "Lawrence Sica"
To: "Asep Ruspeni"
Subject: Re: relaying mail from DHCP clients
Date: Tue, 22 Jan 2002 09:45:34 -0800
References: <000101c19d18$57401d00$40c801ca@warhawk> <000801c1a31b$afe43e60$2e020a0a@mti.itb.ac.id>

----- Original Message -----
From: "Asep Ruspeni"
Sent: Tuesday, January 22, 2002 12:06 AM
Subject: relaying mail from DHCP clients

> my configurations :
>
> FreeBSD : mail server using sendmail
> Windows2000 : DHCP server
>
> need help :
> -my clients (which obtain IP from DHCP server) couldn't send mail using MUA
> outlook express.
> the comment was :
> relaying denied, IP lookup failed [IP generated by DHCP server]
>
> question :
> how do i setup my sendmail configuration so my clients could send mail from
> his/her MUA using smtp service in my freebsd box.
>

Sendmail will do smtp auth and pop before smtp. Are these IPs in a private
lan or using public IPs? If the ip range is small enough you could add the
IPs into the relay-domains file, you would then have to kill -HUP .

HTH

--Larry

From owner-freebsd-security Tue Jan 22 9:47:30 2002
From: "Lawrence Sica"
To: "Roger 'Rocky' Vetterberg", "Bart Matthaei"
Cc: "Asep Ruspeni"
Subject: Re: relaying mail from DHCP clients
Date: Tue, 22 Jan 2002 09:47:27 -0800
References: <000101c19d18$57401d00$40c801ca@warhawk> <000801c1a31b$afe43e60$2e020a0a@mti.itb.ac.id> <20020122091048.K58243@heresy.dreamflow.nl> <3C4D2021.80006@rambo.simx.org>

----- Original Message -----
From: "Roger 'Rocky' Vetterberg" To: "Bart Matthaei" Cc: "Asep Ruspeni" ; Sent: Tuesday, January 22, 2002 12:17 AM Subject: Re: relaying mail from DHCP clients > > > Bart Matthaei wrote: > > >On Tue, Jan 22, 2002 at 03:06:12PM +0700, Asep Ruspeni wrote: > > > >>my configurations : > >> > >>FreeBSD : mail server using sendmail > >>Windows2000 : DHCP server > >> > >>need help : > >>-my clients (which obtain IP from DHCP server) could'nt send mail using MUA > >>outlook express. > >>the comment was : > >>relaying denied, IP lookup failed [IP generated by DHCP server] > >> > >>question : > >>how do i setup my sendmail configuration so my clients could send mail from > >>his/her MUA using smtp service in my freebsd box. > >> > >>thank you in advance. > >>asep. > >> > > > >First of all, I think this is a bit off-topic. But ill try to answer > >anyway. > > > >After 2 min. of googling: > > > >FEATURE(accept_unresolvable_domains). > > > >Normally, sendmail will refuse to accept mail that has a return adress > >with a domain that cannot be resolved using the regular host lookups. > >(a technique commonly used by spammers). > >This feature permits acceptance of such addresses. > >Unresolvable domains can be selectively accepted using the access > >database. > > This won't help for ip's. All that does is turn of sendmail's reverse lookup feature. He needs to enable relaying not accepting mail for users... This is a dangerous feature as it is, too bad too many mail servers dont have a reverse dns ip address. 
--Larry

From owner-freebsd-security Tue Jan 22 9:49:27 2002
From: "Lawrence Sica"
To: "Asep Ruspeni",
Subject: Re: relaying mail from DHCP clients
Date: Tue, 22 Jan 2002 09:50:06 -0800

----- Original Message -----
From: "Asep Ruspeni"
Sent: Tuesday, January 22, 2002 1:38 AM
Subject: Re: relaying mail from DHCP clients

> > add an entry to /etc/mail/access containing the range of addresses you
> > want to relay for. then remake the access database and restart sendmail.
> >
> > for instance, if you want to relay for 192.168.0.0/24, you add an entry
> > like:
> >
> > 192.168.0
>
> thank you for your advice, I did add an entry to
> /etc/mail/access
> and then rebuilt the access db with
> makemap hash access < access
>
> but still I got error messages like this (when I started sending mail to
> some mail account at yahoo.com):
>
> The message could not be sent because one of the recipients was rejected by
> the server. The rejected e-mail address was some-account@yahoo.com. Subject
> 'test smtp', Account: 'my-domain', Server: 'my-domain', Protocol: SMTP,
> Server Response: '550 5.7.1 ... Relaying denied. IP
> name lookup failed [10.10.2.46]', Port: 25, Secure(SSL): No, Server Error:
> 550, Error Number: 0x800CCC79
>

You are using non-routable IPs. Either set up internal DNS or put entries for
the IPs in /etc/hosts. Either way will remove that. You could also turn off
sendmail's reverse lookup feature, but be VERY careful there; if this mail
server touches the internet I wouldn't do that. If it's just internal mail or
relaying to an external hub you could probably safely turn it off.
--Larry
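The access(5) lookup the thread is relying on, as an added example that is not code from any list post: a small Python model of the prefix walk sendmail performs on a connecting client's IPv4 address, so an /etc/mail/access entry can be checked against a client before running makemap. The access-file text is constructed for the example.

```python
"""Model of sendmail's access-map lookup for a connecting client's IPv4 address.

Added example, not code from the list thread. It reproduces the prefix walk
sendmail's LookUpAddress ruleset performs (full address, then ever shorter
dotted prefixes, the tagged 'Connect:' key before the untagged one) so that an
/etc/mail/access entry can be checked against a client IP before running
`makemap hash access < access` and restarting sendmail.
"""
import ipaddress

# Constructed sample of /etc/mail/access for this example.
SAMPLE_ACCESS = """\
# the DHCP pool the Windows 2000 server hands out to the office clients
Connect:10.10.2          RELAY
# a single box in that pool that must never relay through us
Connect:10.10.2.200      REJECT
# an untagged entry of the kind older how-tos suggest; still consulted
192.168.0                RELAY
"""


def parse_access(text):
    """Parse access(5) text into a {key: rhs} dict, ignoring comments and blanks."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            key, rhs = line.split(None, 1)
        except ValueError:
            raise ValueError("access entry without a right-hand side: %r" % raw)
        table[key] = rhs.strip()
    return table


def candidate_keys(client_ip):
    """Keys sendmail tries for an IPv4 client, most specific first.

    10.10.2.46 -> ['10.10.2.46', '10.10.2', '10.10', '10']
    """
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def lookup_client(table, client_ip):
    """Return (matched_key, rhs), or (None, None) when no entry applies.

    At each prefix length the tagged 'Connect:' key is tried before the
    untagged one, and the first hit ends the walk, so a full-address entry
    overrides a broader prefix entry covering the same network.
    """
    for cand in candidate_keys(client_ip):
        for key in ("Connect:" + cand, cand):
            if key in table:
                return key, table[key]
    return None, None


def relay_allowed(table, client_ip):
    """True only for an explicit RELAY hit; anything else means 'Relaying denied'."""
    _, rhs = lookup_client(table, client_ip)
    return rhs == "RELAY"


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for ip in ("10.10.2.46", "10.10.2.200", "10.10.3.5", "192.168.0.7"):
        key, rhs = lookup_client(table, ip)
        verdict = "RELAY" if relay_allowed(table, ip) else "Relaying denied"
        print("%-12s matched %-22s -> %s" % (ip, key, verdict))
```

The walk is keyed on the client's address, so a 192.168.0 entry copied from the earlier advice never matches a client at 10.10.2.46; the entry has to cover the pool the DHCP server actually hands out.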
From owner-freebsd-security Tue Jan 22 18:40:15 2002
From: Buliwyf McGraw
To: freebsd-security@FreeBSD.ORG
Subject: Creating users from the web
Date: Tue, 22 Jan 2002 21:39:53 -0500 (COT)

Hello, I want to build a system to create users from a web interface.
I tried to use the su_exec function of Apache but it doesn't support
running programs "as root" or executing setuid programs.
I really need the system to work via the web... I know that it could
be insecure, but anyway, I have to do it.
Any suggestions?
Thanks for any help.

=======================================================================
Buliwyf McGraw
Administrador del Servidor Libertad
Centro de Servicios de Informacion
Universidad del Valle
=======================================================================
From owner-freebsd-security Tue Jan 22 18:54:30 2002
From: Morten Grunnet Buhl
Date: Wed, 23 Jan 2002 03:54:34 +0100 (CET)

unsubscribe freebsd-security
From owner-freebsd-security Tue Jan 22 19:03:21 2002
From: "Asep Ruspeni"
Subject: Re: relaying mail from DHCP clients
Date: Wed, 23 Jan 2002 10:09:23 +0700

> Are you running a DNS server that the destination server can use to do a
> reverse lookup too?

Unfortunately the DNS server which does the reverse lookup is in another
location (in the parent domain).
So, what should I do next?

Thank you in advance,
asep.
From owner-freebsd-security Tue Jan 22 19:37:27 2002
From: Brian Reichert
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Creating users from the web
Date: Tue, 22 Jan 2002 22:37:20 -0500

On Tue, Jan 22, 2002 at 09:39:53PM -0500, Buliwyf McGraw wrote:
>
> Hello, I want to build a system to create users from a web interface.
> I tried to use the su_exec function of Apache but it doesn't support
> running programs "as root" or executing setuid programs.
> I really need the system to work via the web... I know that it could
> be insecure, but anyway, I have to do it.

Write a suid wrapper. Not a FreeBSD security issue, I think.

Or, use 'sudo'.

> Any suggestions?
> Thanks for any help.
>
> =======================================================================
> Buliwyf McGraw
> Administrador del Servidor Libertad
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================

--
Brian 'you Bastard' Reichert
37 Crystal Ave. #303              Daytime number: (603) 434-6842
Derry NH 03038-1713 USA           Intel architecture: the left-hand path

From owner-freebsd-security Tue Jan 22 20:03:52 2002
From: "Robert Herrold"
To: "Buliwyf McGraw",
Subject: Re: Creating users from the web
Date: Tue, 22 Jan 2002 22:04:48 -0600

Commercially, you can take a look at billmax (1st 100 users free). An oldie
I used to use was called URIBS from n2h2.

----- Original Message -----
From: "Buliwyf McGraw"
Sent: Tuesday, January 22, 2002 8:39 PM
Subject: Creating users from the web

>
> Hello, I want to build a system to create users from a web interface.
> I tried to use the su_exec function of Apache but it doesn't support
> running programs "as root" or executing setuid programs.
> I really need the system to work via the web... I know that it could
> be insecure, but anyway, I have to do it.
> Any suggestions?
> Thanks for any help.
>
> =======================================================================
> Buliwyf McGraw
> Administrador del Servidor Libertad
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================
From owner-freebsd-security Tue Jan 22 20:28:46 2002
From: Stephen Bechard
To: Buliwyf McGraw
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: Creating users from the web
Date: Tue, 22 Jan 2002 23:29:29 -0500

Take a look at WebMin in the ports collection.

Steve

Buliwyf McGraw wrote:
>
> Hello, I want to build a system to create users from a web interface.
> I tried to use the su_exec function of Apache but it doesn't support
> running programs "as root" or executing setuid programs.
> I really need the system to work via the web... I know that it could
> be insecure, but anyway, I have to do it.
> Any suggestions?
> Thanks for any help.
>
> =======================================================================
> Buliwyf McGraw
> Administrador del Servidor Libertad
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================
From owner-freebsd-security Tue Jan 22 21:50:21 2002
From: Landon Stewart
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Creating users from the web
Date: Tue, 22 Jan 2002 21:49:00 -0800

WebMin is a little more than you need for this particular task, but you
could code something to have commands inserted into a database, including
ENCRYPTED passwords, then write a perl script to query the database and run
whatever commands and parameters were in the database. After it's all done,
it would mark it completed and around we go.

This way it's scalable (if you expand to more than one server), RELATIVELY
secure (you could encrypt the SQL connections if you want to go over a
network), and best of all you wouldn't have to run anything as root except
your perl script that processes and does the user additions.

I wrote an EXTENSIVE "tools" package for an ISP I worked for that allowed
staff to add/remove email/usernames/virtusertable entries as well as do
searches etc...

OR

Go with sudo :-)

Buliwyf McGraw wrote:
> Hello, I want to build a system to create users from a web interface.
> I tried to use the su_exec function of Apache but it doesn't support
> running programs "as root" or executing setuid programs.
> I really need the system to work via the web... I know that it could
> be insecure, but anyway, I have to do it.
> Any suggestions?
> Thanks for any help.
>
> =======================================================================
> Buliwyf McGraw
> Administrador del Servidor Libertad
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================

--
Landon Stewart
System Administrator
Vancouver Pacific Pender
Uniserve Online
From owner-freebsd-security Tue Jan 22 23:53:11 2002
From: sj@datanet.hu
To: Robert Herrold
Cc: Buliwyf McGraw,
Subject: Re: Creating users from the web
Date: Wed, 23 Jan 2002 08:52:58 +0100 (CET)

You may try another approach:
Build a simple CGI script that will put data about the new user into a file
or database. Then make an entry in root's crontab for a script to regularly
process the file or database mentioned above. This way you don't need
setu(g)id programs. Of course, you need strong authentication, a carefully
designed CGI script and a bullet-proof command invoked from cron.

SJ.

On Tue, 22 Jan 2002, Robert Herrold wrote:

> Commercially, you can take a look at billmax (1st 100 users free). An oldie
> I used to use was called URIBS from n2h2
>
>
> ----- Original Message -----
> From: "Buliwyf McGraw"
> To:
> Sent: Tuesday, January 22, 2002 8:39 PM
> Subject: Creating users from the web
>
>
> >
> > Hello, I want to build a system to create users from a web interface.
> > I tried to use the su_exec function of Apache but it doesn't support
> > running programs "as root" or executing setuid programs.
> > I really need the system to work via the web... I know that it could
> > be insecure, but anyway, I have to do it.
> > Any suggestions?
> > Thanks for any help.
> >
> > =======================================================================
> > Buliwyf McGraw
> > Administrador del Servidor Libertad
> > Centro de Servicios de Informacion
> > Universidad del Valle
> > =======================================================================
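The queue-and-cron design SJ describes, as an added example that is not the poster's code: the root-side processor run from crontab, which validates every queued request before building a pw(8) useradd command, never passes web-supplied data through a shell, and feeds the already-hashed password (Landon's "ENCRYPTED passwords") on a file descriptor. The spool format, the field rules and the use of pw's -H option are assumptions of this example, not something the thread specifies.

```python
"""Root-side processor for the queue-and-cron design from the thread.

Added example, not the poster's code. The CGI (not shown) only appends one
tab-separated request per line to a spool file; this script runs from root's
crontab, validates every field before anything touches the system, and builds
a pw(8) useradd argv list. Nothing from the web side is ever handed to a
shell, and the password arrives already hashed in crypt(3) format and is fed
to pw on stdin with its -H option. Spool format, field rules and the use of
-H are assumptions of this example.
"""
import re
import subprocess

PW = "/usr/sbin/pw"

# Rules applied to each queued field; the username rule is deliberately
# stricter than what the system itself would accept.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,15}$")
# crypt(3) modular format such as $6$salt$hash or $2b$12$...; no whitespace.
HASH_RE = re.compile(r"^\$[0-9a-z]+\$[./A-Za-z0-9$]+$")
GECOS_RE = re.compile(r"^[ -9;-~]{1,64}$")  # printable ASCII without ':'
# Accounts the web interface must never be able to request.
RESERVED = {"root", "toor", "daemon", "operator", "bin", "www", "nobody"}

# Constructed sample spool as the CGI would have written it.
SAMPLE_QUEUE = [
    "alice\tAlice Example\t$6$NaCl$dummyhashvalue0123456789./",
    "bob;id\tBob\t$6$NaCl$dummyhashvalue0123456789./",          # shell metachars
    "root\tRoot Reset\t$6$NaCl$dummyhashvalue0123456789./",     # reserved account
    "carol\tCarol:x:0:0\t$6$NaCl$dummyhashvalue0123456789./",   # ':' in gecos
    "dave\tDave\thunter2",                                      # cleartext, not a hash
]


class BadRequest(ValueError):
    """Raised for a queued line that must not be processed."""


def validate_request(line):
    """Parse 'username<TAB>gecos<TAB>hash' into a dict, or raise BadRequest."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        raise BadRequest("expected 3 tab-separated fields, got %d" % len(parts))
    name, gecos, pwhash = parts
    if not USERNAME_RE.match(name):
        raise BadRequest("bad username %r" % name)
    if name in RESERVED:
        raise BadRequest("reserved username %r" % name)
    if not GECOS_RE.match(gecos):
        raise BadRequest("bad gecos field %r" % gecos)
    if not HASH_RE.match(pwhash):
        raise BadRequest("password is not a crypt(3) hash")
    return {"name": name, "gecos": gecos, "hash": pwhash}


def build_pw_command(req):
    """argv for pw useradd: -m creates the home dir, -H 0 reads the hash from fd 0."""
    return [PW, "useradd", "-n", req["name"], "-c", req["gecos"],
            "-m", "-H", "0"]


def process_queue(lines):
    """Validate every queued line; return (argv lists to run, rejected lines)."""
    commands, rejected = [], []
    for line in lines:
        try:
            commands.append(build_pw_command(validate_request(line)))
        except BadRequest as exc:
            rejected.append((line, str(exc)))
    return commands, rejected


def run_request(req):
    """Create the account; pw reads the pre-hashed password from its stdin."""
    return subprocess.run(build_pw_command(req), input=req["hash"] + "\n",
                          text=True, check=True)


if __name__ == "__main__":
    cmds, bad = process_queue(SAMPLE_QUEUE)
    for argv in cmds:
        print("would run:", argv)
    for line, why in bad:
        print("rejected:", repr(line.split("\t")[0]), "-", why)
```

Rejected lines stay in the spool's reject list for an administrator to look at; the cron job only ever executes the argv lists that survived validation.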
From owner-freebsd-security Wed Jan 23 9:07:50 2002
From: "f.johan.beisser"
To: Landon Stewart
Cc: Buliwyf McGraw,
Subject: Re: Creating users from the web
Date: Wed, 23 Jan 2002 09:07:24 -0800 (PST)

On Tue, 22 Jan 2002, Landon Stewart wrote:

> WebMin is a little more than you need for this particular task, but you
> could code something to have commands inserted into a database,
> including ENCRYPTED passwords, then write a perl script to query the
> database and run whatever commands and parameters were in the database.
> After it's all done, it would mark it completed and around we go.

why not use pam_ldap or pam_mysql? both are in $PORTSDIR/security. combine
that with a php interface (there are php/DBI crossovers..) and an ssl'd http
link, and you've suddenly simplified the procedure.

> This way it's scalable (if you expand to more than one server).
> RELATIVELY secure (you could encrypt the SQL connections if you want to
> go over a network), and best of all you wouldn't have to run anything as
> root except your perl script that processes and does the user additions.

pam is probably more scalable, and even allows for easily removed accounts,
plus it'll have even more scalable account management.

> I wrote an EXTENSIVE "tools" package for an ISP I worked for that
> allowed staff to add/remove email/usernames/virtusertable entries as
> well as do searches etc...

nice. are these tools available?

this may actually be a thread for freebsd-isp@freebsd.org.

-- jan

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                         jan@caustic.org
  "John Ashcroft is really just the reanimated corpse of
   J. Edgar Hoover."                              -- Tim Triche
From owner-freebsd-security Wed Jan 23 11:08:33 2002
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: relaying mail from DHCP clients
Date: Wed, 23 Jan 2002 20:04:32 +0100
Organization: System Defenestrators Inc.

On Wed, Jan 23, 2002 at 10:09 +0700, Asep Ruspeni wrote:
>
> so, what should I do next?

PLEASE stop posting off-topic messages to the -security list; take this
elsewhere! You've been told so a few times already.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
From owner-freebsd-security Wed Jan 23 17:17:10 2002
From: "Robert Herrold"
Subject: whois records hacked?
Date: Wed, 23 Jan 2002 19:18:06 -0600

Did a whois on microsoft.com and not sure if it's something corrupted in my
whois, or if Microsoft.com's whois record had been compromised. Any
thoughts?

Robert Herrold
Senior Network Engineer
Metropark Communications INC
10405 Baur Blvd
Suite A
St Louis MO 63132
From owner-freebsd-security Wed Jan 23 17:31:31 2002
From: Mike Tancsa
To: "Robert Herrold"
Subject: Re: whois records hacked?
Date: Wed, 23 Jan 2002 20:31:46 -0500

You are probably seeing all the joke NS host names registered.... Whois
graffiti I guess... Try

whois -h whois.networksolutions.com "dom microsoft.com"

instead to narrow down your query. Things like
MICROSOFT.COM.HACKED.BY.HACKSWARE.COM is a registered host for HACKSWARE.COM.

For this sort of stuff, try the various general security lists (see
www.securityfocus.com )

---Mike

At 07:18 PM 1/23/2002 -0600, Robert Herrold wrote:
>Did a whois on microsoft.com and not sure if it's something corrupted in my
>whois, or if Microsoft.com's whois record had been compromised. Any
>thoughts?
>
>Robert Herrold
>Senior Network Engineer
>Metropark Communications INC
>10405 Baur Blvd
>Suite A
>St Louis MO 63132

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
From owner-freebsd-security Wed Jan 23 17:35:19 2002
From: Nathan Mace
To: "Robert Herrold",
Subject: Re: whois records hacked?
Date: Wed, 23 Jan 2002 20:34:30 -0500

Looks normal to me. What exactly made you think it wasn't normal?

nathan

On Wednesday 23 January 2002 08:18 pm, Robert Herrold wrote:
> Did a whois on microsoft.com and not sure if it's something corrupted in my
> whois, or if Microsoft.com's whois record had been compromised. Any
> thoughts?
From owner-freebsd-security Wed Jan 23 17:40:27 2002
From: "Robert Herrold"
To: "Nathan Mace",
Subject: Re: whois records hacked?
Date: Wed, 23 Jan 2002 19:41:37 -0600

Thanks to those who have straightened me out :) Guess I've never done a whois
on Microsoft.com before. Results were

$ whois microsoft.com
Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

MICROSOFT.COM.Z---HELLO-FROM-SIBERIA---I.Z3S.COM
MICROSOFT.COM.WILL.LIVE.FOREVER.BUT.LUNIX.SUCKS-BYBIRTH.ARTISTICCHEESE.COM
MICROSOFT.COM.WILL.ALWAYS.FEARPENGUINS.COM
MICROSOFT.COM.WHOIS.RESULTS.MAKE.A.GREAT.HUMOUR-LIST.COM
MICROSOFT.COM.WAS.HACKED.TODAY.BY.JAMESSMALL.COM
MICROSOFT.COM.TONY.HAS.SEXUAL.IN.ADEQUACY
,etc

----- Original Message -----
From: "Nathan Mace"
To: "Robert Herrold";
Sent: Wednesday, January 23, 2002 7:34 PM
Subject: Re: whois records hacked?

> Looks normal to me. What exactly made you think it wasn't normal?
>
> nathan
>
>
> On Wednesday 23 January 2002 08:18 pm, Robert Herrold wrote:
> > Did a whois on microsoft.com and not sure if it's something corrupted in my
> > whois, or if Microsoft.com's whois record had been compromised. Any
> > thoughts?

From owner-freebsd-security Wed Jan 23 23:10:35 2002
From: "Jason Burgess"
To: "'Robert Herrold'", "'Buliwyf McGraw'",
Subject: RE: Creating users from the web
Date: Thu, 24 Jan 2002 01:08:53 -0600

You could also try writing a perl or other cgi wrapper that would allow you
to run the programs as root.

jason burgess

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Robert Herrold
Sent: Tuesday, January 22, 2002 10:05 PM
To: Buliwyf McGraw; freebsd-security@FreeBSD.ORG
Subject: Re: Creating users from the web

Commercially, you can take a look at billmax (1st 100 users free). An oldie
I used to use was called URIBS from n2h2.

----- Original Message -----
From: "Buliwyf McGraw"
To:
Sent: Tuesday, January 22, 2002 8:39 PM
Subject: Creating users from the web

>
> Hello, I want to build a system to create users from a web interface.
> I tried to use the su_exec function of apache but it doesn't support
> running programs "as root" or executing setuid programs.
> I really need the system to work via the web... I know that it could
> be insecure, but anyway, I have to do it.
> Any suggestions?
> Thanks for any help.
>
> =======================================================================
> Buliwyf McGraw
> Administrator of the Libertad Server
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================
>
>

From owner-freebsd-security Thu Jan 24 1:47:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from encephalon.de (p3E9E18B3.dip0.t-ipconnect.de [62.158.24.179]) by hub.freebsd.org (Postfix) with ESMTP id A71FF37B400 for ; Thu, 24 Jan 2002 01:47:12 -0800 (PST)
Received: (from bsd@localhost) by encephalon.de (8.11.6/8.11.6) id g0O9i9r01385; Thu, 24 Jan 2002 10:44:09 +0100 (CET) (envelope-from bsd)
Date: Thu, 24 Jan 2002 10:44:09 +0100
From: Roger Kaputtnik
To: Robert Herrold
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: whois records hacked?
Message-ID: <20020124104409.A1362@encephalon.de>
References: <052501c1a475$1105b480$6c01a8c0@mpcsecurity.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <052501c1a475$1105b480$6c01a8c0@mpcsecurity.com>; from bobber@intense.net on Wed, Jan 23, 2002 at 07:18:06PM -0600
X-Operating-System: FreeBSD encephalon.de 4.5-RC FreeBSD 4.5-RC
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi.

> Did a whois on microsoft.com and not sure if it's something corrupted in my
> whois, or if Microsoft.com's whois record had been compromised. Any
> thoughts?

Looks like. Hmm, looks nice ;-)

Axel
--
encephalon.de

From owner-freebsd-security Thu Jan 24 7:51:34 2002
Delivered-To: freebsd-security@freebsd.org
Received: from vmmr1.verisignmail.com (vmmr1.verisignmail.com [216.168.230.137]) by hub.freebsd.org (Postfix) with ESMTP id 0640537B402 for ; Thu, 24 Jan 2002 07:51:28 -0800 (PST)
Received: from vmms1.verisignmail.com (vmms1.verisignmail.com [10.166.0.138]) by vmmr1.verisignmail.com (Mirapoint) with ESMTP id ABO48126; Thu, 24 Jan 2002 10:51:27 -0500 (EST)
Received: from there ([212.16.11.122]) by vmms1.verisignmail.com (Mirapoint) with SMTP id AHW96968; Thu, 24 Jan 2002 10:51:26 -0500 (EST)
Message-Id: <200201241551.AHW96968@vmms1.verisignmail.com>
Content-Type: text/plain; charset="koi8-r"
From: dr3node
To: freebsd-security@freebsd.org
Subject: Can't set up an IPsec tunnel.
Date: Thu, 24 Jan 2002 18:47:26 +0300
X-Mailer: KMail [version 1.3.2]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

The situation is:

[office network 192.168.0.0/24]
   |
   \/
[gate: FreeBSD 4.5-RC]
[fxp1 192.168.0.1]
[natd]
[fxp0 192.168.4.11]
[default gateway 192.168.4.1]
   |
   \/
[gate: 192.168.4.1 (not mine)]
[RedHat 6.1]
[masquerade everything (tcp, udp) going from my fbsd gate as from 111.111.11.1]
[masquerade everything (tcp, udp) coming from the internet to 111.111.11.1 to my fbsd gate, so I almost have a real IP on my gate]
   |
   \/
(internet)
   |
   \/
[host on colocation: FreeBSD 4.5-RC]
[ip: 222.222.22.2]

I need to set up the tunnel between my 2 FreeBSD hosts so everything in and
out of the office network will go through the host on colocation.

(office)->(fbsd gate)->(tunnel)->(fbsd host)->(internet)

And I just can't do that. And nobody knows how to do that. Please help me
somebody or my boss will rape and kill me (or kill and rape me).

Thank you.

From owner-freebsd-security Thu Jan 24 9:24:25 2002
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id D201637B416; Thu, 24 Jan 2002 09:22:48 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id 18A35532C; Thu, 24 Jan 2002 18:22:46 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: security@freebsd.org
Cc: markm@freebsd.org
Subject: login(1) PAMification
From: Dag-Erling Smorgrav Date: 24 Jan 2002 18:22:45 +0100 Message-ID: Lines: 8 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --=-=-= See the attached patch. DES -- Dag-Erling Smorgrav - des@ofug.org --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=login.diff ? etc/pam.d/passwd ? lib/libpam/modules/check.sh ? usr.bin/login/login.c.no_pam ? usr.bin/login/login.c.pamref ? usr.bin/login/login.c.ref Index: etc/pam.d/login =================================================================== RCS file: /home/ncvs/src/etc/pam.d/login,v retrieving revision 1.6 diff -u -r1.6 login --- etc/pam.d/login 21 Jan 2002 18:51:24 -0000 1.6 +++ etc/pam.d/login 24 Jan 2002 17:19:32 -0000 @@ -6,6 +6,7 @@ # auth auth required pam_nologin.so no_warn +auth sufficient pam_self.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn #auth sufficient pam_kerberosIV.so no_warn try_first_pass @@ -16,12 +17,14 @@ # account #account required pam_kerberosIV.so #account required pam_krb5.so +account required pam_login_access.so account required pam_unix.so # session #session required pam_kerberosIV.so #session required pam_krb5.so #session required pam_ssh.so +session required pam_lastlog.so session required pam_unix.so # password Index: etc/pam.d/sshd =================================================================== RCS file: /home/ncvs/src/etc/pam.d/sshd,v retrieving revision 1.2 diff -u -r1.2 sshd --- etc/pam.d/sshd 5 Dec 2001 21:26:00 -0000 1.2 +++ etc/pam.d/sshd 24 Jan 2002 17:19:32 -0000 
@@ -9,9 +9,11 @@ auth required pam_unix.so no_warn try_first_pass # account +account required pam_login_access.so account required pam_unix.so # session +session required pam_lastlog.so session required pam_permit.so # password Index: etc/pam.d/su =================================================================== RCS file: /home/ncvs/src/etc/pam.d/su,v retrieving revision 1.6 diff -u -r1.6 su --- etc/pam.d/su 21 Jan 2002 18:51:24 -0000 1.6 +++ etc/pam.d/su 24 Jan 2002 17:19:32 -0000 @@ -6,6 +6,7 @@ # auth auth sufficient pam_rootok.so no_warn +auth sufficient pam_self.so no_warn auth requisite pam_wheel.so no_warn auth_as_self noroot_ok #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self Index: lib/libpam/libpam/Makefile =================================================================== RCS file: /home/ncvs/src/lib/libpam/libpam/Makefile,v retrieving revision 1.25 diff -u -r1.25 Makefile --- lib/libpam/libpam/Makefile 23 Jan 2002 15:54:08 -0000 1.25 +++ lib/libpam/libpam/Makefile 24 Jan 2002 17:19:32 -0000 @@ -78,6 +78,8 @@ .if defined(MAKE_KERBEROS5) && !defined(NOCRYPT) && !defined(NO_OPENSSL) STATIC_MODULES+= ${MODOBJDIR}/pam_krb5/libpam_krb5.a .endif +STATIC_MODULES+= ${MODOBJDIR}/pam_lastlog/libpam_lastlog.a +STATIC_MODULES+= ${MODOBJDIR}/pam_login_access/libpam_login_access.a STATIC_MODULES+= ${MODOBJDIR}/pam_nologin/libpam_nologin.a STATIC_MODULES+= ${MODOBJDIR}/pam_opie/libpam_opie.a STATIC_MODULES+= ${MODOBJDIR}/pam_opieaccess/libpam_opieaccess.a Index: lib/libpam/modules/Makefile =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/Makefile,v retrieving revision 1.16 diff -u -r1.16 Makefile --- lib/libpam/modules/Makefile 21 Jan 2002 13:43:52 -0000 1.16 +++ lib/libpam/modules/Makefile 24 Jan 2002 17:19:32 -0000 
@@ -32,6 +32,8 @@ .if defined(MAKE_KERBEROS5) && !defined(NOCRYPT) && !defined(NO_OPENSSL) SUBDIR+= pam_krb5 .endif +SUBDIR+= pam_lastlog +SUBDIR+= pam_login_access SUBDIR+= pam_nologin SUBDIR+= pam_opie SUBDIR+= pam_opieaccess Index: lib/libpam/modules/pam_unix/pam_unix.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_unix/pam_unix.c,v retrieving revision 1.16 diff -u -r1.16 pam_unix.c --- lib/libpam/modules/pam_unix/pam_unix.c 19 Jan 2002 18:29:49 -0000 1.16 +++ lib/libpam/modules/pam_unix/pam_unix.c 24 Jan 2002 17:19:32 -0000 @@ -1,6 +1,13 @@ /*- * Copyright 1998 Juniper Networks, Inc. * All rights reserved. + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software was developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
@@ -27,15 +37,21 @@ #include __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.16 2002/01/19 18:29:49 des Exp $"); -#include +#include +#include #include +#include +#include + #ifdef YP #include #include #include #include #endif + #include +#include #include #include #include @@ -68,7 +84,12 @@ #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ #define MAX_TRIES 3 -enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX, PAM_OPT_NULLOK, PAM_OPT_LOCAL_PASS, PAM_OPT_NIS_PASS }; +enum { + PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX, + PAM_OPT_NULLOK, + PAM_OPT_LOCAL_PASS, + PAM_OPT_NIS_PASS +}; static struct opttab other_options[] = { { "auth_as_self", PAM_OPT_AUTH_AS_SELF }, @@ -198,13 +219,15 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) { + struct addrinfo hints, *res; struct options options; - struct passwd *pw; + struct passwd *pwd; struct timeval tp; login_cap_t *lc; time_t warntime; int retval; - const char *user; + const char *rhost, *tty, *user; + char rhostip[MAXHOSTNAMELEN]; char buf[128]; pam_std_option(&options, other_options, argc, argv); 
@@ -212,53 +235,100 @@ PAM_LOG("Options processed"); retval = pam_get_item(pamh, PAM_USER, (const void **)&user); - if (retval != PAM_SUCCESS || user == NULL) - /* some implementations return PAM_SUCCESS here */ - PAM_RETURN(PAM_USER_UNKNOWN); - - pw = getpwnam(user); - if (pw == NULL) - PAM_RETURN(PAM_USER_UNKNOWN); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); + + if (user == NULL || (pwd = getpwnam(user)) == NULL) + PAM_RETURN(PAM_SERVICE_ERR); PAM_LOG("Got user: %s", user); - retval = PAM_SUCCESS; - lc = login_getpwclass(pw); + retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); - if (pw->pw_change || pw->pw_expire) - gettimeofday(&tp, NULL); + retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); - warntime = login_getcaptime(lc, "warnpassword", DEFAULT_WARN, - DEFAULT_WARN); + if (*pwd->pw_passwd == '\0' && + (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) + return (PAM_NEW_AUTHTOK_REQD); + + lc = login_getpwclass(pwd); + if (lc == NULL) { + PAM_LOG("Unable to get login class for user %s", user); + return (PAM_SERVICE_ERR); + } PAM_LOG("Got login_cap"); - if (pw->pw_change) { - if (tp.tv_sec >= pw->pw_change) - /* some implementations return PAM_AUTHTOK_EXPIRED */ + if (pwd->pw_change || pwd->pw_expire) + gettimeofday(&tp, NULL); + + /* + * Check pw_expire before pw_change - no point in letting the + * user change the password on an expired account. 
+ */ + + if (pwd->pw_expire) { + warntime = login_getcaptime(lc, "warnexpire", + DEFAULT_WARN, DEFAULT_WARN); + if (tp.tv_sec >= pwd->pw_expire) { + login_close(lc); + PAM_RETURN(PAM_ACCT_EXPIRED); + } else if (pwd->pw_expire - tp.tv_sec < warntime && + (flags & PAM_SILENT) == 0) { + snprintf(buf, sizeof(buf), + "Warning: your account expires on %s", + ctime(&pwd->pw_expire)); + pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL); + } + } + + retval = PAM_SUCCESS; + if (pwd->pw_change) { + warntime = login_getcaptime(lc, "warnpassword", + DEFAULT_WARN, DEFAULT_WARN); + if (tp.tv_sec >= pwd->pw_change) { retval = PAM_NEW_AUTHTOK_REQD; - else if (pw->pw_change - tp.tv_sec < warntime) { + } else if (pwd->pw_change - tp.tv_sec < warntime && + (flags & PAM_SILENT) == 0) { snprintf(buf, sizeof(buf), "Warning: your password expires on %s", - ctime(&pw->pw_change)); + ctime(&pwd->pw_change)); pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL); } } - warntime = login_getcaptime(lc, "warnexpire", DEFAULT_WARN, - DEFAULT_WARN); + /* + * From here on, we must leave retval untouched (unless we + * know we're going to fail), because we need to remember + * whether we're supposed to return PAM_SUCCESS or + * PAM_NEW_AUTHTOK_REQD. 
+ */ - if (pw->pw_expire) { - if (tp.tv_sec >= pw->pw_expire) - retval = PAM_ACCT_EXPIRED; - else if (pw->pw_expire - tp.tv_sec < warntime) { - snprintf(buf, sizeof(buf), - "Warning: your account expires on %s", - ctime(&pw->pw_expire)); - pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL); + if (rhost) { + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_UNSPEC; + if (getaddrinfo(rhost, NULL, &hints, &res) == 0) { + getnameinfo(res->ai_addr, res->ai_addrlen, + rhostip, sizeof(rhostip), NULL, 0, + NI_NUMERICHOST|NI_WITHSCOPEID); } + if (res != NULL) + freeaddrinfo(res); } + /* + * Check host / tty / time-of-day restrictions + */ + + if (!auth_hostok(lc, rhost, rhostip) || + !auth_ttyok(lc, tty) || + !auth_timeok(lc, time(NULL))) + retval = PAM_AUTH_ERR; + login_close(lc); PAM_RETURN(retval); Index: usr.bin/login/Makefile =================================================================== RCS file: /home/ncvs/src/usr.bin/login/Makefile,v retrieving revision 1.39 diff -u -r1.39 Makefile --- usr.bin/login/Makefile 1 Dec 2001 19:48:59 -0000 1.39 +++ usr.bin/login/Makefile 24 Jan 2002 17:19:32 -0000 @@ -2,11 +2,11 @@ # $FreeBSD: src/usr.bin/login/Makefile,v 1.39 2001/12/01 19:48:59 bde Exp $ PROG= login -SRCS= login.c login_access.c login_fbtab.c +SRCS= login.c login_fbtab.c MAN= login.1 login.access.5 -CFLAGS+=-DLOGIN_ACCESS -DLOGALL -WARNS?= 2 +CFLAGS+=-DLOGALL +WARNS?= 4 NO_WERROR= DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBPAM} Index: usr.bin/login/login.c =================================================================== RCS file: /home/ncvs/src/usr.bin/login/login.c,v retrieving revision 1.78 diff -u -r1.78 login.c --- usr.bin/login/login.c 21 Jan 2002 16:19:38 -0000 1.78 +++ usr.bin/login/login.c 24 Jan 2002 17:19:32 -0000 @@ -79,12 +79,9 @@ #include #include #include -#include -#ifndef NO_PAM #include #include -#endif #include "login.h" #include "pathnames.h" 
@@ -94,97 +91,105 @@ #define NI_WITHSCOPEID 0 #endif -static int auth_traditional __P((void)); -static void badlogin __P((char *)); -static void dolastlog __P((int)); -static void getloginname __P((void)); -static void motd __P((const char *)); -static void refused __P((const char *,const char *,int)); -static int rootterm __P((char *)); -static void sigint __P((int)); -static void sleepexit __P((int)); -static const char *stypeof __P((char *)); -static void timedout __P((int)); -static void usage __P((void)); - -#ifndef NO_PAM -static int auth_pam __P((void)); -static int export_pam_environment __P((void)); -static int ok_to_export __P((const char *)); - -static pam_handle_t *pamh = NULL; -static char **environ_pam; - -#define PAM_END { \ - if ((e = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) \ - syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); \ - if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS) \ - syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e)); \ - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) \ - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); \ -} -#endif /* NO_PAM */ +static int auth_pam(void); +static void bail(int, int); +static int export(const char *); +static void export_pam_environment(void); +static int motd(const char *); +static int rootterm(char *); +static void badlogin(char *); +static char *getloginname(void); +static void pam_syslog(const char *); +static void pam_cleanup(void); +static void refused(const char *, const char *, int); +static const char *stypeof(char *); +static void sigint(int); +static void timedout(int); +static void usage(void); #define TTYGRPNAME "tty" /* group to own ttys */ #define DEFAULT_BACKOFF 3 #define DEFAULT_RETRIES 10 #define DEFAULT_PROMPT "login: " #define DEFAULT_PASSWD_PROMPT "Password:" -#define INVALID_HOST "invalid hostname" -#define UNKNOWN "su" +#define TERM_UNKNOWN "su" #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ -#define NBUFSIZ UT_NAMESIZE + 64 
+#define NO_SLEEP_EXIT 0 +#define SLEEP_EXIT 5 /* * This bounds the time given to login. Not a define so it can * be patched on machines where it's too small. */ -u_int timeout = 300; +static u_int timeout = 300; /* Buffer for signal handling of timeout */ -jmp_buf timeout_buf; +static jmp_buf timeout_buf; + +struct passwd *pwd; +static int failures; + +static char *envinit[1]; /* empty environment list */ + +/* + * Command line flags and arguments + */ +static int fflag; /* -f: do not perform authentication */ +static int hflag; /* -h: login from remote host */ +static char *hostname; /* hostname from command line */ +static int pflag; /* -p: preserve environment */ + +/* + * User name + */ +static char *username; /* user name */ +static char *olduser; /* previous user name */ + +/* + * Prompts + */ +static char default_prompt[] = DEFAULT_PROMPT; +static char *prompt; +static char default_passwd_prompt[] = DEFAULT_PASSWD_PROMPT; +static char *passwd_prompt; + +static char *tty; -struct passwd *pwd; -int failures; -char *term, *envinit[1], *hostname, *passwd_prompt, *prompt, *tty, *username; -char full_hostname[MAXHOSTNAMELEN]; +/* + * PAM data + */ +static pam_handle_t *pamh = NULL; +static struct pam_conv pamc = { misc_conv, NULL }; +static int pam_err; +static int pam_silent = PAM_SILENT; +static int pam_cred_established; +static int pam_session_established; int -main(argc, argv) - int argc; - char *argv[]; +main(int argc, char *argv[]) { struct group *gr; struct stat st; - struct timeval tp; - struct utmp utmp; int rootok, retries, backoff; - int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval; - time_t warntime; + int ask, ch, cnt, quietlog, rootlogin, rval; uid_t uid, euid; gid_t egid; + char *term; char *p, *ttyn; - char tbuf[MAXPATHLEN + 2]; char tname[sizeof(_PATH_TTY) + 10]; - char *shell = NULL; - static char default_prompt[] = DEFAULT_PROMPT; - static char default_passwd_prompt[] = DEFAULT_PASSWD_PROMPT; - static char invalid_host[] = 
INVALID_HOST; + char *arg0, *shell = NULL; login_cap_t *lc = NULL; -#ifndef NO_PAM pid_t pid; - int e; -#endif /* NO_PAM */ (void)signal(SIGQUIT, SIG_IGN); (void)signal(SIGINT, SIG_IGN); (void)signal(SIGHUP, SIG_IGN); if (setjmp(timeout_buf)) { if (failures) - badlogin(tbuf); + badlogin(username); (void)fprintf(stderr, "Login timed out after %d seconds\n", timeout); - exit(0); + bail(NO_SLEEP_EXIT, 0); } (void)signal(SIGALRM, timedout); (void)alarm(timeout); @@ -192,63 +197,22 @@ openlog("login", LOG_ODELAY, LOG_AUTH); - /* - * -p is used by getty to tell login not to destroy the environment - * -f is used to skip a second login authentication - * -h is used by other servers to pass the name of the remote - * host to login so that it may be placed in utmp and wtmp - */ - *full_hostname = '\0'; - term = NULL; - - fflag = hflag = pflag = 0; uid = getuid(); euid = geteuid(); egid = getegid(); + while ((ch = getopt(argc, argv, "fh:p")) != -1) switch (ch) { case 'f': fflag = 1; break; case 'h': - if (uid) + if (uid != 0) errx(1, "-h option: %s", strerror(EPERM)); - hflag = 1; - if (strlcpy(full_hostname, optarg, - sizeof(full_hostname)) >= sizeof(full_hostname)) + if (strlen(optarg) >= MAXHOSTNAMELEN) errx(1, "-h option: %s: exceeds maximum " "hostname size", optarg); - - trimdomain(optarg, UT_HOSTSIZE); - - if (strlen(optarg) > UT_HOSTSIZE) { - struct addrinfo hints, *res; - int ga_err; - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_UNSPEC; - ga_err = getaddrinfo(optarg, NULL, &hints, - &res); - if (ga_err == 0) { - char hostbuf[MAXHOSTNAMELEN]; - - getnameinfo(res->ai_addr, - res->ai_addrlen, - hostbuf, - sizeof(hostbuf), NULL, 0, - NI_NUMERICHOST| - NI_WITHSCOPEID); - optarg = strdup(hostbuf); - if (optarg == NULL) { - syslog(LOG_NOTICE, - "strdup(): %m"); - sleepexit(1); - } - } else - optarg = invalid_host; - if (res != NULL) - freeaddrinfo(res); - } + hflag = 1; hostname = optarg; break; case 'p': 
@@ -256,22 +220,28 @@ break; case '?': default: - if (!uid) + if (uid == 0) syslog(LOG_ERR, "invalid flag %c", ch); usage(); } argc -= optind; argv += optind; - if (*argv) { - username = *argv; + if (argc > 0) { + username = strdup(*argv); + if (username == NULL) + err(1, "strdup()"); ask = 0; - } else + } else { ask = 1; + } for (cnt = getdtablesize(); cnt > 2; cnt--) (void)close(cnt); + /* + * Get current TTY + */ ttyn = ttyname(STDIN_FILENO); if (ttyn == NULL || *ttyn == '\0') { (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY); 
@@ -286,110 +256,107 @@ * Get "login-retries" & "login-backoff" from default class */ lc = login_getclass(NULL); - prompt = login_getcapstr(lc, "prompt", default_prompt, default_prompt); + prompt = login_getcapstr(lc, "prompt", + default_prompt, default_prompt); passwd_prompt = login_getcapstr(lc, "passwd_prompt", default_passwd_prompt, default_passwd_prompt); - retries = login_getcapnum(lc, "login-retries", DEFAULT_RETRIES, - DEFAULT_RETRIES); - backoff = login_getcapnum(lc, "login-backoff", DEFAULT_BACKOFF, - DEFAULT_BACKOFF); + retries = login_getcapnum(lc, "login-retries", + DEFAULT_RETRIES, DEFAULT_RETRIES); + backoff = login_getcapnum(lc, "login-backoff", + DEFAULT_BACKOFF, DEFAULT_BACKOFF); login_close(lc); lc = NULL; + /* + * Try to authenticate the user until we succeed or time out. + */ for (cnt = 0;; ask = 1) { if (ask) { fflag = 0; - getloginname(); + if (olduser != NULL) + free(olduser); + olduser = username; + username = getloginname(); } rootlogin = 0; rootok = rootterm(tty); /* Default (auth may change) */ - if (strlen(username) > UT_NAMESIZE) - username[UT_NAMESIZE] = '\0'; - /* * Note if trying multiple user names; log failures for * previous user name, but don't bother logging one failure * for nonexistent name (mistyped username). */ - if (failures && strcmp(tbuf, username)) { + if (failures && strcmp(olduser, username) != 0) { if (failures > (pwd ? 
0 : 1)) - badlogin(tbuf); + badlogin(olduser); } - (void)strlcpy(tbuf, username, sizeof(tbuf)); + olduser = username; + /* + * Load the PAM policy and set some variables + */ + pam_err = pam_start("login", username, &pamc, &pamh); + if (pam_err != PAM_SUCCESS) { + pam_syslog("pam_start()"); + bail(NO_SLEEP_EXIT, 1); + } + pam_err = pam_set_item(pamh, PAM_TTY, tty); + if (pam_err != PAM_SUCCESS) { + pam_syslog("pam_set_item(PAM_TTY)"); + bail(NO_SLEEP_EXIT, 1); + } + pam_err = pam_set_item(pamh, PAM_RHOST, hostname); + if (pam_err != PAM_SUCCESS) { + pam_syslog("pam_set_item(PAM_RHOST)"); + bail(NO_SLEEP_EXIT, 1); + } + pwd = getpwnam(username); + if (pwd != NULL && pwd->pw_uid == 0) + rootlogin = 1; /* - * if we have a valid account name, and it doesn't have a - * password, or the -f option was specified and the caller - * is root or the caller isn't changing their uid, don't + * If the -f option was specified and the caller is + * root or the caller isn't changing their uid, don't * authenticate. */ - if (pwd != NULL) { - if (pwd->pw_uid == 0) - rootlogin = 1; - - if (fflag && (uid == (uid_t)0 || - uid == (uid_t)pwd->pw_uid)) { - /* already authenticated */ - break; - } else if (pwd->pw_passwd[0] == '\0') { - if (!rootlogin || rootok) { - /* pretend password okay */ - rval = 0; - goto ttycheck; - } - } + if (pwd != NULL && fflag && + (uid == (uid_t)0 || uid == (uid_t)pwd->pw_uid)) { + /* already authenticated */ + rval = 0; + goto ttycheck; } fflag = 0; (void)setpriority(PRIO_PROCESS, 0, -4); -#ifndef NO_PAM - /* - * Try to authenticate using PAM. If a PAM system error - * occurs, perhaps because of a botched configuration, - * then fall back to using traditional Unix authentication. - */ - if ((rval = auth_pam()) == -1) -#endif /* NO_PAM */ - rval = auth_traditional(); + rval = auth_pam(); (void)setpriority(PRIO_PROCESS, 0, 0); - /* - * PAM authentication may have changed "pwd" to the - * entry for the template user. 
Check again to see if - * this is a root login after all. - */ - if (pwd != NULL && pwd->pw_uid == 0) - rootlogin = 1; - ttycheck: - /* - * If trying to log in as root without Kerberos, - * but with insecure terminal, refuse the login attempt. - */ - if (pwd && !rval) { - if (rootlogin && !rootok) + if (pwd && rval == 0) { + /* deny root logins on insecure terminals */ + if (pwd->pw_uid == 0 && !rootok) refused(NULL, "NOROOT", 0); else /* valid password & authenticated */ break; } + pam_cleanup(); + (void)printf("Login incorrect\n"); failures++; /* - * we allow up to 'retry' (10) tries, - * but after 'backoff' (3) we start backing off + * Allow up to 'retry' (10) attempts, but start + * backing off after 'backoff' (3) attempts. */ if (++cnt > backoff) { if (cnt >= retries) { badlogin(username); - sleepexit(1); + bail(SLEEP_EXIT, 1); } sleep((u_int)((cnt - backoff) * 5)); } @@ -407,6 +374,7 @@ lc = login_getpwclass(pwd); quietlog = login_getcapbool(lc, "hushlogin", 0); + /* * Switching needed for NFS with root access disabled. * 
@@ -426,92 +394,28 @@ pwd->pw_dir = strdup("/"); if (pwd->pw_dir == NULL) { syslog(LOG_NOTICE, "strdup(): %m"); - sleepexit(1); + bail(SLEEP_EXIT, 1); } } (void)seteuid(euid); (void)setegid(egid); if (!quietlog) quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0; - - if (pwd->pw_change || pwd->pw_expire) - (void)gettimeofday(&tp, (struct timezone *)NULL); - - warntime = login_getcaptime(lc, "warnexpire", DEFAULT_WARN, - DEFAULT_WARN); - - if (pwd->pw_expire) { - if (tp.tv_sec >= pwd->pw_expire) { - refused("Sorry -- your account has expired", "EXPIRED", - 1); - } else if (pwd->pw_expire - tp.tv_sec < warntime && !quietlog) - (void)printf("Warning: your account expires on %s", - ctime(&pwd->pw_expire)); - } - - if (lc != NULL) { - if (hostname) { - struct addrinfo hints, *res; - int ga_err; - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_UNSPEC; - ga_err = getaddrinfo(full_hostname, NULL, &hints, - &res); - if (ga_err == 0) { - char hostbuf[MAXHOSTNAMELEN]; - - getnameinfo(res->ai_addr, res->ai_addrlen, - hostbuf, sizeof(hostbuf), NULL, 0, - NI_NUMERICHOST|NI_WITHSCOPEID); - if ((optarg = strdup(hostbuf)) == NULL) { - syslog(LOG_NOTICE, "strdup(): %m"); - sleepexit(1); - } - } else - optarg = NULL; - if (res != NULL) - freeaddrinfo(res); - if (!auth_hostok(lc, full_hostname, optarg)) - refused("Permission denied", "HOST", 1); - } - - if (!auth_ttyok(lc, tty)) - refused("Permission denied", "TTY", 1); - - if (!auth_timeok(lc, time(NULL))) - refused("Logins not available right now", "TIME", 1); - } + shell = login_getcapstr(lc, "shell", pwd->pw_shell, pwd->pw_shell); if (*pwd->pw_shell == '\0') pwd->pw_shell = strdup(_PATH_BSHELL); if (pwd->pw_shell == NULL) { syslog(LOG_NOTICE, "strdup(): %m"); - sleepexit(1); + bail(SLEEP_EXIT, 1); } if (*shell == '\0') /* Not overridden */ shell = pwd->pw_shell; if ((shell = strdup(shell)) == NULL) { syslog(LOG_NOTICE, "strdup(): %m"); - sleepexit(1); + bail(SLEEP_EXIT, 1); } -#ifdef LOGIN_ACCESS - if 
(login_access(pwd->pw_name, hostname ? full_hostname : tty) == 0) - refused("Permission denied", "ACCESS", 1); -#endif /* LOGIN_ACCESS */ - - /* Nothing else left to fail -- really log in. */ - memset((void *)&utmp, 0, sizeof(utmp)); - (void)time(&utmp.ut_time); - (void)strncpy(utmp.ut_name, username, sizeof(utmp.ut_name)); - if (hostname) - (void)strncpy(utmp.ut_host, hostname, sizeof(utmp.ut_host)); - (void)strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line)); - login(&utmp); - - dolastlog(quietlog); - /* * Set device protections, depending on what terminal the * user is logged in. This feature is used on Suns to give 
@@ -525,126 +429,116 @@ * Since it isn't clear that flags are useful on character * devices, we just clear them. */ - if (chflags(ttyn, 0) && errno != EOPNOTSUPP) - syslog(LOG_ERR, "chmod(%s): %m", ttyn); - if (chown(ttyn, pwd->pw_uid, + if (ttyn != tname && chflags(ttyn, 0) && errno != EOPNOTSUPP) + syslog(LOG_ERR, "chflags(%s): %m", ttyn); + if (ttyn != tname && chown(ttyn, pwd->pw_uid, (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid)) syslog(LOG_ERR, "chmod(%s): %m", ttyn); - - /* - * Preserve TERM if it happens to be already set. - */ - if ((term = getenv("TERM")) != NULL) { - if ((term = strdup(term)) == NULL) { - syslog(LOG_NOTICE, - "strdup(): %m"); - sleepexit(1); - } - } - /* * Exclude cons/vt/ptys only, assume dialup otherwise * TODO: Make dialup tty determination a library call * for consistency (finger etc.) */ - if (hostname==NULL && isdialuptty(tty)) + if (hflag && isdialuptty(tty)) syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name); #ifdef LOGALL /* - * Syslog each successful login, so we don't have to watch hundreds - * of wtmp or lastlogin files. + * Syslog each successful login, so we don't have to watch + * hundreds of wtmp or lastlogin files. */ - if (hostname) + if (hflag) syslog(LOG_INFO, "login from %s on %s as %s", - full_hostname, tty, pwd->pw_name); + hostname, tty, pwd->pw_name); else syslog(LOG_INFO, "login on %s as %s", tty, pwd->pw_name); #endif /* - * If fflag is on, assume caller/authenticator has logged root login. + * If fflag is on, assume caller/authenticator has logged root + * login. */ - if (rootlogin && fflag == 0) - { - if (hostname) + if (rootlogin && fflag == 0) { + if (hflag) syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s", - username, tty, full_hostname); + username, tty, hostname); else syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty); } /* - * Destroy environment unless user has requested its preservation. 
- * We need to do this before setusercontext() because that may - * set or reset some environment variables. + * Destroy environment unless user has requested its + * preservation - but preserve TERM in all cases */ + term = getenv("TERM"); if (!pflag) environ = envinit; + if (term != NULL) + setenv("TERM", term, 0); /* * PAM modules might add supplementary groups during pam_setcred(). */ if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) { syslog(LOG_ERR, "setusercontext() failed - exiting"); - exit(1); + bail(NO_SLEEP_EXIT, 1); } -#ifndef NO_PAM - if (pamh) { - if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_open_session: %s", - pam_strerror(pamh, e)); - } else if ((e = pam_setcred(pamh, PAM_ESTABLISH_CRED)) - != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_setcred: %s", - pam_strerror(pamh, e)); - } - - /* - * Add any environmental variables that the - * PAM modules may have set. - * Call *after* opening session! - */ - if (pamh) { - environ_pam = pam_getenvlist(pamh); - if (environ_pam) - export_pam_environment(); - } + pam_err = pam_setcred(pamh, pam_silent|PAM_ESTABLISH_CRED); + if (pam_err != PAM_SUCCESS) { + pam_syslog("pam_setcred()"); + bail(NO_SLEEP_EXIT, 1); + } + pam_cred_established = 1; + + pam_err = pam_open_session(pamh, pam_silent); + if (pam_err != PAM_SUCCESS) { + pam_syslog("pam_open_session()"); + bail(NO_SLEEP_EXIT, 1); + } + pam_session_established = 1; + /* + * We must fork() before setuid() because we need to call + * pam_close_session() as root. + */ + pid = fork(); + if (pid < 0) { + err(1, "fork"); + } else if (pid != 0) { /* - * We must fork() before setuid() because we need to call - * pam_close_session() as root. + * Parent: wait for child to finish, then clean up + * session. 
*/ - pid = fork(); - if (pid < 0) { - err(1, "fork"); - PAM_END; - exit(0); - } else if (pid) { - /* parent - wait for child to finish, then cleanup - session */ - wait(NULL); - PAM_END; - exit(0); - } else { - if ((e = pam_end(pamh, PAM_DATA_SILENT)) != PAM_SUCCESS) - syslog(LOG_ERR, "pam_end: %s", - pam_strerror(pamh, e)); - } + wait(NULL); + bail(NO_SLEEP_EXIT, 0); } -#endif /* NO_PAM */ /* - * We don't need to be root anymore, so - * set the user and session context + * NOTICE: We are now in the child process! + */ + + /* + * Add any environment variables the PAM modules may have set. + */ + export_pam_environment(); + + /* + * We're done with PAM now; our parent will deal with the rest. + */ + pam_end(pamh, PAM_DATA_SILENT); + pamh = NULL; + + /* + * We don't need to be root anymore, so set the login name and + * the UID. */ if (setlogin(username) != 0) { syslog(LOG_ERR, "setlogin(%s): %m - exiting", username); - exit(1); + bail(NO_SLEEP_EXIT, 1); } if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETGROUP)) != 0) { 
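Review bot: in the fork() failure branch `err(1, "fork");` exits without going through bail(), so the PAM session and credentials established just above (pam_session_established = 1, pam_cred_established = 1) are never torn down by pam_cleanup(); log the error and call bail(NO_SLEEP_EXIT, 1) as the other failure paths in this hunk do. Two smaller points: the chown() failure is still logged as "chmod(%s): %m" although the chflags() message directly above it was corrected, and the parent's `wait(NULL); bail(NO_SLEEP_EXIT, 0);` always exits 0 whatever the child's status, so a login whose shell fails to exec looks like a clean session to whatever spawned login(1); propagating the wait status would keep that visible.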
@@ -654,45 +548,38 @@ (void)setenv("SHELL", pwd->pw_shell, 1); (void)setenv("HOME", pwd->pw_dir, 1); - if (term != NULL && *term != '\0') - (void)setenv("TERM", term, 1); /* Preset overrides */ - else { - (void)setenv("TERM", stypeof(tty), 0); /* Fallback doesn't */ - } + (void)setenv("TERM", stypeof(tty), 0); (void)setenv("LOGNAME", username, 1); (void)setenv("USER", username, 1); (void)setenv("PATH", rootlogin ? _PATH_STDPATH : _PATH_DEFPATH, 0); if (!quietlog) { - const char *cw; + char *cw; cw = login_getcapstr(lc, "copyright", NULL, NULL); - if (cw != NULL && access(cw, F_OK) == 0) - motd(cw); - else - (void)printf("%s\n\t%s %s\n", - "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", - "The Regents of the University of California. ", - "All rights reserved."); + if (cw == NULL || motd(cw) == -1) + (void)printf("%s", copyright); (void)printf("\n"); cw = login_getcapstr(lc, "welcome", NULL, NULL); - if (cw == NULL || access(cw, F_OK) != 0) - cw = _PATH_MOTDFILE; - motd(cw); + if (cw != NULL && access(cw, F_OK) == 0) + motd(cw); + else + motd(_PATH_MOTDFILE); if (login_getcapbool(lc, "nocheckmail", 0) == 0) { /* $MAIL may have been set by class. */ cw = getenv("MAIL"); - if (cw != NULL) - strlcpy(tbuf, cw, sizeof(tbuf)); - else - snprintf(tbuf, sizeof(tbuf), "%s/%s", + if (cw == NULL) { + asprintf(&cw, "%s/%s", _PATH_MAILDIR, pwd->pw_name); - if (stat(tbuf, &st) == 0 && st.st_size != 0) + } + if (cw && stat(cw, &st) == 0 && st.st_size != 0) (void)printf("You have %smail.\n", (st.st_mtime > st.st_atime) ? "new " : ""); + if (getenv("MAIL") == NULL) + free(cw); } } 
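Review bot: `if (cw == NULL || motd(cw) == -1) (void)printf("%s", copyright);` prints the built-in copyright text after an interrupted display as well as after a missing file, because motd() (later in the patch) returns -1 both when fopen() fails and when the user interrupts it with SIGINT; a user who presses ^C to skip the copyright file then gets the full built-in notice anyway. Distinguish the two results and fall back only when the file cannot be opened. In the mail check, `if (getenv("MAIL") == NULL) free(cw);` re-derives whether cw was allocated by asking the environment a second time; a local flag set next to the asprintf() call says what is meant and does not depend on $MAIL staying unset in between.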
@@ -706,45 +593,23 @@ /* * Login shells have a leading '-' in front of argv[0] */ - if ((u_int)snprintf(tbuf, sizeof(tbuf), "-%s", - (p = strrchr(pwd->pw_shell, '/')) ? p + 1 : pwd->pw_shell) >= - sizeof(tbuf)) { + p = strrchr(pwd->pw_shell, '/'); + if (asprintf(&arg0, "-%s", p ? p + 1 : pwd->pw_shell) >= MAXPATHLEN) { syslog(LOG_ERR, "user: %s: shell exceeds maximum pathname size", username); errx(1, "shell exceeds maximum pathname size"); + } else if (arg0 == NULL) { + err(1, "asprintf()"); } - execlp(shell, tbuf, (char *)0); + execlp(shell, arg0, (char *)0); err(1, "%s", shell); + + /* + * That's it, folks! + */ } -static int -auth_traditional() -{ - int rval; - char *p; - const char *ep; - const char *salt; - - rval = 1; - salt = pwd != NULL ? pwd->pw_passwd : "xx"; - - p = getpass(passwd_prompt); - ep = crypt(p, salt); - - if (pwd) { - if (!p[0] && pwd->pw_passwd[0]) - ep = ":"; - if (strcmp(ep, pwd->pw_passwd) == 0) - rval = 0; - } - - /* clear entered password */ - memset(p, 0, strlen(p)); - return rval; -} - -#ifndef NO_PAM /* * Attempt to authenticate the user using PAM. Returns 0 if the user is * authenticated, or 1 if not authenticated. If some sort of PAM system 
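Review bot: with auth_traditional() deleted, PAM is the only authentication path left, but the comment retained at the end of this hunk ("If some sort of PAM system error occurs ... fall back to a different authentication mechanism", continuing into the next hunk's context) still describes the fallback; update it and state what login(1) now does when PAM itself is unavailable, since the `rval = -1` return of auth_pam() no longer has anything to fall back to. In the argv[0] construction, an asprintf() failure returns -1, which passes the `>= MAXPATHLEN` test and is then caught by `arg0 == NULL`; that ordering works but is easy to break, so a comment or a plain `if (len < 0) err(...)` before the length test would be clearer.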
@@ -753,32 +618,14 @@ * fall back to a different authentication mechanism. */ static int -auth_pam() +auth_pam(void) { const char *tmpl_user; const void *item; int rval; - int e; - static struct pam_conv conv = { misc_conv, NULL }; - if ((e = pam_start("login", username, &conv, &pamh)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e)); - return -1; - } - if ((e = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s", - pam_strerror(pamh, e)); - return -1; - } - if (hostname == NULL) - gethostname(full_hostname, sizeof full_hostname); - if ((e = pam_set_item(pamh, PAM_RHOST, full_hostname)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s", - pam_strerror(pamh, e)); - return -1; - } - e = pam_authenticate(pamh, 0); - switch (e) { + pam_err = pam_authenticate(pamh, pam_silent); + switch (pam_err) { case PAM_SUCCESS: /* @@ -798,14 +645,14 @@ * point of view, the template user is always passed * back as a changed value of the PAM_USER item. */ - if ((e = pam_get_item(pamh, PAM_USER, &item)) == - PAM_SUCCESS) { - tmpl_user = (const char *) item; + pam_err = pam_get_item(pamh, PAM_USER, &item); + if (pam_err == PAM_SUCCESS) { + tmpl_user = (const char *)item; if (strcmp(username, tmpl_user) != 0) pwd = getpwnam(tmpl_user); - } else - syslog(LOG_ERR, "Couldn't get PAM_USER: %s", - pam_strerror(pamh, e)); + } else { + pam_syslog("pam_get_item(PAM_USER)"); + } rval = 0; break; 
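Review bot: after the template-user lookup `pwd = getpwnam(tmpl_user);` the result is not checked, yet the function still sets `rval = 0` and returns success; if a module hands back a PAM_USER that has no passwd entry, pwd is NULL and the later pwd->pw_name dereferences (the DIALUP and ROOT LOGIN syslog calls, refused()) crash login(1). Treat a NULL result as a failed authentication (rval = 1 plus a syslog message) before `rval = 0; break;`. The old code had the same gap, but since this hunk rewrites the block it is the place to close it.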
@@ -816,57 +663,66 @@ break; default: - syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, e)); + pam_syslog("pam_authenticate()"); rval = -1; break; } if (rval == 0) { - e = pam_acct_mgmt(pamh, 0); - if (e == PAM_NEW_AUTHTOK_REQD) { - e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); - if (e != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_chauthtok: %s", - pam_strerror(pamh, e)); + pam_err = pam_acct_mgmt(pamh, pam_silent); + switch (pam_err) { + case PAM_SUCCESS: + break; + case PAM_NEW_AUTHTOK_REQD: + pam_err = pam_chauthtok(pamh, + pam_silent|PAM_CHANGE_EXPIRED_AUTHTOK); + if (pam_err != PAM_SUCCESS) { + pam_syslog("pam_chauthtok()"); rval = 1; } - } else if (e != PAM_SUCCESS) { + break; + default: + pam_syslog("pam_acct_mgmt()"); rval = 1; + break; } } if (rval != 0) { - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); - } + pam_end(pamh, pam_err); pamh = NULL; } - return rval; + return (rval); } -static int +/* + * Export any environment variables PAM modules may have set + */ +static void export_pam_environment() { - char **pp; + char **pam_env; + char **pp; - for (pp = environ_pam; *pp != NULL; pp++) { - if (ok_to_export(*pp)) - (void) putenv(*pp); - free(*pp); + pam_env = pam_getenvlist(pamh); + if (pam_env != NULL) { + for (pp = pam_env; *pp != NULL; pp++) { + (void)export(*pp); + free(*pp); + } } - return PAM_SUCCESS; } /* - * Sanity checks on PAM environmental variables: + * Perform sanity checks on an environment variable: * - Make sure there is an '=' in the string. * - Make sure the string doesn't run on too long. * - Do not export certain variables. This list was taken from the * Solaris pam_putenv(3) man page. + * Then export it. */ static int -ok_to_export(s) - const char *s; +export(const char *s) { static const char *noexport[] = { "SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH", 
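Review bot: export() hands the string to putenv(s) and export_pam_environment() then does free(*pp) on the same pointer; that is only safe where putenv() copies its argument, whereas POSIX putenv() stores the pointer itself and would leave environ pointing at freed memory. Splitting the string at the '=' the check already locates and calling setenv(name, value, 1) makes the free() correct on any libc, and the discarded `(void)export(*pp)` result then has a meaning worth logging. Also, the array returned by pam_getenvlist() is itself allocated and is never freed after the loop (free(pam_env) is missing), and export_pam_environment() keeps an empty parameter list while the rest of this patch converts to prototypes; make it `static void export_pam_environment(void)`.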
@@ -876,17 +732,17 @@ size_t n; if (strlen(s) > 1024 || strchr(s, '=') == NULL) - return 0; + return (0); if (strncmp(s, "LD_", 3) == 0) - return 0; + return (0); for (pp = noexport; *pp != NULL; pp++) { n = strlen(*pp); if (s[n] == '=' && strncmp(s, *pp, n) == 0) - return 0; + return (0); } - return 1; + (void)putenv(s); + return (1); } -#endif /* NO_PAM */ static void usage() 
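Review bot: `(void)putenv(s); return (1);` reports the variable as exported even when putenv() fails with ENOMEM; return putenv()'s result instead so the caller can at least log a failed export. The filtering itself (noexport list, LD_ prefix, 1024-byte cap) is unchanged from the old ok_to_export(), which is fine for strings that come from PAM modules rather than from the user, but the function's new name suggests it always exports, so a comment that a 0 return means "rejected or failed" would help.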
@@ -897,135 +753,114 @@ } /* - * Allow for authentication style and/or kerberos instance + * Prompt user and read login name from stdin. */ - -void +static char * getloginname() { + char *nbuf, *p; int ch; - char *p; - static char nbuf[NBUFSIZ]; - for (;;) { + nbuf = malloc(MAXLOGNAME); + if (nbuf == NULL) + err(1, "malloc()"); + do { (void)printf("%s", prompt); for (p = nbuf; (ch = getchar()) != '\n'; ) { if (ch == EOF) { badlogin(username); - exit(0); + bail(NO_SLEEP_EXIT, 0); } - if (p < nbuf + (NBUFSIZ - 1)) + if (p < nbuf + MAXLOGNAME - 1) *p++ = ch; } - if (p > nbuf) { - if (nbuf[0] == '-') - (void)fprintf(stderr, - "login names may not start with '-'.\n"); - else { - *p = '\0'; - username = nbuf; - break; - } - } + } while (p == nbuf); + + *p = '\0'; + if (nbuf[0] == '-') { + pam_silent = 0; + memmove(nbuf, nbuf + 1, strlen(nbuf)); + } else { + pam_silent = PAM_SILENT; } + return nbuf; } -int -rootterm(ttyn) - char *ttyn; +/* + * Verify that root is allowed to log in on this terminal. This + * requires the terminal to be known and secure. + */ +static int +rootterm(char *ttyn) { struct ttyent *t; return ((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE); } -volatile int motdinterrupt; -void -sigint(signo) - int signo __unused; +/* + * SIGINT handler for motd(). + */ +static volatile int motdinterrupt; +static void +sigint(int signo __unused) { motdinterrupt = 1; } -void -motd(motdfile) - const char *motdfile; +/* + * Display the contents of a file (such as /etc/motd). 
+ */ +static int +motd(const char *motdfile) { - int fd, nchars; sig_t oldint; - char tbuf[256]; + FILE *f; + int ch; - if ((fd = open(motdfile, O_RDONLY, 0)) < 0) - return; + if ((f = fopen(motdfile, "r")) == NULL) + return (-1); motdinterrupt = 0; oldint = signal(SIGINT, sigint); - while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0 && !motdinterrupt) - (void)write(fileno(stdout), tbuf, nchars); - (void)signal(SIGINT, oldint); - (void)close(fd); + while ((ch = fgetc(f)) != EOF && !motdinterrupt) + putchar(ch); + signal(SIGINT, oldint); + if (ch != EOF || ferror(f)) { + fclose(f); + return (-1); + } + fclose(f); + return (0); } -/* ARGSUSED */ -void -timedout(signo) - int signo; +/* + * SIGALRM handler, to enforce login prompt timeout. + * + * XXX This can potentially confuse the hell out of PAM. We should + * XXX instead implement a conversation function that returns + * XXX PAM_CONV_ERR when interrupted by a signal, and have the signal + * XXX handler just set a flag. + */ +static void +timedout(int signo __unused) { longjmp(timeout_buf, signo); } - -void -dolastlog(quiet) - int quiet; -{ - struct lastlog ll; - int fd; - - if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) { - (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET); - if (!quiet) { - if (read(fd, (char *)&ll, sizeof(ll)) == sizeof(ll) && - ll.ll_time != 0) { - (void)printf("Last login: %.*s ", - 24-5, (char *)ctime(&ll.ll_time)); - if (*ll.ll_host != '\0') - (void)printf("from %.*s\n", - (int)sizeof(ll.ll_host), - ll.ll_host); - else - (void)printf("on %.*s\n", - (int)sizeof(ll.ll_line), - ll.ll_line); - } - (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET); - } - memset((void *)&ll, 0, sizeof(ll)); - (void)time(&ll.ll_time); - (void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line)); - if (hostname) - (void)strncpy(ll.ll_host, hostname, sizeof(ll.ll_host)); - (void)write(fd, (char *)&ll, sizeof(ll)); - (void)close(fd); - } else { - syslog(LOG_ERR, "cannot open %s: %m", _PATH_LASTLOG); - } -} - void 
-badlogin(name) - char *name; +badlogin(char *name) { if (failures == 0) return; - if (hostname) { + if (hflag) { syslog(LOG_NOTICE, "%d LOGIN FAILURE%s FROM %s", - failures, failures > 1 ? "S" : "", full_hostname); + failures, failures > 1 ? "S" : "", hostname); syslog(LOG_AUTHPRIV|LOG_NOTICE, "%d LOGIN FAILURE%s FROM %s, %s", - failures, failures > 1 ? "S" : "", full_hostname, name); + failures, failures > 1 ? "S" : "", hostname, name); } else { syslog(LOG_NOTICE, "%d LOGIN FAILURE%s ON %s", failures, failures > 1 ? "S" : "", tty); @@ -1037,8 +872,7 @@ } const char * -stypeof(ttyid) - char *ttyid; +stypeof(char *ttyid) { struct ttyent *t; 
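Review bot: a login name beginning with '-' is no longer rejected (the "login names may not start with '-'" message is removed earlier in this hunk); instead the '-' is stripped and pam_silent is cleared for the rest of the session, so typing `-alice` at the prompt logs in as alice with PAM_SILENT off. That is a behaviour change driven by what is typed at the login prompt and belongs in the commit message and the login(1) manual page; if it is meant as a debugging aid, a command-line option is the usual place for it. The memmove() length is correct (strlen(nbuf) bytes from nbuf + 1 include the terminator). In getloginname() the `err(1, "malloc()")` exit, like the longjmp() in timedout() flagged by the XXX comment, bypasses bail() and therefore pam_cleanup(); worth a comment stating that both run before any PAM state exists, so nobody reorders the calls later.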
@@ -1047,33 +881,67 @@ if (t != NULL && t->ty_type != NULL) return (t->ty_type); } - return (UNKNOWN); + return (TERM_UNKNOWN); } void -refused(msg, rtype, lout) - const char *msg; - const char *rtype; - int lout; +refused(const char *msg, const char *rtype, int lout) { if (msg != NULL) printf("%s.\n", msg); - if (hostname) + if (hflag) syslog(LOG_NOTICE, "LOGIN %s REFUSED (%s) FROM %s ON TTY %s", - pwd->pw_name, rtype, full_hostname, tty); + pwd->pw_name, rtype, hostname, tty); else syslog(LOG_NOTICE, "LOGIN %s REFUSED (%s) ON TTY %s", pwd->pw_name, rtype, tty); if (lout) - sleepexit(1); + bail(SLEEP_EXIT, 1); } +/* + * Log a PAM error + */ +void +pam_syslog(const char *msg) +{ + syslog(LOG_ERR, "%s: %s", msg, pam_strerror(pamh, pam_err)); +} + +/* + * Shut down PAM + */ +void +pam_cleanup() +{ + + if (pamh != NULL) { + if (pam_session_established) { + pam_err = pam_close_session(pamh, 0); + if (pam_err != PAM_SUCCESS) + pam_syslog("pam_close_session()"); + } + pam_session_established = 0; + if (pam_cred_established) { + pam_err = pam_setcred(pamh, pam_silent|PAM_DELETE_CRED); + if (pam_err != PAM_SUCCESS) + pam_syslog("pam_setcred()"); + } + pam_cred_established = 0; + pam_end(pamh, pam_err); + pamh = NULL; + } +} + +/* + * Exit, optionally after sleeping a few seconds + */ void -sleepexit(eval) - int eval; +bail(int sec, int eval) { - (void)sleep(5); + pam_cleanup(); + (void)sleep(sec); exit(eval); } Index: usr.bin/login/login.h =================================================================== RCS file: /home/ncvs/src/usr.bin/login/login.h,v retrieving revision 1.2 diff -u -r1.2 login.h --- usr.bin/login/login.h 1 Dec 2001 21:12:04 -0000 1.2 +++ usr.bin/login/login.h 24 Jan 2002 17:19:32 -0000 
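Review bot: pam_cleanup() and pam_syslog() are defined with external linkage, and pam_cleanup() with an empty parameter list, while the rest of this patch makes helpers static with prototypes; make them `static void pam_cleanup(void)` and `static void pam_syslog(const char *)` unless another file calls them. Also, pam_cleanup() passes the global pam_err into pam_end(pamh, pam_err), so when neither a session nor credentials were established it reaches pam_end() with whatever status the last unrelated PAM call left behind; reset pam_err = PAM_SUCCESS at the top of the function or track the status locally. The bail() ordering (pam_cleanup() before sleep(sec)) is right, and note that refused(), which previously called sleepexit(), now tears down PAM state too, so it must stay safe to call before pam_start().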
@@ -25,7 +25,6 @@ * $FreeBSD: src/usr.bin/login/login.h,v 1.2 2001/12/01 21:12:04 markm Exp $ */ -int login_access __P((char *, char *)); void login_fbtab __P((char *, uid_t, gid_t)); extern char **environ; Index: usr.bin/login/login_access.c =================================================================== RCS file: /home/ncvs/src/usr.bin/login/login_access.c,v retrieving revision 1.8 diff -u -r1.8 login_access.c --- usr.bin/login/login_access.c 10 Dec 2001 21:13:05 -0000 1.8 +++ usr.bin/login/login_access.c 24 Jan 2002 17:19:32 -0000 @@ -40,18 +40,19 @@ #define YES 1 #define NO 0 -static int from_match __P((char *, char *)); -static int list_match __P((char *, char *, int (*)(char *, char *))); -static int netgroup_match __P((char *, char *, char *)); -static int string_match __P((char *, char *)); -static int user_match __P((char *, char *)); +static int from_match __P((const char *, const char *)); +static int list_match __P((char *, const char *, + int (*)(const char *, const char *))); +static int netgroup_match __P((const char *, const char *, const char *)); +static int string_match __P((const char *, const char *)); +static int user_match __P((const char *, const char *)); /* login_access - match username/group and host/tty with access control file */ int login_access(user, from) -char *user; -char *from; +const char *user; +const char *from; { FILE *fp; char line[BUFSIZ]; @@ -111,9 +112,9 @@ /* list_match - match an item against a list of tokens with exceptions */ static int list_match(list, item, match_fn) -char *list; -char *item; -int (*match_fn) __P((char *, char *)); +char *list; +const char *item; +int (*match_fn) __P((const char *, const char *)); { char *tok; int match = NO; 
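Review bot: the `int login_access __P((char *, char *))` prototype is deleted from login.h while login_access() itself stays defined (now with const parameters) in login_access.c, so the function is left with no declaration at all: whatever module now calls it gets no type checking and compiling login_access.c alone warns about a missing prototype. Put the new const-qualified prototype in a header shared by login_access.c and its new caller. In the list_match() prototype, `list` intentionally stays `char *` because the tokenizer modifies it; a one-line comment there would stop the next reader from "fixing" it to const.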
@@ -145,9 +146,9 @@ /* netgroup_match - match group against machine or user */ static int netgroup_match(group, machine, user) -char *group __unused; -char *machine __unused; -char *user __unused; +const char *group __unused; +const char *machine __unused; +const char *user __unused; { syslog(LOG_ERR, "NIS netgroup support not configured"); return 0; @@ -156,8 +157,8 @@ /* user_match - match a username against one token */ static int user_match(tok, string) -char *tok; -char *string; +const char *tok; +const char *string; { struct group *group; int i; @@ -183,8 +184,8 @@ /* from_match - match a host or tty against a list of tokens */ static int from_match(tok, string) -char *tok; -char *string; +const char *tok; +const char *string; { int tok_len; int str_len; @@ -219,8 +220,8 @@ /* string_match - match a string against one token */ static int string_match(tok, string) -char *tok; -char *string; +const char *tok; +const char *string; { /* --=-=-=-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 24 9:44:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.139.170]) by hub.freebsd.org (Postfix) with ESMTP id 4338C37B417; Thu, 24 Jan 2002 09:44:53 -0800 (PST) Received: (from uucp@localhost) by storm.FreeBSD.org.uk (8.11.6/8.11.6) with UUCP id g0OHioX12115; Thu, 24 Jan 2002 17:44:50 GMT (envelope-from mark@grondar.za) Received: from grondar.za (mark@localhost [127.0.0.1]) by grimreaper.grondar.org (8.11.6/8.11.6) with ESMTP id g0OHfYt84252; Thu, 24 Jan 2002 17:41:34 GMT (envelope-from mark@grondar.za) Message-Id: <200201241741.g0OHfYt84252@grimreaper.grondar.org> To: Dag-Erling Smorgrav Cc: security@freebsd.org, markm@freebsd.org Subject: Re: login(1) PAMification References: In-Reply-To: ; from Dag-Erling Smorgrav "24 Jan 2002 18:22:45 +0100." Date: Thu, 24 Jan 2002 17:41:34 +0000 
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> See the attached patch. Comments:

There is lots more that PAM modules can do; print out //etc/motd, rootterm(),
and so on. (Look at pam_securetty()).

M
--
o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn

From owner-freebsd-security Thu Jan 24 9:47: 8 2002
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 647F137B416; Thu, 24 Jan 2002 09:47:01 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id 23758532C; Thu, 24 Jan 2002 18:47:00 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Mark Murray
Cc: security@freebsd.org, markm@freebsd.org
Subject: Re: login(1) PAMification
References: <200201241741.g0OHfYt84252@grimreaper.grondar.org>
From: Dag-Erling Smorgrav
Date: 24 Jan 2002 18:46:59 +0100
In-Reply-To: <200201241741.g0OHfYt84252@grimreaper.grondar.org>
Lines: 10
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mark Murray writes:
> There is lots more that PAM modules can do; print out //etc/motd, rootterm(),
> and so on. (Look at pam_securetty()).

Yeah, but I think this is a fairly good start. Let's see if it works
properly; we can figure out what more to move out later.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Jan 24 9:59:30 2002
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (oe38.law12.hotmail.com [64.4.18.95]) by hub.freebsd.org (Postfix) with ESMTP id 5965B37B400 for ; Thu, 24 Jan 2002 09:59:24 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 24 Jan 2002 09:59:24 -0800
X-Originating-IP: [24.20.227.61]
From: "Lawrence Sica"
To: "dr3node" ,
References: <200201241551.AHW96968@vmms1.verisignmail.com>
Subject: Re: Can't set up an IPsec tunnel.
Date: Thu, 24 Jan 2002 09:59:39 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-OriginalArrivalTime: 24 Jan 2002 17:59:24.0222 (UTC) FILETIME=[DB60C5E0:01C1A500]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

----- Original Message -----
From: "dr3node" To: Sent: Thursday, January 24, 2002 7:47 AM Subject: Can't set up an IPsec tunnel. > i need to set up the tunnel between my 2 freebsd hosts so everything in and > out the office network'll go trough the host on collocation. > (office)->(fbsd gate)->(tunnel)->(fbsd host)->(internet) > and i just can't do that. > and nobody knows how to do that. > please help me somebody or my boss will rape and kill me(or kill and rape me). > We need a little more info here. Have you attempted it and it is failing? If so is there an error message? If not then I'd recommend searching daemonnews.org i believe there was an article on ipsec there awhile back? --Larry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 24 10:47:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from vmmr1.verisignmail.com (vmmr1.verisignmail.com [216.168.230.137]) by hub.freebsd.org (Postfix) with ESMTP id 926EA37B400 for ; Thu, 24 Jan 2002 10:47:49 -0800 (PST) Received: from vmms1.verisignmail.com (vmms1.verisignmail.com [10.166.0.138]) by vmmr1.verisignmail.com (Mirapoint) with ESMTP id ABO53100; Thu, 24 Jan 2002 13:47:48 -0500 (EST) Received: from there ([212.16.11.122]) by vmms1.verisignmail.com (Mirapoint) with SMTP id AHX10883; Thu, 24 Jan 2002 13:47:46 -0500 (EST) Message-Id: <200201241847.AHX10883@vmms1.verisignmail.com> Content-Type: text/plain; charset="koi8-r" 
From: dr3node
To: freebsd-security@freebsd.org
Subject: Re: Can't set up an IPsec tunnel.
Date: Thu, 24 Jan 2002 21:43:49 +0300
X-Mailer: KMail [version 1.3.2]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've read everything I could find. That is the latest try:

Remote host:

ifconfig gif0 create tunnel 222.222.22.2 111.111.11.1
ifconfig gif0 inet 222.222.22.2 192.168.0.1 netmask 0xffffff00
setkey -FP
setkey -F

ipsec.conf:
//
spdadd 0.0.0.0/0 192.168.0.0/24 any -P out ipsec esp/tunnel/222.222.22.2-111.111.11.1/require;
spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/111.111.11.1-222.222.22.2/require;
//
+ racoon with the keys in /usr/local/etc/racoon/psk.txt
setkey -f /etc/ipsec.conf

Local gateway:

ifconfig fxp0 111.111.11.1 netmask 0xffffffff alias
ifconfig gif0 create tunnel 111.111.11.1 222.222.22.2
ifconfig gif0 inet 192.168.0.1 222.222.22.2 netmask 0xffffff00
setkey -FP
setkey -F

ipsec.conf:
//
spdadd 192.168.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/111.111.11.1-222.222.22.2/require;
spdadd 0.0.0.0/0 192.168.0.0/24 any -P in ipsec esp/tunnel/222.222.22.2-111.111.11.1/require;
//
+ racoon with the keys in /usr/local/etc/racoon/psk.txt
setkey -f /etc/ipsec.conf

And the connection on the gate drops down. The error is:

/kernel: gif_output: recursively called too many times(2)

I'm wondering what if any troubles because of that RedHat gate with the
masquerade or because of my stupidity.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 24 10:55:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from energyhq.homeip.net (213-97-200-73.uc.nombres.ttd.es [213.97.200.73]) by hub.freebsd.org (Postfix) with ESMTP id 4ECE337B422 for ; Thu, 24 Jan 2002 10:55:08 -0800 (PST) Received: from there (kajsa.energyhq.org [192.168.0.1]) by energyhq.homeip.net (Postfix) with SMTP id 55A6B3FC05; Thu, 24 Jan 2002 19:55:10 +0100 (CET) Content-Type: text/plain; charset="iso-8859-1" 
From: Miguel Mendez Organization: Energy HQ To: "Robert Herrold" , Subject: Re: whois records hacked? Date: Thu, 24 Jan 2002 19:54:43 +0100 X-Mailer: KMail [version 1.3.2] References: <052501c1a475$1105b480$6c01a8c0@mpcsecurity.com> In-Reply-To: <052501c1a475$1105b480$6c01a8c0@mpcsecurity.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-Id: <20020124185510.55A6B3FC05@energyhq.homeip.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thursday 24 January 2002 02:18, Robert Herrold wrote: > Did a whois on microsoft.com and not sure if it's something corrupted in my > whois, or if Microsoft.com's whois record had been compromised. Any > thoughts? Yes, man whois :) flynn@kajsa# whois -h whois.geektools.com microsoft.com Query: microsoft.com Registry: whois.networksolutions.com Results: Registrant: Microsoft Corporation (MICROSOFT-DOM) 1 microsoft way redmond, WA 98052 US Domain Name: MICROSOFT.COM Administrative Contact: Microsoft Hostmaster (MH37-ORG) msnhst@MICROSOFT.COM Microsoft Corp One Microsoft Way Redmond, WA 98052 US 425 882 8080 Fax- - - .: 206 703 2641 Technical Contact: MSN NOC (MN5-ORG) msnnoc@MICROSOFT.COM Microsoft Corp One Microsoft Way Redmond, WA 98052 US 425 882 8080 Fax- PATH [....] Cheers, -- Miguel Mendez - flynn@energyhq.homeip.net EnergyHQ :: http://energyhq.homeip.net FreeBSD - The power to serve! 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 24 10:56: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id E734637B404 for ; Thu, 24 Jan 2002 10:55:58 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g0OItvK28163; Thu, 24 Jan 2002 12:55:57 -0600 (CST) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id MAA19903; Thu, 24 Jan 2002 12:55:57 -0600 (CST) Message-ID: <3C50588C.7200324B@centtech.com> Date: Thu, 24 Jan 2002 12:55:08 -0600 
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: dr3node
Cc: freebsd-security@freebsd.org
Subject: Re: Can't set up an IPsec tunnel.
References: <200201241847.AHX10883@vmms1.verisignmail.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

IPSEC won't work through masquerading boxes or NAT firewalls.

Eric

dr3node wrote:
>
> I've read everything I could find.
> That is the latest try:
> Remote host:
>
> ifconfig gif0 create tunnel 222.222.22.2 111.111.11.1
> ifconfig gif0 inet 222.222.22.2 192.168.0.1 netmask 0xffffff00
> setkey -FP
> setkey -F
> ipsec.conf:
> //
> spdadd 0.0.0.0/0 192.168.0.0/24 any -P out ipsec
> esp/tunnel/222.222.22.2-111.111.11.1/require;
> spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec
> esp/tunnel/111.111.11.1-222.222.22.2/require;
> //
> + racoon with the keys in /usr/local/etc/racoon/psk.txt
> setkey -f /etc/ipsec.conf
>
> Local gateway:
>
> ifconfig fxp0 111.111.11.1 netmask 0xffffffff alias
> ifconfig gif0 create tunnel 111.111.11.1 222.222.22.2
> ifconfig gif0 inet 192.168.0.1 222.222.22.2 netmask 0xffffff00
> setkey -FP
> setkey -F
>
> ipsec.conf:
> //
> spdadd 192.168.0.0/24 0.0.0.0/0 any -P out ipsec
> esp/tunnel/111.111.11.1-222.222.22.2/require;
> spdadd 0.0.0.0/0 192.168.0.0/24 any -P in ipsec
> esp/tunnel/222.222.22.2-111.111.11.1/require;
> //
>
> + racoon with the keys in /usr/local/etc/racoon/psk.txt
> setkey -f /etc/ipsec.conf
> And the connection on the gate drops down.
> The error is: /kernel: gif_output: recursively called too many times(2)
>
> I'm wondering what if any troubles because of that RedHat gate with the
> masquerade or because of my stupidity.
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------------ Eric Anderson anderson@centtech.com Centaur Technology If at first you don't succeed, sky diving is probably not for you. ------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 24 11: 0:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from vmmr1.verisignmail.com (vmmr1.verisignmail.com [216.168.230.137]) by hub.freebsd.org (Postfix) with ESMTP id 06ED337B429 for ; Thu, 24 Jan 2002 11:00:30 -0800 (PST) Received: from vmms1.verisignmail.com (vmms1.verisignmail.com [10.166.0.138]) by vmmr1.verisignmail.com (Mirapoint) with ESMTP id ABO53456; Thu, 24 Jan 2002 14:00:29 -0500 (EST) Received: from there ([212.16.11.122]) by vmms1.verisignmail.com (Mirapoint) with SMTP id AHX11812; Thu, 24 Jan 2002 14:00:25 -0500 (EST) Message-Id: <200201241900.AHX11812@vmms1.verisignmail.com> Content-Type: text/plain; charset="koi8-r" 
From: dr3node To: anderson@centtech.com Subject: Re: Can't set up an IPsec tunnel. Date: Thu, 24 Jan 2002 21:56:27 +0300 X-Mailer: KMail [version 1.3.2] References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com> In-Reply-To: <3C50588C.7200324B@centtech.com> Cc: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thursday 24 January 2002 21:55, you wrote: > IPSEC won't work through masquarading boxes or NAT firewalls. > > Eric is there any way way to cheat? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 24 11: 6:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (oe25.law12.hotmail.com [64.4.18.82]) by hub.freebsd.org (Postfix) with ESMTP id C234F37B426 for ; Thu, 24 Jan 2002 11:05:50 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 24 Jan 2002 11:05:50 -0800 X-Originating-IP: [24.20.227.61] From: "Lawrence Sica" To: , "dr3node" Cc: References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com> Subject: Re: Can't set up an IPsec tunnel. Date: Thu, 24 Jan 2002 11:06:09 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-ID: X-OriginalArrivalTime: 24 Jan 2002 19:05:50.0510 (UTC) FILETIME=[23640CE0:01C1A50A] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ----- Original Message ----- 
From: "Eric Anderson"
To: "dr3node"
Sent: Thursday, January 24, 2002 10:55 AM
Subject: Re: Can't set up an IPsec tunnel.

> IPSEC won't work through masquerading boxes or NAT firewalls.
>

You have to do LAN-to-LAN tunneling to get it to work. It will work, I have done it. Big thing is allowing the firewall to pass ESP.

--Larry

From owner-freebsd-security Thu Jan 24 11:06:41 2002
Message-ID: <3C505AFD.52FF9ADE@centtech.com>
Date: Thu, 24 Jan 2002 13:05:33 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: dr3node
Cc: freebsd-security@freebsd.org
Subject: Re: Can't set up an IPsec tunnel.
References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com> <200201241900.AHX11812@vmms1.verisignmail.com>

As far as I know, no, because that would be like a "man in the middle" attack (I think). Like this:

A <--- B ---> C

If A is talking to C via IPSEC, A tells C its IP (the true IP) and C tells A its IP (its true IP, behind the masqueraded host), but A sees C as B's IP address. How does it know that C knows that B exists?

Maybe there is a way to forward or tunnel certain protocols through the Linux box, but this doesn't sound like a good idea to me. You could always use the old crusty SSH tunneling VPNs.. :)

Eric

P.S. - Don't ask how to do it with SSH. It's been too long.

dr3node wrote:
>
> On Thursday 24 January 2002 21:55, you wrote:
> > IPSEC won't work through masquerading boxes or NAT firewalls.
> >
> > Eric
>
> Is there any way to cheat?

--
------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------

From owner-freebsd-security Thu Jan 24 11:08:57 2002
Message-ID: <3C505B52.58822BEC@centtech.com>
Date: Thu, 24 Jan 2002 13:06:58 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: Lawrence Sica
Cc: dr3node, freebsd-security@freebsd.org
Subject: Re: Can't set up an IPsec tunnel.
References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com>

Can you post that here? Any changes you needed to make to allow the ESP to be passed, and any tricks you needed to know to do it?

Lawrence Sica wrote:
>
> ----- Original Message -----
> From: "Eric Anderson"
> To: "dr3node"
> Sent: Thursday, January 24, 2002 10:55 AM
> Subject: Re: Can't set up an IPsec tunnel.
>
> > IPSEC won't work through masquerading boxes or NAT firewalls.
> >
>
> You have to do LAN-to-LAN tunneling to get it to work. It will work, I have
> done it. Big thing is allowing the firewall to pass ESP.
>
> --Larry

--
------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------

From owner-freebsd-security Thu Jan 24 11:22:35 2002
From: "Lawrence Sica"
Subject: Re: Can't set up an IPsec tunnel.
Date: Thu, 24 Jan 2002 11:22:27 -0800
References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com> <3C505B52.58822BEC@centtech.com>

----- Original Message -----
From: "Eric Anderson"
To: "Lawrence Sica"
Cc: "dr3node"
Sent: Thursday, January 24, 2002 11:06 AM
Subject: Re: Can't set up an IPsec tunnel.

> Can you post that here? Any changes you needed to make to allow the ESP to be
> passed, and any tricks you needed to know to do it?
>

I'll look up my notes. I used an article on daemonnews as my basis, but I do remember having to allow ESP to pass through ipfw:

ipfw add allow esp from any to any

for example. Also some UDP stuff too; the ports are in /etc/services, and /etc/protocols has info on ESP you need to let through.

--Larry

From owner-freebsd-security Thu Jan 24 11:26:46 2002
Subject: Re: Can't set up an IPsec tunnel.
Date: Thu, 24 Jan 2002 19:26:35 -0000
From: "Kerin Millar"

Haven't had much experience with IPSEC myself but maybe this document will help: http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html

Of course it is Linux specific but it seems to cover the masquerading topic adequately, and presumably the parts about setting up the firewall should be easily adaptable to IPFW. Here is an interesting excerpt from the document:

"If you are setting up a masqueraded VPN server, you will also have to obtain and install the following two packages:

To redirect the inbound TCP/UDP traffic (the 1723/tcp PPTP control channel or the 500/udp ISAKMP channel), you need the appropriate ipportfw port-forwarding kernel patch and configuration tool from http://www.ox.compsoc.org.uk/~steve/portforwarding.html. Port forwarding has been incorporated into the 2.2.x kernel. See man ipmasqadm for configuration details. If ipmasqadm is not included with your distribution it can be obtained at http://juanjox.kernelnotes.org/.

To redirect the initial inbound tunnel traffic (GRE for PPTP and ESP for IPsec), you need the ipfwd generic-IP redirector from http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/.

You do not need port forwarding or ipfwd if you are masquerading only clients."
Regards,

Kerin Millar

From owner-freebsd-security Thu Jan 24 11:30:34 2002
Message-ID: <3C5060A1.AEA49AB9@centtech.com>
Date: Thu, 24 Jan 2002 13:29:37 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: Kerin Millar
Cc: freebsd-security@freebsd.org
Subject: Re: Can't set up an IPsec tunnel.

I think the real problem is he has a SEPARATE host in between his two IPSEC boxes.

Eric

Kerin Millar wrote:
>
> Haven't had much experience with IPSEC myself but maybe this document will help: http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html
>
> Of course it is Linux specific but it seems to cover the masquerading topic adequately, and presumably the parts about setting up the firewall should be easily adaptable to IPFW. Here is an interesting excerpt from the document:
>
> "If you are setting up a masqueraded VPN server, you will also have to obtain and install the following two packages:
>
> To redirect the inbound TCP/UDP traffic (the 1723/tcp PPTP control channel or the 500/udp ISAKMP channel), you need the appropriate ipportfw port-forwarding kernel patch and configuration tool from http://www.ox.compsoc.org.uk/~steve/portforwarding.html. Port forwarding has been incorporated into the 2.2.x kernel. See man ipmasqadm for configuration details. If ipmasqadm is not included with your distribution it can be obtained at http://juanjox.kernelnotes.org/.
>
> To redirect the initial inbound tunnel traffic (GRE for PPTP and ESP for IPsec), you need the ipfwd generic-IP redirector from http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/.
>
> You do not need port forwarding or ipfwd if you are masquerading only clients."
>
> Regards,
>
> Kerin Millar

--
------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------

From owner-freebsd-security Thu Jan 24 11:46:04 2002
Message-ID: <007001c1a50f$79c2b320$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
To: "Lawrence Sica", "dr3node"
Subject: Re: Can't set up an IPsec tunnel.
Date: Thu, 24 Jan 2002 13:44:01 -0600
References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com>

And opening up 500/udp.

Tom Veldhouse

----- Original Message -----
From: "Lawrence Sica"
To: "dr3node"
Sent: Thursday, January 24, 2002 1:06 PM
Subject: Re: Can't set up an IPsec tunnel.

>
> ----- Original Message -----
> From: "Eric Anderson"
> To: "dr3node"
> Sent: Thursday, January 24, 2002 10:55 AM
> Subject: Re: Can't set up an IPsec tunnel.
>
> > IPSEC won't work through masquerading boxes or NAT firewalls.
> >
>
> You have to do LAN-to-LAN tunneling to get it to work. It will work, I have
> done it. Big thing is allowing the firewall to pass ESP.
>
> --Larry

From owner-freebsd-security Thu Jan 24 12:01:48 2002
From: Nate Williams
Message-ID: <15440.26651.603917.777527@caddis.yogotech.com>
Date: Thu, 24 Jan 2002 13:01:31 -0700
To: anderson@centtech.com
Cc: dr3node, freebsd-security@FreeBSD.ORG
Subject: Re: Can't set up an IPsec tunnel.
In-Reply-To: <3C50588C.7200324B@centtech.com>
References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com>
Reply-To: nate@yogotech.com (Nate Williams)

> IPSEC won't work through masquerading boxes or NAT firewalls.

Not easily, anyway. You have to do special things to make it work through NAT, like double-encapsulating it.

Nate

> > I've read everything I could find.
> > That is the latest try:
> >
> > Remote host:
> >
> > ifconfig gif0 create tunnel 222.222.22.2 111.111.11.1
> > ifconfig gif0 inet 222.222.22.2 192.168.0.1 netmask 0xffffff00
> > setkey -FP
> > setkey -F
> > ipsec.conf:
> > //
> > spdadd 0.0.0.0/0 192.168.0.0/24 any -P out ipsec
> > esp/tunnel/222.222.22.2-111.111.11.1/require;
> > spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec
> > esp/tunnel/111.111.11.1-222.222.22.2/require;
> > //
> > + racoon with the keys in /usr/local/etc/racoon/psk.txt
> > setkey -f /etc/ipsec.conf
> >
> > Local gateway:
> >
> > ifconfig fxp0 111.111.11.1 netmask 0xffffffff alias
> > ifconfig gif0 create tunnel 111.111.11.1 222.222.22.2
> > ifconfig gif0 inet 192.168.0.1 222.222.22.2 netmask 0xffffff00
> > setkey -FP
> > setkey -F
> >
> > ipsec.conf:
> > //
> > spdadd 192.168.0.0/24 0.0.0.0/0 any -P out ipsec
> > esp/tunnel/111.111.11.1-222.222.22.2/require;
> > spdadd 0.0.0.0/0 192.168.0.0/24 any -P in ipsec
> > esp/tunnel/222.222.22.2-111.111.11.1/require;
> > //
> >
> > + racoon
> > with the keys in /usr/local/etc/racoon/psk.txt
> > setkey -f /etc/ipsec.conf
> >
> > and the connection on the gate drops down.
> > The error is: /kernel: gif_output: recursively called too many times(2)
> >
> > I'm wondering what, if any, troubles are because of that RedHat gate with the
> > masquerade, or because of my stupidity.
>
> --
> ------------------------------------------------------------------
> Eric Anderson anderson@centtech.com Centaur Technology
> If at first you don't succeed, sky diving is probably not for you.
> ------------------------------------------------------------------

From owner-freebsd-security Thu Jan 24 12:06:51 2002
From: Nate Williams
Message-ID: <15440.26956.433891.236940@caddis.yogotech.com>
Date: Thu, 24 Jan 2002 13:06:36 -0700
To: anderson@centtech.com
Cc: dr3node, freebsd-security@FreeBSD.ORG
Subject: Re: Can't set up an IPsec tunnel.
In-Reply-To: <3C505AFD.52FF9ADE@centtech.com>
References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com> <200201241900.AHX11812@vmms1.verisignmail.com> <3C505AFD.52FF9ADE@centtech.com>
Reply-To: nate@yogotech.com (Nate Williams)

> As far as I know, no, because that would be like a "man in the middle" attack (I
> think). Like this:
>
> A <--- B ---> C
>
> If A is talking to C via IPSEC, A tells C its IP (the true IP) and C tells A
> its IP (its true IP, behind the masqueraded host), but A sees C as B's IP
> address. How does it know that C knows that B exists?

It doesn't matter, since B can't read/modify the traffic A or C generated.

It can certainly mess with the headers all it wants, but that won't help it figure out what is going on.

(Again, this assumes that A & C have authenticated themselves correctly, per the IPSEC specification. :)

Nate

> dr3node wrote:
> >
> > On Thursday 24 January 2002 21:55, you wrote:
> > > IPSEC won't work through masquerading boxes or NAT firewalls.
> > >
> > > Eric
> >
> > Is there any way to cheat?
>
> --
> ------------------------------------------------------------------
> Eric Anderson anderson@centtech.com Centaur Technology
> If at first you don't succeed, sky diving is probably not for you.
> ------------------------------------------------------------------

From owner-freebsd-security Thu Jan 24 12:12:58 2002
Message-ID: <3C506A89.AFC3EF38@centtech.com>
Date: Thu, 24 Jan 2002 14:11:53 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: Nate Williams
Cc: dr3node, freebsd-security@freebsd.org
Subject: Re: Can't set up an IPsec tunnel.
References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com> <200201241900.AHX11812@vmms1.verisignmail.com> <3C505AFD.52FF9ADE@centtech.com> <15440.26956.433891.236940@caddis.yogotech.com>

I'm not saying B can modify the data, I'm saying A can't trust C's data, since it appears to come from B, and C builds it as if it's coming from C, with no knowledge that B is NAT'ing..

Nate Williams wrote:
>
> > As far as I know, no, because that would be like a "man in the middle" attack (I
> > think). Like this:
> >
> > A <--- B ---> C
> >
> > If A is talking to C via IPSEC, A tells C its IP (the true IP) and C tells A
> > its IP (its true IP, behind the masqueraded host), but A sees C as B's IP
> > address. How does it know that C knows that B exists?
>
> It doesn't matter, since B can't read/modify the traffic A or C
> generated.
>
> It can certainly mess with the headers all it wants, but that won't help
> it figure out what is going on.
>
> (Again, this assumes that A & C have authenticated themselves correctly,
> per the IPSEC specification. :)
>
> Nate
>
> > dr3node wrote:
> > >
> > > On Thursday 24 January 2002 21:55, you wrote:
> > > > IPSEC won't work through masquerading boxes or NAT firewalls.
> > > >
> > > > Eric
> > >
> > > Is there any way to cheat?
> >
> > --
> > ------------------------------------------------------------------
> > Eric Anderson anderson@centtech.com Centaur Technology
> > If at first you don't succeed, sky diving is probably not for you.
> > ------------------------------------------------------------------

--
------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------

From owner-freebsd-security Thu Jan 24 12:14:54 2002
From: Nate Williams
Message-ID: <15440.27444.625825.317011@caddis.yogotech.com>
Date: Thu, 24 Jan 2002 13:14:44 -0700
To: anderson@centtech.com
Cc: Nate Williams, dr3node, freebsd-security@freebsd.org
Subject: Re: Can't set up an IPsec tunnel.
In-Reply-To: <3C506A89.AFC3EF38@centtech.com>
References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com> <200201241900.AHX11812@vmms1.verisignmail.com> <3C505AFD.52FF9ADE@centtech.com> <15440.26956.433891.236940@caddis.yogotech.com> <3C506A89.AFC3EF38@centtech.com>
Reply-To: nate@yogotech.com (Nate Williams)

> I'm not saying B can modify the data, I'm saying A can't trust C's
> data, since it appears to come from B, and C builds it as if it's
> coming from C, with no knowledge that B is NAT'ing..

Unless you do the double encapsulation thing, which allows external/third parties to modify the headers (and only the headers), because the integrity checks are done on the actual data.

This type of IPSEC tunneling may end up becoming a standard part of IPSEC in the future, since I've heard rumors that the IETF is going to accept it.

Nate

> > > As far as I know, no, because that would be like a "man in the middle" attack (I
> > > think). Like this:
> > >
> > > A <--- B ---> C
> > >
> > > If A is talking to C via IPSEC, A tells C its IP (the true IP) and C tells A
> > > its IP (its true IP, behind the masqueraded host), but A sees C as B's IP
> > > address. How does it know that C knows that B exists?
> >
> > It doesn't matter, since B can't read/modify the traffic A or C
> > generated.
> >
> > It can certainly mess with the headers all it wants, but that won't help
> > it figure out what is going on.
> >
> > (Again, this assumes that A & C have authenticated themselves correctly,
> > per the IPSEC specification. :)
> >
> > Nate
> >
> > > dr3node wrote:
> > > >
> > > > On Thursday 24 January 2002 21:55, you wrote:
> > > > > IPSEC won't work through masquerading boxes or NAT firewalls.
> > > > >
> > > > > Eric
> > > >
> > > > Is there any way to cheat?
> > >
> > > --
> > > ------------------------------------------------------------------
> > > Eric Anderson anderson@centtech.com Centaur Technology
> > > If at first you don't succeed, sky diving is probably not for you.
> > > ------------------------------------------------------------------
>
> --
> ------------------------------------------------------------------
> Eric Anderson anderson@centtech.com Centaur Technology
> If at first you don't succeed, sky diving is probably not for you.
> ------------------------------------------------------------------

From owner-freebsd-security Thu Jan 24 13:16:00 2002
Message-ID: <02d401c1a51c$9487a730$0301a8c0@dpws>
From: "Dennis Pedersen"
Subject: FreeBSD 4.4 && racoon && tunnel && nat?
Date: Thu, 24 Jan 2002 22:17:49 +0100

Hi!

I need to make a VPN tunnel between 2 locations and I have no possibility of getting a 'real' IP address for each of the FreeBSD boxes, so I need to use NAT. But how do I configure gif and setkey? Does my gifconfig include the IP address of the 'wan' NIC on my BSD box or the real IP address my router was assigned? What about setkey, what IP do I specify there: the outside NIC's IP or the IP of the NATting router?

Another thing that has been bugging me a bit is, do I have to specify anything out of the ordinary in order for one of the boxes to have 2 or more tunnels to the box?

spdadd 192.168.2.0/24 192.168.3.0/24 any -P out ipsec
esp/tunnel/a.a.a.a-x.x.x.x/require;
spdadd 192.168.3.0/24 192.168.2.0/24 any -P in ipsec
esp/tunnel/x.x.x.x-a.a.a.a/require;

Regards
Dennis

From owner-freebsd-security Thu Jan 24 13:27:14 2002
Date: Thu, 24 Jan 2002 16:26:51 -0500
From: Peter Chiu
Reply-To: Peter Chiu
Message-ID: <765180644.20020124162651@ipfw.org>
To: dr3node
Cc: freebsd-security@freebsd.org
Subject: Re: Can't set up an IPsec tunnel.
In-Reply-To: <200201241551.AHW96968@vmms1.verisignmail.com>
References: <200201241551.AHW96968@vmms1.verisignmail.com>

Check this out. http://www.alisa.org/~jjr/vpn/

Thursday, January 24, 2002, 10:47:26 AM, you wrote:

d> The situation is:
d>
d> [office network 192.168.0.0/24]
d>   |
d>   \/
d> [gate: FreeBSD 4.5-RC]
d> [fxp1 192.168.0.1]
d> [natd]
d> [fxp0 192.168.4.11]
d> [default gateway 192.168.4.1]
d>   |
d>   \/
d> [gate: 192.168.4.1 (not mine)]
d> [RedHat 6.1]
d> [masquerade everything (tcp, udp) going from my fbsd gate as from 111.111.11.1]
d> [masquerade everything (tcp, udp) coming from internet to 111.111.11.1 to my
d>  fbsd gate, so I almost have a real IP on my gate]
d>   |
d>   \/
d> (internet)
d>   |
d>   \/
d> [host on collocation: FreeBSD 4.5-RC]
d> [ip: 222.222.22.2]
d>
d> I need to set up the tunnel between my 2 FreeBSD hosts so everything in and
d> out of the office network will go through the host on collocation.
d> (office)->>(fbsd gate)->(tunnel)->(fbsd host)->(internet)
d> And I just can't do that.
d> And nobody knows how to do that.
d> Please help me somebody or my boss will rape and kill me (or kill and rape me).
d> Thank you.
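The exchange between Eric and Nate above (whether gateway B can do anything useful to the traffic between A and C, and Nate's "double encapsulation"), together with Larry's and Tom's advice to let ESP and 500/udp through the firewall, can be made concrete with a small model. What follows is an added example written for this thread, not code from any of the posters: it uses simplified packet layouts rather than the real AH/ESP wire formats, a constructed shared key, HMAC-SHA-256 truncated to 96 bits as the integrity algorithm, and the addresses from dr3node's diagram. The UDP/4500 demultiplexing rule at the end is the one later standardized in RFC 3948 (UDP encapsulation of ESP), which is the NAT-traversal mechanism Nate describes; that RFC reference is mine, not the thread's.

```python
"""Toy model of IPsec integrity protection across a NAT gateway.

Added example for this thread; constructed key, addresses and packet
layouts (not the real RFC 2402/2406 wire formats).
"""
import hashlib
import hmac
from dataclasses import dataclass, replace

PROTO_ESP = 50   # IP protocol numbers as listed in /etc/protocols
PROTO_AH = 51
KEY = b"constructed-demo-integrity-key"   # known only to peers A and C


@dataclass(frozen=True)
class Packet:
    src: str       # outer IP source address
    dst: str       # outer IP destination address
    proto: int     # PROTO_ESP or PROTO_AH
    body: bytes    # ESP: SPI | seq | ciphertext;  AH: the protected payload
    icv: bytes = b""


def _addr(a: str) -> bytes:
    return bytes(int(octet) for octet in a.split("."))


def ah_icv(pkt: Packet, key: bytes = KEY) -> bytes:
    # AH covers the immutable IP header fields (source and destination
    # address among them) plus the payload, so a NAT rewrite of the
    # source address invalidates the ICV at the receiver.
    data = _addr(pkt.src) + _addr(pkt.dst) + bytes([pkt.proto]) + pkt.body
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def esp_icv(pkt: Packet, key: bytes = KEY) -> bytes:
    # ESP covers only the ESP header and payload (SPI, sequence number,
    # encrypted data); the outer IP addresses are not authenticated, which
    # is exactly what lets a NAT box rewrite them without breaking the SA.
    return hmac.new(key, pkt.body, hashlib.sha256).digest()[:12]


def seal(pkt: Packet) -> Packet:
    fn = ah_icv if pkt.proto == PROTO_AH else esp_icv
    return replace(pkt, icv=fn(pkt))


def verify(pkt: Packet) -> bool:
    fn = ah_icv if pkt.proto == PROTO_AH else esp_icv
    return hmac.compare_digest(fn(pkt), pkt.icv)


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    # Gateway B masquerades C: the private source becomes B's public address.
    return replace(pkt, src=public_ip)


def tamper_body(pkt: Packet) -> Packet:
    # B (or anyone on the path) flips one bit inside the protected data.
    body = bytearray(pkt.body)
    body[-1] ^= 0x01
    return replace(pkt, body=bytes(body))


def classify_udp4500(payload: bytes) -> str:
    # Demultiplexing on UDP/4500 per RFC 3948: a lone 0xFF byte is a NAT
    # keepalive, a four-zero-byte Non-ESP Marker prefixes IKE, and anything
    # else begins with an ESP SPI, which can never be zero.
    if payload == b"\xff":
        return "nat-keepalive"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(payload) >= 8:
        return "esp"
    return "malformed"


def demo() -> dict:
    # C (192.168.4.11 behind B) talks to A (222.222.22.2); B rewrites the
    # source to its public address 111.111.11.1, as in dr3node's diagram.
    esp_body = (0x1000).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"ciphertext-from-C"
    esp = seal(Packet("192.168.4.11", "222.222.22.2", PROTO_ESP, esp_body))
    ah = seal(Packet("192.168.4.11", "222.222.22.2", PROTO_AH, b"payload-from-C"))
    return {
        "esp_before_nat": verify(esp),
        "esp_after_nat": verify(nat_rewrite(esp, "111.111.11.1")),
        "ah_after_nat": verify(nat_rewrite(ah, "111.111.11.1")),
        "esp_after_tamper": verify(tamper_body(nat_rewrite(esp, "111.111.11.1"))),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'ICV ok' if ok else 'ICV FAILS'}")
```

Running it shows the two halves of the argument: the NAT rewrite leaves the ESP ICV valid (Nate's point that B can mess with headers without touching the data), while any change to the protected body fails verification, and AH fails as soon as the source address is rewritten. It also shows why the firewall advice in the thread is about ESP (IP protocol 50) and 500/udp rather than TCP ports: a masquerading box that only forwards TCP and UDP, as in dr3node's diagram, never passes protocol 50 at all, which is the ipfwd point in Kerin's excerpt.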
From owner-freebsd-security Thu Jan 24 13:53:54 2002
Date: Thu, 24 Jan 2002 13:53:28 -0800 (PST)
Message-Id: <200201242153.g0OLrSn75456@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:08.exec
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:08                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          race condition during exec may allow local root compromise

Category:       core
Module:         kernel
Announced:      2002-01-24
Credits:        Logan Gabriel, Robert Watson, Dag-Erling Smørgrav
Affects:        All released versions of FreeBSD 4.x prior to 4.5-RELEASE.
                FreeBSD 4.4-STABLE prior to the correction date.
Corrected:      2002-01-22 17:22:59 UTC (4-STABLE, RELENG_4)
                2002-01-23 23:05:00 UTC (4.4-RELEASE-p4, RELENG_4_4)
                2002-01-23 23:05:53 UTC (4.3-RELEASE-p24, RELENG_4_3)
FreeBSD only:   NO

I.   Background

When a process is started from a set-user-ID or set-group-ID binary, it is
marked so that attempts to attach to it with debugging hooks fail. To allow
such attachments would allow a user to subvert the process and gain
elevated privileges.

II.  Problem Description

A race condition exists in the FreeBSD exec system call implementation. It
is possible for a user to attach a debugger to a process while it is
exec'ing, but before the kernel has determined that the process is
set-user-ID or set-group-ID.

All versions of FreeBSD 4.x prior to FreeBSD 4.5-RELEASE are vulnerable to
this problem.

The problem has been corrected by marking processes that have started but
not yet completed exec with an `in-exec' state. Attempts to debug a process
in the in-exec state will fail.

III. Impact

Local users may be able to gain increased privileges on the local system.

IV.  Workaround

None. Do not allow untrusted users to gain access to the local system.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.4-STABLE, or the RELENG_4_3
   or RELENG_4_4 security branch, dated after the respective correction
   date.

2) To patch your present system:

   a) Download the relevant patch from the following location:

      [FreeBSD 4.4-STABLE, or RELENG_4_3 and RELENG_4_4 security branches]
      ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec.patch
      ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec.patch.asc

      [FreeBSD 4.3-RELEASE only]
      ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec-43R.patch
      ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec-43R.patch.asc

   b) Verify the detached PGP signature using your PGP utility.

   c) Execute the following commands as root:

      # cd /usr/src
      # patch -p < /path/to/patch

      Recompile your kernel as described in
      http://www.freebsd.org/handbook/kernelconfig.html and reboot the
      system.

3) FreeBSD 4.4-RELEASE systems:

   An experimental upgrade package is available for users who wish to
   provide testing and feedback on the binary upgrade process. This package
   may be installed on FreeBSD 4.4-RELEASE systems only, and is intended for
   use on systems for which source patching is not practical or convenient.
   If you use the upgrade package, feedback (positive or negative) to
   security-officer@FreeBSD.org is requested so we can improve the process
   for future advisories.

   Since this vulnerability involves the FreeBSD kernel which is often
   locally customized on installed systems, a universal binary upgrade
   package is not feasible. This package includes a patched version of the
   GENERIC kernel which should be suitable for use on many systems. Systems
   requiring a customized kernel must use an alternative solution.

   During the installation procedure, backup copies are made of the files
   which are replaced by the package. These backup copies will be
   reinstalled if the package is removed, reverting the system to a
   pre-patched state.

   # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-02:08/security-patch-exec-02.08.tgz
   # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-02:08/security-patch-exec-02.08.tgz.asc

   Verify the detached PGP signature using your PGP utility.

   # pkg_add security-patch-exec-02.08.tgz

   The new kernel is named /kernel.GENERIC to avoid conflict with the
   default kernel name (``/kernel''). To cause the system to boot
   automatically with the new kernel, add the following line to
   /boot/loader.conf:

   kernel="/kernel.GENERIC"

   and reboot the system to load the new kernel. The old kernel is still
   available and can be manually loaded in the boot loader in case of
   problems.

VI.  Correction details

The following list contains the $FreeBSD$ revision number of the files
that were corrected in the FreeBSD source.

Path                                    Branch      Revision
- -------------------------------------------------------------------------
src/sys/conf/newvers.sh                 RELENG_4_4  1.44.2.17.2.5
                                        RELENG_4_3  1.44.2.14.2.14
src/sys/kern/kern_exec.c                RELENG_4    1.107.2.13
                                        RELENG_4_4  1.107.2.8.2.1
                                        RELENG_4_3  1.107.2.5.2.2
src/sys/kern/sys_process.c              RELENG_4    1.51.2.3
                                        RELENG_4_4  1.51.2.1.4.1
                                        RELENG_4_3  1.51.2.1.2.1
src/sys/miscfs/procfs/procfs.h          RELENG_4    1.32.2.3
                                        RELENG_4_4  1.32.2.2.2.1
                                        RELENG_4_3  1.32.2.1.2.2
src/sys/miscfs/procfs/procfs_ctl.c      RELENG_4    1.20.2.2
                                        RELENG_4_4  1.20.2.1.4.1
                                        RELENG_4_3  1.20.2.1.2.1
src/sys/miscfs/procfs/procfs_dbregs.c   RELENG_4    1.4.2.3
                                        RELENG_4_4  1.4.2.2.2.1
                                        RELENG_4_3  1.4.2.1.2.1
src/sys/miscfs/procfs/procfs_fpregs.c   RELENG_4    1.11.2.3
                                        RELENG_4_4  1.11.2.2.2.1
                                        RELENG_4_3  1.11.2.1.2.1
src/sys/miscfs/procfs/procfs_mem.c      RELENG_4    1.46.2.3
                                        RELENG_4_4  1.46.2.2.2.1
                                        RELENG_4_3  1.46.2.1.2.2
src/sys/miscfs/procfs/procfs_regs.c     RELENG_4    1.10.2.3
                                        RELENG_4_4  1.10.2.2.2.1
                                        RELENG_4_3  1.10.2.1.2.1
src/sys/miscfs/procfs/procfs_status.c   RELENG_4    1.20.2.4
                                        RELENG_4_4  1.20.2.3.4.1
                                        RELENG_4_3  1.20.2.3.2.1
src/sys/miscfs/procfs/procfs_vnops.c    RELENG_4    1.76.2.7
                                        RELENG_4_4  1.76.2.5.2.1
                                        RELENG_4_3  1.76.2.3.2.2
src/sys/sys/proc.h                      RELENG_4    1.99.2.6
                                        RELENG_4_4  1.99.2.5.4.1
                                        RELENG_4_3  1.99.2.5.2.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Jan 24 14:15:20 2002
Date: Fri, 25 Jan 2002 00:11:32 +0200
From: "Vadim E. Martysh"
To: dr3node
Cc: freebsd-security@freebsd.org
Subject: Re: Can't set up an IPsec tunnel.
Message-ID: <20020125001132.A856@kuguar.offshorecode.com>
In-Reply-To: <200201241551.AHW96968@vmms1.verisignmail.com>; from rtfm@webburo.ru on Thu, Jan 24, 2002 at 06:47:26PM +0300

On Thu, Jan 24, 2002 at 06:47:26PM +0300, dr3node wrote:
> The situation is:
>
> [office network 192.168.0.0/24]
>   |
>   \/
> [gate: FreeBSD 4.5-RC]
> [fxp1 192.168.0.1]
> [natd]
> [fxp0 192.168.4.11]
> [default gateway 192.168.4.1]
>   |
>   \/
> [gate: 192.168.4.1 (not mine)]
> [RedHat 6.1]
> [masquerade everything (tcp, udp) going from my fbsd gate as from 111.111.11.1]
> [masquerade everything (tcp, udp) coming from internet to 111.111.11.1 to my
>  fbsd gate so I almost have a real IP on my gate]
>   |
>   \/
> (internet)
>   |
>   \/
> [host on collocation: FreeBSD 4.5-RC]
> [ip: 222.222.22.2]
>
> I need to set up the tunnel between my 2 FreeBSD hosts so everything in and
> out of the office network'll go through the host on collocation.
> (office)->(fbsd gate)->(tunnel)->(fbsd host)->(internet)
> and I just can't do that.
> and nobody knows how to do that.
> please help me somebody or my boss will rape and kill me (or kill and rape me).
>
> Thank you.

The thing below is not really IPSec (although you might run real IPSec on
top of the link described), but anyways...

If you can get (which you most probably can) port 22/tcp (in fact,
anything/tcp) from one host to another, there can be a very easy way to get
a secure IP link between the two points. It is very much like
demand-dialing, except you don't dial a number.
ppp(8) or pppd(8) might be very very helpful (pppd is preferred to ppp if
building a tunnel between different environments, e.g., a Linux and *BSD
box). 2.3.7+ pppds support the 'pty' option that allows a program's
stdin/stdout pair to be used instead of a conventional character device (a
pseudo-tty is allocated). The algorithm is straightforward:

    user@host1:~> pppd pty 'ssh -t [-i identityfile] user@host2 \
                      /path/to/pppd [options]' [options]

-t (force pty allocation) is important. The question 'why' is probably a
little more complicated than what it might seem at first glance, so skip it
for now.

pppd(8) and ppp(8) provide comparatively easy ways to recover from link
loss ("persistent dialing") as well as "demand-dialing" to save traffic.

This odd method of setting up a secure tunnel between hosts has a number of
positive issues about it (i.e., only 1 TCP port has to be reachable through
all of the masquerades and firewalls, with even a single-direction
connection setup being quite enough); however, there are negative ones as
well. The one I used to suffer from is a flush of the translation table on
a box in between (e.g., someone does ipnat -F -C -f /etc/ipnat.rules). An
extra suid program (or a public key to a privileged account) is yet another
one. Also, pppd 2.3.9, which I've used (which was a pretty long time ago),
has to be patched a little bit to compile under FreeBSD 4.x. (Hm... just
discovered pppd(8) is 2.3.5 on my 4.3-RELEASE box with a minimal set of
security fixes... well, nowadays ppp(8) is even better.)

I anyway found the idea worth sharing after having played with it for some
time. 'Conventional' IPsec (which I happen to be using since OpenBSD 2.6
came out) is nice, but sometimes an easy straightforward solution happens
to be better than a lot of time spent on its nontrivial one-time
configuration.

-- 
Vadim E. Martysh
Chief Researcher
Offshorithms Co.
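The pppd-over-ssh recipe above, as an added sh wrapper that is not part of Vadim's post: it builds both sides' pppd command lines and the authorized_keys restriction for the remote key, which limits the "public key to a privileged account" drawback he mentions. Host names, user names, tunnel addresses and the remote pppd path are assumed placeholders; the pppd and OpenSSH options used are standard ones.

```shell
#!/bin/sh
# Added example, not code from Vadim's post: wraps the pppd-over-ssh tunnel
# described above and generates the matching authorized_keys line for the
# remote side. Every value below is an assumed placeholder.
set -eu

PEER="${PEER:-host2.example.org}"                  # assumed remote host
PEER_USER="${PEER_USER:-ppptun}"                   # assumed account on host2 that may run pppd
IDENTITY="${IDENTITY:-${HOME:-.}/.ssh/ppptun_key}" # assumed key used only for this tunnel
LOCAL_IP="${LOCAL_IP:-10.99.0.1}"                  # assumed tunnel address on host1
REMOTE_IP="${REMOTE_IP:-10.99.0.2}"                # assumed tunnel address on host2
REMOTE_PPPD="${REMOTE_PPPD:-/usr/sbin/pppd}"       # assumed pppd path on host2

# Remote side. "ssh -t" hands this pppd a pseudo-tty on stdin/stdout, and
# pppd uses the terminal on its stdin when no device name is given (my
# reading of why -t matters), so the arguments are just "noauth" and
# host2's view of the tunnel addresses (local:remote from its side).
remote_pppd_cmd() {
    printf '%s noauth %s:%s' "$REMOTE_PPPD" "$REMOTE_IP" "$LOCAL_IP"
}

# Local side. The ssh command is pppd's "pty" program. persist + holdoff
# redial after the link drops (for example when a NAT box in between
# flushes its translation table), and the LCP echo options make pppd
# notice such a drop within about 30 seconds instead of waiting on TCP.
local_pppd_cmd() {
    printf "pppd pty 'ssh -t -i %s %s@%s %s' noauth persist holdoff 10 lcp-echo-interval 10 lcp-echo-failure 3 %s:%s" \
        "$IDENTITY" "$PEER_USER" "$PEER" "$(remote_pppd_cmd)" "$LOCAL_IP" "$REMOTE_IP"
}

# authorized_keys entry for PEER_USER on host2: whatever the client asks
# for, sshd runs only the pppd command, with forwarding disabled. no-pty
# is deliberately absent because the remote pppd needs the terminal.
authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s' \
        "$(remote_pppd_cmd)" "$1"
}

case "${1:-}" in
    start) eval "$(local_pppd_cmd)" ;;         # bring the link up for real
    show)  local_pppd_cmd; echo ;;             # print the local command line only
    key)   authorized_keys_line "$2"; echo ;;  # print the authorized_keys line
    *)     echo "usage: $0 start | show | key '<public key>'" >&2 ;;
esac
```

Install the printed authorized_keys line under the remote account, then `start` on host1; `show` lets you inspect the exact pppd invocation before running it.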
From owner-freebsd-security Thu Jan 24 14:56:58 2002
Message-ID: <3C509103.BFEFC823@centtech.com>
Date: Thu, 24 Jan 2002 16:56:03 -0600
From: Eric Anderson
Organization: Centaur Technology
To: freebsd-security@freebsd.org
Subject: IPSEC Compression

How do I turn on compression with an IPSEC tunnel?

-- 
------------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------

From owner-freebsd-security Thu Jan 24 15: 1:14 2002
From: Nate Williams
Message-ID: <15440.37427.282920.247916@caddis.yogotech.com>
Date: Thu, 24 Jan 2002 16:01:07 -0700
To: anderson@centtech.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPSEC Compression
In-Reply-To: <3C509103.BFEFC823@centtech.com>

> How do I turn on compression with an IPSEC tunnel?

I think you're confusing IPSEC with SSH. The former doesn't have a
standard way of pre-compressing packets, while the latter does b/c it's
done in userland.

Nate

From owner-freebsd-security Thu Jan 24 15: 6:27 2002
Message-ID: <3C50933A.B6549089@centtech.com>
Date: Thu, 24 Jan 2002 17:05:30 -0600
From: Eric Anderson
Organization: Centaur Technology
To: Nate Williams
Cc: freebsd-security@freebsd.org
Subject: Re: IPSEC Compression
References: <3C509103.BFEFC823@centtech.com> <15440.37427.282920.247916@caddis.yogotech.com>

Well, racoon does it, I think, or else things like:

    compression_algorithm deflate

wouldn't be in the config files. So I suppose my question should have
been: How do I turn on compression with racoon for an IPSEC tunnel?

Eric

Nate Williams wrote:
>
> > How do I turn on compression with an IPSEC tunnel?
>
> I think you're confusing IPSEC with SSH. The former doesn't have a
> standard way of pre-compressing packets, while the latter does b/c it's
> done in userland.
>
> Nate

-- 
------------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------
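Returning to the FreeBSD-SA-02:08.exec advisory earlier in this digest: its "Corrected:" lines name the fix by branch and patch level, and Erick Mechler's reply further down applies that list by hand to a 4.2-RELEASE box. As an added example that is not part of the advisory or of any post, this sh function turns the same list into a check against a `uname -r` string. The branch names and patch levels come from the advisory; the status words and the handling of version strings the advisory does not name are my assumptions.

```shell
#!/bin/sh
# Added example, not part of FreeBSD-SA-02:08.exec or any list post: classify
# a FreeBSD release string (as printed by `uname -r`) against the patch
# levels the advisory lists under "Corrected:". Branch and patch-level
# numbers are the advisory's; everything else here is assumed.

# The -pN suffix of a release string as a plain number; 0 when absent.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# Prints exactly one of:
#   not-affected  4.5-RELEASE or later, or a later major version
#   fixed         RELENG_4_4 at p4 or later, RELENG_4_3 at p24 or later
#   vulnerable    a RELENG_4_3 / RELENG_4_4 release below that level
#   check-date    -STABLE, -RC, -BETA and similar: the fix on those branches
#                 is dated, not numbered, so compare the build date with the
#                 advisory's "Corrected:" timestamps instead
#   unsupported   4.0 to 4.2: affected, but no security branch carries the
#                 fix (as Erick's reply notes for 4.2-RELEASE), so upgrade
#   unknown       anything else
sa_02_08_status() {
    rel="$1"
    case "$rel" in
        [5-9].*|4.[1-9][0-9]*|4.[5-9]-RELEASE*)
            echo not-affected ;;
        4.*-STABLE*|4.*-RC*|4.*-BETA*|4.*-PRERELEASE*|4.*-CURRENT*)
            echo check-date ;;
        4.4-RELEASE*)
            if [ "$(patch_level "$rel")" -ge 4 ]; then echo fixed; else echo vulnerable; fi ;;
        4.3-RELEASE*)
            if [ "$(patch_level "$rel")" -ge 24 ]; then echo fixed; else echo vulnerable; fi ;;
        4.[0-2]-RELEASE*)
            echo unsupported ;;
        *)
            echo unknown ;;
    esac
}

# When run as a script: check the argument, or else the running system.
if [ $# -gt 0 ]; then
    sa_02_08_status "$1"
else
    sa_02_08_status "$(uname -r)"
fi
```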
From owner-freebsd-security Thu Jan 24 16:10:22 2002
Date: Fri, 25 Jan 2002 02:19:30 +0200
Message-Id: <200201250219.AA188154144@acenet.co.za>
From: "Cole"
Subject: Ipsec Problems

I'm running IPsec on FreeBSD 4.5 RC1, with racoon and a preshared key. I'm
communicating with another FreeBSD machine. I am using ppp for the
connection to the internet.

I can get both of them talking to each other, pinging each other. My
problem lies when downloading from the other machine over ftp: my download
seems to drop to 0k/s every 15-20 seconds. I have set the lifetime to 7200
sec in the racoon.conf file.

I would like to know if there is anyone that could help me with this
problem or has experienced this problem.

Thanx
Cole

From owner-freebsd-security Thu Jan 24 17:42: 1 2002
Date: Thu, 24 Jan 2002 17:41:52 -0800
From: "Crist J. Clark"
To: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:08.exec
Message-ID: <20020124174152.K87663@blossom.cjclark.org>
In-Reply-To: <200201242153.g0OLrSn75456@freefall.freebsd.org>; from security-advisories@FreeBSD.ORG on Thu, Jan 24, 2002 at 01:53:28PM -0800

On Thu, Jan 24, 2002 at 01:53:28PM -0800, FreeBSD Security Advisories wrote:
[snip]
> Affects:        All released versions of FreeBSD 4.x prior to 4.5-RELEASE.

Just to be clear, this isn't an issue in CURRENT?

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Thu Jan 24 17:49:31 2002
Date: Thu, 24 Jan 2002 19:49:23 -0600
From: "Jacques A. Vidrine"
To: "Crist J. Clark"
Cc: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:08.exec
Message-ID: <20020125014923.GA90940@madman.nectar.cc>
In-Reply-To: <20020124174152.K87663@blossom.cjclark.org>

On Thu, Jan 24, 2002 at 05:41:52PM -0800, Crist J. Clark wrote:
> On Thu, Jan 24, 2002 at 01:53:28PM -0800, FreeBSD Security Advisories wrote:
> [snip]
>
> > Affects:        All released versions of FreeBSD 4.x prior to 4.5-RELEASE.
>
> Just to be clear, this isn't an issue in CURRENT?

No, -CURRENT was previously fixed, ~ 2 months ago.

-- 
Jacques A. Vidrine                          http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Jan 24 20:36: 0 2002
From: "Robert Myers"
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-02:08.exec
Date: Thu, 24 Jan 2002 23:38:16 -0500
Message-ID: <002901c1a55a$1bfe60e0$0501a8c0@ccridernote>
In-Reply-To: <200201242153.g0OLrSn75456@freefall.freebsd.org>

This advisory seems to indicate a problem with 4.2-RELEASE.

Can anyone shed any light on whether or not this is the case, and what if
any action I could take for a 4.2-RELEASE system?

Robert Myers
ccrider@whiterose.net
MCSE, CCA, CCNA
Systems administrator for White Rose Internet Service
http://whiterose.net

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of FreeBSD Security Advisories
Sent: Thursday, January 24, 2002 4:53 PM
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:08.exec

[snip]

From owner-freebsd-security Thu Jan 24 20:43:59 2002
Date: Thu, 24 Jan 2002 20:43:49 -0800
From: Erick Mechler
To: Robert Myers
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:08.exec
Message-ID: <20020124204349.B19034@techometer.net>
In-Reply-To: <002901c1a55a$1bfe60e0$0501a8c0@ccridernote>; from Robert Myers on Thu, Jan 24, 2002 at 11:38:16PM -0500

:: This advisory seems to indicate a problem with 4.2-RELEASE.
::
:: Can anyone shed any light on whether or not this is the case, and what if
:: any action I could take for a 4.2-RELEASE system?

The answer to your first question is right in the advisory:

  Affects:        All released versions of FreeBSD 4.x prior to 4.5-RELEASE.
                  FreeBSD 4.4-STABLE prior to the correction date.

That would include 4.2-RELEASE.

The answer to your second question can be found on the FreeBSD website.
According to http://www.freebsd.org/security/#adv, your version of FreeBSD
isn't supported by the Security Team anymore so you should probably
upgrade. However, that's not to say that you can't find someone else who
is willing to backport the patch for you.
Cheers - Erick

From owner-freebsd-security Thu Jan 24 21:04:42 2002
Date: Thu, 24 Jan 2002 21:04:35 -0800
From: Kris Kennaway
To: "Crist J. Clark"
Cc: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:08.exec
Message-ID: <20020124210435.A58760@xor.obsecurity.org>
References: <200201242153.g0OLrSn75456@freefall.freebsd.org> <20020124174152.K87663@blossom.cjclark.org>
In-Reply-To: <20020124174152.K87663@blossom.cjclark.org>; from cjc@freebsd.org on Thu, Jan 24, 2002 at 05:41:52PM -0800

On Thu, Jan 24, 2002 at 05:41:52PM -0800, Crist J. Clark wrote:
> On Thu, Jan 24, 2002 at 01:53:28PM -0800, FreeBSD Security Advisories wrote:
> [snip]
>
> > Affects:        All released versions of FreeBSD 4.x prior to 4.5-RELEASE.
>
> Just to be clear, this isn't an issue in CURRENT?

Since -current isn't a supported product yet we don't release
advisories for it, but it's usually true that when a fix is made in
4.x it's already been made in -current and MFCed.
Kris

From owner-freebsd-security Thu Jan 24 21:46:12 2002
Date: Thu, 24 Jan 2002 21:45:02 -0800
From: "Crist J. Clark"
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:08.exec
Message-ID: <20020124214502.M87663@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <200201242153.g0OLrSn75456@freefall.freebsd.org> <20020124174152.K87663@blossom.cjclark.org> <20020124210435.A58760@xor.obsecurity.org>
In-Reply-To: <20020124210435.A58760@xor.obsecurity.org>; from kris@obsecurity.org on Thu, Jan 24, 2002 at 09:04:35PM -0800
X-URL: http://people.freebsd.org/~cjc/

On Thu, Jan 24, 2002 at 09:04:35PM -0800, Kris Kennaway wrote:
> On Thu, Jan 24, 2002 at 05:41:52PM -0800, Crist J. Clark wrote:
> > On Thu, Jan 24, 2002 at 01:53:28PM -0800, FreeBSD Security Advisories wrote:
> > [snip]
> >
> > > Affects:        All released versions of FreeBSD 4.x prior to 4.5-RELEASE.
> >
> > Just to be clear, this isn't an issue in CURRENT?
>
> Since -current isn't a supported product yet we don't release
> advisories for it, but it's usually true that when a fix is made in
> 4.x it's already been made in -current and MFCed.

Sorry, guess I'm living in some kind of timewarp. I had to go back to
SAs from 3.x-STABLE days for ones that included patches for both
-STABLE and -CURRENT. I hadn't really noticed the policy had changed
(or perhaps has just become more consistent).
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Fri Jan 25 08:55:18 2002
Message-Id: <5.1.0.14.0.20020125103418.04610160@pop3s.schulte.org>
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Fri, 25 Jan 2002 10:54:07 -0600
To: security@freebsd.org
From: Christopher Schulte
Subject: sshd not honoring /var/run/nologin ( OpenSSH_2.3.0 FreeBSD localisations 20011202 )

This seems to be a security issue, since an admin may think users are
locked out, when in fact they are not.

System: 4.4-RELEASE-p4
Sshd: default per 4.4-p4 install ( OpenSSH_2.3.0 FreeBSD localisations 20011202 )

The man page for sshd tells us:

-----
When a user successfully logs in, sshd does the following:
[snip 1,2]

3. Checks /etc/nologin and /var/run/nologin; if one exists, it
   prints the contents and quits (unless root).
-----

I noticed this when I was upgrading from 4.4-RELEASE to RELENG_4_4
yesterday on a server.

Example:

box1=newly updated FreeBSD.
box2=offsite server to test login to box1

    box1# pw useradd foo ( then define password )
    box1# echo test > /var/run/nologin
    box1# ln -s /var/run/nologin /etc/nologin
    ( just for good measure, man page for sshd lists both files )

telnetd on box1 honors the nologin file:

    box2# telnet box1
    Trying 123.123.123.123...
    Connected to box1.
    Escape character is '^]'.

    FreeBSD/i386 (box1) (ttypd)

    login: foo
    Password:
    test
    Connection closed by foreign host.

yet sshd still allows access:

    box2# ssh -l foo box1
    foo@box1's password:
    Last login: Fri Jan 25 10:40:46 2002 from 1.2.3.4
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
            The Regents of the University of California.  All rights reserved.

    FreeBSD 4.4-RELEASE-p4 (BOX1) #3: Thu Jan 24 16:57:53 CST 2002

    $ exit
    Connection to box1 closed.
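The gap reported above is that the lockout file is present but sshd does not act on it; Sheldon Hearn's reply in this thread explains that OpenSSH_2.3.0 only honours /etc/nologin and /var/run/nologin when the sshd_config option UseLogin is yes. The following audit script is an added example, not code from the thread or from the OpenSSH project: it takes a copy of sshd_config and the candidate lockout file paths as parameters, applies sshd's first-occurrence rule for config keywords, and reports whether a lockout an admin has put in place will actually be enforced by sshd.

```shell
#!/bin/sh
# Added example (not from the list thread): report whether a nologin lockout
# will actually be honoured by sshd, given the behaviour described in the
# thread (OpenSSH_2.3.0 on FreeBSD 4.4 checks /etc/nologin and
# /var/run/nologin only when UseLogin is yes). Paths are parameters so the
# check can run against copies of the files; on a FreeBSD 4.x box the real
# ones are /etc/ssh/sshd_config, /etc/nologin and /var/run/nologin.

# use_login_enabled CONFIG
# Returns 0 when the effective UseLogin value is "yes", 1 otherwise.
# Like sshd, the first non-comment occurrence of a keyword wins; keywords
# are case-insensitive, the argument must be exactly "yes".
use_login_enabled() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*#/                { next }
        tolower($1) == "uselogin" { found = 1; val = $2; exit }
        END { exit (found && val == "yes") ? 0 : 1 }
    ' "$1"
}

# nologin_present FILE...
# Returns 0 when at least one of the lockout files exists.
nologin_present() {
    for f in "$@"; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# audit_nologin CONFIG FILE...
# Prints a verdict and returns:
#   0  no lockout file exists, nothing is expected to be blocked
#   1  a lockout file exists and sshd will honour it (UseLogin yes)
#   2  a lockout file exists but sshd will ignore it: the gap from the thread
audit_nologin() {
    config="$1"
    shift
    if ! nologin_present "$@"; then
        echo "ok: no nologin file present, sshd logins are not meant to be blocked"
        return 0
    fi
    if use_login_enabled "$config"; then
        echo "ok: nologin file present and UseLogin is yes, sshd refuses non-root logins"
        return 1
    fi
    echo "WARNING: nologin file present but UseLogin is not yes;" \
         "sshd will still admit users while telnetd/login turn them away"
    return 2
}

# Usage: sh audit_nologin.sh /etc/ssh/sshd_config /etc/nologin /var/run/nologin
if [ "$#" -ge 2 ]; then
    audit_nologin "$@"
fi
```

Run it on each host after creating the lockout file; exit status 2 is the situation Christopher Schulte describes, where telnetd refuses the user but sshd lets them in.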
From owner-freebsd-security Fri Jan 25 09:12:21 2002
From: Sheldon Hearn
To: Christopher Schulte
Cc: security@freebsd.org, green@FreeBSD.org
Subject: Re: sshd not honoring /var/run/nologin ( OpenSSH_2.3.0 FreeBSD localisations 20011202 )
In-reply-to: Your message of "Fri, 25 Jan 2002 10:54:07 CST." <5.1.0.14.0.20020125103418.04610160@pop3s.schulte.org>
Date: Fri, 25 Jan 2002 19:14:48 +0200
Message-ID: <62506.1011978888@axl.seasidesoftware.co.za>

On Fri, 25 Jan 2002 10:54:07 CST, Christopher Schulte wrote:

> The man page for sshd tells us:
>
> -----
> When a user successfully logs in, sshd does the following:
> [snip 1,2]
>
> 3. Checks /etc/nologin and /var/run/nologin; if one exists, it
>    prints the contents and quits (unless root).

This is a bug in the manpage. This check is only enforced if the
UseLogin sshd option is true. See session.c for evidence.

Ciao,
Sheldon.

From owner-freebsd-security Fri Jan 25 11:00:52 2002
To: security@freebsd.org
Subject: FreeBSD-SA-02:08.exec patch for 4.0-RELEASE systems
Message-ID: <1011984925.3c51aa1dd5d4d@webmail.vsi.ru>
Date: Fri, 25 Jan 2002 21:55:25 +0300 (MSK)
From: Oleg Derevenetz MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit User-Agent: IMP/PHP IMAP webmail program 2.2.6 X-Originating-IP: 80.82.32.19 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org 4.0-RELEASE systems seems to be affected with problems in this advisory. My company use a number of 4.0-RELEASE systems that are not upgradable for some reasons. So I wrote a patch for these systems (below). Can anybody tell me, are these changes in code sufficient to avoid problems listed in advisory ? Index: sys/kern/kern_exec.c diff -u sys/kern/kern_exec.c.orig sys/kern/kern_exec.c --- kern_exec.c.orig Tue Jul 10 22:15:28 2001 +++ kern_exec.c Fri Jan 25 14:38:21 2002 @@ -113,6 +113,15 @@ imgp = &image_params; /* + * Lock the process and set the P_INEXEC flag to indicate that + * it should be left alone until we're done here. This is + * necessary to avoid race conditions - e.g. in ptrace() - + * that might allow a local user to illicitly obtain elevated + * privileges. + */ + p->p_flag |= P_INEXEC; + + /* * Initialize part of the common data */ imgp->proc = p; @@ -333,6 +342,12 @@ VREF(ndp->ni_vp); p->p_textvp = ndp->ni_vp; + /* + * Clear the P_INEXEC flag + * as we're now a bona fide freshly-execed process. + */ + p->p_flag &= ~P_INEXEC; + /* * If tracing the process, trap to debugger so breakpoints * can be set before the program executes. @@ -385,6 +400,8 @@ return (0); exec_fail: + /* we're done here, clear P_INEXEC */ + p->p_flag &= ~P_INEXEC; if (imgp->vmspace_destroyed) { /* sorry, no more process anymore. exit gracefully */ exit1(p, W_EXITCODE(0, SIGABRT)); Index: sys/kern/sys_process.c diff -u sys/kern/sys_process.c.orig sys/kern/sys_process.c --- sys_process.c.orig Sun Nov 21 22:03:10 1999 +++ sys_process.c Fri Jan 25 14:40:29 2002 
@@ -220,6 +220,10 @@ if (!PRISON_CHECK(curp, p)) return (ESRCH); + /* Can't trace a process that's currently exec'ing. */ + if ((p->p_flag & P_INEXEC) != 0) + return EAGAIN; + /* * Permissions check */ Index: sys/miscfs/procfs/procfs_ctl.c diff -u sys/miscfs/procfs/procfs_ctl.c.orig sys/miscfs/procfs/procfs_ctl.c --- procfs_ctl.c.orig Wed Dec 8 11:59:36 1999 +++ procfs_ctl.c Fri Jan 25 14:42:19 2002 @@ -110,6 +110,10 @@ { int error; + /* Can't trace a process that's currently exec'ing. */ + if ((p->p_flag & P_INEXEC) != 0) + return EAGAIN; + /* * Attach - attaches the target process for debugging * by the calling process. Index: sys/miscfs/procfs/procfs_dbregs.c diff -u sys/miscfs/procfs/procfs_dbregs.c.orig sys/miscfs/procfs/procfs_dbregs.c --- procfs_dbregs.c.orig Wed Dec 8 11:59:36 1999 +++ procfs_dbregs.c Fri Jan 25 14:48:36 2002 @@ -62,6 +62,10 @@ char *kv; int kl; + /* Can't trace a process that's currently exec'ing. */ + if ((p->p_flag & P_INEXEC) != 0) + return EAGAIN; + if (p_trespass(curp, p)) return (EPERM); kl = sizeof(r); Index: sys/miscfs/procfs/procfs_fpregs.c diff -u sys/miscfs/procfs/procfs_fpregs.c.orig sys/miscfs/procfs/procfs_fpregs.c --- procfs_fpregs.c.orig Wed Dec 8 11:59:37 1999 +++ procfs_fpregs.c Fri Jan 25 14:50:05 2002 @@ -59,6 +59,10 @@ char *kv; int kl; + /* Can't trace a process that's currently exec'ing. */ + if ((p->p_flag & P_INEXEC) != 0) + return EAGAIN; + if (p_trespass(curp, p)) return EPERM; kl = sizeof(r); Index: sys/miscfs/procfs/procfs_mem.c diff -u sys/miscfs/procfs/procfs_mem.c.orig sys/miscfs/procfs/procfs_mem.c --- procfs_mem.c.orig Mon Dec 20 21:26:58 1999 +++ procfs_mem.c Fri Jan 25 15:01:13 2002 
@@ -255,7 +255,11 @@ * means that KMEM_GROUP can't change without editing procfs.h! * All in all, quite yucky. */ - + + /* Can't trace a process that's currently exec'ing. */ + if ((p->p_flag & P_INEXEC) != 0) + return EAGAIN; + if (p_trespass(curp, p) && !(uio->uio_rw == UIO_READ && procfs_kmemaccess(curp))) Index: sys/miscfs/procfs/procfs_regs.c diff -u sys/miscfs/procfs/procfs_regs.c.orig sys/miscfs/procfs/procfs_regs.c --- procfs_regs.c.orig Sun Nov 21 22:03:19 1999 +++ procfs_regs.c Fri Jan 25 14:50:44 2002 @@ -60,6 +60,10 @@ char *kv; int kl; + /* Can't trace a process that's currently exec'ing. */ + if ((p->p_flag & P_INEXEC) != 0) + return EAGAIN; + if (p_trespass(curp, p)) return EPERM; kl = sizeof(r); Index: sys/miscfs/procfs/procfs_status.c diff -u sys/miscfs/procfs/procfs_status.c.orig sys/miscfs/procfs/procfs_status.c --- procfs_status.c.orig Mon Dec 27 19:03:38 1999 +++ procfs_status.c Fri Jan 25 14:57:57 2002 @@ -183,7 +183,8 @@ * Linux behaviour is to return zero-length in this case. */ - if (p->p_args && (ps_argsopen ||!p_trespass(curp, p))) { + if (p->p_args && (ps_argsopen || ((p->p_flag & P_INEXEC) == 0 && + !p_trespass(curp, p)))) { bp = p->p_args->ar_args; buflen = p->p_args->ar_length; buf = 0; Index: sys/miscfs/procfs/procfs_vnops.c diff -u sys/miscfs/procfs/procfs_vnops.c.orig sys/miscfs/procfs/procfs_vnops.c --- procfs_vnops.c.orig Thu Dec 16 02:02:08 1999 +++ procfs_vnops.c Fri Jan 25 15:05:10 2002 @@ -145,6 +145,11 @@ return (EBUSY); p1 = ap->a_p; + + /* Can't trace a process that's currently exec'ing. */ + if ((p2->p_flag & P_INEXEC) != 0) + return EAGAIN; + if (p_trespass(p1, p2) && !procfs_kmemaccess(p1)) return (EPERM); 
@@ -236,6 +241,10 @@ if (procp == NULL) { return ENOTTY; } + + /* Can't trace a process that's currently exec'ing. */ + if ((procp->p_flag & P_INEXEC) != 0) + return EAGAIN; if (p_trespass(p, procp)) return EPERM; Index: sys/sys/proc.h diff -u sys/sys/proc.h.orig sys/sys/proc.h --- proc.h.orig Fri Jan 28 23:40:18 2000 +++ proc.h Fri Jan 25 14:58:53 2002 @@ -289,6 +289,7 @@ #define P_JAILED 0x1000000 /* Process is in jail */ #define P_OLDMASK 0x2000000 /* need to restore mask before pause */ #define P_ALTSTACK 0x4000000 /* have alternate signal stack */ +#define P_INEXEC 0x8000000 /* Process is in execve(). */ /* * MOVE TO ucred.h? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 25 11:51:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f171.law7.hotmail.com [216.33.237.171]) by hub.freebsd.org (Postfix) with ESMTP id 603CF37B400 for ; Fri, 25 Jan 2002 11:51:30 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 25 Jan 2002 11:51:30 -0800 Received: from 200.23.10.253 by lw7fd.law7.hotmail.msn.com with HTTP; Fri, 25 Jan 2002 19:51:29 GMT X-Originating-IP: [200.23.10.253] 
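Review bot: the comment added in the kern_exec.c hunk at @@ -113,6 +113,15 @@ says "Lock the process and set the P_INEXEC flag", but the hunk takes no lock; the only statement is `p->p_flag |= P_INEXEC;`. Either reword the comment so the flag is described as the sole guard, or say why no lock is needed on 4.0, so a later reader does not go looking for a matching unlock. It is also worth confirming that every exit from execve() between this point and the two clears (after `p->p_textvp = ndp->ni_vp;` in the @@ -333 hunk, and at `exec_fail:` in the @@ -385 hunk) passes through one of them: any early return that bypasses `exec_fail` would leave the process marked P_INEXEC for good, and every ptrace() and procfs access to it would then fail with EAGAIN.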
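Review bot: style, in the sys_process.c hunk at @@ -220,6 +220,10 @@ and the hunks copied from it. The new `return EAGAIN;` sits beside the existing `return (ESRCH);`, and the procfs_dbregs.c and first procfs_vnops.c hunks likewise add an unparenthesised return next to `return (EPERM);` and `return (EBUSY);`; match each file's own convention (`return (EAGAIN);` in those three, bare `return EAGAIN;` where the file already writes `return EPERM;`). The second procfs_vnops.c hunk (@@ -236,6 +241,10 @@) also drops the blank line after the new check that every other hunk keeps before the `p_trespass()` test; add it so the eight copies of this block read identically.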
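Review bot: the procfs_ctl.c hunk at @@ -110,6 +110,10 @@ places the P_INEXEC test at the top of the function, ahead of the "Attach - attaches the target process" comment, so the EAGAIN applies to every ctl command handled there, not just attach. That is a reasonable choice, but the comment `/* Can't trace a process that's currently exec'ing. */` only describes the attach case; say that all control operations are refused during the window so a debugger that was already attached before the exec and gets EAGAIN on a later command is understood to be expected behaviour rather than a regression.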
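Review bot: the procfs_status.c hunk at @@ -183,7 +183,8 @@ behaves differently from every other hook in the patch. Instead of failing with EAGAIN while P_INEXEC is set, it falls through and reports zero-length arguments, and because the new test is placed inside the `||`, a true `ps_argsopen` short-circuits before `(p->p_flag & P_INEXEC) == 0` is ever evaluated, so the arguments remain readable during exec on systems with that sysctl set. Zero-length matches the comment above it ("Linux behaviour is to return zero-length in this case"), but the comment should say this hook is deliberately non-failing, and the `ps_argsopen` exemption should be confirmed as intended rather than an artefact of where the parentheses landed.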
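Review bot: the proc.h hunk at @@ -289,6 +289,7 @@ defines `P_INEXEC` as 0x8000000 directly after `P_ALTSTACK 0x4000000`. The visible context suggests that is the next free bit, but the 4.0-RELEASE proc.h should be checked end to end (including anything defined after the "MOVE TO ucred.h?" block) for another use of 0x8000000 before this is built, since a collision would make some unrelated flag block ptrace() and procfs with EAGAIN for the life of the process. A one-line note in the comment that the value was chosen for 4.0-RELEASE and was verified against the rest of the file would help whoever maintains these unupgradable boxes.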
From: "Iván Edgardo Vázquez Santos"
To: freebsd-security@FreeBSD.ORG
Subject: unsubscribe freebsd-security
Date: Fri, 25 Jan 2002 19:51:29 +0000

unsubscribe freebsd-security

From owner-freebsd-security Fri Jan 25 15:05:46 2002
Date: Fri, 25 Jan 2002 18:05:37 -0500 (EST)
From: Robert Simmons
To: freebsd-security@freebsd.org
Subject: theo
Message-ID: <20020125175928.H41011-100000@mail.wlcg.com>

Let's say someone has a machine they don't have console access to, but they
know that the OS comes back every time they reboot the fucker.

The kernel is on the old hard drive, with the swap garbage. The brand
spanking new OS is mirrored on a twed. How can I tell that the core
team's brand spanking newly de scriptkiddified kernel is the one that
boots? dmesg?

BTW, there isn't a floppy installed, nor a CD-ROM.

Also, you win, you people get the prize for the most security alerts in
one year. :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/
E3E2 C83A 95A2 DDDC BF7F 6889 74B6 5850 880E B566

From owner-freebsd-security Fri Jan 25 15:19:31 2002
Date: Fri, 25 Jan 2002 18:19:22 -0500 (EST)
From: Robert Simmons
To: freebsd-security@freebsd.org
Subject: thanks
Message-ID: <20020125181705.N41395-100000@mail.wlcg.com>

I'm glad someone actually listened to and read the problem report about
cvs. I was stuck in DES land for a while.

Robert Simmons
Systems Administrator
http://www.wlcg.com/
E3E2 C83A 95A2 DDDC BF7F 6889 74B6 5850 880E B566

From owner-freebsd-security Fri Jan 25 15:20:42 2002
Date: Fri, 25 Jan 2002 15:20:19 -0800 (PST)
From: "f.johan.beisser"
X-X-Sender: jan@localhost
To: Robert Simmons
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: theo
In-Reply-To: <20020125175928.H41011-100000@mail.wlcg.com>
Message-ID: <20020125151048.C32624-100000@localhost>
X-Ignore: This statement isn't supposed to be read by you
X-TO-THE-FBI-CIA-AND-NSA: HI! HOW YA DOIN?

On Fri, 25 Jan 2002, Robert Simmons wrote:

> Let's say someone has a machine they don't have console access to, but they
> know that the OS comes back every time they reboot the fucker.
>
> The kernel is on the old hard drive, with the swap garbage. The brand
> spanking new OS is mirrored on a twed. How can I tell that the core
> team's brand spanking newly de scriptkiddified kernel is the one that
> boots? dmesg?

generally, i can tell via an ls -al /kernel, and checking the timestamp.
failing that, i can look at the output from uname:

    FreeBSD pogo.caustic.org 4.4-STABLE FreeBSD 4.4-STABLE #1: Wed Nov 14
    11:14:38 PST 2001 root@pogo.caustic.org:/usr/src/sys/compile/POGO i386

and looking at that alone, i can tell (i tend to rebuild the kernel once
each major change/kernel level patch). so, in this case, the timestamp on
the uname output (Wed Nov 14 11:14:38 PST 2001) tells me that this is the
kernel i built ages ago.

should i do more frequent rebuilds, the string "FreeBSD 4.4-STABLE #1"
would tell me which build number of the kernel (since building POGO's
first kernel) i have.

if what you're referencing is the specific kernel loaded by the loader,
unless you change it at boot time (unload kernel, load , boot),
it will default to /kernel.

> BTW, there isn't a floppy installed, nor a CD-ROM.
that's fine, you can change the device that the kernel is loaded from if
you really wish to.

> Also, you win, you people get the prize for the most security alerts in
> one year. :)

thanks. i tend to be glad to see so many security alerts. makes me feel
like someone is finding, and fixing, problems in the OS. "Security is not
a product, it is a process" and all that jazz.

btw, anyone know who said that? i'm inclined to think it's bruce schneier.

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                        jan@caustic.org
  "John Ashcroft is really just the reanimated corpse
   of J. Edgar Hoover." -- Tim Triche

From owner-freebsd-security Fri Jan 25 15:22:52 2002
Date: Fri, 25 Jan 2002 18:22:04 -0500 (EST)
From: Robert Simmons
To: "f.johan.beisser"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: theo
In-Reply-To: <20020125151048.C32624-100000@localhost>
Message-ID: <20020125182148.X41395-100000@mail.wlcg.com>

Thank you, if I knew you I would kiss you.

Robert Simmons
Systems Administrator
http://www.wlcg.com/
E3E2 C83A 95A2 DDDC BF7F 6889 74B6 5850 880E B566

On Fri, 25 Jan 2002, f.johan.beisser wrote:

> On Fri, 25 Jan 2002, Robert Simmons wrote:
>
> > Let's say someone has a machine they don't have console access to, but they
> > know that the OS comes back every time they reboot the fucker.
> >
> > The kernel is on the old hard drive, with the swap garbage. The brand
> > spanking new OS is mirrored on a twed. How can I tell that the core
> > team's brand spanking newly de scriptkiddified kernel is the one that
> > boots? dmesg?
>
> generally, i can tell via an ls -al /kernel, and checking the timestamp.
> failing that, i can look at the output from uname:
>
> FreeBSD pogo.caustic.org 4.4-STABLE FreeBSD 4.4-STABLE #1: Wed Nov 14
> 11:14:38 PST 2001 root@pogo.caustic.org:/usr/src/sys/compile/POGO i386
>
> and looking at that alone, i can tell (i tend to rebuild the kernel once
> each major change/kernel level patch). so, in this case, the timestamp on
> the uname output (Wed Nov 14 11:14:38 PST 2001) tells me that this is the
> kernel i built ages ago.
>
> should i do more frequent rebuilds, the string "FreeBSD 4.4-STABLE #1"
> would tell me which build number of the kernel (since building POGO's
> first kernel) i have.
>
> if what you're referencing is the specific kernel loaded by the loader,
> unless you change it at boot time (unload kernel, load , boot),
> it will default to /kernel.
>
> > BTW, there isn't a floppy installed, nor a CD-ROM.
>
> that's fine, you can change the device that the kernel is loaded from if
> you really wish to.
>
> > Also, you win, you people get the prize for the most security alerts in
> > one year. :)
>
> thanks. i tend to be glad to see so many security alerts. makes me feel
> like someone is finding, and fixing, problems in the OS. "Security is not
> a product, it is a process" and all that jazz.
>
> btw, anyone know who said that? i'm inclined to think it's bruce schneier.
>
> -------/ f. johan beisser /--------------------------------------+
>   http://caustic.org/~jan                        jan@caustic.org
>   "John Ashcroft is really just the reanimated corpse
>    of J. Edgar Hoover." -- Tim Triche

From owner-freebsd-security Fri Jan 25 15:24:35 2002
Date: Fri, 25 Jan 2002 18:24:08 -0500 (EST)
From: Robert Simmons
To: freebsd-security@freebsd.org
Message-ID: <20020125182313.Y41395-100000@mail.wlcg.com>

[PGP public key block not reproduced]
LWveARJEFRQius+CP8hHG331YAywbeLmllnFUNLEKBKSlX9gyNL7/KKZXCaK1hbf aB7jC0f6KyK68dOeMR1jkpw73NqCi6/U9RqMBDGzzMz5dnDoqz9s5f33xrYZC+qw TKmGyh0mcFaCzJ21/+6ZWS/tABEBAAG0LEVsZWN0cm9uaWMgRnJvbnRpZXIgRm91 bmRhdGlvbiA8ZWZmQGVmZi5vcmc+iQEVAwUQMjd/P2sge5mp/i7lAQFvbAf+MS77 9L7gsRC6j6BDPw6cWL5faGT1WOUmmpNQNQUIr8xPG2B1FBsulYvR73gYBUfRgjfq y2g3Pmxwb8b/efO06rh2Rb6Ij0IxovRUkP+wvnNZZ0DS1KhgAI0NEaDS6ZpQBi21 tfdQsyWth5jhTPAgYRqFsWXmIhM8OmouNA5MUBfs43+vrAvurUTBUUbXtTDtMksU TvgwvFHxTMBhFhSwe0fE78eNMg99Oq0DptWNyLjufV46KsMklyOQ43WndaVeUyer cnUlHRpI9BvhD6eJoax/Xg5/Y3Wzeg+GoNPnR+kB4fEfQQlxoVnqVDoPw3kbtT/2 uCnDMJzFNOt4b88uFokAlQMFEC7Q9k36pYRz7/JiaQEB/LAEALXZe2z6sEWSEWFB qiuBteDn85I+DoZKgsU3AoNWoQnNDxIZUnlhjeVC8sUeSKpHvhtxT+cmimkclawy Z+ISc4db0YmuEE9CQBdaGsa9fBa1zN50hFLTC0AWQCoSdbCJ9pugTWKI9gCwhmXD d0KTgHMfoFj+Gqg+//smU1ZULZbYiQCVAwUQLtD9b2vrl+SY3vDhAQGQZwP+J68V xdRQ/S1aIF0NplVofTbGDGd9HXfMWO1gy5T6kyQrenEiwq1lTh3aGDP19mftfnC7 J7u6U1OeRxPVAjt3O0Q7RF9GLqjHThPqC/4eEVp4i+O9UM3DTv9uU86qz8JZIwa3 SKpDNA5EEglxgbmgc+ge5NwonmxVmG2zq2kiYQ2JAJUDBRAu0JWWNkCBjDT0xHEB AdEvA/wKsTTeCI8w3QlUxHtpHGaf9cX2xCn0a0mY5kXHK9meTK9bWEzagzFFWZKF aV7CDS6mFSwHZrKIAJiBSEgrfqavtsOlJOoZHusn5VP61XPzTZDgaB1dRpUqcVvh ttn37FERduUO/kaACO2qr1x3HFqf4p6iogRCXD2Igo7NgZ8AX4kAkwMFEC7QlWad tf/umVkv7QEBDNAD8PJfriU6ss2+fTENIV8wZWAS55mOfWkabQIFQZy3MAeNGWsB 5RRF6HQklM5pVybqWc9keCZmMXPOZ5Bt+kd37qQ6RXZjHV+i4MlHx7A4xUT5Vq4L 1d7VgDj9WQDFWNGaU1Sz6fIM1qpXCF2Q6BqVAY7ntS1QzL2asUs0lb94tYg/AwUQ M44PWPeU6b2MCWLVEQIUFgCgwGECqHVLAP0Yno6au8fJL6sAPHwAn3wUgFzCUW5a tC8HvEGYTgYSjHljiEYEEBECAAYFAjtmzI0ACgkQv8Bofna59hYP/gCgtKWvMxpJ CjaRFl8PE/HWioyDScEAn1A1iEXGuDv8lg8sxnQ7UPmCVwr5iEYEEBECAAYFAjw9 rJYACgkQdLZYUIgOtWYwcwCfdBKl1/Nmghy6SqNhho/pqoZAzLgAnjHwmVe61BwF m0pG/BtJpsFp/+EHtCBEaXNjYXJkIG9sZGVyIGtleSAtIGl0J3MgcmV2b2tlZIkA lQMFEDI58Sqdtf/umVkv7QEBC+MEAJk7xjzJg71jUZ4yOzxZplUReFofe5W/r7ns QRgpHoeVRnFp1KbxUNF7yqGsn+6n5SaDqgKOPQ4bHiBY7953eUmKNLzbULm8/kw7 B9l/0Q4OijdqLfYP+gj+TooYyGAEZLMoRAmQeA0IFivHv4oBsOs62CutBNOX0akT 
HuHxYvEviD8DBRAzjg9Y95TpvYwJYtURAjr2AJ94SqJiXnq+8vzydoEFx9/uAvLO fwCfXTOJDCpWq/viAxvd2FH2me6Gde+JAJUDBRAzjg+SNkCBjDT0xHEBAcIyA/4i Rh/0g3C6cu5jMRIdsZvfURgp/E7houoQHAcTJb/Ki/pq/i84W7h/txD/gyR7x9tc jej99/zO/50a+FENETUAEOHI3PdR/HjHuKFHY8gJ4HZaIAh8OQcZHhXPtom4YiDi 8AMvKAln+VtMQz6NNIP1Heaxsp89m2btyYPsyIzqIYkBFQMFEDOOD6trIHuZqf4u 5QEBv84IAIdjeUqAsZv6EMtwNq/Vp9zDBGmjF8RXglEmtmcDtAJ6EPrdjnxjLvHe gwvGeDQnqC+CG7X2ydc8YtGy+6ZYqlXIB7mBHrRQqudXTZbBIZz8W4HVRsoI/YJy F+hcW/KECYjC1431tZ4mzwPZHJdJiDmLRM/tuhQJteSIHKkfjWzW2iex/fCkEib0 Xqb09o1fzNzUd1b/x4XmCZeCScIBVpG3yKRBZJqgHl0RN7KNuhPfg/Cy4UrrQGDC ZzQx31ASQIq/RUnj6A9/0Fkc/u2uOG9epvNCux72oEa+O338L+cGRi37UeABejXC CGMVL1yXevBWLRUdO6+OYgbO9g9yCg+IRgQQEQIABgUCO2bMkAAKCRC/wGh+drn2 FnfvAJ0RQ9+VWZXHwCH2eljiwPuAHli5gwCgntgDZjcu07kPZK69rfmxr7ptgOWI RgQQEQIABgUCPD2smQAKCRB0tlhQiA61ZqO1AJ9evBRHrfbUL3Z0y43zz3UIM+WQ dwCgsZFYnJV2lVM6cd/QHp36amn3s/OZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumff yEwfLTcXQjhKzOahzxpoomuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3S mLr5KV40Us1w0UC64cwtA46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4g FuKNoR2eqnAaJvjnAT8J/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/ nIan6fm2uf2kSV9A7ZxEGrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+ rm+nxEvyev+jaLuOQBDfebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYA PSXT2QAFEbQlU3VTRSBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokB FQMFEDbhLUfkWLKHsco8RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvL EMvuCZHiY2COUg5QdmPQ8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3n hyhAC9iudP2u1YQY37GbB6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCO pEqizhx1cqDKNZnsI/1X11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04n li5CXQMEbiqYYMOu8iaA8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxp eGKEQY8iBrDeDyB3wHmjqY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0E d7LmAD0l09kBAW04B/4pWH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILe ow/K9JfhdwGvY8LRxWRLhn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTL mDgC4rs1iAAl3f089sRGBafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hP kBYeXcwbCjdrVGFOzqx+AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBY 
jPrtWMkdXJSUXbR6Q7PiRZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoM OiaZA0M5fFoo54KgRIh0zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQ nkDjEAAKq6ROVACgjhDM/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdY XdOuGn4ZiEYEEBECAAYFAjtmzYgACgkQv8Bofna59haq0gCdEIVXNudiuoTJafu3 wKXq8/Stc2MAnRyJJKu6tnM8j85Ft58bIGEQRVjPiEYEEBECAAYFAjw9rL0ACgkQ dLZYUIgOtWZeswCbB448TZriZ3t/vuQz+tV8D/472FcAmwSMaOx/8i+J7MDp2D7g 56GIZ2rnmQCNAzuXyIMBhgEEAMZ2zihTJyts0KEJnx8Q2XpbeWtC5l0dlH6nnPZA jGHFAWXxCpFRnx5LXN5VzH75VRvN5xm+fhIAfikfm9aoxVs5CffY6YC/qRaP8Ss6 qefzR6Yxx/PImttrIrKTcY4I2/oj1jpssMhok9R6RHsHEGeg9SvaSW0ROaCVPMXQ I2HJAAURtChDRVJUIENvb3JkaW5hdGlvbiBDZW50ZXIgPGNlcnRAY2VydC5vcmc+ iQCVAwUQO5fIg6CVPMXQI2HJAQEdaQP+LUyn/GbvO9yDCHQGk+jPdNpnid/QlFtO HNwarI9tLtt0g21sxv6zak264ngwT7bp55WYHk8/nwXGiy6WdJFkMA17M2AU8NJJ jSRpj0lNheml8LXfZt0ao5nRFEBDpXZaia3p/4a1mM8vZekRjTAfw9UR+4jOVP7c FmUw1lkr8BSIRgQQEQIABgUCO5z6yAAKCRBdive2pwqEYzsRAJ9xOLxxwmye6s95 MaA03KWmFhnpvgCdHi68X1/OievJNN4rr3x/cHeNm+KJAJUDBRA7nP2iBhx+7yCx klkBATioBACHAvafe2g3uV3yhE+8oB9MmiIn0qq9N2IYWmhQmLy/f1NIZJ4mqVjF qCRsr1BrSrddFUVUjy4Txmdz7vyvlfjj4lNO5yw2zaQVuuE1E6RukeLn0v3pCz5o VA4RFw+7RMhyQZSCjbNl4MEBT+Gfno5TMnXNOhmB4y4rQ3uZcAeMbohGBBARAgAG BQI7nMQcAAoJEEkI6HrAePTSDykAoIlH9nTk5ay4QlqHd8lMO6Om+qHwAKCiX2xO vIhLdBK2aoDF3CJ0zxlxiIkAlQMFEDudCxpd4CDvp5/bDwEBqCQD/jZy5z8ca0D2 hwBHRNgNvZNPZcgytozjI0vahVmmkz9kOyVijSu3tMvVoVi6Hmn1FaEUsWFOMJFV Ilw3hvnfzcA+mLZD0DGqryhMhgOy9QEbCZXW2iVuWblRn2EThR6ceMiyHKWXYfe9 gRZrqk0JOj5Za4C+hWpy0+PqkDfI/FzWiEYEEBECAAYFAjux42YACgkQT9ok4Xqr XRjJNACgquKOP0dyY0iH4pJQj/L9Hfr+haYAn1uGQ4pVcixRCoYBKgJm1vkm2Me6 iEYEEBECAAYFAjuzaLIACgkQv8Bofna59hY46wCfXYqlJjogPOtC5oJ7YnK0JH2/ uzwAn2VsZAsBA58EpeQuha2HWWq3XrkniEYEEBECAAYFAjw9rOgACgkQdLZYUIgO tWaaJwCeOjBl9wJWbKUzPqcfkmWwwEpmPngAnA0OVypILzWUZLUVCTiV8e8sTjGG mQGiBDvW+XMRBAD0MxOIuLFOwW26G0VUvcdTcUGTxUhy0YS5/EHTdKL2K0tQDPmx mr9QXJ+l5CYCuvZK5ikTjrucSu/M/ABMgGt93XWpDzMuFQcBBIkLaPQKRdwjRXzD uZrrAPvNQ4XyF+Q6j2RbCZDDhbNiwr2XCLJNPg181/XOL7u9htbg7waAlwCg//6P 
Gigku+vRuly+5JDX6/PRWX8EALD87QZFvsKDThj6mUYrnQs3vRDBXNdDnl/XUNHs IvbOvmSPtxAj7iQG1Z+0At7gMShuNYvoTQjhsFfflOiE/UBm/SYZC6foLjCR5HhR jFoZODhaN+O12wKoHjvVYI7tX5CNgktkRfXlLck5SOk0sOJ7oxlGmPIGas0exRrx 73wQBACptfz907OIxEjVwenN1ia2lfQ8zoVNMrDX6XgMSspAAxgTpptPGZqt0+0N xqqRz4HlZVMXhNUACHdGh54OTUMtgERq2tLhaHNC3fMUpw8167hbzsMvz99lKE94 ptfYtIWO3R5xxfB0VZUxrDWz/pULv8+xwaZPqP0U+kSWl6ro07QmUGF1bCBBZGFt IFNwaW5lbGxpIDxwc3BpbmVsbEB3bGNnLmNvbT6IWAQQEQIAGAUCO9b5cwgLAwkI BwIBCgIZAQUbAwAAAAAKCRC7eCpoSfIYOeogAKDzpSFLygvhHjzTW3c2VfTkeYVl VgCfXBknZJAcoC6x2oQSjxRLfaiURLCIRgQQEQIABgUCO9cRIgAKCRC/wGh+drn2 Fn5tAJ9Tct8ZQJw1Gh+udOMwkvLKZCDoAwCfe7NzOldWLTylTORK0EzUMMuFvC+I RgQQEQIABgUCPD2tCgAKCRB0tlhQiA61ZpsHAJ9UVbDALMbKIj1l/eAvISPlCqur 0QCfQi1i/UKyXh2fwAjy9t+BL9wzDua5Ag0EO9b5dBAIAPZCV7cIfwgXcqK61qlC 8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh 01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky CzsAAgIH/3l/WrAyA99ZpqElO+wTjLd2xavn8WuDwj5fHlWEiY4HFCBhWy7TuYV2 2x61Dxy7xx9ouo5ePse0jyNNYLPypsKpguLeg67zXmU2SOyAARE6ZcE3BFCQt4tT A94X9SvlZ2i37xuGZ5PdM1WLafYCF0xBd4CSuzgkTeTu9ZgVXtToq6H+BTfuMeNX G2+PrmcjQwautt1Zn0PHMrN5M7rRGDAsESDzmST/8kuM2SpsBSSfS4Y4ni+hcyLp bCSpls1lhjcDGOk4oC4vUq0auWp0r3ISkyLMVfKSAfv6zT0Gvxit/kscvDmIdKZA 8DrvQcY9teA2gR5OEkZp9xPnKgrHqEaITAQYEQIADAUCO9b5dAUbDAAAAAAKCRC7 eCpoSfIYOcGXAKC1Gs70/0QrcmRqxVu4IUvggiUPFgCcCfDP+XLbjW4UTYoPazGy /GZW9K2ZAaIEPBoAvREEAMPVcs6Wsib627ucdUVf55tESDZpgs8oe4YggBmUmb+E 3IDKJ4P7n5/aEE6DbVbKTFEizM0z2HVFwXlD2LW3DVUoHyf4Yyq6PuznbIMDqfd6 yo6pOR/6rwuTGklpani2YrwoagPdzQBAQ9i4aCYiqxR8m5CnGejHZVFeFKtceMRT AKDK61gHxn223zMPGIuLE9TuHw5w2wQAumzmsLLjQlGsdeZVuU4Hz5CGrWIa4l3W WnaBRYQJM9a2L6ueuJwBu5NVu0m04vq+mBBDOeazQJHvKVC63OR9N5+9xrejmUM8 DSxuEgqztShcIlpcTKJ+nG1hSG+29nXqcjTtMx+NLd1iNFtMLN16hSM3CFMfT7Qi 
-----END PGP PUBLIC KEY BLOCK-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jan 25 16:06:45 2002
Received: from apollo.pwhsnet.com (adsl-64-164-36-143.dsl.scrm01.pacbell.net [64.164.36.143]) by hub.freebsd.org (Postfix) with ESMTP id 0DE7337B42F for ; Fri, 25 Jan 2002 16:05:58 -0800 (PST)
Received: from zeus (patrick@zeus [192.168.0.35] (may be forged)) by apollo.pwhsnet.com (8.11.6/8.11.6) with SMTP id g0Q051G00713 for ; Fri, 25 Jan 2002 16:05:01 -0800 (PST) (envelope-from patrick@pwhsnet.com)
From: Patrick Fish (patrick@pwhsnet.com)
Message-ID: <004401c1a5fc$d905eb70$2300a8c0@zeus>
References: <200201242153.g0OLrSn75456@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:08.exec
Date: Fri, 25 Jan 2002 16:03:12 -0800
Organization: PWHS Networks

When I do:

#cd /usr/src
#patch -p /root/exec-43R.patch

....It takes a long time, is it supposed to?

--
Patrick Fish - patrick@pwhsnet.com
PWHS Networks - http://www.pwhsnet.com

----- Original Message -----
From: "FreeBSD Security Advisories"
To: "FreeBSD Security Advisories"
Sent: Thursday, January 24, 2002 1:53 PM
Subject: FreeBSD Security Advisory FreeBSD-SA-02:08.exec

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-02:08                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          race condition during exec may allow local root compromise
>
> Category:       core
> Module:         kernel
> Announced:      2002-01-24
> Credits:        Logan Gabriel,
>                 Robert Watson,
>                 Dag-Erling Smørgrav
> Affects:        All released versions of FreeBSD 4.x prior to 4.5-RELEASE.
>                 FreeBSD 4.4-STABLE prior to the correction date.
> Corrected:      2002-01-22 17:22:59 UTC (4-STABLE, RELENG_4)
>                 2002-01-23 23:05:00 UTC (4.4-RELEASE-p4, RELENG_4_4)
>                 2002-01-23 23:05:53 UTC (4.3-RELEASE-p24, RELENG_4_3)
> FreeBSD only:   NO
>
> I.   Background
>
> When a process is started from a set-user-ID or set-group-ID binary,
> it is marked so that attempts to attach to it with debugging hooks
> fail.  To allow such attachments would allow a user to subvert the
> process and gain elevated privileges.
>
> II.  Problem Description
>
> A race condition exists in the FreeBSD exec system call
> implementation.  It is possible for a user to attach a debugger to a
> process while it is exec'ing, but before the kernel has determined
> that the process is set-user-ID or set-group-ID.
>
> All versions of FreeBSD 4.x prior to FreeBSD 4.5-RELEASE are
> vulnerable to this problem.  The problem has been corrected by marking
> processes that have started but not yet completed exec with an
> `in-exec' state.  Attempts to debug a process in the in-exec state
> will fail.
>
> III. Impact
>
> Local users may be able to gain increased privileges on the local
> system.
>
> IV.  Workaround
>
> None.  Do not allow untrusted users to gain access to the local
> system.
>
> V.   Solution
>
> One of the following:
>
> 1) Upgrade your vulnerable FreeBSD system to 4.4-STABLE, or the
> RELENG_4_3 or RELENG_4_4 security branch, dated after the respective
> correction date.
>
> 2) To patch your present system:
>
> a) Download the relevant patch from the following location:
>
> [FreeBSD 4.4-STABLE, or RELENG_4_3 and RELENG_4_4 security branches]
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec.patch
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec.patch.asc
>
> [FreeBSD 4.3-RELEASE only]
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec-43R.patch
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec-43R.patch.asc
>
> b) Verify the detached PGP signature using your PGP utility.
>
> c) Execute the following commands as root:
>
> # cd /usr/src
> # patch -p < /path/to/patch
>
> Recompile your kernel as described in
> http://www.freebsd.org/handbook/kernelconfig.html
> and reboot the system.
>
> 3) FreeBSD 4.4-RELEASE systems:
>
> An experimental upgrade package is available for users who wish to
> provide testing and feedback on the binary upgrade process.  This
> package may be installed on FreeBSD 4.4-RELEASE systems only, and is
> intended for use on systems for which source patching is not practical
> or convenient.
>
> If you use the upgrade package, feedback (positive or negative) to
> security-officer@FreeBSD.org is requested so we can improve the
> process for future advisories.
>
> Since this vulnerability involves the FreeBSD kernel which is often
> locally customized on installed systems, a universal binary upgrade
> package is not feasible.  This package includes a patched version of
> the GENERIC kernel which should be suitable for use on many systems.
> Systems requiring a customized kernel must use an alternative
> solution.
>
> During the installation procedure, backup copies are made of the files
> which are replaced by the package.  These backup copies will be
> reinstalled if the package is removed, reverting the system to a
> pre-patched state.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-02:08/security-patch-exec-02.08.tgz
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-02:08/security-patch-exec-02.08.tgz.asc
>
> Verify the detached PGP signature using your PGP utility.
>
> # pkg_add security-patch-exec-02.08.tgz
>
> The new kernel is named /kernel.GENERIC to avoid conflict with the
> default kernel name (``/kernel'').  To cause the system to boot
> automatically with the new kernel, add the following line to
> /boot/loader.conf:
>
> kernel="/kernel.GENERIC"
>
> and reboot the system to load the new kernel.  The old kernel is still
> available and can be manually loaded in the boot loader in case of
> problems.
>
> VI.  Correction details
>
> The following list contains the $FreeBSD$ revision number of the
> files that were corrected in the FreeBSD source.
>
> Path                                                            Revision
>                                                                   Branch
> - -------------------------------------------------------------------------
> src/sys/conf/newvers.sh
>                                                   RELENG_4_4 1.44.2.17.2.5
>                                                   RELENG_4_3 1.44.2.14.2.14
> src/sys/kern/kern_exec.c
>                                                   RELENG_4   1.107.2.13
>                                                   RELENG_4_4 1.107.2.8.2.1
>                                                   RELENG_4_3 1.107.2.5.2.2
> src/sys/kern/sys_process.c
>                                                   RELENG_4   1.51.2.3
>                                                   RELENG_4_4 1.51.2.1.4.1
>                                                   RELENG_4_3 1.51.2.1.2.1
> src/sys/miscfs/procfs/procfs.h
>                                                   RELENG_4   1.32.2.3
>                                                   RELENG_4_4 1.32.2.2.2.1
>                                                   RELENG_4_3 1.32.2.1.2.2
> src/sys/miscfs/procfs/procfs_ctl.c
>                                                   RELENG_4   1.20.2.2
>                                                   RELENG_4_4 1.20.2.1.4.1
>                                                   RELENG_4_3 1.20.2.1.2.1
> src/sys/miscfs/procfs/procfs_dbregs.c
>                                                   RELENG_4   1.4.2.3
>                                                   RELENG_4_4 1.4.2.2.2.1
>                                                   RELENG_4_3 1.4.2.1.2.1
> src/sys/miscfs/procfs/procfs_fpregs.c
>                                                   RELENG_4   1.11.2.3
>                                                   RELENG_4_4 1.11.2.2.2.1
>                                                   RELENG_4_3 1.11.2.1.2.1
> src/sys/miscfs/procfs/procfs_mem.c
>                                                   RELENG_4   1.46.2.3
>                                                   RELENG_4_4 1.46.2.2.2.1
>                                                   RELENG_4_3 1.46.2.1.2.2
> src/sys/miscfs/procfs/procfs_regs.c
>                                                   RELENG_4   1.10.2.3
>                                                   RELENG_4_4 1.10.2.2.2.1
>                                                   RELENG_4_3 1.10.2.1.2.1
> src/sys/miscfs/procfs/procfs_status.c
>                                                   RELENG_4   1.20.2.4
>                                                   RELENG_4_4 1.20.2.3.4.1
>                                                   RELENG_4_3 1.20.2.3.2.1
> src/sys/miscfs/procfs/procfs_vnops.c
>                                                   RELENG_4   1.76.2.7
>                                                   RELENG_4_4 1.76.2.5.2.1
>                                                   RELENG_4_3 1.76.2.3.2.2
> src/sys/sys/proc.h
>                                                   RELENG_4   1.99.2.6
>                                                   RELENG_4_4 1.99.2.5.4.1
>                                                   RELENG_4_3 1.99.2.5.2.1
> - -------------------------------------------------------------------------
>
> VII. References
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iQCVAwUBPFCAl1UuHi5z0oilAQGyiQP/V2byHL40v23S1q4PanobNUPhKUQBKsVI
> OCmBowy2r7Ka0GPDFxAko/xeXnZmM9lvZ0PqMdpy5god27txxAtXmvmJjMPc3dRK
> SbJGvfrGSrRMvXR8rrpIOugq0mkMePiXsS8RDAkcAHAXpFF0MVuQfoaQYykn+LiV
> i6D4RvGxGZw=
> =ywM6
> -----END PGP SIGNATURE-----

From owner-freebsd-security Fri Jan 25 16:14:41 2002
Received: from shemp.palomine.net (shemp.palomine.net [216.135.64.135]) by hub.freebsd.org (Postfix) with SMTP id 31A9B37B404 for ; Fri, 25 Jan 2002 16:14:33 -0800 (PST)
Received: (qmail 9226 invoked by uid 1000); 26 Jan 2002 00:14:31 -0000
Date: Fri, 25 Jan 2002 19:14:31 -0500
From: Chris Johnson
To: Patrick Fish
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:08.exec
Message-ID: <20020125191431.B8953@palomine.net>
References: <200201242153.g0OLrSn75456@freefall.freebsd.org> <004401c1a5fc$d905eb70$2300a8c0@zeus>
In-Reply-To: <004401c1a5fc$d905eb70$2300a8c0@zeus>; from patrick@pwhsnet.com on Fri, Jan 25, 2002 at 04:03:12PM -0800
User-Agent: Mutt/1.2.5.1i

On Fri, Jan 25, 2002 at 04:03:12PM -0800, Patrick Fish wrote:
> When I do:
> #cd /usr/src
> #patch -p /root/exec-43R.patch

patch -p < /root/exec-43R.patch

Chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8UfTmyeUEMvtGLWERArrDAKCYJHv++OuzhHiQA5Eda42RuW3OMwCg1r4k
8cAS4ghWxwPB5c6S9O1CvFU=
=pa/k
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Jan 25 19:41:10 2002
Received: from hotmail.com (oe19.pav1.hotmail.com [64.4.30.123]) by hub.freebsd.org (Postfix) with ESMTP id CCA0437B429 for ; Fri, 25 Jan 2002 19:40:57 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 25 Jan 2002 19:40:57 -0800
X-Originating-IP: [66.185.84.77]
From: "jack xiao"
Subject: isakmpd with AES
Date: Fri, 25 Jan 2002 22:42:13 -0500
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-OriginalArrivalTime: 26 Jan 2002 03:40:57.0352 (UTC) FILETIME=[43B7A080:01C1A61B]

Hi,

Does anybody have experience working isakmpd with AES encryption in phase 2? I set a new configuration for that, but got an "unsupported encryption algorithm" error message. Should I compile isakmpd including AES somewhere? Thanks a lot!

Jack

From owner-freebsd-security Sat Jan 26 01:53:01 2002
Received: from myethome.com (u172-43.u203-203.giga.net.tw [203.203.172.43]) by hub.freebsd.org (Postfix) with SMTP id 7DF6C37B400; Sat, 26 Jan 2002 01:49:00 -0800 (PST)
From: vip_d@jton.con.tw
To: vip_3@hinet.met
Subject: Prepare a custom-made gift for your sweetheart ahead of time! (virus scanned)
Message-Id: <20020126094900.7DF6C37B400@hub.freebsd.org>
Date: Sat, 26 Jan 2002 01:49:00 -0800 (PST)
ICAgICA8cD48YSBocmVmPSJodHRwOi8vc2V4Ym94Lm9oYmkubmV0L3Nob3dyb29tL3ZpZXcucGhw P0M9NjQiPqdOpfrF3KfOwHMgDQogICAgICAgICAgICAgICAgICAgICAgKLVMuXGwyik8L2E+PC9w Pg0KICAgICAgICAgICAgICAgICAgICA8cD48YSBocmVmPSJodHRwOi8vc2V4Ym94Lm9oYmkubmV0 L3Nob3dyb29tL3ZpZXcucGhwP0M9NjQiPq9TveY6NDkwpLg8L2E+PC9wPg0KICAgICAgICAgICAg ICAgICAgPC90ZD4NCiAgICAgICAgICAgICAgICAgIDx0ZCB3aWR0aD0iMTQzIj48YSBocmVmPSJo dHRwOi8vc2V4Ym94Lm9oYmkubmV0L3Nob3dyb29tL3ZpZXcucGhwP0M9NjcyIj6t7LjLtmmkZrlH r3Wm173ot1CkaqbRpEfF3KfOwHM8YnI+DQogICAgICAgICAgICAgICAgICAgIK9TveahRyA1ODAg pLg8YnI+DQogICAgICAgICAgICAgICAgICAgIDwvYT4gPC90ZD4NCiAgICAgICAgICAgICAgICAg IDx0ZCB3aWR0aD0iMTA2Ij4NCiAgICAgICAgICAgICAgICAgICAgPHA+PGEgaHJlZj0iaHR0cDov L3NleGJveC5vaGJpLm5ldC9zaG93cm9vbS92aWV3LnBocD9DPTI4MyI+rPyw6ldFVCANCiAgICAg ICAgICAgICAgICAgICAgICC87bfGskc8L2E+PC9wPg0KICAgICAgICAgICAgICAgICAgICA8cD48 YSBocmVmPSJodHRwOi8vc2V4Ym94Lm9oYmkubmV0L3Nob3dyb29tL3ZpZXcucGhwP0M9MjgzIj6v U73mOjQ5MKS4PC9hPjwvcD4NCiAgICAgICAgICAgICAgICAgIDwvdGQ+DQogICAgICAgICAgICAg ICAgICA8dGQgd2lkdGg9IjExNyI+IA0KICAgICAgICAgICAgICAgICAgICA8cD48YSBocmVmPSJo dHRwOi8vc2V4Ym94Lm9oYmkubmV0L3Nob3dyb29tL3ZpZXcucGhwP0M9MTIzIj6k6aW7qN+ka62m PC9hPjwvcD4NCiAgICAgICAgICAgICAgICAgICAgPHA+PGEgaHJlZj0iaHR0cDovL3NleGJveC5v aGJpLm5ldC9zaG93cm9vbS92aWV3LnBocD9DPTEyMyI+r1O95joxNjUwpLg8L2E+PC9wPg0KICAg ICAgICAgICAgICAgICAgICA8L3RkPg0KICAgICAgICAgICAgICAgIDwvdHI+DQogICAgICAgICAg ICAgIDwvdGFibGU+DQogICAgICAgICAgICA8L3RkPg0KICAgICAgICAgIDwvdHI+DQogICAgICAg IDwvdGFibGU+DQogICAgICA8L3RkPg0KICAgIDwvdHI+DQogIDwvdGFibGU+DQogIDx0YWJsZSB3 aWR0aD0iNTAwIiBib3JkZXI9IjAiIGNlbGxzcGFjaW5nPSIwIiBjZWxscGFkZGluZz0iMCI+DQog ICAgPHRyIGJnY29sb3I9IiNGRkU2RkUiPiANCiAgICAgIDx0ZCBiZ2NvbG9yPSIjRkY5OUNDIj4m bmJzcDs8L3RkPg0KICAgIDwvdHI+DQogIDwvdGFibGU+DQo8L2NlbnRlcj4NCjwvYm9keT4NCjwv aHRtbD4NCg== ------=_NextPart_1f1BvkW7JmhWSz416A-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jan 26 1:59:47 2002 
Delivered-To: freebsd-security@freebsd.org
Received: from energyhq.homeip.net (213-97-200-73.uc.nombres.ttd.es [213.97.200.73]) by hub.freebsd.org (Postfix) with ESMTP id 426F437B400 for ; Sat, 26 Jan 2002 01:59:45 -0800 (PST)
Received: from there (kajsa.energyhq.org [192.168.0.1]) by energyhq.homeip.net (Postfix) with SMTP id EE7CD3FC07; Sat, 26 Jan 2002 10:59:39 +0100 (CET)
Content-Type: text/plain; charset="iso-8859-1"
From: Miguel Mendez
Organization: Energy HQ
To: Robert Simmons, freebsd-security@freebsd.org
Subject: Re: theo
Date: Sat, 26 Jan 2002 10:59:11 +0100
X-Mailer: KMail [version 1.3.2]
References: <20020125175928.H41011-100000@mail.wlcg.com>
In-Reply-To: <20020125175928.H41011-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <20020126095939.EE7CD3FC07@energyhq.homeip.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Saturday 26 January 2002 00:05, Robert Simmons wrote:

Hi,

> Let's say someone has a machine they don't have console access to, but they
> know that the OS comes back every time they reboot the fucker.

That cursing is totally redundant.

> The kernel is on the old hard drive, with the swap garbage. The brand
> spanking new OS is mirrored on a twed. How can I tell that the core
> team's brand spanking newly de-scriptkiddified kernel is the one that
> boots? dmesg?

Jesus H Christ, are you sure you are a Systems Admin? Those are totally
newbie questions.

man ls ; man dmesg; man uname

And this is FreeBSD, not your typical Linux crap, our kernels actually work :)

Cheers,
--
Miguel Mendez - flynn@energyhq.homeip.net
EnergyHQ :: http://energyhq.homeip.net
FreeBSD - The power to serve!

From owner-freebsd-security Sat Jan 26 3:49: 0 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [198.92.199.5]) by hub.freebsd.org (Postfix) with ESMTP id A03D937B404 for ; Sat, 26 Jan 2002 03:48:57 -0800 (PST)
Received: from mail.wlcg.com (mail.wlcg.com [198.92.199.5]) by mail.wlcg.com (8.11.6/8.11.6) with ESMTP id g0QBmua23970 for ; Sat, 26 Jan 2002 06:48:56 -0500 (EST) (envelope-from rsimmons@wlcg.com)
Date: Sat, 26 Jan 2002 06:48:53 -0500 (EST)
From: Robert Simmons
To: freebsd-security@freebsd.org
Subject: Spork
Message-ID: <20020126064653.A23956-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

FreeBSD mail 4.5-RC FreeBSD 4.5-RC #0: Tue Jan 15 15:19:55 EST 2002 root@mail:/usr/obj/usr/src/sys/WASABI i386

My friend wrote NTP. udel monkeys....... Give us our code back :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

From owner-freebsd-security Sat Jan 26 4: 5:13 2002
Delivered-To: freebsd-security@freebsd.org
Received: from faui02.informatik.uni-erlangen.de (faui02.informatik.uni-erlangen.de [131.188.30.102]) by hub.freebsd.org (Postfix) with ESMTP id 04EEF37B402 for ; Sat, 26 Jan 2002 04:05:08 -0800 (PST)
Received: (from msfriedl@localhost) by faui02.informatik.uni-erlangen.de (8.9.1/8.1.16-FAU) id NAA00843; Sat, 26 Jan 2002 13:05:01 +0100 (MET)
Date: Sat, 26 Jan 2002 13:05:01 +0100
From: Markus Friedl
To: jack xiao
Cc: tech@openbsd.org, freebsd-security@FreeBSD.ORG
Subject: Re: isakmpd with AES
Message-ID: <20020126120501.GA28939@faui02>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.25i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

If you want to use AES in phase 2 then your kernel's IPsec code needs to
support AES.

On Fri, Jan 25, 2002 at 10:42:13PM -0500, jack xiao wrote:
> Hi,
>
> Does anybody have experience with getting isakmpd to work with AES
> encryption in phase 2? I set a new configuration for that, but got an
> "unsupported encryption algorithm" error message. Should I compile
> isakmpd with AES included somewhere? Thanks a lot!
>
> Jack

From owner-freebsd-security Sat Jan 26 9:13:23 2002
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f31.law14.hotmail.com [64.4.21.31]) by hub.freebsd.org (Postfix) with ESMTP id 9F92837B404 for ; Sat, 26 Jan 2002 09:13:12 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sat, 26 Jan 2002 09:13:12 -0800
Received: from 209.124.192.249 by lw14fd.law14.hotmail.msn.com with HTTP; Sat, 26 Jan 2002 17:13:12 GMT
X-Originating-IP: [209.124.192.249]
From: "William J. Borskey"
To: freebsd-security@freebsd.org
Subject: weird server activity
Date: Sat, 26 Jan 2002 09:13:12 -0800
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 26 Jan 2002 17:13:12.0504 (UTC) FILETIME=[BC21AB80:01C1A68C]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

I am running FreeBSD 4.4. I use Apache-fp and openssh. About a week ago my
system went down and I wasn't able to log in or look at any web pages. I
could connect, but it would not spawn a process to log me in, or serve me a
web document. I got someone to reboot the machine from the console, and I
was then able to log into the machine. Starting processes was slow but top
reported normal system loads. Then after about an hour the machine would
no longer run any processes and quickly shut me out by killing the sshd I
was connected with. I did get a chance to look at some of my logs, not all
unfortunately.
The httpd-access file had some weird sequences of Windows-sounding paths,
but it wasn't Code Red or anything like Code Red:

147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:00 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:00 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET "-"
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291
147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:06 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:06 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"

I haven't been able to look at any other logs and I doubt that that has
anything to do with it.

William Borskey

From owner-freebsd-security Sat Jan 26 9:23:44 2002
Delivered-To: freebsd-security@freebsd.org
Received: from jgj.org.uk (public1-leed1-4-cust166.leed.broadband.ntl.com [80.0.0.166]) by hub.freebsd.org (Postfix) with SMTP id F1F4A37B402 for ; Sat, 26 Jan 2002 09:23:36 -0800 (PST)
Received: (qmail 81900 invoked from network); 26 Jan 2002 17:25:20 -0000
Received: from sean.jgj.org.uk (192.168.243.89) by rufus.jgj.org.uk with SMTP; 26 Jan 2002 17:25:20 -0000
Date: Sat, 26 Jan 2002 17:23:35 +0000
Subject: Re: weird server activity
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v480)
From: James Jeffrey
To: freebsd-security@freebsd.org
Content-Transfer-Encoding: 7bit
Message-Id: <6DBE5096-1281-11D6-B090-003065A1F05E@jgj.org.uk>
X-Mailer: Apple Mail (2.480)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Hi,

As a very low grade FreeBSD'ian I'm ready to get shot down in flames here
but... I think the logs are a red herring; it's just various attempts to
exploit IIS which won't affect you. I get them all the time.

This doesn't really sound like a security problem as such. I suppose it
could be some kind of DoS, but from my limited experience it is more likely
to be leaky software and you're running out of memory or something.

Does your website have any active content? Any cgi-scripts or the like
that could be generating problems? I have seen similar symptoms on Solaris
webservers that were caused by badly written web-backend software
exhausting the virtual memory, and I once wrote a cgi-script which did
much the same to a FreeBSD box..... :(

regards,

James Jeffrey (CCSA, CCSE)
james@jgj.org.uk

On Saturday, January 26, 2002, at 05:13 , William J. Borskey wrote:

> I am running FreeBSD 4.4. I use Apache-fp and openssh. About a week ago
> my system went down and I wasn't able to log in or look at any web pages.
> I could connect, but it would not spawn a process to log me in, or serve
> me a web document. I got someone to reboot the machine from the console,
> I was then able to log into the machine. Starting processes was slow but
> top reports normal system loads. Then after about an hour the machine
> would no longer run any processes and quickly shut me out by killing the
> sshd I was connected with. I did get a chance to look at some of my
> logs, not all unfortunately.
> The httpd-access file had some weird sequences of Windows-sounding
> paths, but it wasn't Code Red or anything like Code Red:
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
>
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET
> /MSADC/root.exe?/c+dir
> 147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET
>
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404
> 200 "-" "-"
> I haven't been able to look at any other logs and I doubt that that has
> anything to do with it.
>
> William Borskey

From owner-freebsd-security Sat Jan 26 9:26:49 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.conwaycorp.net (mail.conwaycorp.net [24.144.1.33]) by hub.freebsd.org (Postfix) with SMTP id 714E037B400 for ; Sat, 26 Jan 2002 09:26:37 -0800 (PST)
Received: (qmail 16783 invoked from network); 26 Jan 2002 17:15:59 -0000
Received: from unknown (HELO win2ks) (24.144.26.25) by mail.conwaycorp.net with SMTP; 26 Jan 2002 17:15:59 -0000
Message-ID: <000c01c1a68d$ca50d860$191a9018@win2ks>
From: "Chad Bishop"
Subject: Re: weird server activity
Date: Sat, 26 Jan 2002 11:20:45 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Do you have any crontabs? How much RAM and CPU clock does this machine
have? Have you noticed any evidence of an intrusion?

----- Original Message -----
From: "William J. Borskey"
Sent: Saturday, January 26, 2002 11:13 AM
Subject: weird server activity

> I am running FreeBSD 4.4. I use Apache-fp and openssh. About a week ago my
> system went down and I wasn't able to log in or look at any web pages. I
> could connect, but it would not spawn a process to log me in, or serve me
> a web document. I got someone to reboot the machine from the console, I
> was then able to log into the machine. Starting processes was slow but top
> reports normal system loads. Then after about an hour the machine would no
> longer run any processes and quickly shut me out by killing the sshd I was
> connected with. I did get a chance to look at some of my logs, not all
> unfortunately. The httpd-access file had some weird sequences of
> Windows-sounding paths, but it wasn't Code Red or anything like Code Red:
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200
> [...]
> 147.46.54.38 - - [19/Jan/2002:15:13:06 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> I haven't been able to look at any other logs and I doubt that that has
> anything to do with it.
>
> William Borskey

From owner-freebsd-security Sat Jan 26 9:32:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from energyhq.homeip.net (213-97-200-73.uc.nombres.ttd.es [213.97.200.73]) by hub.freebsd.org (Postfix) with ESMTP id 251D537B41E for ; Sat, 26 Jan 2002 09:32:26 -0800 (PST)
Received: from there (kajsa.energyhq.org [192.168.0.1]) by energyhq.homeip.net (Postfix) with SMTP id EF0013FC07; Sat, 26 Jan 2002 18:32:26 +0100 (CET)
Content-Type: text/plain; charset="iso-8859-1"
From: Miguel Mendez
Organization: Energy HQ
To: "William J. Borskey", freebsd-security@freebsd.org
Subject: Re: weird server activity
Date: Sat, 26 Jan 2002 18:32:00 +0100
X-Mailer: KMail [version 1.3.2]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <20020126173226.EF0013FC07@energyhq.homeip.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Saturday 26 January 2002 18:13, William J. Borskey wrote:

Hi there,

> sounding paths, but it wasn't Code Red or anything like Code Red:

No, it's not Code Red, it's Nimda IIRC. I used to get it on my server all
the time until I got tired of it and banned 213/8 with ipfw. Unless you are
getting lots of requests and have a high number in MaxSpareServers I don't
see how this alone could have caused the machine to be unable to spawn more
processes. If possible run some network monitoring software like e.g. snort
and watch for DoS attempts, but I would discard the worm as the cause.

Cheers,
--
Miguel Mendez - flynn@energyhq.homeip.net
EnergyHQ :: http://energyhq.homeip.net
FreeBSD - The power to serve!
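Here is an added example (not code from any of the posters or from FreeBSD) that classifies the probes William posted: it parses Apache access-log lines, tags the IIS worm request patterns they contain (root.exe, cmd.exe, double-encoded and overlong-UTF-8 `..\` sequences), and summarises per source IP whether every probe was rejected, which is the check behind James's and Miguel's reading that these requests are noise against a non-IIS host. The log lines are copied from the post; the benign 10.0.0.5 request, the tag names and the block threshold are constructed assumptions.

```python
"""Tag IIS worm probes (Code Red II / Nimda style) in an Apache access log.

Added example, not code from the thread.  The probe signatures below are
taken from the paths seen in William Borskey's log; the tag names, the
10.0.0.5 request and the block threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Lines copied from the post (one malformed line kept as it appeared),
# plus one constructed benign request so a non-probe is also exercised.
SAMPLE_LOG = """\
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET "-"
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291
147.46.54.38 - - [19/Jan/2002:15:13:06 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
10.0.0.5 - - [19/Jan/2002:15:20:00 -0600] "GET /index.html HTTP/1.0" 200 1532
"""

# Apache common log format prefix; the combined format's referer and
# user-agent fields, when present, simply trail the match.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Overlong / invalid UTF-8 encodings of '\' and '/' seen in the post; a
# plain URL decode turns these into U+FFFD, so they are matched raw.
OVERLONG_RE = re.compile(r'%c0%af|%c0%2f|%c1%1c|%c1%9c', re.I)


def classify(path: str) -> set:
    """Return the probe tags a request path matches (empty set = not a probe)."""
    tags = set()
    low = path.lower()
    if "root.exe" in low:
        tags.add("root.exe backdoor")
    if "cmd.exe" in low:
        tags.add("cmd.exe")
    if OVERLONG_RE.search(low):
        tags.add("overlong-utf8 traversal")
    # Decode twice: '..%255c' -> '..%5c' -> '..\' and '..%%35%63' -> '..%5c' -> '..\'.
    decoded = unquote(unquote(path))
    if "../" in decoded or "..\\" in decoded:
        tags.add("dot-dot traversal")
        if "%25" in low or "%%" in path:
            tags.add("double-encoded")
    return tags


def analyze(log_text: str):
    """Summarise probe requests per source IP.

    Returns (summary, malformed): summary maps ip -> dict with the number
    of probes, the union of tags and the set of HTTP status codes seen;
    malformed lists lines that did not parse (the post contains one).
    """
    summary = defaultdict(lambda: {"probes": 0, "tags": set(), "statuses": set()})
    malformed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            malformed.append(line)
            continue
        tags = classify(m["path"])
        if not tags:
            continue  # ordinary request, not counted
        entry = summary[m["ip"]]
        entry["probes"] += 1
        entry["tags"] |= tags
        entry["statuses"].add(int(m["status"]))
    return dict(summary), malformed


def nothing_served(entry: dict) -> bool:
    """True when every probe from this source got an error status (4xx/5xx)."""
    return all(status >= 400 for status in entry["statuses"])


def block_candidates(summary: dict, min_probes: int = 5) -> list:
    """Sources that probed repeatedly and were always rejected: candidates for
    a host-specific firewall rule (narrower than the /8 Miguel mentions)."""
    return sorted(ip for ip, e in summary.items()
                  if e["probes"] >= min_probes and nothing_served(e))


def needs_investigation(summary: dict) -> list:
    """Sources where at least one probe got a non-error status: look at those
    requests before deciding the logs are a red herring."""
    return sorted(ip for ip, e in summary.items() if not nothing_served(e))


if __name__ == "__main__":
    summary, malformed = analyze(SAMPLE_LOG)
    for ip, e in summary.items():
        print(f"{ip}: {e['probes']} probes, statuses {sorted(e['statuses'])}, "
              f"tags {sorted(e['tags'])}")
    print("block candidates:", block_candidates(summary))
    print("needs investigation:", needs_investigation(summary))
    print("malformed lines:", len(malformed))
```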
From owner-freebsd-security Sat Jan 26 13:36: 3 2002
Delivered-To: freebsd-security@freebsd.org
Received: from nic.upatras.gr (nic.upatras.gr [150.140.129.30]) by hub.freebsd.org (Postfix) with SMTP id E546C37B402 for ; Sat, 26 Jan 2002 13:35:51 -0800 (PST)
Received: (qmail 14108 invoked from network); 26 Jan 2002 21:32:36 -0000
Received: from dialup3-ceid-dialinpool-9.upatras.gr (HELO hades.hell.gr) (root@150.140.128.201) by nic.upatras.gr with SMTP; 26 Jan 2002 21:32:36 -0000
Received: (from charon@localhost) by hades.hell.gr (8.11.6/8.11.6) id g0QIXjP00741; Sat, 26 Jan 2002 20:33:45 +0200 (EET) (envelope-from keramida@freebsd.org)
Date: Sat, 26 Jan 2002 20:33:45 +0200
From: Giorgos Keramidas
To: Robert Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: theo
Message-ID: <20020126183344.GA659@hades.hell.gr>
References: <20020125175928.H41011-100000@mail.wlcg.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="17pEHd4RhPHOinZp"
Content-Disposition: inline
In-Reply-To: <20020125175928.H41011-100000@mail.wlcg.com>
User-Agent: Mutt/1.3.25i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On 2002-01-25 18:05:37, Robert Simmons wrote:
>
> Let's say someone has a machine they don't have console access to, but they
> know that the OS comes back every time they reboot the fucker.
>
> The kernel is on the old hard drive, with the swap garbage. The brand
> spanking new OS is mirrored on a twed. How can I tell that the core
> team's brand spanking newly de-scriptkiddified kernel is the one that
> boots? dmesg?

Unless this is not available in 4-STABLE (haven't seen one around here
for a while), you can always check out:

    $ sysctl kern.bootfile
    kern.bootfile: /boot/kernel/kernel

Anyway. About those security alerts. The very fact that they *are*
coming out, in my personal view, means that someone is actually looking
into those security problems and the people that develop FreeBSD don't
just hide their heads in the sand and shout "NO, NO, WE ARE NOT
EXPLOITABLE! WE NEVER WERE! GO AWAY NOW." Accepting the fact that
problems do exist, in all software, and actually doing something about
it is a Good Thing(TM), IMHO :)

Cheers,
--
Giorgos Keramidas . . . . . . . . . keramida@{ceid.upatras.gr,freebsd.org}
FreeBSD Documentation Project . . . http://www.freebsd.org/docproj/
FreeBSD: The power to serve . . . .
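An added example (not from the post or from FreeBSD) for the check Giorgos describes: it parses `sysctl kern.bootfile` output and then goes one step further, comparing the SHA-256 of the file that booted against a hash recorded when the new kernel was installed, so the answer is "the expected file, with the expected contents" rather than just a path. The sysctl line is the one quoted in the message; the stand-in kernel file, its contents and the recorded hash in demo() are constructed.

```python
"""Confirm that the kernel that booted is the one you installed.

Added example, not code from the thread or from FreeBSD.  Step one is the
check Giorgos gives (sysctl kern.bootfile); step two compares the SHA-256
of that file with a hash you recorded right after installing the new
kernel.  Both steps trust the running kernel to answer honestly, so a box
you already suspect is better checked from a trusted boot medium.
"""
import hashlib
import os
import subprocess
import tempfile


def parse_bootfile(sysctl_output: str) -> str:
    """Extract the path from a line such as 'kern.bootfile: /boot/kernel/kernel'."""
    key, sep, value = sysctl_output.strip().partition(":")
    if key.strip() != "kern.bootfile" or not sep or not value.strip():
        raise ValueError(f"unexpected sysctl output: {sysctl_output!r}")
    return value.strip()


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so a kernel image is not slurped."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_booted_kernel(sysctl_output: str, expected_path: str,
                         expected_sha256: str):
    """Return (ok, reason): the booted path must be expected_path and its
    current contents must hash to expected_sha256."""
    booted = parse_bootfile(sysctl_output)
    if os.path.realpath(booted) != os.path.realpath(expected_path):
        return False, f"booted {booted}, expected {expected_path}"
    actual = sha256_of(booted)
    if actual != expected_sha256.lower():
        return False, f"{booted} hashes to {actual}, not the recorded value"
    return True, f"{booted} is the recorded kernel"


def live_sysctl_output() -> str:
    """Ask the running FreeBSD system; kept separate so demo() runs anywhere."""
    return subprocess.run(["sysctl", "kern.bootfile"], capture_output=True,
                          text=True, check=True).stdout


def demo():
    """Constructed scenario: a temp file stands in for /boot/kernel/kernel.

    Returns (match, tampered, wrong_path) booleans for the three cases.
    """
    with tempfile.TemporaryDirectory() as tmp:
        kernel = os.path.join(tmp, "kernel")
        with open(kernel, "wb") as fh:
            fh.write(b"constructed stand-in for the freshly built kernel\n")
        recorded = sha256_of(kernel)          # what you would note at install time
        sysctl_line = f"kern.bootfile: {kernel}\n"

        match, _ = verify_booted_kernel(sysctl_line, kernel, recorded)

        # Same path, but the file on disk no longer matches what was installed.
        with open(kernel, "ab") as fh:
            fh.write(b"unexpected extra bytes\n")
        tampered, _ = verify_booted_kernel(sysctl_line, kernel, recorded)

        # The loader picked a different file than the one you expected.
        wrong_path, _ = verify_booted_kernel("kern.bootfile: /kernel.old\n",
                                             kernel, recorded)
        return match, tampered, wrong_path


if __name__ == "__main__":
    print(demo())
```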
http://www.freebsd.org/

From owner-freebsd-security Sat Jan 26 17:28:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from taiwan.com (u172-43.u203-203.giga.net.tw [203.203.172.43]) by hub.freebsd.org (Postfix) with SMTP id A87EB37B400; Sat, 26 Jan 2002 17:27:14 -0800 (PST)
Received: from tpts7 by mars.seed.net.tw with SMTP id icuF59PDfT9jNgClfYvCJFGwD0C2; Sun, 27 Jan 2002 09:23:30 +0800
From: vip_7@pcmail.con.tw
To: vip_8@kimo.com.tm
Subject: **Valentine's Day hot-selling promotion** (virus-scanned)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_cPF06vWerNc61f5q"
X-Mailer: ZRAVD9V24oSZVnBWlyduTsIG
X-Priority: 3
X-MSMail-Priority: Normal
Date: Sat, 26 Jan 2002 17:27:14 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

This is a multi-part message in MIME format.

Content-Type: text/plain; Content-Transfer-Encoding: quoted-printable

http://sexbox.ohbi.net/

Content-Type: application/octet-stream; name="C:\My Documents\sexbox\sexbox.htm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sexbox.htm"

From owner-freebsd-security Sat Jan 26 20: 9:47 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.tgd.net (mail.tgd.net
    [209.81.25.10]) by hub.freebsd.org (Postfix) with ESMTP id 41B4337B402 for ; Sat, 26 Jan 2002 20:09:45 -0800 (PST)
Received: by mail.tgd.net (Postfix, from userid 1001) id 10D0120F0A; Sat, 26 Jan 2002 20:09:45 -0800 (PST)
Date: Sat, 26 Jan 2002 20:09:44 -0800
From: Sean Chittenden
To: freebsd-security@freebsd.org
Subject: MIT Kerberos kadmind unable to start...
Message-ID: <20020126200944.E8408@ninja1.internal>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
X-PGP-Key: 0x1EDDFAAD
X-PGP-Fingerprint: C665 A17F 9A56 286C 5CFB 1DEA 9F4F 5CEF 1EDD FAAD
X-Web-Homepage: http://sean.chittenden.org/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I just upgraded to 1.2.3 and thought it'd be a nice idea to kill and restart the new kadmin and krb5kdc's, however, now I'm getting the following error:

    # /usr/local/sbin/kadmind
    kadmind: Cannot set GSS-API authentication names.
    kadmind in free(): warning: chunk is already free
    kadmind in free(): warning: chunk is already free

Anyone else having similar problems? I've been able to reproduce this on two different boxes and am now down both of my slave KDCs. <:~( Anyone have any ideas?

-sc

-- 
Sean Chittenden

From owner-freebsd-security Sat Jan 26 20:22:23 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.tgd.net (mail.tgd.net [209.81.25.10]) by hub.freebsd.org (Postfix) with ESMTP id 6376937B404 for ; Sat, 26 Jan 2002 20:22:21 -0800 (PST)
Received: by mail.tgd.net (Postfix, from userid 1001) id 7CD6D20F0A; Sat, 26 Jan 2002 20:22:20 -0800 (PST)
Date: Sat, 26 Jan 2002 20:22:20 -0800
From: Sean Chittenden
To: freebsd-security@freebsd.org
Subject: Re: MIT Kerberos kadmind unable to start... [RESOLVED]
Message-ID: <20020126202220.G8408@ninja1.internal>
References: <20020126200944.E8408@ninja1.internal>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020126200944.E8408@ninja1.internal>; from "sean@chittenden.org" on Sat, Jan 26, 2002 at 08:09:44PM
X-PGP-Key: 0x1EDDFAAD
X-PGP-Fingerprint: C665 A17F 9A56 286C 5CFB 1DEA 9F4F 5CEF 1EDD FAAD
X-Web-Homepage: http://sean.chittenden.org/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> I just upgraded to 1.2.3 and thought it'd be a nice idea to kill and
> restart the new kadmin and krb5kdc's, however, now I'm getting the
> following error:
>
> # /usr/local/sbin/kadmind
> kadmind: Cannot set GSS-API authentication names.
> kadmind in free(): warning: chunk is already free
> kadmind in free(): warning: chunk is already free

Somehow I managed to zero out the kadmind.keytab's (scratches head). The following fixed the problem:

    kadmin.local:  ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
    kadmin.local:  q
    host# /usr/local/sbin/kadmind

ktrace is sweet. Sorry for responding to my own question.

-sc

-- 
Sean Chittenden
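The failure Sean ran into (an empty kadm5.keytab, so kadmind cannot acquire its GSS-API names) is easy to catch before restarting the daemon. The script below is an added example and is not code from the thread or from MIT Kerberos: it checks that the keytab is non-empty and that it holds both principals his ktadd re-added, kadmin/admin and kadmin/changepw. It assumes the keytab path quoted in the thread and the MIT "klist -k" listing layout (a KVNO column followed by principal@REALM); the two sample listings are constructed for offline use, not captured from a real KDC.

```shell
#!/bin/sh
# Added example, not part of the original thread: pre-flight check for the
# keytab kadmind reads. Flags a keytab that is empty or lacks kadmin/admin
# or kadmin/changepw, the state Sean's ktadd repaired, before kadmind dies
# with "Cannot set GSS-API authentication names".
# Assumptions: MIT Kerberos 'klist -k' output layout; keytab path from the thread.

KADM5_KEYTAB="${KADM5_KEYTAB:-/usr/local/var/krb5kdc/kadm5.keytab}"
REQUIRED_PRINCS="kadmin/admin kadmin/changepw"

# check_keytab_listing: read a 'klist -k' listing on stdin. Return 0 when
# every required principal appears (any realm, any KVNO); otherwise print
# the missing ones to stderr and return 1.
check_keytab_listing() {
    listing=$(cat)
    missing=""
    for p in $REQUIRED_PRINCS; do
        # Entry rows look like: "   3 kadmin/admin@EXAMPLE.COM"
        if ! printf '%s\n' "$listing" | grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+${p}@"; then
            missing="$missing $p"
        fi
    done
    if [ -n "$missing" ]; then
        echo "keytab is missing:$missing" >&2
        return 1
    fi
    return 0
}

# check_keytab_file: size check (catches the zeroed-out keytab from the
# thread) followed by the principal check; needs klist on the host.
check_keytab_file() {
    kt="$1"
    if [ ! -s "$kt" ]; then
        echo "$kt is missing or zero length" >&2
        return 1
    fi
    klist -k "$kt" | check_keytab_listing
}

# Constructed sample listings for offline use; not captured from a real KDC.
GOOD_LISTING='Keytab name: FILE:/usr/local/var/krb5kdc/kadm5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 kadmin/admin@EXAMPLE.COM
   3 kadmin/changepw@EXAMPLE.COM'

BAD_LISTING='Keytab name: FILE:/usr/local/var/krb5kdc/kadm5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 kadmin/admin@EXAMPLE.COM'

case "${1:-}" in
    --demo)
        printf '%s\n' "$GOOD_LISTING" | check_keytab_listing && echo "sample 1: ok"
        printf '%s\n' "$BAD_LISTING" | check_keytab_listing || echo "sample 2: regenerate with ktadd"
        ;;
    --check)
        check_keytab_file "$KADM5_KEYTAB" && echo "$KADM5_KEYTAB: ok"
        ;;
esac
```

Run it with --demo to see both sample listings judged offline, or with --check on a KDC to inspect the real keytab before starting kadmind; a non-zero exit is the cue to re-run ktadd as in the fix above.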