From owner-freebsd-security Sun Mar 24 13:38:09 2002
From: Brett Glass
Date: Sun, 24 Mar 2002 14:37:48 -0700
To: Makoto Matsushita, security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-Id: <4.3.2.7.2.20020324143624.02d12a50@nospam.lariat.org>
In-Reply-To: <20020323032436X.matusita@jp.FreeBSD.org>

At 11:24 AM 3/22/2002, Makoto Matsushita wrote:
> I've just tried to build FreeBSD/i386 4.5-RELEASE-p2. It is composed of:
>
> * Using latest RELENG_4_5's source code to build.
> * Ports and packages come from recent ports (different from 4.5-RELEASE).
> * Doc and XFree86 3.x distributions are the same as 4.5-RELEASE.
> * Release documents come from bmah's latest RELENG_4_5 snapshots (thanks!)

Fantastic! This is what I want to install on new machines. Can the FreeBSD Project arrange to do similar builds between releases, especially when there are major glitches such as the OpenSSH local root hole and the zlib mess?

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Mar 24 13:43:16 2002
From: "Andrew Griffiths"
Date: Mon, 25 Mar 2002 08:43:05 +1100 (EST)
To: security@freebsd.org
Subject: page fault.
Message-Id: <200203242143.g2OLh4523143@franklin.nt.tas.gov.au>

Hello,

While testing some code to show the stack ranges on systems, I noticed that FreeBSD wouldn't segfault when it accessed memory below esp, or the stack bottom.

Not sure whether it's a problem, but I think it's worth noting.

Andrew Griffiths
--
www.tasmail.com

From owner-freebsd-security Sun Mar 24 14:25:54 2002
From: Jake Burkholder
Date: Sun, 24 Mar 2002 17:35:16 -0500
To: Andrew Griffiths
Cc: security@FreeBSD.ORG
Subject: Re: page fault.
Message-ID: <20020324173516.V90182@locore.ca>
In-Reply-To: <200203242143.g2OLh4523143@franklin.nt.tas.gov.au>

Apparently, On Mon, Mar 25, 2002 at 08:43:05AM +1100, Andrew Griffiths said words to the effect of;
> Hello,
>
> While testing some code to show the stack ranges on systems, I noticed that FreeBSD wouldn't segfault when it accessed memory below esp, or the stack bottom.
>
> Not sure whether it's a problem, but I think it's worth noting.

You mean numerically higher addresses than %esp? Like this?

#include <stdio.h>

int
main(void)
{
	volatile int *v;
	int a;

	/* Start at a local variable on the stack and walk toward higher
	 * addresses, printing each word, until an access faults and the
	 * process is killed by the resulting signal. */
	for (v = &a;; v++)
		printf("%p: %#x\n", (void *)v, (unsigned)*v);
}

It depends how far you go. A bunch of stuff is copied out to the top of the stack by the kernel so you have some slush to work through. In either direction you'll eventually get a segfault (sigbus in the above case because you run into kernel address space).

> Andrew Griffiths
> --
> www.tasmail.com

From owner-freebsd-security Sun Mar 24 15:43:16 2002
From: Garrett Wollman
Date: Sun, 24 Mar 2002 18:42:31 -0500 (EST)
To: Cy Schubert - CITS Open Systems Group
Cc: security@FreeBSD.ORG
Subject: Re: strange behaviour on /tmp
Message-Id: <200203242342.g2ONgV643436@khavrinen.lcs.mit.edu>
In-Reply-To: <200203240753.g2O7rJL28515@cwsys.cwsent.com>

< said:
> The FIPS standard I speak of has been revoked.

FIPS 151-2 is incorporated in IEEE Std. 1003.1-2001, so there is no longer any need for it.
-GAWollman

From owner-freebsd-security Mon Mar 25 07:32:17 2002
From: krzysztof Strzelczyk
Date: Mon, 25 Mar 2002 07:32:07 -0800 (PST)
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: Kernel error?? Hacked?? Bad NIC??
Message-ID: <20020325153207.66991.qmail@web14804.mail.yahoo.com>

Hello,

I'm getting some weird activity from my primary DNS server. I have two aliases on one NIC on that box, as it also acts as a non-anonymous ftp server.

Interface fxp0
IP is xxx.xxx.xxx.11
alias0 is xxx.xxx.xxx.4
alias1 is xxx.xxx.xxx.15

I can send and receive ping requests from this interface, however I can only ping the .15 alias. The .11 IP address and the .4 alias return 'sendto: host down'. Is this a sign of a NIC going bad??

Here is the latest activity in my logs that I can not explain:

>opensocket_f: bind ([xxx.xxx.xxx.11]): can't assign requested address.
>Using kernel phase-lock loop 2040
>Using kernel phase-lock loop 2041
>Kernel pll status change 2040
>Kernel pll status change 2041

It almost smells like someone has hacked this box and disabled ping to the IPs he wants to use for his purposes. How could I best check on this? Is there a way to disable ping to certain IP addresses on a NIC? IPF is not loaded on this box.

Thanks for any help
-chris

From owner-freebsd-security Mon Mar 25 07:51:17 2002
From: Bart Matthaei
Date: Mon, 25 Mar 2002 16:53:11 +0100
To: krzysztof Strzelczyk
Cc: freebsd-security@freebsd.org
Subject: Re: Kernel error?? Hacked?? Bad NIC??
Message-ID: <20020325165311.D32155@heresy.dreamflow.nl>
In-Reply-To: <20020325153207.66991.qmail@web14804.mail.yahoo.com>

> I can send and receive ping requests from this
> interface however I can only ping the .15 alias. The
> .11 ip address and the .4 alias return 'sendto: host
> down'. Is this a sign of a NIC going bad??

Neh. Probably a routing table problem. Show us a ifconfig -a + netstat -nr.

> Here is the latest activity in my logs that I can not
> explain:
>
> >opensocket_f: bind ([xxx.xxx.xxx.11]): can't assign
> requested address.

Just an application that's trying to open a port that's already in use. Your syslog should show what program is barfing on this.

> >Using kernel phase-lock loop 2040
> >Using kernel phase-lock loop 2041
>
> >Kernel pll status change 2040
> >Kernel pll status change 2041

Isn't this spewed out by ntpd?

> It almost smells like someone has hacked this box and
> disabled ping to the IPs he wants to use for his
> purposes. How could I best check on this? Is there a
> way to disable ping to certain IP addresses on a NIC.
> IPF is not loaded on this box.

If you want our opinion on syslog messages, it's wise to show us entire lines instead of fragments. This way we can see what program is trying to tell you something.

Your box is probably fine. Get some coffee and relax ;) (although paranoia can be a good thing, don't overdo it).

Regards,

Bart

--
Bart Matthaei bart@dreamflow.nl
Eat drink and be merry, for tomorrow they may make it illegal.

From owner-freebsd-security Mon Mar 25 07:53:09 2002
From: "Nickolay A. Kritsky"
Date: Mon, 25 Mar 2002 18:52:43 +0300
Reply-To: "Nickolay A.Kritsky"
To: krzysztof Strzelczyk
Cc: freebsd-security@freebsd.org
Subject: Re: Kernel error?? Hacked?? Bad NIC??
Message-ID: <7131186123.20020325185243@internethelp.ru>
In-Reply-To: <20020325153207.66991.qmail@web14804.mail.yahoo.com>

Hello krzysztof,

Monday, March 25, 2002, 6:32:07 PM, you wrote:

kS> Hello,

kS> I'm getting some weird activity from my primary
kS> DNS server. I have two aliases on one NIC on that box, as
kS> it also acts as a non-anonymous ftp server.

kS> Interface fxp0
kS> IP is xxx.xxx.xxx.11
kS> alias0 is xxx.xxx.xxx.4
kS> alias1 is xxx.xxx.xxx.15

kS> I can send and receive ping requests from this
kS> interface however I can only ping the .15 alias. The
kS> .11 ip address and the .4 alias return 'sendto: host
kS> down'. Is this a sign of a NIC going bad??

Do you have any packet-filtering software on this box? If yes, what does your ruleset look like?
Do you perform pings from that very machine, or from a machine in the local segment, or from a machine behind the router(s)?

kS> Here is the latest activity in my logs that I can not
kS> explain:

>>opensocket_f: bind ([xxx.xxx.xxx.11]): can't assign
kS> requested address.

Which process is complaining?

>>Using kernel phase-lock loop 2040
>>Using kernel phase-lock loop 2041
>>Kernel pll status change 2040
>>Kernel pll status change 2041

kS> It almost smells like someone has hacked this box and
kS> disabled ping to the IPs he wants to use for his
kS> purposes. How could I best check on this? Is there a
kS> way to disable ping to certain IP addresses on a NIC.
kS> IPF is not loaded on this box.

kS> Thanks for any help
kS> -chris

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Mon Mar 25 08:02:21 2002
From: krzysztof Strzelczyk
Date: Mon, 25 Mar 2002 08:02:07 -0800 (PST)
To: "Nickolay A.Kritsky"
Cc: freebsd-security@freebsd.org
Subject: Re: Kernel error?? Hacked?? Bad NIC??
Message-ID: <20020325160207.47002.qmail@web14806.mail.yahoo.com>
In-Reply-To: <7131186123.20020325185243@internethelp.ru>

No, no packet filtering. I can perform ping from this machine. ntpd is complaining about the kernel phase-lock.

Thanks
-chris

From owner-freebsd-security Mon Mar 25 08:28:00 2002
From: "Nickolay A. Kritsky"
Date: Mon, 25 Mar 2002 19:27:39 +0300
Reply-To: "Nickolay A.Kritsky"
To: Kerberus
Cc: krzysztof Strzelczyk, freebsd-security@freebsd.org
Subject: Re[2]: Kernel error?? Hacked?? Bad NIC??
Message-ID: <9833281396.20020325192739@internethelp.ru>
In-Reply-To: <1017075634.14168.84.camel@vpan.netwolves.com>

Hello Kerberus,

Monday, March 25, 2002, 8:00:33 PM, you wrote:

K> Do I smell a bad subnet mask some where in there ???

It can be a problem. krzystof, can you send us output of `ifconfig -a'?

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Mon Mar 25 10:06:45 2002
From: "Michael Scheidell"
Date: Mon, 25 Mar 2002 13:06:32 -0500
Subject: LaBrea on FBSD 4.5 not working?
Message-ID: <001e01c1d427$cbf61640$2801010a@MIKELT>
Organization: Secnap Network Security, LLC.
Trying to get LaBrea running on FBSD 4.5. (Yes, I used the -z option.)

It starts (or doesn't? It doesn't show up in ps or ps -uroot); killall will kill it. /var/log/messages shows it changing promiscuous mode on the interface.

It should emulate an interface on unused IPs (respond to pings) and capture connections.

Ping to an unused IP fails, doesn't show up in the log. A telnet or http connection to an unused IP fails and doesn't show up in the log.

Have latest cvs of ports and libpcap.

What did I do wrong?

--
Michael Scheidell

From owner-freebsd-security Mon Mar 25 10:07:38 2002
From: Dave Hayes
Date: Mon, 25 Mar 2002 10:06:05 -0800
To: krzysztof Strzelczyk
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel error?? Hacked?? Bad NIC??
Message-Id: <200203251806.g2PI6AR05307@hokkshideh2.jetcafe.org>

krzysztof Strzelczyk writes:
> Interface fxp0
> IP is xxx.xxx.xxx.11
> alias0 is xxx.xxx.xxx.4
> alias1 is xxx.xxx.xxx.15

If the alias1 was the last command you did, this would also look like the behavior I would expect from an arp cache that took only the very last IP entry and assigned that to your MAC address. Just a thought.
------
Dave Hayes - Consultant - Altadena CA, USA - dave@jetcafe.org
>>> The opinions expressed above are entirely my own <<<

Nasrudin was sitting talking with a friend as dusk fell. "Light a candle", the man said, "because it is dark now. There is one just by your left side." "How can I tell my right from my left in the dark, you fool?" came the reply.

From owner-freebsd-security Mon Mar 25 11:42:04 2002
From: "jack xiao"
Date: Mon, 25 Mar 2002 14:37:51 -0500
Subject: MTU of gif with IPSec tunnel

Hi,

I set up an IPSec tunnel with isakmpd under FreeBSD on gif interfaces for multiple destinations. But I find it seems I get worse performance than when I set it up without gif interfaces, especially when doing FTP. I suspect the issue is the gif MTU. After doing some tests on the gif MTU, I find we can't lower the MTU below 1280, which is the minimum value we can reach. If I increase the MTU over 1480, it will cause lots of fragmentation during FTP. If I set it between 1280 and 1480, there is not much difference in the total bandwidth. I am wondering what the proper MTU value for the gif interface is when setting an IPSec tunnel on it. Does anybody have any ideas about this?

Thanks.

Jack

From owner-freebsd-security Mon Mar 25 19:37:17 2002
X-Info-RBL2: If your replies bounce, try sending them to cperciva@sfu.ca Message-Id: <5.0.2.1.1.20020326024955.02392830@popserver.sfu.ca> X-Sender: cperciva@popserver.sfu.ca X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Tue, 26 Mar 2002 03:37:10 +0000 To: freebsd-security@freebsd.org From: Colin Percival Subject: It's time for those 2048-, 3072-, and 4096-bit keys? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In light of DJB's widely-cited paper (http://cr.yp.to/papers.html#nfscircuit) on integer factorization circuits, along with subsequent analysis which suggests that such attacks might be practical, is it time to change the default key sizes in OpenSSH? While the practicality of the cracking machine proposed is still a matter of debate, it seems that the risk is sufficient, and the cost of increasing key sizes is sufficiently small, that there is little justfication for not switching to a larger default key size. While a couple years ago it might have been argued that the initial cost of generating longer keys would be excessive, I can now generate a 4096-bit in about 30 seconds on a rather low-end box, so I don't think key generation time is particularly relevant any more. Is there any other reason for not changing the default key size? 
Colin Percival To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Mar 25 19:49:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from patrocles.silby.com (d53.as28.nwbl0.wi.voyager.net [169.207.69.53]) by hub.freebsd.org (Postfix) with ESMTP id 2C5AC37B41B for ; Mon, 25 Mar 2002 19:49:48 -0800 (PST) Received: from patrocles.silby.com (localhost [127.0.0.1]) by patrocles.silby.com (8.12.2/8.12.2) with ESMTP id g2Q9m7UH013129; Tue, 26 Mar 2002 03:48:07 -0600 (CST) (envelope-from silby@silby.com) Received: from localhost (silby@localhost) by patrocles.silby.com (8.12.2/8.12.2/Submit) with ESMTP id g2Q9lnBB013126; Tue, 26 Mar 2002 03:48:06 -0600 (CST) X-Authentication-Warning: patrocles.silby.com: silby owned process doing -bs Date: Tue, 26 Mar 2002 03:47:49 -0600 (CST) From: Mike Silbersack To: Colin Percival Cc: freebsd-security@freebsd.org Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys? In-Reply-To: <5.0.2.1.1.20020326024955.02392830@popserver.sfu.ca> Message-ID: <20020326034234.Q10197-100000@patrocles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 26 Mar 2002, Colin Percival wrote: > Is there any other reason for not changing the default key size? > > Colin Percival Versions of ssh which use RSAREF (those compiled before the patent ended, basically) can't handle keys over 1024 bits in length, IIRC. Hence, you'd have to be very careful when bumping up the size of sshv1 keys on a system which may have old clients connection. However, I think it _would_ be safe to bump up the sshv1 session key from 768 to the largest possible key < 1024 bits in the default options. 
(I would say 1024 bits, but I believe that there's also some stipulation that host key length != session key length.) Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 26 2:49:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id D5E0737B417 for ; Tue, 26 Mar 2002 02:49:05 -0800 (PST) Received: (qmail 98210 invoked by uid 1000); 26 Mar 2002 10:49:08 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 26 Mar 2002 10:49:08 -0000 Date: Tue, 26 Mar 2002 02:49:00 -0800 (PST) From: Jason Stone X-X-Sender: To: Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys? In-Reply-To: <20020326034234.Q10197-100000@patrocles.silby.com> Message-ID: <20020326021747.C11536-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > However, I think it _would_ be safe to bump up the sshv1 session key > from 768 to the largest possible key < 1024 bits in the default > options. (I would say 1024 bits, but I believe that there's also some > stipulation that host key length != session key length.) This is correct - a 1024-bit hostkey causes sessions keys to be 1152-bits which will break rsaref-based clients. An 896-bit hostkey yields the desired 1024-bit session keys. Of course rsaref is old, buggy, copyright-encumbered, and ought not be used anymore under any circumstances. -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. 
I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE8oFIjswXMWWtptckRAmnWAKDyY2LJeg04Ufj6sOSTuOibPzK2qQCfTu00 dMf+5M+dGdwOqp8SbhtyZS4= =b/im -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 26 6:34:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from gull.prod.itd.earthlink.net (gull.mail.pas.earthlink.net [207.217.120.84]) by hub.freebsd.org (Postfix) with ESMTP id 1E69D37B405 for ; Tue, 26 Mar 2002 06:34:40 -0800 (PST) Received: from user-119aekg.biz.mindspring.com ([66.149.58.144] helo=ns.flncs.com) by gull.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16ps20-0000JD-00 for security@freebsd.org; Tue, 26 Mar 2002 06:34:36 -0800 Received: from moti (cylex [12.27.148.78]) by ns.flncs.com (Postfix) with SMTP id 1FD43207B8 for ; Tue, 26 Mar 2002 09:38:40 -0500 (EST) Message-ID: <02f001c1d4d3$8ae70b30$fd6e34c6@moti> From: "Moti Levy" To: Subject: secure levels question . Date: Tue, 26 Mar 2002 09:35:56 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi , I'm building a new mail relay for my company ( it was a hard fight but freebsd won ! ) i figured I can set secure level 1 but not two since a mail server needs access to write on disks . am i right ? 
Moti

From owner-freebsd-security Tue Mar 26 6:52:27 2002
Delivered-To: freebsd-security@freebsd.org
Received: from energyhq.homeip.net (213-97-200-73.uc.nombres.ttd.es [213.97.200.73]) by hub.freebsd.org (Postfix) with ESMTP id 48EE937B416 for ; Tue, 26 Mar 2002 06:52:22 -0800 (PST)
Received: by energyhq.homeip.net (Postfix, from userid 1001) id DD3673FC5B; Tue, 26 Mar 2002 15:53:02 +0100 (CET)
Date: Tue, 26 Mar 2002 15:53:02 +0100
From: Miguel Mendez
To: Moti Levy
Cc: security@freebsd.org
Subject: Re: secure levels question .
Message-ID: <20020326155302.A26448@energyhq.homeip.net>
Mail-Followup-To: Moti Levy , security@freebsd.org
References: <02f001c1d4d3$8ae70b30$fd6e34c6@moti>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <02f001c1d4d3$8ae70b30$fd6e34c6@moti>; from moti@flncs.com on Tue, Mar 26, 2002 at 09:35:56AM -0500

On Tue, Mar 26, 2002 at 09:35:56AM -0500, Moti Levy wrote:

Hi,

> Hi ,
> I'm building a new mail relay for my company ( it was a hard fight but
> freebsd won ! )
> i figured I can set secure level 1 but not two since a mail server needs
> access to write on disks .
> am i right ?

No, I run my mail server at level 3. What you cannot do when running at high security levels is write to the raw disk; you can still write data to normal files, just not to the device. That's the reason why you can't use newfs once your securelevel is set to 2.

Cheers,
-- 
Miguel Mendez - flynn@energyhq.homeip.net
GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
EnergyHQ :: http://www.energyhq.tk
FreeBSD - The power to serve!
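Miguel's distinction (ordinary files stay writable, the raw disk device does not) can be checked directly on a host. The program below is an added example written for this archive, not code from the thread or from FreeBSD: it reads kern.securelevel, opens an ordinary file for writing, then opens a disk device for writing and reports the errno the kernel returned for each. The device path is an assumption (argv[1], defaulting to /dev/ad0 as a FreeBSD 4-era IDE disk name); only open(2) is attempted, nothing is ever written to the device. On a non-FreeBSD host the sysctl call is compiled out and the level is reported as -1.

```c
/* securelevel_probe.c: added example, not code from the thread. Reports the
 * running kern.securelevel and probes the distinction Miguel and Dave draw:
 * opening an ordinary file for writing still works, while opening a disk's
 * raw device for writing is refused with EPERM once the securelevel forbids
 * it. The device path is an assumption (argv[1], default /dev/ad0 as a
 * FreeBSD 4-era disk name); the probe opens it and never writes a byte.
 * Build: cc -Wall -o securelevel_probe securelevel_probe.c */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Current kern.securelevel, or -1 where the sysctl is not available
 * (non-FreeBSD hosts, so the probe still builds and runs elsewhere). */
int current_securelevel(void)
{
#ifdef __FreeBSD__
    int level;
    size_t len = sizeof level;
    if (sysctlbyname("kern.securelevel", &level, &len, NULL, 0) == 0)
        return level;
#endif
    return -1;
}

/* Open 'path' for writing (creating it when 'create' is set), then close
 * it again. Returns 0 on success or the errno the kernel reported. */
int probe_open_for_write(const char *path, int create)
{
    int fd = open(path, O_WRONLY | (create ? O_CREAT : 0), 0600);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Put a probe result into the terms used in the thread. */
const char *describe_result(int err)
{
    switch (err) {
    case 0:      return "writable";
    case EPERM:  return "refused (EPERM: securelevel or immutable flag)";
    case EACCES: return "refused (EACCES: ordinary file permissions)";
    default:     return strerror(err);
    }
}

int main(int argc, char **argv)
{
    const char *regular = "/tmp/securelevel-probe.txt";   /* ordinary file */
    const char *rawdev = argc > 1 ? argv[1] : "/dev/ad0";  /* assumption */

    printf("kern.securelevel = %d\n", current_securelevel());
    printf("%-28s %s\n", regular, describe_result(probe_open_for_write(regular, 1)));
    printf("%-28s %s\n", rawdev, describe_result(probe_open_for_write(rawdev, 0)));
    unlink(regular);
    return 0;
}
```

Run it as root once at the default securelevel and once after raising the level with `sysctl kern.securelevel=2` (the level can only be raised, not lowered, until reboot): the regular file reports writable both times, while the device changes from writable to EPERM, the same refusal that stops newfs at level 2.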
From owner-freebsd-security Tue Mar 26 9:57: 0 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 712A737B416 for ; Tue, 26 Mar 2002 09:56:53 -0800 (PST)
Received: (qmail 23307 invoked by uid 1000); 26 Mar 2002 17:57:14 -0000
Date: Tue, 26 Mar 2002 18:57:14 +0100
From: "Karsten W. Rohrbach"
To: Mike Silbersack
Cc: Colin Percival , freebsd-security@freebsd.org
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020326185714.F22539@mail.webmonster.de>
Mail-Followup-To: "Karsten W. Rohrbach" , Mike Silbersack , Colin Percival , freebsd-security@freebsd.org
References: <5.0.2.1.1.20020326024955.02392830@popserver.sfu.ca> <20020326034234.Q10197-100000@patrocles.silby.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="aPdhxNJGSeOG9wFI"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020326034234.Q10197-100000@patrocles.silby.com>; from silby@silby.com on Tue, Mar 26, 2002 at 03:47:49AM -0600
X-Arbitrary-Number-Of-The-Day: 42
X-URL: http://www.webmonster.de/
X-Disclaimer: My opinions do not necessarily represent those of my employer
X-Work-URL: http://www.ngenn.net/
X-Work-Address: nGENn GmbH, Schloss Kransberg, D-61250 Usingen-Kransberg, Germany
X-Work-Phone: +49-6081-682-304

Mike Silbersack(silby@silby.com)@2002.03.26 03:47:49 +0000:
>
> Versions of ssh which use RSAREF (those compiled before the patent ended,
> basically) can't handle keys over 1024 bits in length, IIRC. Hence, you'd
> have to be very careful when bumping up the size of sshv1 keys on a system
> which may have old clients connection.

Shouldn't the v1 protocol be killed anyway? ;-) I guess in the states you still got a lot of rsa driven clients, eh? In case of field upgradeability of the clients, I would switch to v2 (which actually is what I did on several public systems) and the users are very happy about the new features (like twofish, etc) that it gives them.

/k
-- 
> "Niklaus Wirth has lamented that, whereas Europeans pronounce his name
> correctly (Ni-klows Virt), Americans invariably mangle it into
> (Nick-les Worth). Which is to say that Europeans call him by name, but
> Americans call him by value."
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists.
10x

From owner-freebsd-security Tue Mar 26 10:28: 3 2002
Delivered-To: freebsd-security@freebsd.org
Received: from patrocles.silby.com (d32.as7.nwbl0.wi.voyager.net [169.207.128.160]) by hub.freebsd.org (Postfix) with ESMTP id CA96A37B41E for ; Tue, 26 Mar 2002 10:27:54 -0800 (PST)
Received: from patrocles.silby.com (localhost [127.0.0.1]) by patrocles.silby.com (8.12.2/8.12.2) with ESMTP id g2R0QHUH015744; Tue, 26 Mar 2002 18:26:17 -0600 (CST) (envelope-from silby@silby.com)
Received: from localhost (silby@localhost) by patrocles.silby.com (8.12.2/8.12.2/Submit) with ESMTP id g2R0QErk015741; Tue, 26 Mar 2002 18:26:16 -0600 (CST)
X-Authentication-Warning: patrocles.silby.com: silby owned process doing -bs
Date: Tue, 26 Mar 2002 18:26:14 -0600 (CST)
From: Mike Silbersack
To: "Karsten W. Rohrbach"
Cc: Colin Percival ,
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
In-Reply-To: <20020326185714.F22539@mail.webmonster.de>
Message-ID: <20020326182003.F15545-100000@patrocles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 26 Mar 2002, Karsten W. Rohrbach wrote:

> Mike Silbersack(silby@silby.com)@2002.03.26 03:47:49 +0000:
> >
> > Versions of ssh which use RSAREF (those compiled before the patent ended,
> > basically) can't handle keys over 1024 bits in length, IIRC. Hence, you'd
> > have to be very careful when bumping up the size of sshv1 keys on a system
> > which may have old clients connection.
>
> shouldn't the v1 protocol be killed anyway? ;-) i guess in the states
> you still got a lot of rsa driven clients, eh? in case of field
> upgradeability of the clients, i would switch to v2 (which actually is
> what i did on several public systems) and the users are very happy about
> the new features (like twofish, etc) that it gives them.
>
> /k

Yes, upgrading clients to v2 would be best. However, I don't think that locking out v1 users would be the best way to achieve that. The most likely result of doing so would be people falling back to telnet.

I'm not too concerned about the v1 keylength, as it is obsolete. I'll look into what it would take to change the default one of these days when I have time.

What does slightly concern me is the RSA usage in sshv2 which has appeared recently. Increasing the keylength for those uses seems like a good idea in the long run. However, I haven't even looked at the keylengths used in that case yet; they may already be more than long enough.

Mike "Silby" Silbersack

From owner-freebsd-security Tue Mar 26 10:33:47 2002
Delivered-To: freebsd-security@freebsd.org
Received: from chaos.evolve.za.net (chaos.evolve.za.net [196.34.172.107]) by hub.freebsd.org (Postfix) with ESMTP id 67AE537B41D for ; Tue, 26 Mar 2002 10:33:40 -0800 (PST)
Received: from [192.168.0.56] (helo=DAVE) by chaos.evolve.za.net with smtp (Exim 3.34 #1) id 16pvl9-000G3a-00; Tue, 26 Mar 2002 20:33:27 +0200
Message-ID: <003401c1d4f4$ac9a8100$3800a8c0@DAVE>
From: "Dave Raven"
To: "Moti Levy" ,
References: <02f001c1d4d3$8ae70b30$fd6e34c6@moti>
Subject: Re: secure levels question .
Date: Tue, 26 Mar 2002 20:32:59 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

No. You can run it at any level; level 2 doesn't allow raw disk access, and you won't be worried by this.

Dave Raven.
OpteqSec.

----- Original Message -----
From: "Moti Levy"
To:
Sent: Tuesday, March 26, 2002 4:35 PM
Subject: secure levels question .

> Hi ,
> I'm building a new mail relay for my company ( it was a hard fight but
> freebsd won ! )
> i figured I can set secure level 1 but not two since a mail server needs
> access to write on disks .
> am i right ?
> Moti

From owner-freebsd-security Tue Mar 26 11:36:55 2002
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id EDEA837B41D; Tue, 26 Mar 2002 11:36:37 -0800 (PST)
Received: (from nectar@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g2QJab850196; Tue, 26 Mar 2002 11:36:37 -0800 (PST) (envelope-from security-advisories@freebsd.org)
Date: Tue, 26 Mar 2002 11:36:37 -0800 (PST)
Message-Id: <200203261936.g2QJab850196@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:19.squid
Reply-To: security-advisories@freebsd.org

=============================================================================
FreeBSD-SA-02:19                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          squid heap buffer overflow in DNS handling

Category:       ports
Module:         squid24
Announced:      2002-03-26
Credits:        zen-parse
Affects:        squid port prior to version 2.4_9
Corrected:      2002-03-22 00:19:55 UTC
FreeBSD only:   NO

I.   Background

The Squid Internet Object Cache is a web proxy/cache.

II.  Problem Description

Incorrect handling of compressed DNS responses could result in a heap buffer overflow.

The squid port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains thousands of third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.5 contains this problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

A malicious DNS server (or an attacker spoofing a DNS server) could respond to DNS requests from squid with a specially crafted answer that would trigger the heap buffer overflow bug. This could crash the squid process. This bug is not known to be exploitable.

IV.  Workaround

1) Deinstall the squid port/package if you have it installed.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the squid port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection.

Path                                                             Revision
-------------------------------------------------------------------------
ports/www/squid24/Makefile                                           1.89
ports/www/squid24/distinfo                                           1.64
-------------------------------------------------------------------------

VII. References

From owner-freebsd-security Tue Mar 26 15:16:39 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lothlorien.tangledhelix.net (lothlorien.tangledhelix.net [198.88.76.131]) by hub.freebsd.org (Postfix) with ESMTP id 4E9D937B400 for ; Tue, 26 Mar 2002 15:16:35 -0800 (PST)
Received: (from dan@localhost) by lothlorien.tangledhelix.net id g2QNGYG00933 for freebsd-security@freebsd.org; Tue, 26 Mar 2002 18:16:34 -0500 (EST)
Date: Tue, 26 Mar 2002 18:16:34 -0500
From: Dan Lowe
To: freebsd-security@freebsd.org
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020326181634.A919@lothlorien.tangledhelix.net>
Reply-To: dan@tangledhelix.com
Mail-Followup-To: freebsd-security@freebsd.org
References: <20020326185714.F22539@mail.webmonster.de> <20020326182003.F15545-100000@patrocles.silby.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020326182003.F15545-100000@patrocles.silby.com>; from silby@silby.com on Tue, Mar 26, 2002 at 06:26:14PM -0600

Previously, Mike Silbersack wrote:
>
> Yes, upgrading clients to v2 would be best. However, I don't think that
> locking out v1 users would be the best way to achieve that. The most
> likely result of doing so would be people falling back to telnet.
On a system where security is of any concern whatsoever, why would telnet be available in the first place?

-- 
Beware! To touch these wires is instant death. Anyone found doing so will be prosecuted. -Sign at a railroad station

From owner-freebsd-security Wed Mar 27 4:43: 0 2002
Delivered-To: freebsd-security@freebsd.org
Received: from blackhelicopters.org (geburah.blackhelicopters.org [209.69.178.18]) by hub.freebsd.org (Postfix) with ESMTP id D54A537B41D for ; Wed, 27 Mar 2002 04:42:56 -0800 (PST)
Received: (from mwlucas@localhost) by blackhelicopters.org (8.11.6/8.11.6) id g2RCgat87060; Wed, 27 Mar 2002 07:42:36 -0500 (EST) (envelope-from mwlucas)
Date: Wed, 27 Mar 2002 07:42:36 -0500
From: Michael Lucas
To: Dan Lowe
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020327074236.B86929@blackhelicopters.org>
References: <20020326185714.F22539@mail.webmonster.de> <20020326182003.F15545-100000@patrocles.silby.com> <20020326181634.A919@lothlorien.tangledhelix.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020326181634.A919@lothlorien.tangledhelix.net>; from dan@tangledhelix.com on Tue, Mar 26, 2002 at 06:16:34PM -0500

On Tue, Mar 26, 2002 at 06:16:34PM -0500, Dan Lowe wrote:
> Previously, Mike Silbersack wrote:
> >
> > Yes, upgrading clients to v2 would be best. However, I don't think that
> > locking out v1 users would be the best way to achieve that. The most
> > likely result of doing so would be people falling back to telnet.
>
> On a system where security is of any concern whatsoever, why would telnet
> be available in the first place?

I just dealt with a group of "senior" admins here in Detroit who weren't familiar with the problems of telnetting to their Ciscos. Ethereal was quite the shock to them. :-)

It's taken us years to basically scrub telnet off the map, and it's still not gone. SSHv1 is far better than telnet, and there are any number of v1 clients still out there. Please don't make it any harder than it absolutely has to be.

Perhaps a comment in the file, "we recommend using v2 whenever possible", so people stumble across it frequently even if they don't bother reading the docs?

==ml

-- 
Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
my FreeBSD column: http://www.oreillynet.com/pub/q/Big_Scary_Daemons
http://www.blackhelicopters.org/~mwlucas/

From owner-freebsd-security Wed Mar 27 6: 0:13 2002
Delivered-To: freebsd-security@freebsd.org
Received: from bilver.wjv.com (spdsl-033.wanlogistics.net [63.209.115.33]) by hub.freebsd.org (Postfix) with ESMTP id 3A51737B419 for ; Wed, 27 Mar 2002 06:00:07 -0800 (PST)
Received: (from bv@localhost) by bilver.wjv.com (8.11.6/8.11.6) id g2RE06630896 for security@freebsd.org; Wed, 27 Mar 2002 09:00:06 -0500 (EST) (envelope-from bv)
Date: Wed, 27 Mar 2002 09:00:06 -0500
From: Bill Vermillion
To: security@freebsd.org
Subject: Question on su / possible hole
Message-ID: <20020327140006.GA30556@wjv.com>
Reply-To: bv@wjv.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.25i
Organization: W.J.Vermillion / Orlando - Winter Park

I don't know if this is where I should ask, so
apologies if it's the wrong place.

There is a wheel group and only people who are in the wheel group are to be able to su to the root account. I like that approach because even if people have the root password they can't su to root.

However I have found that if a non-wheel-group user can su to a user who has wheel privileges, then the non-wheel user can su to root.

Since BSD doesn't use the EUID/EGID methods in SysV so you know who the user is in reality, it would seem perhaps logical to use the login id of the person to check wheel group privileges. I have noted that this appears to me anyway, and may have missed something else, that this is the only way you can tell who the original user is.

Because of this way to bypass not having a wheel group entry for a user, this seems to me to be a potential security hole. IOW if you have made sure those in wheel are authenticated so you know for sure who they are, you may assume that they are safe.

I realize that it falls back to the user in the wheel group who has had their password compromised. It just strikes me as odd with all the other safeguards in place that this one can occur.

Does anyone know the reason behind this design, if it was done this way purposely. Am I being overly paranoid about this?

Thanks.

Bill
-- 
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security Wed Mar 27 6: 4: 9 2002
Delivered-To: freebsd-security@freebsd.org
Received: from theinternet.com.au (c17126.kelvn1.qld.optusnet.com.au [210.49.48.239]) by hub.freebsd.org (Postfix) with ESMTP id 636CD37B400 for ; Wed, 27 Mar 2002 06:04:04 -0800 (PST)
Received: (from akm@localhost) by theinternet.com.au (8.11.6/8.11.4) id g2RE3TO10503; Thu, 28 Mar 2002 00:03:29 +1000 (EST) (envelope-from akm)
Date: Thu, 28 Mar 2002 00:03:29 +1000
From: Andrew Kenneth Milton
To: Bill Vermillion
Cc: security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020328000329.E40004@zeus.theinternet.com.au>
References: <20020327140006.GA30556@wjv.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020327140006.GA30556@wjv.com>; from bv@wjv.com on Wed, Mar 27, 2002 at 09:00:06AM -0500

+-------[ Bill Vermillion ]----------------------
|
| However I have found that if non-wheel-group user can su to a
| user who has wheel privledges - the the non-wheel user can su to
| root.

So they can simply login as the user with wheel access and circumvent any further checking anyway. They'd need the password after all.

-- 
Totally Holistic Enterprises Internet|                      | Andrew Milton
The Internet (Aust) Pty Ltd          |                      |
ACN:  082 081 472   ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|

From owner-freebsd-security Wed Mar 27 6:24:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from bilver.wjv.com (spdsl-033.wanlogistics.net [63.209.115.33]) by hub.freebsd.org (Postfix) with ESMTP id 2451537B400 for ; Wed, 27 Mar 2002 06:24:49 -0800 (PST)
Received: (from bv@localhost) by bilver.wjv.com (8.11.6/8.11.6) id g2REOXr31088; Wed, 27 Mar 2002 09:24:33 -0500 (EST) (envelope-from bv)
Date: Wed, 27 Mar 2002 09:24:33 -0500
From: Bill Vermillion
To: Andrew Kenneth Milton
Cc: security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020327142432.GB30556@wjv.com>
Reply-To: bv@wjv.com
References: <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020328000329.E40004@zeus.theinternet.com.au>
User-Agent: Mutt/1.3.25i
Organization: W.J.Vermillion / Orlando - Winter Park

On Thu, Mar 28, 2002 at 12:03:29AM +1000, Andrew Kenneth Milton thus spoke:

> +-------[ Bill Vermillion ]----------------------
> |
> | However I have found that if non-wheel-group user can su to a
> | user who has wheel privledges - the the non-wheel user can su to
> | root.

> So they can simply login as the user with wheel access and circumvent
> any further checking anyway. They'd need the password after all.
Not if you make sure that the user with the wheel access is coming from a designated place - eg a particular link - an assigned static IP for example. IOW besides knowing who the user is and their password, you also know WHERE they are.

They do need the password of course. But if you expand the wheel concept to the point that you can only become root if you are a named user in this group - IOW a trusted user - then the system would be more secure.

It strikes me as strange because at first glance a person would think that only people who are in the wheel group could become root. I never knew that you could bypass this until I was just experimenting the other day.

The man page on su says "Only users who are members of group 0 can su to root". It does say this about the environment USER: "The user ID is always the effective ID ..." But BSD doesn't retain the real ID as in SysV. [I'm not a fan of SysV so don't get me wrong]

It just strikes me as wrong.

-- 
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security Wed Mar 27 6:35:18 2002
Delivered-To: freebsd-security@freebsd.org
Received: from theinternet.com.au (c17126.kelvn1.qld.optusnet.com.au [210.49.48.239]) by hub.freebsd.org (Postfix) with ESMTP id 26D0737B417 for ; Wed, 27 Mar 2002 06:35:13 -0800 (PST)
Received: (from akm@localhost) by theinternet.com.au (8.11.6/8.11.4) id g2REZ6310776; Thu, 28 Mar 2002 00:35:06 +1000 (EST) (envelope-from akm)
Date: Thu, 28 Mar 2002 00:35:06 +1000
From: Andrew Kenneth Milton
To: Bill Vermillion
Cc: Andrew Kenneth Milton , security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020328003506.F40004@zeus.theinternet.com.au>
References: <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au> <20020327142432.GB30556@wjv.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020327142432.GB30556@wjv.com>; from bv@wjv.com on Wed, Mar 27, 2002 at 09:24:33AM -0500

+-------[ Bill Vermillion ]----------------------
| On Thu, Mar 28, 2002 at 12:03:29AM +1000, Andrew Kenneth Milton thus spoke:
| > +-------[ Bill Vermillion ]----------------------
| > |
| > | However I have found that if non-wheel-group user can su to a
| > | user who has wheel privledges - the the non-wheel user can su to
| > | root.
|
| > So they can simply login as the user with wheel access and circumvent
| > any further checking anyway. They'd need the password after all.
|
| They do need the password of course. But if you expand the wheel
| concept to the point that you can only become root if you are a
| named user in this group - IOW a trusted user - then the system
| would be more secure.

So remove world execute access from su, make an su-users group and chgrp su with that group?

I think you have the tools you need to do what you want d8)

-- 
Totally Holistic Enterprises Internet|                      | Andrew Milton
The Internet (Aust) Pty Ltd          |                      |
ACN:  082 081 472   ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|

From owner-freebsd-security Wed Mar 27 6:40:55 2002
Delivered-To: freebsd-security@freebsd.org
Received: from usermail0.netnitco.net (usermail0.netnitco.net [216.176.128.8]) by hub.freebsd.org (Postfix) with ESMTP id F2D3937B41B for ; Wed, 27 Mar 2002 06:40:51 -0800 (PST)
Received: from mypc (goatmilk.thing.nu [216.176.156.116]) by usermail0.netnitco.net (8.11.4/8.10.1/052400) with SMTP id g2REeoS75709 for ; Wed, 27 Mar 2002 08:40:50 -0600 (CST)
Message-ID: <00e801c1d59d$2b463e10$4400000a@nitco.com>
Reply-To: "Josh Snyder"
From: "Josh Snyder"
To:
Subject: NAT / Firewall Question
Date: Wed, 27 Mar 2002 08:39:14 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

I am going to be setting up a box to do NAT with my Ameritech ADSL (Alcatel SpeedTouch USB modem) and I was wondering if there was any reason that I should use FreeBSD with ipfw/ipfilter (I don't really know the difference) rather than Linux with iptables? I fully admit that I haven't really researched the two options thoroughly and I've only set up a very basic one-rule NAT configuration for my friend. I was hoping that you all may have some insight as to why or if FreeBSD makes a better NAT / Firewall box.
Thanks,
--Josh Snyder

From owner-freebsd-security Wed Mar 27 6:54:21 2002
Delivered-To: freebsd-security@freebsd.org
Received: from usermail0.netnitco.net (usermail0.netnitco.net [216.176.128.8]) by hub.freebsd.org (Postfix) with ESMTP id 88E7337B416 for ; Wed, 27 Mar 2002 06:54:15 -0800 (PST)
Received: from mypc (goatmilk.thing.nu [216.176.156.116]) by usermail0.netnitco.net (8.11.4/8.10.1/052400) with SMTP id g2REsDS80010; Wed, 27 Mar 2002 08:54:13 -0600 (CST)
Message-ID: <00fb01c1d59f$09bdbaf0$4400000a@nitco.com>
Reply-To: "Josh Snyder"
From: "Josh Snyder"
To: "David Wolfskill"
Cc:
References: <200203271446.g2REkc187754@bunrab.catwhisker.org>
Subject: Re: NAT / Firewall Question
Date: Wed, 27 Mar 2002 08:52:37 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

I'm sorry, I assumed that security-oriented folks in the open source world would probably be familiar with more than 1 security solution. I know that many people on the list use FreeBSD for firewalling, but I'm sure many have probably used some other type of firewall at one time or another. I wanted to get a general opinion from more experienced folks as to whether or not I should look at Linux or FreeBSD.

However, if there is a more specific list that covers the users of multiple types of open source firewall solutions that you are aware of, please forward that address to me so that I may address my question there.

Thank You.
--Josh

----- Original Message -----
From: "David Wolfskill"
To:
Sent: Wednesday, March 27, 2002 8:46 AM
Subject: Re: NAT / Firewall Question

> Why would you expect folks subscribed to freebsd-security to have any
> particular familiarity with Linux?
>
> Anyway, I use a FreeBSD box for my firewall here at home, also ADSL.
>
> Cheers,
> david
> --
> David H. Wolfskill david@catwhisker.org
> I believe it would be irresponsible (and thus, unethical) for me to advise,
> recommend, or support the use of any product that is or depends on any
> Microsoft product for any purpose other than personal amusement.

From owner-freebsd-security Wed Mar 27 6:57:30 2002
Delivered-To: freebsd-security@freebsd.org
Received: from bilver.wjv.com (spdsl-033.wanlogistics.net [63.209.115.33]) by hub.freebsd.org (Postfix) with ESMTP id 121EC37B419 for ; Wed, 27 Mar 2002 06:57:21 -0800 (PST)
Received: (from bv@localhost) by bilver.wjv.com (8.11.6/8.11.6) id g2REv7H31378; Wed, 27 Mar 2002 09:57:07 -0500 (EST) (envelope-from bv)
Date: Wed, 27 Mar 2002 09:57:07 -0500
From: Bill Vermillion
To: Andrew Kenneth Milton
Cc: security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020327145706.GC30556@wjv.com>
Reply-To: bv@wjv.com
References: <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au> <20020327142432.GB30556@wjv.com> <20020328003506.F40004@zeus.theinternet.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020328003506.F40004@zeus.theinternet.com.au>
User-Agent: Mutt/1.3.25i
Organization: W.J.Vermillion / Orlando - Winter Park

On Thu, Mar 28, 2002 at 12:35:06AM +1000, Andrew Kenneth Milton
thus spoke:

> +-------[ Bill Vermillion ]----------------------
> | On Thu, Mar 28, 2002 at 12:03:29AM +1000, Andrew Kenneth Milton thus spoke:
> | > +-------[ Bill Vermillion ]----------------------
> | > |
> | > | However I have found that if a non-wheel-group user can su to a
> | > | user who has wheel privileges, then the non-wheel user can su to
> | > | root.
> | >
> | > So they can simply login as the user with wheel access and circumvent
> | > any further checking anyway. They'd need the password after all.
> |
> | They do need the password of course. But if you expand the wheel
> | concept to the point that you can only become root if you are a
> | named user in this group - IOW a trusted user - then the system
> | would be more secure.
>
> So remove world execute access from su, make an su-users group and
> chgrp su with that group ?
>
> I think you have the tools you need to do what you want d8)

Now why didn't I think of that.

Thanks.

Bill
--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security Wed Mar 27 7:08:19 2002
Date: Wed, 27 Mar 2002 16:08:31 +0100
From: Bart Matthaei
To: Josh Snyder
Cc: freebsd-security@freebsd.org
Subject: Re: NAT / Firewall Question
Message-ID: <20020327160830.A75406@heresy.dreamflow.nl>
In-Reply-To: <00e801c1d59d$2b463e10$4400000a@nitco.com>; from nightrav@netnitco.net on Wed, Mar 27, 2002 at
08:39:14AM -0600

> I am going to be setting up a box to do NAT with my Ameritech ADSL (Alcatel
> SpeedTouch USB modem) and I was wondering if there was any reason that I
> should use FreeBSD with ipfw/ipfilter ( I don't really know the difference)
> rather than Linux with iptables? I fully admit that I haven't really
> researched the two options thoroughly and I've only set up a very basic one
> rule NAT configuration for my friend. I was hoping that you all may have
> some insight as to why or if FreeBSD makes a better NAT / Firewall box.

It doesn't. It's just a question of what you're used to. I like the freebsd
"feel" a lot better compared to linux.
Same thing when it comes down to ipfw/ipf versus iptables. iptables has the
same functionality, but is in my eyes, too complex, when you compare it to
ipfw/ipf.

There used to be a difference in performance between linux and (free)bsd when
it comes down to firewalling and routing, but with the birth of the 2.4 kernel
and iptables, this difference has vanished.

B.

--
Bart Matthaei bart@dreamflow.nl
Eat drink and be merry, for tomorrow they may make it illegal.
From owner-freebsd-security Wed Mar 27 7:50:59 2002
Date: Thu, 28 Mar 2002 01:50:44 +1000
From: Andrew Kenneth Milton
To: Bill Vermillion
Cc: Andrew Kenneth Milton, security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020328015044.G40004@zeus.theinternet.com.au>
In-Reply-To: <20020327145706.GC30556@wjv.com>; from bv@wjv.com on Wed, Mar 27, 2002 at 09:57:07AM -0500

+-------[ Bill Vermillion ]----------------------
|
| Now why didn't I think of that.
Sometimes you just need to talk it through with someone d8)

--
Totally Holistic Enterprises Internet | | Andrew Milton
The Internet (Aust) Pty Ltd | |
ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068 | akm@theinternet.com.au |

From owner-freebsd-security Wed Mar 27 7:53:30 2002
Date: Wed, 27 Mar 2002 11:01:00 -0500
From: Tom Rhodes
To: Michael Lucas
Cc: dan@tangledhelix.com, freebsd-security@FreeBSD.ORG
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-Id: <20020327110100.6d638389.darklogik@pittgoth.com>
In-Reply-To: <20020327074236.B86929@blackhelicopters.org>

On Wed, 27 Mar 2002 07:42:36 -0500
Michael Lucas wrote:

> On Tue, Mar 26, 2002 at 06:16:34PM -0500, Dan Lowe wrote:
> > Previously, Mike Silbersack wrote:
> > >
> > > Yes, upgrading clients to v2 would be best. However, I don't
> > > think that locking out v1 users would be the best way to achieve
> > > that. The most likely result of doing so would be people
> > > falling back to telnet.
> >
> > On a system where security is of any concern whatsoever, why would
> > telnet be available in the first place?
>
> I just dealt with a group of "senior" admins here in Detroit who
> weren't familiar with the problems of telneting to their Ciscos.
> Ethereal was quite the shock to them. :-)
>
> It's taken us years to basically scrub telnet off the map, and it's
> still not gone. SSHv1 is far better than telnet, and there are any
> number of v1 clients still out there. Please don't make it any
> harder than it absolutely has to be.
>
> Perhaps a comment in the file, "we recommend using v2 whenever
> possible", so people stumble across it frequently even if they don't
> bother reading the docs?

How about a nice addition to the ssh manual pages just because I do not
think they describe things well enough.
For instance, when I first started using scp(1), I fought like hell before
I figured it out. I do not feel the manual page had a clear description of
how to use scp(1). It did, however, cover the options well... I think that
it should describe how to use protocol 2, I also think it should point you
to a reference of the use options.

Opinions?

>
> ==ml
>
> --
> Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
> my FreeBSD column: http://www.oreillynet.com/pub/q/Big_Scary_Daemons
>
> http://www.blackhelicopters.org/~mwlucas/

--
Tom (Darklogik) Rhodes
www.FreeBSD.org -The Power To Serve
www.Pittgoth.com -Pittgoth Discussion Portal
trhodes@ {Pittgoth.com, FreeBSD.org}

From owner-freebsd-security Wed Mar 27 7:55:46 2002
Date: Wed, 27 Mar 2002 10:55:31 -0500
From: Michael Lucas
To: Tom Rhodes
Cc: dan@tangledhelix.com, freebsd-security@FreeBSD.ORG
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020327105531.A88300@blackhelicopters.org>
In-Reply-To: <20020327110100.6d638389.darklogik@pittgoth.com>; from darklogik@pittgoth.com on Wed, Mar 27, 2002 at 11:01:00AM -0500

On Wed, Mar 27, 2002 at 11:01:00AM -0500, Tom Rhodes wrote:
> On Wed, 27 Mar 2002 07:42:36 -0500
> Michael Lucas wrote:
> >
> > Perhaps a comment in the file, "we recommend using v2 whenever
> > possible", so people stumble across it frequently even if they don't
> > bother reading the docs?
>
> How about a nice addition to the ssh manual pages just because I do
> not think they describe things well enough. For instance, when I
> first started using scp(1), I fought like hell before I figured it
> out. I do not feel the manual page had a clear description of how
> to use scp(1). It did, however, cover the options well... I think
> that it should describe how to use protocol 2, I also think it should
> point you to a reference of the use options.

Certainly a possibility. However, this is contrib code. Be sure to ask
your mentor about altering contrib code. Upon investigation, I see that
even the config file is contrib code.

Heck, Tom, you're a FreeBSD committer now, certainly you could become an
OpenSSH -doc committer too.
:-)

==ml

--
Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
my FreeBSD column: http://www.oreillynet.com/pub/q/Big_Scary_Daemons

http://www.blackhelicopters.org/~mwlucas/

From owner-freebsd-security Wed Mar 27 8:08:27 2002
Date: Wed, 27 Mar 2002 16:02:45 +0000
From: Ceri
To: Tom Rhodes
Cc: Michael Lucas, dan@tangledhelix.com, freebsd-security@FreeBSD.ORG
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020327160245.GA60990@submonkey.net>
In-Reply-To: <20020327110100.6d638389.darklogik@pittgoth.com>

On Wed, Mar 27, 2002 at 11:01:00AM -0500, Tom Rhodes wrote:
> On Wed, 27 Mar 2002 07:42:36 -0500
> Michael Lucas wrote:
>
> > On Tue, Mar 26, 2002 at 06:16:34PM -0500, Dan Lowe wrote:
> > > Previously, Mike Silbersack wrote:
> > > >
> > > > Yes, upgrading clients to v2 would be best.
> > > > However, I don't
> > > > think that locking out v1 users would be the best way to achieve
> > > > that. The most likely result of doing so would be people
> > > > falling back to telnet.
> > >
> > > On a system where security is of any concern whatsoever, why would
> > > telnet be available in the first place?
> >
> > I just dealt with a group of "senior" admins here in Detroit who
> > weren't familiar with the problems of telneting to their Ciscos.
> > Ethereal was quite the shock to them. :-)
> >
> > It's taken us years to basically scrub telnet off the map, and it's
> > still not gone. SSHv1 is far better than telnet, and there are any
> > number of v1 clients still out there. Please don't make it any
> > harder than it absolutely has to be.
> >
> > Perhaps a comment in the file, "we recommend using v2 whenever
> > possible", so people stumble across it frequently even if they don't
> > bother reading the docs?
>
> How about a nice addition to the ssh manual pages just because I do
> not think they describe things well enough. For instance, when I
> first started using scp(1), I fought like hell before I figured it
> out. I do not feel the manual page had a clear description of how
> to use scp(1). It did, however, cover the options well... I think
> that it should describe how to use protocol 2, I also think it should
> point you to a reference of the use options.

I think the scp(1) manpages are clear enough, to be honest. I mean, the
syntax is essentially just a mix between cp(1) and ssh(1), except that it
treats a destination filename containing a ':' as a hostname:path
combination. I can even tab-complete with scp over the network (and so
could you, with the correct tcsh incantations).

I would imagine that any problems you had with scp(1) were more rooted in
the "getting my key working" area than with actually typing

# scp foo wibble quux host.example.com:/tmp

Surely ?
Therefore perhaps we just need a doc on how to get keys working (and I'm
not convinced we need that, but I've been using ssh for a long time).

Ceri
--
keep a mild groove on

From owner-freebsd-security Wed Mar 27 8:16:58 2002
Date: Wed, 27 Mar 2002 11:06:16 -0500
From: Tom Rhodes
To: bv@wjv.com
Cc: security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-Id: <20020327110616.58e6ead1.darklogik@pittgoth.com>
In-Reply-To: <20020327140006.GA30556@wjv.com>

On Wed, 27 Mar 2002 09:00:06 -0500
Bill Vermillion wrote:

> I don't know if this is where I should ask, so apologies if it's
> the wrong place.

Perhaps...

> Bill
>
> --
> Bill Vermillion - bv @ wjv . com
>

What I do with my server, users that are in the wheel group MUST use
ssh(1) v2 key authentication.
If you read the ssh documentation, there is a way you can restrict access
by IP address also. You may wish to investigate the use of ssh(1) for your
system ;)

--
Tom (Darklogik) Rhodes
www.FreeBSD.org -The Power To Serve
www.Pittgoth.com -Pittgoth Discussion Portal
trhodes@ {Pittgoth.com, FreeBSD.org}

From owner-freebsd-security Wed Mar 27 8:22:57 2002
Date: Wed, 27 Mar 2002 11:30:22 -0500
From: Tom Rhodes
To: Michael Lucas
Cc: dan@tangledhelix.com, freebsd-security@FreeBSD.ORG
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-Id: <20020327113022.00351ae5.darklogik@pittgoth.com>
In-Reply-To: <20020327105531.A88300@blackhelicopters.org>

On Wed, 27 Mar 2002 10:55:31 -0500
Michael Lucas wrote:

> On Wed, Mar 27, 2002 at 11:01:00AM -0500, Tom Rhodes wrote:
> > On Wed, 27 Mar 2002 07:42:36 -0500
> > Michael Lucas wrote:
> > >
> > > Perhaps a comment in the file, "we recommend using v2 whenever
> > > possible", so people stumble across it frequently even if they
> > > don't bother reading the docs?
> >
> > How about a nice addition to the ssh manual pages just because I
> > do not think they describe things well enough. For instance, when
> > I first started using scp(1), I fought like hell before I figured
> > it out. I do not feel the manual page had a clear description of
> > how to use scp(1). It did, however, cover the options well... I
> > think that it should describe how to use protocol 2, I also think
> > it should point you to a reference of the use options.
>
> Certainly a possibility. However, this is contrib code. Be sure to
> ask your mentor about altering contrib code. Upon investigation, I
> see that even the config file is contrib code.
>
> Heck, Tom, you're a FreeBSD committer now, certainly you could
> become an OpenSSH -doc committer too. :-)

Haha ;)

I'll be honest, my mailbox is full already. I'll come up with some kind
of an idea. At first, the ideas that came to me were to edit the
committers guide and/or email the OpenBSD project; in that aspect, maybe
I can kill 2 birds with one stone.

Is there a reason that the ssh(1) information in the committers guide is
a little, well, out of date?

>
> ==ml
>
> --
> Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
> my FreeBSD column: http://www.oreillynet.com/pub/q/Big_Scary_Daemons
>
> http://www.blackhelicopters.org/~mwlucas/
>

--
Tom (Darklogik) Rhodes
www.FreeBSD.org -The Power To Serve
www.Pittgoth.com -Pittgoth Discussion Portal
trhodes@ {Pittgoth.com, FreeBSD.org}

From owner-freebsd-security Wed Mar 27 8:44:57 2002
Message-Id: <5.1.0.14.2.20020327103848.00acb498@casbah.it.northwestern.edu>
Date: Wed, 27 Mar 2002 10:43:33 -0600
To: Andrew
Kenneth Milton
From: Damien Palmer
Subject: Re: Question on su / possible hole
Cc: security@FreeBSD.ORG
In-Reply-To: <20020328003506.F40004@zeus.theinternet.com.au>

At 12:35 AM 3/28/2002 +1000, Andrew Kenneth Milton wrote:
>So remove world execute access from su, make an su-users group and chgrp
>su with that group ?

Since su already belongs to the wheel group, and we are trying to restrict
su access to people in the wheel group, wouldn't it be simpler to just
chmod the command, so only the owner and the group have executable
permissions on it, and leave it in the wheel group? Or is there another
reasoning behind creating a new group that I am not seeing?
-Damien Palmer

From owner-freebsd-security Wed Mar 27 8:48:43 2002
Date: Thu, 28 Mar 2002 02:48:27 +1000
From: Andrew Kenneth Milton
To: Damien Palmer
Cc: Andrew Kenneth Milton, security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020328024827.I40004@zeus.theinternet.com.au>
In-Reply-To: <5.1.0.14.2.20020327103848.00acb498@casbah.it.northwestern.edu>; from dpalmer@northwestern.edu on Wed, Mar 27, 2002 at 10:43:33AM -0600

+-------[ Damien Palmer ]----------------------
| At 12:35 AM 3/28/2002 +1000, Andrew Kenneth Milton wrote:
| >So remove world execute access from su, make an su-users group and chgrp
| >su with that group ?
|
| Since su already belongs to the wheel group, and we are trying to restrict
| su access to people in the wheel group, wouldn't it be simpler to just
| chmod the command, so only the owner and the group have executable
| permissions on it, and leave it in the wheel group?
| Or is there another
| reasoning behind creating a new group that I am not seeing?

Neatness?

--
Totally Holistic Enterprises Internet | | Andrew Milton
The Internet (Aust) Pty Ltd | |
ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068 | akm@theinternet.com.au |

From owner-freebsd-security Wed Mar 27 8:53:59 2002
Date: Wed, 27 Mar 2002 16:53:35 +0000
From: Ceri
To: Andrew Kenneth Milton
Cc: Damien Palmer, security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020327165335.GA61997@submonkey.net>
In-Reply-To: <20020328024827.I40004@zeus.theinternet.com.au>

On Thu, Mar 28, 2002 at 02:48:27AM +1000, Andrew Kenneth Milton wrote:
> +-------[ Damien Palmer ]----------------------
> | At 12:35 AM 3/28/2002 +1000, Andrew Kenneth Milton wrote:
> | >So remove world execute access from su, make an su-users group and chgrp
> | >su with that group ?
> |
> | Since su already belongs to the wheel group, and we are trying to restrict
> | su access to people in the wheel group, wouldn't it be simpler to just
> | chmod the command, so only the owner and the group have executable
> | permissions on it, and leave it in the wheel group? Or is there another
> | reasoning behind creating a new group that I am not seeing?
>
> Neatness?

If only wheel has execute access on su, then only people in wheel can su.
Note that anyone can use su, they just can't su to root if they're not in
wheel.

Creating a new group wouldn't work anyway.
su explicitly checks that the user calling it is in a group
with gid=0, otherwise known as wheel.

Ceri
--
keep a mild groove on

From owner-freebsd-security Wed Mar 27 8:58:04 2002
Date: Thu, 28 Mar 2002 02:57:22 +1000
From: Andrew Kenneth Milton
To: Ceri
Cc: Andrew Kenneth Milton, Damien Palmer, security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020328025722.J40004@zeus.theinternet.com.au>
In-Reply-To:
<20020327165335.GA61997@submonkey.net>; from setantae@submonkey.net on Wed, Mar 27, 2002 at 04:53:35PM +0000

+-------[ Ceri ]----------------------
| On Thu, Mar 28, 2002 at 02:48:27AM +1000, Andrew Kenneth Milton wrote:
| > +-------[ Damien Palmer ]----------------------
| > | At 12:35 AM 3/28/2002 +1000, Andrew Kenneth Milton wrote:
| > | >So remove world execute access from su, make an su-users group and chgrp
| > | >su with that group ?
| > |
| > | Since su already belongs to the wheel group, and we are trying to restrict
| > | su access to people in the wheel group, wouldn't it be simpler to just
| > | chmod the command, so only the owner and the group have executable
| > | permissions on it, and leave it in the wheel group? Or is there another
| > | reasoning behind creating a new group that I am not seeing?
| >
| > Neatness?
|
| If only wheel has execute access on su, then only people in wheel can su.
| Note that anyone can use su, they just can't su to root if they're not in
| wheel.
|
| Creating a new group wouldn't work anyway.
| su explicitly checks that the user calling it is in a group
| with gid=0, otherwise known as wheel.
New group is to restrict hopping from noWheelUser1 -> wheelUser2 -> root

if noWheelUser1 can't execute su they can't get to wheelUser2

I'm just providing solutions, I'm not going to try to provide a
rationalisation for why it's a problem d8)

--
Totally Holistic Enterprises Internet | | Andrew Milton
The Internet (Aust) Pty Ltd | |
ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068 | akm@theinternet.com.au |

From owner-freebsd-security Wed Mar 27 9:04:38 2002
Date: Wed, 27 Mar 2002 17:04:28 +0000
From: Ceri
To: Andrew Kenneth Milton
Cc: Damien Palmer, security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020327170428.GB62360@submonkey.net>
In-Reply-To: <20020328025722.J40004@zeus.theinternet.com.au>

On Thu, Mar 28, 2002 at
02:57:22AM +1000, Andrew Kenneth Milton wrote: > +-------[ Ceri ]---------------------- > | On Thu, Mar 28, 2002 at 02:48:27AM +1000, Andrew Kenneth Milton wrote: > | > +-------[ Damien Palmer ]---------------------- > | > | At 12:35 AM 3/28/2002 +1000, Andrew Kenneth Milton wrote: > | > | >So remove world execute access from su, make an su-users group and chgrp > | > | >su with that group ? > | > | > | > | Since su already belongs to the wheel group, and we are trying to restrict > | > | su access to people in the wheel group, wouldn't it be simpler to just > | > | chmod the command, so only the owner and the group have executable > | > | permissions on it, and leave it in the wheel group? Or is there another > | > | reasoning behind creating a new group that I am not seeing? > | > > | > Neatness? > | > | If only wheel has execute access on su, then only people in wheel can su. > | Note that anyone can use su, they just can't su to root if they're not in > | wheel. > | > | Creating a new group wouldn't work anyway. > | su explicitly checks that the user calling it is in a group > | with gid=0, otherwise known as wheel. > > New group is to restrict hopping from noWheelUser1 -> wheelUser2 -> root > > if noWheelUser1 can't execute su they can't get to wheelUser2 Oh right. Sorry. 
Tune in next week to see if I can manage to read an entire thread :)

Ceri
--
keep a mild groove on

From owner-freebsd-security Wed Mar 27 09:48:36 2002
Date: Wed, 27 Mar 2002 12:48:26 -0500
From: Michael Lucas
To: Tom Rhodes
Cc: dan@tangledhelix.com, freebsd-security@FreeBSD.ORG
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020327124826.A88673@blackhelicopters.org>
References: <20020326185714.F22539@mail.webmonster.de> <20020326182003.F15545-100000@patrocles.silby.com> <20020326181634.A919@lothlorien.tangledhelix.net> <20020327074236.B86929@blackhelicopters.org> <20020327110100.6d638389.darklogik@pittgoth.com> <20020327105531.A88300@blackhelicopters.org> <20020327113022.00351ae5.darklogik@pittgoth.com>
In-Reply-To: <20020327113022.00351ae5.darklogik@pittgoth.com>; from darklogik@pittgoth.com on Wed, Mar 27, 2002 at 11:30:22AM -0500

(any followups should be directed to -doc)

On Wed, Mar 27, 2002 at 11:30:22AM -0500, Tom Rhodes wrote:
>
> Is there a reason that the ssh(1) information in the committers
> guide a little, well, out of date?
>

Because no new -doc committer has taken the time to write up their experiences with SSH to make it work correctly.
==ml

--
Michael Lucas  mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
my FreeBSD column: http://www.oreillynet.com/pub/q/Big_Scary_Daemons
http://www.blackhelicopters.org/~mwlucas/

From owner-freebsd-security Wed Mar 27 10:29:58 2002
Date: Wed, 27 Mar 2002 15:29:47 -0300
From: Fernan Aguero
To: FreeBSD Security
Subject: using ssh to run remote commands?
Message-ID: <20020327152947.B443@iib.unsam.edu.ar>
X-PGP-Key: http://genoma.unsam.edu.ar/~fernan/pubkey.asc

I'd like to know how to run remote commands using ssh. I know I can do it as myself, but I'd like to know how I can set up my systems to allow non-login users (root, operator, amanda) to run remote commands on other hosts.

Specifically, I want to know how I can run restore on the backup server (the one holding the tape drive) to recover full filesystems to a remote host. Obviously this should be done as either root or some other privileged user.
All examples point to rsh, and I'd like to know if this can be done securely using ssh.

Thanks in advance for any comments or pointers,

Fernan

From owner-freebsd-security Wed Mar 27 10:33:32 2002
Date: Wed, 27 Mar 2002 12:33:20 -0600
From: Rob Andrews
To: security@freebsd.org
Subject: sudo.. a better way maybe?
Message-ID: <20020327123320.T82300@switchblade.cyberpunkz.org>
Organization: Cyberpunk Alliance

I've had some thoughts about sudo after the dialog about su earlier.
Thought maybe someone might be able to shed some light on something I've been attempting to figure out how to put into action on machines of mine. While I've heard it being done I have yet to see any real support or documentation which might help me to support the following.

Sudo is safe provided that a user's password and account are not compromised by an outside forced intrusion. However, in the event that someone does gain access to a user account which does have sudo permission on the machine (this happened during a period where there was an openssh bug which allowed users on another system to gain passwords being used by other system users which were logging into a remote system via the hacked system) it would be a simple thing to just sudo with the user's current password which they already have in hand.

I've seen this done on linux systems and when we attempted to do much the same thing on a freebsd system it choked and died on us. Using pam we wanted to create a new sudo password file which pam would use to authenticate the user. Our attempts failed at the time due to sudo ending up crashing after repeated attempts to access the password file. It just made sense to attempt to do a compare of the user's current system password and fail that password for sudo should a user attempt to use it. Forcing the user to pick a new password that is in a separate database from the regular password file gives a small comfort zone that before was not able to be used with regard to sudo.

If anyone has any ideas or documentation dealing with this subject I'd be most appreciative for pointing me in the correct direction. I don't really like having the only way to gain access to the systems be with rsa keypairs, but thus far it seemed like the most logical solution to the problem I was having. I mean it's not completely safe either way. But the lack of plaintext passwords was the best alternative to my concerns about sudo access.

Thanks in advance..
Rob Andrews
http://cyberpunkz.org/

From owner-freebsd-security Wed Mar 27 10:36:12 2002
Date: Wed, 27 Mar 2002 13:35:48 -0500
From: Bill Vermillion
Reply-To: bv@wjv.com
To: Tom Rhodes
Cc: freebsd-security@freebsd.org
Subject: Re: Question on su / possible hole
Message-ID: <20020327183548.GI30556@wjv.com>
References: <20020327140006.GA30556@wjv.com> <20020327110616.58e6ead1.darklogik@pittgoth.com> <20020327180713.GF30556@wjv.com> <20020327133238.48e32908.darklogik@pittgoth.com>
In-Reply-To: <20020327133238.48e32908.darklogik@pittgoth.com>
Organization: W.J.Vermillion / Orlando - Winter Park

On Wed, Mar 27, 2002 at 01:32:38PM -0500, Tom Rhodes thus spoke:
> On Wed, 27 Mar 2002 13:07:13 -0500
> Bill Vermillion wrote:
>
> > On Wed, Mar 27, 2002 at 11:06:16AM -0500, Tom Rhodes thus spoke:
> > > On Wed, 27 Mar 2002 09:00:06 -0500
> > > Bill Vermillion wrote:
> > >
> > > > I don't know if this is where I should ask, so apologies if it's
> > > > the wrong place.
> >
> > > What I do with my server, users that are in the wheel group MUST
> > > use ssh(1) v2 key authentication. If you read the ssh
> > > documentation, there is a way you can restrict access to IP
> > > address also. You may wish to investigate the use of ssh(1) for
> > > your system ;)
>
> > Well I do use ssh and that is the only access other than for some
> > who are locked into their own ftp area.
>
> > But if a user comes in with ssh he can still su to a wheel user if
> > he figures out their password, and then su to root even if the
> > wheel group user uses SSH to get in.
>
> > So even if you restrict by IP the users who have wheel access, what
> > is to prevent someone who is not in that group from SUing to one
> > who is.
>
> > That was the point I was trying to make.
>
> > Someone else pointed out that I could make a group that could su
> > to root and take off the other permission on su - but that takes
> > away the other functionality of su - many think it only means
> > super user - and not substitute user - so you can assume the
> > identity and environment of another.
>
> I'm sorry, I thought you wanted to know WHO the user is that is trying
> to access su(1). My mistake hehe. Well, couldn't you remove the
> remove use of root completely? And only do administrative tasks
> locally? Or are you not around the box enough. Paranoia is good,
> but over paranoia can lead to health problems ;)

What I'm trying to get across is that perhaps the functionality of su might be changed to look at who the user really is that is invoking the su to root and permit only su to root for those in wheel, while leaving the su to anyone else available for normal users.

With my servers being exposed to the world I am as careful as I can and one of those has only three accounts with shell access. I drive to the colo every month or so to visit them - to make sure I don't smell smoke or have the drive bearings going. At 1:30AM it's only a 15 minute drive - in traffic it's nasty. And I have to remember to bring the security badge and my right hand for the biometric scan after the badge turns it on.

I just felt that the su man page is misleading in that it basically says only members of the wheel group [if it exists] can su to root. But su to another user in wheel and su to root is not even listed as a bug.

A friend of mine verified that this 'hole' has existed as far back as the 4.3-Reno he used. With today's heightened security I'm just thinking it could be time to tighten up that potential hole.

Your thought on changing permissions is good and I may implement that. Just an additional safeguard if some other program springs a leak and permits access where it should not.

Bill
--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security Wed Mar 27 10:43:23 2002
Date: Wed, 27 Mar 2002 12:42:13 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: Fernan Aguero
Cc: FreeBSD Security
Subject: Re: using ssh to run remote commands?
Message-ID: <3CA21285.9AD3074F@centtech.com>
References: <20020327152947.B443@iib.unsam.edu.ar>

Running remote commands with SSH is the same as running them with rsh.

Examples:

User A wants to run App on HOST as him/herself:

    As User A: ssh HOST App

User A wants to run App on HOST as User B:

    ssh userb@HOST App

You just have to make sure you set your keys up on the corresponding side. SSH's manpage is pretty decent and should help you with all that stuff. ssh should be pretty much a drop in replacement for rsh.

Eric

Fernan Aguero wrote:
>
> I'd like to know how to run remote commands using ssh.
> I know I can do it as myself, but I'd like to know how I can set up my
> systems to allow non-login users (root, operator, amanda) to run
> remote commands on other hosts.
>
> Specifically, I want to know how I can run restore on the backup server
> (the one holding the tape drive) to recover full filesystems to a
> remote host.
> Obviously this should be done as either root or some other privileged
> user.
>
> All examples point to rsh, and I'd like to know if this can be done
> securely using ssh.
>
> Thanks in advance for any comments or pointers,
>
> Fernan

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
You have my continuous partial attention
------------------------------------------------------------------

From owner-freebsd-security Wed Mar 27 10:44:50 2002
Date: Wed, 27 Mar 2002 11:44:30 -0700
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: bv@wjv.com
Cc: Tom Rhodes, freebsd-security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <15522.4878.525099.369944@caddis.yogotech.com>
In-Reply-To: <20020327183548.GI30556@wjv.com>
References: <20020327140006.GA30556@wjv.com> <20020327110616.58e6ead1.darklogik@pittgoth.com> <20020327180713.GF30556@wjv.com> <20020327133238.48e32908.darklogik@pittgoth.com> <20020327183548.GI30556@wjv.com>

> What I'm trying to get across is that perhaps the functionality of
> su might be changed to look at who the user really is that is
> invoking the su to root and permit only su to root for those in
> wheel, while leaving the su to anyone else available for normal
> users.

Then restrict su, as others have pointed out. There should be *NO* reason on your Colo box for anyone to use su, other than to gain root, correct?

> I just felt that the su man page is misleading in that it basically
> says only members of the wheel group [if it exists] can su to root.
> But su to another user in wheel and su to root is not even listed
> as a bug.

That's because once you su to another user, you *ARE* the other user, and you have *ALL* the rights and privileges of that user. The chown/chmod manpages don't talk about setting /bin/sh to root.wheel and mode 4755 as a way to give everyone root access either, but it's certainly possible. The manpages are there to describe common behavior.

If a user is silly enough to have an easily guessed password (or gives it out), and the root password is also easily guessed (or given out), then the computer is unsafe, regardless of su's behavior.

> A friend of mine verified that this 'hole' has existed as far
> back as the 4.3-Reno he used. With today's heightened security
> I'm just thinking it could be time to tighten up that potential
> hole.

I don't consider it any more a potential hole than *any* other 'potential' hole. Should the FS disallow someone from creating setuid/setgid binaries, since there is the potential for someone to abuse that feature as well?

Tools, not policy.

Nate

From owner-freebsd-security Wed Mar 27 11:05:43 2002
Date: Thu, 28 Mar 2002 07:05:26 +1200 (NZST)
From: Andrew McNaughton
To: Fernan Aguero
Cc: FreeBSD Security
Subject: Re: using ssh to run remote commands?
In-Reply-To: <20020327152947.B443@iib.unsam.edu.ar>
Message-ID: <20020328063946.E95005-100000@a2>

From the client account:

1) unless you already have .ssh/identity you need to create it

    ssh-keygen    # unless you already have .ssh/identity

2) add to authorized keys on the server account

    cat ~/.ssh/identity.pub | ssh user@remoteserver \
        'cat >> ~/.ssh/authorized_keys'

Now you can log in without presenting a password, which is good for scripts.

I'm not clear whether you want to be able to script things (meaning you need to use keys rather than passwords), but the example here basically shows you how to pipe data from one machine to another.

In terms of security, your main concern is that if someone gets at your backup server, they quickly get root access to everything you are going to back up. If possible you should disable all remote login access to your backup machine and manage backup and recovery from the console, and never log in from the other end to transfer backup data.
You can have root on each machine connect to an un-privileged acct on the backup machine to store backups, but chances are high that access to the data amounts to a compromise anyway.

This snippet from one of my backup scripts (in perl) might be useful to you:

------------- snip -------------
# %nickname maps each filesystem to a short name and $level is the
# dump level; both are set earlier in the script.
$compress_cmd = "gzip -c";
foreach $fs (keys %nickname) {
    # dump the filesystem to stdout and update /etc/dumpdates (-u)
    $dump_cmd  = "dump -${level} -a -f - -u ${fs}";
    # ship the compressed stream to host "orc" as user day2bak;
    # -e none disables the ssh escape character for binary data
    $store_cmd = "ssh -c blowfish -l day2bak -e none orc "
               . "'cat > /or1/day2_backup/dump_$nickname{$fs}_${level}.gz'";
    $exitcode = system("$dump_cmd | $compress_cmd | $store_cmd");
}
------------- snip -------------

You'd want to add some error checking to this.

Andrew McNaughton

On Wed, 27 Mar 2002, Fernan Aguero wrote:

> Date: Wed, 27 Mar 2002 15:29:47 -0300
> From: Fernan Aguero
> To: FreeBSD Security
> Subject: using ssh to run remote commands?
>
> I'd like to know how to run remote commands using ssh.
> I know I can do it as myself, but I'd like to know how I can set up my
> systems to allow non-login users (root, operator, amanda) to run
> remote commands on other hosts.
>
> Specifically, I want to know how I can run restore on the backup server
> (the one holding the tape drive) to recover full filesystems to a
> remote host.
> Obviously this should be done as either root or some other privileged
> user.
>
> All examples point to rsh, and I'd like to know if this can be done
> securely using ssh.
>
> Thanks in advance for any comments or pointers,
>
> Fernan

From owner-freebsd-security Wed Mar 27 11:36:43 2002
Date: Wed, 27 Mar 2002 14:36:24 -0500
From: Zvezdan Petkovic
To: freebsd-security@FreeBSD.ORG
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020327143624.B23316@dali.cs.wm.edu>
References: <20020326185714.F22539@mail.webmonster.de> <20020326182003.F15545-100000@patrocles.silby.com> <20020326181634.A919@lothlorien.tangledhelix.net> <20020327074236.B86929@blackhelicopters.org> <20020327110100.6d638389.darklogik@pittgoth.com>
In-Reply-To: <20020327110100.6d638389.darklogik@pittgoth.com>; from darklogik@pittgoth.com on Wed, Mar 27, 2002 at 11:01:00AM -0500

On Wed, Mar 27, 2002 at 11:01:00AM -0500, Tom Rhodes wrote:
>
> How about a nice addition to the ssh manual pages just because I do
> not think they describe things well enough. For instance, when I
> first started using scp(1), I fought like hell before I figured it
> out. I do not feel the manual page had a clear description of how
> to use scp(1). It did, however, cover the options well... I think
> that it should describe how to use protocol 2, I also think it should
> point you to a reference of the use options.
>
> Opinions?

My opinion is that this is absolutely clear to anybody who had ever read a manual page and knows that [] stand for optional things:

SYNOPSIS
     scp [-pqrvBC46] [-F ssh_config] [-S program] [-P port] [-c cipher]
         [-i identity_file] [-o ssh_option] [[user@]host1:]file1 [...]
         [[user@]host2:]file2

It's absolutely clear that to copy from local to remote computer one uses:

     scp file1 user@host:file2

and from remote to local

     scp user@host:file1 file2

What's not clear about it? Careful reading of other ssh man pages makes it clear how to set up your public keys and config files. I don't have any complaints about ssh man pages and have a very positive experience with OpenSSH setup on my network compared with the commercial SSH about two or three years ago (confusion with adding 2 to everything [ssh2, sshd2], total inability to use old config files for anything, etc.)
--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/

From owner-freebsd-security Wed Mar 27 11:38:56 2002
Date: Wed, 27 Mar 2002 11:39:00 -0800
From: Greg Shenaut
Reply-To: gkshenaut@ucdavis.edu
To: security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-Id: <200203271939.g2RJd0965401@thistle.bogs.org>
In-reply-to: Your message of "Wed, 27 Mar 2002 11:44:30 MST." <15522.4878.525099.369944@caddis.yogotech.com>

In message <15522.4878.525099.369944@caddis.yogotech.com>, Nate Williams cleopede:
>> What I'm trying to get across is that perhaps the functionality of
>> su might be changed to look at who the user really is that is
>> invoking the su to root and permit only su to root for those in
>> wheel, while leaving the su to anyone else available for normal
>> users.
>
>Then restrict su, as others have pointed out. There should be *NO*
>reason on your Colo box for anyone to use su, other than to gain root,
>correct?
Someone might want to use it to become another user besides root--this is something I do from time to time--but the question is, should ordinary (i.e., nonwheel) users be allowed to do that even if they know the password? I think perhaps not, so I add my vote for making /usr/bin/su mode 4554.

However, I point out that if you know the password you can always do "{telnet,ssh} -l wheeluser localhost" which is much the same from the power perspective as "su wheeluser".

Greg Shenaut

From owner-freebsd-security Wed Mar 27 12:16:20 2002
Date: Wed, 27 Mar 2002 20:16:00 +0000 (GMT)
From: Jim Durham
To: Fernan Aguero
Cc: FreeBSD Security
Subject: Re: using ssh to run remote commands?
In-Reply-To: <20020327152947.B443@iib.unsam.edu.ar>

On Wed, 27 Mar 2002, Fernan Aguero wrote:

> I'd like to know how to run remote commands using ssh.
> I know I can do it as myself, but I'd like to know how I can set up my
> systems to allow non-login users (root, operator, amanda) to run
> remote commands on other hosts.
>
> Specifically, I want to know how I can run restore on the backup server
> (the one holding the tape drive) to recover full filesystems to a
> remote host.
> Obviously this should be done as either root or some other privileged > user. > > All examples point to rsh, and I'd like to know if this can be done > securely using ssh. > You can do this pretty easily with 'expect'. You will need to have your private/public key set installed properly so you don't have to put a password in your script. At that point, just have expect spawn ssh and connect to the backup machine and execute the commands. All these kinds of things are frought with danger. At least, this way, the only thing that could really kill you is someone getting your private key. Putting a password in your script is even worse, though. You might also investigate rsync over ssh for backups. You could fire this off as a cron job from the backup. -Jim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 27 13:37:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from slc.edu (weir-01c.slc.edu [207.106.89.46]) by hub.freebsd.org (Postfix) with ESMTP id 7768A37B416 for ; Wed, 27 Mar 2002 13:37:36 -0800 (PST) Received: (from anthony@localhost) by slc.edu (8.11.1/8.11.1) id g2RLd1u33246 for freebsd-security@freebsd.org; Wed, 27 Mar 2002 16:39:01 -0500 (EST) (envelope-from anthony) Date: Wed, 27 Mar 2002 16:39:01 -0500 From: Anthony Schneider To: freebsd-security@freebsd.org Subject: a possible solution (re: su thread) Message-ID: <20020327163901.A33089@mail.slc.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --tThc/1wpZn/ma/RB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable So, 
with all the discussion about the wheel group and su, I figured I'd come right out to the community about a project I've had in mind for some months, but which I will likely be able to do given that some time will be freed up in the next month or two (graduation :).

The tool, quite simply, is an access "gate" to more security sensitive executables. The inspiration behind this comes from several places, but namely that UNIX permissions are not adequate for more elaborate user isolation schemes. For instance, take su as an example:

1) only users in group wheel should be allowed to su to root.
2) certain users should not be allowed to su to any other account whatsoever.
3) certain users should be allowed to su to certain accounts, but not root.

What this tool would do is be a wrapper, acting very much like sudo, but which would not run setuid root. Let's call the tool swrap for now. swrap would be a setgid binary, and other security sensitive executables would be located in, say, /usr/local/swrap/bin. The actual executables would be symlinks to swrap, so for instance, su would be /usr/bin/su -> /usr/local/bin/swrap, with the actual binary in /usr/local/swrap/bin/su, permed gid executable only for gid swrap. /usr/local/bin/swrap would be setgid swrap. The actual swrap binary would determine binname = strrchr(argv[0], '/'); binname++;, and read its rc file, /usr/local/swrap/etc/swrap.conf, for an entry like such:

entry su {
    # individual users allowed to execute su
    ulist = [anthony, mark, sally, james, jessica]
    # groups allowed to execute su
    glist = [staff, users]
    # log specifications for specific users and groups
    log[ulist[anthony]] = [syslog]
    log[ulist[*]] = [syslog, "/mnt/lognfs/swrap.log"]
    ...
    # log all attempts by unauthorized users
    log[*] = [syslog, "/mnt/lognfs/swrap.log"]
}

The actual config language could be expanded upon greatly, possibly to include a list of allowed flags (so ulist[mark] could not su to sally, but could su to jessica, and ulist[sally] could su to mark, but not james...). The grammar is simple, and would not take up too many cpu cycles to parse for each invocation.

This is, admittedly, very similar to sudo, but it would in effect be creating domains in which executables, attempted to be invoked by particular users/groups, could somewhat securely run, without the tool itself having to be setuid root. Possible other binaries to be included: ssh (and all of its s* children), telnet, ftp, sendmail, lynx, ping, traceroute, ps, w...you get the idea. This is very much influenced by how more and more common open systems are these days, and how restrictions on basic utilities are a necessity.

If anyone has any input, criticism, encouraging words for someone who wants to write a tool that might be aggressively shot down for its likeness to another tool, please feel free to dump them on me.

-Anthony.
-----------------------------------------------
PGP key at: http://www.keyserver.net/
            http://www.anthonydotcom.com/gpgkey/key.txt
Home: http://www.anthonydotcom.com
-----------------------------------------------

From owner-freebsd-security Wed Mar 27 14:13:46 2002
Date: Wed, 27 Mar 2002 17:15:02 -0500
From: Anthony Schneider
To: freebsd-security@FreeBSD.ORG
Subject: Re: a possible solution (re: su thread)
Message-ID: <20020327171502.A33652@mail.slc.edu>
In-Reply-To: <20020327163901.A33089@mail.slc.edu>

oh, by the way, as another person mentioned to me already, this idea is also quite
akin to notions in the trustedbsd paradigm. he's right, it is. the idea is that the tool would be extremely portable across *NIX platforms. it would of course in no way stand above trustedbsd, and that is not my intention. it would, however, somewhat mirror access control policies in trustedbsd in userland. again, any ideas on how to make this more flexible, secure, etc., are welcomed.

-Anthony.
-----------------------------------------------
PGP key at: http://www.keyserver.net/
            http://www.anthonydotcom.com/gpgkey/key.txt
Home: http://www.anthonydotcom.com
-----------------------------------------------

From owner-freebsd-security Wed Mar 27 14:57:07 2002
Date: Wed, 27 Mar 2002 23:57:07 +0100 (CET)
From: mininx
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org
Subject: loop-aes (porting)

Hi!
I'm looking for people helping to port loop-aes (www.sourceforge.net/projects/loop-aes) under FreeBSD. It is a type of encrypted fs just like CFS. But since I had many problems with CFS (unsolved problems, and there were no answers for them from the writer or from the mailing list) I decided to port this really good stuff under FreeBSD.

If you have time/energy, and have ideas (because I don't have any) where to start, feel free to mail me.

regards
mininx

ps: sorry for crossposting...

From owner-freebsd-security Wed Mar 27 16:07:39 2002
Date: Thu, 28 Mar 2002 01:06:58 +0100
From: Krzysztof Zaraska
To: "Josh Snyder"
Cc: security@FreeBSD.org
Subject: Re: NAT / Firewall Question
Message-Id: <20020328010658.07dcd02c.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <00e801c1d59d$2b463e10$4400000a@nitco.com>
Organization: University Of Mining And Metallurgy

On Wed, 27 Mar 2002 08:39:14
-0600 Josh Snyder wrote:
> I am going to be setting up a box to do NAT with my Ameritech ADSL (Alcatel
> SpeedTouch USB modem) and I was wondering if there was any reason that I
> should use FreeBSD with ipfw/ipfilter ( I don't really know the difference)

In short... ipfilter is more advanced and employs more in-depth checks.

> rather than Linux with iptables? I fully admit that I haven't really
> researched the two options thoroughly and I've only setup a very basic one
> rule NAT configuration for my friend. I was hoping that you all may have
> some insight as to why or if FreeBSD makes a better NAT / Firewall box.

Okay, here are some of my personal thoughts on the subject:

- ipfw is the simplest of all three, and the easiest to set up, however NAT has to be done with an external application (like natd or with pppd). It has some limitations (you can't do active FTP for example, but every decent client supports passive mode nowadays), but works well for me as a simple firewall and I'd recommend it for such purposes.

- ipfilter is the most powerful and flexible, doing NAT is simple, rulesets may be a bit tricky, but I found it to be very well documented; for a home firewall it may be overkill, unless you can't live without active FTP and similar stuff.

- iptables is a good firewall, it can do a lot (NAT, active FTP, even more) but I find it overcomplicated from the user's point of view.

Generally I prefer BSD-based firewalls to Linux-based because of simplicity: you can build a FreeBSD firewall having installed only the base system plus a handful of ports (e.g. some text editor if you are not a vi fan), while with Linux you may easily end up with dozens of packages and complicated dependencies between them.

I would also recommend browsing through some documentation (like HOWTOs, etc.) on all of these firewalls, just to see how each of them matches your needs.
Good luck,
Krzysztof

--
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
// -- Stanislaw Lem

From owner-freebsd-security Wed Mar 27 16:38:14 2002
Date: Wed, 27 Mar 2002 16:38:06 -0800
From: "Crist J. Clark"
To: Ceri
Cc: Tom Rhodes, Michael Lucas, dan@tangledhelix.com, freebsd-security@FreeBSD.org
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020327163806.U89885@blossom.cjclark.org>
References: <20020326185714.F22539@mail.webmonster.de> <20020326182003.F15545-100000@patrocles.silby.com> <20020326181634.A919@lothlorien.tangledhelix.net> <20020327074236.B86929@blackhelicopters.org> <20020327110100.6d638389.darklogik@pittgoth.com> <20020327160245.GA60990@submonkey.net>
In-Reply-To: <20020327160245.GA60990@submonkey.net>

On Wed, Mar 27, 2002 at 04:02:45PM +0000, Ceri wrote:
[snip]
> I think the scp(1) manpages are clear enough, to be honest.
> I mean, the syntax is essentially just a mix between cp(1) and ssh(1),
> except that it treats a destination filename containing a ':' as a
> hostname:path combination.

For anyone who ever used rcp(1), scp(1) is obvious. Just like how ssh(1) replaces rsh(1). The ssh(1) suite was meant as a drop-in replacement for the BSD r* tools.

--
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Wed Mar 27 16:45:34 2002
Date: Wed, 27 Mar 2002 16:45:25 -0800
From: "Crist J. Clark"
To: Fernan Aguero
Cc: FreeBSD Security
Subject: Re: using ssh to run remote commands?
Message-ID: <20020327164525.V89885@blossom.cjclark.org>
In-Reply-To: <20020327152947.B443@iib.unsam.edu.ar>

On Wed, Mar 27, 2002 at 03:29:47PM -0300, Fernan Aguero wrote:
> I'd like to know how to run remote commands using ssh.
> I know I can do it as myself, but I'd like to know how can I set up my
> systems to allow non-login users (root, operator, amanda) to run
> remote commands on other hosts.
>
> Specifically, I want to know how can I run restore on the backup server
> (the one holding the tape drive) to recover full filesystems to a
> remote host.
> Obviously this should be done as either root or some other privileged
> user.
>
> All examples point to rsh, and I'd like to know if this can be done
> securely using ssh.

rsh(1) and ssh(1) have the same syntax. All of the rsh(1) command lines in your examples will work. The only difference is how the authentication works.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Wed Mar 27 21:13:13 2002
Date: Thu, 28 Mar 2002 05:13:04 +0000
From: Alex Holst
To: security@freebsd.org
Subject: Re: sudo.. a better way maybe?
Message-ID: <20020328051304.GA63631@area51.dk>
In-Reply-To: <20020327123320.T82300@switchblade.cyberpunkz.org>

Quoting Rob Andrews (rob@cyberpunkz.org):
> Sudo is safe provided that a users password and account are not compromised
> by an outside forced intrusion. However.
> In the event that someone does
> gain access to a user account which does have sudo permission on the machine
> (This happened during a period where there was an openssh bug which allowed
> users on another system to gain passwords being used by other system users
> which were logging into remote system via the hacked system) it would be
> a simple thing to just sudo with the users current password which they
> already have in hand.

This sounds like a policy question.

First, if you are running vulnerable or trojaned software, all bets are off anyway. Install a file integrity checker.

Second, most users wouldn't need blanket sudo access. Staff *might* need blanket sudo access. If you are so worried about compromised accounts, why are you using password-based authentication for logins and sudo access in the first place? Get a two factor authentication solution.

--
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                 http://a.area51.dk/

From owner-freebsd-security Wed Mar 27 22:33:59 2002
Date: Thu, 28 Mar 2002 16:51:17 +1030 (CST)
From: "Wilkinson,Alex"
Reply-To: Alex.Wilkinson@dsto.defence.gov.au
To: FreeBSD-Security@freebsd.org
Subject: pf OR ipf ?
Message-ID: <20020328165033.S76574-100000@squirm.dsto.defence.gov.au>

Howdy Crew,

Is it possible to use OpenBSD's pf (Packet Filter - Firewall) with FreeBSD ? Or shall I use IPF ?

Comments, suggestions, *wisdom* ;) ?

Thanks

 - Alex

From owner-freebsd-security Wed Mar 27 22:46:45 2002
Date: Thu, 28 Mar 2002 06:46:40 +0000
From: Alex Holst
To: security@freebsd.org
Subject: Re: pf OR ipf ?
Message-ID: <20020328064640.GA74780@area51.dk>
In-Reply-To: <20020328165033.S76574-100000@squirm.dsto.defence.gov.au>

Quoting Wilkinson,Alex (Alex.Wilkinson@dsto.defence.gov.au):
> Howdy Crew,
>
> Is it possible to use OpenBSD's pf (Packet Filter - Firewall) with FreeBSD ?

pf currently runs only on OpenBSD. Jordan Hubbard has expressed annoyance with the fact that there are now three filters (ipfw, ipf and pf) so it seems unlikely that FreeBSD is going to port it.

--
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                 http://a.area51.dk/

From owner-freebsd-security Wed Mar 27 22:46:49 2002
Date: Thu, 28 Mar 2002 00:46:38 -0600
From: Christopher Schulte
To: Alex.Wilkinson@dsto.defence.gov.au, FreeBSD-Security@freebsd.org
Subject: Re: pf OR ipf ?
Message-Id: <5.1.0.14.0.20020328004006.040094d0@pop3s.schulte.org>
In-Reply-To: <20020328165033.S76574-100000@squirm.dsto.defence.gov.au>

At 04:51 PM 3/28/2002 +1030, Wilkinson,Alex wrote:
>Is it possible to use OpenBSD's pf (Packet Filter - Firewall) with FreeBSD ?
>Or shall I use IPF ?

Nope. Use IPF or IPFW with FreeBSD.

There was a long thread on this topic on comp.unix.bsd.freebsd.misc in Feb 2002. Probably elsewhere too. In a nutshell, OpenBSD's PF only exists because of licensing issues with IPF. No such problems exist on FreeBSD, so PF is not really needed. Thus, I don't think there's any compelling reason to port it to FreeBSD.

> - Alex

--
Christopher Schulte
http://www.schulte.org/
Do not un-munge my @nospam.schulte.org email address. This address is valid.

From owner-freebsd-security Wed Mar 27 22:56:19 2002
From: Darren Reed
Message-Id: <200203280655.g2S6twk5004181@cairo.anu.edu.au>
Subject: Re: pf OR ipf ?
To: Alex.Wilkinson@dsto.defence.gov.au
Date: Thu, 28 Mar 2002 17:55:58 +1100 (Australia/NSW)
Cc: FreeBSD-Security@FreeBSD.ORG
In-Reply-To: <20020328165033.S76574-100000@squirm.dsto.defence.gov.au> from "Wilkinson,Alex" at Mar 28, 2002 04:51:17 PM

In some mail from Wilkinson,Alex, sie said:
>
> Howdy Crew,
>
> Is it possible to use OpenBSD's pf (Packet Filter - Firewall) with FreeBSD ?
> Or shall I use IPF ?

You should use IPF on FreeBSD AND OpenBSD.

Why use PF when you can use IPF ? :)

Darren

From owner-freebsd-security Thu Mar 28 00:37:27 2002
Date: Thu, 28 Mar 2002 09:39:57 +0100
From: Damir Horvat
To: freebsd-security@freebsd.org
Subject: Re: using ssh to run remote commands?
Message-Id: <20020328093957.0bd6a3b0.damir@voljatel.si>
In-Reply-To: <20020327152947.B443@iib.unsam.edu.ar>
Organization: Voljatel telekomunikacije d.d.
On Wed, 27 Mar 2002 15:29:47 -0300 Fernan Aguero wrote:
> I'd like to know how to run remote commands using ssh.

This has already been explained as I can see. But the nice thing about this whole thing is being lazy. I do all my MRTG's like this .... No need for SNMPD.

example:

ssh user@mailserver grep sent /var/log/maillog | wc -l
ssh user@mailserver grep deferred /var/log/maillog | wc -l

you feed this to MRTG and get a nice graph of sent and deferred mails.

Like I said, being lazy is a good thing.

regards,
damir

--
.................................
Damir Horvat
System administrator
VOLJATEL telekomunikacije d.d.
Smartinska 106
SI-1000 Ljubljana
Slovenia
.
Tel. +386.(0)1.5875 832
Fax. +386.(0)1.5875 899
www.voljatel.si
E-mail: damir.horvat@voljatel.si
.................................
From owner-freebsd-security Thu Mar 28 00:41:05 2002
Date: Thu, 28 Mar 2002 19:40:44 +1100
From: "Michael Phaze"
Subject: Re: pf OR ipf ?
Message-ID: <001201c1d634$431afc50$2e01a8c0@MICHAEL2>
References: <200203280655.g2S6twk5004181@cairo.anu.edu.au>

> > Howdy Crew,
> >
> > Is it possible to use OpenBSD's pf (Packet Filter - Firewall) with FreeBSD ?
> > Or shall I use IPF ?
>
> You should use IPF on FreeBSD AND OpenBSD.
>
> Why use PF when you can use IPF ?
:)
>
> Darren
>

It's probably a backlash against the lack of a code merge into FreeBSD Stable of IPFilter (being 3.4.20) and the latest version of IPFilter being 3.4.25 :)

From owner-freebsd-security Thu Mar 28 00:46:26 2002
Date: Thu, 28 Mar 2002 00:46:05 -0800 (PST)
From: Jason Stone
To: Fernan Aguero
Cc: FreeBSD Security
Subject: Re: using ssh to run remote commands?
Message-ID: <20020328003857.J5333-100000@walter>
In-Reply-To: <20020327152947.B443@iib.unsam.edu.ar>

> I'd like to know how to run remote commands using ssh. I know I can do
> it as myself, but I'd like to know how can I set up my systems to
> allow non-login users (root, operator, amanda) to run remote commands
> on other hosts.

You can't - ssh will always try to run a command by calling the user's shell, so unless you patch it, you _must_ give the user a valid shell.

The best you can do is to give the user a valid shell but an invalid password (eg, "*") and use ssh keys to authenticate. For additional security, you can specify a command along with the key in the authorized_keys file so that the key can _only_ be used to run that command (and not to get a shell). man ssh, ssh-keygen.
-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say "Daddy, where were
you when they took freedom of the press away from the Internet?"
  -- Mike Godwin

From owner-freebsd-security Thu Mar 28 00:58:48 2002
Date: Thu, 28 Mar 2002 08:56:22 +0000
From: Simon Dick
To: Michael Phaze
Cc: FreeBSD-Security@FreeBSD.ORG
Subject: Re: pf OR ipf ?
Message-ID: <20020328085622.GB2725@irrelevant.org>
In-Reply-To: <001201c1d634$431afc50$2e01a8c0@MICHAEL2>

On Thu, Mar 28, 2002 at 07:40:44PM +1100, Michael Phaze wrote:
> > > Howdy Crew,
> > >
> > > Is it possible to use OpenBSD's pf (Packet Filter - Firewall) with
> FreeBSD ?
> > > Or shall I use IPF ?
> > You should use IPF on FreeBSD AND OpenBSD.
> >
> > Why use PF when you can use IPF ? :)
> >
> > Darren
>
> Its probably a backlash against the lack of a code merge into FreeBSD
> Stable of IPFilter (being 3.4.20) and the latest version of IPFilter being
> 3.4.25
> :)

But 3.4.25 is in current and I guess it'll get MFCd eventually :)

-- 
Simon Dick
simond@irrelevant.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 28 1: 4:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from axis.tdd.lt (axis.tdd.lt [213.197.128.94]) by hub.freebsd.org (Postfix) with ESMTP id BB77E37B404 for ; Thu, 28 Mar 2002 01:04:44 -0800 (PST)
Received: from localhost (midom@localhost) by axis.tdd.lt (8.11.6/8.11.6) with ESMTP id g2S93pD29346; Thu, 28 Mar 2002 11:03:51 +0200 (EET) (envelope-from domas.mituzas@delfi.lt)
X-Authentication-Warning: axis.tdd.lt: midom owned process doing -bs
Date: Thu, 28 Mar 2002 11:03:51 +0200 (EET)
From: Domas Mituzas
X-X-Sender: midom@axis.tdd.lt
To: Jason Stone
Cc: Fernan Aguero , FreeBSD Security
Subject: Re: using ssh to run remote commands?
In-Reply-To: <20020328003857.J5333-100000@walter>
Message-ID: <20020328105535.W10792-100000@axis.tdd.lt>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

I've been using my simplified shell for these reasons. I use it for invoking programs/scripts in ~/bin/ (owned not by user). Here's the small source. Keep in mind it understands whitespace separated strings as different arguments, but it isn't my trouble actually.
It is called dsh (dumb shell, dammit-shell, delfi-shell, whatever :) and is the main component of my service http://shells.dammit.lt/ (sorry all content is in Lithuanian, but you'd find it really amusing =)

Right now I'm also implementing a kind of sexec idea - passing of argv as a binary data structure via ssh tunnels and calling exec on the remote side. Of course that should introduce an additional check, as right now the ability to exec is specified by how the user's shell interprets the -c argument. This security issue can be easily resolved by an AllowExec parameter in sshd.conf. dumbsh was an intermediate step to a normal secure remote procedure call.

BR,
Domas

/* $Id: main.c,v 1.6 2001/11/03 14:33:23 midom Exp $ */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAXARGS 10
#define ONLY "bin/"

int
main(int ac, char **av)
{
	char **ap, *argv[MAXARGS], *is;

	/*
	 * skip first two arguments - the first gives shell name, that we
	 * know and the second gives "-c" that we also know
	 */
	if (ac < 3)		/* no "-c <command>": nothing to do */
		exit(0);
	av += 2;
	is = av[0];

	/* build argv from stupid string */
	for (ap = argv; (*ap = strsep(&is, " \t")) != NULL;)
		if (**ap != '\0')
			if (++ap >= &argv[MAXARGS - 1])
				break;
	*ap = NULL;		/* execv() needs a NULL-terminated vector */

	/* empty command string: nothing to run */
	if (argv[0] == NULL)
		exit(0);

	/* check for l33t guys */
	if (strstr(argv[0], "..") != NULL) {
		printf("breakin attempt\n");
		exit(0);
	}

	/* limiting access and running program: only the "bin/" prefix passes */
	if (!strncmp(argv[0], ONLY, strlen(ONLY)))
		execv(argv[0], argv);
	return (1);
}

> You can't - ssh will always try to run a command by calling the user's
> shell, so unless you patch it, you _must_ give the user a valid shell.
>
> The best you can do is to give the user a valid shell but an invalid
> password (eg, "*") and use ssh keys to authenticate. For additional
> security, you can specify a command along with the key in the
> authorized_keys file so that the key can _only_ be used to run that
> command (and not to get a shell). man ssh, ssh-keygen.
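Jason's suggestion (a command= option on the key in authorized_keys) and Domas's dsh both try to do the same thing: let a key start a few named programs and nothing else. The following is an added example for this thread, written for it and not taken from dsh, from OpenSSH or from any poster. It is a forced-command wrapper in sh: OpenSSH runs it instead of the client's request and hands the request over in SSH_ORIGINAL_COMMAND, and the script only execs a program from a fixed allowlist. The script name keywrap, the install path /usr/local/libexec/keywrap, the directory /usr/local/libexec/keywrap.d and the allowlist "backup rotate status" are assumptions of the example; the authorized_keys option names (command=, no-pty, no-port-forwarding, no-X11-forwarding, no-agent-forwarding) and the SSH_ORIGINAL_COMMAND variable are OpenSSH's.

```shell
#!/bin/sh
# keywrap: forced-command wrapper for a key that may only start a few programs.
# Added example for this thread; it is neither dsh nor OpenSSH code.
# Assumptions (all of them the example's, not the thread's):
#   - the key's line in ~/.ssh/authorized_keys names this script with
#     OpenSSH's options, e.g.
#       command="/usr/local/libexec/keywrap",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... backup@client
#     (the install path is assumed; the option names are OpenSSH's)
#   - the programs the key may run live in ALLOWED_DIR, owned by root and not
#     writable by the key's user (the same reason dsh's ~/bin is not user-owned)
#   - sshd passes the client's requested command in SSH_ORIGINAL_COMMAND
set -f   # requests are split unquoted below; never let the shell glob them

ALLOWED_DIR="${ALLOWED_DIR:-/usr/local/libexec/keywrap.d}"   # assumed location
ALLOWED_CMDS="backup rotate status"                          # constructed allowlist
MAXARGS=10                                                   # word cap, like dsh's MAXARGS

# check_request "<requested command line>"
# Prints the program name and returns 0 if the request may run, otherwise
# prints nothing and returns 1. The name is matched against ALLOWED_CMDS,
# not against the filesystem, so "/", "..", quotes and shell metacharacters
# never get anywhere near exec.
check_request() {
    [ -n "$1" ] || return 1              # plain "ssh host" with no command
    set -- $1                            # split on whitespace, as dsh does
    [ "$#" -ge 1 ] || return 1           # whitespace only
    [ "$#" -le "$MAXARGS" ] || return 1
    for word; do                         # every word: letters, digits, _ and - only
        case $word in
            *[!A-Za-z0-9_-]*) return 1 ;;
        esac
    done
    for allowed in $ALLOWED_CMDS; do
        if [ "$1" = "$allowed" ]; then
            printf '%s\n' "$1"
            return 0
        fi
    done
    return 1
}

# run_request "<requested command line>": exec the allowed program with the
# remaining words as its arguments; log and refuse anything else.
run_request() {
    prog=$(check_request "$1") || {
        logger -p auth.warning -t keywrap "refused: ${1:-<empty>}"
        echo "command not permitted" >&2
        return 1
    }
    set -- $1
    shift
    exec "$ALLOWED_DIR/$prog" "$@"
}

# Entry point when sshd runs this script as the forced command. With no
# SSH_ORIGINAL_COMMAND at all (interactive login attempt) nothing runs and
# the session simply ends; no shell is ever handed out.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    run_request "$SSH_ORIGINAL_COMMAND"
fi
```

The point of matching the first word against a list instead of checking a path prefix (as dsh's strncmp against "bin/" does) is that the program name never comes from the client: the client can only pick one of the names the administrator wrote into ALLOWED_CMDS, and every word of the request is restricted to a character class that cannot express a path, a quote or a shell operator. Refused requests go to syslog at auth.warning, which is where a defender would look for keys being probed.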
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 28 3: 6: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from atlantis.dp.ua (atlantis.dp.ua [193.108.46.1]) by hub.freebsd.org (Postfix) with ESMTP id B1F9137B400 for ; Thu, 28 Mar 2002 03:06:03 -0800 (PST) Received: from localhost (dmitry@localhost) by atlantis.dp.ua (8.11.1/8.11.1) with ESMTP id g2SB5sd64384 for ; Thu, 28 Mar 2002 13:05:56 +0200 (EET) (envelope-from dmitry@atlantis.dp.ua) Date: Thu, 28 Mar 2002 13:05:54 +0200 (EET) From: Dmitry Pryanishnikov To: Subject: FreeBSD-SA-02:18.zlib vs kern/35969, take 2 Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello! When fixed SA-02:18 (the one which doesn't break sys/net/zlib.c functionality) will be available? I hate both running on the kernel with the potential hole and on the broken kernel. Sincerely, Dmitry Atlantis ISP, System Administrator e-mail: dmitry@atlantis.dp.ua nic-hdl: LYNX-RIPE To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 28 3: 9:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from itt.net.ua (2telekom.itt.net.ua [193.109.80.249]) by hub.freebsd.org (Postfix) with ESMTP id 4CB8337B417 for ; Thu, 28 Mar 2002 03:09:09 -0800 (PST) Received: (from root@localhost) by itt.net.ua (8.11.6/8.11.6) id g2SB8hC56975 for security@freebsd.org; Thu, 28 Mar 2002 13:08:43 +0200 (EET) Date: Thu, 28 Mar 2002 13:08:42 +0200 From: radzivilyuk@itt.net.ua (Radzivilyuk V.O.) 
To: security@freebsd.org
Message-ID:
Subject: can't su to root
X-Mailer: Necrosoft Outgluk Express for UNIX
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

hi.

Have FreeBSD 4.3.release
Can't su to root.
Sure type right password.
$su
Password:
Sorry
$

Accept only if login as root.
Reinstall binary & kernel source
+ reboot, config -r CORE, make depend, make, make install, reboot
Have still the same.

Help understand the reason.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 28 3:14:30 2002
Delivered-To: freebsd-security@freebsd.org
Received: from yoda.bph.ruhr-uni-bochum.de (yoda.bph.ruhr-uni-bochum.de [134.147.196.7]) by hub.freebsd.org (Postfix) with ESMTP id E457337B416 for ; Thu, 28 Mar 2002 03:14:25 -0800 (PST)
Received: from bph.ruhr-uni-bochum.de (gonzo [134.147.196.22]) by yoda.bph.ruhr-uni-bochum.de (8.8.8/8.8.8) with ESMTP id MAA10234; Thu, 28 Mar 2002 12:14:04 +0100
Message-ID: <3CA2FAF1.AC8B20B0@bph.ruhr-uni-bochum.de>
Date: Thu, 28 Mar 2002 12:13:54 +0100
From: Christoph Wegener
Organization: Ruhr-Universitaet Bochum - Lehrstuhl fuer Biophysik
X-Mailer: Mozilla 4.76 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Radzivilyuk V.O."
Cc: security@FreeBSD.ORG
Subject: Re: can't su to root
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

are you a member of the wheel group?!?

HTH

Christoph

"Radzivilyuk V.O." wrote:
> hi.
>
> Have FreeBSD 4.3.release
> Can't su to root.
> Sure type right password.
> $su
> Password:
> Sorry
> $
>
> Accept only if login as root.
> Reinstall binary & kernel source
> + reboot, config -r CORE, make depend, make, make install, reboot
> Have still the same.
>
> Help understand the reason.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
 .-.                     Ruhr-Universitaet Bochum
 /v\   L I N U X         Lehrstuhl fuer Biophysik
// \\ >Penguin Computing< c/o Christoph Wegener
/( )\                    Gebaeude ND 04/Nord
^^-^^                    D-44780 Bochum, GERMANY
Tel: +49 (234) 32-25754  Fax: +49 (234) 32-14626
mailto:cwe@bph.ruhr-uni-bochum.de  http://www.bph.ruhr-uni-bochum.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 28 3:15:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from axis.tdd.lt (axis.tdd.lt [213.197.128.94]) by hub.freebsd.org (Postfix) with ESMTP id 8719937B416 for ; Thu, 28 Mar 2002 03:14:57 -0800 (PST)
Received: from localhost (midom@localhost) by axis.tdd.lt (8.11.6/8.11.6) with ESMTP id g2SBDvL00807; Thu, 28 Mar 2002 13:13:57 +0200 (EET) (envelope-from domas.mituzas@delfi.lt)
X-Authentication-Warning: axis.tdd.lt: midom owned process doing -bs
Date: Thu, 28 Mar 2002 13:13:57 +0200 (EET)
From: Domas Mituzas
X-X-Sender: midom@axis.tdd.lt
To: "Radzivilyuk V.O."
Cc: security@FreeBSD.ORG
Subject: Re: can't su to root
In-Reply-To:
Message-ID: <20020328131303.F98036-100000@axis.tdd.lt>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

Either you are not in group wheel (after mergemaster /etc/group could be overwritten), or su lost its setuid flag.
-- BR, Domas Mituzas DELFI Internet, UAB To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 28 3:16:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailf.telia.com (mailf.telia.com [194.22.194.25]) by hub.freebsd.org (Postfix) with ESMTP id A739B37B447 for ; Thu, 28 Mar 2002 03:16:28 -0800 (PST) Received: from d1o913.telia.com (d1o913.telia.com [195.252.44.241]) by mailf.telia.com (8.11.6/8.11.6) with ESMTP id g2SBGR526323 for ; Thu, 28 Mar 2002 12:16:27 +0100 (CET) Received: from falcon.midgard.homeip.net (h68n2fls20o913.telia.com [212.181.163.68]) by d1o913.telia.com (8.8.8/8.8.8) with SMTP id MAA08267 for ; Thu, 28 Mar 2002 12:16:26 +0100 (CET) Received: (qmail 10800 invoked by uid 1001); 28 Mar 2002 11:16:25 -0000 Date: Thu, 28 Mar 2002 12:16:25 +0100 From: Erik Trulsson To: "Radzivilyuk V.O." Cc: security@freebsd.org Subject: Re: can't su to root Message-ID: <20020328111624.GA10686@student.uu.se> Mail-Followup-To: "Radzivilyuk V.O." , security@freebsd.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.28i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Mar 28, 2002 at 01:08:42PM +0200, Radzivilyuk V.O. wrote: > hi. > > Have FreeBSD 4.3.release > Can't su to root. > Sure type right password. > $su > Password: > Sorry > $ > > Accept only if login as root. > Reinstall binary & kernel source > + reboot, config -r CORE, make depend, make, make install, reboot > Have still the same. > > Help understand the reason. You must be a member of the wheel group to be able to su to root. You can check what groups you belong to with the groups(1) command. 
-- 
Erik Trulsson
ertr1013@student.uu.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 28 3:18:13 2002
Delivered-To: freebsd-security@freebsd.org
Received: from heresy.dreamflow.nl (heresy.dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id A911637B41C for ; Thu, 28 Mar 2002 03:18:04 -0800 (PST)
Received: (qmail 22438 invoked by uid 1000); 28 Mar 2002 11:18:34 -0000
Date: Thu, 28 Mar 2002 12:18:34 +0100
From: Bart Matthaei
To: Christoph Wegener
Cc: radzivilyuk@itt.net.ua, freebsd-security@freebsd.org
Subject: Re: can't su to root
Message-ID: <20020328121834.S75406@heresy.dreamflow.nl>
References: <3CA2FAF1.AC8B20B0@bph.ruhr-uni-bochum.de>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="uQr8t48UFsdbeI+V"
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <3CA2FAF1.AC8B20B0@bph.ruhr-uni-bochum.de>; from cwe@bph.ruhr-uni-bochum.de on Thu, Mar 28, 2002 at 12:13:54PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

--uQr8t48UFsdbeI+V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

> are you member of the wheel group?!?

It has nothing to do with the wheel group.
If the user isn't in the wheel group, he'd get a "Not in the correct
group to su root" error.

The problem is probably the lack of a suid bit.

Regards,

Bart

-- 
Bart Matthaei bart@dreamflow.nl

Eat drink and be merry, for tomorrow they may make it illegal.
--uQr8t48UFsdbeI+V
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8ovwKgcc6pR+tCegRAkiEAKCdcYYpcxHdgQZBpHA0lOjJKGaimwCbBHsc
DVdPLWExpfANtdzsIl9f09o=
=FNW2
-----END PGP SIGNATURE-----

--uQr8t48UFsdbeI+V--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 28 3:21: 6 2002
Delivered-To: freebsd-security@freebsd.org
Received: from pawh.myip.org (h150n1fls32o846.telia.com [213.65.237.150]) by hub.freebsd.org (Postfix) with ESMTP id 2544737B422 for ; Thu, 28 Mar 2002 03:20:57 -0800 (PST)
Received: from localhost (pawh@localhost) by pawh.myip.org (8.11.3/8.11.1) with ESMTP id g2SBKZm50132; Thu, 28 Mar 2002 12:20:35 +0100 (CET) (envelope-from pawh_thm@swipnet.se)
X-Authentication-Warning: pawh.myip.org: pawh owned process doing -bs
Date: Thu, 28 Mar 2002 12:20:34 +0100 (CET)
From: Peter Hagström
X-X-Sender:
To: Erik Trulsson
Cc: "Radzivilyuk V.O." ,
Subject: Re: can't su to root
In-Reply-To: <20020328111624.GA10686@student.uu.se>
Message-ID: <20020328121812.F50054-100000@pawh.myip.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

No! It's not a problem with the group... when it is, su will return:
you are not in the correct group to su root.

On Thu, 28 Mar 2002, Erik Trulsson wrote:

> On Thu, Mar 28, 2002 at 01:08:42PM +0200, Radzivilyuk V.O. wrote:
> > hi.
> >
> > Have FreeBSD 4.3.release
> > Can't su to root.
> > Sure type right password.
> > $su
> > Password:
> > Sorry
> > $
> >
> > Accept only if login as root.
> > Reinstall binary & kernel source
> > + reboot, config -r CORE, make depend, make, make install, reboot
> > Have still the same.
> >
> > Help understand the reason.
>
> You must be a member of the wheel group to be able to su to root.
> You can check what groups you belong to with the groups(1) command.
>
>
> --
>
> Erik Trulsson
> ertr1013@student.uu.se
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 28 3:28:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from yoda.bph.ruhr-uni-bochum.de (yoda.bph.ruhr-uni-bochum.de [134.147.196.7]) by hub.freebsd.org (Postfix) with ESMTP id 4546537B416 for ; Thu, 28 Mar 2002 03:28:25 -0800 (PST)
Received: from bph.ruhr-uni-bochum.de (gonzo [134.147.196.22]) by yoda.bph.ruhr-uni-bochum.de (8.8.8/8.8.8) with ESMTP id MAA11268; Thu, 28 Mar 2002 12:27:45 +0100
Message-ID: <3CA2FE13.190412F1@bph.ruhr-uni-bochum.de>
Date: Thu, 28 Mar 2002 12:27:16 +0100
From: Christoph Wegener
Organization: Ruhr-Universitaet Bochum - Lehrstuhl fuer Biophysik
X-Mailer: Mozilla 4.76 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Bart Matthaei
Cc: radzivilyuk@itt.net.ua, freebsd-security@FreeBSD.ORG
Subject: Re: can't su to root
References: <3CA2FAF1.AC8B20B0@bph.ruhr-uni-bochum.de> <20020328121834.S75406@heresy.dreamflow.nl>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

YES, you are right - I unfortunately read too quickly and missed his error
message - SORRY if I gave a wrong hint...

Thanx for the correction...

Christoph

Bart Matthaei wrote:
>
> > are you member of the wheel group?!?
> > Hasn't to do anything with the wheel group. > If the user isn't in the wheel group, he'd get a "Not in the correct > group to su root"-error. > > The problem is probably the lack of a suid-bit. > > Regards, > > Bart > > -- > Bart Matthaei bart@dreamflow.nl > > Eat drink and be merry, for tomorrow they may make it illegal. > > ---------------------------------------------------------------------- > Part 1.2Type: application/pgp-signature -- .-. Ruhr-Universitaet Bochum /v\ L I N U X Lehrstuhl fuer Biophysik // \\ >Penguin Computing< c/o Christoph Wegener /( )\ Gebaeude ND 04/Nord ^^-^^ D-44780 Bochum, GERMANY Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626 mailto:cwe@bph.ruhr-uni-bochum.de http://www.bph.ruhr-uni-bochum.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 28 3:52: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from itt.net.ua (2telekom.itt.net.ua [193.109.80.249]) by hub.freebsd.org (Postfix) with ESMTP id 4414937B405 for ; Thu, 28 Mar 2002 03:51:54 -0800 (PST) Received: (from root@localhost) by itt.net.ua (8.11.6/8.11.6) id g2SBpds63198 for security@freebsd.org; Thu, 28 Mar 2002 13:51:39 +0200 (EET) Date: Thu, 28 Mar 2002 13:51:39 +0200 From: radzivilyuk@itt.net.ua (Radzivilyuk V.O.) 
To: security@freebsd.org
Message-ID:
Subject: re: can't su to root
X-Mailer: Necrosoft Outgluk Express for UNIX
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

$ls -l /usr/bin/su
-r-sr-xr-x  1 root  wheel  8168 Apr 21  2001 /usr/bin/su

for those who don't understand me -
*i am in wheel group*

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 28 4:20:39 2002
Delivered-To: freebsd-security@freebsd.org
Received: from scribble.fsn.hu (scribble.fsn.hu [193.224.40.95]) by hub.freebsd.org (Postfix) with SMTP id C41D137B404 for ; Thu, 28 Mar 2002 04:20:33 -0800 (PST)
Received: (qmail 3305 invoked by uid 1000); 28 Mar 2002 12:20:40 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 28 Mar 2002 12:20:40 -0000
Date: Thu, 28 Mar 2002 13:20:40 +0100 (CET)
From: Attila Nagy
To: Alex Holst
Cc: security@freebsd.org
Subject: Re: pf OR ipf ?
In-Reply-To: <20020328064640.GA74780@area51.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello,

> pf currently runs only on OpenBSD. Jordan Hubbard has expressed
> annoyance with the fact that there are now three filters (ipfw, ipf and
> pf) so it seems unlikely that FreeBSD is going to port it.

I'm sad to hear that. I think diversity is a good thing. With FreeBSD if
you are paranoid you can set up your firewall rules in two packet filters,
which have different codebases. So if one fails, it is unlikely that the
other will too.
I think it is good to have more than one packet filter in the kernel :)

With PF some more features could also be ported, like the bridge support.
And that would be a good thing also. --------[ Free Software ISOs - ftp://ftp.fsn.hu/pub/CDROM-Images/ ]------- Attila Nagy e-mail: Attila.Nagy@fsn.hu Free Software Network (FSN.HU) phone @work: +361 210 1415 (194) cell.: +3630 306 6758 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 28 4:40:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id C6C7E37B41C for ; Thu, 28 Mar 2002 04:40:40 -0800 (PST) Received: (qmail 64362 invoked by uid 1000); 28 Mar 2002 12:40:40 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 28 Mar 2002 12:40:40 -0000 Date: Thu, 28 Mar 2002 04:40:31 -0800 (PST) From: Jason Stone X-X-Sender: To: Subject: make world and setuid bits In-Reply-To: <20020328131303.F98036-100000@axis.tdd.lt> Message-ID: <20020328043119.V5333-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Are there make variables that can be set to prevent "make world" from installing binaries as setuid? Currently, I always run something like "find -perms -4000 | xargs chmod u-s" after doing a make world, but this seems inelegant, prone to human error, and dangerous as there's a (potentially quite long) period in which there are still many setuid binaries.... make options to allow the prevention of "setuid root", "all setuid", or "all setuid and all setgid" would be nice. -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. 
I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE8ow9IswXMWWtptckRAkZYAJ9S6Cchf5Cz8rtqAkjjYTp/GBCvdQCfbYx6 L1AGZQV/R96Shfpl9C383Fc= =NwdP -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 28 4:44:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from gamma.star.spb.ru (gamma.star.spb.ru [217.195.79.1]) by hub.freebsd.org (Postfix) with ESMTP id 4799337B416 for ; Thu, 28 Mar 2002 04:44:20 -0800 (PST) Received: from green.star.spb.ru (green.star.spb.ru [217.195.79.10]) by gamma.star.spb.ru (8.9.3/8.9.3) with ESMTP id PAA79046; Thu, 28 Mar 2002 15:43:26 +0300 (MSK) Received: from IBMKA.star.spb.ru (217.195.79.241 [217.195.79.241]) by green.star.spb.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id GY0AJDXD; Thu, 28 Mar 2002 15:43:13 +0300 Date: Thu, 28 Mar 2002 15:43:22 +0300 From: "Nickolay A. Kritsky" X-Mailer: The Bat! 
(v1.49) Personal
Reply-To: "Nickolay A.Kritsky"
X-Priority: 3 (Normal)
Message-ID: <159278930741.20020328154322@internethelp.ru>
To: radzivilyuk@itt.net.ua ((Radzivilyuk V.O.))
Cc: freebsd-security@freebsd.org
Subject: Re[2]: can't su to root
In-reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello Radzivilyuk,

Thursday, March 28, 2002, 2:51:39 PM, you wrote:

RVO> $ls -l /usr/bin/su
RVO> -r-sr-xr-x  1 root  wheel  8168 Apr 21  2001 /usr/bin/su

RVO> for that who don't understand me -
RVO> *i am in wheel group*

/usr/src/usr.bin/su/su.c is quite simple. Why don't you add some debugging
strings in there? Grepping su.c for "Sorry" you can see the only reason
for writing this string to stderr:

;---------------begin cut from su.c--------------------
	/* if target requires a password, verify it */
	if (*pwd->pw_passwd) {
#ifdef SKEY
#ifdef WHEELSU
		if (iswheelsu) {
			pwd = getpwnam(username);
		}
#endif /* WHEELSU */
		p = skey_getpass("Password:", pwd, 1);
		if (!(!strcmp(pwd->pw_passwd, skey_crypt(p, pwd->pw_passwd, pwd, 1))
#ifdef WHEELSU
		      || (iswheelsu && !strcmp(targetpass, crypt(p,targetpass)))
#endif /* WHEELSU */
		    )) {
#else
		p = getpass("Password:");
		if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) {
#endif
#ifdef KERBEROS
			if (!use_kerberos || (use_kerberos &&
			    kerberos(username, user, pwd->pw_uid, p)))
#endif
			{
				fprintf(stderr, "Sorry\n");
				syslog(LOG_AUTH|LOG_WARNING,
				    "BAD SU %s to %s%s", username, user, ontty());
				exit(1);
			}
		}
#ifdef WHEELSU
		if (iswheelsu) {
			pwd = getpwnam(user);
		}
#endif /* WHEELSU */
	}
;----------------end cut ---------------------------------

Depending on your values of WHEELSU, SKEY and KERBEROS you need to add only
2-3 debug strings. Try this. I hope it will help you. It helps me quite often.
;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 28 4:57:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from heresy.dreamflow.nl (heresy.dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 80FAF37B405 for ; Thu, 28 Mar 2002 04:57:12 -0800 (PST)
Received: (qmail 27919 invoked by uid 1000); 28 Mar 2002 12:57:43 -0000
Date: Thu, 28 Mar 2002 13:57:43 +0100
From: Bart Matthaei
To: "Radzivilyuk V.O."
Cc: freebsd-security@freebsd.org
Subject: Re: can't su to root
Message-ID: <20020328135743.T75406@heresy.dreamflow.nl>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="mvpLiMfbWzRoNl4x"
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: ; from radzivilyuk@itt.net.ua on Thu, Mar 28, 2002 at 01:51:39PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

--mvpLiMfbWzRoNl4x
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Mar 28, 2002 at 01:51:39PM +0200, Radzivilyuk V.O. wrote:
>
> $ls -l /usr/bin/su
> -r-sr-xr-x  1 root  wheel  8168 Apr 21  2001 /usr/bin/su
>
> for that who don't understand me -
> *i am in wheel group*

It's a longshot, but make sure /usr isn't mounted with the nosuid option.
(use mount to check this)

Regards,

Bart

-- 
Bart Matthaei bart@dreamflow.nl

Eat drink and be merry, for tomorrow they may make it illegal.
--mvpLiMfbWzRoNl4x Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8oxNHgcc6pR+tCegRAoQ9AJsG/L4m3m3uqL+sHun3P40sJ9sjiQCffMTK hmu0bbiweguGxvMn/1McDFQ= =YXyQ -----END PGP SIGNATURE----- --mvpLiMfbWzRoNl4x-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 28 5: 4:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from chaos.evolve.za.net (chaos.evolve.za.net [196.34.172.107]) by hub.freebsd.org (Postfix) with ESMTP id BAFCF37B41A for ; Thu, 28 Mar 2002 05:04:18 -0800 (PST) Received: from [192.168.0.56] (helo=DAVE) by chaos.evolve.za.net with smtp (Exim 3.34 #1) id 16qZYx-000Owd-00; Thu, 28 Mar 2002 15:03:32 +0200 Message-ID: <005d01c1d658$e6d6fdc0$3800a8c0@DAVE> From: "Dave Raven" To: "Radzivilyuk V.O." , References: Subject: Re: can't su to root Date: Thu, 28 Mar 2002 15:02:57 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 X-Scanner: exiscan *16qZYx-000Owd-00*ibq6SatlBFo* (Opteq (www.optec.co.za)) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org check /etc/login.access Isn't that a possibility as well? Only thing I can think of. may have something like -:root:ALL Dave Raven. OpteqSec. ----- Original Message ----- From: "Radzivilyuk V.O." 
To:
Sent: Thursday, March 28, 2002 1:51 PM
Subject: re: can't su to root

>
> $ls -l /usr/bin/su
> -r-sr-xr-x  1 root  wheel  8168 Apr 21  2001 /usr/bin/su
>
> for that who don't understand me -
> *i am in wheel group*
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 28 5: 7:21 2002
Delivered-To: freebsd-security@freebsd.org
Received: from itt.net.ua (2telekom.itt.net.ua [193.109.80.249]) by hub.freebsd.org (Postfix) with ESMTP id D8B7837B404 for ; Thu, 28 Mar 2002 05:06:35 -0800 (PST)
Received: (from root@localhost) by itt.net.ua (8.11.6/8.11.6) id g2SD6MI74310 for security@freebsd.org; Thu, 28 Mar 2002 15:06:22 +0200 (EET)
Date: Thu, 28 Mar 2002 15:06:22 +0200
From: radzivilyuk@itt.net.ua (Radzivilyuk V.O.)
To: security@freebsd.org
Message-ID:
Subject: re: can't su root
X-Mailer: Necrosoft Outgluk Express for UNIX
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Once upon a time a very long ago
the Maugly set nosuid for mount on /usr.
Uptime is rise. The memory is gone.
He write the mail waiting for advise.

Thanks.
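The thread worked through three candidate causes before the nosuid mount turned out to be it: wheel membership (Christoph, Erik), the setuid bit and owner of /usr/bin/su (Domas, Bart) and the mount options of /usr (Bart). The script below is an added example written for this thread, not FreeBSD's su(1) or any poster's script, that runs those checks in the same order and names the first one that fails. The checks take their inputs as strings, so they can be run on constructed data; live_su_check() collects them from the running system and assumes FreeBSD's id(1), ls(1) and mount(8) output formats (the mount line format in the comment is an assumption based on the thread's era).

```shell
#!/bin/sh
# su_check: the checks this thread went through for "su: Sorry", in order.
# Added example for the thread, not FreeBSD's su(1) or any poster's script.
set -f   # the ls line is split unquoted below; never glob it

# su_check "GROUPS" "LS_LINE" "MOUNTOPTS"
#   GROUPS    output of `id -Gn`, space separated
#   LS_LINE   the line `ls -l /usr/bin/su` prints
#   MOUNTOPTS the parenthesised options mount(8) shows for /usr ("" if /usr
#             is not a separate filesystem)
# Prints "<cause>: <explanation>" and returns 1 at the first failing check,
# or prints "ok" and returns 0 if none of these explains the failure.
su_check() {
    groups=$1 lsline=$2 opts=$3

    # 1. group membership: su refuses non-wheel users with a different
    #    message, so "Sorry" alone already argues against this one
    case " $groups " in
        *" wheel "*) ;;
        *) echo "wheel: user is not in group wheel"; return 1 ;;
    esac

    # 2. the binary itself: mode field, 4th char 's' = setuid + owner exec;
    #    and it has to be root's, or the setuid bit gives nothing useful
    set -- $lsline
    mode=$1 owner=$3
    case $mode in
        ???s*) ;;
        *) echo "setuid: /usr/bin/su mode is $mode, setuid bit missing"; return 1 ;;
    esac
    [ "$owner" = root ] || { echo "owner: /usr/bin/su is owned by $owner, not root"; return 1; }

    # 3. the mount: with nosuid the kernel ignores the setuid bit, su runs
    #    as the caller and cannot read root's password hash, hence "Sorry"
    case ",$(printf '%s' "$opts" | tr -d ' ')," in
        *,nosuid,*) echo "nosuid: /usr is mounted nosuid, setuid bit on su is ignored"; return 1 ;;
    esac

    echo ok
}

# Gather live inputs. mount(8) on FreeBSD prints lines of the form
#   /dev/ad0s1f on /usr (ufs, local, nosuid, soft-updates)
# (constructed sample line; the device name is an assumption).
live_su_check() {
    su_check "$(id -Gn)" \
             "$(ls -l /usr/bin/su)" \
             "$(mount | sed -n 's|^.* on /usr (\(.*\))$|\1|p')"
}
```

Run `live_su_check` as the user who cannot su. Dave Raven's /etc/login.access suggestion is not covered by the script; if all three checks print "ok", reading that file by hand is the next step the thread offers.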
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 28 5:12:44 2002
Delivered-To: freebsd-security@freebsd.org
Received: from default.eng.eircom.net (default.eng.eircom.net [159.134.242.160]) by hub.freebsd.org (Postfix) with ESMTP id 8410D37B405 for ; Thu, 28 Mar 2002 05:12:38 -0800 (PST)
Received: from default.eng.eircom.net (localhost [127.0.0.1]) by default.eng.eircom.net (8.12.2/8.12.2) with ESMTP id g2SDCanE030560 for ; Thu, 28 Mar 2002 13:12:36 GMT
Received: (from ryand@localhost) by default.eng.eircom.net (8.12.2/8.12.2/Submit) id g2SDCaWn027414 for security@freebsd.org; Thu, 28 Mar 2002 13:12:36 GMT
Date: Thu, 28 Mar 2002 13:12:36 +0000
From: Dave Ryan
To: security@freebsd.org
Subject: Re: pf OR ipf ?
Message-ID: <20020328131236.GB30961@default.eircom.net>
References: <20020328064640.GA74780@area51.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.27i
Organization: Eircom CIRT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Attila Nagy said the following on Thu, Mar 28, 2002 at 01:20:40PM +0100,
> > pf currently runs only on OpenBSD. Jordan Hubbard has expressed
> > annoyance with the fact that there are now three filters (ipfw, ipf and
> > pf) so it seems unlikely that FreeBSD is going to port it.
> I'm sad to hear that. I think diversity is a good thing. With FreeBSD if
> you are paranoid you can set up your firewall rules in two packet filters,
> which has a different codebase. So if one fails, it is unlikely that the
> other will too.
> I think it is good to have more than one packet filter in the kernel :)

Sure, it's always a good thing to add more code to your kernel.
I would focus on bringing assurance to the existing code as opposed to
porting in something else to perform the same function.

> With PF some more features could be also ported, like the bridge support.
> And that would be a good thing also.

I fail to see the relevance in discussing PF on a FreeBSD mailing list;
if you have suggestions, sign on to tech or misc.

What is so wrong with ipfw that there needs to be another packet filter
brought under FreeBSD? I'm glad I have the option of pf on OpenBSD now, but
I can't see a good reason to import it for the sake of yet another packet
filter.

I personally choose ipfw when running FreeBSD and I am very very happy with
pf under OpenBSD.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 28 6:31:29 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 4779237B405 for ; Thu, 28 Mar 2002 06:31:25 -0800 (PST)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id HAA20380 for ; Thu, 28 Mar 2002 07:31:18 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020328072932.03228b20@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 28 Mar 2002 07:31:03 -0700
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Is FreeBSD susceptible to this vulnerability?
Apparently, several UNIX-like operating systems can be penetrated via
XDMCP/UDP; see

http://www.procheckup.com/security_info/vuln_pr0208.html

Is FreeBSD vulnerable? What about the other BSDs?

--Brett Glass

From owner-freebsd-security Thu Mar 28 06:54:15 2002
From: Mike Silbersack
To: Attila Nagy
Cc: Alex Holst
Date: Thu, 28 Mar 2002 14:52:24 -0600 (CST)
Subject: Re: pf OR ipf ?
Message-ID: <20020328144718.L24744-100000@patrocles.silby.com>

On Thu, 28 Mar 2002, Attila Nagy wrote:

> Hello,
>
> > pf currently runs only on OpenBSD. Jordan Hubbard has expressed
> > annoyance with the fact that there are now three filters (ipfw, ipf and
> > pf) so it seems unlikely that FreeBSD is going to port it.
> I'm sad to hear that. I think diversity is a good thing. With FreeBSD if
> you are paranoid you can set up your firewall rules in two packet filters,
> each of which has a different codebase. So if one fails, it is unlikely
> that the other will too.
> I think it is good to have more than one packet filter in the kernel :)
>
> With PF some more features could also be ported, like the bridge support.
> And that would be a good thing also.
>
> --------[ Free Software ISOs - ftp://ftp.fsn.hu/pub/CDROM-Images/ ]-------
> Attila Nagy                                   e-mail: Attila.Nagy@fsn.hu
> Free Software Network (FSN.HU)           phone @work: +361 210 1415 (194)

The primary reason that pf (and iptables, and Microsoft's win32 layer) have
not been ported to FreeBSD is lack of developer time. If you believe that PF
would be a good thing, go ahead and port it over. If the code was
unobtrusive, I'm sure it would make it into the tree.

Mike "Silby" Silbersack

From owner-freebsd-security Thu Mar 28 06:58:26 2002
From: David Pick
To: Brett Glass
Cc: security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 14:58:11 +0000
Subject: Re: Is FreeBSD susceptible to this vulnerability?
In-reply-to: Your message of "Thu, 28 Mar 2002 07:31:03 MST."
    <4.3.2.7.2.20020328072932.03228b20@nospam.lariat.org>

> Apparently, several UNIX-like operating systems can be penetrated via
> XDMCP/UDP; see
>
> http://www.procheckup.com/security_info/vuln_pr0208.html
>
> Is FreeBSD vulnerable? What about the other BSDs?

(All the following is from reading the notice and having used XDM myself in
the past; not from reading the code...)

The notice says it's an "information leakage" vulnerability that can leak
information useful for otherwise unrelated brute-force attacks.

It's also more a matter of the default configurations for the XDMCP daemon
rather than the code of the daemon.

The FreeBSD default configuration *is* vulnerable but doesn't gratuitously
leak information (for example by providing lists of valid users). So it's no
more or less vulnerable than having an open listening "telnet" service. Or
an open "finger" service. However, the notice is worthwhile because it
points out that such leakage can happen via services that use UDP as well
as services using TCP.

--
David Pick

From owner-freebsd-security Thu Mar 28 07:00:39 2002
From: Cy Schubert - CITS Open Systems Group
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Is FreeBSD susceptible to this vulnerability?
Message-Id: <200203281459.g2SEx3p66464@cwsys.cwsent.com>
In-Reply-To: Message from Brett Glass of "Thu, 28 Mar 2002 07:31:03 MST."
    <4.3.2.7.2.20020328072932.03228b20@nospam.lariat.org>
Date: Thu, 28 Mar 2002 06:58:33 -0800

In message <4.3.2.7.2.20020328072932.03228b20@nospam.lariat.org>, Brett Glass
writes:
> Apparently, several UNIX-like operating systems can be penetrated via
> XDMCP/UDP; see
>
> http://www.procheckup.com/security_info/vuln_pr0208.html
>
> Is FreeBSD vulnerable? What about the other BSDs?

This is not specifically a *BSD problem. Looking at the default Xaccess that
is shipped with the XFree86-4 port, this is not a problem for this
particular port.

Regards,                          Phone:  (250)387-8437
Cy Schubert                         Fax:  (250)387-5766
Team Leader, Sun/Alpha Team       Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, CITS
Ministry of Management Services
Province of BC
                           FreeBSD UNIX:  cy@FreeBSD.org

From owner-freebsd-security Thu Mar 28 07:03:09 2002
From: "Karsten W. Rohrbach"
To: Brett Glass
Cc: security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 16:03:17 +0100
Subject: Re: Is FreeBSD susceptible to this vulnerability?
Message-ID: <20020328160317.A62125@mail.webmonster.de>
In-Reply-To: <4.3.2.7.2.20020328072932.03228b20@nospam.lariat.org>

Brett Glass(brett@lariat.org)@2002.03.28 07:31:03 +0000:
> Apparently, several UNIX-like operating systems can be penetrated via
> XDMCP/UDP; see
>
> http://www.procheckup.com/security_info/vuln_pr0208.html

after reading the article, i must say that the statement is lacking the word
"potential" for the generic unix/X11 systems.

> Is FreeBSD vulnerable? What about the other BSDs?

sure, in some way every badly configured [xgkw]dm is vulnerable to logins
over the network. that is what xdmcp is for. the question is whether it
makes sense to enable the face-chooser, the system menu in [gkw]dm or other
fancy features. if they are enabled, it is also a matter of configuration
detail whether the feature requires a password or not.

afaik, xdm and wdm were _not_ allowing xdmcp connections by default, but
this may have changed in the last months, so don't take my answer as
authoritative ;-)

generally speaking, xdmcp should be disabled in the default install (and it
was disabled in all past distributions/ports i had my hands on).

for corporate network administrators, it might be a valuable hint to check
their firewall setups, whether they allow xdmcp/x11 connections across their
firewalls. xdmcp is port 177 tcp/udp and the remote x11 protocol is
allocated ports 6000 .. 6063 tcp/udp.

regards,
/k

--
> UNiX *IS* user friendly. It's just selective about who its friends are.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists.
From owner-freebsd-security Thu Mar 28 07:03:21 2002
From: Eric Anderson
To: David Pick
Cc: Brett Glass, security@freebsd.org
Date: Thu, 28 Mar 2002 09:03:01 -0600
Subject: Re: Is FreeBSD susceptible to this vulnerability?
Message-ID: <3CA330A5.463E4595@centtech.com>

In /etc/X11/xdm/Xaccess:

#*              #any host can get a login window

So I think the default install is ok..

Eric

David Pick wrote:
>
> > Apparently, several UNIX-like operating systems can be penetrated via
> > XDMCP/UDP; see
> >
> > http://www.procheckup.com/security_info/vuln_pr0208.html
> >
> > Is FreeBSD vulnerable? What about the other BSDs?
>
> (All the following is from reading the notice and having used
> XDM myself in the past; not from reading the code...)
>
> The notice says it's an "information leakage" vulnerability that
> can leak information useful for otherwise unrelated brute-force
> attacks.
>
> It's also more a matter of the default configurations for the
> XDMCP daemon rather than the code of the daemon.
>
> The FreeBSD default configuration *is* vulnerable but doesn't
> gratuitously leak information (for example by providing lists
> of valid users). So it's no more or less vulnerable than having
> an open listening "telnet" service. Or an open "finger" service.
> However, the notice is worthwhile because it points out that
> such leakage can happen via services that use UDP as well as
> services using TCP.
>
> --
> David Pick

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
You have my continuous partial attention
------------------------------------------------------------------

From owner-freebsd-security Thu Mar 28 07:04:09 2002
From: "Jacques A. Vidrine"
To: Brett Glass
Cc: security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 09:03:25 -0600
Subject: Re: Is FreeBSD susceptible to this vulnerability?
Message-ID: <20020328150325.GB1421@madman.nectar.cc>
In-Reply-To: <4.3.2.7.2.20020328072932.03228b20@nospam.lariat.org>

On Thu, Mar 28, 2002 at 07:31:03AM -0700, Brett Glass wrote:
> Apparently, several UNIX-like operating systems can be penetrated via
> XDMCP/UDP; see
>
> http://www.procheckup.com/security_info/vuln_pr0208.html
>
> Is FreeBSD vulnerable? What about the other BSDs?

No, and this isn't exactly a `vulnerability'. It is an insecure default
configuration. This ``advisory'' is mostly a marketing ploy for this
ProCheckUp tool. This is an ancient issue. I really don't get their
`Comment' --- this has been an administration issue since XDMCP existed
(decades).

You can find your `Xaccess' file in /etc/X11/xdm/Xaccess or
/usr/X11R6/lib/X11/xdm/Xaccess. By default, XFree86 does not allow remote
hosts. Of course, this only applies if you are running xdm. You have to
turn xdm on yourself --- it is not on by default.

Note that wdm, gdm, and kdm have their own Xaccess files (IIRC), and these
have to be checked also if you are running them (duh).

Cheers,
--
Jacques A. Vidrine                                http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Mar 28 07:05:23 2002
From: "Jacques A. Vidrine"
To: David Pick
Cc: Brett Glass, security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 09:05:12 -0600
Subject: Re: Is FreeBSD susceptible to this vulnerability?
Message-ID: <20020328150512.GC1421@madman.nectar.cc>

On Thu, Mar 28, 2002 at 02:58:11PM +0000, David Pick wrote:
> The FreeBSD default configuration *is* vulnerable

Did I miss something? I do not believe it is. xdm is not run by default,
and the default configuration file disallows remote connections even if it
is.

Cheers,
--
Jacques A. Vidrine                                http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se

From owner-freebsd-security Thu Mar 28 07:05:55 2002
From: "Karsten W. Rohrbach"
To: Brett Glass
Cc: security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 16:05:54 +0100
Subject: Re: Is FreeBSD susceptible to this vulnerability?
Message-ID: <20020328160554.B62125@mail.webmonster.de>
In-Reply-To: <20020328160317.A62125@mail.webmonster.de>

addition:

a short check of /usr/X11R6/lib/X11/xdm/Xaccess on 4.3-R shows that xdm
allows xdmcp logins by default.

/k

--
> Sex is the poor man's opera. --G. B. Shaw

From owner-freebsd-security Thu Mar 28 07:07:38 2002
From: "Karsten W. Rohrbach"
To: Eric Anderson
Cc: security@freebsd.org
Date: Thu, 28 Mar 2002 16:07:50 +0100
Subject: Re: Is FreeBSD susceptible to this vulnerability?
Message-ID: <20020328160750.C62125@mail.webmonster.de>
In-Reply-To: <3CA330A5.463E4595@centtech.com>

Eric Anderson(anderson@centtech.com)@2002.03.28 09:03:01 +0000:
> In /etc/X11/xdm/Xaccess:
>
> #*              #any host can get a login window
>
> So I think the default install is ok..

i think that this is dependent on the "ancientness" of the xfree86
distribution installed.

/k

--
> question = ( to ) ? be : ! be; // Wm. Shakespeare

From owner-freebsd-security Thu Mar 28 07:12:58 2002
From: Cy Schubert - CITS Open Systems Group
To: David Pick
Cc: Brett Glass, security@FreeBSD.ORG
Subject: Re: Is FreeBSD susceptible to this vulnerability?
Message-Id: <200203281510.g2SFA4m66570@cwsys.cwsent.com>
In-Reply-To: Message from David Pick of "Thu, 28 Mar 2002 14:58:11 GMT."
Date: Thu, 28 Mar 2002 07:09:13 -0800

In message , David Pick writes:
> > Apparently, several UNIX-like operating systems can be penetrated via
> > XDMCP/UDP; see
> >
> > http://www.procheckup.com/security_info/vuln_pr0208.html
> >
> > Is FreeBSD vulnerable? What about the other BSDs?
>
> (All the following is from reading the notice and having used
> XDM myself in the past; not from reading the code...)
>
> The notice says it's an "information leakage" vulnerability that
> can leak information useful for otherwise unrelated brute-force
> attacks.
>
> It's also more a matter of the default configurations for the
> XDMCP daemon rather than the code of the daemon.
>
> The FreeBSD default configuration *is* vulnerable but doesn't
> gratuitously leak information (for example by providing lists
> of valid users). So it's no more or less vulnerable than having
> an open listening "telnet" service. Or an open "finger" service.
> However, the notice is worthwhile because it points out that
> such leakage can happen via services that use UDP as well as
> services using TCP.

The default FreeBSD configuration, at least in the XFree86-4 port, ships
with the following lines in Xaccess:

...
#*              #any host can get a login window
...
#*              CHOOSER BROADCAST       #any indirect host can get a chooser
...

This doesn't appear open to me (notice the lines have been commented out).

Regards,
Cy Schubert

From owner-freebsd-security Thu Mar 28 07:22:35 2002
From: "Jacques A. Vidrine"
To: "Karsten W. Rohrbach"
Cc: Brett Glass, security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 09:22:23 -0600
Subject: Re: Is FreeBSD susceptible to this vulnerability?
Message-ID: <20020328152223.GE1421@madman.nectar.cc>
In-Reply-To: <20020328160554.B62125@mail.webmonster.de>

On Thu, Mar 28, 2002 at 04:05:54PM +0100, Karsten W. Rohrbach wrote:
> addition:
>
> a short check of /usr/X11R6/lib/X11/xdm/Xaccess on 4.3-R shows that xdm
> allows xdmcp logins by default.

Yes, you are right. XFree86 3.3.6 (which shipped with 4.3, 4.4, 4.5, maybe
earlier) does have

*               #any host can get a login window
*               CHOOSER BROADCAST       #any indirect host can get a chooser

by default.

Cheers,
--
Jacques A. Vidrine                                http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Mar 28 07:42:53 2002
From: David Pick
To: security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 15:42:47 +0000
Subject: Re: Is FreeBSD susceptible to this vulnerability?
In-reply-to: Your message of "Thu, 28 Mar 2002 06:58:33 PST."
    <200203281459.g2SEx3p66464@cwsys.cwsent.com>

> This is not specifically a *BSD problem.

Very true.

> Looking at the default
> Xaccess that is shipped with the XFree86-4 port this is not a problem
> for this particular port.

The Xaccess file in the port may well be like that; the one in the
XFree86-3 distribution has the problem lines. Certainly on FreeBSD 2.2.8
and FreeBSD 4.5 (RELEASEs). Of course, "xdm" is not run by default...
--
David Pick

From owner-freebsd-security Thu Mar 28 11:23:46 2002
From: Brett Glass
To: David Pick
Cc: security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 12:22:38 -0700
Subject: Re: Is FreeBSD susceptible to this vulnerability?
Message-Id: <4.3.2.7.2.20020328121638.035b4100@nospam.lariat.org>

At 07:58 AM 3/28/2002, David Pick wrote:
>The notice says it's an "information leakage" vulnerability that
>can leak information useful for otherwise unrelated brute-force
>attacks.

True. In particular, it could facilitate brute force password guessing attacks, because it does not appear that any special measures are taken after wrong guesses. Claims that it's a "Back Orifice for UNIX" (cf. The Register) are overblown, of course.

BTW, it appears that Caldera reported and fixed this years ago. The issuers of the security notice probably dredged up the report and began to test other UNIX implementations.

--Brett

From owner-freebsd-security Thu Mar 28 12:06:18 2002
From: "Moti Levy"
Date: Thu, 28 Mar 2002 15:03:27 -0500
Subject: How can I erase my fingertips .
Message-ID: <056f01c1d694$12084400$fd6e34c6@moti>

I want to stop nmap from detecting my OS.
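Back to the xdm thread above: the two Xaccess lines Jacques quoted are the whole problem, and they are easy to check for on a box before anyone starts xdm. The script below is an added example, not code from the thread or from XFree86; it audits an Xaccess file for entries whose host pattern is a bare "*" (any host may request a login window or chooser) and rewrites such entries to a list of permitted hosts. The sample Xaccess content and the host names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit an xdm Xaccess file for entries
# that let any host request an XDMCP login window or chooser, and produce a
# copy restricted to named hosts. The sample Xaccess content is constructed
# to mirror the two default lines quoted above; the host names are made up.

# Print the non-comment entries whose host pattern is a bare "*".
# In Xaccess, "*" alone grants any host a login window, "* CHOOSER ..."
# grants any indirect host a chooser, and a leading "!" is a deny rule.
xaccess_open_entries() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '$1 == "*" { print }'
}

# Succeed (exit 0) when the file lets arbitrary hosts in.
xaccess_is_open() {
    [ -n "$(xaccess_open_entries "$1")" ]
}

# Emit a hardened copy: each "*" host pattern becomes one rule per permitted
# host; comments, blank lines and deny rules pass through unchanged.
xaccess_restrict() {
    file="$1"; shift
    awk -v hosts="$*" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        $1 == "*" {
            n = split(hosts, h, " ")
            for (i = 1; i <= n; i++) { $1 = h[i]; print }
            next
        }
        { print }
    ' "$file"
}

# Demo on a constructed file.
demo_xaccess() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed Xaccess, mirrors the XFree86 3.3.6 default quoted in the thread
*                       #any host can get a login window
*       CHOOSER BROADCAST   #any indirect host can get a chooser
!intruder.example.org   #deny rules are kept as they are
EOF
    if xaccess_is_open "$tmp"; then
        echo "OPEN: $(xaccess_open_entries "$tmp" | wc -l | tr -d ' ') entries grant access to any host"
    fi
    echo "--- restricted copy ---"
    xaccess_restrict "$tmp" lab1.example.org lab2.example.org
    rm -f "$tmp"
}

demo_xaccess
```

Point xaccess_is_open at /usr/X11R6/lib/X11/xdm/Xaccess to test a real installation; the restricted copy only matters once xdm is actually started, since, as David notes, it is not run by default.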
From owner-freebsd-security Thu Mar 28 12:12:08 2002
From: "Crist J. Clark"
To: Attila Nagy
Cc: Alex Holst, security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 12:12:00 -0800
Subject: Re: pf OR ipf ?
Message-ID: <20020328121200.C97841@blossom.cjclark.org>
References: <20020328064640.GA74780@area51.dk>

On Thu, Mar 28, 2002 at 01:20:40PM +0100, Attila Nagy wrote:
> Hello,
>
> > pf currently runs only on OpenBSD. Jordan Hubbard has expressed
> > annoyance with the fact that there are now three filters (ipfw, ipf and
> > pf) so it seems unlikely that FreeBSD is going to port it.
> I'm sad to hear that. I think diversity is a good thing. With FreeBSD if
> you are paranoid you can set up your firewall rules in two packet filters,
> which have different codebases. So if one fails, it is unlikely that the
> other will too.
> I think it is good to have more than one packet filter in the kernel :)
>
> With PF some more features could be also ported, like the bridge support.
> And that would be a good thing also.

There is nothing special about PF that makes bridge support easier. After all, there is mature bridging support for IPFilter in OpenBSD. I also recently committed a hack for IPFilter bridging support in -CURRENT. I'll put the -STABLE patches on the website listed in the headers and .sig today if anyone wants 'em.

--
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-security Thu Mar 28 12:19:02 2002
From: "Crist J. Clark"
To: Jason Stone
Cc: security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 12:18:50 -0800
Subject: Re: make world and setuid bits
Message-ID: <20020328121850.D97841@blossom.cjclark.org>
In-Reply-To: <20020328043119.V5333-100000@walter>

On Thu, Mar 28, 2002 at 04:40:31AM -0800, Jason Stone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Are there make variables that can be set to prevent "make world" from
> installing binaries as setuid? Currently, I always run something like
> "find -perm -4000 | xargs chmod u-s" after doing a make world, but this
> seems inelegant, prone to human error, and dangerous as there's a
> (potentially quite long) period in which there are still many setuid
> binaries....
>
> make options to allow the prevention of "setuid root", "all setuid",
> or "all setuid and all setgid" would be nice.

For the vast majority of users, having no setuid binaries is a really, really bad idea from a security standpoint. It forces you to do everything as root.

If this is a policy on some machine somewhere, I don't think that there is much of a window of vulnerability. During the installation of the new binaries, the system would be out of normal service. The system should be isolated from potentially hostile users.

--
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-security Thu Mar 28 12:26:22 2002
From: Alvaro Pereira
To: Moti Levy
Cc: freebsd-security@freebsd.org
Date: Thu, 28 Mar 2002 17:25:47 -0300 (BRT)
Subject: Re: How can I erase my fingertips .
Message-ID: <20020328172259.C73793-100000@cianet.cianet.ind.br>
In-Reply-To: <056f01c1d694$12084400$fd6e34c6@moti>

hi,

from /usr/src/sys/i386/conf/LINT

#
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
#
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN

I hope it is what you need.

cya
Alvaro

On Thu, 28 Mar 2002, Moti Levy wrote:
> I want to stop nmap from detecting my OS.
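Returning to the "make world and setuid bits" exchange above: the find | xargs chmod u-s pass Jason describes strips every setuid bit, including the ones su, passwd and friends need, which is exactly Crist's objection. A narrower approach, given here as an added example that is not from the thread, is to keep an approved baseline of privileged binaries and only act on what is new after a make world. The baseline format ("setuid <path>" / "setgid <path>", one per line), the function names and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): instead of stripping every setuid bit
# after make world, keep an approved baseline of privileged binaries and act
# only on what is new. The baseline format ("setuid <path>" / "setgid <path>",
# one per line) and the sample tree built by demo_setuid_audit are constructed
# for this example.

# List every setuid or setgid regular file under a root, as "kind path", sorted.
setuid_inventory() {
    {
        find "$1" -type f -perm -4000 -print | sed 's/^/setuid /'
        find "$1" -type f -perm -2000 -print | sed 's/^/setgid /'
    } | sort
}

# Entries present now but absent from the baseline (the ones to worry about).
setuid_unexpected() {
    cur=$(mktemp) || return 2
    setuid_inventory "$1" > "$cur"
    sort "$2" | comm -13 - "$cur"
    rm -f "$cur"
}

# Baseline entries that no longer carry the bit (drift in the other direction).
setuid_vanished() {
    cur=$(mktemp) || return 2
    setuid_inventory "$1" > "$cur"
    sort "$2" | comm -23 - "$cur"
    rm -f "$cur"
}

# Report both directions; exit 1 when anything unexpected turned up.
setuid_diff() {
    extra=$(setuid_unexpected "$1" "$2")
    gone=$(setuid_vanished "$1" "$2")
    [ -n "$extra" ] && printf '%s\n' "$extra" | sed 's/^/+ /'
    [ -n "$gone" ] && printf '%s\n' "$gone" | sed 's/^/- /'
    [ -z "$extra" ]
}

# Clear the bit only on unexpected entries; everything in the baseline keeps it.
setuid_strip_unexpected() {
    setuid_unexpected "$1" "$2" | while read -r kind path; do
        case $kind in
            setuid) chmod u-s "$path" ;;
            setgid) chmod g-s "$path" ;;
        esac
        echo "stripped $kind bit from $path"
    done
}

# Demo on a constructed tree: two expected privileged files, one stray one,
# and one baseline entry that no longer exists.
demo_setuid_audit() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/usr/sbin"
    : > "$root/bin/su"; : > "$root/bin/stray"; : > "$root/usr/sbin/sg"
    chmod u+s "$root/bin/su" "$root/bin/stray"
    chmod g+s "$root/usr/sbin/sg"
    printf 'setuid %s/bin/su\nsetgid %s/usr/sbin/sg\nsetuid %s/bin/removed\n' \
        "$root" "$root" "$root" > "$root/baseline"
    setuid_diff "$root" "$root/baseline" || echo "unexpected privileged files found"
    setuid_strip_unexpected "$root" "$root/baseline"
    setuid_diff "$root" "$root/baseline" && echo "clean now (only the vanished entry remains)"
    rm -rf "$root"
}

demo_setuid_audit
```

On a real system the baseline is generated once from a trusted install (setuid_inventory / > /root/setuid.baseline), reviewed by hand, and re-checked with setuid_diff after every make world or package install; the strip step then touches only the newcomers.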
From owner-freebsd-security Thu Mar 28 12:35:15 2002
From: Jon DeShirley
To: Moti Levy
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 12:33:03 -0800 (PST)
Subject: Re: How can I erase my fingertips .
Message-Id: <200203282033.MAA22879@harrier.csrv.uidaho.edu>
In-Reply-To: <056f01c1d694$12084400$fd6e34c6@moti>

On 28 Mar, Moti Levy wrote:
> I want to stop nmap from detecting my OS.

If you use ipfilter, use this rule:

block in quick on xl0 proto tcp all flags FUP

Also, to be truly sure:

block in quick all with ipopts
block in quick all with short
block in quick all with frag

And in your kernel (if you've read the caveats in LINT):

options TCP_DROP_SYNFIN

These should do a reasonably good job of hiding you from NMAP scans. Of course, these don't really hide you from passive OS fingerprinting with tools like Siphon, but that's another matter entirely.

--jon

From owner-freebsd-security Thu Mar 28 12:40:01 2002
From: Bjoern Engels
To: freebsd-security@freebsd.org, Moti Levy
Date: Thu, 28 Mar 2002 21:39:51 +0100
Subject: Re: How can I erase my fingertips .
In-Reply-To: <20020328172259.C73793-100000@cianet.cianet.ind.br>

On Thursday, 28. March 2002 21:25, Alvaro Pereira wrote:
> On Thu, 28 Mar 2002, Moti Levy wrote:
> > I want to stop nmap from detecting my OS.
> from /usr/src/sys/i386/conf/LINT
>
> #
> # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> # for RFC1644 extensions and is not recommended for web servers.
> #
> options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN

Additionally, add

# RANDOM_IP_ID causes the ID field in IP packets to be randomized
options RANDOM_IP_ID

and change the default TTL.

Bjoern

--
"The number of Unix installations has grown to ten, with more expected"
-- The Unix programmers handbook, 1972

From owner-freebsd-security Thu Mar 28 12:55:46 2002
From: kerberus
To: "Crist J. Clark"
Cc: Attila Nagy, Alex Holst, security@FreeBSD.ORG
Date: 28 Mar 2002 15:54:37 -0500
Subject: Re: pf OR ipf ?
Message-Id: <1017348877.4218.49.camel@vaio.microbsd.net>
In-Reply-To: <20020328121200.C97841@blossom.cjclark.org>

I'll take 'em. I've been waiting for ipfilter bridging code for FreeBSD for ages!!

> There is nothing special about PF that makes bridge support
> easier. After all, there is mature bridging support for IPFilter in
> OpenBSD. I also recently committed a hack for IPFilter bridging
> support in -CURRENT. I'll put the -STABLE patches on the website
> listed in the headers and .sig today if anyone wants 'em.
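Pulling the "How can I erase my fingertips" replies above together: Alvaro, Jon and Bjoern between them name three kernel-side measures (TCP_DROP_SYNFIN, RANDOM_IP_ID, a non-default TTL) and one IPFilter ruleset. The script below is an added example, not from the thread, that checks a kernel config and a sysctl dump for those measures and emits Jon's rules for a given interface. Assumptions, stated as such: the sysctl names net.inet.tcp.drop_synfin (only present when the kernel was built with TCP_DROP_SYNFIN, and set to 1 by tcp_drop_synfin="YES" in rc.conf on FreeBSD 4.x) and net.inet.ip.ttl; the kernel config excerpt and sysctl output in the demo are constructed samples, and xl0 is Jon's interface name.

```shell
#!/bin/sh
# Added example (not from the thread): check the three anti-fingerprinting
# measures named in the thread and emit the matching IPFilter rules.
#   1. kernel built with TCP_DROP_SYNFIN (and the sysctl it exposes turned on),
#   2. kernel built with RANDOM_IP_ID,
#   3. IP TTL changed away from the stock 64.
# Assumptions: the sysctl names net.inet.tcp.drop_synfin and net.inet.ip.ttl
# (FreeBSD 4.x; drop_synfin only appears when the kernel has TCP_DROP_SYNFIN).
# The kernel config and sysctl text in demo_fingerprint_audit are constructed.

# Print each required kernel option that the config file lacks; exit 1 if any.
kernconf_missing_options() {
    missing=0
    for opt in TCP_DROP_SYNFIN RANDOM_IP_ID; do
        # only an active "options FOO" line counts; "#options FOO" is still off
        if ! grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|$)" "$1"; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# Read sysctl output ("name: value" lines) on stdin; print one finding per line.
sysctl_fingerprint_findings() {
    awk -F': *' '
        $1 == "net.inet.tcp.drop_synfin" {
            seen = 1
            if ($2 + 0 == 1) print "OK drop_synfin=1"
            else print "WEAK drop_synfin=" $2 " (set tcp_drop_synfin=\"YES\" in rc.conf)"
        }
        $1 == "net.inet.ip.ttl" {
            if ($2 + 0 == 64) print "WEAK ttl=64 (stock value; nmap matches on it)"
            else print "OK ttl=" $2
        }
        END { if (!seen) print "MISSING drop_synfin sysctl (kernel built without TCP_DROP_SYNFIN)" }
    '
}

# The IPFilter rules from Jon's reply, parameterised on the outside interface.
ipf_antifingerprint_rules() {
    cat <<EOF
# drop nmap's FIN+URG+PUSH probe arriving on $1
block in quick on $1 proto tcp all flags FUP
# drop the malformed and fragmented probes used to tell stacks apart
block in quick all with ipopts
block in quick all with short
block in quick all with frag
EOF
}

# Run all checks: kernel config file, sysctl output file, outside interface.
audit_fingerprint_hardening() {
    kernconf_missing_options "$1" | sed 's/^/MISSING kernel option /'
    sysctl_fingerprint_findings < "$2"
    echo "--- ipf rules to load for $3 ---"
    ipf_antifingerprint_rules "$3"
}

demo_fingerprint_audit() {
    d=$(mktemp -d) || return 1
    cat > "$d/KERNEL" <<'EOF'
# constructed kernel config excerpt
options         INET
options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
#options        RANDOM_IP_ID            # forgotten: still commented out
EOF
    cat > "$d/sysctl.txt" <<'EOF'
net.inet.tcp.drop_synfin: 0
net.inet.ip.ttl: 64
EOF
    audit_fingerprint_hardening "$d/KERNEL" "$d/sysctl.txt" xl0
    rm -rf "$d"
}

demo_fingerprint_audit
```

On a live box feed it the real kernel config and the output of sysctl net.inet.tcp.drop_synfin net.inet.ip.ttl. Jon's caveat still applies: none of this hides the host from passive fingerprinting of traffic it sends on its own.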
From owner-freebsd-security Thu Mar 28 13:31:17 2002
From: "Jesper Wallin"
Date: Thu, 28 Mar 2002 22:29:36 +0100 (CET)
Subject: SSH or Telnet?
Message-ID: <2823.213.112.58.135.1017350976.squirrel@phucking.kicks-ass.org>

Hey!

I've heard and seen a lot of security problems related to SSH (OpenSSH) and many of my friends have been playing with a lot of 0day exploits for it.. Right now I'm running the latest port version of it on a non-standard port and hope to be secured with it.. I don't actually see the reason to not use Telnet.. All I know tells me it's old and recommends me running OpenSSH instead..

What is the best solution? Of course people are able to attack me with brute-force attacks and it's not encrypted.. well, all the people who've shell/ssh access are trusted and I think they know what they do..

Anyone have any idea/suggestion?
//Jesper aka Z3l3zT

From owner-freebsd-security Thu Mar 28 13:33:35 2002
From: "Adam"
Date: Thu, 28 Mar 2002 16:33:23 -0500
Subject: Re: SSH or Telnet?
Message-ID: <000501c1d6a0$30b95bd0$126cfea9@a4ibmrrll9362k>
References: <2823.213.112.58.135.1017350976.squirrel@phucking.kicks-ass.org>

I would highly suggest that you use telnet. As long as you keep it updated and patched you shouldn't have any problems with it..

Adam
EcommIS.net
"Designing Your Future"

----- Original Message -----
From: "Jesper Wallin"
Sent: Thursday, March 28, 2002 4:29 PM
Subject: SSH or Telnet?

> Hey!
>
> I've heard and seen a lot of security problems related to SSH (OpenSSH) and
> many of my friends have been playing with a lot of 0day exploits for it..
> Right now I'm running the latest port version of it on a non-standard port
> and hope to be secured with it.. I don't actually see the reason to not use
> Telnet.. All I know tells me it's old and recommends me running OpenSSH
> instead..
>
> What is the best solution? Of course people are able to attack me with
> brute-force attacks and it's not encrypted.. well, all the people who've
> shell/ssh access are trusted and I think they know what they do..
>
> Anyone have any idea/suggestion?
>
> //Jesper aka Z3l3zT

From owner-freebsd-security Thu Mar 28 13:36:09 2002
From: kerberus
To: Jesper Wallin
Cc: security@freebsd.org
Date: 28 Mar 2002 16:34:58 -0500
Subject: Re: SSH or Telnet?
Message-Id: <1017351299.4219.59.camel@vaio.microbsd.net>
In-Reply-To: <2823.213.112.58.135.1017350976.squirrel@phucking.kicks-ass.org>

Does the term "clear text passwords" for telnet put fear into the thought of using it???
Everything ssh does is encrypted; you can't sniff the usernames/passwords in ssh.

> I've heard and seen a lot of security problems related to SSH (OpenSSH) and
> many of my friends have been playing with a lot of 0day exploits for it..
> Right now I'm running the latest port version of it on a non-standard port
> and hope to be secured with it.. I don't actually see the reason to not use
> Telnet.. All I know tells me it's old and recommends me running OpenSSH
> instead..
>
> What is the best solution? Of course people are able to attack me with
> brute-force attacks and it's not encrypted.. well, all the people who've
> shell/ssh access are trusted and I think they know what they do..
>
> Anyone have any idea/suggestion?
>
> //Jesper aka Z3l3zT

From owner-freebsd-security Thu Mar 28 13:39:51 2002
Subject: Re: SSH or Telnet?
From: kerberus
To: Adam
Cc: security@freebsd.org
Date: 28 Mar 2002 16:38:47 -0500
Message-Id: <1017351528.4217.64.camel@vaio.microbsd.net>
In-Reply-To: <000501c1d6a0$30b95bd0$126cfea9@a4ibmrrll9362k>

Am I actually reading this on a security list of all places???? Are you actually suggesting the user use something that sends data over the wire such as the username and password in clear text, usable?? Doesn't the thought of this scare you??? You telnet to a remote system, someone between you and the remote system, say at your ISP, is sniffing the wire for whatever reason, as you're logging into the remote box, and guess what, now they have your access to that same box. Don't use telnet, it is very insecure, use ssh where everything is encrypted!!

On Thu, 2002-03-28 at 16:33, Adam wrote:
> I would highly suggest that you use telnet. As long as you keep it updated
> and patched you shouldn't have any problems with it..
>
> Adam
> EcommIS.net
> "Designing Your Future"

From owner-freebsd-security Thu Mar 28 13:42:18 2002
From: "Adam"
To: "kerberus"
Date: Thu, 28 Mar 2002 16:42:01 -0500
Subject: Re: SSH or Telnet?
Message-ID: <004801c1d6a1$656cc370$126cfea9@a4ibmrrll9362k>
In-Reply-To: <1017351528.4217.64.camel@vaio.microbsd.net>

LOL.. Sorry 'bout that, my mistake. I meant to say SSH.

Adam
EcommIS.net
"Designing Your Future"

----- Original Message -----
From: "kerberus"
To: "Adam"
Sent: Thursday, March 28, 2002 4:38 PM
Subject: Re: SSH or Telnet?

> Am I actually reading this on a security list of all places???? Are you
> actually suggesting the user use something that sends data over the wire
> such as the username and password in clear text, usable?? Doesn't the
> thought of this scare you???
> You telnet to a remote system, someone
> between you and the remote system, say at your ISP, is sniffing the wire for
> whatever reason, as you're logging into the remote box, and guess what,
> now they have your access to that same box. Don't use telnet, it is very
> insecure, use ssh where everything is encrypted!!
>
> On Thu, 2002-03-28 at 16:33, Adam wrote:
> > I would highly suggest that you use telnet. As long as you keep it updated
> > and patched you shouldn't have any problems with it..
> >
> > Adam
> > EcommIS.net
> > "Designing Your Future"

From owner-freebsd-security Thu Mar 28 13:44:22 2002
From: "Asenchi"
To: "kerberus", "Adam"
Date: Thu, 28 Mar 2002 16:44:08 -0500
Subject: RE: SSH or Telnet?
In-Reply-To: <1017351528.4217.64.camel@vaio.microbsd.net>

I am a little surprised by this as well.
Encrypted passwords to me would mean at least a little more secure than clear text passwords. Anything that can be sniffed as easily as telnet should not be used.

wow, now i have seen everything! :)

asenchi

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of kerberus
Sent: Thursday, March 28, 2002 4:39 PM
To: Adam
Cc: security@FreeBSD.ORG
Subject: Re: SSH or Telnet?

Am I actually reading this on a security list of all places???? Are you actually suggesting the user use something that sends data over the wire such as the username and password in clear text, usable?? Doesn't the thought of this scare you??? You telnet to a remote system, someone between you and the remote system, say at your ISP, is sniffing the wire for whatever reason, as you're logging into the remote box, and guess what, now they have your access to that same box. Don't use telnet, it is very insecure, use ssh where everything is encrypted!!

On Thu, 2002-03-28 at 16:33, Adam wrote:
> I would highly suggest that you use telnet. As long as you keep it updated
> and patched you shouldn't have any problems with it..
>
> Adam
> EcommIS.net
> "Designing Your Future"

From owner-freebsd-security Thu Mar 28 13:46:26 2002
From: "Adam"
To: "Asenchi"
Date: Thu, 28 Mar 2002 16:46:08 -0500
Subject: Re: SSH or Telnet?
Message-ID: <005a01c1d6a1$f84b2ec0$126cfea9@a4ibmrrll9362k>

It was a simple mistake.. I use SSH on all my machines.. Got mixed up between words while reading through it..

Adam
EcommIS.net
"Designing Your Future"

----- Original Message -----
From: "Asenchi"
To: "kerberus"; "Adam"
Sent: Thursday, March 28, 2002 4:44 PM
Subject: RE: SSH or Telnet?

> I am a little surprised by this as well. Encrypted passwords to me would
> mean at least a little more secure than clear text passwords. Anything that
> can be sniffed as easily as telnet should not be used.
>
> wow, now i have seen everything!
> :)
>
> asenchi
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of kerberus
> Sent: Thursday, March 28, 2002 4:39 PM
> To: Adam
> Cc: security@FreeBSD.ORG
> Subject: Re: SSH or Telnet?
>
> Am I actually reading this on a security list of all places???? Are you
> actually suggesting the user use something that sends data over the wire
> such as the username and password in clear text, usable?? Doesn't the
> thought of this scare you??? You telnet to a remote system, someone
> between you and the remote system, say at your ISP, is sniffing the wire for
> whatever reason, as you're logging into the remote box, and guess what,
> now they have your access to that same box. Don't use telnet, it is very
> insecure, use ssh where everything is encrypted!!
>
> On Thu, 2002-03-28 at 16:33, Adam wrote:
> > I would highly suggest that you use telnet. As long as you keep it updated
> > and patched you shouldn't have any problems with it..
> > > > Adam > > EcommIS.net > > "Designing Your Future" > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 28 13:46:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmanagementsolutions.net (cpu1058.adsl.bellglobal.com [207.236.110.39]) by hub.freebsd.org (Postfix) with SMTP id 5FCE337B404 for ; Thu, 28 Mar 2002 13:46:34 -0800 (PST) Received: (qmail 7608 invoked from network); 28 Mar 2002 21:49:26 -0000 Received: from unknown (HELO LAPTOP.webmanagementsolutions.net) (bacid@90.0.0.10) by cpu1058.adsl.bellglobal.com with SMTP; 28 Mar 2002 21:49:26 -0000 Message-Id: <5.0.2.1.0.20020328164609.00b7f058@mail.webmanagementsolutions.net> X-Sender: wcwmgmt@mail.webmanagementsolutions.net X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Thu, 28 Mar 2002 16:46:29 -0500 To: From: Will Chan - Web Management Solutions Subject: Re: SSH or Telnet? In-Reply-To: <000501c1d6a0$30b95bd0$126cfea9@a4ibmrrll9362k> References: <2823.213.112.58.135.1017350976.squirrel@phucking.kicks-ass.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 04:33 PM 28/03/2002 -0500, Adam wrote: >I would highly suggest that you use telnet. As long as you keep it updated >and patched you shouldnt have any problems with it.. 
>
>Adam
>EcommIS.net
>"Designing Your Future"

I hope you are being sarcastic :)

***********************************************************************************
William Chan
UNIX Systems Administrator
Web Management Solutions - http://www.webmanagementsolutions.net
Based in Ottawa, ON, CANADA -- The city that's too damn cold !
***********************************************************************************

From owner-freebsd-security Thu Mar 28 13:48:13 2002
From: Christopher Schulte
To: "Jesper Wallin"
Subject: Re: SSH or Telnet?
Date: Thu, 28 Mar 2002 15:45:51 -0600
Message-ID: <5.1.0.14.0.20020328153833.04cd4438@pop3s.schulte.org>
In-Reply-To: <2823.213.112.58.135.1017350976.squirrel@phucking.kicks-ass.org>

At 10:29 PM 3/28/2002 +0100, Jesper Wallin wrote:
>Hey!
>
>
>I've heard and seen a lot of security problems related to SSH (OpenSSH) and
>many of my friends have been playing with a lot of 0day exploits for it..
>Right now I'm running the latest port version of it on a non-standard port
>and hope to be secured with it.. I don't actually see the reason to not use
>Telnet.. All I know tells me it's old and recommend me running OpenSSH
>instead..

Like any piece of software attached to a public network port, there are risks of bugs being discovered that can lead to problems. SSHD is not the only network service to have problems. There have been semi-recent telnetd problems, too. Switching to telnet would not make your systems any more secure. In fact the loss of encryption would only decrease security/privacy.

Running the service on a non standard port may fool some kid-scannerz, but you cannot rely on this for any added security.

>What is the best solution? Of course people are able to attack me with
>brute-force attacks and it's not encrypted.. well, all the people who've
>shell/ssh access are trusted and I think they know what they do..

Your users may be trusted, but someone who snoops username/password pairs in transit might not be.

>Anyone have any idea/suggestion?

A few to start: use SSH wherever possible, packet filter the port to trusted hosts if you're overly paranoid and this is workable with your users, watch the security lists for new vulnerabilities, apply critical patches promptly, have an IDS, keep backups.

>//Jesper aka Z3l3zT

--
Christopher Schulte
http://www.schulte.org/
Do not un-munge my @nospam.schulte.org email address.
This address is valid.

From owner-freebsd-security Thu Mar 28 13:49:34 2002
From: "Asenchi"
To: "Adam"
Subject: RE: SSH or Telnet?
Date: Thu, 28 Mar 2002 16:48:44 -0500
In-Reply-To: <005a01c1d6a1$f84b2ec0$126cfea9@a4ibmrrll9362k>

oh cool. that makes sense. hey you can rely on bsd security to check you on things! :)

asenchi

-----Original Message-----
From: Adam [mailto:adamtuttle@sympatico.ca]
Sent: Thursday, March 28, 2002 4:46 PM
To: Asenchi
Cc: security@freebsd.org
Subject: Re: SSH or Telnet?

It was a simple mistake.. I use SSH on all my machines.. Got mixed up between words while reading through it..

Adam
EcommIS.net
"Designing Your Future"

----- Original Message -----
From: "Asenchi"
To: "kerberus" ; "Adam"
Sent: Thursday, March 28, 2002 4:44 PM
Subject: RE: SSH or Telnet?

> I am a little surprised by this as well. Encrypted passwords to me would
> mean at least a little more secure than clear text passwords. Anything that
> can be sniffed as easy as telnet should not be used.
>
> wow, now i have seen everything! :)
>
> asenchi
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of kerberus
> Sent: Thursday, March 28, 2002 4:39 PM
> To: Adam
> Cc: security@FreeBSD.ORG
> Subject: Re: SSH or Telnet?
>
>
> Am I actually reading this on a security list of all places ???? Are you
> actually suggesting the user use something that sends data over the wire
> such as the username, and password in clear text usable ?? Doesn't the
> thought of this scare you??? you telnet to remote system, someone
> between you and remote system, say at your ISP is sniffing the wire for
> whatever reason, as you're logging into the remote box, and guess what,
> now they have your access to that same box. Don't use telnet, it is very
> insecure, use ssh where everything is encrypted!!
>
> On Thu, 2002-03-28 at 16:33, Adam wrote:
> > I would highly suggest that you use telnet. As long as you keep it updated
> > and patched you shouldn't have any problems with it..
> >
> > Adam
> > EcommIS.net
> > "Designing Your Future"

From owner-freebsd-security Thu Mar 28 14: 2:47 2002
From: Giorgos Keramidas
To: Domas Mituzas
Cc: Jason Stone , Fernan Aguero , FreeBSD Security
Subject: Re: using ssh to run remote commands?
Date: Thu, 28 Mar 2002 22:05:09 +0200 (EET)
Message-ID: <20020328220341.D1966-100000@hades>
In-Reply-To: <20020328105535.W10792-100000@axis.tdd.lt>

On 2002-03-28 11:03, Domas Mituzas wrote:
> /* $Id: main.c,v 1.6 2001/11/03 14:33:23 midom Exp $ */
>
> #include
> #include
> #include
>
> #define MAXARGS 10
>
> #define ONLY "bin/"
>
> int
> main(int ac, char **av)
> {
>         char **ap, *argv[MAXARGS], *is;
>         /*
>          * skip first two arguments - the first gives shell name, that we
>          * know and the second gives "-c" that we also know
>          */
>         av += 2;
>         is = av[0];
>         if (ac < 2)
>                 exit(0);

* me puts paranoid hat on.

Still, you might want to make sure that these two are in fact what you expect. I'm not sure if it *can* affect the way your shells work, but it won't hurt to check :-)

Giorgos Keramidas
FreeBSD Documentation Project
keramida@{freebsd.org,ceid.upatras.gr}
http://www.FreeBSD.org/docproj/

From owner-freebsd-security Thu Mar 28 14:38:20 2002
From: "Moti Levy"
References: <20020328172259.C73793-100000@cianet.cianet.ind.br>
Subject: Re: How can I erase my fingertips .
Date: Thu, 28 Mar 2002 17:37:17 -0500
Message-ID: <000001c1d6a9$2eb649c0$fd6e34c6@moti>

Cooooool thanks Bjoern Engels

Before :

No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=2.54BETA31%P=i386-portbld-freebsd4.5%D=3/28%Time=3CA38B56%O=22%C=1)
TSeq(Class=TR%IPID=I%TS=100HZ)

After : options RANDOM_IP_ID and sysctl net.inet.ip.ttl=68 instead of 64

Remote operating system guess: AIX 4.3.2.0-4.3.3.0 on an IBM RS/*
Uptime 0.003 days (since Thu Mar 28 17:25:37 2002)
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Randomized

----- Original Message -----
From: "Bjoern Engels"
To: "Moti Levy"
Sent: Thursday, March 28, 2002 3:39 PM
Subject: Re: How can I erase my fingertips .

On Thursday, 28. March 2002 21:25, Alvaro Pereira wrote:
> On Thu, 28 Mar 2002, Moti Levy wrote:
> > I want to stop nmap from detecting my os .
> from /usr/src/sys/i386/conf/LINT
>
> #
> # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
> # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
> # for RFC1644 extensions and is not recommended for web servers.
> #
> options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
>

Additionally, add

# RANDOM_IP_ID causes the ID field in IP packets to be randomized
options RANDOM_IP_ID

and change the default TTL.

Bjoern
--
"The number of Unix installations has grown to ten, with more expected"
-- The Unix programmers handbook, 1972

From owner-freebsd-security Thu Mar 28 15:48:27 2002
From: Fernando Gleiser
To: Jesper Wallin
Subject: Re: SSH or Telnet?
Date: Thu, 28 Mar 2002 20:42:39 -0300 (ART)
Message-ID: <20020328201100.E6672-100000@cactus.fi.uba.ar>
In-Reply-To: <2823.213.112.58.135.1017350976.squirrel@phucking.kicks-ass.org>

On Thu, 28 Mar 2002, Jesper Wallin wrote:
> Hey!
>
>
> I've heard and seen a lot of security problems related to SSH (OpenSSH) and
> many of my friends have been playing with a lot of 0day exploits for it..
> Right now I'm running the latest port version of it on a non-standard port
> and hope to be secured with it.. I don't actually see the reason to not use
> Telnet.. All I know tells me it's old and recommend me running OpenSSH
> instead..

Telnet also had some remote root vulnerabilities. Every program has bugs. You need to keep them up to date and apply all the security fixes.

Also, having sshd running in a non standard port doesn't buy you much. There are scanners which try to verify which service is which port and they will find out it's ssh even if it is listening in port 31337. =0)

>
> What is the best solution? Of course people are able to attack me with
> brute-force attacks and it's not encrypted.. well, all the people who've
> shell/ssh access are trusted and I think they know what they do..

The people may be trusted, but are you sure you can trust the networks they are logging in from?

Besides sniffing, ssh protects you against other threats:

1. ssh has some protection against IP spoofing.
2. ssh has stronger authentication methods.
3. ssh protects you against session hijacking.
4. ssh lets you authenticate the server to the client.
5. ssh lets you tunnel an insecure protocol (POP, IMAP) through an encrypted connection

You can use an SSL enabled telnet or IPSec for the first four, but I find ssh easier to set up if all you need is remote login/shell/file transfer.

Fer

>
>
> Anyone have any idea/suggestion?
>
> //Jesper aka Z3l3zT

From owner-freebsd-security Thu Mar 28 16:22:55 2002
From: John Brodzniski
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: rsync mirroring question
Date: Thu, 28 Mar 2002 16:22:48 -0800 (PST)
Message-ID: <20020329002248.34086.qmail@web10606.mail.yahoo.com>
Hello,

I was thinking of using rsync for mirroring my IF firewall to a machine with the same set up and my apache server to a machine with the same setup.

I have heard that you can use ash with to send pull files via async from another machine. Is this wise? I would most likely have to open up port 873 tap on my firewall internally as I'm not sure if async can log into the machine via ash or if it needs its own port open.

The mirroring would involve my firewall config on the firewall box. All apache virtual directories, user home directories and Apache config on the web server.

Has anybody been burnt by this type of setup?

-John

From owner-freebsd-security Thu Mar 28 16:32:37 2002
From: statik@hate.cx
To: John Brodzniski
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: RE: rsync mirroring question
Date: Thu, 28 Mar 2002 17:32:01 -0700 (MST)
In-Reply-To: <20020329002248.34086.qmail@web10606.mail.yahoo.com>

you can run rsync through ssh by adding "--rsh=/path/to/ssh" (ie. rsync --rsh=/usr/bin/ssh /path/to/files user@10.10.10.10:/where/you/want/the/files) to your rsync command. then it'll run over port 22 and have all the intrinsic benefits of using ssh.

John Brodzniski forced the bits to display:
>
> Hello,
>
> I was thinking of using rsync for mirroring my IF firewall to a machine with
> the same set up and my apache server to a machine with the same setup.
>
> I have heard that you can use ash with to send pull files via async from
> another machine. Is this wise? I would most likely have to open up
> port 873 tap on my firewall internally as I'm not sure if async can log into
> the machine via ash or if it needs its own port open.
>
> The mirroring would involve my firewall config on the firewall box. All
> apache virtual directories, user home directories and Apache config on the
> web server.
>
> Has anybody been burnt by this type of setup?
>
>
> -John

::[ RFC 2795 ]:: "Democracy means simply the bludgeoning of the people by the people for the people." -Oscar Wilde
statik@hate.cx / security engineer \ "My God, it's full of stars..."
PGP fingerprint: D656 01EB 79FC 9285 F110 2AB1 D8BC B3BA BEA2 E0C5

From owner-freebsd-security Thu Mar 28 16:37:26 2002
From: clark shishido
To: statik@hate.cx
Cc: John Brodzniski , freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: rsync mirroring question
Date: Thu, 28 Mar 2002 16:37:07 -0800
Message-ID: <20020328163707.A50352@ruminary.org>
References: <20020329002248.34086.qmail@web10606.mail.yahoo.com>

On Thu, Mar 28, 2002 at 05:32:01PM -0700, statik@hate.cx wrote:
> you can run rsync through ssh by adding "--rsh=/path/to/ssh" (ie. rsync
> --rsh=/usr/bin/ssh /path/to/files user@10.10.10.10:/where/you/want/the/files) to

But everybody is using the latest patched rsync right?
It uses ssh by default now, no need to give it options like --rsh or -e

--clark

From owner-freebsd-security Thu Mar 28 16:38:29 2002
From: Jason Stone
Subject: Re: make world and setuid bits
Date: Thu, 28 Mar 2002 16:37:54 -0800 (PST)
Message-ID: <20020328161518.R5333-100000@walter>
In-Reply-To: <20020328121850.D97841@blossom.cjclark.org>

> > Are there make variables that can be set to prevent "make world" from
> > installing binaries as setuid? Currently, I always run something like
> > "find -perms -4000 | xargs chmod u-s" after doing a make world, but this
> > seems inelegant, prone to human error, and dangerous as there's a
> > (potentially quite long) period in which there are still many setuid
> > binaries....
> >
> > make options to allow the prevention of "setuid root", "all setuid",
> > or "all setuid and all setgid" would be nice.
>
> For the vast majority of users, having no setuid binaries is a really,
> really bad idea from a security standpoint. It forces you to do
> everything as root.
1) For server machines that have no non-root interactive users, the "no setuid or setgid at all" option is a very good idea.

2) Even on machines that do have interactive users, there are many environments where it's possible to turn off most of the setuid root bits - I see no reason to let users on a shared machine run ping or traceroute, rsh/rlogin should never be used at all, I can get away with not providing crontab, most servers don't have printers attached and therefore have no use for lpr, etc.

So, given that there's decidedly some utility in doing this, is there any reason to not do so?

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Thu Mar 28 16:39:25 2002
From: John Brodzniski
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: rsync mirroring question
Date: Thu, 28 Mar 2002 16:38:56 -0800 (PST)
Message-ID: <20020329003856.62825.qmail@web10607.mail.yahoo.com>

Hello,

I was thinking of using rsync for mirroring my IF firewall to a machine with the same set up and my apache server to a machine with the same setup.

I have heard that you can use ash with to send pull files via async from another machine. Is this wise? I would most likely have to open up port 873 tap on my firewall internally as I'm not sure if async can log into the machine via ash or if it needs its own port open.

The mirroring would involve my firewall config on the firewall box. All apache virtual directories, user home directories and Apache config on the web server.

Has anybody been burnt by this type of setup?

-John

From owner-freebsd-security Thu Mar 28 16:42:28 2002
From: John Brodzniski
To: clark shishido , statik@hate.cx, freebsd-question@freebsd.org, freebsd-security@freebsd.org
Cc: John Brodzniski , freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: rsync mirroring question
Date: Thu, 28 Mar 2002 16:42:13 -0800 (PST)
Message-ID: <20020329004213.24270.qmail@web10601.mail.yahoo.com>
In-Reply-To: <20020328163707.A50352@ruminary.org>
From what I read the default in version 2.5.4 is still rsh.

Also if I would want to automate this how would I send the password. Would I have to specify this in the --password-file argument?

Thanks
-John

--- clark shishido wrote:
> On Thu, Mar 28, 2002 at 05:32:01PM -0700,
> statik@hate.cx wrote:
> > you can run rsync through ssh by adding
> "--rsh=/path/to/ssh" (ie. rsync
> > --rsh=/usr/bin/ssh /path/to/files
> user@10.10.10.10:/where/you/want/the/files) to
>
> But everybody is using the latest patched rsync
> right?
> It uses ssh by default now, no need to give it
> options like
> --rsh or -e
>
> --clark

From owner-freebsd-security Thu Mar 28 16:47:10 2002
From: statik@hate.cx
To: John Brodzniski
Subject: Re: rsync mirroring question
Date: Thu, 28 Mar 2002 17:46:51 -0700 (MST)
In-Reply-To: <20020329004213.24270.qmail@web10601.mail.yahoo.com>
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG,
freebsd-question@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org to automate it you can create ssh keys and and put them in the ~/.ssh/authorized_keys file on the recieving host. John Brodzniski forced the bits to display: > From what I read the default in version 2.5.4 is still > rsh. > > Also if I would want to automate this how would I send > the password. Would I have to specify this in the > --password-file argument? > > Thanks > -John > --- clark shishido wrote: >> On Thu, Mar 28, 2002 at 05:32:01PM -0700, >> statik@hate.cx wrote: >> > you can run rsync through ssh by adding >> "--rsh=/path/to/ssh" (ie. rsync >> > --rsh=/usr/bin/ssh /path/to/files >> user@10.10.10.10:/where/you/want/the/files) to >> >> But everybody is using the latest patched rsync >> right? >> It uses ssh by default now, no need to give it >> options like >> --rsh or -e >> >> --clark >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of >> the message > > > __________________________________________________ > Do You Yahoo!? > Yahoo! Movies - coverage of the 74th Academy Awards > http://movies.yahoo.com/ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > ::[ RFC 2795 ]:: "Democracy means simply the bludgeoning of the people by the people for the people." -Oscar Wilde statik@hate.cx / security engineer \ "My God, it's full of stars..." 
PGP fingerprint: D656 01EB 79FC 9285 F110 2AB1 D8BC B3BA BEA2 E0C5

From owner-freebsd-security Thu Mar 28 17:28:50 2002
From: Jason Stone
To: John Brodzniski
Date: Thu, 28 Mar 2002 17:28:36 -0800 (PST)
Subject: Re: rsync mirroring question
Message-ID: <20020328164520.S5333-100000@walter>
In-Reply-To: <20020329004213.24270.qmail@web10601.mail.yahoo.com>

> From what I read the default in version 2.5.4 is still rsh.

The "default" from the authors is still rsh; the "default" in the freebsd ports tree has been patched to use ssh. So if you install rsync from a reasonably up-to-date ports tree, ssh will be the default and the manpage and docs will reflect this.

> Also if I would want to automate this how would I send the password.
> Would I have to specify this in the --password-file argument?

The best thing to do is to use ssh keys instead of passwords. Check out ssh(1) and ssh-keygen(1) for details.

In a nutshell, assume that the machine you want to back up is A and the machine you're backing up to is B. On machine A, run:

    ssh-keygen -f ~/.ssh/id_rsa -t rsa -N ""

Then copy ~/.ssh/id_rsa.pub on A to ~/.ssh/authorized_keys on machine B.

Then, on machine B, open the ~/.ssh/authorized_keys file in an editor and add to the beginning of the line a string like:

    command="rsync --server --sender -vlgtprz ",no-X11-forwarding,no-port-forwarding,no-agent-forwarding,no-pty,from=""

replacing with the ip address of machine A, and replacing and as from this command which you run on A:

    rsync -avz MachineB:

Make sure that the long string containing the restrictions and the key is all on one line, with the restrictions separated from the beginning of the key by a single space.

Then test that the key can't be used to run a shell or a command other than your rsync, test that the private key can't be used from a machine other than A, etc.

-Jason

-----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
 -- Mike Godwin

From owner-freebsd-security Thu Mar 28 17:43:20 2002
From: "Crist J. Clark"
To: Jason Stone
Cc: security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 17:43:04 -0800
Subject: Re: make world and setuid bits
Message-ID: <20020328174304.L97841@blossom.cjclark.org>
References: <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter>
In-Reply-To: <20020328161518.R5333-100000@walter>; from jason-fbsd-security@shalott.net on Thu, Mar 28, 2002 at 04:37:54PM -0800

On Thu, Mar 28, 2002 at 04:37:54PM -0800, Jason Stone wrote:
> > > Are there make variables that can be set to prevent "make world" from
> > > installing binaries as setuid? Currently, I always run something like
> > > "find / -perm -4000 | xargs chmod u-s" after doing a make world, but this
> > > seems inelegant, prone to human error, and dangerous as there's a
> > > (potentially quite long) period in which there are still many setuid
> > > binaries....
> > >
> > > make options to allow the prevention of "setuid root", "all setuid",
> > > or "all setuid and all setgid" would be nice.
> >
> > For the vast majority of users, having no setuid binaries is a really,
> > really bad idea from a security standpoint. It forces you to do
> > everything as root.
>
> 1) For server machines that have no non-root interactive users, the
> "no setuid or setgid at all" option is a very good idea.

Some sites may use this policy, but I would never like it. It requires direct logins as root.

> 2) Even on machines that do have interactive users, there are many
> environments where it's possible to turn off most of the setuid root
> bits - I see no reason to let users on a shared machine run ping or
> traceroute, rsh/rlogin should never be used at all, I can get away with
> not providing crontab, most servers don't have printers attached and
> therefore have no use for lpr, etc.

passwd(1), at(1), crontab(1), login(1), su(1): some or most of those would be required for almost any multiuser installation.

> So, given that there's decidedly some utility in doing this, is there any
> reason to not do so?

If you can come up with some reasonably non-obtrusive patches to the build to control this with some make.conf(5) knobs, we can have a look at the practicality.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Thu Mar 28 17:51:47 2002
From: "Crist J. Clark"
To: Adam
Cc: security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 17:51:40 -0800
Subject: Re: SSH or Telnet?
Message-ID: <20020328175140.M97841@blossom.cjclark.org>
References: <2823.213.112.58.135.1017350976.squirrel@phucking.kicks-ass.org> <000501c1d6a0$30b95bd0$126cfea9@a4ibmrrll9362k>
In-Reply-To: <000501c1d6a0$30b95bd0$126cfea9@a4ibmrrll9362k>; from adamtuttle@sympatico.ca on Thu, Mar 28, 2002 at 04:33:23PM -0500

On Thu, Mar 28, 2002 at 04:33:23PM -0500, Adam wrote:
> I would highly suggest that you use telnet. As long as you keep it updated
> and patched you shouldn't have any problems with it..

Dude, pass whatever the hell you are smoking down here.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Thu Mar 28 18:28:35 2002
From: Kris Kennaway
To: Moti Levy
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 18:28:25 -0800
Subject: Re: How can I erase my fingertips .
Message-ID: <20020328182824.B25543@xor.obsecurity.org>
In-Reply-To: <056f01c1d694$12084400$fd6e34c6@moti>; from moti@flncs.com on Thu, Mar 28, 2002 at 03:03:27PM -0500

On Thu, Mar 28, 2002 at 03:03:27PM -0500, Moti Levy wrote:
> I want to stop nmap from detecting my os .

You might be able to fool (the current version of) nmap, but it's impossible to remove the characteristic features which allow one to distinguish between one IP stack and another.

Kris

From owner-freebsd-security Thu Mar 28 18:29:47 2002
From: Gregory Neil Shapiro
To: Jason Stone
Date: Thu, 28 Mar 2002 18:29:41 -0800
Subject: Re: make world and setuid bits
Message-ID: <15523.53653.441767.36231@horsey.gshapiro.net>
In-Reply-To: <20020328161518.R5333-100000@walter>
References: <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter>

>> > Are there make variables that can be set to prevent "make world" from
>> > installing binaries as setuid?

An alternative is to let buildworld (and any other ports) install things properly but mount all of your file systems `nosuid'.
I do this on partitions that shouldn't have set-user-ID binaries anyway:

    /dev/ad0s1a  /       ufs     rw,userquota,groupquota               1 1
    /dev/ad0s1b  none    swap    sw                                    0 0
    /dev/ad0s1e  /var    ufs     rw,userquota,groupquota,nodev,nosuid  2 2
    /dev/ad0s1f  /tmp    ufs     rw,userquota,groupquota,nodev,nosuid  0 2
    /dev/ad0s1g  /usr    ufs     rw,userquota,groupquota,nodev         2 2
    /dev/ad0s1h  /home   ufs     rw,userquota,groupquota,nodev,nosuid  2 2
    /dev/cd0c    /cdrom  cd9660  ro,noauto,nodev,nosuid                0 0
    proc         /proc   procfs  rw                                    0 0

From owner-freebsd-security Thu Mar 28 18:55:56 2002
From: Garrett Wollman
To: "Crist J. Clark"
Cc: security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 21:55:52 -0500 (EST)
Subject: Re: make world and setuid bits
Message-ID: <200203290255.g2T2tqi09556@khavrinen.lcs.mit.edu>
In-Reply-To: <20020328174304.L97841@blossom.cjclark.org>
References: <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter> <20020328174304.L97841@blossom.cjclark.org>

< said:
> Some sites may use this policy, but I would never like it. It requires
> direct logins as root.

It may make some sense in limited circumstances. For example, my Kerberos KDC has only one interactive user (root), does not support network login (duh!), and is locked in a box in one of my machine rooms. *Any* escalation of privilege on that machine represents a serious security problem.

> passwd(1), at(1), crontab(1), login(1), su(1), some or most of those
> would be required for almost any multiuser installation.

Actually, only passwd is required for most users. People who are not administrators have no need for at, crontab, or su, and the only process which normally runs login is getty.

-GAWollman

From owner-freebsd-security Thu Mar 28 19:12:38 2002
From: "David G . Andersen"
To: Garrett Wollman
Cc: "Crist J. Clark", security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 20:12:33 -0700
Subject: Re: make world and setuid bits
Message-ID: <20020328201233.A31300@cs.utah.edu>
References: <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter> <20020328174304.L97841@blossom.cjclark.org> <200203290255.g2T2tqi09556@khavrinen.lcs.mit.edu>
In-Reply-To: <200203290255.g2T2tqi09556@khavrinen.lcs.mit.edu>; from wollman@lcs.mit.edu on Thu, Mar 28, 2002 at 09:55:52PM -0500

Garrett Wollman just mooed:
>
> > passwd(1), at(1), crontab(1), login(1), su(1), some or most of those
> > would be required for almost any multiuser installation.
>
> Actually, only passwd is required for most users. People who are not
> administrators have no need for at, crontab, or su, and the only
> process which normally runs login is getty.

People who are not administrators or clueful have no need for at or crontab. They're exceptionally handy for even mere users, particularly when said users are geeks. Keeping network measurements alive, rotating your web guestbook, etc.

-Dave

-- 
work: dga@lcs.mit.edu   me: dga@pobox.com
MIT Laboratory for Computer Science   http://www.angio.net/

From owner-freebsd-security Thu Mar 28 20:37:26 2002
From: "Crist J. Clark"
To: Gregory Neil Shapiro
Cc: Jason Stone, security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 20:37:06 -0800
Subject: Re: make world and setuid bits
Message-ID: <20020328203706.N97841@blossom.cjclark.org>
References: <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter> <15523.53653.441767.36231@horsey.gshapiro.net>
In-Reply-To: <15523.53653.441767.36231@horsey.gshapiro.net>; from gshapiro@FreeBSD.ORG on Thu, Mar 28, 2002 at 06:29:41PM -0800

On Thu, Mar 28, 2002 at 06:29:41PM -0800, Gregory Neil Shapiro wrote:
> >> > Are there make variables that can be set to prevent "make world" from
> >> > installing binaries as setuid?
>
> An alternative is to let buildworld (and any other ports) install things
> properly but mount all of your file systems `nosuid'. I do this on
> partitions that shouldn't have set-user-ID binaries anyway:
>
> /dev/ad0s1a  /       ufs     rw,userquota,groupquota               1 1
> /dev/ad0s1b  none    swap    sw                                    0 0
> /dev/ad0s1e  /var    ufs     rw,userquota,groupquota,nodev,nosuid  2 2
> /dev/ad0s1f  /tmp    ufs     rw,userquota,groupquota,nodev,nosuid  0 2
> /dev/ad0s1g  /usr    ufs     rw,userquota,groupquota,nodev         2 2
> /dev/ad0s1h  /home   ufs     rw,userquota,groupquota,nodev,nosuid  2 2
> /dev/cd0c    /cdrom  cd9660  ro,noauto,nodev,nosuid                0 0
> proc         /proc   procfs  rw                                    0 0

Yeah, I thought of that right after I sent the mail. I don't see any need for a switch to turn off all setuids when this simple, and safer, solution is available.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Thu Mar 28 20:40:59 2002
From: "Crist J. Clark"
To: Garrett Wollman
Cc: security@FreeBSD.ORG
Date: Thu, 28 Mar 2002 20:40:53 -0800
Subject: Re: make world and setuid bits
Message-ID: <20020328204053.O97841@blossom.cjclark.org>
References: <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter> <20020328174304.L97841@blossom.cjclark.org> <200203290255.g2T2tqi09556@khavrinen.lcs.mit.edu>
In-Reply-To: <200203290255.g2T2tqi09556@khavrinen.lcs.mit.edu>; from wollman@lcs.mit.edu on Thu, Mar 28, 2002 at 09:55:52PM -0500

On Thu, Mar 28, 2002 at 09:55:52PM -0500, Garrett Wollman wrote:
> < said:
>
> > Some sites may use this policy, but I would never like it. It requires
> > direct logins as root.
>
> It may make some sense in limited circumstances. For example, my
> Kerberos KDC has only one interactive user (root), does not support
> network login (duh!), and is locked in a box in one of my machine
> rooms. *Any* escalation of privilege on that machine represents a
> serious security problem.

Again, personally, if more than one user has access to the machine, I prefer to give people individual accounts and su(1) to root for the sake of an audit trail (obviously, people who have root and physical access can almost certainly tamper with the logs, but it is still useful). YMMV.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Fri Mar 29 3:17:14 2002
From: Jason Stone
Date: Fri, 29 Mar 2002 03:16:56 -0800 (PST)
Subject: Re: make world and setuid bits
Message-ID: <20020329025937.G5333-100000@walter>
In-Reply-To: <20020328174304.L97841@blossom.cjclark.org>

> passwd(1), at(1), crontab(1), login(1), su(1), some or most of those
> would be required for almost any multiuser installation.

at and crontab I don't provide, and since I use ssh exclusively, login is not necessary. passwd is usually the only binary I leave setuid.
I don't want this thread to get too theological, but my preferred way of handling root users is to use ssh with rsa keys and patch sshd to log key fingerprints for root logins (actually, the current openssh finally includes this feature by default) and to totally avoid su. This gives me the accountability I desire, it ensures that all root logins are over ssh, and it makes managing root access much easier and way less error prone.

As for mount -o nosuid, I do that when I can, but it's not granular enough for many circumstances. Sometimes I want to have a single setuid binary like passwd, and frequently I want to have non-root setuid binaries (I feel pretty comfortable with man, for example).

> If you can come up with some reasonably non-obtrusive patches to the
> build to control this with some make.conf(5) knobs, we can have a look
> at the practicality.

That's fair - if I do send a patch, do you suppose it's likely it would get included? I'm imagining just wrapping the assignment of BINMODE in an ifdef for the sixty-ish or so Makefiles that use it to set special bits.

-Jason

-----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
 -- Mike Godwin

From owner-freebsd-security Fri Mar 29 3:25:42 2002
From: ark@eltex.ru
To: cjc@FreeBSD.ORG
Cc: adamtuttle@sympatico.ca, security@FreeBSD.ORG
Date: Fri, 29 Mar 2002 14:45:59 +0300
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: SSH or Telnet?
Message-ID: <200203291145.OAA03776@paranoid.eltex.ru>
In-Reply-To: <20020328175140.M97841@blossom.cjclark.org> from "Crist J. Clark"

What's wrong with telnet? I use it frequently and I am pretty satisfied with it. (I don't need to encrypt sessions, there is no sensitive information inside. Don't tell me about cleartext passwords, there are no cleartext passwords.
And if you really need encryption you may run telnet over ipsec) "Crist J. Clark" said : > On Thu, Mar 28, 2002 at 04:33:23PM -0500, Adam wrote: > > I would highly suggest that you use telnet. As long as you keep it updated > > and patched you shouldnt have any problems with it.. > > Dude, pass whatever the hell you are smoking down here. _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQCVAwUBPKRT9qH/mIJW9LeBAQHW2QP/f5kQb2ikGqjdT/O321NJ56fWyW4IkMCe RU9dl1FU4lLhAKE5f625ZvRQVzCLwW1EwHXps13dGQHrWVsBGKziLNGFszcn1jHA K+xIKIxFA8hm4oWmw4ww2HLPU7hwHuGA7h/F+gh6nbnJuogRXVb+t8c3QdsSvDiA VoFXEmA3194= =urmJ -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 29 4:22:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from ns.tb.by (ns.tb.by [212.98.163.84]) by hub.freebsd.org (Postfix) with ESMTP id 9A65837B416 for ; Fri, 29 Mar 2002 04:22:51 -0800 (PST) Received: from franc ([10.20.1.109]) by ns.tb.by (8.11.3/8.11.3) with ESMTP id g2TBiP543145 for ; Fri, 29 Mar 2002 13:44:26 +0200 (EET) Date: Fri, 29 Mar 2002 13:33:35 +0200 From: Dmitry Shupilov X-Mailer: The Bat! (v1.47 Halloween Edition) Personal Reply-To: Dmitry Shupilov X-Priority: 3 (Normal) Message-ID: <72250498197.20020329133335@ns.tb.by> To: security@FreeBSD.ORG Subject: Re[2]: SSH or Telnet? In-reply-To: <20020328201100.E6672-100000@cactus.fi.uba.ar> References: <20020328201100.E6672-100000@cactus.fi.uba.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! 
Don't you try to use IPSec? If you do you can use any method to connect to remote side without any fear (telnet, rlogin etc.) Dmitry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 29 5:52:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from ns.tb.by (ns.tb.by [212.98.163.84]) by hub.freebsd.org (Postfix) with ESMTP id EE4C337B419 for ; Fri, 29 Mar 2002 05:52:54 -0800 (PST) Received: from franc ([10.20.1.109]) by ns.tb.by (8.11.3/8.11.3) with ESMTP id g2TDna543250; Fri, 29 Mar 2002 15:49:47 +0200 (EET) Date: Fri, 29 Mar 2002 15:38:42 +0200 From: Dmitry Shupilov X-Mailer: The Bat! (v1.47 Halloween Edition) Personal Reply-To: Dmitry Shupilov X-Priority: 3 (Normal) Message-ID: <192258005672.20020329153842@ns.tb.by> To: security@FreeBSD.ORG Cc: roam@ringlet.net Subject: Re[2]: SSH or Telnet? In-reply-To: <20020329143538.B340@straylight.oblivion.bg> References: <20020328201100.E6672-100000@cactus.fi.uba.ar> <72250498197.20020329133335@ns.tb.by> <20020329143538.B340@straylight.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Friday, March 29, 2002, 2:35:38 PM, you wrote: PP> Other than that, IPSec is a step towards a solution. If you don't like IPSec you can try VLAN's. VLAN's are what I use in my office to connect to critical hardware (routers, servers etc). But this solution is accomplished though the Cisco switches. The new Cisco switch support access lists per port (this is not Cisco advertisement:). PP> Still, I personally PP> would not trust telnet even in an IPSec environment, but then I *am* PP> somewhat paranoid :) Actually I use SSH2 in my network as well. 
-- 
Best regards,
Dmitry                            mailto:root@ns.tb.by

From owner-freebsd-security Fri Mar 29 6:40:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from dc-mx04.cluster1.charter.net (dc-mx04.cluster0.hsacorp.net [209.225.8.14]) by hub.freebsd.org (Postfix) with ESMTP id 5864837B429; Fri, 29 Mar 2002 06:40:10 -0800 (PST)
Received: from [66.188.91.52] (HELO chris) by dc-mx04.cluster1.charter.net (CommuniGate Pro SMTP 3.5.3) with SMTP id 31361558; Fri, 29 Mar 2002 09:46:44 -0500
Message-ID: <00bb01c1d72f$5995aa60$345bbc42@mad.chartermi.net>
From: "Lexion Trigue"
To:
Subject: OpenSSH vulnerability
Date: Fri, 29 Mar 2002 08:38:10 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

http://online.securityfocus.com/archive/1/264657

FreeBSD includes 2.9 in the base..
From owner-freebsd-security Fri Mar 29 6:40:27 2002
Delivered-To: freebsd-security@freebsd.org
Received: from web11603.mail.yahoo.com (web11603.mail.yahoo.com [216.136.172.55]) by hub.freebsd.org (Postfix) with SMTP id AACC537B41E for ; Fri, 29 Mar 2002 06:40:16 -0800 (PST)
Message-ID: <20020329144016.41468.qmail@web11603.mail.yahoo.com>
Received: from [24.189.82.162] by web11603.mail.yahoo.com via HTTP; Fri, 29 Mar 2002 06:40:16 PST
Date: Fri, 29 Mar 2002 06:40:16 -0800 (PST)
From: Holt Grendal
Subject: Fwd: OpenSSH channel_lookup() off by one exploit
To: security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Has this been fixed in freebsd?

Holt

--- Morgan wrote:
> From: "Morgan"
> To: ,
> Subject: OpenSSH channel_lookup() off by one exploit
> Date: Wed, 27 Mar 2002 22:23:51 -0500
>
> OpenSSH 2.9* Proof of Concept exploit..
>
> note to moderator: read LICENCE agreement.
>
> ATTACHMENT part 2 application/x-compressed name=osshchan.tgz

__________________________________________________
Do You Yahoo!?
Yahoo! Greetings - send holiday greetings for Easter, Passover
http://greetings.yahoo.com/

From owner-freebsd-security Fri Mar 29 7:09:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 082C237B41B for ; Fri, 29 Mar 2002 07:09:09 -0800 (PST)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA30582; Fri, 29 Mar 2002 07:09:02 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda30580; Fri Mar 29 07:09:01 2002
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id g2TF8ug66765; Fri, 29 Mar 2002 07:08:56 -0800 (PST)
Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdZ66763; Fri Mar 29 07:08:49 2002
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id g2TF8mE28902; Fri, 29 Mar 2002 07:08:48 -0800 (PST)
Message-Id: <200203291508.g2TF8mE28902@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdG28898; Fri Mar 29 07:08:40 2002
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
Reply-To: Cy Schubert - CITS Open Systems Group
From: Cy Schubert - CITS Open Systems Group
X-Sender: schubert
To: "Lexion Trigue"
Cc: security@FreeBSD.ORG
Subject: Re: OpenSSH vulnerability
In-Reply-To: Message from "Lexion Trigue" of "Fri, 29 Mar 2002 08:38:10 CST." <00bb01c1d72f$5995aa60$345bbc42@mad.chartermi.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 29 Mar 2002 07:08:39 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <00bb01c1d72f$5995aa60$345bbc42@mad.chartermi.net>, "Lexion Trigue" writes:
> http://online.securityfocus.com/archive/1/264657
>
> FreeBSD includes 2.9 in the base..

.. with all known security bugs fixed.

Regards,                         Phone:  (250)387-8437
Cy Schubert                      Fax:    (250)387-5766
Team Leader, Sun/Alpha Team      Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, CITS
Ministry of Management Services
Province of BC
FreeBSD UNIX:                    cy@FreeBSD.org

From owner-freebsd-security Fri Mar 29 7:16:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id D360137B419 for ; Fri, 29 Mar 2002 07:16:11 -0800 (PST)
Received: (from emechler@localhost) by radix.cryptio.net (8.11.6/8.11.6) id g2TFGBC21814; Fri, 29 Mar 2002 07:16:11 -0800 (PST) (envelope-from emechler)
Date: Fri, 29 Mar 2002 07:16:11 -0800
From: Erick Mechler
To: Holt Grendal
Cc: security@FreeBSD.ORG
Subject: Re: Fwd: OpenSSH channel_lookup() off by one exploit
Message-ID: <20020329071611.P1414@techometer.net>
References: <20020329144016.41468.qmail@web11603.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020329144016.41468.qmail@web11603.mail.yahoo.com>; from Holt Grendal on Fri, Mar 29, 2002 at 06:40:16AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:: Has this been fixed in freebsd?

Yup, nearly a month ago. The advisory is here:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A13.openssh.asc

You can find this, and other advisories, on the FreeBSD Security page:

http://www.freebsd.org/security/#adv

--Erick

From owner-freebsd-security Fri Mar 29 9:50:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-169-104-17.dsl.lsan03.pacbell.net [64.169.104.17]) by hub.freebsd.org (Postfix) with ESMTP id C09F037B41C for ; Fri, 29 Mar 2002 09:50:15 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 3ECFF66D19; Fri, 29 Mar 2002 09:50:15 -0800 (PST)
Date: Fri, 29 Mar 2002 09:50:15 -0800
From: Kris Kennaway
To: Lexion Trigue
Cc: security@freebsd.org
Subject: Re: OpenSSH vulnerability
Message-ID: <20020329095015.A45810@xor.obsecurity.org>
References: <00bb01c1d72f$5995aa60$345bbc42@mad.chartermi.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="RnlQjJ0d97Da+TV1"
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <00bb01c1d72f$5995aa60$345bbc42@mad.chartermi.net>; from lexion@jeah.net on Fri, Mar 29, 2002 at 08:38:10AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--RnlQjJ0d97Da+TV1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Mar 29, 2002 at 08:38:10AM -0600, Lexion Trigue wrote:
> http://online.securityfocus.com/archive/1/264657
>
> FreeBSD includes 2.9 in the base..

This is old news..we released an advisory for this problem and corrected it a few weeks ago.
Kris

--RnlQjJ0d97Da+TV1
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8pKlWWry0BWjoQKURAnDCAJ0UTYD5b29Qj/zcaqgup5ZL/Fpo2ACgvgoP
zC2N1F/MqC0mp+8vFWAXkaY=
=FxSI
-----END PGP SIGNATURE-----

--RnlQjJ0d97Da+TV1--

From owner-freebsd-security Fri Mar 29 11:07:28 2002
Delivered-To: freebsd-security@freebsd.org
Received: from oksala.org (modemcable044.179-200-24.timi.mc.videotron.ca [24.200.179.44]) by hub.freebsd.org (Postfix) with ESMTP id CB45B37B400 for ; Fri, 29 Mar 2002 11:07:25 -0800 (PST)
Received: from videotron.ca (silence [24.200.179.44]) by oksala.org (8.11.6/8.11.1) with ESMTP id g2TJ5nP56727; Fri, 29 Mar 2002 14:05:49 -0500 (EST) (envelope-from oksala@videotron.ca)
Message-ID: <3CA4BB08.CB9E9275@videotron.ca>
Date: Fri, 29 Mar 2002 14:05:44 -0500
From: Pierre-Luc Lespérance
Organization: www.oksala.org
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.5-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Jason Stone
Cc: security@FreeBSD.ORG
Subject: Re: make world and setuid bits
References: <20020328043119.V5333-100000@walter>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jason Stone wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Are there make variables that can be set to prevent "make world" from
> installing binaries as setuid? Currently, I always run something like
> "find -perms -4000 | xargs chmod u-s" after doing a make world, but this
> seems inelegant, prone to human error, and dangerous as there's a
> (potentially quite long) period in which there are still many setuid
> binaries....
>
> make options to allow the prevention of "setuid root", "all setuid",
> or "all setuid and all setgid" would be nice.
>
> -Jason

You can mount your filesystem with the "nosuid" option. I think it's exactly what you are looking for. I'm using it in a jailed environment but I've never done it on my / fs.

See for yourself: man mount.

Hope it helps.

From owner-freebsd-security Fri Mar 29 11:13:13 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mile.nevermind.kiev.ua (freebsddiary.org.ua [213.186.199.26]) by hub.freebsd.org (Postfix) with ESMTP id 13EE437B420; Fri, 29 Mar 2002 11:12:50 -0800 (PST)
Received: (from never@localhost) by mile.nevermind.kiev.ua (8.11.6/8.11.6) id g2TJCkq16188; Fri, 29 Mar 2002 21:12:46 +0200 (EET) (envelope-from never)
Date: Fri, 29 Mar 2002 21:12:46 +0200
From: Nevermind
To: "Crist J. Clark"
Cc: Adam , security@FreeBSD.ORG, chat@FreeBSD.ORG
Subject: Re: SSH or Telnet?
Message-ID: <20020329191246.GB13831@nevermind.kiev.ua>
References: <2823.213.112.58.135.1017350976.squirrel@phucking.kicks-ass.org> <000501c1d6a0$30b95bd0$126cfea9@a4ibmrrll9362k> <20020328175140.M97841@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
In-Reply-To: <20020328175140.M97841@blossom.cjclark.org>
User-Agent: Mutt/1.3.28i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello, Crist J. Clark!
On Thu, Mar 28, 2002 at 05:51:40PM -0800, you wrote:
> > I would highly suggest that you use telnet. As long as you keep it updated
> > and patched you shouldn't have any problems with it..
>
> Dude, pass whatever the hell you are smoking down here.

As far as I can see, 60% of postings in freebsd-*@ start or end with a phrase like "What are you smoking there?" :)

I hope someday it will become a standard greeting :))

-- 
NEVE-RIPE

From owner-freebsd-security Fri Mar 29 11:17:23 2002
Delivered-To: freebsd-security@freebsd.org
Received: from swan.prod.itd.earthlink.net (swan.mail.pas.earthlink.net [207.217.120.123]) by hub.freebsd.org (Postfix) with ESMTP id DFB1637B400; Fri, 29 Mar 2002 11:17:15 -0800 (PST)
Received: from user-119aekg.biz.mindspring.com ([66.149.58.144] helo=ns.flncs.com) by swan.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16r1sB-00065L-00; Fri, 29 Mar 2002 11:17:15 -0800
Received: from moti (cylex [12.27.148.78]) by ns.flncs.com (Postfix) with SMTP id 1A5C6207BD; Fri, 29 Mar 2002 14:21:11 -0500 (EST)
Message-ID: <005801c1d756$681a7c10$fd6e34c6@moti>
From: "Moti Levy"
Cc: ,
References: <2823.213.112.58.135.1017350976.squirrel@phucking.kicks-ass.org> <000501c1d6a0$30b95bd0$126cfea9@a4ibmrrll9362k> <20020328175140.M97841@blossom.cjclark.org> <20020329191246.GB13831@nevermind.kiev.ua>
Subject: Re: SSH or Telnet?
Date: Fri, 29 Mar 2002 14:17:44 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="KOI8-R"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well, they say only two good things came out of Berkeley: LSD and Unix, and it's not a coincidence.

----- Original Message -----
From: "Nevermind"
To: "Crist J. Clark"
Cc: "Adam" ; ;
Sent: Friday, March 29, 2002 2:12 PM
Subject: Re: SSH or Telnet?

> Hello, Crist J. Clark!
>
> On Thu, Mar 28, 2002 at 05:51:40PM -0800, you wrote:
> > > I would highly suggest that you use telnet. As long as you keep it updated
> > > and patched you shouldn't have any problems with it..
> >
> > Dude, pass whatever the hell you are smoking down here.
> As far as I can see, 60% of postings in freebsd-*@ start or end with a
> phrase like "What are you smoking there?" :)
>
> I hope someday it will become a standard greeting :))
>
> --
> NEVE-RIPE

From owner-freebsd-security Fri Mar 29 11:20:56 2002
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by hub.freebsd.org (Postfix) with ESMTP id 1562037B426; Fri, 29 Mar 2002 11:20:34 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1192) id B55E4AE1C1; Fri, 29 Mar 2002 11:20:33 -0800 (PST)
Date: Fri, 29 Mar 2002 11:20:33 -0800
From: Alfred Perlstein
To: Moti Levy
Cc: security@FreeBSD.ORG, chat@FreeBSD.ORG
Subject: Re: SSH or Telnet?
Message-ID: <20020329192033.GW93885@elvis.mu.org>
References: <2823.213.112.58.135.1017350976.squirrel@phucking.kicks-ass.org> <000501c1d6a0$30b95bd0$126cfea9@a4ibmrrll9362k> <20020328175140.M97841@blossom.cjclark.org> <20020329191246.GB13831@nevermind.kiev.ua> <005801c1d756$681a7c10$fd6e34c6@moti>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <005801c1d756$681a7c10$fd6e34c6@moti>
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Moti Levy [020329 11:17] wrote:
> well they say only two good things came out of Berkeley
> lsd and unix , and it's not a coincidence .

http://www.spatula.net/proc/rants/bsdlsd.src

-Alfred

From owner-freebsd-security Fri Mar 29 11:24:50 2002
Delivered-To: freebsd-security@freebsd.org
Received: from falcon.prod.itd.earthlink.net (falcon.mail.pas.earthlink.net [207.217.120.74]) by hub.freebsd.org (Postfix) with ESMTP id 9D42F37B400; Fri, 29 Mar 2002 11:24:42 -0800 (PST)
Received: from user-119aekg.biz.mindspring.com ([66.149.58.144] helo=ns.flncs.com) by falcon.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16r1zO-0003xT-00; Fri, 29 Mar 2002 11:24:42 -0800
Received: from moti (cylex [12.27.148.78]) by ns.flncs.com (Postfix) with SMTP id E845020696; Fri, 29 Mar 2002 14:28:32 -0500 (EST)
Message-ID: <007e01c1d757$6f7b6950$fd6e34c6@moti>
From: "Moti Levy"
To: "Alfred Perlstein"
Cc: ,
References: <2823.213.112.58.135.1017350976.squirrel@phucking.kicks-ass.org> <000501c1d6a0$30b95bd0$126cfea9@a4ibmrrll9362k> <20020328175140.M97841@blossom.cjclark.org> <20020329191246.GB13831@nevermind.kiev.ua> <005801c1d756$681a7c10$fd6e34c6@moti> <20020329192033.GW93885@elvis.mu.org>
Subject: Re: SSH or Telnet?
Date: Fri, 29 Mar 2002 14:25:06 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I take it back then ...

----- Original Message -----
From: "Alfred Perlstein"
To: "Moti Levy"
Cc: ;
Sent: Friday, March 29, 2002 2:20 PM
Subject: Re: SSH or Telnet?

> * Moti Levy [020329 11:17] wrote:
> > well they say only two good things came out of Berkeley
> > lsd and unix , and it's not a coincidence .
>
> http://www.spatula.net/proc/rants/bsdlsd.src
>
> -Alfred

From owner-freebsd-security Fri Mar 29 12:28:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39]) by hub.freebsd.org (Postfix) with ESMTP id 33AFE37B400 for ; Fri, 29 Mar 2002 12:28:10 -0800 (PST)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020329202808.RJDR2928.rwcrmhc53.attbi.com@blossom.cjclark.org>; Fri, 29 Mar 2002 20:28:08 +0000
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g2TKS7p34374; Fri, 29 Mar 2002 12:28:07 -0800 (PST) (envelope-from cjc)
Date: Fri, 29 Mar 2002 12:28:06 -0800
From: "Crist J. Clark"
To: Dmitry Shupilov
Cc: security@FreeBSD.ORG, roam@ringlet.net
Subject: Re: SSH or Telnet?
Message-ID: <20020329122806.V97841@blossom.cjclark.org>
References: <20020328201100.E6672-100000@cactus.fi.uba.ar> <72250498197.20020329133335@ns.tb.by> <20020329143538.B340@straylight.oblivion.bg> <192258005672.20020329153842@ns.tb.by>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <192258005672.20020329153842@ns.tb.by>; from root@ns.tb.by on Fri, Mar 29, 2002 at 03:38:42PM +0200
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Mar 29, 2002 at 03:38:42PM +0200, Dmitry Shupilov wrote:
> Friday, March 29, 2002, 2:35:38 PM, you wrote:
>
> PP> Other than that, IPSec is a step towards a solution.
> If you don't like IPSec you can try VLANs. VLANs are what I use in
> my office to connect to critical hardware (routers, servers etc). But
> this solution is accomplished through the Cisco switches. The new Cisco
> switches support access lists per port (this is not Cisco advertisement:).

Please repeat after me...

1) Switching is not a security feature. Switching is not a security feature. Switching...

2) VLANs are not a security feature. VLANs are not a security feature. VLANs...

Both switching and VLANs were meant to increase _performance._ Switching never was and still is not a good security feature in any manageable sense on any hardware I've seen. Cisco has tried to tack security onto VLAN implementations as an afterthought, but unless things have changed recently, they were just that, not very well implemented afterthoughts.

-- 
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-security Fri Mar 29 13:21:55 2002
Delivered-To: freebsd-security@freebsd.org
Received: from vapour.net (vapour.net [198.96.117.180]) by hub.freebsd.org (Postfix) with ESMTP id 547F237B405 for ; Fri, 29 Mar 2002 13:21:48 -0800 (PST)
Received: from vapour.net (vapour.net [198.96.117.180]) by vapour.net (8.11.6/8.11.6) with ESMTP id g2TLE4C04276; Fri, 29 Mar 2002 16:14:04 -0500 (EST) (envelope-from batsy@vapour.net)
Date: Fri, 29 Mar 2002 16:14:04 -0500 (EST)
From: batz
To: Kris Kennaway
Cc: Moti Levy , freebsd-security@FreeBSD.ORG
Subject: Re: How can I erase my fingertips .
In-Reply-To: <20020328182824.B25543@xor.obsecurity.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 28 Mar 2002, Kris Kennaway wrote:

:You might be able to fool (the current version of) nmap, but it's
:impossible to remove the characteristic features which allow one to
:distinguish between one IP stack and another.

Actually, I remember when I was doing intrusion tests against sites with Sidewinder, it seemed to shuffle its responses so that we would get different fingerprints. I never verified whether this was a Sidewinder feature, or because there was a traffic director in front of it, but it is a part of intrusion testing lore anyway.

Also, because these fingerprints are specific signatures, and because nmap can also be fingerprinted, one could simply write an equivalent to fakeroute, which would listen for nmap OS scans, and jumble the responses. I realize this doesn't mean altering the stack tho.
Funny, the security through obscurity (there needs to be a short form for that) strategy never works, but improved security through adequate obfuscation is often reasonable, while only just a few notches down the continuum. :)

-- 
batz

From owner-freebsd-security Fri Mar 29 13:58:30 2002
Delivered-To: freebsd-security@freebsd.org
Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by hub.freebsd.org (Postfix) with ESMTP id BC27F37B416; Fri, 29 Mar 2002 13:58:26 -0800 (PST)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g2TLw3J08395; Fri, 29 Mar 2002 13:58:03 -0800 (PST) (envelope-from jan@caustic.org)
Date: Fri, 29 Mar 2002 13:58:03 -0800 (PST)
From: "f.johan.beisser"
To: Alfred Perlstein
Cc: Moti Levy , ,
Subject: Re: SSH or Telnet?
In-Reply-To: <20020329192033.GW93885@elvis.mu.org>
Message-ID: <20020329135727.B96787-100000@pogo.caustic.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 29 Mar 2002, Alfred Perlstein wrote:

> http://www.spatula.net/proc/rants/bsdlsd.src

http://caustic.org/~jan/history.html

just thought i'd share..

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                        jan@caustic.org
  "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
                                                  -- Tim Triche

From owner-freebsd-security Fri Mar 29 15:11:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-169-104-17.dsl.lsan03.pacbell.net [64.169.104.17]) by hub.freebsd.org (Postfix) with ESMTP id 7EE1837B420 for ; Fri, 29 Mar 2002 15:11:17 -0800 (PST)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 8EDEA66D19; Fri, 29 Mar 2002 15:11:11 -0800 (PST)
Date: Fri, 29 Mar 2002 15:11:11 -0800
From: Kris Kennaway
To: batz
Cc: Kris Kennaway , Moti Levy , freebsd-security@FreeBSD.ORG
Subject: Re: How can I erase my fingertips .
Message-ID: <20020329151111.A53554@xor.obsecurity.org>
References: <20020328182824.B25543@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="MGYHOYXEY6WxJCY8"
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: ; from batsy@vapour.net on Fri, Mar 29, 2002 at 04:14:04PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--MGYHOYXEY6WxJCY8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Fri, Mar 29, 2002 at 04:14:04PM -0500, batz wrote:
> Funny, the security through obscurity (there needs to be a short form for
> that) strategy never works

See my domain name :-)

Kris

--MGYHOYXEY6WxJCY8
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8pPSOWry0BWjoQKURAid8AJ9+691wTqTZUXQ84t2D9dUsnISFawCfcvws
vq4wKqPsFH5PBrXGrNaQFiw=
=/GA6
-----END PGP SIGNATURE-----

--MGYHOYXEY6WxJCY8--

From owner-freebsd-security Fri Mar 29 17:45:56 2002
Delivered-To: freebsd-security@freebsd.org
Received: from russian-caravan.cloud9.net (russian-caravan.cloud9.net [168.100.1.4]) by hub.freebsd.org (Postfix) with ESMTP id D9EF337B41A for ; Fri, 29 Mar 2002 17:45:52 -0800 (PST)
Received: from earl-grey.cloud9.net (earl-grey.cloud9.net [168.100.1.1]) by russian-caravan.cloud9.net (Postfix) with ESMTP id 1695828E05; Fri, 29 Mar 2002 20:45:52 -0500 (EST)
Date: Fri, 29 Mar 2002 20:45:52 -0500 (EST)
From: Peter Leftwich
X-X-Sender:
To: Jason Stone
Cc: Fernan Aguero , FreeBSD Security
Subject: Re: using ssh to run remote commands? [ssh -T, scp/ssh flags]
In-Reply-To: <20020328003857.J5333-100000@walter>
Message-ID: <20020329204245.N81735-100000@earl-grey.cloud9.net>
Organization: Video2Video Services - http://Www.Video2Video.Com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 28 Mar 2002, Jason Stone wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > I'd like to know how to run remote commands using ssh. I know I can do it as myself, but I'd like to know how can I set up my systems to allow non-login users (root, operator, amanda) to run remote commands on other hosts.
>
> You can't - ssh will always try to run a command by calling the user's shell, so unless you patch it, you _must_ give the user a valid shell.

I thought there was some way to run "ssh -T user@host" to bypass your shell, no?

> The best you can do is to give the user a valid shell but an invalid password (eg, "*") and use ssh keys to authenticate. For additional security, you can specify a command along with the key in the authorized_keys file so that the key can _only_ be used to run that command (and not to get a shell). man ssh, ssh-keygen.
> -Jason

Why are the man page and options for the command "scp" so LIMITED compared to those of "ssh?"

> I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -Mike Godwin

GREAT quote, depressing, but great.

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: See https://private.idealab.com/public/jason/jason.gpg
>
> iD8DBQE8othXswXMWWtptckRAsYLAJ9Xkk7nHT5v96DxvTIiagd0elMvAACgn1qO
> 4TtJLt7YCkrAMmgWtskX7sk=
> =jZLv
> -----END PGP SIGNATURE-----

Please comment on "ssh -T" and "scp vs ssh options."

-- 
Peter Leftwich
President & Founder
Video2Video Services
Box 13692, La Jolla, CA, 92039 USA
+1-413-403-9555

From owner-freebsd-security Fri Mar 29 18:40:28 2002
Delivered-To: freebsd-security@freebsd.org
Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id 909AF37B400 for ; Fri, 29 Mar 2002 18:40:05 -0800 (PST)
Received: (qmail 22541 invoked by uid 1000); 30 Mar 2002 02:39:59 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 30 Mar 2002 02:39:59 -0000
Date: Fri, 29 Mar 2002 18:39:56 -0800 (PST)
From: Jason Stone
X-X-Sender:
To: Peter Leftwich
Cc: FreeBSD Security
Subject: Re: using ssh to run remote commands? [ssh -T, scp/ssh flags]
In-Reply-To: <20020329204245.N81735-100000@earl-grey.cloud9.net>
Message-ID: <20020329175559.V2704-100000@walter>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > > I'd like to know how to run remote commands using ssh. I know I
> > > can do it as myself, but I'd like to know how can I set up my
> > > systems to allow non-login users (root, operator, amanda) to run
> > > remote commands on other hosts.

> > You can't - ssh will always try to run a command by calling the
> > user's shell, so unless you patch it, you _must_ give the user a
> > valid shell.

> I thought there was some way to run "ssh -T user@host" to bypass your
> shell, no?

Yes, you can have ssh run a command instead of an interactive shell by specifying it on the commandline, but that command is _always_ run as "$SHELL -c command", whether or not you force allocation (or lack thereof) of a tty.

Look at session.c in the openssh distribution - note that do_exec_pty() and do_exec_no_pty() both call do_child() to actually run your command, and do_child() runs your command with:

        /*
         * Execute the command using the user's shell.  This uses the -c
         * option to execute the command.
         */
        argv[0] = (char *) cp;
        argv[1] = "-c";
        argv[2] = (char *) command;
        argv[3] = NULL;
        execve(shell, argv, env);

> Why are the man page and options for the command "scp" so LIMITED compared
> to those of "ssh?"

scp is supposed to be mostly dropin compatible with rcp, so the openssh guys don't like to add options to it.
The way to specify options for scp is with -o and long ssh options - eg:

        scp -o Protocol=2 -o BatchMode=yes file remotehost:/path/

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
        -- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8pSV/swXMWWtptckRAu5XAKDcoqWjYwJ9ZA/8VZknzRcswiNInwCeJkof
Pu4+nXtlDtXSn4UKOe5nmqM=
=yq8q
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Mar 29 19:04:52 2002
Delivered-To: freebsd-security@freebsd.org
Received: from topperwein.dyndns.org (acs-24-154-28-203.zoominternet.net [24.154.28.203]) by hub.freebsd.org (Postfix) with ESMTP id A875B37B416 for ; Fri, 29 Mar 2002 19:04:48 -0800 (PST)
Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id g2U34m338651 for ; Fri, 29 Mar 2002 22:04:48 -0500 (EST) (envelope-from behanna@zbzoom.net)
Date: Fri, 29 Mar 2002 22:04:43 -0500 (EST)
From: Chris BeHanna
Reply-To: Chris BeHanna
To: FreeBSD Security
Subject: Re: SSH or Telnet?
In-Reply-To: <200203291145.OAA03776@paranoid.eltex.ru>
Message-ID: <20020329220256.N38382-100000@topperwein.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 29 Mar 2002 ark@eltex.ru wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> What's wrong with telnet? I use it frequently and i am pretty satisfied with
> it.
>
> (I don't need to encrypt sessions, there is no sensitive information inside.
> Don't tell me about cleartext passwords, there are no cleartext passwords.

Have a look at ethereal or dsniff. You will be surprised.

> And if you really need encryption you may run telnet over ipsec)

IPsec is a VPN solution. If someone in the LAN to which you're VPN-ing is running a sniffer, then what?

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

From owner-freebsd-security Fri Mar 29 19:55:50 2002
Delivered-To: freebsd-security@freebsd.org
Received: from rain.macguire.net (sense-sea-MegaSub-1-125.oz.net [216.39.144.125]) by hub.freebsd.org (Postfix) with ESMTP id 4E9B237B405; Fri, 29 Mar 2002 19:55:40 -0800 (PST)
Received: (from roo@localhost) by rain.macguire.net (8.11.6/8.11.6) id g2U3tTe08896; Fri, 29 Mar 2002 19:55:29 -0800 (PST) (envelope-from roo)
Date: Fri, 29 Mar 2002 19:55:29 -0800
From: Benjamin Krueger
To: Chris BeHanna
Cc: FreeBSD Security , freebsd-chat@freebsd.org
Subject: Re: SSH or Telnet?
Message-ID: <20020329195529.B7895@rain.macguire.net>
References: <200203291145.OAA03776@paranoid.eltex.ru> <20020329220256.N38382-100000@topperwein.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020329220256.N38382-100000@topperwein.dyndns.org>; from behanna@zbzoom.net on Fri, Mar 29, 2002 at 10:04:43PM -0500
X-PGP-Key: http://www.macguire.net/benjamin/public_key.asc
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Chris BeHanna (behanna@zbzoom.net) [020329 19:05]:
> On Fri, 29 Mar 2002 ark@eltex.ru wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > What's wrong with telnet? I use it frequently and i am pretty satisfied with
> > it.
> >
> > (I don't need to encrypt sessions, there is no sensitive information inside.
> > Don't tell me about cleartext passwords, there are no cleartext passwords.
>
> Have a look at ethereal or dsniff. You will be surprised.
>
> > And if you really need encryption you may run telnet over ipsec)
>
> IPsec is a VPN solution. If someone in the LAN to which you're
> VPN-ing is running a sniffer, then what?
>
> --
> Chris BeHanna
> Software Engineer                   (Remove "bogus" before responding.)
> behanna@bogus.zbzoom.net
> I was raised by a pack of wild corn dogs.

Our unsuspecting user logs in to the nameserver to update the pornserve.domain.com zone record for the new porn server (yay!).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
roo@rain:~> telnet fog
Trying 10.0.0.50...
Connected to fog.DOMAIN.
Escape character is '^]'.

HP-UX fog B.11.00 A 9000/712 (t0)

login:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MEANWHILE, IN THE CAVE OF EVILDOERS!

Joe Deluer, Evil Hax0r Extraordinaire, listens closely on an upstream link...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dsniff: listening on fxp0
dsniff: trigger_tcp: decoding port 23 as telnet
-----------------
03/29/02 19:42:33 tcp rain.macguire.net.1392 -> fog.macguire.net.23 (telnet)
roo
test123

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"Ah Ha!", says Joe, "I will 0wn j00 my pretty and your delicious pr0n too!".

---

"... there are no cleartext passwords."

DESCRIPTION
     dsniff is a password sniffer which handles FTP, Telnet, SMTP, HTTP,
     POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP,
     NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL,
     Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft
     SMB, Oracle SQL*Net, Sybase and Microsoft SQL protocols.

--
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

From owner-freebsd-security Sat Mar 30 0: 6:31 2002
Delivered-To: freebsd-security@freebsd.org
Received: from prometheus.vh.laserfence.net (prometheus.laserfence.net [196.44.73.116]) by hub.freebsd.org (Postfix) with ESMTP id C359937B41E for ; Sat, 30 Mar 2002 00:06:19 -0800 (PST)
Received: from phoenix.vh.laserfence.net ([192.168.0.10]) by prometheus.vh.laserfence.net with esmtp (Exim 3.34 #1) id 16rDre-0003Pm-00; Sat, 30 Mar 2002 10:05:30 +0200
Date: Sat, 30 Mar 2002 10:05:28 +0200 (SAST)
From: Willie Viljoen
X-X-Sender: will@phoenix.vh.laserfence.net
To: Jason Stone
Cc: Peter Leftwich , FreeBSD Security
Subject: Re: using ssh to run remote commands?
[ssh -T, scp/ssh flags]
In-Reply-To: <20020329175559.V2704-100000@walter>
Message-ID: <20020330095740.R508-100000@phoenix.vh.laserfence.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Just as a matter of interest, there is _one_ use for SSH where a valid
shell on the remote host is not required.

I use SSH to forward connections between an intranet server at home and my
FreeBSD box at the office. This is very useful for the box at home, which
has a static IP, but only an intermittent connection, to fetch my mail
from the FreeBSD box, and to use the FreeBSD box as a proxy cache, without
port 3128 having to be open, and with the added bonus of encryption, which
gets a bit more out of my tiny 56kbps connection here.

To do this, the user on the remote machine need not have a shell, either
/sbin/nologin or /bin/false will do the trick, depending on your
preference.

On the local side, create a .ssh/config file for the user as which you
want to run the port forward, include options for batch mode and all
that.. your file should look somewhat like this:

Host apollo.laserfence.net
	BatchMode yes
	IdentityFile ~/.ssh/portfw-id-dsa
	Compression yes
	Ciphers aes256-cbc
	MACs hmac-sha1
	LocalForward 9110:localhost:110

The portfw-id-dsa DSA key is a special one I created for this purpose
only, it's a 2048-bit key with no passphrase, such that the machine can
use it without supervision. DO NOT use this key for anything else, and
never copy it to other machines, or any machine that is not directly
under your control and ONLY your control.

The rest of the file should be fairly self explanatory.

After this is set up, have a startup script or some automata run a command
similar to this when your connection comes up:

ssh -f apollo.laserfence.net -N

This specifies that SSH should fork to the background and take on
daemonish characteristics, the -N switch specifies that SSH should _NOT_
start a shell on the remote host, nor run any commands. This basically
starts up a connection and nothing else to the remote machine. Very handy
for port forwarding if you don't want to establish the tunnel manually.

Will

On Fri, 29 Mar 2002, Jason Stone wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> > > > I'd like to know how to run remote commands using ssh. I know I
> > > > can do it as myself, but I'd like to know how can I set up my
> > > > systems to allow non-login users (root, operator, amanda) to run
> > > > remote commands on other hosts.
>
> > > You can't - ssh will always try to run a command by calling the
> > > user's shell, so unless you patch it, you _must_ give the user a
> > > valid shell.
>
> > I thought there was some way to run "ssh -T user@host" to bypass your
> > shell, no?
>
> Yes, you can have ssh run a command instead of an interactive shell by
> specifying it on the commandline, but that command is _always_ run as
> "$SHELL -c command", whether or not you force allocation (or lack thereof)
> of a tty.
>
> Look at session.c in the openssh distribution - note that both
> do_exec_pty() and do_exec_no_pty() both call do_child() to actually
> run your command and do_child() runs your command with:
>
>	/*
>	 * Execute the command using the user's shell.  This uses the -c
>	 * option to execute the command.
>	 */
>	argv[0] = (char *) cp;
>	argv[1] = "-c";
>	argv[2] = (char *) command;
>	argv[3] = NULL;
>	execve(shell, argv, env);
>
>
> > Why are the man page and options for the command "scp" so LIMITED compared
> > to those of "ssh?"
> > scp is supposed to be mostly dropin compatible with rcp, so the openssh > guys don't like to add options to it. The way to specify options for scp > is with -o and long ssh options - eg: > > scp -o Protocol=2 -o BatchMode=yes file remotehost:/path/ > > > -Jason > > ----------------------------------------------------------------------- > I worry about my child and the Internet all the time, even though she's > too young to have logged on yet. Here's what I worry about. I worry > that 10 or 15 years from now, she will come to me and say "Daddy, where > were you when they took freedom of the press away from the Internet?" > -- Mike Godwin > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (FreeBSD) > Comment: See https://private.idealab.com/public/jason/jason.gpg > > iD8DBQE8pSV/swXMWWtptckRAu5XAKDcoqWjYwJ9ZA/8VZknzRcswiNInwCeJkof > Pu4+nXtlDtXSn4UKOe5nmqM= > =yq8q > -----END PGP SIGNATURE----- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > -- Willie Viljoen Private IT Consultant 214 Paul Kruger Avenue Universitas Bloemfontein 9321 South Africa +27 51 522 15 60, a/h +27 51 522 44 36 +27 82 404 03 27 will@laserfence.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 30 0:42:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 635D137B404 for ; Sat, 30 Mar 2002 00:42:31 -0800 (PST) Received: (qmail 67719 invoked by uid 1001); 30 Mar 2002 08:41:28 -0000 Date: Sat, 30 Mar 2002 03:41:28 -0500 From: "Peter C. Lai" To: ark@eltex.ru Cc: cjc@FreeBSD.ORG, adamtuttle@sympatico.ca, security@FreeBSD.ORG Subject: Re: SSH or Telnet? 
Message-ID: <20020330034128.B67123@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <20020328175140.M97841@blossom.cjclark.org> <200203291145.OAA03776@paranoid.eltex.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200203291145.OAA03776@paranoid.eltex.ru>; from ark@eltex.ru on Fri, Mar 29, 2002 at 02:45:59PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Wouldn't Kerberized Telnet or SRA authentication fix the plaintext passwords problem? Of course, you'd have to make sure you don't telnet or su from that session :) On Fri, Mar 29, 2002 at 02:45:59PM +0300, ark@eltex.ru wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > What's wrong with telnet? I use it frequently and i am pretty satisified with > it. > > (I don't need to encrypt sessions, there is no sensitive information inside. > Don't tell me about cleartext passwords, there are no cleartext passwords. > And if you really need encryption you may run telnet over ipsec) > > "Crist J. Clark" said : > > > On Thu, Mar 28, 2002 at 04:33:23PM -0500, Adam wrote: > > > I would highly suggest that you use telnet. As long as you keep it updated > > > and patched you shouldnt have any problems with it.. > > > > Dude, pass whatever the hell you are smoking down here. > > > _ _ _ _ _ _ _ > {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ > (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| > [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! 
> > -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.1i > > iQCVAwUBPKRT9qH/mIJW9LeBAQHW2QP/f5kQb2ikGqjdT/O321NJ56fWyW4IkMCe > RU9dl1FU4lLhAKE5f625ZvRQVzCLwW1EwHXps13dGQHrWVsBGKziLNGFszcn1jHA > K+xIKIxFA8hm4oWmw4ww2HLPU7hwHuGA7h/F+gh6nbnJuogRXVb+t8c3QdsSvDiA > VoFXEmA3194= > =urmJ > -----END PGP SIGNATURE----- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ 860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 30 1:12: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 31DD937B41B for ; Sat, 30 Mar 2002 01:11:56 -0800 (PST) Received: (qmail 67944 invoked by uid 1001); 30 Mar 2002 09:10:52 -0000 Date: Sat, 30 Mar 2002 04:10:52 -0500 From: "Peter C. Lai" To: "Crist J. Clark" Cc: Jason Stone , security@FreeBSD.ORG Subject: Re: make world and setuid bits Message-ID: <20020330041052.C67123@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter> <20020328174304.L97841@blossom.cjclark.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020328174304.L97841@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Thu, Mar 28, 2002 at 05:43:04PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Can we at least have the option of being able to either 1. 
not build at all or 2. not setuid on stuff that should never be used (such as rlogin, rsh, rcp) on modern networks Similarly, very few people use sliplogin (or SLIP at all) or UUCP nowadays and finally, some installations don't require yp*. I found out that I can use yp* to grab the shadow password file from a solaris server on the network. I don't want that to happen if someone got to my box. (Needless to say, I don't use NIS to authenticate for anything on this segment). I know you can turn off building stuff like lp*, sendmail, and bind tools. On Thu, Mar 28, 2002 at 05:43:04PM -0800, Crist J. Clark wrote: > On Thu, Mar 28, 2002 at 04:37:54PM -0800, Jason Stone wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > > > > > Are there make variables that can be set to prevent "make world" from > > > > installing binaries as setuid? Currently, I always run something like > > > > "find -perms -4000 | xargs chmod u-s" after doing a make world, but this > > > > seems inelegant, prone to human error, and dangerous as there's a > > > > (potentially quite long) period in which there are still many setuid > > > > binaries.... > > > > > > > > make options to allow the prevention of "setuid root", "all setuid", > > > > or "all setuid and all setgid" would be nice. > > > > > > For the vast majority of users, having no setuid binaries is a really, > > > really bad idea from a security standpoint. It forces you to do > > > everything as root. > > > > 1) For server machines that have no non-root interactive users, the > > "no setuid or setgid at all" option is a very good idea. > > Some sites may use this policy, but I would never like it. It requires > direct logins as root. 
> > > 2) Even on machines that do have interactive users, there are many > > environments where it's possible to turn off most of the setuid root > > bits - I see no reason to let users on a shared machine run ping or > > traceroute, rsh/rlogin should never be used at all, I can get away with > > not providing crontab, most servers don't have printers attached and > > therefore have no use for lpr, etc. > > passwd(1), at(1), crontab(1), login(1), su(1), some or most of those > would be required for almost any multiuser installation. > > > So, given that there's decidedly some utility in doing this, is there any > > reason to not do so? > > > emotional responses> > > If you can come up with some reasonably non-obtrusive patches to the > build to control this with some make.conf(5) knobs, we can have a look > at the practicallity. > -- > Crist J. Clark | cjclark@alum.mit.edu > | cjclark@jhu.edu > http://people.freebsd.org/~cjc/ | cjc@freebsd.org > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. 
of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ 860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 30 1:21:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from prometheus.vh.laserfence.net (prometheus.laserfence.net [196.44.73.116]) by hub.freebsd.org (Postfix) with ESMTP id A39A537B48D; Sat, 30 Mar 2002 01:21:39 -0800 (PST) Received: from phoenix.vh.laserfence.net ([192.168.0.10]) by prometheus.vh.laserfence.net with esmtp (Exim 3.34 #1) id 16rF2Y-0003UG-00; Sat, 30 Mar 2002 11:20:50 +0200 Date: Sat, 30 Mar 2002 11:20:48 +0200 (SAST) From: Willie Viljoen X-X-Sender: will@phoenix.vh.laserfence.net To: peter.lai@uconn.edu Cc: ark@eltex.ru, , , Subject: Re: SSH or Telnet? In-Reply-To: <20020330034128.B67123@cowbert.2y.net> Message-ID: <20020330111532.B508-100000@phoenix.vh.laserfence.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The problem is with more than just the cleartext password when you log in... it's cleartext everything. Consider this, you log in to your home PC, and get a prompt like this: % Now you telnet to a remote machine, log in with your clear text password, nobody sees anything, and it's not a very important machine anyway, just your office box which you want to instruct to download a file with its enormous bandwidth... no harm here. Now, you finished downloading, you get another prompt: % A few hours later you come home drunk from one wild party because you had to attend to some serious tech matter on some very important corporate webserver hosted in whoknowswhereville. 
You see your local box prompt: % You do this: % ssh some.very.important.corporate.server.in.whoknowswhereville.com You enter your password to authenticate, you're in and fix the problem, go to sleep, everything's fine. The next morning, that very important server in whoknowswhereville is hacked and not responding to SSH sessions, why? Consider this... when you got back from the party, the % prompt you saw was not of your local box, it was the prompt on the remote machine you telnetted to. When you entered your password for the very important server, it went in clear text to your remote box, and only encrypted with a session key from there. Some malicious brat who was playing with dad's computer at the office, supposedly not downloading porn, saw your password for the very important server and after you'd fixed the problem and logged off, he logged on. If that doesn't tell you that cleartext might be a bad thing, your cube is probably under a rock, away from the imperfect world we live in today. Will On Sat, 30 Mar 2002, Peter C. Lai wrote: > Wouldn't Kerberized Telnet or SRA authentication fix the > plaintext passwords problem? > > Of course, you'd have to make sure you don't telnet or su > from that session :) > > On Fri, Mar 29, 2002 at 02:45:59PM +0300, ark@eltex.ru wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > > > What's wrong with telnet? I use it frequently and i am pretty satisified with > > it. > > > > (I don't need to encrypt sessions, there is no sensitive information inside. > > Don't tell me about cleartext passwords, there are no cleartext passwords. > > And if you really need encryption you may run telnet over ipsec) > > > > "Crist J. Clark" said : > > > > > On Thu, Mar 28, 2002 at 04:33:23PM -0500, Adam wrote: > > > > I would highly suggest that you use telnet. As long as you keep it updated > > > > and patched you shouldnt have any problems with it.. > > > > > > Dude, pass whatever the hell you are smoking down here. 
> > > > > > _ _ _ _ _ _ _ > > {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ > > (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| > > [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! > > > > -----BEGIN PGP SIGNATURE----- > > Version: PGP 6.5.1i > > > > iQCVAwUBPKRT9qH/mIJW9LeBAQHW2QP/f5kQb2ikGqjdT/O321NJ56fWyW4IkMCe > > RU9dl1FU4lLhAKE5f625ZvRQVzCLwW1EwHXps13dGQHrWVsBGKziLNGFszcn1jHA > > K+xIKIxFA8hm4oWmw4ww2HLPU7hwHuGA7h/F+gh6nbnJuogRXVb+t8c3QdsSvDiA > > VoFXEmA3194= > > =urmJ > > -----END PGP SIGNATURE----- > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- Willie Viljoen Private IT Consultant 214 Paul Kruger Avenue Universitas Bloemfontein 9321 South Africa +27 51 522 15 60, a/h +27 51 522 44 36 +27 82 404 03 27 will@laserfence.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 30 3: 1:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from portal.eltex.ru (eltex-gw2.nw.ru [195.19.203.86]) by hub.freebsd.org (Postfix) with ESMTP id 8FDE737B404; Sat, 30 Mar 2002 03:01:47 -0800 (PST) Received: (from root@localhost) by portal.eltex.ru (8.11.6/8.11.3) id g2UB1Kp41306; Sat, 30 Mar 2002 14:01:20 +0300 (MSK) (envelope-from ark@eltex.ru) Received: from yaksha.eltex.ru (root@yaksha.eltex.ru [195.19.198.2]) by portal.eltex.ru (8.11.6/8.11.3av) with SMTP id g2UB1Cl41298; Sat, 30 Mar 2002 14:01:12 +0300 (MSK) (envelope-from ark@eltex.ru) From: ark@eltex.ru Received: by yaksha.eltex.ru (ssmtp TIS-1.1alpha, 17 Jan 2002); Sat, 30 Mar 2002 13:45:25 +0300 Received: from undisclosed-intranet-sender id smtpdhj9882; Sat Mar 30 13:45:21 2002 Message-Id: <200203301121.OAA08311@paranoid.eltex.ru> Subject: Re: SSH or Telnet? 
To: will@laserfence.net (Willie Viljoen) Date: Sat, 30 Mar 2002 14:21:45 +0300 (MSK) Cc: peter.lai@uconn.edu, ark@eltex.ru, cjc@FreeBSD.ORG, adamtuttle@sympatico.ca, security@FreeBSD.ORG Reply-To: ark@eltex.ru In-Reply-To: <20020330111532.B508-100000@phoenix.vh.laserfence.net> from "Willie Viljoen" at Mar 30, 2002 11:20:48 AM X-Mailer: ELM [version 2.5 PL3] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by Eltex TC Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org nuqneH, I always do check what system i am on when in doubt ;) I can't drink so much to forget that ;) BTW kerberized telnet does encrypt session too. YOU (Willie Viljoen) WROTE: > > The problem is with more than just the cleartext password when you log > in... it's cleartext everything. > > Consider this, you log in to your home PC, and get a prompt like this: > > % > > Now you telnet to a remote machine, log in with your clear text password, > nobody sees anything, and it's not a very important machine anyway, just > your office box which you want to instruct to download a file with its > enormous bandwidth... no harm here. > > Now, you finished downloading, you get another prompt: > > % > > A few hours later you come home drunk from one wild party because you had > to attend to some serious tech matter on some very important corporate > webserver hosted in whoknowswhereville. > > You see your local box prompt: > > % > > You do this: > > % ssh some.very.important.corporate.server.in.whoknowswhereville.com > > You enter your password to authenticate, you're in and fix the problem, go > to sleep, everything's fine. > > The next morning, that very important server in whoknowswhereville is > hacked and not responding to SSH sessions, why? > > Consider this... 
when you got back from the party, the % prompt you saw > was not of your local box, it was the prompt on the remote machine you > telnetted to. > > When you entered your password for the very important server, it went in > clear text to your remote box, and only encrypted with a session key from > there. Some malicious brat who was playing with dad's computer at the > office, supposedly not downloading porn, saw your password for the very > important server and after you'd fixed the problem and logged off, he > logged on. > > If that doesn't tell you that cleartext might be a bad thing, your cube is > probably under a rock, away from the imperfect world we live in today. > > Will > > On Sat, 30 Mar 2002, Peter C. Lai wrote: > > > Wouldn't Kerberized Telnet or SRA authentication fix the > > plaintext passwords problem? > > > > Of course, you'd have to make sure you don't telnet or su > > from that session :) > > > > On Fri, Mar 29, 2002 at 02:45:59PM +0300, ark@eltex.ru wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > > > > > What's wrong with telnet? I use it frequently and i am pretty satisified with > > > it. > > > > > > (I don't need to encrypt sessions, there is no sensitive information inside. > > > Don't tell me about cleartext passwords, there are no cleartext passwords. > > > And if you really need encryption you may run telnet over ipsec) > > > > > > "Crist J. Clark" said : > > > > > > > On Thu, Mar 28, 2002 at 04:33:23PM -0500, Adam wrote: > > > > > I would highly suggest that you use telnet. As long as you keep it updated > > > > > and patched you shouldnt have any problems with it.. > > > > > > > > Dude, pass whatever the hell you are smoking down here. > > > > > > > > > _ _ _ _ _ _ _ > > > {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ > > > (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| > > > [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! 
> > > > > > -----BEGIN PGP SIGNATURE----- > > > Version: PGP 6.5.1i > > > > > > iQCVAwUBPKRT9qH/mIJW9LeBAQHW2QP/f5kQb2ikGqjdT/O321NJ56fWyW4IkMCe > > > RU9dl1FU4lLhAKE5f625ZvRQVzCLwW1EwHXps13dGQHrWVsBGKziLNGFszcn1jHA > > > K+xIKIxFA8hm4oWmw4ww2HLPU7hwHuGA7h/F+gh6nbnJuogRXVb+t8c3QdsSvDiA > > > VoFXEmA3194= > > > =urmJ > > > -----END PGP SIGNATURE----- > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > -- > Willie Viljoen > Private IT Consultant > > 214 Paul Kruger Avenue > Universitas > Bloemfontein > 9321 > > South Africa > > +27 51 522 15 60, a/h +27 51 522 44 36 > +27 82 404 03 27 > > will@laserfence.net > -- _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 30 4:39:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id 7119937B41A for ; Sat, 30 Mar 2002 04:39:32 -0800 (PST) Received: (qmail 34750 invoked by uid 1000); 30 Mar 2002 12:39:26 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 30 Mar 2002 12:39:26 -0000 Date: Sat, 30 Mar 2002 04:39:16 -0800 (PST) From: Jason Stone X-X-Sender: To: FreeBSD Security Subject: Re: SSH or Telnet? 
In-Reply-To: <20020329220256.N38382-100000@topperwein.dyndns.org> Message-ID: <20020330041645.X2704-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Have a look at ethereal or dsniff. You will be surprised. And of course dsniff also contains ssh-mitm.... > > And if you really need encryption you may run telnet over ipsec) > > IPsec is a VPN solution. If someone in the LAN to which you're > VPN-ing is running a sniffer, then what? IPSec is not a VPN solution - it supports tunnel mode, but its native mode is, well, native mode, which both encrypts and authenticates every ip packet between two properly configured machines. Anyway, yeah, there are alternatives to ssh - whatever over ipsec, whatever over an ssl tunnel, kerberized+encryption whatever, whatever. While ssh/openssh has a long history of bugs, both security-related and otherwise (the deattack overrun, the recent off-by-one bug, a couple of keyfile parsing bugs, the serverloop race, etc), it is widely deployed, widely used (so bugs tend to get noticed/fixed pretty quickly), and even if you don't pre-exchange hostkeys, it provides some protection, so right now, it seems like the best general-purpose solution right now. Maybe someday DNSSec will get deployed and become the generic keystore for IPSec, allowing crypto to become ubiquitous for all applications, but in the meantime, ssh seems like the best option. -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. 
I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE8pbH+swXMWWtptckRAssLAJ93f9wh67cXQXB5RT1pX1De8dYr+gCgzHCP 7EKTylO5XIyuszTtdDz/blY= =wVrF -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 30 7:38:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from m5.andara.com (m5-real.eastlink.ca [24.222.0.25]) by hub.freebsd.org (Postfix) with ESMTP id DB0DD37B405 for ; Sat, 30 Mar 2002 07:38:34 -0800 (PST) Received: from xeno (u206n232.hfx.eastlink.ca [24.222.206.232]) by m5.andara.com (8.12.1/8.12.1) with SMTP id g2UFaLju020045; Sat, 30 Mar 2002 11:36:21 -0400 (AST) Message-ID: <004101c1d800$a4a71ee0$6401a8c0@router.unknown.ca> From: "N. J. Cash" To: "Fernando Gleiser" , "Jesper Wallin" Cc: References: <20020328201100.E6672-100000@cactus.fi.uba.ar> Subject: Re: SSH or Telnet? Date: Sat, 30 Mar 2002 11:36:20 -0400 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_003E_01C1D7DF.1D16D900" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_003E_01C1D7DF.1D16D900 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I would also recomend that you restrict access to ssh using = /etc/hosts.allow if you would like some added security to just who all = can ssh to your box. 
Also, if you're going with ssh *which you should* I would only enable
protocol 2 and restrict user access to ssh using /etc/ssh/sshd_config as
well.

AllowUsers user1 user2 user3 etc...
DenyUsers root nobody etc...

At least if you're really paranoid about sshd those steps will let you
sleep a little better at night! : )

N. J. Cash
ncash@pei.eastlink.ca

----- Original Message -----
From: Fernando Gleiser
To: Jesper Wallin
Cc: security@FreeBSD.ORG
Sent: Thursday, March 28, 2002 7:42 PM
Subject: Re: SSH or Telnet?

On Thu, 28 Mar 2002, Jesper Wallin wrote:
> Hey!
>
>
> I've heard and seen a lot of security problems related to SSH (OpenSSH) and
> many of my friends have been playing with a lot of 0day exploits for it..
> Right now I'm running the latest port version of it on a non-standard port
> and hope to be secured with it.. I don't actually see the reason to not use
> Telnet.. All I know tells me it's old and recommend me running OpenSSH
> instead..

Telnet also had some remote root vulnerabilities.
Every program has bugs. You need to keep them up to date and apply all the
security fixes.

Also, having sshd running on a non-standard port doesn't buy you much.
There are scanners which try to verify which service is on which port and
they will find out it's ssh even if it is listening on port 31337. =0)

>
> What is the best solution? Of course people are able to attack me with
> brute-force attacks and it's not encrypted.. well, all the people who've
> shell/ssh access are trusted and I think they know what they do..

The people may be trusted, but are you sure you can trust the networks they
are logging in from?

Besides sniffing, ssh protects you against other threats:

1. ssh has some protection against IP spoofing.
2. ssh has stronger authentication methods.
3. ssh protects you against session hijacking.
4. ssh lets you authenticate the server to the client.
5. ssh lets you tunnel an insecure protocol (POP, IMAP) through an encrypted
   connection

You can use an SSL enabled telnet or IPSec for the first four, but I find
ssh easier to set up if all you need is remote login/shell/file transfer.

Fer

>
>
> Anyone have any idea/suggestion?
>
> //Jesper aka Z3l3zT
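The two files N. J. Cash points at, /etc/hosts.allow and /etc/ssh/sshd_config, share a property that bites people who append hardening lines: both are first-match. sshd takes the first value it reads for a keyword, and tcp_wrappers stops at the first rule whose daemon and client lists match, so a loose line higher up silently wins. The following audit script is an added example written for this page, not code from the thread or from OpenSSH; it takes the file paths as arguments, assumes an sshd_config without Match blocks and a hosts.allow without backslash-continued lines or bracketed IPv6 client patterns, and the sample files it builds at the bottom are constructed, not real configurations.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config and hosts.allow for
# the restrictions N. J. Cash lists, taking first-match semantics into account.
# Assumptions: no "Match" blocks in sshd_config; no backslash continuation
# lines or [ipv6] client patterns in hosts.allow (it is split on ':').

# effective_value FILE KEYWORD -> the value sshd would actually use for KEYWORD
# (keywords are case-insensitive; "Keyword value" or "Keyword = value").
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                            # comment line
        /^[[:space:]]*$/ { next }                            # blank line
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (match(line, /[[:space:]=]+/)) {              # split at first ws or =
                k = substr(line, 1, RSTART - 1)
                v = substr(line, RSTART + RLENGTH)
            } else { k = line; v = "" }
            if (tolower(k) == key) { print v; exit }          # first match wins
        }' "$1"
}

# audit_sshd_config FILE -> one line per check; exit status 0 only if all pass
audit_sshd_config() {
    rc=0
    proto=$(effective_value "$1" Protocol)
    # Anything but a bare "2" (including unset, which defaulted to "2,1" in the
    # OpenSSH releases of this era) still offers the weaker SSHv1 protocol.
    if [ "$proto" = "2" ]; then echo "ok:   Protocol 2"
    else echo "FAIL: Protocol is '${proto:-unset}', SSHv1 still offered"; rc=1; fi
    root=$(effective_value "$1" PermitRootLogin)
    if [ "$root" = "no" ]; then echo "ok:   PermitRootLogin no"
    else echo "FAIL: PermitRootLogin is '${root:-unset}'"; rc=1; fi
    allow=$(effective_value "$1" AllowUsers)
    if [ -n "$allow" ]; then echo "ok:   AllowUsers $allow"
    else echo "FAIL: no AllowUsers line, every account may log in"; rc=1; fi
    return $rc
}

# sshd_wrapper_rules FILE -> the hosts.allow rules whose daemon list covers
# sshd (by name or via ALL), in the order tcp_wrappers evaluates them.
sshd_wrapper_rules() {
    awk -F: '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            d = $1; gsub(/,/, " ", d)                        # "a, b" -> "a  b"
            n = split(d, list, " ")                          # split on blanks
            for (i = 1; i <= n; i++)
                if (list[i] == "sshd" || list[i] == "ALL") { print; break }
        }' "$1"
}

# audit_hosts_allow FILE -> 0 unless no rule covers sshd or the first rule that
# reaches sshd is a blanket "ALL : ALL : allow", which makes every sshd-specific
# rule below it dead code.
audit_hosts_allow() {
    first=$(sshd_wrapper_rules "$1" | head -n 1 | tr -d ' \t')
    case "$first" in
        "")             echo "FAIL: no rule in $1 covers sshd"; return 1 ;;
        ALL:ALL:allow*) echo "FAIL: '$first' precedes the sshd rules, so they never match"; return 1 ;;
        *)              echo "ok:   first rule reaching sshd is '$first'"; return 0 ;;
    esac
}

# Demo on constructed sample files (not real configurations).
demo_dir=$(mktemp -d)
printf 'Protocol 2,1\n# hardening appended later; sshd never sees it:\nProtocol 2\nPermitRootLogin no\nAllowUsers user1 user2\n' > "$demo_dir/sshd_config.loose"
printf 'Protocol 2\nPermitRootLogin no\nAllowUsers user1 user2 user3\nDenyUsers root nobody\n' > "$demo_dir/sshd_config.hardened"
printf 'ALL : ALL : allow\nsshd : 192.0.2.0/255.255.255.0 : allow\nsshd : ALL : deny\n' > "$demo_dir/hosts.allow.loose"
printf 'sshd : 192.0.2.0/255.255.255.0 : allow\nsshd : ALL : deny\nALL : ALL : allow\n' > "$demo_dir/hosts.allow.hardened"
for f in sshd_config.loose sshd_config.hardened; do
    echo "== $f"; if audit_sshd_config "$demo_dir/$f"; then echo "   all checks passed"; fi
done
for f in hosts.allow.loose hosts.allow.hardened; do
    echo "== $f"; if audit_hosts_allow "$demo_dir/$f"; then echo "   all checks passed"; fi
done
rm -r "$demo_dir"
```

On a live FreeBSD host the calls would be `audit_sshd_config /etc/ssh/sshd_config` and `audit_hosts_allow /etc/hosts.allow`; the script only reads the files, so it can be run from a non-root account that has read access to them.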

From owner-freebsd-security Sat Mar 30 14:45:04 2002
Delivered-To: freebsd-security@freebsd.org
Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 5271937B417 for ; Sat, 30 Mar 2002 14:44:59 -0800 (PST)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020330224459.XLDV1147.rwcrmhc52.attbi.com@blossom.cjclark.org>; Sat, 30 Mar 2002 22:44:59 +0000
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g2UMiph02414; Sat, 30 Mar 2002 14:44:51 -0800 (PST) (envelope-from cjc)
Date: Sat, 30 Mar 2002 14:44:51 -0800
From: "Crist J. Clark"
To: peter.lai@uconn.edu
Cc: Jason Stone , security@FreeBSD.ORG
Subject: Re: make world and setuid bits
Message-ID: <20020330144451.B99214@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter> <20020328174304.L97841@blossom.cjclark.org> <20020330041052.C67123@cowbert.2y.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020330041052.C67123@cowbert.2y.net>; from sirmoo@cowbert.2y.net on Sat, Mar 30, 2002 at 04:10:52AM -0500
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Mar 30, 2002 at 04:10:52AM -0500, Peter C. Lai wrote:
> Can we at least have the option of being able to either
>
> 1. not build at all
>
> or
>
> 2. not setuid
>
> on stuff that should never be used (such as rlogin, rsh, rcp)
> on modern networks

Send patches.
> Similarly, very few people use sliplogin (or SLIP at all) or UUCP nowadays

uucp(1) is gone in -CURRENT.

> and finally, some installations don't require yp*.
> I found out that I can use yp* to grab the shadow password file
> from a solaris server on the network. I don't want that to happen
> if someone got to my box. (Needless to say, I don't use NIS
> to authenticate for anything on this segment).

You are only vulnerable to something like this when you're actually
running ypserv(8). As for the NIS stuff built into commands like
passwd(1), it doesn't present much of a security risk.

If you _really_ don't want to build NIS support, NIS is basically turned
on by adding '-DYP' to CFLAGS in some Makefiles. You can take all of
those back out and see what breaks. Again, feel free to send patches if
you can devise a NO_YP knob to handle that.
--
Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-security Sat Mar 30 16:50:05 2002
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 3C5D737B41A for ; Sat, 30 Mar 2002 16:50:00 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id BBCE35346; Sun, 31 Mar 2002 01:49:55 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: "Karsten W. Rohrbach"
Cc: Mike Silbersack , Colin Percival , freebsd-security@freebsd.org
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
References: <5.0.2.1.1.20020326024955.02392830@popserver.sfu.ca> <20020326034234.Q10197-100000@patrocles.silby.com> <20020326185714.F22539@mail.webmonster.de>
From: Dag-Erling Smorgrav
Date: 31 Mar 2002 01:49:54 +0100
In-Reply-To: <20020326185714.F22539@mail.webmonster.de>
Lines: 10
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Karsten W. Rohrbach" writes:
> shouldn't the v1 protocol be killed anyway?

Some systems (like the SparcStation 5 that serves DNS, DHCP and NTP
requests from my home network) are too slow for the algorithms used by
ssh2.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sat Mar 30 16:51:41 2002
Delivered-To: freebsd-security@freebsd.org
Received: from squall.waterspout.com (squall.waterspout.com [208.13.56.12]) by hub.freebsd.org (Postfix) with ESMTP id DC25337B41F for ; Sat, 30 Mar 2002 16:51:31 -0800 (PST)
Received: by squall.waterspout.com (Postfix, from userid 1050) id 744429B15; Sat, 30 Mar 2002 19:51:18 -0500 (EST)
Date: Sat, 30 Mar 2002 19:51:18 -0500
From: Will Andrews
To: Dag-Erling Smorgrav
Cc: "Karsten W. Rohrbach" , Mike Silbersack , Colin Percival , freebsd-security@freebsd.org
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020331005118.GK63817@squall.waterspout.com>
Mail-Followup-To: Dag-Erling Smorgrav , "Karsten W. Rohrbach" , Mike Silbersack , Colin Percival , freebsd-security@freebsd.org
References: <5.0.2.1.1.20020326024955.02392830@popserver.sfu.ca> <20020326034234.Q10197-100000@patrocles.silby.com> <20020326185714.F22539@mail.webmonster.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.26i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Mar 31, 2002 at 01:49:54AM +0100, Dag-Erling Smorgrav wrote:
> Some systems (like the SparcStation 5 that serves DNS, DHCP and NTP
> requests from my home network) are too slow for the algorithms used by
> ssh2.

If you're having problems with DSA, you should be able to use RSA, which
is the same algorithm used with SSHv1 if I'm not mistaken.

regards,
--
wca

From owner-freebsd-security Sat Mar 30 16:53:10 2002
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 7F2FC37B416 for ; Sat, 30 Mar 2002 16:52:58 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id F1BE75347; Sun, 31 Mar 2002 01:52:53 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Zvezdan Petkovic
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
References: <20020326185714.F22539@mail.webmonster.de> <20020326182003.F15545-100000@patrocles.silby.com> <20020326181634.A919@lothlorien.tangledhelix.net> <20020327074236.B86929@blackhelicopters.org> <20020327110100.6d638389.darklogik@pittgoth.com> <20020327143624.B23316@dali.cs.wm.edu>
From: Dag-Erling Smorgrav
Date: 31 Mar 2002 01:52:53 +0100
In-Reply-To: <20020327143624.B23316@dali.cs.wm.edu>
Lines: 9
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Zvezdan Petkovic writes:
> What's not clear about it?

Well, for one, the fact that you can't copy from one remote host to
another.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sat Mar 30 18:07:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from va.cs.wm.edu (va.cs.wm.edu [128.239.2.31]) by hub.freebsd.org (Postfix) with ESMTP id BD2C037B405 for ; Sat, 30 Mar 2002 18:07:50 -0800 (PST)
Received: from dali.cs.wm.edu (dali [128.239.26.26]) by va.cs.wm.edu (8.11.4/8.9.1) with ESMTP id g2V27ab11332 for ; Sat, 30 Mar 2002 21:07:37 -0500 (EST)
Received: (from zvezdan@localhost) by dali.cs.wm.edu (8.11.6/8.9.1) id g2V27mr01695 for freebsd-security@FreeBSD.ORG; Sat, 30 Mar 2002 21:07:48 -0500
Date: Sat, 30 Mar 2002 21:07:48 -0500
From: Zvezdan Petkovic
To: freebsd-security@FreeBSD.ORG
Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys?
Message-ID: <20020330210748.A1609@dali.cs.wm.edu>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <20020326185714.F22539@mail.webmonster.de> <20020326182003.F15545-100000@patrocles.silby.com> <20020326181634.A919@lothlorien.tangledhelix.net> <20020327074236.B86929@blackhelicopters.org> <20020327110100.6d638389.darklogik@pittgoth.com> <20020327143624.B23316@dali.cs.wm.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: from des@ofug.org on Sun, Mar 31, 2002 at 01:52:53AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Mar 31, 2002 at 01:52:53AM +0100, Dag-Erling Smorgrav wrote:
> Zvezdan Petkovic writes:
> > What's not clear about it?
>
> Well, for one, the fact that you can't copy from one remote host to
> another.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

Wrong, you _CAN_ copy between two remote hosts.

scp man page says in the second paragraph of DESCRIPTION:

    Any file name may contain a host and user specification to indicate
    that the file is to be copied to/from that host. Copies between two
    remote hosts are permitted.

I just did from my laptop:

    scp my.office.machine:file.pdf my.home.machine:

After logging to my.home.machine I found file.pdf there.

--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/