From owner-freebsd-security Sun Nov 17 17:22:55 2002
Date: Mon, 18 Nov 2002 10:22:18 +0900 (JST)
From: KIMURA Yasuhiro
To: freebsd-security@freebsd.org
Subject: Re: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:40.kadmind
Message-Id: <20021118.102218.35789518.yasu@utahime.org>
In-Reply-To: <200211130406.gAD46ZFu008072@freefall.freebsd.org>

>>>>> FreeBSD Security Advisories wrote:
> V. Solution
(snip)
> 2) To patch your present system:
(snip)
> b) Execute the following commands as root:
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/kerberos5/libexec/k5admind
> # make depend && make all install
> # cd /usr/src/kerberosIV/usr.sbin/kadmind
> # make depend && make all install

I tried the instructions above on my 4.7-RELEASE PC and failed to build k5admind and kadmind.

sugar# cd /usr/src/kerberos5/libexec/k5admind/
sugar# make depend && make all install
mkdir kadm5
cp /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/kadm5/private.h kadm5/private.h
cp /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/kadm5/admin.h kadm5/admin.h
test -e /usr/src/kerberos5/libexec/k5admind/kadm5_err.et || ln -sf /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/kadm5/kadm5_err.et
compile_et kadm5_err.et
cd /usr/src/kerberos5/libexec/k5admind/kadm5 && ln -sf ../kadm5_err.h
rm -f .depend
mkdep -f .depend -a -I/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/include -I/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/roken -I/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/krb5 -I/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/asn1 -I/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/hdb -I/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/sl -I/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/kadm5 -I/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin -I/usr/src/kerberos5/libexec/k5admind/../../lib/libasn1 -I/usr/src/kerberos5/libexec/k5admind/../../lib/libhdb -I/usr/src/kerberos5/libexec/k5admind -I/usr/src/kerberos5/libexec/k5admind/../../include -DHAVE_CONFIG_H -DKRB5_KRB4_COMPAT -DKRB4 -DINET6 /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadmind.c /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/server.c /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadm_conn.c /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/version4.c
In file included from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadmin_locl.h:92,
                 from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadmind.c:34:
/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/hdb/hdb.h:39: hdb_err.h: No such file or directory
/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/hdb/hdb.h:41: hdb_asn1.h: No such file or directory
In file included from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadmind.c:34:
/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadmin_locl.h:93: hdb_err.h: No such file or directory
In file included from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadmin_locl.h:92,
                 from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/server.c:34:
/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/hdb/hdb.h:39: hdb_err.h: No such file or directory
/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/hdb/hdb.h:41: hdb_asn1.h: No such file or directory
In file included from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/server.c:34:
/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadmin_locl.h:93: hdb_err.h: No such file or directory
In file included from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadmin_locl.h:92,
                 from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadm_conn.c:34:
/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/hdb/hdb.h:39: hdb_err.h: No such file or directory
/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/hdb/hdb.h:41: hdb_asn1.h: No such file or directory
In file included from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadm_conn.c:34:
/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadmin_locl.h:93: hdb_err.h: No such file or directory
In file included from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadmin_locl.h:92,
                 from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/version4.c:33:
/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/hdb/hdb.h:39: hdb_err.h: No such file or directory
/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/hdb/hdb.h:41: hdb_asn1.h: No such file or directory
In file included from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/version4.c:33:
/usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadmin_locl.h:93: hdb_err.h: No such file or directory
mkdep: compile failed
*** Error code 1

Stop in /usr/src/kerberos5/libexec/k5admind.
sugar# cd /usr/src/kerberosIV/usr.sbin/kadmind/
sugar# make depend && make all install
rm -f .depend
mkdep -f .depend -a -I/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/include -I/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/lib/roken -I/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/lib/sl -I/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/lib/acl -I/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/lib/kadm -I/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/lib/kdb -I/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/lib/krb -I/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin -I/usr/src/kerberosIV/usr.sbin/kadmind/../../lib/libkadm -I/usr/src/kerberosIV/usr.sbin/kadmind/../../lib/libkrb -I/usr/src/kerberosIV/usr.sbin/kadmind/../include -I/usr/src/kerberosIV/usr.sbin/kadmind/../../include -DHAVE_CONFIG_H -I/usr/src/kerberosIV/usr.sbin/kadmind/../../include -DBINDIR=\"/usr/bin\" -DSBINDIR=\"/usr/sbin\" -DLIBEXECDIR=\"/usr/libexec\" /usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/kadm_server.c /usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/kadm_funcs.c /usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/admin_server.c /usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/kadm_ser_wrap.c /usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/pw_check.c
In file included from /usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/kadm_server.c:26:
/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/kadm_locl.h:38: protos.h: No such file or directory
In file included from /usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/kadm_funcs.c:31:
/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/kadm_locl.h:38: protos.h: No such file or directory
In file included from /usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/admin_server.c:31:
/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/kadm_locl.h:38: protos.h: No such file or directory
In file included from /usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/kadm_ser_wrap.c:31:
/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/kadm_locl.h:38: protos.h: No such file or directory
In file included from /usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/pw_check.c:34:
/usr/src/kerberosIV/usr.sbin/kadmind/../../../crypto/kerberosIV/kadmin/kadm_locl.h:38: protos.h: No such file or directory
mkdep: compile failed
*** Error code 1

Stop in /usr/src/kerberosIV/usr.sbin/kadmind.
sugar#

Is there anything else that I should do to patch my 4.7R system?

And one more question. This advisory says:

> The k5admind server is installed as part of the `krb5' distribution,
> or when building from source with MAKE_KERBEROS5 set. The kadmind
> server is installed as part of the `krb4' distribution, or when
> building from source with MAKE_KERBEROS4 set. Neither is installed by
> default.

But both k5admind and kadmind are installed on my 4.7R systems.

sugar# ls -l /usr/sbin/kadmind
-r-xr-xr-x  1 root  wheel  21808 Oct  9 21:51 /usr/sbin/kadmind
sugar# ls -l /usr/libexec/k5admind
-r-xr-xr-x  1 root  wheel  19704 Oct  9 21:55 /usr/libexec/k5admind
sugar#

I selected "X-Developer" when I installed these systems. Isn't it the "default installation" described above?

---
KIMURA Yasuhiro
Mail: yasu@utahime.org
WWW:  http://www.utahime.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Nov 19 05:29:48 2002
Date: Tue, 19 Nov 2002 07:29:50 -0600
From: "Jacques A. Vidrine"
To: KIMURA Yasuhiro
Cc: freebsd-security@freebsd.org
Subject: Re: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:40.kadmind
Message-ID: <20021119132950.GB929@shade.nectar.cc>
In-Reply-To: <20021118.102218.35789518.yasu@utahime.org>

[I apologize if you receive a duplicate of this. I have reason to believe it didn't go through the first time.]

On Mon, Nov 18, 2002 at 10:22:18AM +0900, KIMURA Yasuhiro wrote:
> I tried the instructions above on my 4.7-RELEASE PC and failed to build
> k5admind and kadmind.
[...]
> Is there anything else that I should do to patch my 4.7R system?

If you perform the following steps before the others, does it work for you?

# cd /usr/src/kerberos5/lib
# make depend && make all install
# cd /usr/src/kerberosIV/lib
# make depend && make all install

> And one more question. This advisory says:
>
> > The k5admind server is installed as part of the `krb5' distribution,
> > or when building from source with MAKE_KERBEROS5 set. The kadmind
> > server is installed as part of the `krb4' distribution, or when
> > building from source with MAKE_KERBEROS4 set. Neither is installed by
> > default.
>
> But both k5admind and kadmind are installed on my 4.7R systems.
>
> sugar# ls -l /usr/sbin/kadmind
> -r-xr-xr-x  1 root  wheel  21808 Oct  9 21:51 /usr/sbin/kadmind
> sugar# ls -l /usr/libexec/k5admind
> -r-xr-xr-x  1 root  wheel  19704 Oct  9 21:55 /usr/libexec/k5admind
> sugar#
>
> I selected "X-Developer" when I installed these systems. Isn't it the
> "default installation" described above?

No, `X-Developer' is not the default installation. Nonetheless, I'm surprised. The `krb4' and `krb5' distributions may be handled differently now --- I must check. Thanks for the feedback!
Cheers,
--
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Tue Nov 19 08:02:39 2002
Date: Wed, 20 Nov 2002 01:00:54 +0900 (JST)
From: KIMURA Yasuhiro
To: nectar@FreeBSD.org
Cc: freebsd-security@FreeBSD.org
Subject: Re: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:40.kadmind
Message-Id: <20021120.010054.28094120.yasu@utahime.org>
In-Reply-To: <20021119132950.GB929@shade.nectar.cc>

>>>>> "Jacques A. Vidrine" wrote:
> If you perform the following steps before the others, does it
> work for you?
> # cd /usr/src/kerberos5/lib
> # make depend && make all install
> # cd /usr/src/kerberosIV/lib
> # make depend && make all install

Yes. But I didn't have to 'make install' in these directories.

# cd /usr/src/kerberos5/lib
# make depend && make all
# cd /usr/src/kerberos5/libexec/k5admind
# make depend && make all install
# cd /usr/src/kerberosIV/lib
# make depend && make all
# cd /usr/src/kerberosIV/usr.sbin/kadmind
# make depend && make all install

These steps successfully updated k5admind and kadmind on my 4.7R systems.

---
KIMURA Yasuhiro
Mail: yasu@utahime.org
WWW:  http://www.utahime.org/

From owner-freebsd-security Tue Nov 19 08:27:16 2002
Date: Tue, 19 Nov 2002 10:26:24 -0600
From: "Robinson, Rick"
To: "'security@freebsd.org'"
Subject: Strong Passwords
Can anyone suggest what the best way to enforce strong passwords on a FreeBSD system is? We would like to add the functionality to our system to require users to have at least one alpha character and one numeric character in their passwords. And if possible also require them to use special characters in their passwords. I know we can try password cracking as a way to ensure strong passwords, but I think we want to go with a more proactive approach.

I looked at the login.conf man page, but it looks like the only option available is to require mixed case passwords. I also looked briefly at Npasswd+, but had trouble getting that to compile on FreeBSD. Any suggestions you might have would be greatly appreciated.

Thanks,
Rick

From owner-freebsd-security Tue Nov 19 11:58:29 2002
Date: Tue, 19 Nov 2002 11:55:08 -0800
From: Greg Shenaut
Reply-To: gkshenaut@ucdavis.edu
To: security@FreeBSD.ORG
Subject: Re: Strong Passwords
Message-Id: <200211191955.gAJJt9Q77865@thistle.bogs.org>
In-reply-to: Your message of "Tue, 19 Nov 2002 10:26:24 CST."

In message , "Robinson, Rick" cleopede:
>Can anyone suggest what the best way to enforce strong passwords on a
>FreeBSD system is? We would like to add the functionality to our system to
>require users to have at least one alpha character and one numeric character
>in their passwords. And if possible also require them to use special
>characters in their passwords. I know we can try password cracking as a way
>to ensure strong passwords, but I think we want to go with a more proactive
>approach.
>
>I looked at the login.conf man page, but it looks like the only option
>available is to require mixed case passwords. I also looked briefly at
>Npasswd+, but had trouble getting that to compile on FreeBSD. Any
>suggestions you might have would be greatly appreciated.

I think the most straightforward way would be to hack your copy of /usr/src/usr.bin/passwd/local_passwd.c to enforce whatever you want. If you go in there, you will probably also notice that the "requirements" of minimum length and not-all-lower-case can be overridden by persistent users--this "kindness" you could, of course, get rid of as well.

Actually, I suppose someone could add a new login-conf flag called "nopasswordmercy" or something that enforced minpasswordlen and mixpasswordcase much more strictly than presently--maybe others would find this useful???

Greg Shenaut
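The check Rick asks for (at least one letter and one digit, optionally a special character) together with the stricter enforcement Greg sketches, as an added example that is not code from FreeBSD's passwd(1)/local_passwd.c, from login.conf, or from any poster. It is written in Python to show the policy logic; the same rules would be compiled into local_passwd.c or a PAM module. The PasswordPolicy fields min_length and require_mixed_case stand in for login.conf's minpasswordlen and mixpasswordcase; nopasswordmercy and mercy_after are hypothetical names for the flag Greg proposes, modelling the "persistent user" override he describes so that it can be switched off.

```python
"""Password-quality policy of the kind discussed in the Strong Passwords thread.

Added example, not FreeBSD's passwd(1) code or any poster's. Models the rules
asked for in the thread plus login.conf's minpasswordlen / mixpasswordcase,
and the retry override Greg mentions, behind a hypothetical nopasswordmercy knob.
"""
import string
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8              # stands in for login.conf minpasswordlen
    require_mixed_case: bool = True  # stands in for login.conf mixpasswordcase
    require_alpha: bool = True       # Rick's request: at least one letter
    require_digit: bool = True       # Rick's request: at least one digit
    require_special: bool = False    # Rick's optional request
    # Hypothetical (this example's names, after Greg's proposed flag):
    # with nopasswordmercy=False a rejected password is accepted anyway once
    # the user has been refused mercy_after times, i.e. the override Greg warns about.
    nopasswordmercy: bool = True
    mercy_after: int = 2


def password_problems(candidate: str, policy: PasswordPolicy) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    if policy.require_alpha and not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if policy.require_special and not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    if policy.require_mixed_case and not any(c.isupper() for c in candidate):
        problems.append("all lower case")
    return problems


class PasswordChange:
    """One passwd(1)-style session: each submit() is another attempt by the user."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.refusals = 0

    def submit(self, candidate: str) -> Tuple[bool, List[str]]:
        """Return (accepted, problems). With nopasswordmercy the answer never
        changes on retry; without it the lenient override kicks in."""
        problems = password_problems(candidate, self.policy)
        if not problems:
            return True, []
        self.refusals += 1
        if not self.policy.nopasswordmercy and self.refusals > self.policy.mercy_after:
            return True, problems   # accepted despite the violations
        return False, problems


if __name__ == "__main__":
    session = PasswordChange(PasswordPolicy(require_special=True))
    for attempt in ("password", "Password1", "Passw0rd!"):
        ok, why = session.submit(attempt)
        print("%-12s %s  %s" % (attempt, "accepted" if ok else "refused", "; ".join(why)))
```

With nopasswordmercy left at its default the third "short" in a row is still refused, which is the behaviour Greg suggests login.conf should be able to demand.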
From owner-freebsd-security Tue Nov 19 12:09:27 2002
Date: Tue, 19 Nov 2002 12:11:06 -0800
From: Kris Kennaway
To: "Robinson, Rick"
Cc: "'security@freebsd.org'"
Subject: Re: Strong Passwords
Message-ID: <20021119201105.GA5905@rot13.obsecurity.org>

On Tue, Nov 19, 2002 at 10:26:24AM -0600, Robinson, Rick wrote:
> Can anyone suggest what the best way to enforce strong passwords on a
> FreeBSD system is?

There's a pam_cracklib module floating around somewhere that you can install to enforce strong password security. There are also other similar implementations (I'm pretty sure at least one is in ports, but I couldn't find it with 5 seconds of searching).

PAM is definitely the way to go since you won't need to make any code changes or recompile anything.

Kris

From owner-freebsd-security Wed Nov 20 00:54:08 2002
Date: Wed, 20 Nov 2002 15:55:36 +0700
From: budsz
To: FreeBSD-Security
Subject: Some issue apache security
Message-ID: <20021120085536.GA96715@kumprang.or.id>
X-System-Operation: FreeBSD 4.7-STABLE i386
Hi,

I run FreeBSD 4.3-RELEASE with Apache 1.3.23. Is there a bug in Apache that will give someone a login to the console?

Thanks

--
budsz

From owner-freebsd-security Wed Nov 20 02:30:11 2002
Date: Wed, 20 Nov 2002 02:30:15 -0800
From: David Fuchs
To: FreeBSD-Security
Subject: Re: Some issue apache security
Message-ID: <3DDB6437.2000200@davidfuchs.ca>
References: <20021120085536.GA96715@kumprang.or.id>

Hello,

Yes, it is possible that vulnerabilities in Apache 1.3.23 could allow a malicious user to execute arbitrary commands.
Check the following URL for related information on Apache security issues:
http://www.apacheweek.com/features/security-13

-David Fuchs

budsz wrote:
>Hi,
>
>I run FreeBSD 4.3-RELEASE with Apache 1.3.23. Is there a bug in Apache
>that will give someone a login to the console?
>
>Thanks

From owner-freebsd-security Wed Nov 20 02:41:39 2002
Date: Wed, 20 Nov 2002 11:02:22 +0100
From: "Marcin M. Jessa"
Reply-To: Marcin Jessa
To: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: VPN and roaming Windows 2K clients
Message-ID: <20021120100222.GA68431@yazzy.org>
X-Operating-System: FreeBSD 4.7-RELEASE i386

Hi guys.

Do you know how to make a FreeBSD firewall a VPN server for roaming Win2K boxes (Win2k users without static IP's)?
I've been playing with racoon for a few days, but it seems that the only way it can authenticate roaming Windows VLAN users is with preshared certificates. This again excludes usage of manual keying (pre_shared_keys), which is necessary for accepting connections from dynamic IP's. The preshared keys method can be configured to accept connections from specified hostnames, and that could work with Windows boxes that run a dyndns client. Again, Windows and racoon can only communicate using certificates and not manual keying.... an evil circle. Windows can speak with racoon if one makes racoon automatically exchange keys, but this works only if Windows clients have static IP's...

Have any of you guys an idea about what to do to combine these methods? Or maybe there is a workaround? Please squeeze your brains and let me know about whatever you think may be of interest in this matter.

Thanks in advance.

YazzY

From owner-freebsd-security Wed Nov 20 06:39:54 2002
Date: Wed, 20 Nov 2002 16:39:43 +0200
From: Peter Pentchev
To: freebsd-security@FreeBSD.org
Subject: [OT] Windows applications generating ISA-KMP packets?
Message-ID: <20021120143943.GM388@straylight.oblivion.bg>

Hi,

Apologies for the somewhat off-topic post; I am also sending this to a couple of other security-related lists, where it will be more relevant, but any replies would be welcome..

Today, a company I do some work for received an e-mail inquiry regarding strange packets sent to an address unknown to us. The packets in question were UDP packets with 500 as both source and destination port. The source address - ours - is not running anything related to IPsec, ISA-KMP or the like. It is, however, a NAT gateway for a large internal network. A quick tcpdump run showed that many hosts on that internal network try to send UDP packets from 500 to 500 to many external hosts, including hosts in the cluster*.icq.com, www.google.com, ns1.google.com, pt*.t-dialin.net, adsl*.pacbell.net, and many others.

Is anybody aware of any reason for a Windows workstation (those are all Windows workstations) to send an ISA-KMP packet to external hosts? Which application should we look for? The machines in question are all running recent versions of ICQ clients (the official icq.com ones), various versions of Microsoft Internet Explorer, and, among others, the Google Toolbar as a plug-in. Does any of these ring a bell? I can see no real reason why any of those would send ISA-KMP packets to anyone for any reason at all, but I can see the packets, and apparently others have seen them, too.
On the other hand, could this be some sort of a trojan? Unfortunately, I am not currently, and will not be in the foreseeable future, at that location, so the further research which I would like to do will be somewhat delayed. Still, any information about Windows applications sending UDP packets from and to port 500 would be highly appreciated. Thanks in advance for any replies! G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 What would this sentence be like if pi were 3? --IuJpT0rwbUevm2bB Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE9256v7Ri2jRYZRVMRAlSBAKC2EDnOUfkpTbPSlx1TSPHbS/bbPgCeLu2A upgXEXwB09rJheScNEphqU8= =3DVc -----END PGP SIGNATURE----- --IuJpT0rwbUevm2bB-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 20 6:44:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB4A437B401 for ; Wed, 20 Nov 2002 06:44:28 -0800 (PST) Received: from kumprang.or.id (kumprang.or.id [202.143.103.227]) by mx1.FreeBSD.org (Postfix) with SMTP id 86E9243E3B for ; Wed, 20 Nov 2002 06:44:25 -0800 (PST) (envelope-from budsz@kumprang.or.id) Received: (qmail 11774 invoked by uid 1008); 20 Nov 2002 14:46:14 -0000 Date: Wed, 20 Nov 2002 21:46:13 +0700 From: budsz To: Allan Jude <937863@primus.ca> Cc: FreeBSD-Security Subject: Re: Some issue apache security Message-ID: <20021120144613.GB11525@kumprang.or.id> References: <20021120085536.GA96715@kumprang.or.id> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Pubkey: "http://www.kumprang.or.id/~budsz/Pubkey.txt" X-Pubkey-MD5: 
On Wed, Nov 20, 2002 at 07:04:49AM -0500, Allan Jude wrote:
> I would recommend updating your apache to 1.3.27

If I use Apache 1.3.26, is it safe?

--
budsz

Date: Wed, 20 Nov 2002 08:51:22 -0600
From: "Kevin D. Kinsey, DaleCo, S.P."
To: "budsz"
Cc: "FreeBSD-Security"
Subject: Re: Some issue apache security
Message-ID: <035101c290a4$4e54ece0$3ae2910c@DaleCoportable>
References: <20021120085536.GA96715@kumprang.or.id> <20021120144613.GB11525@kumprang.or.id>

----- Original Message -----
From: "budsz"
Subject: Re: Some issue apache security

> On Wed, Nov 20, 2002 at 07:04:49AM -0500, Allan Jude wrote:
> > I would recommend updating your apache to 1.3.27
>
> If I use Apache 1.3.26, is it safe?
>

1.3.27 is the latest version, most secure by default. See www.apache.org

Kevin Kinsey
DaleCo, S.P.

Date: Wed, 20 Nov 2002 18:38:32 +0200
From: Peter Pentchev
To: freebsd-security@FreeBSD.org
Subject: Re: [OT] Windows applications generating ISA-KMP packets?
Message-ID: <20021120163832.GG39662@straylight.oblivion.bg>
In-Reply-To: <20021120143943.GM388@straylight.oblivion.bg>

On Wed, Nov 20, 2002 at 04:39:43PM +0200, Peter Pentchev wrote:
> Hi,
>
> Apologies for the somewhat off-topic post; I am also sending this to a
> couple of other security-related lists, where it will be more relevant,
> but any replies would be welcome..
>
> Today, a company I do some work for received an e-mail inquiry
> regarding strange packets sent to an address unknown to us. The packets
> in question were UDP packets with 500 as both source and destination
> port.

Thanks to everyone who replied; this seems to be the result of a Win2K group policy setting concerning IPsec, and hopefully the stray ISA-KMP packets will not be sent any longer.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.

Date: Wed, 20 Nov 2002 20:56:37 +0100
From: Stephan Eckner
To: freebsd-security@FreeBSD.org
Subject: Blocking non-IP traffic on an IPFW-Bridge
Message-ID: <20021120195637.GA11520@knuth.codeblau.de>

Hi,

I recently set up a bridging firewall to protect some servers on my internal net. The bridge is correctly blocking all IP traffic.
Nevertheless, I find some packets behind the firewall that seem to have passed it:

tcpdump: listening on bge0
20:36:50.247555 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15
20:36:52.251387 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15
20:36:54.146709 12.00:02:55:9c:26:ce.453 > 12.ff:ff:ff:ff:ff:ff.453:ipx-rip-resp 1004/1.2 13/1.2 99/1.2 1003/2.3 5/2.3 6/2.3[|ipx 248]
20:36:54.246443 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15
20:36:54.412285 CDP v2, ttl=180s DevID '17-3-[2731]' Addr (1): IPv4 10.0.12.243 PortID 'FastEthernet0/4' CAP 0x0a[|cdp]
20:36:56.246483 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15
20:36:57.023039 12.00:01:e6:71:9c:33.452 > 12.ff:ff:ff:ff:ff:ff.452:ipx-sap-resp[|ipx 64]
20:36:58.248710 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15
20:37:00.247279 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15

This looks like non-IP traffic to me. As I'm seeing these packets on both the external interface of the firewall and on the server behind the firewall, they don't seem to be blocked by my "deny ip from any to any" rule. Is there any way to block these packets from crossing the bridge?
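Two of the questions in this batch come down to reading a capture correctly: Peter's NAT gateway was forwarding UDP 500 to 500 from many internal Windows hosts (later traced to a Win2K IPsec group policy setting), and Stephan's "deny ip from any to any" rule leaves the 802.1d, IPX and CDP frames above untouched because they are not IP packets at all. The script below is an added example, not code from either poster: it takes "tcpdump -n" text on stdin, counts frames by link-layer protocol so the traffic a layer-3 rule never examines stands out, and lists the internal hosts (selected by an address prefix passed as a parameter) that send ISAKMP to the outside. The non-IP sample lines are copied from Stephan's capture; the IP lines are constructed to mimic what Peter describes.

```shell
#!/bin/sh
# Added example (not from either post): triage a "tcpdump -n" text capture
# for the two symptoms discussed in the thread.

# classify_frames: count captured frames by link-layer protocol. Anything
# that is not "a.b.c.d.port > ..." is non-IP and invisible to an "ip" rule.
classify_frames() {
    awk '
        $2 == "802.1d"                                                 { n["stp"]++; next }
        /ipx-(rip|sap)/                                                { n["ipx"]++; next }
        $2 == "CDP"                                                    { n["cdp"]++; next }
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $3 == ">"   { n["ip"]++; next }
        { n["other"]++ }
        END { for (k in n) printf "%s %d\n", k, n[k] }
    ' | LC_ALL=C sort
}

# isakmp_to_external PREFIX: internal hosts (addresses starting with PREFIX)
# that send UDP 500 -> 500 to hosts outside that prefix, with packet counts.
isakmp_to_external() {
    awk -v pfx="$1" '
        $3 == ">" && $2 ~ /\.500$/ && $4 ~ /\.500:$/ {
            src = $2; sub(/\.500$/, "", src)
            dst = $4; sub(/\.500:$/, "", dst)
            if (index(src, pfx) == 1 && index(dst, pfx) != 1) cnt[src]++
        }
        END { for (s in cnt) printf "%s %d\n", s, cnt[s] }
    ' | LC_ALL=C sort
}

# sample_capture: the first four lines are taken from Stephan's tcpdump
# output; the IP lines are constructed (addresses and payloads are made up).
sample_capture() {
    cat <<'EOF'
20:36:50.247555 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15
20:36:54.146709 12.00:02:55:9c:26:ce.453 > 12.ff:ff:ff:ff:ff:ff.453:ipx-rip-resp 1004/1.2 13/1.2 99/1.2 1003/2.3 5/2.3 6/2.3[|ipx 248]
20:36:54.412285 CDP v2, ttl=180s DevID '17-3-[2731]' Addr (1): IPv4 10.0.12.243 PortID 'FastEthernet0/4' CAP 0x0a[|cdp]
20:36:57.023039 12.00:01:e6:71:9c:33.452 > 12.ff:ff:ff:ff:ff:ff.452:ipx-sap-resp[|ipx 64]
20:37:01.100000 10.0.12.17.500 > 64.233.161.99.500: isakmp: phase 1 I ident
20:37:01.200000 10.0.12.17.1043 > 64.233.161.99.80: S 1234567:1234567(0) win 16384
20:37:02.300000 10.0.12.17.500 > 205.188.179.33.500: isakmp: phase 1 I ident
20:37:02.400000 10.0.12.44.500 > 10.0.12.1.500: isakmp: phase 1 I ident
20:37:03.500000 10.0.12.98.500 > 216.239.33.100.500: isakmp: phase 1 I ident
EOF
}

echo "== frames by protocol =="
sample_capture | classify_frames
echo "== internal hosts sending ISAKMP outside the 10.0.12. prefix =="
sample_capture | isakmp_to_external 10.0.12.
```

Against a real capture, replace sample_capture with "cat capture.txt" (or "tcpdump -n -r file"): the first report shows how much of the traffic is outside the reach of an IP-only rule set, and the second gives the list of workstations to check for the policy setting Peter's thread ended on. Host-to-host ISAKMP inside the prefix (the 10.0.12.44 line) is deliberately not reported, since internal IPsec is not the symptom.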
Stephan

--
Stephan Eckner http://www.eckner.org/

Date: Wed, 20 Nov 2002 16:52:50 -0500 (EST)
From: Alwyn Goodloe
To: freebsd-security@freebsd.org
Subject: IKE/RSA problems

Hi,

I've done a number of ipsec configurations using shared keys but must now use racoon with RSA. I'm using FreeBSD 4.7. In this first little experiment I'm trying to get two machines (server -- 192.168.3.1 and client -- 192.168.3.2) to establish a connection. It never makes it into phase II. On the client side I keep getting the error message:

>>2002-11-20 15:09:37: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
>>2002-11-20 15:09:37: WARNING: ipsec_doi.c:3059:ipsecdoi_checkid1(): ID value mismatched.
>>2002-11-20 15:09:37: ERROR: crypto_openssl.c:483:eay_get_x509subjectaltname():
>>2002-11-20 15:09:37: ERROR: oakley.c:1621:oakley_check_certid(): failed to get subjectAltName

On the server side I keep getting:

>>2002-11-20 17:06:25: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin.
>>2002-11-20 17:06:25: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
>>2002-11-20 17:06:25: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=8(hash)
>>2002-11-20 17:06:25: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=11(notify)
>>2002-11-20 17:06:25: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
>>2002-11-20 17:06:25: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
>>2002-11-20 17:06:25: DEBUG: isakmp_inf.c:798:isakmp_info_recv_n(): notification message 20:INVALID-CERTIFICATE, doi=1 proto_id=1 spi=(size=0).
>>2002-11-20 17:06:45: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.3.1[500]
>>2002-11-20 17:06:45: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.3.1[500]
>>2002-11-20 17:06:45: DEBUG: sockmisc.c:425:sendfromto(): send packet to 192.168.3.2[500]
>>2002-11-20 17:06:45: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 1098 bytes message will be sent to 192.168.3.1[500]

The conf files are provided below. Can anybody provide some insight into this problem???

Alwyn Goodloe
agoodloe@gradient.cis.upenn.edu

-----------SERVER CONF-----------------------

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/racoon/certs" ;

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
log debug;

# "padding" defines some parameter of padding. You should not touch these.
padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
    #isakmp ::1 [7000];
    #isakmp 202.249.11.124 [500];
    #admin [7002];          # administrative's port by kmpstat.
    #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
    # These value can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    #doi ipsec_doi;
    situation identity_only;

    my_identifier address 192.168.3.1;
    peers_identifier address 192.168.3.2;
    certificate_type x509 "seclab-dell3.crt" "seclab-dell3.key";
    peers_certfile "seclab-micron5.crt";
    initial_contact on;
    nonce_size 16;
    lifetime time 44 hour;  # sec,min,hour

    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2 ;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm des ;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}

sainfo address ::1 icmp6 address ::1 icmp6
{
    pfs_group 1;
    lifetime time 60 sec;
    encryption_algorithm 3des, cast128, blowfish 448, des ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

-----------------CLIENT CONF -------------------

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/racoon/certs" ;

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding. You should not touch these.
padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
    #isakmp ::1 [7000];
    #isakmp 202.249.11.124 [500];
    #admin [7002];          # administrative's port by kmpstat.
    #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
    # These value can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    #doi ipsec_doi;
    situation identity_only;

    my_identifier address 192.168.3.2;
    peers_identifier address 192.168.3.1;
    certificate_type x509 "seclab-micron5.crt" "seclab-micron5.key";
    peers_certfile "seclab-dell3.crt";
    nonce_size 16;
    lifetime time 44 hour;  # sec,min,hour
    initial_contact on;
    proposal_check obey;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig ;
        dh_group 2 ;
    }
}

sainfo anonymous
{
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm des ;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}

sainfo address ::1 icmp6 address ::1 icmp6
{
    pfs_group 1;
    lifetime time 60 sec;
    encryption_algorithm 3des, cast128, blowfish 448, des ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

Date: Thu, 21 Nov 2002 09:57:21 +0100
From: Josef Pojsl
To: Alwyn Goodloe
Cc:
freebsd-security@freebsd.org
Subject: Re: IKE/RSA problems
Message-ID: <20021121095721.B256@bertik.tns.cz>
In-Reply-To: from agoodloe@saul.cis.upenn.edu on Wed, Nov 20, 2002 at 04:52:50PM -0500

On Wed, Nov 20, 2002 at 04:52:50PM -0500, Alwyn Goodloe wrote:
> On the client side I keep getting the error message:
>
> >>2002-11-20 15:09:37: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
> >>2002-11-20 15:09:37: WARNING: ipsec_doi.c:3059:ipsecdoi_checkid1(): ID value mismatched.
> >>2002-11-20 15:09:37: ERROR: crypto_openssl.c:483:eay_get_x509subjectaltname():
> >>2002-11-20 15:09:37: ERROR: oakley.c:1621:oakley_check_certid(): failed to get subjectAltName

Alwyn,

the message seems to be very descriptive. Are you sure that the certificate you are using has got a valid SubjectAltName attribute? There has to be one, and its contents should match the peer's identification data. On the client, your racoon is configured to perform address identification:

...
peers_identifier address 192.168.3.1
...

So, the server is expected to produce a certificate whose SubjectAltName has the value of "IP:192.168.3.1". The same holds the other way round.

See racoon.conf(5) or e.g. http://www.kame.net/newsletter/20000912/ for more details.
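Josef's diagnosis turns into a concrete check that can be run before racoon is restarted: the certificate racoon loads for a peer (the file named by peers_certfile, found under the path certificate directory) must carry a subjectAltName IP entry equal to the peers_identifier address, and the same holds for the local certificate_type x509 pair seen from the other side. The script below is an added example, not part of the thread or of racoon: it issues a self-signed certificate with that extension using openssl(1) and then verifies the match in the spirit of the oakley_check_certid() step that failed in Alwyn's log. The certificate names follow the conf files above; the directory is a temporary one, and the key sizes and validity are arbitrary choices for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from racoon): issue a certificate
# whose subjectAltName carries the IP address racoon compares against
# "peers_identifier address", and verify the match before deploying it.
# Requires openssl(1).

# make_ipsec_cert NAME IP DIR: self-signed NAME.crt / NAME.key in DIR with
# subjectAltName = IP:<IP>, the entry oakley_check_certid() looks for.
make_ipsec_cert() {
    name=$1; ip=$2; dir=$3
    mkdir -p "$dir"
    cat > "$dir/$name.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ike_ext
[ dn ]
CN = $name
[ ike_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectAltName = IP:$ip
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -config "$dir/$name.cnf" -keyout "$dir/$name.key" -out "$dir/$name.crt" \
        >/dev/null 2>&1
}

# cert_san_ips CERT: print the IP entries of the certificate's subjectAltName,
# one per line (empty output when the extension is missing, as in Alwyn's case).
cert_san_ips() {
    openssl x509 -in "$1" -noout -text |
        grep -o 'IP Address:[0-9A-Fa-f.:]*' | sed 's/^IP Address://'
}

# san_matches_identifier CERT ADDRESS: succeed only if ADDRESS is one of the
# SAN IP entries, i.e. what "peers_identifier address ADDRESS" requires.
san_matches_identifier() {
    cert_san_ips "$1" | grep -qx "$2"
}

work=$(mktemp -d)
make_ipsec_cert seclab-dell3 192.168.3.1 "$work"     # the server's certificate
make_ipsec_cert seclab-micron5 192.168.3.2 "$work"   # the client's certificate

# The client checks the server's cert against 192.168.3.1 (correct), and the
# second line shows what a mismatched identifier looks like.
for pair in "seclab-dell3.crt 192.168.3.1" "seclab-micron5.crt 192.168.3.1"; do
    set -- $pair
    if san_matches_identifier "$work/$1" "$2"; then
        echo "$1: subjectAltName matches peers_identifier address $2"
    else
        echo "$1: subjectAltName [$(cert_san_ips "$work/$1")] does not match $2"
    fi
done
```

A certificate that prints nothing from cert_san_ips is exactly the "failed to get subjectAltName" case; one that prints a different address reproduces the "ID value mismatched" warning followed by INVALID-CERTIFICATE on the other side. Both are worth checking on each machine, since racoon verifies the peer's certificate in both directions.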
HTH,
Josef

Date: Thu, 21 Nov 2002 10:52:04 -0700
From: "David G. Andersen"
To: freebsd-security@freebsd.org
Subject: File table exhaustion patch
Message-ID: <20021121105204.B75421@cs.utah.edu>

In PR 45353, I've submitted a patch to reserve a handful of file table entries for root-only use, to mitigate the effects of user processes that leak file descriptors:

http://www.freebsd.org/cgi/query-pr.cgi?pr=45353

Even with per-process file descriptor limits, it's pretty easy for a buggy program that does any kind of forking to run the system out of file table entries (or for a malicious user to do so). The patch above is trivial, and at least enables root to login and fix things up a bit.
I've been running it locally for about a week, and it's happy.

Is the form of the solution acceptable? (And if so, anyone interested in committing it to -current for a while? ;-)

-Dave

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.

Date: Thu, 21 Nov 2002 21:18:27 -0000
From: "Ian Watkinson"
Subject: VPN
Organization: EHSBrann
Message-ID: <062a01c291a3$8b63b760$6502010a@subtlety>
In-reply-to: <3DDBDE2B.6050407@he.iki.fi>

Been looking at a number of how-to's on the web for connecting Win2k clients to FreeBSD as a VPN. However, despite carefully following them, I can't get any of them to work.

Could someone on the list who has managed this either point me in the direction of a how-to that works, or share a config that works with the list?

Many thanks in advance.

--
Ian Watkinson
==================
ICQ 2781385
Internet Pager 2781385@pager.icq.com

Date: Thu, 21 Nov 2002 15:29:04 -0600 (CST)
From: Mike Silbersack
To: "David G. Andersen"
Cc: freebsd-security@freebsd.org
Subject: Re: File table exhaustion patch
Message-ID: <20021121152539.U44884-100000@patrocles.silby.com>
In-Reply-To: <20021121105204.B75421@cs.utah.edu>

On Thu, 21 Nov 2002, David G. Andersen wrote:

> In PR 45353, I've submitted a patch to reserve a handful of
> file table entries for root-only use, to mitigate the effects
> of user processes that leak file descriptors:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=45353
>
> Even with per-process file descriptor limits, it's pretty
> easy for a buggy program that does any kind of forking to
> run the system out of file table entries (or for a malicious
> user to do so). The patch above is trivial, and at least
> enables root to login and fix things up a bit. I've been
> running it locally for about a week, and it's happy.
>
> Is the form of the solution acceptable? (And if so, anyone
> interested in committing it to -current for a while? ;-)
>
> -Dave

Your patch looks good, I think it could probably go in without any modifications. HOWEVER, we're in a code freeze leading up to 5.0-release, and local DoSes aren't a critical bug. Hence, I'm going to wait until after 5.0-release is out the door before I go ahead with committing your patch.

Mike "Silby" Silbersack

Date: Thu, 21 Nov 2002 14:29:01 -0800
From: David Schultz
To: "David G. Andersen"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: File table exhaustion patch
Message-ID: <20021121222901.GC6062@HAL9000.homeunix.com>
In-Reply-To: <20021121105204.B75421@cs.utah.edu>

Thus spake David G. Andersen:
> In PR 45353, I've submitted a patch to reserve a handful of
> file table entries for root-only use, to mitigate the effects
> of user processes that leak file descriptors:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=45353
>
> Even with per-process file descriptor limits, it's pretty
> easy for a buggy program that does any kind of forking to
> run the system out of file table entries (or for a malicious
> user to do so). The patch above is trivial, and at least
> enables root to login and fix things up a bit. I've been
> running it locally for about a week, and it's happy.
>
> Is the form of the solution acceptable? (And if so, anyone
> interested in committing it to -current for a while? ;-)

Cool! I have two minor comments:

- Use suser(9) for the purpose of checking superuserness.

- Instead of making the default reservation maxfiles/20, a constant might be more appropriate. The administrator does not need proportionately more file table entries to log in and kill misbehaving processes on larger systems.

Date: Thu, 21 Nov 2002 12:30:32 -0500
From: Niels Provos
To: gkshenaut@ucdavis.edu
Cc: security@FreeBSD.ORG
Subject: Re: Strong Passwords
Message-ID: <20021121173032.GC9462@citi.citi.umich.edu>
In-Reply-To: <200211191955.gAJJt9Q77865@thistle.bogs.org>

On Tue, Nov 19, 2002 at 11:55:08AM -0800, Greg Shenaut wrote:
> I think the most straightforward way would be to hack your copy of
> /usr/src/usr.bin/passwd/local_passwd.c to enforce whatever you
> want. If you go in there, you will probably also notice that the
> "requirements" of minimum length and not-all-lower-case can be

I added some improvements to OpenBSD's passwd a while ago. It allows you to call an external password checking program that determines if the password's quality is acceptable. It's configured via login.conf:

     passwordcheck   path   An external program that checks the quality of the
                            password. The password is passed to the program on
                            stdin.
An exit code of 0 indicates that the quality of the password is sufficient, an exit code of 1 signals that the password failed the check. Might be worthwhile porting. The code is very simple. Niels. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 22 0: 5:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C053437B401 for ; Fri, 22 Nov 2002 00:05:42 -0800 (PST) Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id 80FEE43E3B for ; Fri, 22 Nov 2002 00:05:34 -0800 (PST) (envelope-from sheldonh@starjuice.net) Received: from sheldonh by axl.seasidesoftware.co.za with local (Exim 4.10) id 18F8oN-0009SL-00; Fri, 22 Nov 2002 10:05:15 +0200 Date: Fri, 22 Nov 2002 10:05:15 +0200 From: Sheldon Hearn To: Mike Silbersack Cc: "David G. Andersen" , freebsd-security@freebsd.org Subject: Re: File table exhaustion patch Message-ID: <20021122080515.GQ36738@starjuice.net> Mail-Followup-To: Mike Silbersack , "David G. Andersen" , freebsd-security@freebsd.org References: <20021121105204.B75421@cs.utah.edu> <20021121152539.U44884-100000@patrocles.silby.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20021121152539.U44884-100000@patrocles.silby.com> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On (2002/11/21 15:29), Mike Silbersack wrote: > HOWEVER, we're in a code freeze leading up to 5.0-release, and local DoSes > aren't a critical bug. Is that the official FreeBSD SO team viewpoint on local DoS vulnerabilities? Ciao, Sheldon. 
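The passwordcheck protocol Niels describes in the "Strong Passwords" message above (candidate password on stdin, exit 0 to accept, exit 1 to reject) is simple enough that the checker itself can be a shell script. The following is an added example written for this page; it is neither OpenBSD's passwd code nor anything from the thread. The minimum length, the class requirement, the weak-password list and the install path /usr/local/libexec/passwordcheck are all assumptions, and on FreeBSD it only does anything once passwd(1) has been extended to honour the login.conf capability, which is exactly the porting work Niels suggests.

```shell
#!/bin/sh
# passwordcheck: external password-quality checker speaking the protocol
# described on the list: the candidate password arrives on stdin, exit
# status 0 accepts it and 1 rejects it.
# Added example, not OpenBSD's or FreeBSD's code.  The thresholds, the
# weak-password list and the install path are assumptions.

MIN_LEN=8       # assumed minimum length
MIN_CLASSES=3   # assumed: at least 3 of lower/upper/digit/other

# Constructed list of passwords that are rejected regardless of their
# apparent complexity (compared case-insensitively).
WEAK_LIST='password
p@ssw0rd
letmein
qwerty123
freebsd'

# password_ok PASSWORD: return 0 if the password meets policy, 1 if not.
password_ok() {
    pw=$1
    [ "${#pw}" -ge "$MIN_LEN" ] || return 1

    # Count character classes; POSIX classes keep this correct in any
    # locale, where a-z ranges would not.
    classes=0
    case $pw in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge "$MIN_CLASSES" ] || return 1

    # Reject anything on the weak list, ignoring case.
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    for weak in $WEAK_LIST; do
        [ "$lower" = "$weak" ] && return 1
    done
    return 0
}

# check_password_quality: read one candidate from stdin, the way passwd(1)
# hands it over, and report through the exit status.  An empty stdin is
# an empty password and is rejected.
check_password_quality() {
    pw=
    IFS= read -r pw || :
    password_ok "$pw"
}

# Act as the checker only when invoked under the installed name (assumed:
# /usr/local/libexec/passwordcheck, referenced from login.conf as
# ":passwordcheck=/usr/local/libexec/passwordcheck:").  Sourced under any
# other name, the file just defines the functions.
case ${0##*/} in
    passwordcheck) check_password_quality; exit $? ;;
esac
```

After adding the capability to the relevant login class, rebuild the database with cap_mkdb /etc/login.conf, and try the script by hand first (printf 'P@ssW0rd\n' | sh passwordcheck; echo $?), since a checker that exits non-zero for every input locks every user out of changing their password.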
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 22 0:12:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E473537B401; Fri, 22 Nov 2002 00:12:27 -0800 (PST) Received: from mta01-svc.ntlworld.com (mta01-svc.ntlworld.com [62.253.162.41]) by mx1.FreeBSD.org (Postfix) with ESMTP id E5FEC43E8A; Fri, 22 Nov 2002 00:12:20 -0800 (PST) (envelope-from ian.watkinson@ehsbrann.com) Received: from subtlety ([80.3.50.15]) by mta01-svc.ntlworld.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20021122081219.WANE15173.mta01-svc.ntlworld.com@subtlety>; Fri, 22 Nov 2002 08:12:19 +0000 Reply-To: From: "Ian Watkinson" To: "'Nikolay Petrov'" , Cc: , , Subject: RE: VPN Date: Fri, 22 Nov 2002 08:12:18 -0000 Organization: EHSBrann Message-ID: <082c01c291fe$e0735250$6502010a@subtlety> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 In-reply-to: <111773281.20021122091821@hq.panda.bg> Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > -----Original Message----- > From: Nikolay Petrov [mailto:nik@hq.panda.bg] > Sent: 22 November 2002 07:18 > To: owner-freebsd-security@FreeBSD.ORG; Ian Watkinson > Cc: freebsd-questions@FreeBSD.ORG; freebsd-net@FreeBSD.ORG; > freebsd-security@freebsd.org > Subject: Re: VPN > > > Hello Ian, > > Thursday, November 21, 2002, 11:18:27 PM, you wrote: > > IW> Been looking at a number of how-to's on the web for > connecting Win2k > IW> clients to Freebsd as a 
VPN. > > IW> However, despite carefully following them, I can't get > any of them > IW> to work. > > IW> Could someone on the list who has managed this, either > point me in > IW> the direction of a how-to that works, or share their config that > IW> works with the list? > > IW> Many thanks in advance. > > > You can use net/mpd port, which has good documentation > My fault for not being more specific, I was hoping to use IPSEC, however I can't seem to get beyond windows "Negotiating Security" -- Ian Watkinson ================== ICQ 2781385 Internet Pager 2781385@pager.icq.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 22 1:22:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A54F37B401 for ; Fri, 22 Nov 2002 01:22:22 -0800 (PST) Received: from webmail.sub.ru (webmail.sub.ru [213.247.139.22]) by mx1.FreeBSD.org (Postfix) with SMTP id 766D743EAF for ; Fri, 22 Nov 2002 01:22:21 -0800 (PST) (envelope-from tarkhil@webmail.sub.ru) Received: (qmail 93748 invoked by uid 0); 22 Nov 2002 09:22:59 -0000 Received: from unknown (HELO shuttle.svib.ru) (195.54.219.242) by webmail.sub.ru with SMTP; 22 Nov 2002 09:22:59 -0000 Date: Fri, 22 Nov 2002 12:21:29 +0300 From: Alex Povolotsky To: freebsd-security@freebsd.org Subject: jailed virtual https, anyone? Message-Id: <20021122122129.7c42817b.tarkhil@webmail.sub.ru> Organization: sub.ru X-Mailer: Sylpheed version 0.8.2claws (GTK+ 1.2.10; i386-portbld-freebsd4.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello! 
Does anyone have experience in setting up jailed https with virtual hosts? I'm looking for some help. -- Alex. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 22 4:22:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 649B237B401 for ; Fri, 22 Nov 2002 04:22:54 -0800 (PST) Received: from duba01h09-0.dplanet.ch (duba01h09-0.dplanet.ch [212.35.36.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id E691643E6E for ; Fri, 22 Nov 2002 04:22:51 -0800 (PST) (envelope-from quak@mydiax.ch) Received: (from luser@localhost) by duba01h09-0.dplanet.ch (8.11.6/8.11.6) id gAMCMZ614907; Fri, 22 Nov 2002 13:22:35 +0100 Date: Fri, 22 Nov 2002 13:22:35 +0100 Message-Id: <200211221222.gAMCMZ614907@duba01h09-0.dplanet.ch> X-Authentication-Warning: duba01h09-0.dplanet.ch: luser set sender to quak@mydiax.ch using -f Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) From: quak@mydiax.ch To: tarkhil@webmail.sub.ru Subject: Re: jailed virtual https, anyone? Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Greetings Alex, What exactly is your problem ? What kind of virtual servers do you try to use (Named / IP or Port-based) ?? Regards Kirill >Hello! > >Does anyone have experience in setting up jailed https with virtual hosts? I'm looking for some help. > >-- >Alex. 
> >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 22 4:40: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2DE2837B401 for ; Fri, 22 Nov 2002 04:40:07 -0800 (PST) Received: from bas.flux.utah.edu (bas.flux.utah.edu [155.98.60.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9E50343E4A for ; Fri, 22 Nov 2002 04:40:06 -0800 (PST) (envelope-from danderse@flux.utah.edu) Received: from bas.flux.utah.edu (localhost [127.0.0.1]) by bas.flux.utah.edu (8.12.5/8.12.5) with ESMTP id gAMCe6As014017; Fri, 22 Nov 2002 05:40:06 -0700 (MST) (envelope-from danderse@bas.flux.utah.edu) Received: (from danderse@localhost) by bas.flux.utah.edu (8.12.5/8.12.5/Submit) id gAMCe55q014016; Fri, 22 Nov 2002 05:40:05 -0700 (MST) Date: Fri, 22 Nov 2002 05:40:05 -0700 From: "David G. Andersen" To: Mike Silbersack , freebsd-security@freebsd.org Subject: Re: File table exhaustion patch Message-ID: <20021122054005.A13937@cs.utah.edu> References: <20021121105204.B75421@cs.utah.edu> <20021121152539.U44884-100000@patrocles.silby.com> <20021122080515.GQ36738@starjuice.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20021122080515.GQ36738@starjuice.net>; from sheldonh@starjuice.net on Fri, Nov 22, 2002 at 10:05:15AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sheldon Hearn just mooed: > On (2002/11/21 15:29), Mike Silbersack wrote: > > > HOWEVER, we're in a code freeze leading up to 5.0-release, and local DoSes > > aren't a critical bug. 
> > Is that the official FreeBSD SO team viewpoint on local DoS > vulnerabilities? Well, keep in mind that this isn't really a bad one - it doesn't crash the machine, and it's moderately easy to identify the (l)user who's doing it. I've actually not seen this happen maliciously, I've only seen it happen by accident with buggy research code, some of it mine. It's annoying when it happens, but there are a million things a local user can do to be annoying. -Dave -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ I do not accept unsolicited commercial email. Do not spam me. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 22 4:51:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 34F4937B401 for ; Fri, 22 Nov 2002 04:51:17 -0800 (PST) Received: from webmail.sub.ru (webmail.sub.ru [213.247.139.22]) by mx1.FreeBSD.org (Postfix) with SMTP id 00C6343EAA for ; Fri, 22 Nov 2002 04:51:16 -0800 (PST) (envelope-from tarkhil@webmail.sub.ru) Received: (qmail 93809 invoked by uid 0); 22 Nov 2002 12:51:55 -0000 Received: from unknown (HELO shuttle.svib.ru) (195.54.219.242) by webmail.sub.ru with SMTP; 22 Nov 2002 12:51:55 -0000 Date: Fri, 22 Nov 2002 15:50:27 +0300 From: Alex Povolotsky To: "Allan Jude" <937863@primus.ca>, freebsd-security@FreeBSD.ORG, quak@mydiax.ch, Danny.Carroll@mail.ing.nl Subject: Re: jailed virtual https, anyone? 
Message-Id: <20021122155027.7f694357.tarkhil@webmail.sub.ru> In-Reply-To: References: <20021122145947.406b4d31.tarkhil@webmail.sub.ru> Organization: sub.ru X-Mailer: Sylpheed version 0.8.2claws (GTK+ 1.2.10; i386-portbld-freebsd4.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 22 Nov 2002 07:07:41 -0500 "Allan Jude" <937863@primus.ca> wrote: AJ> What seems to be the problem with the virtual hosts? AJ> You're quite right, but I have EVERYTHING works ok for now, EXCEPT AJ> virtual hosts with https. Google shows nothing relevant on "jail https AJ> virtual". Oh, quite simple. https cannot be configured with name-based virtual hosts, by design. jail cannot be configured for more than one IP address, by design. (don't ask me to wait until jail-ng will be ready) Jail sits on internal IP, on lo0. fxp0 holds real IP addresses to be accessed from outside. I'm forwarding incoming connection to jail, currently with ipnat. I need to pass information about real (outside) IP to mod_ssl. That is my problem. plain http works perfectly (name-based virthosts). I'm using mod_ssl, but not restricted to it. -- Alex. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 22 5:43:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BD0E137B401; Fri, 22 Nov 2002 05:43:53 -0800 (PST) Received: from kurush.osdn.org.ua (external.osdn.org.ua [212.40.34.156]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7DF2243EAA; Fri, 22 Nov 2002 05:43:35 -0800 (PST) (envelope-from never@kurush.osdn.org.ua) Received: from kurush.osdn.org.ua (never@localhost [127.0.0.1]) by kurush.osdn.org.ua (8.12.6/8.12.6) with ESMTP id gAMDhOTP024385; Fri, 22 Nov 2002 15:43:24 +0200 (EET) (envelope-from never@kurush.osdn.org.ua) Received: (from never@localhost) by kurush.osdn.org.ua (8.12.6/8.12.6/Submit) id gAMDhOrJ024383; Fri, 22 Nov 2002 15:43:24 +0200 (EET) Date: Fri, 22 Nov 2002 15:43:24 +0200 From: Alexandr Kovalenko To: freebsd-security@FreeBSD.org Cc: freebsd-stable@FreeBSD.org Subject: OpenSSH's sftp and chroot Message-ID: <20021122134324.GA24134@nevermind.kiev.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org [I'm again not sure which list is the more appropriate place for asking this question] Will OpenSSH's sftp-server have support for chroot anytime soon in RELENG_4{_X} ? Because of the lack of this feature I have to use ssh.com's ssh, which is what I do not like. 
-- NEVE-RIPE Ukrainian FreeBSD User Group http://uafug.org.ua/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 22 8:39:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F0B737B401 for ; Fri, 22 Nov 2002 08:39:16 -0800 (PST) Received: from mail.ubergeeks.com (lorax.ubergeeks.com [209.145.65.55]) by mx1.FreeBSD.org (Postfix) with ESMTP id 967DD43E9C for ; Fri, 22 Nov 2002 08:39:15 -0800 (PST) (envelope-from adrian+freebsd-security@ubergeeks.com) Received: from mail.ubergeeks.com (localhost [127.0.0.1]) by mail.ubergeeks.com (8.12.5/8.12.5) with ESMTP id gAMGd2IP048522; Fri, 22 Nov 2002 11:39:05 -0500 (EST) (envelope-from adrian+freebsd-security@ubergeeks.com) Received: from localhost (adrian@localhost) by mail.ubergeeks.com (8.12.5/8.12.5/Submit) with ESMTP id gAMGcp9i048519; Fri, 22 Nov 2002 11:38:52 -0500 (EST) (envelope-from adrian+freebsd-security@ubergeeks.com) X-Authentication-Warning: lorax.ubergeeks.com: adrian owned process doing -bs Date: Fri, 22 Nov 2002 11:38:51 -0500 (EST) From: Adrian Filipi-Martin To: Alex Povolotsky Cc: Allan Jude <937863@primus.ca>, , , Subject: Re: jailed virtual https, anyone? In-Reply-To: <20021122155027.7f694357.tarkhil@webmail.sub.ru> Message-ID: <20021122113328.M48082-100000@lorax.ubergeeks.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 22 Nov 2002, Alex Povolotsky wrote: > On Fri, 22 Nov 2002 07:07:41 -0500 > "Allan Jude" <937863@primus.ca> wrote: > > AJ> What seems to be the problem with the virtual hosts? > AJ> You're quite right, but I have EVERYTHING works ok for now, EXCEPT > AJ> virtual hosts with https. 
Google shows nothing relevant on "jail https > AJ> virtual". > > Oh, quite simple. > > https cannot be configured with name-based virtual hosts, by design. > jail cannot be configured for more than one IP address, by design. > (don't ask me to wait until jail-ng will be ready) > Jail sits on internal IP, on lo0. fxp0 holds real IP addresses to be accessed from outside. > I'm forwarding incoming connection to jail, currently with ipnat. I need to pass information about real (outside) IP to mod_ssl. That is my problem. > > plain http works perfectly (name-based virthosts). You still have to do IP-based hosting for https. It doesn't matter that they have their IPs in the jails. The problem is that the SSL channel has already been negotiated and established before apache gets to consider the "Host:" header which is mostly what the virtual hosting is based upon. This means that it's too late to select a different virtual host without generating an SSL hostname mismatch warning. Adrian -- [ adrian@ubergeeks.com ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 22 10: 5: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5720837B401 for ; Fri, 22 Nov 2002 10:04:59 -0800 (PST) Received: from webmail.sub.ru (webmail.sub.ru [213.247.139.22]) by mx1.FreeBSD.org (Postfix) with SMTP id 2685043E4A for ; Fri, 22 Nov 2002 10:04:58 -0800 (PST) (envelope-from tarkhil@webmail.sub.ru) Received: (qmail 62785 invoked by uid 0); 22 Nov 2002 18:05:34 -0000 Received: from unknown (HELO shuttle.svib.ru) (195.54.219.242) by webmail.sub.ru with SMTP; 22 Nov 2002 18:05:34 -0000 Date: Fri, 22 Nov 2002 21:04:09 +0300 From: Alex Povolotsky To: Adrian Filipi-Martin , freebsd-security@FreeBSD.ORG Subject: Re: jailed virtual https, anyone? 
Message-Id: <20021122210409.0061b0c7.tarkhil@webmail.sub.ru> In-Reply-To: <20021122113328.M48082-100000@lorax.ubergeeks.com> References: <20021122155027.7f694357.tarkhil@webmail.sub.ru> <20021122113328.M48082-100000@lorax.ubergeeks.com> Organization: sub.ru X-Mailer: Sylpheed version 0.8.2claws (GTK+ 1.2.10; i386-portbld-freebsd4.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 22 Nov 2002 11:38:51 -0500 (EST) Adrian Filipi-Martin wrote: AFM> You still have to do IP-based hosting for https. It doesn't matter AFM> that they have their IPs in the jails. AFM> AFM> The problem is that the SSL channel has already been negotiated and AFM> established before apache gets to consider the "Host:" header which is AFM> mostly what the virtual hosting is based upon. This means that it's too AFM> late to select a different virtual host without generating an SSL hostname AFM> mismatch warning. YES!!! YES!!! YES!!! I have understood that for quite some time!!! But, for instance, transproxy extracts real IP information from /dev/ipl, which seems to be unavailable from inside the jail. I need either a proxy with some method of passing SSL environment variables, or some apache module retrieving information from /dev/ipl or something else, or some way to transfer packets keeping the original destination address. That is what I'm seeking here. -- Alex. 
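Adrian's point above is that the certificate has to be chosen before Apache ever sees a Host: header, so each https site needs its own outside address. What that does not require is that the jail know the outside address: the ipnat rdr rule that already forwards the connection can map each outside address to a different port on the jail's single lo0 alias, and mod_ssl inside the jail then selects the certificate by port. This is the "port-based" variant Kirill asked about, written out as an added example for this page; it is not Alex's configuration and not from the thread. Addresses, hostnames, ports and paths are made up, and the Apache directives are Apache 1.3 + mod_ssl syntax, which is what the ports tree shipped at the time.

```conf
# /etc/ipnat.rules on the host (constructed example; addresses are made up).
# Each outside address on fxp0 is redirected to its own port on the jail's
# lo0 alias, so the destination port, not the destination address, tells
# Apache inside the jail which certificate to present.  Source addresses
# are left alone, so the jail still logs the real client.
rdr fxp0 203.0.113.10/32 port 443 -> 127.0.1.1 port 8443 tcp
rdr fxp0 203.0.113.11/32 port 443 -> 127.0.1.1 port 8444 tcp

# httpd.conf inside the jail (Apache 1.3 + mod_ssl).  One <VirtualHost>
# per redirected port.  "Port 443" with UseCanonicalName On makes
# self-referential URLs carry the outside port instead of 8443/8444.
Listen 127.0.1.1:8443
Listen 127.0.1.1:8444
UseCanonicalName On

<VirtualHost 127.0.1.1:8443>
    ServerName   www.example.com
    Port         443
    DocumentRoot /usr/local/www/example.com
    SSLEngine    on
    SSLCertificateFile    /usr/local/etc/apache/ssl.crt/www.example.com.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/www.example.com.key
</VirtualHost>

<VirtualHost 127.0.1.1:8444>
    ServerName   www.example.net
    Port         443
    DocumentRoot /usr/local/www/example.net
    SSLEngine    on
    SSLCertificateFile    /usr/local/etc/apache/ssl.crt/www.example.net.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/www.example.net.key
</VirtualHost>
```

Load the rules on the host with ipnat -CF -f /etc/ipnat.rules and confirm them with ipnat -l; then, from outside, openssl s_client -connect 203.0.113.10:443 and -connect 203.0.113.11:443 should each print the certificate that belongs to that address. The scheme still spends one public address per https site, exactly as Adrian says; it only removes the need to get /dev/ipl or the outside address into the jail. Anything that walks the jail's sockets (sockstat, the web server's own error messages) will report 8443/8444, so keep the mapping table next to the rules.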
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 22 11:38:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9DB1F37B401 for ; Fri, 22 Nov 2002 11:38:41 -0800 (PST) Received: from carbon.berkeley.netdot.net (carbon.berkeley.netdot.net [216.27.190.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4CD9D43EBE for ; Fri, 22 Nov 2002 11:38:41 -0800 (PST) (envelope-from nick@netdot.net) Received: by carbon.berkeley.netdot.net (Postfix, from userid 101) id A5201F804; Fri, 22 Nov 2002 11:38:40 -0800 (PST) Date: Fri, 22 Nov 2002 11:38:40 -0800 From: Nicholas Esborn To: Alex Povolotsky Cc: freebsd-security@FreeBSD.ORG Subject: Re: jailed virtual https, anyone? Message-ID: <20021122193840.GA16501@carbon.berkeley.netdot.net> References: <20021122155027.7f694357.tarkhil@webmail.sub.ru> <20021122113328.M48082-100000@lorax.ubergeeks.com> <20021122210409.0061b0c7.tarkhil@webmail.sub.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable In-Reply-To: <20021122210409.0061b0c7.tarkhil@webmail.sub.ru> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Have you considered using a simple TCP-port redirector like pound? It's in the ports tree in www/pound. It would pass the connection in to your lo0 alias with minimal modifications to the packets. -nick On Fri, Nov 22, 2002 at 09:04:09PM +0300, Alex Povolotsky wrote: > YES!!! YES!!! YES!!! I do understand it for quite some time!!! > > But, for instance, transproxy extracts real IP information from /dev/ipl, which seems to be unavailable from inside the jail. 
> > I need either proxy with some method of SSL environment variables passing, or some apache module retrieving information from /dev/ipl or something else, or some way to transfer packets keeping original destination address. > > That is what I'm seeking here. > > -- > Alex. -- Nicholas Esborn Unix Systems Administrator Berkeley, California To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 23 2:54:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2FDE637B401; Sat, 23 Nov 2002 02:54:24 -0800 (PST) Received: from buexe.b-5.de (buexe.b-5.de [212.14.80.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7CE9543E3B; Sat, 23 Nov 2002 02:54:22 -0800 (PST) (envelope-from lupe@lupe-christoph.de) Received: from antalya.lupe-christoph.de ([172.17.0.9]) by buexe.b-5.de (8.11.6/8.11.6/b-5/buexe-2.0) with ESMTP id gANAsDx19630; Sat, 23 Nov 2002 11:54:15 +0100 Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id 6EA5E5E2; Sat, 23 Nov 2002 11:54:09 +0100 (CET) Date: Sat, 23 Nov 2002 11:54:09 +0100 To: Alexandr Kovalenko Cc: freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG Subject: Re: OpenSSH's sftp and chroot Message-ID: <20021123105409.GH1848@lupe-christoph.de> References: <20021122134324.GA24134@nevermind.kiev.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20021122134324.GA24134@nevermind.kiev.ua> User-Agent: Mutt/1.4i From: lupe@lupe-christoph.de (Lupe Christoph) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Friday, 2002-11-22 at 15:43:24 +0200, Alexandr Kovalenko wrote: > [I'm again not sure which list is the more appropriate place for 
asking this > question] > Will OpenSSH's sftp-server have support for chroot anytime soon in > RELENG_4{_X} ? Because of the lack of this feature I have to use ssh.com's > ssh, which is what I do not like. Have a look at scponly, http://www.sublimation.org/scponly/ . The 2.4 version is also in /usr/ports/shells . It can do chroot and handles sftp. HTH, Lupe Christoph -- | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | | Big Misunderstandings #6398: The Titanic was not supposed to be | | unsinkable. The designer had a speech impediment. He said: "I have | | thith great unthinkable conthept ..." | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 23 3:55:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 757DF37B401; Sat, 23 Nov 2002 03:55:29 -0800 (PST) Received: from kurush.osdn.org.ua (external.osdn.org.ua [212.40.34.156]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5C5ED43EA9; Sat, 23 Nov 2002 03:55:26 -0800 (PST) (envelope-from never@kurush.osdn.org.ua) Received: from kurush.osdn.org.ua (never@localhost [127.0.0.1]) by kurush.osdn.org.ua (8.12.6/8.12.6) with ESMTP id gANBtMTP093096; Sat, 23 Nov 2002 13:55:22 +0200 (EET) (envelope-from never@kurush.osdn.org.ua) Received: (from never@localhost) by kurush.osdn.org.ua (8.12.6/8.12.6/Submit) id gANBtL3Y093095; Sat, 23 Nov 2002 13:55:21 +0200 (EET) Date: Sat, 23 Nov 2002 13:55:21 +0200 From: Alexandr Kovalenko To: Lupe Christoph Cc: freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG Subject: Re: OpenSSH's sftp and chroot Message-ID: <20021123115521.GA92641@nevermind.kiev.ua> References: <20021122134324.GA24134@nevermind.kiev.ua> <20021123105409.GH1848@lupe-christoph.de> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: 
<20021123105409.GH1848@lupe-christoph.de> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, Lupe Christoph! On Sat, Nov 23, 2002 at 11:54:09AM +0100, you wrote: > > [I'm again not sure which list is the more appropriate place for asking this > > question] > > > Will OpenSSH's sftp-server have support for chroot anytime soon in > > RELENG_4{_X} ? Because of the lack of this feature I have to use ssh.com's > > ssh, which is what I do not like. > > Have a look at scponly, http://www.sublimation.org/scponly/ . The 2.4 > version is also in /usr/ports/shells . It can do chroot and handles > sftp. Thank you! This is what I was looking for! -- NEVE-RIPE, will build world for food Ukrainian FreeBSD User Group http://uafug.org.ua/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 23 22:50:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0DF4F37B404 for ; Sat, 23 Nov 2002 22:50:10 -0800 (PST) Received: from HAL9000.homeunix.com (12-232-220-15.client.attbi.com [12.232.220.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5165F43E9C for ; Sat, 23 Nov 2002 22:50:09 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU) Received: from HAL9000.homeunix.com (localhost [127.0.0.1]) by HAL9000.homeunix.com (8.12.6/8.12.5) with ESMTP id gAO6o3Uf002769; Sat, 23 Nov 2002 22:50:03 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU) Received: (from das@localhost) by HAL9000.homeunix.com (8.12.6/8.12.5/Submit) id gAO6o1kE002760; Sat, 23 Nov 2002 22:50:01 -0800 (PST) (envelope-from dschultz@uclink.Berkeley.EDU) Date: Sat, 23 Nov 2002 22:50:01 -0800 From: David Schultz To: Sheldon Hearn Cc: Mike Silbersack , "David G. 
Andersen" , freebsd-security@FreeBSD.ORG Subject: Re: File table exhaustion patch Message-ID: <20021124065001.GA2683@HAL9000.homeunix.com> Mail-Followup-To: Sheldon Hearn , Mike Silbersack , "David G. Andersen" , freebsd-security@FreeBSD.ORG References: <20021121105204.B75421@cs.utah.edu> <20021121152539.U44884-100000@patrocles.silby.com> <20021122080515.GQ36738@starjuice.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20021122080515.GQ36738@starjuice.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thus spake Sheldon Hearn : > On (2002/11/21 15:29), Mike Silbersack wrote: > > > HOWEVER, we're in a code freeze leading up to 5.0-release, and local DoSes > > aren't a critical bug. > > Is that the official FreeBSD SO team viewpoint on local DoS > vulnerabilities? DoS attacks are incredibly hard to address in general, and I have yet to see a multiuser system that isn't vulnerable to at least several of them. Given that FreeBSD has always been ``vulnerable'' to file table exhaustion, waiting a few weeks isn't going to be the end of the world[1]. My favorite example of a local DoS attack is: while (1) mkdir t && cd t I ``discovered'' this one about a year ago, then found that Dennis Ritchie had pointed it out in the early 1970's. It reliably crashes most systems, often causing massive filesystem corruption. Until someone fixes the scores of known DoS attacks that already exist, I'm not willing to consider any particular attack to be high-priority. [1] These days, the size limit on the file table is administrative anyway, since the table is a hash table. Of course, it doesn't auto-resize if you grow it by an order of magnitude at runtime. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message