Re: Configuring ssh
Hello Mark!
> The latest version of CygWin toolkit contains OpenSSH 2.0pl1... along with all the other unix tools for win32... so you can just run ssh (including tunnels and other advanced features most term-emulators with ssh don't have) from your bash shell.
Nice to hear. I found nothing about it on http://sources.redhat.com/cygwin/. Please tell me where I can download the stuff.
bye, Karsten
--
Syncope Communication Systems GmbH
Klaus-Groth-Str. 84, D-20535 Hamburg
Tel +49 40 25198798 Fax +49 40 25198799
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Problem with inetd and exim.
Hi, I have a problem with inetd and exim. Exim is triggered, although it is not listed in hosts.allow and hosts.deny is All: All or All: All EXCEPT LOCAL. Daemonmode is off, System is Slink. Tested with telnet IP smtp.
- Rolf
Re: Configuring ssh
* Alan KF LAU
| Beside, if one could use password authentication, why would one bother
| to take all the trouble setting up RSA connection? :)
Using ssh-askpass and then having passwordless connections? I am probably not the only one on this list getting my mail by POP-over-SSH.
--
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
Re: Problem with inetd and exim.
On Mon, Nov 06, 2000 at 11:13:40AM +0100, Rolf Kutz wrote:
> :( I use the slink defaults. It's triggered with inetd: /usr/sbin/exim exim -bs, so I thought it should do the job. So I have to recompile or call it via tcpd
both will work, but the tcpd approach is easier :)
> instead? - Rolf
Petr Cech
--
Debian GNU/Linux maintainer - www.debian.{org,cz} [EMAIL PROTECTED]
Phear my "Typical bloody smart-arse debian attitude."
Re: Problem with inetd and exim.
On Mon, Nov 06, 2000 at 09:29:01AM +0100, Rolf Kutz wrote:
> Hi, I have a problem with inetd and exim. Exim is triggered, although it is not listed in hosts.allow and hosts.deny is All: All or All: All EXCEPT LOCAL.
do you run exim via tcpd? Exim itself is not compiled with tcpwrappers support (because when it was enabled people were jumping, that exim suddenly doesn't work).
> Daemonmode is off, System is Slink. Tested with telnet IP smtp. - Rolf
Petr Cech
--
Debian GNU/Linux maintainer - www.debian.{org,cz} [EMAIL PROTECTED]
_Anarchy_ telsa: rommable debian will be potato chips
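
Added example, not part of the thread: the exchange above turns on the fact that hosts.allow and hosts.deny are only consulted when inetd starts tcpd (or the daemon is linked against libwrap). This script lists inetd entries that start their server directly and rewrites one entry to go through tcpd. The function names, the sample entries and the default /usr/sbin/tcpd path are assumptions made for the example.

```shell
#!/bin/sh
# Added example. inetd.conf fields:
#   service socket proto wait user server-path argv0 [args...]
# tcpd consults hosts.allow/hosts.deny only when inetd starts tcpd itself.

sample_conf() {   # constructed sample entries, not taken from the thread
    cat <<'EOF'
# service socket proto wait user server argv0 args
daytime stream tcp nowait root internal
ftp     stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
smtp    stream tcp nowait mail /usr/sbin/exim exim -bs
EOF
}

unwrapped_services() {   # $1 = inetd.conf-style file
    awk '
        /^[ \t]*(#|$)/      { next }   # comments and blank lines
        NF < 6              { next }   # incomplete entry
        $6 == "internal"    { next }   # handled inside inetd
        $6 !~ /(^|\/)tcpd$/ { print $1 ": " $6 }
    ' "$1"
}

wrap_service() {   # $1 = service, $2 = file, $3 = tcpd path (optional)
    awk -v svc="$1" -v tcpd="${3:-/usr/sbin/tcpd}" '
        $1 == svc && NF >= 6 && $6 != "internal" && $6 !~ /(^|\/)tcpd$/ {
            # tcpd becomes the server; the real path moves into argv0
            line = $1 " " $2 " " $3 " " $4 " " $5 " " tcpd " " $6
            for (i = 8; i <= NF; i++) line = line " " $i   # keep real args
            print line
            next
        }
        { print }
    ' "$2"
}

conf=$(mktemp)
sample_conf > "$conf"
echo "Not covered by hosts.allow/hosts.deny:"
unwrapped_services "$conf"
echo "Wrapped entry:"
wrap_service smtp "$conf" | grep '^smtp'
rm -f "$conf"
```

After rewriting, inetd has to re-read its configuration, and the daemon name tcpd matches in hosts.allow is the basename of the wrapped program (exim here).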
Re: Configuring ssh
On Mon, 6 Nov 2000, Karsten Mueller wrote:
> > The latest version of CygWin toolkit contains OpenSSH 2.0pl1... along with all the other unix tools for win32... so you can just run ssh (including tunnels and other advanced features most term-emulators with ssh don't have) from your bash shell.
> Nice to hear. I found nothing about it on http://sources.redhat.com/cygwin/. Please tell me where I can download the stuff.
Just get the installer, it'll find the mirrors and download it from there. The installer can be found here: ftp://sunsite.org.uk/Mirrors/sourceware.cygnus.com/pub/cygwin/setup.exe
Or on other sites... just search with google...
Mark Janssen
Unix Consultant
Unix Support Nederland / PSInet Netherlands
E-mail: [EMAIL PROTECTED] GnuPG Key Id: 357D2178
http: markjanssen.homeip.net www.markjanssen.nl www.maniac.nl
Fax/VoiceMail: +31 20 8757555
Finger for GPG and GeekCode
Re: 'Generic' Firewall Rulesets?
He has a website with a firewall building tool that works pretty well. http://www.linux-firewall-tools.com/linux/firewall/index.html
Chris Gahlon
mikehaarman wrote:
> There is an excellent book on just this topic by a fellow named Robert L. Ziegler, published by New Riders and called Linux Firewalls. A good general discussion of the issues and a couple of good recipes. Also some useful resources at openna.com
> Gmourani's book has some ipchains recipes as well.
> mike
> On Sat, 4 Nov 2000, Troy Telford wrote:
> > Having looked and not found, I'm asking here: Is there any place where I can find a general ruleset for a firewall? And, moreover, while many howto's mention how to specify a rule for a ruleset, they do not specify *what* rules are good/bad/ugly, etc.
> > For instance: Even though packets coming from an FTP port are allowed (supposedly to allow FTP downloads...), apt-get is unable to function properly. Moreover, I have no idea what a 'good' ruleset to simply allow FTP requests from my machine (such as those made by an FTP client on my machine, apt-get, etc.) are reasonably secure. And, in my case, I have incoming FTP disabled, but is there a way to block packets at the firewall (from people requesting FTP services on my computer), while allowing my FTP requests to go unhindered?
> > In fact, I couldn't really find any good information on general firewall construction. I could find information on how to set a rule for the firewall; but now I need to find information on *what* kind of rules are good, and why (and what is bad, and why).
> > Another Example: From what I understand, all TCP/UDP ports above 1024 are 'user' ports, and have no services attached to them. What kind of possible security problems/other risks are involved by having these ports essentially 'open' to the world? What is the tradeoff with closing them off?
> > For my particular situation, the computer is connected directly to the internet on a campus network. I want to be able to have a good 'basic' firewall ruleset that will allow me to do my normal tasks as though there were no firewall active, yet filter out all incoming connection requests (such as telnet, ftp, etc.). I'm running kernel 2.4.0-test9; I have iptables figured out and can apply rulesets just fine. It's knowing what rules make sense and what ones don't that I need help on. I'm more interested in learning how to create a good firewall than simply having one. (So I can make one from scratch should I ever have a specific need).
> > Thanks for any help offered. I hope I didn't run in too many circles!
> > -Troy
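
Added example, not part of the thread: the goal stated in the question above (normal outbound use, no inbound connection requests, a working FTP client) written as a stateful iptables ruleset. The function name emit_ruleset is hypothetical, and the example assumes the FTP connection-tracking helper (ip_conntrack_ftp on 2.4 kernels) is loaded, since that is what makes FTP data connections count as RELATED.

```shell
#!/bin/sh
# Added example: print a stateful ruleset in iptables-restore format.
# Nothing is applied here; load the output as root with iptables-restore.

emit_ruleset() {   # args: inbound TCP ports to open (default: none)
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
    done
    # Default-deny inbound, allow outbound. Replies to connections this
    # host opened match ESTABLISHED, so ports above 1024 need no blanket
    # ACCEPT; FTP data channels and ICMP errors match RELATED.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Explicit exceptions: new inbound TCP connections to listed ports only.
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port --syn -m state --state NEW -j ACCEPT"
    done
    # Answer everything else promptly instead of leaving clients to time out.
    cat <<'EOF'
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

emit_ruleset
```

Called with no arguments it opens nothing inbound; `emit_ruleset 22` would add a single exception for new connections to TCP port 22.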
Re: Configuring ssh
On Mon, Nov 06, 2000 at 12:08:17PM +0300, Alan KF LAU wrote:
> My major concern is that if you enabled password authentication you'd leave your system vulnerable to brute force password attacks as in TELNET. Beside, if one could use password authentication, why would one bother to take all the trouble setting up RSA connection? :)
> I did ask question here, whether I could let one group of user use password authentication (for casual users with limited access) and the other group of users use RSA (for admin. users who have higher privileges). Seem like it's not possible, according to expert opinions here, for current ssh release. I might be wrong, please advise if it's possible. I wish to know! :)
it is possible, but only as a result of ssh's halfway pam support that this works: add
auth required pam_listfile.so item=user sense=deny \
     file=/etc/ssh/ssh_rsa_only onerr=succeed
to /etc/pam.d/ssh and add RSA only usernames to /etc/ssh/ssh_rsa_only
the only reason this works is because ssh ignores (or doesn't run?) all pam auth modules when doing RSA authentication. this is not tested on OpenSSH 2.0, only OpenSSH 1.2*
--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: buffer overflow in pine = 4.21
On Mon, Nov 06, 2000 at 09:54:03AM +0100, Thomas Gebhardt wrote:
> > it should segfault. good indication of a buffer overflow there.
> While this kind of buffer overflow is nasty, (as far as I can see) from a security point of view it is rather harmless.
not if the program in question is setuid or setgid, in those cases a user may be able to exploit the overflow to obtain elevated privileges. note that the .debs created by the debian pine-src packages install pine setgid mail (unnecessarily AFAICT).
> If you can get pine to execute arbitrary code just by sending a malicious mail, that's really dangerous.
indeed.
--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Problem with inetd and exim.
Petr Cech wrote:
> On Mon, Nov 06, 2000 at 09:29:01AM +0100, Rolf Kutz wrote:
> > Hi, I have a problem with inetd and exim. Exim is triggered, although it is not listed in hosts.allow and hosts.deny is All: All or All: All EXCEPT LOCAL.
> do you run exim via tcpd? Exim itself is not compiled with tcpwrappers support (because when it was enabled people were jumping, that exim suddenly doesn't work).
Is this really a good idea? Since the exim install does a fair bit of interactive stuff anyway, wouldn't it be better to put something in there to point out that it does use it, and either manage hosts.allow through the install procedure, or point out how to use it where the hosts_options and hosts_access manpages are??
Nick
Re: Problem with inetd and exim.
On Mon, Nov 06, 2000 at 09:11:45PM + , Nick Phillips wrote:
> Petr Cech wrote:
> > On Mon, Nov 06, 2000 at 09:29:01AM +0100, Rolf Kutz wrote:
> > > Hi, I have a problem with inetd and exim. Exim is triggered, although it is not listed in hosts.allow and hosts.deny is All: All or All: All EXCEPT LOCAL.
> > do you run exim via tcpd? Exim itself is not compiled with tcpwrappers support (because when it was enabled people were jumping, that exim suddenly doesn't work).
> Is this really a good idea? Since the exim install does a fair bit of
what is not a good idea? Leaving it as it always was?
> interactive stuff anyway, wouldn't it be better to put something in there to point out that it does use it, and either manage hosts.allow through the install procedure, or point
maybe yes. Mark?
> out how to use it where the hosts_options and hosts_access manpages are??
libwrap0. you should have this installed
Petr Cech
--
Debian GNU/Linux maintainer - www.debian.{org,cz} [EMAIL PROTECTED]
woot What do you mean it's not packaged in Debian?
Re: Problem with inetd and exim.
Petr Cech wrote:
> > Is this really a good idea? Since the exim install does a fair bit of
> what is not a good idea? Leaving it as it always was?
Leaving tcpwrapper support out... As for default config, probably just
exim: ALL: severity mail.info: allow
or some such. There seem to be far too many rude admins whose mail servers fail the paranoid check these days.
> > out how to use it where the hosts_options and hosts_access manpages are??
> libwrap0. you should have this installed
Evidently, as apart from anything else, exim would presumably have to depend on it if it were built to use it. I meant so that whoever is reading the message knows that they are the manpages to look at for details...
Just a thought.
Nick
non-root loopback crypto
hi all,
I've been using the loopback crypto stuff for a while and I'm looking for a secure way of doing this from my user account instead of having to su to call losetup. Does anyone have suggestions / experience with doing this? I see that you can't just run /sbin/losetup from non-root:
$ losetup -e blowfish /dev/loop0 ~/.crypt
memlock: Operation not permitted
Couldn't lock into memory, exiting.
Are there any other permissions that I can set other than the /dev/loop* stuff to allow me to do this from non-root? or do I have to go the suid route? or is this just not a good idea altogether?
thanks for any comments,
-mike