Re: File transfer using ssh

On Thu, Aug 23, 2001 at 03:08:51PM +0200, Samu wrote:
> On Thu, Aug 23, 2001 at 06:13:04PM +1000, Sam Couter wrote:
> > Philipp Schulte [EMAIL PROTECTED] wrote:
> > > You should never be too lazy to log in as a user and su to root.
> >
> > su to root: 8 character password.
> > ssh directly as root: 1024 bit RSA key.
> >
> > Which one is easiest to crack?
>
> ssh
> try sshmitm in dsniff package ... :-))
> key exchanging is not done in a secure manner

It is secure when you have put the public key on the remote machine
already. SSH is only vulnerable to man-in-the-middle when you first
connect to a host, and accept the host-key.

--
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces! -- Plautus, 200 BCE

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
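The reply above narrows the exposure to the first connection, when the client has no record of the server's host key yet. The usual defence is to put the key into known_hosts before that first connection, from a copy obtained out of band (console, a signed mail, a config-management push). The shell functions below are an added example of mine, not code from the thread; the known_hosts content and the "out-of-band" key are constructed samples and the key blobs are placeholders, not real keys.

```shell
# Added example: pin a host key in known_hosts before first use, and
# distinguish "no entry yet" from "entry differs from the out-of-band copy".

# write_sample_known_hosts FILE  -- constructed data for the demo
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample known_hosts
alpha.example.net,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E-SAMPLE-ALPHA
beta.example.net ssh-rsa AAAAB3NzaC1yc2E-SAMPLE-BETA-OLD
EOF
}

# known_hosts_lookup HOST KEYTYPE FILE
#   Prints the key blob recorded for HOST and KEYTYPE, or nothing.
#   Handles the "name1,name2 type blob" form and skips comment lines.
known_hosts_lookup() {
    awk -v host="$1" -v type="$2" '
        $1 !~ /^#/ && $2 == type {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print $3; exit }
        }' "$3"
}

# host_key_status HOST KEYTYPE EXPECTED_BLOB FILE
#   0: pinned and matches the out-of-band copy
#   1: no entry (ssh would fall back to trust-on-first-use)
#   2: entry exists but differs (key rotation, or someone in the middle)
host_key_status() {
    recorded=$(known_hosts_lookup "$1" "$2" "$4")
    if [ -z "$recorded" ]; then
        return 1
    elif [ "$recorded" = "$3" ]; then
        return 0
    else
        return 2
    fi
}

# pin_host_key HOST KEYTYPE BLOB FILE
#   Adds the entry when absent; never silently replaces a conflicting one.
pin_host_key() {
    host_key_status "$1" "$2" "$3" "$4" && status=0 || status=$?
    case $status in
        0) return 0 ;;
        1) printf '%s %s %s\n' "$1" "$2" "$3" >> "$4" ;;
        *) echo "refusing: $1 already has a different $2 key in $4" >&2
           return 2 ;;
    esac
}
```

Once the key is pinned, StrictHostKeyChecking yes in ssh_config turns the remaining prompt into a hard refusal, so a changed or missing key can never be waved through by a hurried user.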
Re: UP2DATE

On Fri, Aug 24, 2001 at 09:36:14AM +0900, Olaf Meeuwissen wrote:
> --=[ ..:: Vírù§ ::.. ]=-- [EMAIL PROTECTED] writes:
>
> Hmm, can't say I'm overly fond of your email address, but ...
>
> > I saw many Debian users get their system up2date using apt-get. But
> > their versions of the applications are _the_ latest one, when I look
> > at my system I seem to have, up2date, but older versions.
>
> You have older, known-good stable versions.

For certain packages that you use regularly, it can make sense to install
the newest version. Do this by downloading the source package from testing
or unstable, and compiling+installing it. (This way, only the packages you
actually want the new features of are upgraded.)

> Those folks are running unstable/testing. If you don't know how to get
> that in your sources.list, it's probably not for you.

agreed.

> > Could anyone tell me what I can change to get the latest versions ?
>
> For a purist setup:
>
>   deb http://security.debian.org stable/updates main
>   deb http://your debian mirror here/debian stable main
>   deb http://your debian-non-US mirror here/debian-non-US stable non-US/main

I'd write that as

  deb http://mirror/debian-non-US stable/non-US main contrib non-free

(contrib and non-free appended to illustrate the fact that you only need to
write the non-US once, with stable, instead of 3 times, with main, contrib,
non-free) That probably took more time to type than I'll ever save by doing
it my way, but whatever...

>   #deb http://your debian mirror here/debian testing main
>   #deb http://your debian-non-US mirror here/debian-non-US testing non-US/main
>   #deb http://your debian mirror here/debian unstable main
>   #deb http://your debian-non-US mirror here/debian-non-US unstable non-US/main

--
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces! -- Plautus, 200 BCE
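The two spellings of the non-US line are equivalent because apt composes the index path from the distribution and the component: as I understand it, "deb URI DIST COMP" fetches URI/dists/DIST/COMP/binary-ARCH/Packages, so "stable/non-US main" and "stable non-US/main" both land on dists/stable/non-US/main. The functions below are an added example of mine, not anything from the thread or from apt itself; they expand a sources.list line into the index URLs it names so the equivalence can be checked rather than taken on faith. The mirror host name is the placeholder the post uses.

```shell
# Added example: expand sources.list lines into the Packages indices they
# fetch, and compare two lines for equivalence.  Assumes apt's
# URI/dists/DIST/COMP/binary-ARCH/Packages layout.

# apt_index_paths "DEB LINE" ARCH
#   Prints one Packages index URL per component named on the line.
#   Commented-out lines (#deb ...) and deb-src lines print nothing.
apt_index_paths() {
    printf '%s\n' "$1" | awk -v arch="$2" '
        $1 == "deb" {
            uri = $2;  sub(/\/$/, "", uri)     # tolerate a trailing slash
            dist = $3; sub(/\/$/, "", dist)
            for (i = 4; i <= NF; i++)
                printf "%s/dists/%s/%s/binary-%s/Packages\n", uri, dist, $i, arch
        }'
}

# sources_equivalent "LINE A" "LINE B" ARCH
#   Succeeds when both lines name exactly the same set of indices.
sources_equivalent() {
    a=$(apt_index_paths "$1" "$3" | sort)
    b=$(apt_index_paths "$2" "$3" | sort)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# sources_list_indices FILE ARCH
#   Expands a whole sources.list; the commented testing/unstable lines
#   drop out, so the output is what the machine will really pull from.
sources_list_indices() {
    while IFS= read -r line; do
        apt_index_paths "$line" "$2"
    done < "$1"
}
```

Running sources_list_indices over /etc/apt/sources.list is a quick way to confirm that a "stable only" box really has nothing but stable and security.debian.org in its fetch set before the next apt-get upgrade.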
Re: Locking down a guest account - need help.

On Fri, Aug 03, 2001 at 12:46:10PM -0500, David Ehle wrote:
> Howdy all,
> Not debian specific, but this is the best batch of security minds I have
> access to so I figured I'd see if this interests anyone.
> I need to set up some Xterminal replacements - linux boxes that will
> mostly only be running netscape and ssh. They are going to be used for
> visiting staff/students/etc. so they need a guest account with a bad
> password.

Or, use kdm (instead of xdm). It lets you specify which users will be
allowed to log in without typing their password. Thus, you leave the guest
account with a strong password and don't tell it to anybody, but allow
logins as guest from the console via kdm. (BTW, KDM is a decent replacement
for XDM. It can launch whatever you want, not just kde.)

This makes securing FTP, SSH, etc. a lot less worrisome. (you still might
want to block the guest account out of a lot of stuff...)

--
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces! -- Plautus, 200 BCE
Re: File transfer using ssh

At Thu, 23 Aug 2001 17:18, Curt Howland wrote:
> One point: All the Windows scp clients I've tried so far are password
> based, and my server allows only RSA key access, so they don't work.

Take a look at Secure-iXplorer http://www.i-tree.org/ixplorer.htm

It's a front end for the Secure Shell (SSH) Copy PSCP that's part of PuTTY.
With Pageant and the PuTTY saved session option there's no problem dealing
with RSA keys. And you have a GUI to copy files from and to an SSH host
very comfortably.

Jens
Re: Package: ssh 1:1.2.3-9.3 (stable)

On Thu, Aug 23, 2001 at 03:20:59PM +0900, Olaf Meeuwissen wrote:
> Simon Boulet [EMAIL PROTECTED] writes:
>
> > Hi,
> >
> > I had some problems today with sshd. Here is what was reported in my
> > log files:
> >
> > Aug 23 00:23:24 host01 kernel: VM: killing process sshd
> > Aug 23 00:23:24 host01 kernel: swap_free: swap-space map bad (entry f000)
> > Aug 23 00:24:23 host01 kernel: VM: killing process sshd
> > Aug 23 00:24:23 host01 kernel: swap_free: swap-space map bad (entry f000)
> > Aug 23 00:27:51 host01 kernel: VM: killing process sshd
> > Aug 23 00:27:51 host01 kernel: swap_free: swap-space map bad (entry f000)
> > Aug 23 00:28:11 host01 kernel: VM: killing process sshd
> > Aug 23 00:28:11 host01 kernel: swap_free: swap-space map bad (entry f000)
>
> Looks more like a problem with swap space than with ssh to me. Just
> happened to hit sshd.

Yes. 2.2 kernels (especially earlier ones) kill off whatever process they
feel like when the system is out of virtual memory and needs more. To
prevent runaway processes from causing the kernel to kill e.g. init, put

  ulimit -S -v 131072  (adjust this: it's virtual mem size in kB)

in /etc/profile. It's a soft limit, so you don't need to be root to raise
it if you need to run something huge.. A limit equal to or less than your
total physical RAM is usually good, since one process using more than that
would thrash like crazy anyway. (However, if you have 64MB or less of
physical RAM, don't make the limit that low, or netscape might get an
out-of-memory error even when it wasn't in runaway mode...)

Also, I think there is a sysctl (/proc/sys/...) in 2.2 called
overcommit_memory. Turn this off, and your system won't bite off more than
it can chew. With it on, the system doesn't necessarily leave enough space
for zeroed pages that are copy-on-write. It assumes that copy-on-write
pages won't have to be copied. Unfortunately, there is no way to return an
out-of-memory error to a process that is writing to memory. Thus, the
kernel kills off some process. (No, this is not good. Yes, the kernel
hackers know this. Yes, they have made it not so bad in later 2.2 kernels,
and 2.4 has a whole new VM, which mostly does a better job, but is still
in heavy development.)

> > I was just wondering if ssh 1.2.3 was not quite old enough to release
> > the ssh 1:2.5.2p2-3 (testing) package? Anyone can help or has any ideas
> > of what went wrong tonight? Should I upgrade to sshd 2.5.2?

I would upgrade to kernel-image-2.2.19, if you don't have that already.
That should help. Also, if you don't have enough swap set aside (i.e. the
problem was not just one runaway process), then

  dd if=/dev/zero of=/path/to/swapfile bs=1024k count=megs
  $EDITOR /etc/fstab
  swapon -a

> > Hopefully I have telnet still open and I was able to
> > /etc/init.d/ssh restart and now it seems to work as normal.
>
> Having telnet around kind of defeats the purpose of ssh, not? You su to
> root on your telnet connection and your root password flies over the
> wire for all the snoop. Eek!

Yeah, really. Time for a new root passwd, I'd say.

--
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces! -- Plautus, 200 BCE
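The ulimit sizing rule and the swap-file recipe above are easy to get slightly wrong by hand, so here they are as shell functions. This is an added example of mine, not code from the thread: the sizing follows the post (a limit of at most physical RAM, and not that low on a machine with 64MB or less; the twice-RAM fallback for the small case is my own assumption). The plan also includes two steps the post does not list, both facts about Linux rather than guesses: swapon needs the file formatted with mkswap first, and the file should be chmod 600 because a readable swap file exposes whatever was paged out of other users' processes.

```shell
# Added example: the ulimit and swap-file advice as reusable functions.

# recommended_vm_limit_kb MEMTOTAL_KB
#   Soft virtual-memory limit to put in /etc/profile, in kB.
recommended_vm_limit_kb() {
    mem_kb=$1
    if [ "$mem_kb" -gt 65536 ]; then
        echo "$mem_kb"                 # one process may use at most physical RAM
    else
        echo $((mem_kb * 2))           # assumption: small boxes get twice RAM
    fi
}

# profile_ulimit_line MEMTOTAL_KB  -> the line to append to /etc/profile
profile_ulimit_line() {
    echo "ulimit -S -v $(recommended_vm_limit_kb "$1")"
}

# swapfile_plan PATH MEGS
#   Prints, one per line and in order, the commands that add a swap file.
#   chmod 600 and mkswap are the steps the post leaves out.
swapfile_plan() {
    printf '%s\n' \
        "dd if=/dev/zero of=$1 bs=1024k count=$2" \
        "chmod 600 $1" \
        "mkswap $1" \
        "echo '$1 none swap sw 0 0' >> /etc/fstab" \
        "swapon -a"
}

# apply_swapfile_plan PATH MEGS
#   Runs the plan step by step (root required); stops at the first failure.
apply_swapfile_plan() {
    swapfile_plan "$1" "$2" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1         # exit leaves the pipeline subshell
    done
}
```

Feed recommended_vm_limit_kb the MemTotal figure from /proc/meminfo (in kB) and append the printed ulimit line to /etc/profile; review swapfile_plan's output before letting apply_swapfile_plan run it, since the fstab append is not idempotent.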