Re: Crypto File System-Problems Creating One
On 6/9/05, Bernd Eckenfels [EMAIL PROTECTED] wrote:
> In article [EMAIL PROTECTED] you wrote:
> > losetup -e aes-256 /dev/loop0 /dev/hda10
>
> What do you have defined in modules?
>
>   alias cipher-16 rijndael
>
> You also need the cryptoloop module in order to name ciphers by name.
> Try -E 16 instead.

You need to do something like this:

  sudo cryptsetup -c aes -y create SomeUniqueName /dev/hda10
  sudo mount /dev/mapper/SomeUniqueName /mountpoint

-- 
Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178
Unix / Linux Open-Source and Internet Consultant @ Snow.nl
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet
Re: ptrace vulnerability?
-purN linux.orig/kernel/ptrace.c linux/kernel/ptrace.c --- linux.orig/kernel/ptrace.c Thu Mar 13 12:01:46 2003 +++ linux/kernel/ptrace.c Thu Mar 13 13:47:16 2003 @@ -21,6 +21,10 @@ */ int ptrace_check_attach(struct task_struct *child, int kill) { + mb(); + if (!is_dumpable(child)) + return -EPERM; + if (!(child-ptrace PT_PTRACED)) return -ESRCH; @@ -57,7 +61,7 @@ int ptrace_attach(struct task_struct *ta (current-gid != task-gid)) !capable(CAP_SYS_PTRACE)) goto bad; rmb(); - if (!task-mm-dumpable !capable(CAP_SYS_PTRACE)) + if (!is_dumpable(task) !capable(CAP_SYS_PTRACE)) goto bad; /* the same process cannot be attached many times */ if (task-ptrace PT_PTRACED) @@ -123,6 +127,8 @@ int access_process_vm(struct task_struct /* Worry about races with exit() */ task_lock(tsk); mm = tsk-mm; + if (!is_dumpable(tsk) || (init_mm == mm)) + mm = NULL; if (mm) atomic_inc(mm-mm_users); task_unlock(tsk); diff -purN linux.orig/kernel/sys.c linux/kernel/sys.c --- linux.orig/kernel/sys.c Thu Mar 13 12:01:57 2003 +++ linux/kernel/sys.c Thu Mar 13 13:41:25 2003 @@ -1286,7 +1286,7 @@ asmlinkage long sys_prctl(int option, un error = put_user(current-pdeath_signal, (int *)arg2); break; case PR_GET_DUMPABLE: - if (current-mm-dumpable) + if (is_dumpable(current)) error = 1; break; case PR_SET_DUMPABLE: @@ -1294,7 +1294,8 @@ asmlinkage long sys_prctl(int option, un error = -EINVAL; break; } - current-mm-dumpable = arg2; + if (is_dumpable(current)) + current-mm-dumpable = arg2; break; case PR_SET_UNALIGN: #ifdef SET_UNALIGN_CTL -- Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178 Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
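Review bot: is_dumpable() is called in every hunk of this patch but defined in none of them, so the header change that introduces it is missing from what was posted; whatever that helper does, it has to cope with a NULL task->mm, because the old code dereferenced task->mm->dumpable directly and the new check sits at the very top of ptrace_check_attach, before the PT_PTRACED test, where the child may be a kernel thread or already exiting. Note also that the archive has eaten the `&` characters (`child-ptrace PT_PTRACED` stands for `child->ptrace & PT_PTRACED`, `!capable(...)` was preceded by `&&`), so the diff cannot be applied as rendered here.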
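Review bot: the dumpable test in ptrace_attach is still only ordered by rmb() and still runs without task_lock() on the target, so it can pass a moment before the target execs a setuid image and has dumpable cleared; the is_dumpable() check added at the top of ptrace_check_attach in the first hunk is what re-validates the tracer on every later request, so this hunk must not be backported on its own.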
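Review bot: forcing mm = NULL for a non-dumpable target or a kernel thread (the init_mm comparison, which must read `&init_mm == mm` once the stripped `&` is restored) makes access_process_vm() return 0 instead of an error, so callers such as PTRACE_PEEK*/POKE* and the /proc/<pid>/mem reader see a short transfer indistinguishable from end-of-file; that is acceptable for a security fix, but a one-line comment on the new `if` explaining the deliberate zero return would save the next reader a trip through the callers.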
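Review bot: guarding the assignment with is_dumpable(current) silently drops a PR_SET_DUMPABLE request from a process that is already non-dumpable, and nothing in the hunk sets error on that path, so the caller is told the call succeeded; either return -EPERM there or document that a process which gained privilege through a setuid exec can never turn core dumps back on, which will surprise daemons that call prctl(PR_SET_DUMPABLE, 1) after dropping privileges precisely to get core files.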
Re: security.debian.org down?
On Mon, 2003-03-10 at 21:41, Jeremy Drake wrote:
> I can ping security.debian.org, but cannot use http or ftp. It just
> hangs. non-us.debian.org is the same box, and having the same troubles.
> Is this just me?

Yeah... I've noticed this too... hopefully someone can check into it :)

I use it as one of my main debian mirrors, since it's only 5 hops away
from me :)

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: question about SSH / IPTABLES
On Thu, 2003-01-23 at 12:24, Iñaki Martínez wrote:
> I have a server in internet and I want several clients to access to it
> via SSH but I DON'T want them to be able to use SSH from that server.
> So a client can access the server via SSH, but s/he CAN NOT ssh to
> other servers from my server...

I'm sure it's possible to (try) and do this using some ip-tables magic or
by just removing the ssh binary from the system. This will however not
prevent them from doing this, since they can place their own ssh client
on the system and connect to other systems over ports you do not expect
(like sshd's running on port 80, 443 or random port numbers).

Why do you want to disallow people to ssh out of your system, while
allowing them to ssh into it ???

You can never block anyone who _wants_ to do something.

-- 
Mark Janssen [EMAIL PROTECTED]
Saiko Internet Technologies
Re: Automatic Debian security updates, an Implementation
On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote:
> I don't understand the need for this. Can someone explain why
> 'apt-get update && apt-get dist-upgrade' is not sufficient to keep a
> debian system secure and updated?

It'll get to you when you have 200+ debian systems spread across the
internet in different cities, timezones and administrative domains :)

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: ssh banner
On Fri, 2002-10-18 at 14:58, [EMAIL PROTECTED] wrote:
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
>
> How can I disable the message ?

You can limit it somewhat (by editing source), but the protocol needs the
version string, so you can't change it without breaking compatibility.

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: Business Proposal (Urgent)
On Tue, 2002-09-24 at 09:07, Brad Corsello wrote:
> I propose that we accept Dr. Adams's proposal and use the windfall to
> fund Debian development. Who wants to put up the money for his fees?
>
> > From: Dr. Kola Adams [EMAIL PROTECTED]
> > Reply-To: Dr. Kola Adams [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Business Proposal (Urgent)
> > Date: Tue, 24 Sep 2002 05:55:21 -0700

I suggest you first read: http://home.rica.net/alphae/419coal/
which clearly describes the working of this scam...

Just ignore it, or send it on to the relevant government agency...

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
OpenSSH 3.4 released... should FIX problems
Head over to OpenSSH.com

They have just released version 3.4, which should fix some overflow
problems and adds lots of new checks against dubious input.

Advisories and updates on the various pages there.

Mark Janssen
Syconos IT Consultancy
Re: ssh and password authentication
On Tue, 2002-06-25 at 15:35, Florent Rougon wrote:
> But the default sshd_config in the openssh-3.0.2p1 package has a comment
> indicating the contrary:
>
> ,
> | # To disable tunneled clear text passwords, change to no here!
> | PasswordAuthentication yes
> `
>
> and according to that comment, the default setting would be insecure...

Nope... it's just the way you read it... It's a tunnelled clear-text
password, meaning the 'clear-text' password is transmitted through the
tunnel. The tunnel is encrypted.

It just means that the password will be visible to roots on both ends of
the tunnel, but not to anyone in between. So it's quite safe ;)

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: [SECURITY] [DSA-134-2] Unknown OpenSSH remote vulnerability
On Tue, 2002-06-25 at 15:57, Kruskal wrote:
> Has anyone applied this update yet? I did so on a potato box, enabled
> priv separation in the sshd config file and restarted sshd. I saw that
> a user called sshd was created. However, when I ssh'ed in, I didn't see
> any processes owned by sshd. In fact, the ssh daemon process was still
> owned by root.

I noticed this as well... and decided to roll my own version, and include
a patch for setproctitle support, this to aid debugging.

It in fact does work, but the 'sshd' process from the 'sshd' user only
exists before login. If you connect to the ssh daemon it will fork off
this process; if you do a ps listing at this stage you will see it. As
soon as you log in, this process will be replaced by a process running
as your user account.

You can also see that the 'priv' process (running as root) will be
chrooted in /var/run/sshd

This was/is all in woody, but I suspect potato to act the same :)

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: DSA-134-1
On Tue, 2002-06-25 at 18:11, Phillip Hofmeister wrote:
> *TECHNICALLY* every login is root. Getty runs as root and then gives up
> root to the authenticated user once PAM gives the okay... Does this mean
> the user can break back into root? If they exit their shell (Ctrl + D,
> or pick your choice of logout method...) then Getty immediately respawns

No... getty exec's a shell (or a login actually) and when this exits the
inetd restarts the getty. :)

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: [SECURITY] [DSA-134-2] Unknown OpenSSH remote vulnerability
On Tue, 2002-06-25 at 18:27, Tycho Fruru wrote:
> In the recommended config it would be something like /var/empty, not
> writable by the sshd user. I don't have a system handy to verify whether
> the package does the right thing here though.

The debian package chroots to the empty and root:root owned dir
/var/run/sshd

I myself changed this to root:sys, but that shouldn't really matter.

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: Generating Mail passwords
On Fri, 2002-05-24 at 15:04, Lars Roland Kristiansen wrote:
> Hi, I have configured postfix, pop-before-smtp and ipop3 (ssl) on a
> debian mail server. I have 200 users and want some new more secure
> passwords (not too long though). Is there a simple way to generate
> secure passwords so I can use them with adduser?

pwgen or one of the other password generation tools with the right
options. :)

apt-cache show pwgen

  Description: Automatic Password generation
   pwgen generates random, meaningless but pronounceable passwords.
   Depending on how the program was installed, these words contain
   either only lowercase letters, or upper and lower case mixed, or
   digits thrown in. Uppercase letters and digits are placed in a way
   that eases remembering their position when memorizing only the word.

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
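As an added illustration of the pwgen approach described above (this is example code, not pwgen's own nor anything from the thread): a pwgen-style generator that alternates consonants and vowels, drops in one uppercase letter and one digit, and computes exactly how many bits of entropy the pronounceability costs compared with a plain random alphanumeric password of the same length; the `chpasswd_lines` helper produces the `user:password` format that `chpasswd` reads, for setting 200 accounts in one pass.

```python
import math
import secrets
import string

# Letter classes for the consonant/vowel alternation; q and y are left out
# because they make awkward syllables.  The class sizes feed the entropy sum.
CONSONANTS = "bcdfghjklmnprstvwxz"   # 19 letters
VOWELS = "aeiou"                     # 5 letters


def pronounceable(length=8, rng=None):
    """Return a pwgen-style password of `length` characters.

    The body alternates consonant/vowel letters, which is what keeps the word
    pronounceable; one letter is uppercased and one digit is inserted at a
    random position.  `rng` defaults to the OS CSPRNG (random.SystemRandom);
    a seeded random.Random may be passed only for reproducible tests.
    """
    if length < 4:
        raise ValueError("length must be at least 4")
    rng = rng or secrets.SystemRandom()
    n_letters = length - 1                        # one slot goes to the digit
    letters = [rng.choice(CONSONANTS if i % 2 == 0 else VOWELS)
               for i in range(n_letters)]
    up = rng.randrange(n_letters)                 # which letter to capitalise
    letters[up] = letters[up].upper()
    slot = rng.randrange(length)                  # digit position, 0..length-1
    letters.insert(slot, rng.choice(string.digits))
    return "".join(letters)


def entropy_bits(length=8):
    """Exact entropy of pronounceable(length): log2 of the number of distinct
    outputs.  Each choice tuple (letters, uppercase index, digit, digit slot)
    yields a different string, so the count is the product of the choices."""
    n_letters = length - 1
    n_cons = (n_letters + 1) // 2                 # even indices 0, 2, 4, ...
    n_vow = n_letters // 2                        # odd indices
    return (n_cons * math.log2(len(CONSONANTS))
            + n_vow * math.log2(len(VOWELS))
            + math.log2(len(string.digits))
            + math.log2(length)                   # digit slot
            + math.log2(n_letters))               # uppercase position


def random_alnum_bits(length=8):
    """Entropy of an unconstrained alphanumeric password of the same length,
    for comparison: pronounceability is paid for in bits."""
    return length * math.log2(len(string.ascii_letters + string.digits))


def chpasswd_lines(users, length=8, rng=None):
    """Build 'user:password' lines in the format chpasswd(8) reads from
    stdin, one per account."""
    return ["%s:%s" % (user, pronounceable(length, rng)) for user in users]


if __name__ == "__main__":
    print("8-char pronounceable: %.1f bits, 8-char random alnum: %.1f bits"
          % (entropy_bits(8), random_alnum_bits(8)))
    for line in chpasswd_lines(["alice", "bob"]):
        print(line)
```

An 8-character password from this scheme carries about 33 bits against roughly 48 for eight fully random alphanumerics, which is the trade the poster's "not too long" requirement is making.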
Re: how to unsubscribe.
On Fri, 2002-04-26 at 09:58, Trancom wrote:
> how to unsubscribe.
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Look here                                   Or Here
 \/ \/ \/ \/ \/ \/                          \/ \/ \/ \/ \/ \/

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: OpenSSH 3.1
On Sun, 2002-04-07 at 14:34, Peter Lieven wrote:
> Is there any reason why there is no OpenSSH 3.1 package for debian
> available yet? is the OpenSSH_3.0.2p1 version available in the
> testing/unstable tree already patched against the March 7, 2002:
> Off-by-one error in the channel code security hole?

Yes, it was fixed in debian package Openssh_3.0.2p1-8 (maybe already in
7, but that had other problems)

Debian usually patches the (security) bug, without going straight to the
new upstream release, but only upgrading the package number

-- 
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl
GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
Re: scp and sftp
On Mon, 2002-04-01 at 18:41, Jon McCain wrote:
> Chris Reeves wrote:
> > Why not change the users' shell to /usr/bin/menu?
>
> Because they need to be able to transfer files to their home
> directories. If you do this, then ftp, pscp, etc won't work. My original
> goal was to allow them transfer files to/from home directory with
> something besides ftp (since they are going over the internet) but not
> allow them to change to directories above the home. Proftp allowed me
> to chroot them to the home but scp/sftp does not.

Like I said in a previous post. SSH/SFTP/SCP will allow the same kind of
chroot-ing proftp does, using the chroot-patch for openssh. You'll have
to compile sshd yourself, and place some bins/libs in the user's homedirs
(maybe hardlinks to some generic skeleton dir)

Here is my ssh/chroot setup:

. == chrooted user's homedir:

./bin:
total 660
drwxr-xr-x  2 root  root    4096 Mar 18 13:36 .
drwxr-xr-x  8 guest guest   4096 Mar 15 16:53 ..
-r-xr-xr-x  1 root  root  531160 Feb  6 22:36 bash
-r-xr-xr-x  1 root  root   43916 Nov 29 13:19 ls
-r-xr-xr-x  1 root  root   16684 Nov 29 13:19 mkdir
-rwxr-xr-x  1 root  root   23960 Mar 18 13:36 more
-r-xr-xr-x  1 root  root    9916 Jul 26  2001 pwd
-r-xr-xr-x  1 root  root   24780 Nov 29 13:19 rm
lrwxrwxrwx  1 root  root       4 Mar 30 16:29 sh -> bash

./etc:
total 24
drwxr-xr-x  2 root  root    4096 Mar 15 16:13 .
drwxr-xr-x  8 guest guest   4096 Mar 15 16:53 ..
-rw-r--r--  1 root  root      54 Mar 15 13:23 group
-rw-r--r--  1 root  root     428 Mar 15 15:56 hosts
-rw-r--r--  1 root  root      44 Mar 15 15:53 passwd
-rw-r--r--  1 root  root      52 Mar 15 13:23 shells

./lib:
total 1848
drwxr-xr-x  2 root  root    4096 Mar 18 13:37 .
drwxr-xr-x  8 guest guest   4096 Mar 15 16:53 ..
-rwxr-xr-x  1 root  root   92511 Mar 15 12:49 ld-linux.so.2
-rwxr-xr-x  1 root  root 1170812 Mar 15 12:49 libc.so.6
-rw-r--r--  1 root  root   20900 Mar 15 13:01 libcrypt.so.1
-rw-r--r--  1 root  root    9436 Mar 15 12:49 libdl.so.2
-rw-r--r--  1 root  root  248132 Mar 15 12:48 libncurses.so.5
-rw-r--r--  1 root  root   71332 Mar 15 13:00 libnsl.so.1
-rw-r--r--  1 root  root   34144 Mar 15 16:10 libnss_files.so.2
-rw-r--r--  1 root  root   29420 Mar 15 12:57 libpam.so.0
-rw-r--r--  1 root  root  105498 Mar 15 12:51 libpthread.so.0
-rw-r--r--  1 root  root   25596 Mar 15 12:51 librt.so.1
-rw-r--r--  1 root  root    7760 Mar 15 12:59 libutil.so.1
-rw-r--r--  1 root  root   24328 Mar 15 12:57 libwrap.so.0

./usr:
total 16
drwxr-xr-x  4 root  root    4096 Mar 15 13:00 .
drwxr-xr-x  8 guest guest   4096 Mar 15 16:53 ..
drwxr-xr-x  2 root  root    4096 Mar 15 15:55 bin
drwxr-xr-x  2 root  root    4096 Mar 15 15:37 lib

./usr/bin:
total 340
drwxr-xr-x  2 root  root    4096 Mar 15 15:55 .
drwxr-xr-x  4 root  root    4096 Mar 15 13:00 ..
-rwxr-xr-x  1 root  root   10332 Mar 15 15:55 env
-rwxr-xr-x  1 root  root   13052 Mar 15 13:13 id
-r-xr-xr-x  1 root  root   25432 Mar 15 12:40 scp
-rwxr-xr-x  1 root  root   43768 Mar 15 15:15 sftp
-r-sr-xr-x  1 root  root  218456 Mar 15 12:40 ssh
-rwxr-xr-x  1 root  root    9692 Mar 15 13:17 tty

./usr/lib:
total 852
drwxr-xr-x  2 root  root    4096 Mar 15 15:37 .
drwxr-xr-x  4 root  root    4096 Mar 15 13:00 ..
-rw-r--r--  1 root  root  771088 Mar 15 13:01 libcrypto.so.0.9.6
-rw-r--r--  1 root  root   54548 Mar 15 13:00 libz.so.1
-rwxr-xr-x  1 root  root   23096 Mar 15 15:37 sftp-server

Some of these can probably be removed in your case (I also allow some
local commands, not only sftp/scp). Just make sure all these files are
owned by root (or some other user) and not writable by the chrooted
user.

> I can use vpn to let them safely use ftp over the internet. That's the
> only way they can use ftp since the firewall blocks ftp from the
> internet. But that still leaves the scp hole.

Fixed :)

The chroot-patch is at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=139047&repeatmerged=yes
or: http://www.cag.lcs.mit.edu/~raoul/

-- 
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl
GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
Re: scp and sftp
On Sun, 2002-03-31 at 05:24, Jon McCain wrote:
> I've been playing around with the scp and sftp components of putty and
> noticed what I consider a security hole. Winscp does the same thing. The
> user can change to directories above their home. Is there a way to
> chroot them like you can in an ftp config file? I don't see anything in
> the sshd config files. If you can't, how can I disable the scp
> functionality? I'm not talking about scp from the linux box. The users
> don't have shell access so that's not a problem. I'm referring to
> remote people using a scp client to access my linux machine. You can
> disable sftp ability by removing the sftp-server program but the scp
> server part seems to be part of sshd.

There is a chroot patch for SSH. You can find it in the Bug tracking
system (I added it there a few weeks ago).

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=139047&repeatmerged=yes

If you apply that patch to your SSHd and modify the /etc/passwd file by
using the special token '/./' in the user's homedir he will be chrooted
at the token.

Example:

joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash

Now joeuser will be chrooted to /home/joe

This works for SSH and SCP / SFTP etc of course.

Mark Janssen

> I did not see anything about this issue on the openssh web site.
> Anybody got any suggestions?

-- 
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl
GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
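An added example, not code from the chroot patch or from either thread, covering both this post's `/./` passwd token and the "make sure all these files are owned by root and not writable by the chrooted user" rule from the ssh/chroot setup listing in the earlier thread: a splitter for the token (generalised to a prefix before `/./`, which the patch convention allows but the post only shows the home-is-jail-root form of) and an auditor that walks an `ls -l` dump of the jail and flags anything the jailed account could alter, plus setuid-root binaries such as the `ssh` in that listing. The listing in the code is constructed, not the poster's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHROOT_TOKEN = "/./"   # the marker the chroot patch looks for in the home field


@dataclass
class ChrootedHome:
    user: str
    uid: int
    gid: int
    chroot_dir: str   # what the patched sshd chroot()s into
    inner_home: str   # the user's working directory as seen inside the jail
    shell: str


def parse_passwd_line(line: str) -> Optional[ChrootedHome]:
    """Split a passwd entry at the /./ token.

    '/home/joe/./'         -> jail /home/joe, home '/' inside it (the post's case)
    '/srv/jail/./home/ann' -> jail /srv/jail, home /home/ann inside it
    Returns None for an ordinary, unjailed entry.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line: %r" % line)
    user, _pw, uid, gid, _gecos, home, shell = fields
    if CHROOT_TOKEN not in home:
        return None
    root, _, inner = home.partition(CHROOT_TOKEN)
    inner = inner.strip("/")
    return ChrootedHome(user, int(uid), int(gid), root or "/",
                        "/" + inner if inner else "/", shell)


# One `ls -l` entry: mode, link count, owner, group, size, month, day,
# time-or-year, name (with an optional ' -> target' for symlinks).
_LS_ENTRY = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+?)(?:\s+->\s+\S+)?$")


def audit_listing(listing: str, jail_user: str, jail_group: str) -> List[Tuple[str, str]]:
    """Flag entries the jailed account could modify (it could then replace
    bash, sftp-server, ld-linux.so.2 ...), plus setuid-root binaries, which
    deserve a second look inside a jail."""
    findings = []
    for raw in listing.splitlines():
        m = _LS_ENTRY.match(raw.strip())
        if not m:
            continue                     # 'total N' and './dir:' header lines
        mode, owner, group, name = m.group("mode", "owner", "group", "name")
        if name in (".", "..") or mode[0] == "l":
            continue                     # symlink bits are meaningless; the target is listed itself
        if owner == jail_user:
            findings.append((name, "owned by the chrooted user"))
        elif group == jail_group and mode[5] == "w":
            findings.append((name, "group-writable by the chrooted user's group"))
        elif mode[8] == "w":
            findings.append((name, "world-writable"))
        if mode[0] == "-" and mode[3] in "sS" and owner == "root":
            findings.append((name, "setuid root inside the jail"))
    return findings


# Constructed sample in the layout of the post's listing (not the poster's data);
# several entries deliberately break the "root-owned, not writable" rule.
SAMPLE_LISTING = """\
./bin:
total 660
drwxr-xr-x  2 root  root    4096 Mar 18 13:36 .
drwxr-xr-x  8 guest guest   4096 Mar 15 16:53 ..
-r-xr-xr-x  1 root  root  531160 Feb  6 22:36 bash
-rwxrwxr-x  1 root  guest  23960 Mar 18 13:36 more
lrwxrwxrwx  1 root  root       4 Mar 30 16:29 sh -> bash
./usr/bin:
total 340
-r-sr-xr-x  1 root  root  218456 Mar 15 12:40 ssh
-rwxr-xr-x  1 guest guest  43768 Mar 15 15:15 sftp
-rw-rw-rw-  1 root  root     428 Mar 15 15:56 hosts
"""

if __name__ == "__main__":
    print(parse_passwd_line("joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash"))
    for name, why in audit_listing(SAMPLE_LISTING, "guest", "guest"):
        print("%-12s %s" % (name, why))
```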
Re: apache-ssl/woody cannot handle password protected keys?
On Mon, 2002-02-25 at 15:30, Thomas Gebhardt wrote:
> Hi, just upgraded a host from potato to woody, I observed that my
> apache-ssl failed to work.

Here comes the trick... it does work...

> # /usr/sbin/apache-sslctl start
> Reading key for server my.server:443
> Enter PEM pass phrase:

You are supposed to type in the passphrase at this point... within the
5-10 seconds that are provided to you in the script

> It's supposed to be getting the passphrase from somewhere...

and YOU need to type it here. :)

> Launching... /usr/lib/apache-ssl/gcache pid=22730
> /usr/sbin/apache-sslctl start: httpsd started

-- 
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl
GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
Re: I want to test my firewall from the outside
On Thu, 2002-02-14 at 16:20, Cristian Ionescu-Idbohrn wrote:

> Greetings, Yes, I would like to do that. Any good tools you folks would recommend?

Nmap from a dial-up connection... or login to some unix host and nmap from there...

Maniac

(Or... just throw your IP into the internet... and let the rest of the world probe your ports)
Re: How to modify SSH2 prompt message?
On Thu, Feb 07, 2002 at 09:46:41AM +0800, wrote:

> Hello, Running Woody (2.4.17-1) and ssh (3.0.2p1-6). When I telnet to the box, it prompts me:
>
> SSH-2.0-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-6.
> Protocol mismatch..

Are you telnetting to the SSH port (or running SSH on the telnet port).

You can't get rid of this message (unless you also use a modified client.) The message is part of the protocol, and it is required that SSH servers specify their version.

You could modify the string... (removing or altering the OpenSSH part). But the SSH-2.0- part is mandatory !!

--
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
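The split between the mandatory and the free-form part of that banner, as an added example (not from the original post): ssh_banner_parse takes an identification string of the form "SSH-<protoversion>-<softwareversion> [comments]", the format the reply describes, and returns the three parts, refusing anything without the "SSH-x.y-" prefix the same way the server refuses a plain telnet line.

```shell
#!/bin/sh
# Added example, not from the post: split an SSH identification string into
# the protocol-mandated part and the free-form part. Assumed format (as the
# reply describes it): "SSH-<protoversion>-<softwareversion> [comments]".

# ssh_banner_parse BANNER: print "proto|software|comments", or fail with
# the same complaint a server gives when the mandatory prefix is missing.
ssh_banner_parse() {
    banner=$(printf '%s' "$1" | tr -d '\r')    # drop a trailing CR, if any
    case $banner in
        SSH-[0-9]*.[0-9]*-?*) ;;
        *) printf 'Protocol mismatch.\n' >&2
           return 1 ;;
    esac
    proto=${banner#SSH-}; proto=${proto%%-*}   # e.g. 2.0 (mandatory part)
    rest=${banner#SSH-*-}                      # software version + comments
    software=${rest%% *}                       # e.g. OpenSSH_3.0.2p1
    comments=${rest#"$software"}; comments=${comments# }
    printf '%s|%s|%s\n' "$proto" "$software" "$comments"
}

# Demo on the banner quoted in the question (constructed call, not captured
# traffic) and on a line a telnet user might type instead.
ssh_banner_parse 'SSH-2.0-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-6'
ssh_banner_parse 'hello' || echo "(rejected, as sshd would)"
```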
Re: portscans and sniffing
On Mon, Jan 21, 2002 at 10:36:18AM +0100, [EMAIL PROTECTED] wrote:

> Hi all. I have startet a Security Company in Germany an now i have e few questions.

First try learning how to write :)

> Are ftp anonymous scans illegal?

That depends on what country the system is located in, but generally it is considered illegal to portscan or attempt to access systems you are not authorized to access. However there is hardly any enforcement of these rules.

> if it is, can i get an license to do penetrations test?

I suggest you only scan systems you are authorized to scan by their respective owners (your clients) and keep well away from other people's boxes.

--
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Re: MTAs
On Wed, Nov 21, 2001 at 12:56:53PM +0200, Juha Jäykkä wrote:

> On the other hand, if exim is run from inetd (as I do), does it still need to be suid root? Since inetd runs root anyway, there should bit from exim. Now my original question was: does it (exim) still need to be suid root? And the question still remains and depends (solely?) on whether it still can communicate with inetd.

I would assume no setuid-root exim is needed for it to communicate with inetd.

> Inetd runs exim with mail's privileges so giving mail access to any necessary directories is enough for exim to function - unless there are issues with the permissions of /var/spool/mail/<insert your favourite username here>. Now another question: are there?

As long as /var/spool/mail/* is writable/owned by the 'mail' user I do not see a problem here. Also check /var/spool/mqueue... if also using outgoing e-mail

--
Mark Janssen
Unix Consultant @ SyConOS IT
Re: OpenSSH 3, DEBIAN 2.2 and PAM authentication
On Mon, Nov 12, 2001 at 02:21:11PM +0100, Carsten Nottebohm wrote:

> Looks fine to me. I think OpenSSH uses /etc/pam.d/sshd (Note the d in the end). Try renaming your pam config file.

To be exact, SSH uses whatever the binary is named. So if you name it opensshd it'll use /etc/pam.d/opensshd. If you name it sshd it will use /etc/pam.d/sshd etc :)

That's what I read last week in some docs on the OpenSSH site :)

--
Mark Janssen
Unix Consultant @ SyConOS IT
Re: FTP and security
On Thu, Nov 08, 2001 at 04:57:22PM -0500, Adam Spickler wrote:

> Is there a decent Windows FTP application that supports sftp? Unfortunately, I have to use Windows at work. :/

cygwin includes openssh... and the sftp it has supports everything you need.

--
Mark Janssen
Unix Consultant @ SyConOS IT
Re: shared root account
On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha Jäykkä wrote:

> I have a bit of a situation: I have a handful of linux machines (almost all with different distributions and kernels and software - .. time (we all know keeping up security is a fulltime job). Obviously to install patches etc I, also, need root privileges. This poses a problem if I am not to remember all those different root passwords and without making all the passwords the same! How can that _safely_ be accomplished? There are versions of su, sudo etc) that do not ask passwords, there are suid binaries but which is _THE_ way

You could also use SSH to accomplish this. Set it up so you log in with RSA/DSA keys (and no passwords) and authenticate with your key's passphrase. You will become root on the machine, and you'll be able to use your own passphrase, as will the other 'root's on the machine, each his own keypair and passphrase.

(Put the public key in the .authorized_keys file for the root user)

Turn on RSA/DSA authentication and 'allow root login'

--
Mark Janssen
Unix Consultant @ SyConOS IT
Re: SSH and RSA
On Mon, Feb 19, 2001 at 10:14:18AM -0800, Duane Powers wrote:

> Hi all, Recently I was made administrator over a dozen Solaris boxen

heh

> The prior admin was offsite and used ssh with rsa keys to access the boxes. He allowed root login, and used the RSA key functionality to keep the root password safe. I am not as mature as he was regarding ssh

newbie

> and have only used ssh as a plug in replacement to telnet, I tend to not set a different p/w during ssh-keygen and simply access the boxes as follows: ssh -l me hostname then I login using the normal p/w that is local to the box. I have found that he did not need to transmit the local password over the tunnel, but rather used RSA to verify his identity, but I can't find documentation on how to do it.

man ssh, man ssh-agent, man ssh-add, Practical UNIX & Internet Security

> does anyone have any information on how I can implement the same safeguards? Or where I can at least find some documentation on practical ssh implementation.

Ok... check your /etc/ssh/sshd_options file

You need to enable some options with RSA in their name, they are all there, only commented out by default.

Next you need to go to your user's .ssh directory (the user/system you want to ssh to... so root on your solaris boxes) and create a file called authorized_keys (check the local sshd manual page for exact name, it will differ between implementations) and append your public key to it so:

    cat my-public-key >> ~/.ssh/authorized_keys

Then you should be able to login with your key and key passphrase, and not the local account password.

I just tried it on my local system and it works great (using teraterm ssh on windows to my debian linux box)

Here's the line from the sshd_options file:

    RSAAuthentication yes

More info can be found in the sshd_options file and the manual page for sshd (not ssh) ;)

Have fun...

> As always, You guys are great, thanks in advance for the help, ~duane

--
Mark Janssen
Unix Consultant @ SyConOS IT
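The authorized_keys step from this reply and from the shared-root reply above, as an added example (not the posters' code): add_authorized_key appends a key the way the "cat >> authorized_keys" line does, but only once per key blob and with the directory and file permissions that sshd's StrictModes setting refuses to accept when they are looser (0700 for .ssh, 0600 for authorized_keys). It assumes a target home directory and a key in OpenSSH authorized_keys format; note that RSAAuthentication was the protocol-1 option, and in current OpenSSH the equivalent for protocol-2 keys is PubkeyAuthentication.

```shell
#!/bin/sh
# Added example, not code from the post: install a public key for key-based
# login idempotently and with the permissions sshd (StrictModes) expects.
# Assumes HOME_DIR is the target user's home and KEY_LINE is one line in
# OpenSSH authorized_keys format ("<type> <base64 blob> [comment]").

# add_authorized_key HOME_DIR KEY_LINE: append KEY_LINE unless its key blob
# is already present; print "added" or "already present".
add_authorized_key() {
    home=$1 key=$2
    dir=$home/.ssh
    file=$dir/authorized_keys
    # create missing pieces with a restrictive umask, then enforce the modes
    # on existing ones too, since sshd ignores a group/world-writable file
    ( umask 077; [ -d "$dir" ] || mkdir "$dir"; [ -f "$file" ] || : > "$file" )
    chmod 700 "$dir"
    chmod 600 "$file"
    # match on the base64 blob (second field) so a changed comment does not
    # produce a duplicate entry for the same key
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$file"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$file"
        echo "added"
    fi
}

# key_count HOME_DIR: number of non-comment lines in the user's authorized_keys.
key_count() {
    grep -c '^[^#]' "$1/.ssh/authorized_keys"
}

# Demo in a throwaway directory with a constructed (not real) key blob.
demo_home=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedKEYblob duane@example'
add_authorized_key "$demo_home" "$demo_key"        # added
add_authorized_key "$demo_home" "$demo_key"        # already present
key_count "$demo_home"                             # 1
rm -rf "$demo_home"
```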
Re: Configuring ssh
On Mon, 6 Nov 2000, Karsten Mueller wrote:

> > The latest version of CygWin toolkit contains OpenSSH 2.0pl1... along with all the other unix tools for win32... so you can just run ssh (including tunnels and other advanced features most term-emulators with ssh don't have) from your bash shell.
>
> Nice to hear. I found nothing about it on http://sources.redhat.com/cygwin/. Please tell me where I can download the stuff.

Just get the installer; it'll find the mirrors and download it from there. The installer can be found here:

ftp://sunsite.org.uk/Mirrors/sourceware.cygnus.com/pub/cygwin/setup.exe

Or on other sites... just search with google...

--
Mark Janssen
Unix Consultant Unix Support Nederland / PSInet Netherlands
Re: SECURITY PROBLEM: autofs [all versions]
On Sat, 1 Jul 2000, Thor wrote:

> huh ? and you call this an xploit ? if you have physical access to the console and floppy drive you can always start with a boot + root floppy, mount the hard disk and modify the mounted /etc/passwd file ... this is an old trick, useful when you lose the root password ;-)

Yes, that's correct, but there's a huge difference in an exploit that needs a reboot (boot+root floppy) to work or one that works without putting off any simple monitoring tools. A vi'd passwordfile isn't checked for every other minute... a reboot doesn't go around unnoticed...

--
Mark Janssen
Unix Consultant Unix Support Nederland / PSInet Netherlands