Re: Secure/hardened/minimal Debian (or Why is the base system the way it is?)
I did this for my company, or something similar. We ship a security information management solution, deliverables are a network appliance (the manager node) and the client software. Anyway, we use debian as our network appliance OS and I have hardened it and provided a very restricted shell for modification of network parameters, etc.

What I did was:

1. Install potato out of the box (we have a local mirror)
2. Thin potato out (remove unnecessary packages, compilers, etc)
3. Make a custom 2.4 kernel with NO loadable modules (because we know the hardware, we can do this) and with iptables
4. Install back-compiled packages for SSH, postgres, anything else (system requirements, plus SSH2 security advantages)
5. Switch partitions over to ext3 (if I ship the box and the box goes down and fails an fsck, we either give them root or send a tech, expensive either way)
6. Configure some of the packages to be more secure (e.g. exim configuration)
7. Configure an iptables firewall to further restrict access to illegitimate ports (anything but 80 and our 3 proprietary ports)
(8: Install our software, test, etc)

My final install, including our software, is under 200M.

Right now, I am using Norton Ghost for imaging. I considered FAI but because I was only doing one flavor of image that was not very dynamic, I stuck with Ghost (we are also not releasing *too* many of these yet, when we do the Ghost licensing fees might be higher than is justified).

For some packages we use virtual packages through equivs (for example, j2re1.3 from blackdown.org requires some X crap that we don't want, so I build an equivs package that says sure it's here, trust me).

If you have any questions about specifics, let me know.

-nicole

At 12:10 on May 20, Andrew Pollock combined all the right letters to say:

We want these builds to be as hardened as possible. For example, we don't want compilers installed, unnecessary binaries floating around, etc etc.

I really don't want to deviate from using the packaging system to maintain what's installed. I don't want to wind up with a Frankenstein Debian installation that can't be maintained easily. It's just not the Debian Way either.

One thing in particular is inetd. It seems it's unavoidable to have inetd installed, with the netbase package depending on netkit-inetd. Is it possible to completely remove the inetd binary and use a diversion or something to keep the package system reasonably happy with what's happened (I'm not very clued up on more advanced elements of the packaging system like diversions).

(Side issue, but why the heck is Woody shipping with inetd and not xinetd? After seeing the way Red Hat manages xinetd based services, it's so much more elegant than using update-inetd).

Secondly, even the base system comes with exim installed and port 25 open (granted, I haven't checked to see if it's only on localhost). A lot of reasonably necessary packages depend on a mail-transport-agent virtual package being installed. For example, on my home machine, if I try to remove the sendmail package, I can also kiss goodbye:

Some of these I find a little bit strange to be losing because I've gotten rid of my mail transport agent... Log rotation, for example, is something I'd need and want in any build I make. I don't understand why I lose at but not cron either...

So my main conundrum at present is what is the best way to make a truly minimalist Debian installation, the Debian Way, in a highly security conscious environment? I'd really like to see Debian get up in this organisation. Anything insightful (and hopefully not inciteful) appreciated.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Secure/hardened/minimal Debian (or Why is the base system the way it is?)
I suppose since my install is so small this would be possible (just create a bootable floppy that runs a script which uses dd to dump to the disk).

The problem I have now is that Ghost 2002 does not image ext3 correctly (so after imaging, I have to convert the filesystems to ext3 again). Supposedly this is fixed in their corporate version, but we don't quite need that large-scale of a solution yet either.

-nicole

At 23:01 on May 19, Rishi L Khan combined all the right letters to say:

(we are also not releasing *too* many of these yet, when we do the Ghost licensing fees might be higher than is justified).

when Ghost is prohibitive, consider using dd, the standard unix disk dump tool.
Re: force to use SSH2
In your sshd_config you can use the Protocol directive.

Protocol
    Specifies the protocol versions sshd should support. The possible values are ``1'' and ``2''. Multiple versions must be comma-separated. The default is ``2,1''.

-nicole

At 18:05 on May 13, Eduardo Gargiulo combined all the right letters to say:

Hi all. Which is the best way to ensure that clients will connect using ssh2 and not ssh1? How can I avoid the use of ssh1?
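
The Protocol directive quoted in the reply above, as an added example that is not part of the original messages: a shell check that reports which protocol versions a given sshd_config permits. It assumes the default of 2,1 from the quoted man page text and that sshd keeps the first value it reads for a keyword; the function names and the sample configuration files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for SSH protocol 1.
# Assumptions: sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and an absent directive means the default "2,1" quoted in
# the reply above.

# effective_protocol FILE: print the Protocol value sshd would use.
effective_protocol() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            sub(/[ \t]*=[ \t]*/, " ")            # accept "Keyword=value" too
            if (tolower($1) == "protocol") {
                v = ""
                for (i = 2; i <= NF; i++) v = v $i   # "2, 1" -> "2,1"
                print v
                found = 1
                exit                             # first occurrence wins
            }
        }
        END { if (!found) print "2,1" }          # directive absent: default
    ' "$1"
}

# allows_ssh1 FILE: exit status 0 if protocol 1 is still accepted.
allows_ssh1() {
    case ",$(effective_protocol "$1")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample files, for demonstration only.
tmp=$(mktemp -d)
printf 'Port 22\n#Protocol 2\n'     > "$tmp/commented_out"
printf 'Port 22\nprotocol 2,1\n'    > "$tmp/both"
printf 'Protocol 2\nProtocol 2,1\n' > "$tmp/ssh2_only"

for f in commented_out both ssh2_only; do
    if allows_ssh1 "$tmp/$f"; then
        echo "$f: Protocol $(effective_protocol "$tmp/$f") -> SSH1 still accepted"
    else
        echo "$f: Protocol $(effective_protocol "$tmp/$f") -> SSH2 only"
    fi
done
rm -rf "$tmp"
```

A commented-out `#Protocol 2` line leaves the default in force, which is why the first sample still accepts protocol 1.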
Re: possible hole in mozilla et al
This bug has been fixed in Mozilla upstream and will be included in the 1.0 release. You can dig in Bugtraq for more info.

-nicole

At 15:26 on May 8, Robert Millan combined all the right letters to say:

Hi, Just noticed this advisory, stating a remote vulnerability in mozilla: http://sec.greymagic.com/adv/gm001-ns/

It claims to affect 0.9.7+ but on 1.0 all it does is crashing my browser. Please CC to contact me, not subscribed.
Re: connection refuse by tcp_wrapper
It doesn't look like a tcp wrappers problem to me. It looks like an SSH problem. You might try restarting the SSH server, or maybe using only SSHv1 (to see if it is working at all/accepting connections) with the argument -1, or checking your /var/log/auth.log to see if there are any SSH connection problems (maybe also /var/log/daemon.log).

-nicole

At 22:18 on Apr 24, [EMAIL PROTECTED] combined all the right...:

but when i try to connect from 192.168.1.10 and 11 my server is always give a message :

ssh_exchange_identification: Connection closed by remote host

What is the problem with my tcp_wrapper ? anyone can help ?
Re: Need some advice on configuring SAMBA shares
force user = guest
force group = user

in your samba config for that share will force anything done to that share to be done under that combination. This isn't exactly what you asked, but it is useful. All this and more in `man smb.conf` :o)

-nicole

At 03:53 on Jan 13, Stefan Srdic combined all the right letters to say:

[guests]
comment = Guests shares
path = /home/guests
writeable = yes
guest ok = yes

My question is, how can I modify the permissions of /home/guest so that any file created under that directory would be owned by user guest and group users (or something else like that).
Re: the right way to access CDROM as non-root
You should have a device /dev/cdrom that is a symbolic link to your real CDROM device (/dev/hdc?). This link should be owned by root:cdrom. You can then add users to the cdrom group and they can then mount the CDROM. Same for the floppy drive (with the floppy group, but you don't have to symlink /dev/fd0).

-nicole

At 17:36 on Jan 1, Oohara Yuuma combined all the right letters to say:

I have a hard disk on /dev/hda and a CDROM drive on /dev/hdc. Their permissions are:

brw-rw----    1 root     disk       3,   0 Jul  6  2000 /dev/hda
brw-rw----    1 root     disk      22,   0 Jul  6  2000 /dev/hdc

I want to access the CDROM drive as a non-root user (to play my music CD). Adding my ordinary account to the group disk is dangerous (anyone in the group disk can reformat my hard disk), so I am looking for another solution.

The right way seems to be chgrp cdrom /dev/hdc. Is just doing chgrp enough? /sbin/MAKEDEV insists /dev/hdc should be root:disk 0660. I don't want to edit /sbin/MAKEDEV because it is not a conffile. Is there a possibility that some package calls /sbin/MAKEDEV and overwrites my setting of /dev/hdc?
Re: What is the status with wu-ftpd updated potato packages?
Read this: http://lists.debian.org/debian-changes/2001/debian-changes-200111/msg00085.html

What is the status with the wu-ftpd updated potato packages?
Re: Some samba problems.
You can specify in your smb.conf a hosts allow = and hosts deny = . This, with security = user (and only adding the valid users to your smbpasswd file or using valid users = ) and removing guest access from your shares, should give you the level of security you want.

`man smb.conf`

-nicole

At 13:54 on Nov 17, shadow combined all the right letters to say:

Hi, I have some problems with Samba. I have a large network and want to share my printer, but allow only access from several hosts or even some users, which are registered on my machine. All is ok then I do such thing for file shares
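
The share-level controls named in the two Samba replies on this page (guest access, hosts allow, valid users), as an added example that is not part of the original messages: a shell audit that lists, per share, which of them are in effect. The function names are constructed for the example, the [guests] share is the one posted in the earlier Samba thread, and the [lp] printer share with its host prefix and user name is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list each smb.conf share with the
# access controls named in the replies above.
# Assumptions, from smb.conf(5): parameter names ignore case and embedded
# whitespace, "public" is a synonym of "guest ok", "allow hosts" of
# "hosts allow", and [global] values are the defaults for every share.

# audit_smb_shares FILE: one tab-separated line per share.
audit_smb_shares() {
    awk '
        function get(k) { return (k in cur) ? cur[k] : ((k in glob) ? glob[k] : "") }
        function report(   g) {
            if (sec == "" || sec == "global") return
            g = tolower(get("guestok"))
            printf "%s\tguest=%s\thosts_allow=%s\tvalid_users=%s\n", sec,
                (g ~ /^(yes|true|1)$/ ? "yes" : "no"),
                (get("hostsallow") != "" ? "set" : "unset"),
                (get("validusers") != "" ? "set" : "unset")
        }
        /^[ \t]*([;#]|$)/ { next }               # comments and blank lines
        /^[ \t]*\[/ {                            # new section: flush the last
            report()
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(sec)
            split("", cur)                       # clear per-share settings
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "public") key = "guestok"
            if (key == "allowhosts") key = "hostsallow"
            if (sec == "global") glob[key] = val; else cur[key] = val
        }
        END { report() }
    ' "$1"
}

# guest_shares FILE: names of shares that still allow guest access.
guest_shares() {
    audit_smb_shares "$1" | awk -F '\t' '$2 == "guest=yes" { print $1 }'
}

# Sample config: [guests] as posted on this page, [lp] constructed.
conf=$(mktemp)
cat > "$conf" <<'EOF'
[global]
   security = user
[guests]
   comment = Guests shares
   path = /home/guests
   writeable = yes
   guest ok = yes
[lp]
   printable = yes
   hosts allow = 192.168.1.
   valid users = alice
EOF
audit_smb_shares "$conf"
echo "shares with guest access: $(guest_shares "$conf")"
rm -f "$conf"
```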
Re: Potato 2.2r3 and Kernel 2.2.19 Questions
I would suggest adding the testing source to your /etc/apt/sources.list and grabbing kernel-source-2.2.19 (version 2.2.19.1-1 has the security patches in question).

Edit /etc/apt/sources.list

Add
    deb http://http.us.debian.org/debian/ testing main

Save the file.

    apt-get update
    apt-get install kernel-source-2.2.19

Once you are done, you can take the testing source out.

Unpack the source:
    cd /usr/src; tar xIvf kernel-source-2.2.19.tar.bz2
[if you are using a version of bzip2 later than what is in stable, you will need j instead of I]

Configure your kernel as you usually would (make menuconfig, make xconfig, whatever).

Install kernel-package:
    apt-get install kernel-package

Use make-kpkg to build your kernel instead of doing it by hand.
    make-kpkg buildpackage
[you can pass the --revision and --flavour arguments to make it appear as something other than Custom_1.00]

Using make-kpkg takes out all of the in-between steps and leaves you with a customized kernel-image-2.2.19. Go up to the parent directory and install your kernel image with dpkg. It will handle moving your old kernel to a vmlinuz.old link and your new kernel to a vmlinuz link. The default configuration of lilo knows how to handle them both and they will both be bootable should you need to revert to the old kernel. dpkg of course also handles the proper placement of modules and such as well.

make-kpkg always seemed to be the best way to make your own kernel but stay debian-friendly to me. It makes a LOT of sense if you have a lot of boxes that are very similar in hardware.

-nicole

At 19:09 on Oct 23, eim combined all the right letters to say:

Actually I'm running Potato 2.2r2 on some Debian Boxes which I've upgraded to 2.2r3, the Kernel which powers the system is still 2.2.18pre21 while for the 2.2r3 Release of Potato it should be version 2.2.19

So, correct me if I'm wrong but Debian Potato 2.2r3 comes out with Kernel 2.2.19, right ?

Well, if so, I want to upgrade from 2.2.18pre21 to 2.2.19, apply the new RAID Style Patch and the latest security Patch.

My question is this: Debian's 2.2.19 kernel-source package is already available with the latest Kernel security patch or should I download the patch from openwall.com and apply externally ?

Thank you for suggestions, have a good work !

Ivo Marino
Re: Need Help with the Debian Securing Manual (contributions accepted)
At 00:26 on Sep 24, Will Aoki combined all the right letters to say:

Mozilla's default language setting is only US English (en-us). My guess is that people getting 403s are running their browsers with out of the box language settings or have changed language settings but haven't listed 'en' as an acceptable language. I don't know why these settings would work elsewhere on www.debian.org but not on doc/manuals/securing-debian-howto/ .

Adding language [en] to my languages setting allows me to load the page just fine. Maybe Mozilla should include both languages as defaults?

-nicole
Re: Need Help with the Debian Securing Manual (contributions accepted)
Actually it works in Netscape 4.77 but not Mozilla. So it doesn't look like it's a server-side problem. That was my first guess, too. The Forbidden error also does not have any mention of apache or any web server for that matter. The plot thickens :o)

-nicole

At 15:54 on Sep 24, Andrew Sione Taumoefolau said:

People may be getting the security error because in the absence of a default index file to open (say, plain ol' index.html) Apache is interpreting http://server/directory/ as a request for a directory listing, a feature which, being security-conscious, the people in charge of the server have probably turned off :).
Re: Need Help with the Debian Securing Manual (contributions accepted)
Yup, I'm not using a proxy.

http://www.debian.org/doc/manuals/securing-debian-howto/

I can access the following URL (which I found by going through the www.debian.org/doc tree):

http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html

-nicole

At 03:35 on Sep 24, Javier Fernández-Sanguino Peña said:

On Sun, Sep 23, 2001 at 06:31:24PM -0700, Nicole Zimmerman wrote:

Forbidden
You don't have permission to access /doc/manuals/securing-debian-howto/ on this server.

??

Works fine for me, just tried it. Are you sure is not a problem with your proxy?

Javi
Re: Need Help with the Debian Securing Manual (contributions accepted)
Forbidden
You don't have permission to access /doc/manuals/securing-debian-howto/ on this server.

??

At 03:27 on Sep 24, Javier Fernández-Sanguino Peña combined all the right...:

I am not sure everybody is aware of the Securing Debian Manual which can be found at http://www.debian.org/doc/manuals/securing-debian-howto/. In any case, I'm asking for some help with this document due to the current overload of information I'm suffering.
Re: red worm amusement
last i used OpenBSD (2.6) it started portmap and identd by default at the very least, maybe fingerd too i don't remember for sure.

The difference is, those were not exploitable.

And they are on debian?

Turning off services makes an excuse for the real problem -- software needs to be secure, and people need to make sure they are using software that is secure. Sysadmins need to keep up with updates no matter what OS they are administering to make sure their software is secure.

Firewalling services makes the same excuse. I don't care if my software is secure because I have a firewall! ... what happens if your firewall gets penetrated? What happens if some local user (hard) reboots your box because they want it to run an NFS server?

If you have secure software, you don't really have to worry about running those services, do you?

-nicole
SSH security vulnerability (fwd)
I have not verified this problem, but the advisory looks quite decent.

-- Forwarded message --
Date: Fri, 9 Feb 2001 13:07:08 -0800 (PST)
From: David A. Gatwood [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: SSH security vulnerability

I don't usually announce security vulnerabilities, but this one hits close to home. There's a broad, sweeping security hole in basically every version of ssh, both commercial and non-commercial, including OpenSSH. This is fixed in OpenSSH 2.3.0. You are strongly urged to upgrade your systems.

Note that there is NO CERT ADVISORY for this yet, as the vulnerability was only discovered yesterday. I've included the pertinent information below.

The MkLinux Team
-dg

-
On Fri, 9 Feb 2001, Nick Matsakis wrote:
To: [EMAIL PROTECTED]

A security hole has recently been exposed in SSHD that may affect users of the public beta. Unfortunately, I don't know much about what version of SSHD the public beta comes with, or where one might find an updated version (Darwin resources would be able to help no doubt) but I thought I would send out this link anyway, so that those who should know about it can do the requisite research.

http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

___
mklinux-announce mailing list
[EMAIL PROTECTED]
http://www.lists.apple.com/mailman/listinfo/mklinux-announce