Re: Xconsole vs security
Jaakko Niemi wrote:

Daniel Martin at cush wrote:

The question, I think, is that you are concerned because when you dial up, the password to your isp gets logged by the chat program, and so appears in the xconsole window. You worry that anyone you give an account to can call up xconsole and thereby see your ISP password, which would be a bad thing.

That's right!

Ok, to begin with you can make it so that chat doesn't log your password by putting a \q in front of it. In my chatscript (/etc/ppp.chatscript on a Debian 1.3.1 machine) I have:

I forgot to say that I'm using an ISDN card and my script uses ipppd! So the password is in /etc/ppp/isdn-auth!

Do you have the option +pwlog enabled in /etc/isdn/ipppd.ippp0? Disabling this makes the passwords _not_ be logged.

Unfortunately, I don't have an isdn directory! :( How could I create it!? Is there any package which does it!? Check out my script, attached! Should I put some more options on ipppd!?

Thanks.

Best regards,
Nuno Carvalho

#!/bin/tcsh
#
# ISDN script
#
# load firmware
pcbitctl -l /usr1/pcbit/bitd.hex
isdnctrl addif ippp0
isdnctrl l2_prot ippp0 hdlc
isdnctrl l3_prot ippp0 trans
isdnctrl encap ippp0 syncppp
isdnctrl addphone ippp0 out x
ifconfig ippp0 aaa.bbb.ccc.ddd pointopoint aaa.bbb.ccc.ddd metric 1
route add default ippp0
isdnctrl huptimeout ippp0 3600
ifconfig ippp0 up
ipppd +ua /etc/ppp/isdn-auth \
      ipcp-accept-local ipcp-accept-remote \
      -detach \
      mru 1524 \
      -bsdcomp -ac -pc -vj -vjccomp -pred1comp \
      debug \
      useifip \
      /dev/ippp0
exit
Re: Xconsole vs security
I forgot to say that I'm using an ISDN card and my script uses ipppd! So the password is in /etc/ppp/isdn-auth!

Do you have the option +pwlog enabled in /etc/isdn/ipppd.ippp0? Disabling this makes the passwords _not_ be logged.

Unfortunately, I don't have an isdn directory! :( How could I create it!? Is there any package which does it!? Check out my script, attached! Should I put some more options on ipppd!?

Do you have the isdnutils package installed? It comes with pretty good scripts. Hmm. ipppd comes from isdnutils, so have you something other installed or have you compiled your own?

--j

-- Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
Re: Xconsole vs security
Ionut Borcoman at debian wrote:

What to do if my password is in pap-secrets? I can always see it in my xconsole window! If I simply add a \q in pap-secrets at MyISPpasswd, pppd will try to use qMyISPpasswd instead of hiding it. (I also use KDE and like xconsole as it monitors my connection. I do not like that it shows it so openly.)

Most likely, you have used pppconfig to configure your connection. By default it turns on debug mode which will display your password as cleartext. Look in /etc/ppp/provider and see if this is so. If not, it might be defined in your global /etc/ppp/options file.

Isn't this behavior of pppconfig potentially undesirable? Shouldn't it default to debug mode being turned off?

--Damon
Re: Xconsole vs security
Shaleh wrote:

pap too. So, now we need to figure out why. The \q only works in a

OK. I agree with that. I didn't give much importance to this, as I'm the only one here. However, who knows what my girl-friend will want to do some day, so better to protect myself. :) Where should I look? In what config files?

Ionutz
Re: Xconsole vs security
Shaleh writes:

If your password is in pap-secrets it is supposed to remain just that -- a secret. I never see my password come whizzing by on xconsole and I use pap too. So, now we need to figure out why. The \q only works in a chatscript.

pppd logs the username and password in the clear when using pap. There is a scheme for encrypting the password, but I've never tried it. I guess I should check it out.

--
John Hasler
[EMAIL PROTECTED] (John Hasler)
Dancing Horse Hill
Elmwood, WI
Re: Xconsole vs security
Shaleh [EMAIL PROTECTED] writes:

If your password is in pap-secrets it is supposed to remain just that -- a secret. I never see my password come whizzing by on xconsole and I use pap too. So, now we need to figure out why. The \q only works in a chatscript.

Do you perhaps have the debug option uncommented in /etc/ppp/options? Or is there a debug in /etc/ppp/peers/provider?

That's the only thing in the ppp sources that even looks like it could cause a password to appear in a log. (Though admittedly, I haven't examined the sources in too much detail.)

Tell me, what does the message with the ISP password look like?
Re: Xconsole vs security
Daniel Martin at cush wrote:

Do you perhaps have the debug option uncommented in /etc/ppp/options? Or is there a debug in /etc/ppp/peers/provider?

It was a 'debug' in /etc/ppp/peers/provider. I've commented it out and the password (with all the other debug messages) disappeared from the xconsole. Now I only get something like:

Jul 10 16:20:59 debian pppd[290]: Serial connection established.
Jul 10 16:21:00 debian pppd[290]: Using interface ppp0
Jul 10 16:21:00 debian pppd[290]: Connect: ppp0 -- /dev/ttyS1
Jul 10 16:21:03 debian pppd[290]: Remote message: Login ok
Jul 10 16:21:03 debian pppd[290]: local IP address 195.179.251.69
Jul 10 16:21:03 debian pppd[290]: remote IP address 195.179.251.65
Jul 10 16:21:24 debian in.qpopper[319]: connect from localhost
Jul 10 16:21:54 debian pppd[290]: Terminating on signal 15.
Jul 10 16:21:54 debian pppd[290]: Connection terminated.
Jul 10 16:21:54 debian pppd[290]: Hangup (SIGHUP)
Jul 10 16:21:54 debian pppd[290]: Exit.

Thanks,
Ionutz
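The check this thread converges on, as an added example (not written by any poster and not part of the ppp or isdnutils packages): scan option files for an uncommented debug or +pwlog, and test whether the pipe xconsole reads is world-readable. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Option names (debug, +pwlog) come from the thread;
# function names and sample files are constructed.

# Print "file:line:option" for every uncommented debug / +pwlog option.
find_logging_options() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            { sub(/#.*/, "") }   # drop comments; awk re-splits the fields
            { for (i = 1; i <= NF; i++)
                  if ($i == "debug" || $i == "+pwlog")
                      print file ":" NR ":" $i }
        ' "$f"
    done
}

# Succeed if the "other" read bit is set on the path (file, fifo or device).
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Constructed stand-ins for /etc/ppp/options, /etc/ppp/peers/provider
# and /dev/xconsole, so the example runs without touching the system.
tmp=$(mktemp -d)
printf '%s\n' 'asyncmap 0' '#debug' 'lock' > "$tmp/options"
printf '%s\n' 'noauth' 'debug   # left enabled' 'user MyISPlogin' > "$tmp/provider"
mkfifo "$tmp/xconsole"
chmod 644 "$tmp/xconsole"

find_logging_options "$tmp/options" "$tmp/provider"
if is_world_readable "$tmp/xconsole"; then
    echo "$tmp/xconsole: readable by every local user"
fi
```

On a real machine the same functions would be pointed at the files named in the thread: /etc/ppp/options, /etc/ppp/peers/provider, /etc/isdn/ipppd.ippp0 and /dev/xconsole.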
Re: Xconsole vs security
Daniel Martin writes:

Do you perhaps have the debug option uncommented in /etc/ppp/options? Or is there a debug in /etc/ppp/peers/provider?

'debug' is uncommented in the distributed /etc/ppp/options.

That's the only thing in the ppp sources that even looks like it could cause a password to appear in a log.

For pap/chap, yes.

--
John Hasler
[EMAIL PROTECTED] (John Hasler)
Dancing Horse Hill
Elmwood, WI
Re: Xconsole vs security
Daniel Martin at cush wrote:

The question, I think, is that you are concerned because when you dial up, the password to your isp gets logged by the chat program, and so appears in the xconsole window. You worry that anyone you give an account to can call up xconsole and thereby see your ISP password, which would be a bad thing.

That's right!

Ok, to begin with you can make it so that chat doesn't log your password by putting a \q in front of it. In my chatscript (/etc/ppp.chatscript on a Debian 1.3.1 machine) I have:

I forgot to say that I'm using an ISDN card and my script uses ipppd! So the password is in /etc/ppp/isdn-auth!

Do you have the option +pwlog enabled in /etc/isdn/ipppd.ippp0? Disabling this makes the passwords _not_ be logged.

--j
Xconsole vs security
Hi,

I'm using Debian 1.3.1 and KDE Beta4. When I call the xconsole program I can see almost all activity on my machine, but I think there's something wrong ... Sometimes on xconsole I can see my login and password as I write them! Is that right!?!? I don't think so! As I work as root and have a username on my machine there's no problem, but if I add a new account, someone who calls xconsole could see the password to my ISP!

Best regards,
Nuno Carvalho
Re: Xconsole vs security
Nuno Carvalho [EMAIL PROTECTED] writes:

Hi, I'm using Debian 1.3.1 and KDE Beta4. When I call the xconsole program I can see almost all activity on my machine, but I think there's something wrong ... Sometimes on xconsole I can see my login and password as I write them! Is that right!?!? I don't think so! As I work as root and have a username on my machine there's no problem, but if I add a new account, someone who calls xconsole could see the password to my ISP!

The question, I think, is that you are concerned because when you dial up, the password to your isp gets logged by the chat program, and so appears in the xconsole window. You worry that anyone you give an account to can call up xconsole and thereby see your ISP password, which would be a bad thing.

Ok, to begin with you can make it so that chat doesn't log your password by putting a \q in front of it. In my chatscript (/etc/ppp.chatscript on a Debian 1.3.1 machine) I have:

ABORT BUSY
ABORT "NO CARRIER"
ABORT VOICE
ABORT "NO DIALTONE"
"" ATDT4103660015
name MyISPlogin
word \qMyISPpasswd

This will replace your ISP password with all question marks (like: ?) in the logged messages.

(This next bit is directed at the list) I was going to add more, but then I noticed that the pipe xconsole reads is world-read - does this strike anyone else as a security hole? Surely the information dumped into /dev/xconsole is as sensitive as that dumped into /var/log/messages, right?
Re: Xconsole vs security
Daniel Martin at cush wrote:

The question, I think, is that you are concerned because when you dial up, the password to your isp gets logged by the chat program, and so appears in the xconsole window. You worry that anyone you give an account to can call up xconsole and thereby see your ISP password, which would be a bad thing.

That's right!

Ok, to begin with you can make it so that chat doesn't log your password by putting a \q in front of it. In my chatscript (/etc/ppp.chatscript on a Debian 1.3.1 machine) I have:

I forgot to say that I'm using an ISDN card and my script uses ipppd! So the password is in /etc/ppp/isdn-auth! I think ppp.chatscript only works when using a modem that isn't ISDN! How could I resolve it!?

(This next bit is directed at the list) I was going to add more, but then I noticed that the pipe xconsole reads is world-read - does this strike anyone else as a security hole? Surely the information dumped into /dev/xconsole is as sensitive as that dumped into /var/log/messages, right?

As far as I can see, the information that appears in /var/log/messages doesn't appear at all on xconsole! My password doesn't appear in /var/log/messages!

Best regards,
Nuno Carvalho
Re: Xconsole vs security
Xconsole reads what you tell it to read. Normal setup has it watching the equivalent to syslogd's output. This is set up in the syslogd.conf file in /etc. Xconsole can be set to watch whatever file, fifo, or stdin you set it to watch. So if you like you can make it xconsole -file /var/log/messages and it will show that instead.

As to the isdn, I do not know. Never dealt with it.
Re: Xconsole vs security
Daniel Martin at cush wrote:

The question, I think, is that you are concerned because when you dial up, the password to your isp gets logged by the chat program, and so appears in the xconsole window. You worry that anyone you give an account to can call up xconsole and thereby see your ISP password, which would be a bad thing.

Ok, to begin with you can make it so that chat doesn't log your password by putting a \q in front of it. In my chatscript (/etc/ppp.chatscript on a Debian 1.3.1 machine) I have:

ABORT BUSY
ABORT "NO CARRIER"
ABORT VOICE
ABORT "NO DIALTONE"
"" ATDT4103660015
name MyISPlogin
word \qMyISPpasswd

This will replace your ISP password with all question marks (like: ?) in the logged messages.

(This next bit is directed at the list) I was going to add more, but then I noticed that the pipe xconsole reads is world-read - does this strike anyone else as a security hole? Surely the information dumped into /dev/xconsole is as sensitive as that dumped into /var/log/messages, right?

What to do if my password is in pap-secrets? I can always see it in my xconsole window! If I simply add a \q in pap-secrets at MyISPpasswd, pppd will try to use qMyISPpasswd instead of hiding it. (I also use KDE and like xconsole as it monitors my connection. I do not like that it shows it so openly.)

TIA,
Ionutz
Re: Xconsole vs security
If your password is in pap-secrets it is supposed to remain just that -- a secret. I never see my password come whizzing by on xconsole and I use pap too. So, now we need to figure out why. The \q only works in a chatscript.