Re: scp and sftp
- Original Message -
From: "Jon McCain"
Sent: Sunday, March 31, 2002 8:54 AM

> The user can change to directories above their home.
> Is there a way to chroot them

Use the restricted bash shell for the user (/bin/rbash) in /etc/passwd.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Security-Update of LISTAR broken...
> Few days ago I updated the LISTAR maillist software (apt-get update;
> ape-get dist-upgrade) with the latest security fix (a buffer overflow

Perhaps the problem is with your second command. I've not had good luck
with 'ape-get' either. Perhaps it is distantly related to the infinite
monkeys problem.

(Sorry - couldn't pass this one up...)

John

--
Arthur looked up. "Ford!" he said, "there's an infinite number of monkeys
outside who want to talk to us about this script for Hamlet they've worked
out."
-The Hitchhiker's Guide to the Galaxy
Re: scp and sftp
> I've been playing around with the scp and sftp components of putty and
> noticed what I consider a security hole. Winscp does the same thing.
> The user can change to directories above their home. Is there a way to
> chroot them like you can in an ftp config file?

scp is merely a way to use a ssh shell login to up- and download a file;
it has the same restrictions a ssh session would have. When you login
using ssh you can do "cd .." too... so I don't see the security problem.

> I don't see anything in
> the sshd config files. If you can't, how can I disable the scp
> functionality? I'm not talking about scp from the linux box. The users
> don't have shell access so that's not a problem. I'm referring to
> remote people using a scp client to access my linux machine. You can
> disable sftp ability by removing the sftp-server program but the scp
> server part seems to be part of sshd.

Your users can't connect with the same l/p using ssh? That would be really
weird.

> I did not see anything about this issue on the openssh web site.
> Anybody got any suggestions?

That doesn't surprise me since this is not a bug or strange feature.

Greetz,
Ivo van Dongen
Security-Update of LISTAR broken...
Greetings!

A few days ago I updated the LISTAR maillist software (apt-get update;
ape-get dist-upgrade) with the latest security fix (a buffer overflow
IIRC). Since then, the program won't work anymore - it does not produce
any output and returns with exit code 75. Seems the security fix is
broken?

Bye

Volker

--
Volker Tanger [EMAIL PROTECTED]
-===- Research & Development Division, WYAE
Re: on potato's proftpd
Previously martin f krafft wrote:
> wichert, it didn't. why should we discuss this before pushing the
> temporary fix into the security archives???

Because it might impact other packages as well.

> i'd also like to see answered, but right now, debian's got a semi-bug
> in a package found on security.debian.org, we know about it, why do we
> even hesitate?

I'd rather make sure we don't have a bug in multiple packages than a
reasonably harmless semi-bug in a single package.

Wichert.

--
  _
 /[EMAIL PROTECTED]          This space intentionally left occupied \
| [EMAIL PROTECTED]                   http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D  |
Re: on potato's proftpd
On Sun, Mar 31, 2002 at 05:53:35PM +0200, martin f krafft wrote:
> why should we discuss this before pushing the temporary fix into the
> security archives???

Maybe because, as you say, the fix (read: workaround) is only temporary? :)

Including a new rule in the conffile won't automatically fix everything;
people who changed their copies of those conffiles will have to inspect
their stuff and merge in the fix. A solution coded into the program would
be much better...

--
2. That which causes joy or happiness.
Re: scp and sftp
On Sat, Mar 30, 2002 at 10:24:28PM -0500, Jon McCain wrote:
> I've been playing around with the scp and sftp components of putty and
> noticed what I consider a security hole. Winscp does the same thing.
> The user can change to directories above their home. Is there a way to
> chroot them like you can in an ftp config file? I don't see anything in
> the sshd config files. If you can't, how can I disable the scp
> functionality? I'm not talking about scp from the linux box. The users
> don't have shell access so that's not a problem. I'm referring to
> remote people using a scp client to access my linux machine. You can
> disable sftp ability by removing the sftp-server program but the scp
> server part seems to be part of sshd.
>
> I did not see anything about this issue on the openssh web site.
> Anybody got any suggestions?
>

I've got a debian package with the chroot patch enabled, and search this
mailing list, there were some discussions about that last year.

You can get my package for woody here:
http://debian.home-dn.net/woody/ssh/

Debian people question: What about making a ssh-chroot package, made of
the current ssh package and just the chroot patch enabled? It will be
easier to maintain systems with the need of chroot and, as it will be
more used, there will be more people to really audit it!

--
Easter-eggs                                   Spécialiste GNU/Linux
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com
Re: on potato's proftpd
also sprach Wichert Akkerman <[EMAIL PROTECTED]> [2002.03.31.1602 +0200]:
> > i don't get it. will someone please push this package ivo made as an
> > NMU into security.debian.org ASAP? i'd do it myself, but i am still
> > waiting for DAM approval...
>
> I'ld like someone to answer my question first: how come the glob
> fix in glibc doesn't fix proftpd?

wichert, it didn't. why should we discuss this before pushing the
temporary fix into the security archives??? it's a good question which
i'd also like to see answered, but right now, debian's got a semi-bug in
a package found on security.debian.org, we know about it, why do we even
hesitate?

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

1-800-psych
hello, welcome to the psychiatric hotline.
if you are schizophrenic, listen carefully
and a little voice will tell you which number to press.
Re: on potato's proftpd
Previously martin f krafft wrote:
> i don't get it. will someone please push this package ivo made as an
> NMU into security.debian.org ASAP? i'd do it myself, but i am still
> waiting for DAM approval...

I'd like someone to answer my question first: how come the glob fix in
glibc doesn't fix proftpd?

Wichert.

--
  _
 /[EMAIL PROTECTED]          This space intentionally left occupied \
| [EMAIL PROTECTED]                   http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D  |
Re: scp and sftp
On Sun, 2002-03-31 at 05:24, Jon McCain wrote:
> I've been playing around with the scp and sftp components of putty and
> noticed what I consider a security hole. Winscp does the same thing.
> The user can change to directories above their home. Is there a way to
> chroot them like you can in an ftp config file? I don't see anything in
> the sshd config files. If you can't, how can I disable the scp
> functionality? I'm not talking about scp from the linux box. The users
> don't have shell access so that's not a problem. I'm referring to
> remote people using a scp client to access my linux machine. You can
> disable sftp ability by removing the sftp-server program but the scp
> server part seems to be part of sshd.

There is a chroot patch for SSH. You can find it in the Bug tracking
system (I added it there a few weeks ago).

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=139047&repeatmerged=yes

If you apply that patch to your SSHd and modify the /etc/passwd file by
using the special token '/./' in the user's homedir, he will be chrooted
at the token.

Example:

joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash

Now joeuser will be chrooted to /home/joe

This works for SSH and SCP / SFTP etc. of course.

Mark Janssen

> I did not see anything about this issue on the openssh web site.
> Anybody got any suggestions?

--
Mark Janssen  Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl
GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
Re: scp and sftp
the commercial ssh server has an option to chroot to a user's home
directory. there are patches available to openssh to do it also, though i
don't know if they've been thoroughly audited.

check out http://mail.incredimail.com/howto/openssh/

you can make sftp-server the user's shell to only allow sftp access.

xn

On Sat, Mar 30, 2002 at 10:24:28PM -0500, Jon McCain wrote:
> I've been playing around with the scp and sftp components of putty and
> noticed what I consider a security hole. Winscp does the same thing.
> The user can change to directories above their home. Is there a way to
> chroot them like you can in an ftp config file? I don't see anything in
> the sshd config files. If you can't, how can I disable the scp
> functionality? I'm not talking about scp from the linux box. The users
> don't have shell access so that's not a problem. I'm referring to
> remote people using a scp client to access my linux machine. You can
> disable sftp ability by removing the sftp-server program but the scp
> server part seems to be part of sshd.
>
> I did not see anything about this issue on the openssh web site.
> Anybody got any suggestions?
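The two confinement mechanisms the thread discusses, the '/./' token in the passwd home field (Mark Janssen's message) and giving the account sftp-server as its login shell (xn's message), as an added example that is not code from the thread, from the Debian bug, or from any of the chroot patches mentioned: a small POSIX shell review script that splits a home field at the token, classifies the login shell, and checks whether a directory is fit to be a chroot root. It assumes the token semantics exactly as Mark's message describes them (everything before '/./' is the chroot, everything after is the home inside it), assumes the directory rule that current OpenSSH enforces for its built-in ChrootDirectory option (root-owned, not writable by group or others) is the right rule for any chroot root, uses GNU `stat -c` in check_chroot_dir, and runs over constructed passwd entries, not real accounts.

```shell
#!/bin/sh
# Added example, not from the thread or any project it names.

# Split a passwd home field on the first "/./" token into the chroot root
# and the path inside the chroot (semantics as described in the thread).
# Prints "<root> <inner>"; root is "-" when the field has no token.
split_chroot_home() {
    home=$1
    case $home in
        */./*)
            root=${home%%/./*}
            inner=/${home#*/./}
            ;;
        *)
            root=-
            inner=$home
            ;;
    esac
    printf '%s %s\n' "$root" "$inner"
}

# Is (owner uid, octal mode) acceptable for a chroot root? Rule assumed
# here: owned by root and not writable by group or others. A chroot root
# the user can write to lets them plant files the chrooted process will
# trust, which defeats the confinement.
chroot_dir_ok_meta() {
    uid=$1
    mode=$2
    [ "$uid" = 0 ] || return 1
    last2=${mode#"${mode%??}"}        # last two octal digits: group, other
    for d in "${last2%?}" "${last2#?}"; do
        case $d in 2|3|6|7) return 1 ;; esac   # digits with the write bit
    done
    return 0
}

# Same check against a real path (GNU stat assumed).
check_chroot_dir() {
    meta=$(stat -c '%u %a' "$1") || return 1
    set -- $meta
    chroot_dir_ok_meta "$1" "$2"
}

# Classify the login shell field: does the account get a real shell?
shell_class() {
    case $1 in
        */sftp-server) echo sftp-only ;;
        */rbash) echo restricted ;;
        */nologin|*/false) echo none ;;
        *) echo full-shell ;;
    esac
}

# Review one passwd line: prints "user root inner shellclass".
audit_passwd_entry() {
    oldifs=$IFS
    IFS=:
    set -- $1
    IFS=$oldifs
    user=$1
    home=$6
    shell=$7
    printf '%s %s %s\n' "$user" "$(split_chroot_home "$home")" "$(shell_class "$shell")"
}

# Constructed sample entries (not real accounts); the first is the one
# from the thread.
SAMPLE_PASSWD='joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash
upload:x:1100:1100:Upload Only:/srv/upload/./incoming:/usr/lib/sftp-server
plain:x:1101:1101:Plain User:/home/plain:/bin/sh'

audit_all() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r line; do
        audit_passwd_entry "$line"
    done
}

audit_all
```

Run as-is it prints one line per sample entry; `audit_passwd_entry "$(getent passwd someuser)"` reviews a real account, and `check_chroot_dir /home/joe` tells you whether the root the token names would be accepted under the ownership rule above. Releases of OpenSSH since 4.9 ship this confinement natively (ChrootDirectory together with ForceCommand internal-sftp in a Match block) and apply the same root-owned, non-writable requirement to every path component of the chroot, so the check is worth running before relying on any chroot setup.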