[SECURITY] [DSA 237-1] New kdenetwork packages fix several vulnerabilities

2003-01-23 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 237-1 [EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze January 22nd, 2003

[SECURITY] [DSA 238-1] New kdepim packages fix several vulnerabilities

2003-01-23 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 238-1 [EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze January 23rd, 2003

[SECURITY] [DSA 239-1] New kdesdk packages fix several vulnerabilities

2003-01-23 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 239-1 [EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze January 23rd, 2003

vim modeline vulnerability - is Debian Woody affected?

2003-01-23 Thread Sasha Nedvedicky
Hello, I've noticed that many other Linux distros released a fix for CAN-2002-1377 (vim modeline vulnerability). According to http://online.securityfocus.org/bid/6384, it seems that only a few Linux distributions (excluding Debian) are affected. So is it true that the current package of vim in Debian Woody

question about SSH / IPTABLES

2003-01-23 Thread Iñaki Martínez
Hi!!! I have a server on the internet and I want several clients to access it via SSH, but I DON'T want them to be able to use SSH from that server. So a client can access the server via SSH, but s/he CAN NOT ssh to other servers from my server... How can I do this? Some SSH

Re: question about SSH / IPTABLES

2003-01-23 Thread Mark Janssen
On Thu, 2003-01-23 at 12:24, Iñaki Martínez wrote: I have a server on the internet and I want several clients to access it via SSH, but I DON'T want them to be able to use SSH from that server. So a client can access the server via SSH, but s/he CAN NOT ssh to other servers from my server...

Re: question about SSH / IPTABLES

2003-01-23 Thread Eduard Ballester
Hi. I have a server on the internet and I want several clients to access it via SSH, but I DON'T want them to be able to use SSH from that server. So a client can access the server via SSH, but s/he CAN NOT ssh to other servers from my server... Easy way: chmod 500 /usr/bin/ssh. Regards --

Re: question about SSH / IPTABLES

2003-01-23 Thread Jean Christophe ANDRÉ
Hi, Iñaki Martínez wrote: I have a server on the internet and I want several clients to access it via SSH, but I DON'T want them to be able to use SSH from that server. So a client can access the server via SSH, but s/he CAN NOT ssh to other servers from my server... How can I

RE: question about SSH / IPTABLES

2003-01-23 Thread DEFFONTAINES Vincent
You can: 1. Remove the users' access to the ssh program (e.g. change ownership and rights of /usr/bin/ssh and create an ssh group for allowed outgoing ssh users). 2. Mount /home, /tmp and any other place users might have write access to with the noexec switch, so they can only use binaries installed

Re: [security-unixtech] Re: question about SSH / IPTABLES

2003-01-23 Thread Stanislas Rusinsky
I have a server on the internet and I want several clients to access it via SSH, but I DON'T want them to be able to use SSH from that server. So a client can access the server via SSH, but s/he CAN NOT ssh to other servers from my server... in sshd_conf: AllowTcpForwarding no:

Re: [security-unixtech] Re: question about SSH / IPTABLES

2003-01-23 Thread Stanislas Rusinsky
If you want to use iptables then allow incoming ssh requests from the relevant hosts and disallow outgoing ssh requests from the server: iptables -A OUTPUT -j REJECT -p tcp --destination-port 22 But if the client jumps to another port GatewayPorts no in sshd_config: Specifies

Re: question about SSH / IPTABLES

2003-01-23 Thread Ralf Dreibrodt
Hi, DEFFONTAINES Vincent wrote: 1. Remove the users' access to the ssh program (e.g. change ownership and rights of /usr/bin/ssh and create an ssh group for allowed outgoing ssh users). 2. Mount /home, /tmp and any other place users might have write access to with the noexec switch, so they

Re: question about SSH / IPTABLES

2003-01-23 Thread Daniel Kobras
On Thu, Jan 23, 2003 at 01:45:47PM +0100, DEFFONTAINES Vincent wrote: You can: 1. Remove the users' access to the ssh program (e.g. change ownership and rights of /usr/bin/ssh and create an ssh group for allowed outgoing ssh users). 2. Mount /home, /tmp and any other place users might have write

Re: [security-unixtech] Re: question about SSH / IPTABLES

2003-01-23 Thread Mike Dresser
On 23 Jan 2003, Stanislas Rusinsky wrote: in sshd_conf: AllowTcpForwarding no: Specifies whether TCP forwarding is permitted. The default is ``yes''. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can

Re: question about SSH / IPTABLES

2003-01-23 Thread Jean Christophe ANDRÉ
DEFFONTAINES Vincent wrote: You can: 1. Remove the users' access to the ssh program (e.g. change ownership and rights of /usr/bin/ssh and create an ssh group for allowed outgoing ssh users). 2. Mount /home, /tmp and any other place users might have write access to with the noexec switch, so they

RE: question about SSH / IPTABLES

2003-01-23 Thread Giacomo Mulas
On Thu, 23 Jan 2003, DEFFONTAINES Vincent wrote: 2. Mount /home, /tmp and any other place users might have write access to with the noexec switch, so they can only use binaries installed (and allowed to them) on the system. Do that. Then try /lib/ld.so a_program_on_a_noexec_partition, and see

Re: [security-unixtech] Re: question about SSH / IPTABLES

2003-01-23 Thread Stanislas Rusinsky
What if you have the no-port-forwarding in authorized_keys? Mike, I'm not totally sure, but I think it is only for forbidding changing the port where to connect w/ ssh. This option is sometimes used for tunneling other applications over SSH or for passing through NATs and FWs, afaik

Re: question about SSH / IPTABLES

2003-01-23 Thread Jean Christophe ANDRÉ
Ralf Dreibrodt wrote: Is there any packet filter which can block only outgoing ssh sessions? One may use the string extension to iptables to match SSH? See there: http://www.netfilter.org/documentation/pomlist/pom-extra.html#string Regards, J.C.

Re: question about SSH / IPTABLES

2003-01-23 Thread Giacomo Mulas
On Thu, 23 Jan 2003, Jean Christophe ANDRÉ wrote: But far more secure: apt-cache show kernel-patch-2.4-grsecurity This is a real solution, but it takes quite a bit of effort to configure things right. I investigated it some time ago but after a little bit of fiddling I realized it would take a

Re: question about SSH / IPTABLES

2003-01-23 Thread InfoEmergencias - Luis Gómez
On Thu 23 Jan 2003 13:45, DEFFONTAINES Vincent wrote: 2. Mount /home, /tmp and any other place users might have write access to with the noexec switch, so they can only use binaries installed (and allowed to them) on the system. Beware that noexec can be easily cheated: --

Re: question about SSH / IPTABLES

2003-01-23 Thread Rolf Kutz
* Quoting Iñaki Martínez ([EMAIL PROTECTED]): So a client can access the server via SSH, but s/he CAN NOT ssh to other servers from my server... How can I do this? chmod o-x /usr/bin/ssh - rk -- What sort of person, said Salzella patiently, sits down and writes a maniacal laugh? And

Re: question about SSH / IPTABLES

2003-01-23 Thread Charl Matthee
On Thu Jan 23 2003 at 12:24:49PM +0100 'Iñaki Martínez' [EMAIL PROTECTED] wrote: I have a server on the internet and I want several clients to access it via SSH, but I DON'T want them to be able to use SSH from that server. So a client can access the server via SSH, but s/he CAN NOT ssh to

Re: question about SSH / IPTABLES

2003-01-23 Thread Kristof Goossens
On Thu, Jan 23, 2003 at 12:24:49PM +0100, Iñaki Martínez wrote: Hi!!! I have a server on the internet and I want several clients to access it via SSH, but I DON'T want them to be able to use SSH from that server. So a client can access the server via SSH, but s/he CAN NOT ssh to other

Re: question about SSH / IPTABLES

2003-01-23 Thread Iñaki Martínez
Hello Charl Matthee!!! If you want to use iptables then allow incoming ssh requests from the relevant hosts and disallow outgoing ssh requests from the server: iptables -A OUTPUT -j REJECT -p tcp --destination-port 22 But if the client jumps to another port $ ssh -p 25 remote_ip I

Re: question about SSH / IPTABLES

2003-01-23 Thread Charl Matthee
On Thu Jan 23 2003 at 01:17:21PM +0100 'Iñaki Martínez' [EMAIL PROTECTED] wrote: But if the client jumps to another port That is the shortcoming of using this solution. I think there is no COMPLETE solution If there is a rule there is generally some way around it ;) you need to

Re: Invalid Archive Signatures

2003-01-23 Thread Horst Pflugstaedt
On Wed, Jan 22, 2003 at 06:49:17PM -0600, Hanasaki JiJi wrote: eterm and feh, on sarge, are reporting invalid archive signatures of their dependencies. I have tried the US and Japan mirrors. As Jan Niehusman stated about two days ago: I assume this is because the 2002 Archive Signing Key

Re: question about SSH / IPTABLES

2003-01-23 Thread Rolf Kutz
* Quoting DEFFONTAINES Vincent ([EMAIL PROTECTED]): 2. Mount /home, /tmp and any other place users might have write access to with the noexec switch, so they can only use binaries installed (and allowed to them) on the system. This does not prevent them from executing binaries. This has been

Re: question about SSH / IPTABLES

2003-01-23 Thread Phillip Hofmeister
On Thu, 23 Jan 2003 at 12:24:49PM +0100, Iñaki Martínez wrote: Hi!!! I have a server on the internet and I want several clients to access it via SSH, but I DON'T want them to be able to use SSH from that server. So a client can access the server via SSH, but s/he CAN NOT ssh to other

Re: vim modeline vulnerability - is Debian Woody affected?

2003-01-23 Thread Luca Filipozzi
On Thu, Jan 23, 2003 at 09:39:19AM +0100, Sasha Nedvedicky wrote: I've noticed that many other Linux distros released a fix for CAN-2002-1377 (vim modeline vulnerability). According to http://online.securityfocus.org/bid/6384, it seems that only a few Linux distributions (excluding Debian) are

Re: question about SSH / IPTABLES

2003-01-23 Thread andrew lattis
On 2003/01/23 12:24:49PM +0100, Thu, Iñaki Martínez wrote: Hi!!! I have a server on the internet and I want several clients to access it via SSH, but I DON'T want them to be able to use SSH from that server. So a client can access the server via SSH, but s/he CAN NOT ssh to other servers

testestestestest

2003-01-23 Thread Dominique Fortier
Dominique Fortier, Free Software Solutions Consultant

Re: question about SSH / IPTABLES

2003-01-23 Thread Vittorio R Tracy
You may also try rbash as a shell type (in /etc/passwd). It is not super secure, and people can still use their own binaries, but you can restrict them to their own home directory and whatever's in their path. It's the lazy person's way out of doing chroots for all. More info in the man page for bash. VRT --

Re: question about SSH / IPTABLES

2003-01-23 Thread Guille -bisho-
A simpler way would be to use: - The connection tracking abilities of iptables. For example, DROP NEW connections from upper ports (this way you are not going to have problems with established connections such as the ssh login into the machine) OR: - At TCP level, match a flag like SYN to avoid
