From owner-freebsd-security Sun Jul 25 9:13:46 1999
Date: Sun, 25 Jul 1999 12:12:34 -0400 (EDT)
From: Jim Flowers
To: Bill Paul
Cc: skip-info@skip-vpn.org, freebsd-security@FreeBSD.ORG
Subject: Re: wi driver with SKIP
In-Reply-To: <199907232130.RAA02570@comet.columbia.edu>

Comments below.

Jim Flowers
#4 ISP on C|NET, #1 in Ohio

On Fri, 23 Jul 1999, Bill Paul wrote:
>
> Ideally what you ought to do is run tcpdump -n -e -p -x -s1514 -i wi0
> on both sides. This will avoid putting the interface into promiscuous
> mode (changes the operation of the NIC slightly) and will dump out the
> packet contents. At this point, you show me the packet contents so I can
> see for myself the difference between how the frame should look and how
> it ultimately does look.

OK the results are at the end of this email. Tests with SKIP turned off
show identical packets are copied to bpf at each end. These are
unencrypted so you can see the packet within the packet starting in the
sixth line.

From these tests, it seems conclusive that sometime after the outbound
packets are copied to bpf in the wi driver but before they are copied to
bpf in the pn driver, they are truncated to 64 bytes following the IP
header. Beyond that, the packet before it is truncated looks pretty
normal so I'm at a dead end. Maybe something will leap out at you.

>
> Furthermore, what happens when you ping W2 from W1?
>
Same thing, only there is no turnaround as the initial ping-request
cannot be de-encapsulated.

> > Would have done more but the building that Hillary Clinton is speaking
> > in front of is next to ours and we got kicked out by the secret service.
>
> You know, I've heard plenty of excuses in my time, but this one takes
> the cake. Not that I'm accusing you of lying, but this is definitely
> one for the books.

But, nonetheless true. You don't want to be carrying around computer bags
and boxes with those SWAT guys on the rooftops.

Jim

---------------------------------

Recorded on initiating machine with WaveLAN/EC connected to pn0

10:40:13.653872 0:a0:cc:28:80:f8 0:60:1d:4:26:68 0800 306: 206.151.177.132 > 206.151.177.134: ip-proto-57 272
                         4500 0124 000f 0000 ff39 ba57 ce97 b184
                         ce97 b186 1008 0833 0000 9c3e 0200 0100
                         7669 1c83 2925 a284 30ed 377c 90fe ae5b
                         0e68 2525 f51c d938 38ce 30a7 d4f1 cdca
                         56e7 ea07 4e4e 0fc7 2847 f9a3 3912 e6bf
                         0404 0000 0000 0001 4ca2 2dd7 3e9f 5d13
                         a134 8e1a bd04 85a9 4500 00bc 000e 0000
                         ff39 bac0 ce97 b184 ce97 b186 1008 0833
                         0000 9c3e 0200 0100 7669 1c83 2925 a284
                         30ed 377c 90fe ae5b 0e68 2525 f51c d938
                         38ce 30a7 d4f1 cdca 56e7 ea07 4e4e 0fc7
                         2847 f9a3 3912 e6bf 0404 0000 0000 0001
                         bede 3f94 4fc9 0a27 f66a cd40 3bb4 ef48
                         4500 0054 02bf 0000 ff01 b8af ce97 b184
                         ce97 b186 0800 28f5 2202 0000 cd21 9b37
                         51ac 0800 0809 0a0b 0c0d 0e0f 1011 1213
                         1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
                         2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
                         3435 3637
10:40:14.590330 0:60:1d:4:26:68 0:a0:cc:28:80:f8 0800 98: truncated-ip - 104 bytes missing!206.151.177.134 > 206.151.177.132: ip-proto-57 168
                         4500 00bc 0015 0000 ff39 bab9 ce97 b186
                         ce97 b184 1008 0833 0000 9c3e 0200 0100
                         592d 3210 6557 0dba 6d08 19de af17 f7bb
                         56e7 ea07 4e4e 0fc7 2847 f9a3 3912 e6bf
                         0e68 2525 f51c d938 38ce 30a7 d4f1 cdca
                         0404 0000

Recorded on receiving machine using wi0 driver

10:37:16.033314 0:a0:cc:28:80:f8 0:60:1d:4:26:68 0800 306: 206.151.177.132 > 206.151.177.134: ip-proto-57 272
                         4500 0124 000f 0000 ff39 ba57 ce97 b184
                         ce97 b186 1008 0833 0000 9c3e 0200 0100
                         7669 1c83 2925 a284 30ed 377c 90fe ae5b
                         0e68 2525 f51c d938 38ce 30a7 d4f1 cdca
                         56e7 ea07 4e4e 0fc7 2847 f9a3 3912 e6bf
                         0404 0000 0000 0001 4ca2 2dd7 3e9f 5d13
                         a134 8e1a bd04 85a9 4500 00bc 000e 0000
                         ff39 bac0 ce97 b184 ce97 b186 1008 0833
                         0000 9c3e 0200 0100 7669 1c83 2925 a284
                         30ed 377c 90fe ae5b 0e68 2525 f51c d938
                         38ce 30a7 d4f1 cdca 56e7 ea07 4e4e 0fc7
                         2847 f9a3 3912 e6bf 0404 0000 0000 0001
                         bede 3f94 4fc9 0a27 f66a cd40 3bb4 ef48
                         4500 0054 02bf 0000 ff01 b8af ce97 b184
                         ce97 b186 0800 28f5 2202 0000 cd21 9b37
                         51ac 0800 0809 0a0b 0c0d 0e0f 1011 1213
                         1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
                         2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
                         3435 3637
10:37:16.957262 0:60:1d:4:26:68 0:a0:cc:28:80:f8 0800 202: 206.151.177.134 > 206.151.177.132: ip-proto-57 168
                         4500 00bc 0015 0000 ff39 bab9 ce97 b186
                         ce97 b184 1008 0833 0000 9c3e 0200 0100
                         592d 3210 6557 0dba 6d08 19de af17 f7bb
                         56e7 ea07 4e4e 0fc7 2847 f9a3 3912 e6bf
                         0e68 2525 f51c d938 38ce 30a7 d4f1 cdca
                         0404 0000 0000 0001 c94c 6b5f 8267 8eae
                         d19e 04f9 0900 8dc8 4500 0054 05d3 0000
                         ff01 b59b ce97 b186 ce97 b184 0000 36da
                         2202 0100 ce21 9b37 49c7 0800 0809 0a0b
                         0c0d 0e0f 1011 1213 1415 1617 1819 1a1b
                         1c1d 1e1f 2021 2223 2425 2627 2829 2a2b
                         2c2d 2e2f 3031 3233 3435 3637

-------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 25 9:42:56 1999
Date: Sun, 25 Jul 1999 12:41:47 -0400 (EDT)
From: wpaul@comet.columbia.edu (Bill Paul)
To: jflowers@ezo.net (Jim Flowers)
Cc: skip-info@skip-vpn.org, security@freebsd.org
Subject: Re: wi driver with SKIP
Message-Id: <199907251641.MAA08658@comet.columbia.edu>
In-Reply-To: from Jim Flowers at "Jul 25, 1999 12:12:34 pm"

Of all the gin joints in all the towns in all the world, Jim Flowers had
to walk into mine and say:

> Comments below.
>
> Jim Flowers
> #4 ISP on C|NET, #1 in Ohio
>
> On Fri, 23 Jul 1999, Bill Paul wrote:
> >
> > Ideally what you ought to do is run tcpdump -n -e -p -x -s1514 -i wi0
> > on both sides. This will avoid putting the interface into promiscuous
> > mode (changes the operation of the NIC slightly) and will dump out the
> > packet contents. At this point, you show me the packet contents so I can
> > see for myself the difference between how the frame should look and how
> > it ultimately does look.
>
> OK the results are at the end of this email. Tests with SKIP turned off
> show identical packets are copied to bpf at each end. These are
> unencrypted so you can see the packet within the packet starting in the
> sixth line.

Grrrrr! You've changed the test conditions again! In your last mail, you
said the two hosts both had WaveLAN/IEEE ISA cards in them! Now you're
telling me that one side has a WaveLAN/EC and a PNIC-based ethernet card
instead! These two concepts are *not* interchangeable, do you understand?
An ethernet card + WaveLAN/EC is *not* the same as an ISA WaveLAN/IEEE
card!

Now look: take the WaveLAN/EC thing and put it away. Don't touch it again
before this exchange is through or I'm going to hurt you. I mean it.
You can not switch back and forth between two different hardware
configurations and expect to obtain any useful data! Now try the test
*again* with actual, honest to gosh WaveLAN/IEEE cards this time.

> From these tests, it seems conclusive that sometime after the outbound
> packets are copied to bpf in the wi driver but before they are copied to
> bpf in the pn driver, they are truncated to 64 bytes following the IP
> header. Beyond that, the packet before it is truncated looks pretty
> normal so I'm at a dead end. Maybe something will leap out at you.

No! That's not the conclusion to draw at all! Look closely at the second
host! It receives 306 bytes, but it sends back only 202 bytes! Now, in
theory the ICMP echo request and ICMP echo reply packets should be exactly
the same size, but clearly the other side is only sending 202 bytes:
tcpdump shows us this. I don't understand why SKIP would be causing the
ICMP echo reply packet to be so much smaller than the received request
packet.

> >
> > Furthermore, what happens when you ping W2 from W1?
> >
>
> Same thing, only there is no turnaround as the initial ping-request
> cannot be de-encapsulated.

Grrr. But again, you're not really using two WaveLAN/IEEE ISA cards like
you said you were.

-Bill

-- 
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Department of Electrical Engineering
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "Mulder, toads just fell from the sky!"
                         "I guess their parachutes didn't open."
=============================================================================
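Bill Paul's objection above rests on comparing what tcpdump reports on each side (306 bytes received, 202 bytes sent back, and "truncated-ip - 104 bytes missing!" on the pn0 side) with what the IP header itself declares. The Python script below is an added example, not part of the original thread; the hex words are copied from Jim Flowers' two captures, while the parser, the IPv4 header and checksum checks, and the walk over nested headers are this example's own. It does not decode the SKIP (ip-proto-57) header format; instead a nested header is recognised by a heuristic of the example's own: a plausible IPv4 header whose total length spans exactly the remaining captured bytes and whose checksum verifies. Run over the bytes on this page, it reports three nested IPv4 headers in the 292-byte request (offsets 0, 104 and 208), two in the 188-byte reply, and the pn0 copy of that reply as 104 bytes short of its declared length.

```python
"""Check the tcpdump -x frames quoted in this thread for truncation.

Added example, not code from the original mailing-list thread.  The hex
words are copied from the captures above; the rest is this example's own
and does not decode the SKIP (ip-proto-57) header format itself.
"""
import struct


def parse_hexdump(text):
    """Turn tcpdump -x style hex words ('4500 0124 ...') into bytes."""
    return bytes.fromhex("".join(text.split()))


# Echo request as captured on the sending host: tcpdump printed "306:" on
# the wire, i.e. 292 bytes of IP after the 14-byte Ethernet header.
REQUEST = parse_hexdump("""
4500 0124 000f 0000 ff39 ba57 ce97 b184 ce97 b186 1008 0833 0000 9c3e 0200 0100
7669 1c83 2925 a284 30ed 377c 90fe ae5b 0e68 2525 f51c d938 38ce 30a7 d4f1 cdca
56e7 ea07 4e4e 0fc7 2847 f9a3 3912 e6bf 0404 0000 0000 0001 4ca2 2dd7 3e9f 5d13
a134 8e1a bd04 85a9 4500 00bc 000e 0000 ff39 bac0 ce97 b184 ce97 b186 1008 0833
0000 9c3e 0200 0100 7669 1c83 2925 a284 30ed 377c 90fe ae5b 0e68 2525 f51c d938
38ce 30a7 d4f1 cdca 56e7 ea07 4e4e 0fc7 2847 f9a3 3912 e6bf 0404 0000 0000 0001
bede 3f94 4fc9 0a27 f66a cd40 3bb4 ef48 4500 0054 02bf 0000 ff01 b8af ce97 b184
ce97 b186 0800 28f5 2202 0000 cd21 9b37 51ac 0800 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
3435 3637""")

# Echo reply as captured on the wi0 host ("202:", i.e. 188 bytes of IP).
REPLY = parse_hexdump("""
4500 00bc 0015 0000 ff39 bab9 ce97 b186 ce97 b184 1008 0833 0000 9c3e 0200 0100
592d 3210 6557 0dba 6d08 19de af17 f7bb 56e7 ea07 4e4e 0fc7 2847 f9a3 3912 e6bf
0e68 2525 f51c d938 38ce 30a7 d4f1 cdca 0404 0000 0000 0001 c94c 6b5f 8267 8eae
d19e 04f9 0900 8dc8 4500 0054 05d3 0000 ff01 b59b ce97 b186 ce97 b184 0000 36da
2202 0100 ce21 9b37 49c7 0800 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b
1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637""")

# The pn0 host saw only the first 84 IP bytes of that same reply (the "98:"
# frame tcpdump flagged as "truncated-ip - 104 bytes missing!").
TRUNCATED_REPLY = REPLY[:84]


def ipv4_checksum_ok(header):
    """One's-complement sum over the whole header folds to 0xffff if valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def ipv4_header(buf, off):
    """Decode the IPv4 header at buf[off:], or None if none is plausible."""
    if off + 20 > len(buf) or buf[off] >> 4 != 4:
        return None
    ihl = (buf[off] & 0x0F) * 4
    if ihl < 20 or off + ihl > len(buf):
        return None
    return {
        "offset": off, "ihl": ihl,
        "total_len": struct.unpack("!H", buf[off + 2:off + 4])[0],
        "proto": buf[off + 9],
        "src": ".".join(str(b) for b in buf[off + 12:off + 16]),
        "dst": ".".join(str(b) for b in buf[off + 16:off + 20]),
        "checksum_ok": ipv4_checksum_ok(buf[off:off + ihl]),
    }


def analyze(frame):
    """Compare declared and captured length, then walk nested IPv4 headers."""
    outer = ipv4_header(frame, 0)
    if outer is None:
        raise ValueError("frame does not start with an IPv4 header")
    captured = len(frame)
    missing = max(0, outer["total_len"] - captured)
    layers = [outer]
    # Heuristic (this example's own, no SKIP decoding): a nested header is a
    # valid IPv4 header whose length spans exactly the rest of the frame.
    # Skipped when bytes are missing, since a cut-off frame cannot pass it.
    pos = outer["ihl"]
    while missing == 0 and layers[-1]["proto"] != 1:   # stop at ICMP
        found = None
        for off in range(pos, captured - 20 + 1):
            h = ipv4_header(frame, off)
            if h and h["checksum_ok"] and h["total_len"] == captured - off:
                found = h
                break
        if found is None:
            break
        layers.append(found)
        pos = found["offset"] + found["ihl"]
    return {"captured": captured, "declared": outer["total_len"],
            "missing": missing, "layers": layers}


def describe(result):
    """Human-readable summary lines, one per nested IPv4 header."""
    lines = ["captured %(captured)d of %(declared)d declared bytes, "
             "%(missing)d missing" % result]
    for h in result["layers"]:
        lines.append("  ip header at %3d: proto %2d len %3d %s > %s cksum %s"
                     % (h["offset"], h["proto"], h["total_len"], h["src"],
                        h["dst"], "ok" if h["checksum_ok"] else "BAD"))
    return lines


if __name__ == "__main__":
    for name, frame in (("request", REQUEST), ("reply", REPLY),
                        ("reply as seen on pn0", TRUNCATED_REPLY)):
        print(name)
        print("\n".join(describe(analyze(frame))))
```

The length comparison alone settles what tcpdump's "104 bytes missing" means (the outer header of the pn0 copy declares 188 bytes, 84 were captured), and the checksum check guards the nested-header heuristic against matching random bytes inside the encrypted SKIP payload. The heuristic is only a stand-in for a real SKIP decoder: it finds a nested header only when that header's length field spans the rest of the frame, which is also why it refuses to look past the outer header of the truncated copy.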
From owner-freebsd-security Sun Jul 25 11:18:55 1999
Date: Sun, 25 Jul 1999 20:21:04 +0200
From: root
To: freebsd-security@freebsd.org
Subject: Shadow pwd from Linux to FreeBSD
Message-ID: <379B5590.8C76E9FE@is.hu>

Hi!

I have a mixed network with some linux (RedHat) and freebsd (3.1)
servers. I want to take my users from linux to freebsd, but I don't know
how I can convert the linux shadow passwd file to freebsd master.passwd.
Any program, converter? ( any idea?
:) )

regards,
Szabo Zoltan

From owner-freebsd-security Sun Jul 25 12:29:46 1999
Date: Sun, 25 Jul 1999 14:35:54 -0500 (CWT)
From: Chriss
To: root
Cc: freebsd-security@freebsd.org
Subject: Re: Shadow pwd from Linux to FreeBSD
In-Reply-To: <379B5590.8C76E9FE@is.hu>

It's a matter of taking the fields from /etc/passwd and /etc/shadow and
rearranging them into /etc/master.passwd. There's a perl script I use for
this; I posted it to freebsdrocks.com in the how-to, I believe. But just be
sure to move just the ones you want; don't go changing the system accounts
or things will complain.

-chris

On Sun, 25 Jul 1999, root wrote:

> Hi!
>
> I have a mixed network with some linux (RedHat) and freebsd (3.1)
> servers. I want
> to take my users from linux to freebsd, but I don't know how I can convert
> the linux
> shadow passwd file to freebsd master.passwd.
> Any program, converter? ( any idea?
> :) )
>
> regards,
> Szabo Zoltan
>

From owner-freebsd-security Sun Jul 25 13:53:49 1999
Date: Mon, 26 Jul 1999 06:54:57 +1000
From: Sue Blake
To: security@freebsd.org
Subject: Re: sandbox??
Message-ID: <19990726065455.N7324@welearn.com.au>
References: <19990726040233.E7349@welearn.com.au> <19990725214712.F14954@daemon.ninth-circle.org>
In-Reply-To: <19990725214712.F14954@daemon.ninth-circle.org>; from Jeroen Ruigrok/Asmodai on Sun, Jul 25, 1999 at 09:47:12PM +0200

On Sun, Jul 25, 1999 at 09:47:12PM +0200, Jeroen Ruigrok/Asmodai wrote:
> [ Please direct all follow-ups to security@freebsd.org as the topic fits
> that list. Reply-To set ]
>
> * Sue Blake (sue@welearn.com.au) [990725 20:29]:
> >
> > On Mon, Jul 19, 1999 at 07:58:01AM -0400, T. William Wells wrote:
> > > In article <19990719212431.D300@welearn.com.au>,
> > > Sue Blake wrote:
> > > : Could someone tell me what is a sandbox, what does it do, how does it
> > > : work, how do I use it, or where is it documented?
> > > : named(8) and security(8) seem to assume one already knows.
> > >
> > > It's a generic term.
> > > It refers to a restricted environment in
> > > which something is to be done. Exactly how a sandbox is
> > > implemented depends on the specific application.
> >
> > If nobody understands how this sandbox thing works, we should change
> > the named.conf that we supply. If somebody does, then they or someone
> > who they teach (me if really necessary) needs to document it so that
> > anyone seriously interested can figure it out on their own (or at least
> > accept the defaults with confidence), and then change at least the
> > named.conf to point to that info. It sounds like a good idea, worth
> > giving people the resources to use it.
>
> Basically one has to depict a sandbox like a, erhm, sandbox ;)
>
> It's a dug hole with raised low stone walls to keep kindergarten aged kids
> within the sandbox to play with the sand, etc.

But ironically, in this case (named) we want to keep the FreeBSD "kids"
out of the sandbox until they are sure they know how to implement it :-)

Either we need documentation (and/or pointers) for the background
theory and a guide to its actual implementation for named in FreeBSD to
encourage people to use it, or we need to disambiguate and discourage
its use in named.conf while providing non-sandbox examples for
secondaries in the new style config file that the "kids" can learn from
without confusion. After some good feedback on sandboxes, it seems that
the latter is the more appropriate, particularly in view of the
concurrent scarcity of documentation for BIND 8.

Thanks for the security explanation. A lot of people seem to be
interested in this but too afraid to ask :-) There must be a good book
that explains it all. Anyone know?
It would almost be worth buying and
studying another book in order to be eligible to ask questions on how
to use the examples provided in the new named.conf :-) Better still, if
it can be condensed into something digestible by newbies I might try
writing a summary introduction with examples, recommending either for
or against its use by learners.

-- 

Regards,
        -*Sue*-

From owner-freebsd-security Sun Jul 25 15:51:16 1999
Date: Sun, 25 Jul 1999 15:50:49 -0700 (PDT)
From: Mike Hoskins
To: Sue Blake
Cc: security@FreeBSD.ORG
Subject: Re: sandbox??
In-Reply-To: <19990726065455.N7324@welearn.com.au>

On Mon, 26 Jul 1999, Sue Blake wrote:
> without confusion. After some good feedback on sandboxes, it seems that
> the latter is the more appropriate, particularly in view of the
> concurrent scarcity of documentation for BIND 8.

I really don't understand all the confusion. A quick search for 'BIND
sandbox' turned up hits for me. BIND 8, as well, is one of the most
documented services in existence. If you prefer online documentation,
there's ISC's numerous resources and a plethora of mirrors (antisocial.net
is one). If you like hard copies, DNS & BIND 3rd. Ed. is great for BIND
4.x and 8.x.
Re: BIND Sandbox, see http://www.psionic.com/papers/dns/dns-openbsd/ for
a general idea of what we're talking about, and how many of us were
implementing this before it was a default 'feature'. I'm glad to finally
see it included.

I run BIND in a sandbox on my 3.2-R and 4.0-C systems and it works great.
Rather than setting up a non-standard chroot() area I just kept
/etc/namedb around, did a 'chgrp bind /etc/namedb', 'chmod 774
/etc/namedb', and added a 'pid-file "/etc/namedb/named.pid";' entry to
named.conf so named wouldn't need access to /var/run.

Mike Hoskins

From owner-freebsd-security Sun Jul 25 19:40: 5 1999
Date: Sun, 25 Jul 1999 19:39:39 -0700
From: Doug
To: Sue Blake
Cc: security@freebsd.org
Subject: Re: sandbox??
Message-ID: <379BCA6B.FEBDFE47@gorean.org>
References: <19990726040233.E7349@welearn.com.au> <19990725214712.F14954@daemon.ninth-circle.org> <19990726065455.N7324@welearn.com.au>

Sue Blake wrote:
> Either we need documentation (and/or pointers) for the background
> theory and a guide to its actual implementation for named in FreeBSD to
> encourage people to use it, or we need to disambiguate and discourage
> its use in named.conf while providing non-sandbox examples for
> secondaries in the new style config file that the "kids" can learn from
> without confusion. After some good feedback on sandboxes, it seems that
> the latter is the more appropriate, particularly in view of the
> concurrent scarcity of documentation for BIND 8.

I agree that the current named.conf file is too messy, too confusing, and
provides too many examples of ways to shoot oneself in the foot. However,
you are incorrect about the level of documentation available for BIND 8.
Someone else already provided you a pretty good bibliography.

> Thanks for the security explanation. A lot of people seem to be
> interested in this but too afraid to ask :-)

Well that's just silly. We can't help people who don't ask questions, and
we certainly can't help people who are "afraid" to post a question to a
mailing list.

> There must be a good book
> that explains it all. Anyone know? It would almost be worth buying and
> studying another book in order to be eligible to ask questions on how
> to use the examples provided in the new named.conf :-) Better still, if
> it can be condensed into something digestible by newbies I might try
> writing a summary introduction with examples, recommending either for
> or against its use by learners.

New users should not be messing with DNS, and they definitely should not
be messing with advanced features like the experimental sandbox code.
At minimum a user should read the cricket book, and have a good
understanding of _why_ they would want to set up a DNS server in the first
place.

I'll take a look at the current file and see about simplifying it this
week; of course that doesn't guarantee that it'll get committed.

Doug

From owner-freebsd-security Sun Jul 25 21:48: 8 1999
Date: Mon, 26 Jul 1999 12:48:16
From: Estee Goh
To: FreeBSD-security@freebsd.org
Subject: Help, it is urgent
Message-Id: <3.0.6.32.19990726124816.00930070@server.cybersource.com.sg>

Hi,

My name is Estee. I had done some modifications on the access.login file,
and now it causes me to not be able to log in to the system at all, no
matter whether as root or a normal user. All access has been denied. What
should I do? Please reply ASAP, because this is very very urgent..
regards,
Estee Goh

From owner-freebsd-security Sun Jul 25 21:53:45 1999
Date: Mon, 26 Jul 1999 00:53:58 -0400
From: "James C. Durham"
To: freebsd-security@freebsd.org
Subject: ssh2 tunneling through firewall
Message-ID: <379BE9E6.48971781@w2xo.pgh.pa.us>

This is sort of a security problem, as it deals with firewalls and ssh,
but sort of a networking problem, so excuse me if this is the wrong
group...

I have a remote server with a public IP address. I have a local firewall
machine and a LAN with several machines with private IP addresses
(10.x.x.x). I'd like to be able to use ssh2 to tunnel IP connections on
the remote server to ports on one of the local machines. I elected to try
forwarding telnet requests (port 23) for simplicity.

According to the ssh2 man page, this should be possible, but I always get
"denied by server" to the forwarding request. I assume that "server" in
this context means the local machine, since the message is coming from
the remote machine? I'm a little confused about what is happening here.
The man page says that the connection request for the port on the server
would be sent down the secure channel to the *local* machine and the
connection would be made from the local machine. I have tried its
10.x.x.x address, its local name from /etc/hosts and also tried
"localhost", all with the same results. If the connection is made from
the local machine, it certainly should have no problem connecting to
localhost:23.

sshd2 is running on the local machine and the remote machine.

I'm using

    ssh2 -R 23:localhost:23 my.server.xx.xx

Does anyone know what I'm doing wrong here?

-- 
Jim Durham

From owner-freebsd-security Sun Jul 25 22: 4:32 1999
Date: Sun, 25 Jul 1999 22:02:19 -0700 (PDT)
From: Matthew Dillon
To: Mike Hoskins
Cc: Sue Blake, security@FreeBSD.ORG
Subject: Re: sandbox??
Message-Id: <199907260502.WAA42888@apollo.backplane.com>

:I run BIND in a sandbox on my 3.2-R and 4.0-C systems and it works great.
:Rather than setting up a non-standard chroot() area I just kept
:/etc/namedb around, did a 'chgrp bind /etc/namedb', 'chmod 774
:/etc/namedb', and added a 'pid-file "/etc/namedb/named.pid";' entry to
:named.conf so named wouldn't need access to /var/run.
:
:Mike Hoskins
:

Ouch, I wouldn't do that! Leave the files and directories that named only
reads owned by root and modes 644 or 755.
Only files and directories that named *writes* need to be owned by the
sandbox... that usually means the secondary zone directory, which I
usually create a subdirectory for. For the same reason, named and its
support binaries should be owned by root even if run as user bind.

-Matt
Matthew Dillon

From owner-freebsd-security Sun Jul 25 22: 5:34 1999
Date: Mon, 26 Jul 1999 15:03:44 +1000
From: "Andrew Johns"
To: "Estee Goh" ,
Subject: RE: Help, it is urgent
Message-ID: <003001bed724$3c44d110$4001a8c0@tasajohns.turnaround.com.au>
In-Reply-To: <3.0.6.32.19990726124816.00930070@server.cybersource.com.sg>

Reboot to single user (boot -s for 3.0+, -s for < 3.0). You will probably
have to do this with the reset button if it won't let you in, unless you
already have one terminal logged in. Then:

'fsck' to fix your hard reboot
'reboot' to reboot with clean disks.
Go to single user mode (-s) again.
'mount -u /' to mount / read/write.
'mount -a' to mount remaining partitions.
'vi login.access' and fix.
'logout' of single user (CTRL+D) to boot multi-user with new login.access
'man login.access' to find out why the 1st attempt failed :)

HTH
AJ

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Estee Goh
> Sent: Monday, 26 July 1999 22:48
> To: FreeBSD-security@FreeBSD.ORG
> Subject: Help, it is urgent
>
>
> Hi,
>
> My name is Estee. I had done some modifications on
> the access.login file, and now
> it causes me to not be able to log in to the system at all, no
> matter whether as root or a normal
> user. All access has been denied. What should I do? Please
> reply ASAP, because
> this is very very urgent..
>
>
>
> regards,
> Estee Goh

From owner-freebsd-security Sun Jul 25 22:22:34 1999
Date: Mon, 26 Jul 1999 01:20:17 -0400
From: "E.L."
To: Sue Blake
Cc: security@freebsd.org
Subject: Re: sandbox??
Message-ID: <379BF011.6A7610B@osi-technologies.com>
References: <19990726040233.E7349@welearn.com.au> <19990725214712.F14954@daemon.ninth-circle.org> <19990726065455.N7324@welearn.com.au>

If you want an example, see openbsd 2.5 (www.openbsd.org) where the
default config for named uses this sandbox concept.

EX

Sue Blake wrote:

> On Sun, Jul 25, 1999 at 09:47:12PM +0200, Jeroen Ruigrok/Asmodai wrote:
> > [ Please direct all follow-ups to security@freebsd.org as the topic fits
> > that list. Reply-To set ]
> >
> > * Sue Blake (sue@welearn.com.au) [990725 20:29]:
> > >
> > > On Mon, Jul 19, 1999 at 07:58:01AM -0400, T. William Wells wrote:
> > > > In article <19990719212431.D300@welearn.com.au>,
> > > > Sue Blake wrote:
> > > > : Could someone tell me what is a sandbox, what does it do, how does it
> > > > : work, how do I use it, or where is it documented?
> > > > : named(8) and security(8) seem to assume one already knows.
> > > >
> > > > It's a generic term. It refers to a restricted environment in
> > > > which something is to be done. Exactly how a sandbox is
> > > > implemented depends on the specific application.
> > >
> > > If nobody understands how this sandbox thing works, we should change
> > > the named.conf that we supply. If somebody does, then they or someone
> > > who they teach (me if really necessary) needs to document it so that
> > > anyone seriously interested can figure it out on their own (or at least
> > > accept the defaults with confidence), and then change at least the
> > > named.conf to point to that info. It sounds like a good idea, worth
> > > giving people the resources to use it.
> >
> > Basically one has to depict a sandbox like a, erhm, sandbox ;)
> >
> > It's a dug hole with raised low stone walls to keep kindergarten aged kids
> > within the sandbox to play with the sand, etc.
>
> But ironically, in this case (named) we want to keep the FreeBSD "kids"
> out of the sandbox until they are sure they know how to implement it :-)
>
> Either we need documentation (and/or pointers) for the background
> theory and a guide to its actual implementation for named in FreeBSD to
> encourage people to use it, or we need to disambiguate and discourage
> its use in named.conf while providing non-sandbox examples for
> secondaries in the new style config file that the "kids" can learn from
> without confusion. After some good feedback on sandboxes, it seems that
> the latter is the more appropriate, particularly in view of the
> concurrent scarcity of documentation for BIND 8.
>
> Thanks for the security explanation. A lot of people seem to be
> interested in this but too afraid to ask :-) There must be a good book
> that explains it all. Anyone know? It would almost be worth buying and
> studying another book in order to be eligible to ask questions on how
> to use the examples provided in the new named.conf :-) Better still, if
> it can be condensed into something digestible by newbies I might try
> writing a summary introduction with examples, recommending either for
> or against its use by learners.
>
> --
>
> Regards,
> -*Sue*-

From owner-freebsd-security Sun Jul 25 22:48: 0 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 6B79514C36 for ; Sun, 25 Jul 1999 22:47:58 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id WAA27881; Sun, 25 Jul 1999 22:47:07 -0700 (PDT)
Message-ID: <19990725224707.A27741@best.com>
Date: Sun, 25 Jul 1999 22:47:07 -0700
From: "Jan B. Koum "
To: "E.L." , Sue Blake
Cc: security@FreeBSD.ORG
Subject: Re: sandbox??
References: <19990726040233.E7349@welearn.com.au> <19990725214712.F14954@daemon.ninth-circle.org> <19990726065455.N7324@welearn.com.au> <379BF011.6A7610B@osi-technologies.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <379BF011.6A7610B@osi-technologies.com>; from E.L. on Mon, Jul 26, 1999 at 01:20:17AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Securing DNS (OpenBSD/FreeBSD Version): http://www.psionic.com/papers/dns/dns-openbsd/

-- Yan

On Mon, Jul 26, 1999 at 01:20:17AM -0400, "E.L." wrote:
> If you want an example, see openbsd 2.5 (www.openbsd.org) where the default
> config for named uses this sandbox concept.
> EX
>
> Sue Blake wrote:
>
> > On Sun, Jul 25, 1999 at 09:47:12PM +0200, Jeroen Ruigrok/Asmodai wrote:
> > > [ Please direct all follow-ups to security@freebsd.org as the topic fits
> > > that list. Reply-To set ]
> > >
> > > * Sue Blake (sue@welearn.com.au) [990725 20:29]:
> > > >
> > > > On Mon, Jul 19, 1999 at 07:58:01AM -0400, T.
> > > > William Wells wrote:
> > > > > In article <19990719212431.D300@welearn.com.au>,
> > > > > Sue Blake wrote:
> > > > > : Could someone tell me what is a sandbox, what does it do, how does it
> > > > > : work, how do I use it, or where is it documented?
> > > > > : named(8) and security(8) seem to assume one already knows.
> > > > >
> > > > > It's a generic term. It refers to a restricted environment in
> > > > > which something is to be done. Exactly how a sandbox is
> > > > > implemented depends on the specific application.
> > > >
> > > > If nobody understands how this sandbox thing works, we should change
> > > > the named.conf that we supply. If somebody does, then they or someone
> > > > who they teach (me if really necessary) needs to document it so that
> > > > anyone seriously interested can figure it out on their own (or at least
> > > > accept the defaults with confidence), and then change at least the
> > > > named.conf to point to that info. It sounds like a good idea, worth
> > > > giving people the resources to use it.
> > >
> > > Basically one has to depict a sandbox like a, erhm, sandbox ;)
> > >
> > > It's a dug hole with raised low stone walls to keep kindergarten aged kids
> > > within the sandbox to play with the sand, etc.
> >
> > But ironically, in this case (named) we want to keep the FreeBSD "kids"
> > out of the sandbox until they are sure they know how to implement it :-)
> >
> > Either we need documentation (and/or pointers) for the background
> > theory and a guide to its actual implementation for named in FreeBSD to
> > encourage people to use it, or we need to disambiguate and discourage
> > its use in named.conf while providing non-sandbox examples for
> > secondaries in the new style config file that the "kids" can learn from
> > without confusion. After some good feedback on sandboxes, it seems that
> > the latter is the more appropriate, particularly in view of the
> > concurrent scarcity of documentation for BIND 8.
> >
> > Thanks for the security explanation. A lot of people seem to be
> > interested in this but too afraid to ask :-) There must be a good book
> > that explains it all. Anyone know? It would almost be worth buying and
> > studying another book in order to be eligible to ask questions on how
> > to use the examples provided in the new named.conf :-) Better still, if
> > it can be condensed into something digestible by newbies I might try
> > writing a summary introduction with examples, recommending either for
> > or against its use by learners.
> >
> > --
> >
> > Regards,
> > -*Sue*-

From owner-freebsd-security Sun Jul 25 23:27: 7 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 923D6152F0 for ; Sun, 25 Jul 1999 23:26:50 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id AAA63252; Mon, 26 Jul 1999 00:26:08 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id AAA37753; Mon, 26 Jul 1999 00:27:05 -0600 (MDT)
Message-Id: <199907260627.AAA37753@harmony.village.org>
To: "James C. Durham"
Subject: Re: ssh2 tunneling through firewall
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Mon, 26 Jul 1999 00:53:58 EDT." <379BE9E6.48971781@w2xo.pgh.pa.us>
References: <379BE9E6.48971781@w2xo.pgh.pa.us>
Date: Mon, 26 Jul 1999 00:27:05 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <379BE9E6.48971781@w2xo.pgh.pa.us> "James C. Durham" writes:
: Does anyone know what I'm doing wrong here?

GatewayPorts "Yes" in your .ssh/config.
It defaults to "no".

Warner

From owner-freebsd-security Mon Jul 26 2: 0:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 40381152DF for ; Mon, 26 Jul 1999 02:00:43 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id LAA02339; Mon, 26 Jul 1999 11:00:34 +0200 (CEST) (envelope-from des)
To: "Andrew Johns"
Cc: "Estee Goh" ,
Subject: Re: Help, it ois urgent
References: <003001bed724$3c44d110$4001a8c0@tasajohns.turnaround.com.au>
From: Dag-Erling Smorgrav
Date: 26 Jul 1999 11:00:33 +0200
In-Reply-To: "Andrew Johns"'s message of "Mon, 26 Jul 1999 15:03:44 +1000"
Message-ID:
Lines: 30
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Andrew Johns" writes:
> Reboot to single user (boot -s for 3.0+, -s for < 3.0). You will
> probably have to do this with the reset button if it won't let you in,
> unless you already have one terminal logged in.

Ctrl-Alt-Del should still work.

> 'fsck' to fix your hard reboot

'fsck -p'

> 'reboot' to reboot with clean disks.
> Go to single user mode (-s) again.

No need.

> 'mount -u /' to mount / read/write.
> 'mount -a' to mount remaining partitions.

No, 'mount -at nonfs' should take care of both. 'mount -a' might fail if
you have NFS or vinum file systems listed in /etc/fstab.

> 'vi login.access' and fix.
vi will probably complain if you don't set the TERM variable first
('setenv TERM cons25' in csh, 'export TERM=cons25' in Bourne shell)

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon Jul 26 10:30:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 7871214D96 for ; Mon, 26 Jul 1999 10:30:15 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id LAA22927 for ; Mon, 26 Jul 1999 11:28:08 -0600 (MDT)
Message-Id: <4.2.0.58.19990726112737.045f3770@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Mon, 26 Jul 1999 11:28:06 -0600
To: security@freebsd.org
From: Brett Glass
Subject: This from Bugtraq this weekend....
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Approved-By: aleph1@SECURITYFOCUS.COM
>Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
>Date: Sat, 24 Jul 1999 01:26:28 +0000
>Reply-To: Scott
>Sender: Bugtraq List
>From: Scott
>Subject: Re: Linux +ipchains+ ping -R
>X-To: Andrej Todosic
>X-cc: BUGTRAQ@SECURITYFOCUS.COM
>To: BUGTRAQ@SECURITYFOCUS.COM
>
>About 2 weeks ago someone made me aware of a similar bug in FreeBSD
>with natd/ipfw. I tested it on my own computer (FreeBSD 3.2-STABLE) and
>the result was an immediate result reboot without any logging.
>
>This firewall rule fixes the problem on my FreeBSD box. Adjust it
>accordingly for the logging options, etc. Make sure it's the 1st rule
>listed.
>
>
>deny log ip from any to any ipopt rr
>
>
>-Scott
>
>On Thu, 22 Jul 1999, Andrej Todosic wrote:
>
> > Hello ,
> >
> > i am not quite sure if this has been discussed or if there is a fix already
> > but i'd still like to mention it.
> >
> > linux firewall setup 2.2.5 or 2.2.10 and ipchains + Nat + advanced router
> >
> >
> > if you are less than nine hops away from it ping -R and ( assuming the fw
> > lets the packets go through ) you get a kernel panic .
> >
> >
> > You can't go wrong . i tried it on more than one firewall and more than one
> > kernel.
> >
> >
> > PS if you are testing it do make sure you are not going through the fw for a
> > connection ( which how i screwed myself up and left the ping -R in the
> > background )
> >
> >
> > Andrej
> >

From owner-freebsd-security Mon Jul 26 17:39: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (w2xo.pgh.pa.us [206.210.70.5]) by hub.freebsd.org (Postfix) with ESMTP id BFAFA14DA3 for ; Mon, 26 Jul 1999 17:39:03 -0700 (PDT) (envelope-from durham@w2xo.pgh.pa.us)
Received: from w2xo.pgh.pa.us (shazam.internal [10.0.0.3]) by w2xo.pgh.pa.us (8.9.2/8.9.1) with ESMTP id AAA62962; Tue, 27 Jul 1999 00:36:26 GMT (envelope-from durham@w2xo.pgh.pa.us)
Message-ID: <379CFF2C.4BEC3EE3@w2xo.pgh.pa.us>
Date: Mon, 26 Jul 1999 20:37:00 -0400
From: "James C.
Durham"
Organization: dis-
X-Mailer: Mozilla 4.61 [en] (X11; U; FreeBSD 3.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh2 tunneling through firewall
References: <379BE9E6.48971781@w2xo.pgh.pa.us> <199907260627.AAA37753@harmony.village.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Warner Losh wrote:
>
> In message <379BE9E6.48971781@w2xo.pgh.pa.us> "James C. Durham" writes:
> : Does anyone know what I'm doing wrong here?
>
> GatewayPorts "Yes" in your .ssh/config. It defaults to "no".
>
> Warner

Thanks, Warner, but in my man page it says this feature is unimplemented.
However, I tried it anyway and got "unrecognized configuration parameter".

regards,
--
Jim Durham

From owner-freebsd-security Mon Jul 26 22:43:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 18D05152BD for ; Mon, 26 Jul 1999 22:43:11 -0700 (PDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id XAA65922; Mon, 26 Jul 1999 23:43:05 -0600 (MDT) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id XAA50750; Mon, 26 Jul 1999 23:44:14 -0600 (MDT)
Message-Id: <199907270544.XAA50750@harmony.village.org>
To: "James C. Durham"
Subject: Re: ssh2 tunneling through firewall
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Mon, 26 Jul 1999 20:37:00 EDT."
<379CFF2C.4BEC3EE3@w2xo.pgh.pa.us>
References: <379CFF2C.4BEC3EE3@w2xo.pgh.pa.us> <379BE9E6.48971781@w2xo.pgh.pa.us> <199907260627.AAA37753@harmony.village.org>
Date: Mon, 26 Jul 1999 23:44:14 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <379CFF2C.4BEC3EE3@w2xo.pgh.pa.us> "James C. Durham" writes:
: Thanks, Warner, but in my man page it says this
: feature is unimplemented. However, I tried it anyway
: and got "unrecognized configuration parameter".

I had to add that in my config file when I upgraded my ssh recently.
However, it doesn't sound like that is the problem :-(.

Warner

From owner-freebsd-security Mon Jul 26 23:27:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from WEBBSD1.turnaround.com.au (webbsd1.turnaround.com.au [203.39.138.49]) by hub.freebsd.org (Postfix) with ESMTP id 8688514F83 for ; Mon, 26 Jul 1999 23:27:12 -0700 (PDT) (envelope-from A_Johns@TurnAround.com.au)
Received: from tasajohns (dhcp64.turnaround.com.au [192.168.1.64]) by WEBBSD1.turnaround.com.au (8.8.7/8.8.7) with SMTP id QAA28267; Tue, 27 Jul 1999 16:47:41 +1000 (EST) (envelope-from A_Johns@TurnAround.com.au)
From: "Andrew Johns"
To: "James C. Durham" ,
Subject: RE: ssh2 tunneling through firewall
Date: Tue, 27 Jul 1999 16:25:13 +1000
Message-ID: <001201bed7f8$c9008bb0$4001a8c0@tasajohns.turnaround.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
In-Reply-To: <379BE9E6.48971781@w2xo.pgh.pa.us>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[snip]
>
> sshd2 is running on the local machine and the remote machine.
> I'm using ssh2 -R 23:localhost:23 my.server.xx.xx
>
> Does anyone know what I'm doing wrong here?
>

I'm guessing, but do you need to specify your full localhost name as it
would be visible to the remote host, instead of using 'localhost' which
might be confusing the remote side as it may be trying to connect to
itself on port 23 via port 23 -> leading to its confusion (and mine
after that sentence :))

ie: does ssh2 -R 23:your.fully.qualified.local.host.name:23
remote.host.xx.yy work any better?

HTH
AJ

From owner-freebsd-security Tue Jul 27 1:38:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id AF73814F40; Tue, 27 Jul 1999 01:38:12 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id EAA15096; Tue, 27 Jul 1999 04:37:08 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Tue, 27 Jul 1999 04:37:08 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: jkoshy@FreeBSD.org
Cc: freebsd-security@FreeBSD.org
Subject: Re: yet more ways to attack executing binaries (was Re: deny ktrace without read permissions? )
In-Reply-To: <199907270304.UAA57529@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 26 Jul 1999 jkoshy@FreeBSD.org wrote:

> > Another cool attack on this mechanism is if the binary uses shared
> > libraries: modify LD_LIBRARY_PATH so that its favorite shared library is
> > your own version of the library, that proceeds to dump the entire
> > application to disk when executed.
>
> Yes, it is certainly a subtle attack.
> I wonder if shared libs aren't more
> trouble than gain.

From the point of view of pluggable application code (PAM, crypto, etc)
they are a wonderful boon. From the point of view of clear boundaries
between bodies of executable code and traditional concepts of programs and
processes, they certainly muddy the water. We've seen a number of attacks
on NT and Windows based on centralized OS management of shared
libraries--I think our mechanism of driving it from the user side works
better, but one does have to be careful of "features" like
LD_LIBRARY_PATH. It enables things like SOCKS proxy code without modifying
the application, but also encourages this muddying.

The real answer, as someone pointed out, may be to avoid trying to break
out of the traditional UNIX uid-based protection domains: doing so seems
only to cause angst :-). Moving towards a model of carefully audited and
well-defined IPC between different protection domains might be better.
For example, instead of using setuid applications and relying on a series
of hacks to prevent debugging, shared libraries, etc, instead having
daemons that listen on IPC channels (i.e., UNIX domain sockets or TCP
ports, POSIX FIFOs, etc) in well-known locations. For example, a password
daemon listening on /var/run/auth/passwd_socket that takes advantage of
the local credential passing to authenticate the connection, and then
provides password-related services via carefully audited LPC code. Once
this is done, suddenly you don't have to audit the entire application,
only its communication code, and you don't have to worry about the mixed
credentials from setuid. Of course, programs like sendmail have shown that
it's possible to really botch a communications protocol implementation,
but part of the problem there is the text-based interface and complication
of the issue.
Robert N M Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Computing Laboratory at Cambridge University
Safeport Network Services

From owner-freebsd-security Tue Jul 27 2:59:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id 6C95014E2E for ; Tue, 27 Jul 1999 02:58:51 -0700 (PDT) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id LAA16324; Tue, 27 Jul 1999 11:58:42 +0200 (CEST)
Message-ID: <19990727115841.C14540@foobar.franken.de>
Date: Tue, 27 Jul 1999 11:58:41 +0200
From: Harold Gutch
To: "James C. Durham" , freebsd-security@FreeBSD.ORG
Subject: Re: ssh2 tunneling through firewall
References: <379BE9E6.48971781@w2xo.pgh.pa.us>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <379BE9E6.48971781@w2xo.pgh.pa.us>; from James C. Durham on Mon, Jul 26, 1999 at 12:53:58AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jul 26, 1999 at 12:53:58AM -0400, James C. Durham wrote:
> I'd like to be able to use ssh2 to tunnel IP connections
> on the remote server to ports on one of the local machines.
>
> I elected to try forwarding telnet requests (port 23)
> for simplicity.
>
> sshd2 is running on the local machine and the remote machine.
> I'm using ssh2 -R 23:localhost:23 my.server.xx.xx
               ^^
I don't use ssh2, but assuming that the syntax is the same as in
ssh1, you're trying to bind to port 23, which won't work unless
you're root. Does binding to a port higher than 1024 work ?

bye,
Harold
--
Sleep is an abstinence syndrome which occurs due to lack of caffein.
Wed Mar 4 04:53:33 CET 1998 #unix, ircnet

From owner-freebsd-security Tue Jul 27 4:58:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (w2xo.pgh.pa.us [206.210.70.5]) by hub.freebsd.org (Postfix) with ESMTP id 95D28153DD for ; Tue, 27 Jul 1999 04:58:32 -0700 (PDT) (envelope-from durham@w2xo.pgh.pa.us)
Received: from w2xo.pgh.pa.us (shazam.internal [10.0.0.3]) by w2xo.pgh.pa.us (8.9.2/8.9.1) with ESMTP id LAA64407; Tue, 27 Jul 1999 11:56:05 GMT (envelope-from durham@w2xo.pgh.pa.us)
Message-ID: <379D9E7A.894D5595@w2xo.pgh.pa.us>
Date: Tue, 27 Jul 1999 07:56:42 -0400
From: "James C. Durham"
Organization: dis-
X-Mailer: Mozilla 4.61 [en] (X11; U; FreeBSD 3.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Harold Gutch
Cc: freebsd-security@FreeBSD.ORG, A_Johns@TurnAround.com.au
Subject: Re: ssh2 tunneling through firewall
References: <379BE9E6.48971781@w2xo.pgh.pa.us> <19990727115841.C14540@foobar.franken.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Harold Gutch wrote:
>                ^^
> I don't use ssh2, but assuming that the syntax is the same as in
> ssh1, you're trying to bind to port 23, which won't work unless
> you're root. Does binding to a port higher than 1024 work ?
>

I *was* root, but just for giggles, I tried a port > 1024 and got the
same results.

Andrew Johns wrote:
>> I'm guessing, but do you need to specify your full localhost name as it
> would be visible to the remote host, instead of using 'localhost' which
> might be confusing the remote side as it may be trying to connect to
> itself on port 23 via port 23 -> leading to its confusion (and mine
> after that sentence :))
>
> ie: does ssh2 -R 23:your.fully.qualified.local.host.name:23
> remote.host.xx.yy work any better?
Nope, tried that too, as well as the numeric IP address. 8-).

The error message says "Operation denied by the server". This is a little
confusing... the message is coming from the local machine, so the "server"
would be the remote host running sshd2. Checking /var/log/messages on the
remote machine says something like "Failed to open listen on 0.0.0.0:23".
Hmmm... it looks like it's not getting the address of the local machine.

Thanks for the input, folks, but I'm still getting nowhere!

-Jim Durham

From owner-freebsd-security Tue Jul 27 21:22:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (w2xo.pgh.pa.us [206.210.70.5]) by hub.freebsd.org (Postfix) with ESMTP id C503E14CF5 for ; Tue, 27 Jul 1999 21:22:37 -0700 (PDT) (envelope-from durham@w2xo.pgh.pa.us)
Received: from w2xo.pgh.pa.us (shazam.internal [10.0.0.3]) by w2xo.pgh.pa.us (8.9.2/8.9.1) with ESMTP id EAA66785 for ; Wed, 28 Jul 1999 04:22:14 GMT (envelope-from durham@w2xo.pgh.pa.us)
Message-ID: <379E85A1.1E734862@w2xo.pgh.pa.us>
Date: Wed, 28 Jul 1999 00:22:57 -0400
From: "James C. Durham"
Organization: dis-
X-Mailer: Mozilla 4.61 [en] (X11; U; FreeBSD 3.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: SSH2 Won't forward priviledged ports
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Please see my previous posting regarding problems with forwarding ports
using ssh2. I am trying to forward ports from a machine outside my
firewall to a machine inside the firewall using ssh2.

I found that I *can* forward non-privileged ports just fine. According to
the documentation, root can forward privileged ports. I still can not do
this, even though I log in as root. I can forward ports > 1024, but not
< 1024.
Somehow, even though I'm being authenticated as root for login purposes,
I'm not being authenticated for port forwarding. I've made keys for both
the client and server machines for root.

Anyone have any ideas where to look for this authentication problem? I
particularly want to forward port 80, so this is a real hangup!

--
Jim Durham

From owner-freebsd-security Tue Jul 27 23:14:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id 60C1E14FB9 for ; Tue, 27 Jul 1999 23:13:59 -0700 (PDT) (envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id IAA28855; Wed, 28 Jul 1999 08:11:37 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199907280611.IAA28855@gratis.grondar.za>
To: Harold Gutch
Cc: "James C. Durham" , freebsd-security@FreeBSD.ORG
Subject: Re: ssh2 tunneling through firewall
Date: Wed, 28 Jul 1999 08:11:36 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Mon, Jul 26, 1999 at 12:53:58AM -0400, James C. Durham wrote:
> > I'd like to be able to use ssh2 to tunnel IP connections
> > on the remote server to ports on one of the local machines.
> >
> > I elected to try forwarding telnet requests (port 23)
> > for simplicity.
> >
> > sshd2 is running on the local machine and the remote machine.
> > I'm using ssh2 -R 23:localhost:23 my.server.xx.xx
>                ^^
> I don't use ssh2, but assuming that the syntax is the same as in
> ssh1, you're trying to bind to port 23, which won't work unless
> you're root. Does binding to a port higher than 1024 work ?
You really want to forward a local port to the remote:

# ssh -L 23:remote.host.org:23 remote.host.org

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Wed Jul 28 19:21: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (w2xo.pgh.pa.us [206.210.70.5]) by hub.freebsd.org (Postfix) with ESMTP id A009914F5D for ; Wed, 28 Jul 1999 19:21:05 -0700 (PDT) (envelope-from durham@w2xo.pgh.pa.us)
Received: from w2xo.pgh.pa.us (shazam.internal [10.0.0.3]) by w2xo.pgh.pa.us (8.9.2/8.9.1) with ESMTP id CAA01022; Thu, 29 Jul 1999 02:20:27 GMT (envelope-from durham@w2xo.pgh.pa.us)
Message-ID: <379FBA55.61104FEF@w2xo.pgh.pa.us>
Date: Wed, 28 Jul 1999 22:20:05 -0400
From: "James C. Durham"
Organization: dis-
X-Mailer: Mozilla 4.61 [en] (X11; U; FreeBSD 3.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: pram512@antisocial.com, freebsd-security@freebsd.org
Subject: Re: ssh2 tunneling through firewall
References: <19990728210350.22272.rocketmail@web1004.mail.yahoo.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

ME wrote:
>
> I'm having similar problems, with much the same
> progress as you. If you do get it figured out, would
> you please make sure to post your solution to the
> list, so the rest of us can benefit? (of course, if I
> happen to find a solution, I'll do the same)
> Thanks
> -miak.

Well.. I feel like a real dunce. I usually find out that my problems are
something stupid I have overlooked, and this was no exception.

Somehow, there were processes listening on the ports involved. I had the
services commented out in inetd.conf, and I thought I had done a kill -1
on inetd, but maybe not.
Anyhow, there was a storm today and the remote server rebooted, and now it
works just fine.

I had thought, incorrectly, that it wouldn't forward any port, then I
discovered that I could forward ports 8888 and 1558. I then jumped to the
conclusion that it was only privileged ports that wouldn't forward,
...you see... I kept getting deeper... 8-).

Anyhow, it turns out that I must not have done an HUP on inetd and there
were listeners on those ports. That was the whole problem. It works fine
now. I have successfully forwarded web service and telnet through the
firewall.

The only thing I can say in my defense is that the error message said
"permission denied by server". It should have been "listener already
listening on port" or something of that sort. I know that FreeBSD will do
that if you start a service twice, so the error code exists.

Oh well, that's the story.

I did some experimenting with various arguments to the "-R" option in
ssh2. I found that "localhost" works just fine. The idea is that you can
forward a port anywhere that the local system can connect. You can use
any valid address. I guess you could forward your http port to any site
on the web!

A nice feature of this is that you can assign a machine on your LAN as
the "local server" and have it nail up an ssh connection to your "remote
server" off-site, then forward the various ports on the remote server to
various machines on your LAN. This will work even if they have no public
IP addresses because your local server should have their "phoney" IP
addresses in its /etc/hosts file. I tried this by forwarding from my
remote server through my local server to "shazam.internal", which is my
workstation and not known to the net at all. It worked fine. I'm very
pleased at this point.

Forwarding the telnet port to a system with tcpwrappers causes an
immediate disconnect. I'm not sure why, but I guess it detects the relay.

So, what you need to do is:

1. Set up sshd2 on your remote server.
2.
Make sure you have all the services listening on any port you want to
forward killed dead!
3. Set up ssh2 on your local server.
4. Nail up an ssh connection with:

   ssh2 -R 23:localhost:23 remote.server.xx

   (you must be root to forward ports < 1024).

Now, when you telnet to remote.server.xx you get the local server's telnet
login. If you use ssh2 -R 23:lanmachine1:23 remote.server.xx, then you
will see the telnet login of a machine on your LAN.

I've certainly got a bloody spot on the wall from banging my head, but I
finally got it! Duhhhh...

Thanks to all for the input!

--
Jim Durham

From owner-freebsd-security Thu Jul 29 7:31:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from prioris.im.pw.edu.pl (prioris.im.pw.edu.pl [148.81.80.7]) by hub.freebsd.org (Postfix) with ESMTP id 9F4D5155CA; Thu, 29 Jul 1999 07:31:12 -0700 (PDT) (envelope-from zaks@prioris.im.pw.edu.pl)
Received: (from localhost user: 'zaks', uid#501) by prioris.im.pw.edu.pl id ; Thu, 29 Jul 1999 16:14:57 +0200
Date: Thu, 29 Jul 1999 16:14:57 +0200
From: Slawek Zak
To: freebsd-ports@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Extracted files' permissions
Message-ID: <19990729161457.A727@prioris.im.pw.edu.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

When I lately extracted some packages, I have noticed that owners of the
files and directories are random (try make extract lang/lua or lang/erlang).
These UIDs may or may not exist on your system. If they do, the files can
be easily overwritten by a malicious user and lead to compromise of the
system.

So my question is if it should be treated as a bug, and reported to the
packager, or maybe there should be an additional step in extracting these
files, in which the owner would be changed to 0:0.
Of course the easiest solution would be chmod og= /usr/ports :)

-- 
* Suavek Zak
* email: zaks@im.pw.edu.pl voice: +48 (0) 22 674 66 79
* PGP v2.3: 2048/9A7CBF71, finger://zaks@prioris.im.pw.edu.pl

From owner-freebsd-security Thu Jul 29 9:05:52 1999
From: "Steve Brown"
To: "Chriss", "root"
Subject: Re: Shadow pwd from Linux to FreeBSD
Date: Thu, 29 Jul 1999 08:53:16 -0700
Message-ID: <005901bed9db$f43a9de0$5b48fea9@napanet.net>

Or do as I do: the actual system password file is not used by any services. All services have their own unique password file.

Steve

----- Original Message -----
From: Chriss
To: root
Sent: Sunday, July 25, 1999 12:35 PM
Subject: Re: Shadow pwd from Linux to FreeBSD

> It's a matter of taking the fields from /etc/passwd and /etc/shadow and
> rearranging them into /etc/master.passwd. There's a perl script I use for
> this I posted to freebsdrocks.com in the how-to I believe.
> But just be sure to move just the ones you want, don't go changing the
> system accounts or things will complain.
>
> -chris
>
> On Sun, 25 Jul 1999, root wrote:
>
> > Hi!
> >
> > I have a mixed network with some linux (RedHat) and freebsd (3.1)
> > servers. I want to take my users from linux to freebsd, but I don't
> > know how I can convert the linux shadow passwd file to freebsd
> > master.passwd.
> > Any program, converter? (any idea? :) )
> >
> > regards,
> > Szabo Zoltan

From owner-freebsd-security Thu Jul 29 16:52:02 1999
Date: Fri, 30 Jul 1999 01:51:11 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: "James C. Durham"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH2 Won't forward priviledged ports
In-Reply-To: <379E85A1.1E734862@w2xo.pgh.pa.us>

On Wed, 28 Jul 1999, James C. Durham wrote:

> According to the documentation, root can forward
> privileged ports.
> I still can not do this, even
> though I log in as root.
>
> I can forward ports > 1024, but not < 1024.

Works fine for me. It's only necessary to login as root on the remote side.

> Somehow, even though I'm being authenticated as root
> for login purposes, I'm not being authenticated for port
> forwarding. I've made keys for both the client and
> server machines for root.
>
> Anyone have any ideas where to look for this authentication
> problem? I particularly want to forward port 80, so
> this is a real hangup!

Ehm. Couldn't the problem be that some other process is already listening on the port - inetd or some other daemon?

Vlada Mencl

From owner-freebsd-security Fri Jul 30 2:14:04 1999
Date: Fri, 30 Jul 1999 12:14:23 +0300
From: "Andy V. Oleynik"
Organization: M-Info
To: Slawek Zak
Cc: freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Extracted files' permissions
Message-ID: <37A16CEF.657AE236@prime.net.ua>
References: <19990729161457.A727@prioris.im.pw.edu.pl>

It's not a seldom situation when a creator creates a package under his own uid/gid, which may not exist on other systems. Don't worry about it. Just write a perl script which reads the package list and chowns 0:0 all the stuff :)

Slawek Zak wrote:
> When I lately extracted some packages, I have noticed that owners of
> the files and directories are random (try make extract lang/lua or
> lang/erlang) These UIDs may or may not exist on your system. If they
> do, the files can be easily overwritten by a malicious user and lead to
> compromise of the system.
>
> So my question is if it should be treated as a bug, and reported to the
> packager, or maybe there should be an additional step in extracting
> these files, in which the owner would be changed to 0:0.
>
> Of course the easiest solution would be chmod og= /usr/ports :)
>
> --
> * Suavek Zak
> * email: zaks@im.pw.edu.pl voice: +48 (0) 22 674 66 79
> * PGP v2.3: 2048/9A7CBF71, finger://zaks@prioris.im.pw.edu.pl

-- 
WBW Andy V. Oleynik
(When U work in virtual office prime.net.ua's U have good chance to obtain system administrator virtual money ö%-)
+380442448363

From owner-freebsd-security Fri Jul 30 5:22:13 1999
From: "Thomas Uhrfelt"
Date: Fri, 30 Jul 1999 14:21:27 +0200

I solved the problem with the BROKEN tag in the SKIP makefile; this was due to a serious error on my part... I had cvsup:ed my ports tree with the . tag instead of RELENG_3_2_0, so I was as current as I could be, and since the SKIP port is broken in current... well, go figure. I have backed myself down to 3.2R ports now, and when I try to compile this (works great on the 3.2 machine) on a 3.1-R machine (of course with ports from 3.1-R; one only makes this kinda mistake once, huh?) I get the following:

orion# make clean
===> Cleaning for skip-1.0
orion# make install
===> Extracting for skip-1.0
>> Checksum OK for skipsrc-1.0.tar.Z.
===> skip-1.0 depends on file: /usr/X11R6/lib/libxview.a - found
===> skip-1.0 depends on file: /usr/X11R6/lib/X11/config/XView.cf - found
===> skip-1.0 depends on executable: gmake - found
===> skip-1.0 depends on shared library: xview.3 - found
===> Patching for skip-1.0
===> Applying FreeBSD patches for skip-1.0

... Lots of successful compiles here, now on to the troubling part ...

6/des_ede_ecb.o ../bdcmod/safer/bin.x86/skip_safercbc.o ../bdcmod/safer/bin.x86/safer.o ../common/bin.x86/md5.o
modstat: /dev/lkm: Device not configured
gmake[2]: *** [bin.x86/skip.o] Error 2
gmake[2]: Leaving directory `/usr/ports/security/skip/work/skip/freebsd'
gmake[1]: *** [freebsd] Error 2
gmake[1]: Leaving directory `/usr/ports/security/skip/work/skip'
gmake: *** [skip] Error 2
*** Error code 2
Stop.
*** Error code 1
Stop.
*** Error code 1
Stop.
*** Error code 1
Stop.
orion#

What is wrong? There is a /dev/lkm, so I have no idea what to do right now. Anyone?
Regards,
Thomas Uhrfelt

From owner-freebsd-security Fri Jul 30 6:36:52 1999
Date: Fri, 30 Jul 1999 15:35:08 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: Thomas Uhrfelt
Cc: freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: your mail

On Fri, 30 Jul 1999, Thomas Uhrfelt wrote:

> modstat: /dev/lkm: Device not configured
> What is wrong, there is a /dev/lkm, so I have no idea what to do right now?
> Anyone?

Well, the special file does exist, but the device is not configured. That's because in 3.2, LKMs were dropped in the change to .ko - kernel objects. That's the new format of kernel modules.

You can load a .ko kernel module for loading old LKM kernel modules:

kldload /modules/lkm.ko

Now the lkm interface should be up, and you should be able to succeed with SKIP. I hope there's no collision between the two schemes of kernel modules.

Vladimir Mencl

From owner-freebsd-security Fri Jul 30 7:28:14 1999
Date: Fri, 30 Jul 1999 11:00:13 -0300 (EST)
From: Gustavo Rios
To: freebsd-security@freebsd.org
Subject: ssyslogd

Does anybody here use secure syslogd? I got it from its home page, but it does not compile under freebsd, but goes well with linux!

Any tip?

-- 
What's the similarity between an air conditioner and a computer? They both stop working when you open windows.
From owner-freebsd-security Fri Jul 30 9:05:17 1999
From: Darren Reed
Message-Id: <199907301605.CAA27926@cheops.anu.edu.au>
Subject: Re: ssyslogd
To: grios@ddsecurity.com.br (Gustavo Rios)
Date: Sat, 31 Jul 1999 02:05:18 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Gustavo Rios" at Jul 30, 99 11:00:13 am

In some mail from Gustavo Rios, sie said:
>
> Does anybody here use secure syslogd?
> I got it from its home page, but it does not compile under freebsd, but
> goes well with linux!
>
> Any tip?

get a secure syslogd that works with ssl from:

http://coombs.anu.edu.au/~avalon/nsyslog.html

From owner-freebsd-security Fri Jul 30 11:32:55 1999
Date: Fri, 30 Jul 1999 14:32:34 -0400 (EDT)
From: Mark
To: freebsd-security@freebsd.org
Subject: SUBSCRIBE

subscribe

---------------------------------------------------
Mark Rekai - INetU, Inc.(tm) - http://www.INetU.net
Electronic commerce - Web development - Web hosting
Mark@INetU.net - Phone: (610) 266-7441

From owner-freebsd-security Fri Jul 30 12:29:19 1999
Date: Fri, 30 Jul 1999 15:27:54 -0400 (EDT)
Reply-To: Will Andrews
From: Will Andrews
To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Subject: RE: skip port

Moved this to FreeBSD-ports, the correct mailing list for problems with ports. Please make all replies there and not freebsd-net or -security.

On 30-Jul-99 Thomas Uhrfelt wrote:
> I solved the problem with the BROKEN tag in the SKIP makefile, this was due
> to a serious error on my part .. I had cvsup:ed my ports tree with the . tag
> instead of RELENG_3_2_0, so I was as current I could be, and since the SKIP
> port is broken in current.. well go figure.. I have backed myself down to
> 3.2R ports now and when I try to compile this (works great on the 3.2
> machine) on a 3.1-R machine (of course with ports from 3.1-R, one only makes
> this kinda mistake once huh?) I get the following:

There's a reason ports are set BROKEN.. see ports/9949. Perhaps (since this is the latest PR I could find relating to skip) they forgot to take the "BROKEN" line out.. or something else is broken, and there was no PR as to why it was set "BROKEN" again. (Although kern/12703 indicates a problem with a particular device, tx0; it does not state if/why skip would be set BROKEN.) See http://www.FreeBSD.ORG/cgi/query-pr.cgi?pr=9949 and http://www.FreeBSD.ORG/cgi/query-pr.cgi?pr=12703 for more information.

> orion# make clean
> ===> Cleaning for skip-1.0
> orion# make install
> ===> Extracting for skip-1.0
> >> Checksum OK for skipsrc-1.0.tar.Z.
> ===> skip-1.0 depends on file: /usr/X11R6/lib/libxview.a - found
> ===> skip-1.0 depends on file: /usr/X11R6/lib/X11/config/XView.cf - found
> ===> skip-1.0 depends on executable: gmake - found
> ===> skip-1.0 depends on shared library: xview.3 - found
> ===> Patching for skip-1.0
> ===> Applying FreeBSD patches for skip-1.0
>
> ... Lots of successful compiles here, now on to the troubling part ...
>
> 6/des_ede_ecb.o ../bdcmod/safer/bin.x86/skip_safercbc.o
> ../bdcmod/safer/bin.x86/safer.o ../common/bin.x86/md5.o
> modstat: /dev/lkm: Device not configured
> gmake[2]: *** [bin.x86/skip.o] Error 2
> gmake[2]: Leaving directory `/usr/ports/security/skip/work/skip/freebsd'
> gmake[1]: *** [freebsd] Error 2
> gmake[1]: Leaving directory `/usr/ports/security/skip/work/skip'
> gmake: *** [skip] Error 2

According to ports/9949, this program was remade as a KLD.. thus you wouldn't be using /dev/lkm.. (as far as I know :)

Would Archie Cobbs like to take over explaining this? :)

-- 
Will Andrews
System Administrator, Gatekeeper Technologies
http://www.gatekeep.net/ - Powered by FreeBSD

From owner-freebsd-security Fri Jul 30 18:59:51 1999
From: Archie Cobbs
Message-Id: <199907310159.SAA31040@bubba.whistle.com>
Subject: Re: skip port
In-Reply-To: from Will Andrews at "Jul 30, 1999 03:13:24 pm"
To: andrews@TECHNOLOGIST.COM (Will Andrews)
Date: Fri, 30 Jul 1999 18:59:07 -0700 (PDT)
Cc: thomas.uhrfelt@plymovent.se (Thomas Uhrfelt), freebsd-security@FreeBSD.ORG, freebsd-net@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG, archie@whistle.com (Archie Cobbs)

Will Andrews writes:
> According to ports/9949, this program was remade as a KLD..
> thus you wouldn't be using /dev/lkm.. (as far as I know :)
>
> Would Archie Cobbs like to take over explaining this? :)

Sure.. there are two separate things going on. When FreeBSD switched from LKM -> KLD, the skip port broke (in -current) and was subsequently fixed by me. That was 6 months ago or so.

More recently (in the past couple of weeks) the skip port was broken again (again, in -current only) due to the changes to the dev_t stuff.

So as it stands now, it is broken for -current. However, it will work for 3.2 *but* you of course must get the right version of the port. Or you can get the head version and uncomment the BROKEN= line.

That's the information I have :-)

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

From owner-freebsd-security Fri Jul 30 22:41:55 1999
Message-Id: <199907310543.XAA86286@harmony.village.org>
To: "James C. Durham"
Subject: Re: SSH2 Won't forward priviledged ports
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 28 Jul 1999 00:22:57 EDT." <379E85A1.1E734862@w2xo.pgh.pa.us>
References: <379E85A1.1E734862@w2xo.pgh.pa.us>
Date: Fri, 30 Jul 1999 23:43:47 -0600
From: Warner Losh

In message <379E85A1.1E734862@w2xo.pgh.pa.us> "James C. Durham" writes:
: I can forward ports > 1024, but not < 1024.

Feature. Unless you are root, you cannot bind to those ports.

: Somehow, even though I'm being authenticated as root
: for login purposes, I'm not being authenticated for port
: forwarding. I've made keys for both the client and
: server machines for root.

Are you root on the client machine? If not, then your ssh process cannot bind to low numbered ports. The kernel will not allow it. If you are root when you run the ssh to the remote machine (and not merely authorized for root login on the remote machine), then you have found a bug in ssh.

Warner