From: Robert Watson
Date: Sun, 14 Sep 2008 11:12:46 +0100 (BST)
To: mouss
Cc: freebsd-security@freebsd.org, Khachatur Shahinyan, Toby Burress
Subject: Re: Freebsd auto locking users
In-Reply-To: <48CC26A7.6020407@netoyen.net>

On Sat, 13 Sep 2008, mouss wrote:

>> A quick search doesn't show me any port for enforcing password age. For
>> what it's worth, I once emailed Bruce Schneier about the effectiveness of
>> that and he said he never changed his passwords (based on age, anyway).
>> But there's probably something.
>
> Given that it's not easy to select a good password (both strong and easy to
> remember), password expiration sometimes results in weak passwords or in
> forgotten ones, or, if no measure is taken against it, people change back to
> old ones.
>
> http://www.cryptosmith.com/sanity/expharmful.html
> http://www.rsa.com/blog/blog_entry.aspx?id=1286
> http://www.cerias.purdue.edu/site/blog/post/password-change-myths/P50/
>
> and the other side has its proponents of course:
>
> http://lopsa.org/node/29

While these complaints about password expiration are certainly true, it
seems like a common policy required by many sites, and failing to be able
to support that policy will limit our ability to run at those sites. It
would be nice if we could complete the implementation of some of those
password-related policies.

Robert N M Watson
Computer Laboratory
University of Cambridge

From: Micheas Herman <m@micheas.net>
Date: Sun, 14 Sep 2008 03:28:22 -0700
To: freebsd-security
Subject: Re: Freebsd auto locking users (minor correction)
Message-Id: <1221388102.5857.4.camel@mars.sf.greencampaigns.com>

On Sun, 2008-09-14 at 11:12 +0100, Robert Watson wrote:
> On Sat, 13 Sep 2008, mouss wrote:
>
> > and the other side has its proponents of course:
> >
> > http://lopsa.org/node/29

This should be http://lopsa.org/node/295

--
"... all the modern inconveniences ..."
-- Mark Twain

From: mouss
Date: Sun, 14 Sep 2008 13:04:24 +0200
Cc: freebsd-security@freebsd.org
Subject: Re: Freebsd auto locking users
Message-ID: <48CCEFB8.7090402@netoyen.net>

Robert Watson wrote:
> [snip]
>> http://lopsa.org/node/29

Missing trailing '5'. Thanks Micheas.

> While these complaints about password expiration are certainly true, it
> seems like a common policy required by many sites, and failing to be
> able to support that policy will limit our ability to run at those
> sites. It would be nice if we could complete the implementation of some
> of those password-related policies.

Agreed. Give them the tools and the documentation, and let them decide.

From: Khachatur Shahinyan
Date: Tue, 16 Sep 2008 11:30:48 +0500
To: freebsd-security@freebsd.org
Subject: Re: Freebsd auto locking users
Message-ID: <48CF5298.9020601@arca.am>
In-Reply-To: <20080914065041.3600784c.trhodes@FreeBSD.org>

Yes, pam_abl is the correct PAM module to solve this problem. After reading
its manual I was able to lock users and log the authentication failures.
Thank you for the help.

But the password expiration and warning issues are still open.

Thank you,
Khachatur Shahinyan

Tom Rhodes wrote:
> On Sat, 13 Sep 2008 15:26:10 +0500
> Khachatur Shahinyan wrote:
>
>> Tom Rhodes wrote:
>>
>>> On Sat, 13 Sep 2008 11:35:21 +0500
>>> Khachatur Shahinyan wrote:
>>>
>>>> Tom Rhodes wrote:
>>>>
>>>>> On Sat, 13 Sep 2008 10:42:06 +0500
>>>>> Khachatur Shahinyan wrote:
>>>>>
>>>>>> Dear FreeBSD gurus, I have a problem concerning user password and
>>>>>> authentication policies.
>>>>>> The goal is
>>>>>> 1) make FreeBSD lock users after 3 unsuccessful login attempts,
>>>>>> 2) force users to change their passwords every 90 days
>>>>>>
>>>>>> I've done such changes in Linux distros, with various PAM modules. But in
>>>>>> FreeBSD it seems that I need to use the login.conf file. Here I made the
>>>>>> necessary changes in that file:
>>>>>>
>>>>>> default:\
>>>>>> .............
>>>>>> .............
>>>>>> .............
>>>>>> :login-retries=1:\
>>>>>> :passwordtime=90d:\
>>>>>> :warnpassword=7d:\
>>>>>> :warnexpire=7d:\
>>>>>>
>>>>>> Then I ran cap_mkdb /etc/login.conf, and everything went normally,
>>>>>> no error messages, but after adding a test user I see no changes in the
>>>>>> master.passwd file.
>>>>>> The fields which are reserved for password aging parameters are 0:0
>>>>>> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>>>>>>
>>>>>> And the locking point does not work either, e.g. no matter how many
>>>>>> times I input a wrong password, I'm still able to login. :(
>>>>>> I cannot understand what I'm doing wrong, and what should be done to solve
>>>>>> these issues? I'm not an expert in FreeBSD administration, so any comments
>>>>>> and suggestions are welcome.
>>>>>>
>>>>> You should be able to set these via the pw(8) utility.
>>>>>
>>>> Thank you for the fast reply.
>>>>
>>>> Yes, some settings can be done via "pw", but it does not support auto
>>>> locking.
>>>>
>>> I'm about to be going to bed soon, but how did you accomplish
>>> this in Linux? We have PAM configuration in /etc/pam.d, you
>>> may wish to look there.
>>>
>> We have a few Red Hat Linux machines, and solved this problem with faillog
>> (http://linux.die.net/man/8/faillog) and pam_tally
>> (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_tally.html).
>> It took over 30 minutes to fully configure the system.
>> But in the case of
>> FreeBSD, it does not seem to be that easy :)
>>
> Someone mentioned this port:
>
> security/pam_abl
>
> The description of this pam module is:
>
> localhost# cat /usr/ports/security/pam_abl/pkg-descr
> The pam_abl provides auto blacklisting of hosts and users
> responsible for repeated failed authentication attempts.
>
> WWW: http://www.hexten.net/pam_abl/
>
> Which sounds interesting and will most likely do what you want.

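The "0:0" Khachatur quotes are the change and expire columns of master.passwd (name:password:uid:gid:class:change:expire:gecos:home:shell), both Unix epoch timestamps where 0 means "never". Whatever tool stamps those fields (the thread points at pw(8)), an audit of the resulting records is what shows whether the 90-day policy actually took effect. The script below is an added example, not code from the thread, from pw(8) or from FreeBSD: it parses constructed master.passwd lines (the test account quoted above plus invented accounts with placeholder hashes), flags accounts whose change field is 0 (no aging will ever be enforced, whatever login.conf says), and reports which passwords are expired or inside a 7-day warning window. The fixed "now" timestamp and the 90-day/7-day policy values are assumptions for the demonstration.

```python
"""Audit FreeBSD master.passwd password-aging fields (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

DAY = 86400

# Constructed sample. The first line is the test account quoted in the thread;
# the others are invented, with placeholder (not real) password hashes.
SAMPLE_MASTER_PASSWD = """\
test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
alice:$1$placeholder$AAAAAAAAAAAAAAAAAAAAAA:1002:1002:staff:1230000000:0:Alice:/home/alice:/bin/sh
bob:$1$placeholder$BBBBBBBBBBBBBBBBBBBBBB:1003:1003:staff:1222000000:0:Bob:/home/bob:/bin/sh
carol:$1$placeholder$CCCCCCCCCCCCCCCCCCCCCC:1004:1004:staff:1220000000:0:Carol:/home/carol:/bin/sh
dave:$1$placeholder$DDDDDDDDDDDDDDDDDDDDDD:1005:1005:staff:1230000000:1221000000:Dave:/home/dave:/bin/sh
"""

# Assumed "current time" so the run is reproducible: Tue, 16 Sep 2008 (UTC).
NOW = 1221600000


@dataclass
class Account:
    name: str
    passwd: str
    uid: int
    gid: int
    cls: str
    change: int   # epoch at which the password must be changed, 0 = never
    expire: int   # epoch at which the account expires, 0 = never
    gecos: str
    home: str
    shell: str


def parse_master_passwd(text: str) -> List[Account]:
    """Parse master.passwd(5) records; each has exactly ten colon-separated fields."""
    accounts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        name, passwd, uid, gid, cls, change, expire, gecos, home, shell = fields
        accounts.append(Account(name, passwd, int(uid), int(gid), cls,
                                int(change), int(expire), gecos, home, shell))
    return accounts


def classify(acct: Account, now: int, warn_days: int) -> str:
    """Return one of: account-expired, no-aging, expired, warning, ok."""
    if acct.expire and acct.expire <= now:
        return "account-expired"
    if acct.change == 0:
        return "no-aging"          # nothing will ever force a password change
    if acct.change <= now:
        return "expired"
    if acct.change - now <= warn_days * DAY:
        return "warning"           # inside the warnpassword window
    return "ok"


def audit(text: str, now: int = NOW, warn_days: int = 7) -> List[Tuple[str, str]]:
    """Classify every account in a master.passwd text against the aging policy."""
    return [(a.name, classify(a, now, warn_days)) for a in parse_master_passwd(text)]


def next_change(now: int, passwordtime_days: int = 90) -> int:
    """Change timestamp a passwordtime=90d policy implies for a password set at 'now'."""
    return now + passwordtime_days * DAY


if __name__ == "__main__":
    for name, status in audit(SAMPLE_MASTER_PASSWD):
        print(f"{name:8} {status}")
    print("change field for a password set now under a 90-day policy:",
          next_change(NOW))
```

The interesting edge case is the first record: a change field of 0 is not "compliant by default", it is the value that disables aging entirely, so an audit should report it separately from passwords that merely have time left.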
From: Mike Tancsa <mike@sentex.net>
Date: Tue, 16 Sep 2008 10:34:51 -0400
To: Gunnar Flygt
Cc: freebsd-security@freebsd.org
Subject: Re: Heimdal or MIT for kerberos?
Message-Id: <200809161434.m8GEYi0Y037839@lava.sentex.ca>
In-Reply-To: <20080910063408.GA99970@sr.se>

At 02:34 AM 9/10/2008, Gunnar Flygt wrote:
> I'm very pleased with heimdal 1.1. I compile it from sources. No big
> problem. Compile on one machine and copy the file structure to the other
> at the same OS level. Then using openssh-gssapi-overwrite-base-5.0.p1,1
> with the KRB5_HOME flag set to the directory of heimdal. Same thing
> there, compile and make a package on one machine. The KDCs run FreeBSD
> 7 and the same release of heimdal as the others.

Hi,

Thanks for the response! When you installed heimdal 1.1 from the source,
did you overwrite the local libs, or did you keep everything in /usr/local?
Also, do you use hx509 at all and certs for pre-auth?

---Mike

> On Sun, Sep 07, 2008 at 07:55:26AM -0400, Mike Tancsa wrote:
> > We are looking at deploying Kerberos for better user management (SSO)
> > and 2 factor authentication via pkcs#11 etokens. The servers are all
> > FreeBSD and the machines principals will login from a mix of FreeBSD,
> > Windows and MAC OSX using ssh and openvpn. As part of our compliance
> > project, access must be 2 factor. The Heimdal in RELENG_7 is a
> > rather old version and doesn't seem to have all the bits needed for
> > x509 pre-auth so I would probably need to install from the ports
> > anyways. Does anyone have any suggestions as to which
> > implementation to use? We are in Canada so it doesn't matter
> > regulation wise. Is one better maintained than the other?
> > There are
> > no legacy v4 apps
> >
> > Thanks,
> >
> > ---Mike
> >
> > --------------------------------------------------------------------
> > Mike Tancsa, tel +1 519 651 3400
> > Sentex Communications, mike@sentex.net
> > Providing Internet since 1994 www.sentex.net
> > Cambridge, Ontario Canada www.sentex.net/mike

From: Ivan Grover
Date: Wed, 17 Sep 2008 17:23:06 +0530
To: freebsd-security@freebsd.org
Subject: Controlling PAM modules
Message-ID: <670f29e20809170453o43a2ae37sfd548de1ea7e70be@mail.gmail.com>

Hi All,

I am trying to use a few modules such as
  pam_radius - does remote authentication
  pam_abl - to lock users/IP addresses

My problem is: do I have any standard way to skip one of the PAM modules
without changing the service conf file?

Suppose I don't want to enable locking of users; then one solution I can
think of is to share a common database across the application and the PAM
modules. The application sets a flag which indicates whether pam_abl is
included or not. Then the pam_abl module will look into this database and
either simply return PAM_SUCCESS always or process the user lockouts.

Please advise/comment.

Best Regards,
Ivan.

From: freebsd-security@dfmm.org
Date: Wed, 17 Sep 2008 05:46:34 -0700 (PDT)
To: Ivan Grover
Cc: freebsd-security@freebsd.org
Subject: Re: Controlling PAM modules
In-Reply-To: <670f29e20809170453o43a2ae37sfd548de1ea7e70be@mail.gmail.com>

> Do I have any standard way to skip one of the PAM modules
> without changing the service conf file?

Why do you not want to change the per-service conf files? Those files
_are_ the database.
There are a bunch of strategies that you could use to, e.g., maintain your
alterations as a diff to the base-system config so as to make upgrades easier,
but a) to answer your question, no, there's nothing standard for that, and
b) that is an especially risky approach - you could completely break your
security, letting anyone in, or locking legitimate users out, etc.

-Jason

From: Ivan Grover
Date: Wed, 17 Sep 2008 21:46:15 +0530
To: freebsd-security@dfmm.org
Cc: freebsd-security@freebsd.org
Subject: Re: Controlling PAM modules
Message-ID: <670f29e20809170916g2cafdbaybc6745ce92ad0187@mail.gmail.com>

Thanks Jason.

Let me try to explain the complete problem:

I have three authentication modules
  -- pam_radius_auth.so (for remote authentication)
  -- pam_unix (unix local authentication)
  -- pam_opie (challenge/response)
and other accounting modules such as pam_abl.

I would like to place these in my service conf file in the best possible way.
Assume my service conf file looks like:

  auth required   pam_env.so
  auth required   pam_abl.so config=/etc/security/pam_abl.conf
  auth sufficient pam_radius_auth.so   // for remote authentication
  auth required   pam_unix.so
  auth required   pam_opie.so          // for challenge response

The user will try remote authentication; if it fails then he has to enter the
correct unix password and challenge/response (providing both might be
painful sometimes).

Please advise if the above doesn't look ok or if I missed something.

The PAM application can be configured in the following way:
- the setup doesn't want to use remote authentication; then pam_radius_auth.so
  is unnecessarily executed,
  so disable it;
- the setup doesn't want to use user lockouts/IP address lockouts; then
  pam_abl.so is unnecessary. Similarly, challenge/response software may not
  be there on the client side, so it doesn't want to run pam_opie.so. So
  disable both in this case.

By allowing such configurations, I might have to keep so many service conf
files, one for each configuration. Instead, can I have some other, better
approach, if any?

Does it make sense to leave it to the security administrator to configure
things in the desired way, or do we try to code the PAM modules in a proper
way so that they don't crash if they don't find the setup required?

Please let me know your comments.

On Wed, Sep 17, 2008 at 6:16 PM, <freebsd-security@dfmm.org> wrote:
>>> Do I have any standard way to skip one of the PAM modules
>>> without changing the service conf file?
>
> Why do you not want to change the per-service conf files? Those files
> _are_ the database.
>
> There are a bunch of strategies that you could use to, e.g., maintain your
> alterations as a diff to the base-system config so as to make upgrades easier,
> but a) to answer your question, no, there's nothing standard for that, and
> b) that is an especially risky approach - you could completely break your
> security, letting anyone in, or locking legitimate users out, etc.
>
> -Jason

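Which modules actually run for a given user, and what removing one of them changes, follows mechanically from the control flags in the stack Ivan posted. The script below is an added example, not code from the thread, from OpenPAM or from Linux-PAM: it parses an auth stack written in the pam.conf(5) line format (Ivan's stack, with his "//" remarks turned into "#" comments), evaluates it with the usual semantics of required, requisite, sufficient and optional as a simplified model (required failure is remembered and the chain continues; requisite failure stops at once; sufficient success returns immediately only if nothing has failed yet, and its failure is ignored; optional counts only when it is the sole module; Linux-PAM's bracketed [value=action] syntax and OpenPAM's binding flag are not modelled), and runs four constructed scenarios. Module results are stubbed as True/False in a dict, so no real module is loaded; the scenario names and the helper names are assumptions for the demonstration.

```python
"""Evaluate a PAM auth chain's control flags (added example, not OpenPAM code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

# The stack from the thread, with the "//" remarks turned into pam.conf comments.
IVAN_STACK = """\
auth required   pam_env.so
auth required   pam_abl.so config=/etc/security/pam_abl.conf
auth sufficient pam_radius_auth.so   # remote authentication
auth required   pam_unix.so
auth required   pam_opie.so          # challenge/response
"""


@dataclass
class Rule:
    control: str
    module: str
    args: List[str]


def parse_stack(text: str, facility: str = "auth") -> List[Rule]:
    """Parse pam.conf(5)-style lines 'facility control module [args...]' for one facility."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed line: {raw!r}")
        if parts[0] != facility:
            continue
        if parts[1] not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unsupported control flag: {parts[1]}")
        rules.append(Rule(parts[1], parts[2], parts[3:]))
    return rules


def without(stack: List[Rule], module: str) -> List[Rule]:
    """The chain with one module removed: what 'disable pam_abl' looks like in pam.conf."""
    return [r for r in stack if r.module != module]


def evaluate(stack: List[Rule], outcomes: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Walk the chain; outcomes maps module -> True (success) / False (failure).
    A module absent from outcomes is treated as failing, which is also what a
    module that cannot reach its backend (e.g. no RADIUS server) typically returns.
    Returns (final status, modules actually invoked, in order)."""
    if not stack:
        raise ValueError("empty chain")
    invoked: List[str] = []
    failed = False
    for rule in stack:
        invoked.append(rule.module)
        ok = outcomes.get(rule.module, False)
        if rule.control == "requisite" and not ok:
            return PAM_AUTH_ERR, invoked            # stop immediately
        if rule.control == "required" and not ok:
            failed = True                           # remember, but keep going
        if rule.control == "sufficient" and ok and not failed:
            return PAM_SUCCESS, invoked             # short-circuit only if nothing failed yet
        if rule.control == "optional" and len(stack) == 1:
            return (PAM_SUCCESS if ok else PAM_AUTH_ERR), invoked
    return (PAM_AUTH_ERR if failed else PAM_SUCCESS), invoked


# Constructed scenarios; True/False stand in for each module's return value.
RADIUS_OK = {"pam_env.so": True, "pam_abl.so": True, "pam_radius_auth.so": True}
RADIUS_REJECT_LOCAL_OK = {"pam_env.so": True, "pam_abl.so": True,
                          "pam_radius_auth.so": False, "pam_unix.so": True, "pam_opie.so": True}
RADIUS_REJECT_NO_OPIE = {"pam_env.so": True, "pam_abl.so": True,
                         "pam_radius_auth.so": False, "pam_unix.so": True, "pam_opie.so": False}
LOCKED_OUT = {"pam_env.so": True, "pam_abl.so": False,
              "pam_radius_auth.so": True, "pam_unix.so": True, "pam_opie.so": True}

if __name__ == "__main__":
    stack = parse_stack(IVAN_STACK)
    for label, outcomes in [("radius accepts", RADIUS_OK),
                            ("radius rejects, unix+opie ok", RADIUS_REJECT_LOCAL_OK),
                            ("radius rejects, opie fails", RADIUS_REJECT_NO_OPIE),
                            ("pam_abl lockout, radius accepts", LOCKED_OUT)]:
        status, ran = evaluate(stack, outcomes)
        print(f"{label:32} -> {status:12} ran: {' '.join(ran)}")
    status, ran = evaluate(without(stack, "pam_abl.so"), LOCKED_OUT)
    print(f"{'same, pam_abl removed':32} -> {status:12} ran: {' '.join(ran)}")
```

The fourth scenario is the one worth checking before deploying such a stack: because pam_abl is required and sits before the sufficient pam_radius_auth line, a locked-out user is refused even when RADIUS accepts, yet the later modules still run, so the user is still prompted for the unix password and OPIE response. Making pam_abl requisite would end the chain at once, with the usual trade-off that an early stop behaves observably differently from a wrong password. Disabling a module is, as Jason says, a one-line change to the service file, and the evaluator shows exactly which outcomes that line change alters.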
From: Ivan Grover
Date: Wed, 17 Sep 2008 21:52:31 +0530
To: freebsd-security@freebsd.org
Subject: passing data from PAM module
Message-ID: <670f29e20809170922r43e8c02dlcdeea6e76d18d659@mail.gmail.com>

Hi,

My PAM application uses the remote authentication module pam_radius_auth.so
for authenticating users against remote servers. There can be several remote
servers. In this case, can anyone please suggest to me the best way to gather
information on the several remote servers, such as
  -- server reachability (kind of returning an array saying server 1 is
     reachable, server 2 is unreachable)
  -- do they run the radius service
  ...etc.

I am trying to use pam_get_env / pam_set_env for the above. Please advise if
this is not the proper way. I looked at pam_set_data, but I think this can't
be used in a PAM application.

Best Regards,
Ivan

From: Simon L. Nielsen
Date: Sat, 20 Sep 2008 14:40:43 +0200
To: freebsd-security@FreeBSD.org
Subject: Spam filtering for mails to FreeBSD Security Team
Message-ID: <20080920124042.GD1151@arthur.nitro.dk>

Hey,

In the past security-officer@FreeBSD.org, and a few related addresses, had
spam filtering disabled, but due to the amount of spam those addresses were
receiving we had to enable spam filtering. It's the same filters as used for
the rest of FreeBSD.org.

To make sure people can still contact the FreeBSD Security Team, even if
spam filters are in the way, we have created a separate email address which
doesn't have filtering. This address is published on the FreeBSD Security
Website [1]. It's somewhat obfuscated, but if/when this address starts to
receive spam the address will be changed. The current address will always be
published on the FreeBSD Security Website.

It's annoying to have to do this, but with the current levels of spam we
risk real issues getting lost in the noise.

[1] http://security.FreeBSD.org/

--
Simon L. Nielsen
FreeBSD Deputy Security Officer