From owner-freebsd-security Mon Jun 30 21:04:44 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id VAA06362 for security-outgoing; Mon, 30 Jun 1997 21:04:44 -0700 (PDT)
Received: from cs.iastate.edu (cs.iastate.edu [129.186.3.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id VAA06353 for ; Mon, 30 Jun 1997 21:04:38 -0700 (PDT)
Received: from popeye.cs.iastate.edu (popeye.cs.iastate.edu [129.186.3.4]) by cs.iastate.edu (8.8.5/8.7.1) with ESMTP id XAA09513 for ; Mon, 30 Jun 1997 23:04:35 -0500 (CDT)
Received: from localhost (ghelmer@localhost) by popeye.cs.iastate.edu (8.8.5/8.7.1) with SMTP id XAA04167 for ; Mon, 30 Jun 1997 23:04:35 -0500 (CDT)
X-Authentication-Warning: popeye.cs.iastate.edu: ghelmer owned process doing -bs
Date: Mon, 30 Jun 1997 23:04:34 -0500 (CDT)
From: Guy Helmer
To: freebsd-security@freebsd.org
Subject: FreeBSD security paper - call for reviewers
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I am working on a paper, targeted at an average system administrator, describing how to secure a FreeBSD system. It's still a draft, but I would like to run it past a small set of reviewers for comments and thumbs-up/thumbs-down responses. If it has enough potential I would like to get it published somehow...

If you are interested and have a strong UNIX and network security background, please reply to me personally.
Thanks,
Guy Helmer

Guy Helmer, Computer Science Graduate Student - ghelmer@cs.iastate.edu
Iowa State University                          http://www.cs.iastate.edu/~ghelmer
Ames, Iowa, USA                                42 01'12"N, 93 40'23"W

From owner-freebsd-security Tue Jul 1 08:36:39 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA04531 for security-outgoing; Tue, 1 Jul 1997 08:36:39 -0700 (PDT)
Received: from rigel.cs.pdx.edu (root@rigel.cs.pdx.edu [204.203.64.22]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA04526 for ; Tue, 1 Jul 1997 08:36:37 -0700 (PDT)
Received: from sirius.cs.pdx.edu (root@sirius.cs.pdx.edu [204.203.64.13]) by rigel.cs.pdx.edu (8.8.5/8.8.5) with ESMTP id IAA02934; Tue, 1 Jul 1997 08:36:32 -0700 (PDT)
Received: from localhost (jrb@localhost [127.0.0.1]) by sirius.cs.pdx.edu (8.8.5/8.8.5) with ESMTP id IAA06051; Tue, 1 Jul 1997 08:36:30 -0700 (PDT)
Message-Id: <199707011536.IAA06051@sirius.cs.pdx.edu>
To: Guy Helmer
cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD security paper - call for reviewers
In-reply-to: Your message of "Mon, 30 Jun 1997 23:04:34 CDT."
Date: Tue, 01 Jul 1997 08:36:30 -0700
From: Jim Binkley
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I'll do it if you like. I am a DARPA principal investigator and network security/researcher/admin at PSU.
See http://www.cs.pdx.edu/~jrb

regards,

Jim Binkley
jrb@cs.pdx.edu

From owner-freebsd-security Tue Jul 1 10:03:01 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id KAA08563 for security-outgoing; Tue, 1 Jul 1997 10:03:01 -0700 (PDT)
Received: from rigel.cs.pdx.edu (root@rigel.cs.pdx.edu [204.203.64.22]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA08558 for ; Tue, 1 Jul 1997 10:02:59 -0700 (PDT)
Received: from sirius.cs.pdx.edu (root@sirius.cs.pdx.edu [204.203.64.13]) by rigel.cs.pdx.edu (8.8.5/8.8.5) with ESMTP id KAA04443 for ; Tue, 1 Jul 1997 10:02:57 -0700 (PDT)
Received: from localhost (jrb@localhost [127.0.0.1]) by sirius.cs.pdx.edu (8.8.5/8.8.5) with ESMTP id KAA07768 for ; Tue, 1 Jul 1997 10:02:55 -0700 (PDT)
Message-Id: <199707011702.KAA07768@sirius.cs.pdx.edu>
To: freebsd-security@FreeBSD.ORG
Subject: apology and question re certificate servers
In-reply-to: Your message of "Tue, 01 Jul 1997 08:36:30 PDT." <199707011536.IAA06051@sirius.cs.pdx.edu>
Date: Tue, 01 Jul 1997 10:02:54 -0700
From: Jim Binkley
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I hate it when I try and send personal mail and send it to a mailing list... Sigh. Sorry ... shoot too quick and the foot hurts.

But on the other hand, a question for anyone on the mailing list. Has anybody tried to set up any kind of certificate server on any kind of system? With what results? I'm not even sure what is available to play with at this point; e.g., that might cost money or be free.

1. netscape server + certificate server, I presume, to do ssl 3.0 stuff with netscape clients.
2. dns sec stuff somewhere?
3. ssleay?
regards,

Jim Binkley
jrb@cs.pdx.edu

From owner-freebsd-security Tue Jul 1 12:30:50 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA16104 for security-outgoing; Tue, 1 Jul 1997 12:30:50 -0700 (PDT)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA16098 for ; Tue, 1 Jul 1997 12:30:48 -0700 (PDT)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.5/8.6.9) with ESMTP id MAA29190; Tue, 1 Jul 1997 12:30:29 -0700 (PDT)
To: Jim Binkley
cc: freebsd-security@FreeBSD.ORG
Subject: Re: apology and question re certificate servers
In-reply-to: Your message of "Tue, 01 Jul 1997 10:02:54 PDT." <199707011702.KAA07768@sirius.cs.pdx.edu>
Date: Tue, 01 Jul 1997 12:30:29 -0700
Message-ID: <29187.867785429@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Has anybody tried to set up any kind of certificate server
> on any kind of system? With what results?

www.c2.org offers StrongHold, which I've set up on several FreeBSD systems for secure ordering. We also use the Netscape commerce server for BSDI here at Walnut Creek CDROM. Both work well.
Jordan

From owner-freebsd-security Tue Jul 1 14:34:46 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA22849 for security-outgoing; Tue, 1 Jul 1997 14:34:46 -0700 (PDT)
Received: from mailbox.nosc.mil (mailbox.nosc.mil [198.253.27.40]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA22819 for ; Tue, 1 Jul 1997 14:34:32 -0700 (PDT)
Received: from localhost (swann@localhost) by mailbox.nosc.mil (8.8.3/8.8.3) with SMTP id RAA21791; Tue, 1 Jul 1997 17:19:08 -0400 (EDT)
X-Authentication-Warning: mailbox.nosc.mil: swann owned process doing -bs
Date: Tue, 1 Jul 1997 17:19:07 -0400 (EDT)
From: Bryan Swann
X-Sender: swann@mailbox
To: mika ruohotie
cc: freebsd-security@FreeBSD.ORG
Subject: SSHD logging
In-Reply-To: <199706281358.QAA24251@shadows.aeon.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I've been looking into ssh and its logging capabilities. It appears that a typical connection using the ssh daemon is logged by default at the "info" level. The "debug" level shows additional information, but nothing of great concern, IMHO. Most of my other servers such as telnet and ftp log the same type of information at the "notice" level.

The default configuration of my Sun Solaris box would not display the logging information from the ssh daemon; you will need to edit the syslog configuration files. But, my HP box logs data at the "info" level by default. I'm no expert in this area, but it appears that HP and Sun do not agree on the information that should be logged and the level at which it should be logged.

If you want to see every connection to the ssh daemon, be sure to configure syslog to log at the "info" level. I would assume that failed connections are logged at a higher priority, but I haven't tested yet.

Hope this helps.
__________________________________________________________________________
| Bryan Swann (swann@nosc.mil)           803/974-4267  803/974-5080 (Fax) |
| Eagan McAllister Associates, Inc.                                       |
|                                                                         |
| "Everything must be working perfectly, cause I don't smell any smoke"   |
--------------------------------------------------------------------------

On Sat, 28 Jun 1997, mika ruohotie wrote:

> > > Denied connections were logged, allowed ones weren't, IIRC.
> >
> > Not good enough for me, so I'm running sshd out of inetd.
> > Well, as a matter of taste I prefer to keep all the access control stuff
> > in one file, and I've always used the extended language option for
> > tcpwrappers.
>
> hmm...
>
> pardon me if i'm not really understanding what you want to do...
>
> my out from the box sshd logs the incoming connections well, all i
> did was add a line to /etc/syslog.conf
>
> auth.* goes to its own file auth.all (and is rotated once a month)
>
> sample output from sshd:
>
> Jun 28 16:49:07 shadows sshd[24172]: log: Connection from 194.111.220.20 port 1019
> Jun 28 16:49:18 shadows sshd[24172]: debug: Client protocol version 1.5; client software version 1.2.20
> Jun 28 16:49:18 shadows sshd[24172]: debug: Sent 768 bit public key and 1024 bit host key.
> Jun 28 16:49:18 shadows sshd[24172]: debug: Encryption type: idea
> Jun 28 16:49:18 shadows sshd[24172]: debug: Received session key; encryption turned on.
> Jun 28 16:49:18 shadows sshd[24172]: debug: Attempting authentication for soap.
> Jun 28 16:49:18 shadows sshd[24172]: debug: Trying rhosts with RSA host authentication for soap
> Jun 28 16:49:18 shadows sshd[24172]: debug: RhostsRSA authentication failed for 'soap', remote 'soap', host 'beasty-boys.supsys.fi'.
> Jun 28 16:49:23 shadows sshd[24172]: debug: Password authentication for soap failed.
> Jun 28 16:49:23 shadows sshd[24172]: fatal: Connection closed by remote host.
> Jun 28 16:49:23 shadows sshd[24172]: debug: Calling cleanup 0x104c0(0x0)
> Jun 28 16:49:25 shadows sshd[24174]: log: Connection from 194.111.220.20 port 1018
> Jun 28 16:49:25 shadows sshd[24171]: debug: Forked child 24174.
> Jun 28 16:49:25 shadows sshd[24174]: debug: Client protocol version 1.5; client software version 1.2.19
> Jun 28 16:49:25 shadows sshd[24174]: debug: Sent 768 bit public key and 1024 bit host key.
> Jun 28 16:49:25 shadows sshd[24174]: debug: Encryption type: idea
> Jun 28 16:49:26 shadows sshd[24174]: debug: Received session key; encryption turned on.
> Jun 28 16:49:26 shadows sshd[24174]: debug: Attempting authentication for soap.
> Jun 28 16:49:26 shadows sshd[24174]: debug: Trying rhosts with RSA host authentication for soap
> Jun 28 16:49:26 shadows sshd[24174]: debug: RhostsRSA authentication failed for 'soap', remote 'soap', host 'beasty-boys.supsys.fi'.
> Jun 28 16:49:49 shadows sshd[24174]: log: Password authentication for soap accepted.
> Jun 28 16:49:49 shadows sshd[24174]: debug: Allocating pty.
> Jun 28 16:49:49 shadows sshd[24174]: debug: Forking shell.
> Jun 28 16:49:49 shadows sshd[24174]: debug: Entering interactive session.
> Jun 28 16:49:50 shadows sshd[24176]: login_getclass: unknown class '00^B'
> Jun 28 16:49:53 shadows sshd[24174]: debug: Received SIGCHLD.
> Jun 28 16:49:53 shadows sshd[24174]: debug: End of interactive session; stdin 5, stdout (read 824, sent 824), stderr 0 bytes.
> Jun 28 16:49:53 shadows sshd[24174]: debug: pty_cleanup_proc called
> Jun 28 16:49:53 shadows sshd[24174]: debug: Command exited with status 0.
> Jun 28 16:49:53 shadows sshd[24174]: debug: Received exit confirmation.
> Jun 28 16:49:53 shadows sshd[24174]: log: Closing connection to 194.111.220.20
>
> i run sshd as standalone, as suggested. fascistlogging turned on.
>
> if that's not enough, i don't know what you want. sure, it's a bit "vocal".
>
> i also have still that unknown class thing, even though both my /etc
> files and ssh are upgraded multiple times to match the rest of the system,
> since i run -current i have to do that often.
>
>
> mickey
>

From owner-freebsd-security Thu Jul 3 04:11:13 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id EAA03969 for security-outgoing; Thu, 3 Jul 1997 04:11:13 -0700 (PDT)
Received: from ns.cs.msu.su (laskavy@redsun.cs.msu.su [158.250.10.2]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA03962 for ; Thu, 3 Jul 1997 04:11:05 -0700 (PDT)
Received: (from laskavy@localhost) by ns.cs.msu.su (8.8.6/8.6.12) id PAA01774; Thu, 3 Jul 1997 15:11:19 +0400 (DST)
Date: Thu, 3 Jul 1997 15:11:19 +0400 (DST)
Message-Id: <199707031111.PAA01774@ns.cs.msu.su>
From: "Sergei S. Laskavy"
To: freebsd-security@freebsd.org
Subject: Why perl is still setuid?
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

What do you think about buffer overflows in Perl 4.x and 5.x ?

From owner-freebsd-security Thu Jul 3 08:23:49 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA14893 for security-outgoing; Thu, 3 Jul 1997 08:23:49 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id IAA14888 for ; Thu, 3 Jul 1997 08:23:44 -0700 (PDT)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 1.60 #1) id 0wjnfG-0001Br-00; Thu, 3 Jul 1997 09:19:22 -0600
To: "Sergei S. Laskavy"
Subject: Re: Why perl is still setuid?
Cc: freebsd-security@freebsd.org
In-reply-to: Your message of "Thu, 03 Jul 1997 15:11:19 +0400." <199707031111.PAA01774@ns.cs.msu.su>
References: <199707031111.PAA01774@ns.cs.msu.su>
Date: Thu, 03 Jul 1997 09:19:22 -0600
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199707031111.PAA01774@ns.cs.msu.su> "Sergei S. Laskavy" writes:
: What do you think about buffer overflows in Perl 4.x and 5.x ?

I think they are fixed. Prove me wrong :-)

Warner

From owner-freebsd-security Sat Jul 5 03:47:15 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id DAA02529 for security-outgoing; Sat, 5 Jul 1997 03:47:15 -0700 (PDT)
Received: from monoid.cs.tcd.ie (ts19-06.dublin.indigo.ie [194.125.134.156]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA02524 for ; Sat, 5 Jul 1997 03:47:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by monoid.cs.tcd.ie (8.8.5/8.8.5) with SMTP id LAA01105 for ; Sat, 5 Jul 1997 11:44:20 +0100 (BST)
Message-Id: <199707051044.LAA01105@monoid.cs.tcd.ie>
X-Authentication-Warning: monoid.cs.tcd.ie: localhost [127.0.0.1] didn't use HELO protocol
To: freebsd-security@freebsd.org
Subject: Security Model/Target for FreeBSD or 4.4?
X-Address: Department of Computer Science, Trinity College, Dublin 2, Ireland.
X-Phone: (Home)+353-(0)1-8204643 (College)+353-(0)1-7021321
X-PGP: Public Key on Request
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1100.868099458.1@monoid>
Date: Sat, 05 Jul 1997 11:44:19 +0100
From: Colman Reilly
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Does anyone have suggestions where I might find a statement of the security target or security model for FreeBSD or (since I assume the model is much the same) 4.4BSD?
Thanks,
Colman

From owner-freebsd-security Sat Jul 5 08:21:08 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA08675 for security-outgoing; Sat, 5 Jul 1997 08:21:08 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA08670 for ; Sat, 5 Jul 1997 08:21:05 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id LAA08658; Sat, 5 Jul 1997 11:17:46 -0400 (EDT)
From: Adam Shostack
Message-Id: <199707051517.LAA08658@homeport.org>
Subject: Re: Security Model/Target for FreeBSD or 4.4?
In-Reply-To: <199707051044.LAA01105@monoid.cs.tcd.ie> from Colman Reilly at "Jul 5, 97 11:44:19 am"
To: careilly@monoid.cs.tcd.ie (Colman Reilly)
Date: Sat, 5 Jul 1997 11:17:45 -0400 (EDT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Colman Reilly wrote:
| Does anyone have suggestions where I might find a statement of the security
| target or security model for FreeBSD or (since I assume the model is much
| the same) 4.4BSD?

Design and Operation of the 4.4BSD Operating System, by McKusick, Bostick, Karels, and Quarterman? 0-201-54979-4.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                                -Hume

From owner-freebsd-security Sat Jul 5 14:34:04 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA20865 for security-outgoing; Sat, 5 Jul 1997 14:34:04 -0700 (PDT)
Received: from monoid.cs.tcd.ie (ts07-10.dublin.indigo.ie [194.125.148.135]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA20859 for ; Sat, 5 Jul 1997 14:33:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by monoid.cs.tcd.ie (8.8.5/8.8.5) with SMTP id WAA24165; Sat, 5 Jul 1997 22:33:36 +0100 (BST)
Message-Id: <199707052133.WAA24165@monoid.cs.tcd.ie>
X-Authentication-Warning: monoid.cs.tcd.ie: localhost [127.0.0.1] didn't use HELO protocol
To: Adam Shostack
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security Model/Target for FreeBSD or 4.4?
X-Address: Department of Computer Science, Trinity College, Dublin 2, Ireland.
X-Phone: (Home)+353-(0)1-6765859 (College)+353-(0)1-7021321
X-PGP: Public Key on Request
In-reply-to: Message from Adam Shostack dated today at 11:17.
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <24160.868138413.1@monoid>
Content-Description: text
Date: Sat, 05 Jul 1997 22:33:34 +0100
From: Colman Reilly
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

    Colman Reilly wrote:
    | Does anyone have suggestions where I might find a statement of the security
    | target or security model for FreeBSD or (since I assume the model is much
    | the same) 4.4BSD?

    Design and Operation of the 4.4BSD Operating System, by McKusick, Bostick,
    Karels, and Quarterman? 0-201-54979-4.

I'm afraid not: the index mentions security twice. I can't find a general discussion of security issues from a design point of view: it's done on a per-bit-of-implementation basis.

I also spent a couple of hours fighting with Alta Vista looking for relevant documents and didn't find very much. Any other suggestions?
Colman

From owner-freebsd-security Sat Jul 5 16:48:24 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA25733 for security-outgoing; Sat, 5 Jul 1997 16:48:24 -0700 (PDT)
Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA25726 for ; Sat, 5 Jul 1997 16:48:18 -0700 (PDT)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.6/8.6.9) with ESMTP id QAA13616; Sat, 5 Jul 1997 16:47:44 -0700 (PDT)
To: Colman Reilly
cc: Adam Shostack , freebsd-security@FreeBSD.ORG
Subject: Re: Security Model/Target for FreeBSD or 4.4?
In-reply-to: Your message of "Sat, 05 Jul 1997 22:33:34 BST." <199707052133.WAA24165@monoid.cs.tcd.ie>
Date: Sat, 05 Jul 1997 16:47:44 -0700
Message-ID: <13612.868146464@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> I also spent a couple of hours fighting with Alta Vista looking for relevant
> documents and didn't find very much. Any other suggestions?

/usr/src? :)

Seriously, I doubt you'll find that anyone has sat down and documented this aspect of the system specifically. If you want to study the security implementation in detail, the sources remain the first and foremost resource. In fact, they probably represent the ONLY resource.

Good luck!

Jordan
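Editor's worked example for the "SSHD logging" thread above (Bryan Swann's reply and the sshd output mika ruohotie quoted). The Python below is an added example, not code from any poster, from ssh or from FreeBSD. It takes an abridged copy of the sshd lines quoted in that thread, applies classic BSD syslog.conf selector semantics to show how many of them an `auth.notice`, `auth.info` or `auth.*` entry would actually write to its file, and then correlates the per-process lines into authentication outcomes so that a password failure followed by an accepted login from the same source stands out. The mapping of the ssh 1.2.x `log:`, `debug:` and `fatal:` prefixes to the info, debug and err syslog priorities is an assumption, as is the default `auth` facility; the sample lines are copied from the thread.

```python
import re
from collections import defaultdict

# syslog(3) priorities from most to least severe; a syslog.conf selector
# "facility.level" captures that level and everything more severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumption: ssh 1.2.x sends "log:" lines at info, "debug:" at debug and
# "fatal:"/"error:" at err. Lines with any other prefix are treated as info.
PREFIX_PRIORITY = {"log": "info", "debug": "debug", "fatal": "err", "error": "err"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<prefix>\w+): (?P<msg>.*)$"
)

# Sample input: the sshd lines quoted in the thread, abridged.
SAMPLE = """\
Jun 28 16:49:07 shadows sshd[24172]: log: Connection from 194.111.220.20 port 1019
Jun 28 16:49:18 shadows sshd[24172]: debug: RhostsRSA authentication failed for 'soap', remote 'soap', host 'beasty-boys.supsys.fi'.
Jun 28 16:49:23 shadows sshd[24172]: debug: Password authentication for soap failed.
Jun 28 16:49:23 shadows sshd[24172]: fatal: Connection closed by remote host.
Jun 28 16:49:25 shadows sshd[24174]: log: Connection from 194.111.220.20 port 1018
Jun 28 16:49:26 shadows sshd[24174]: debug: RhostsRSA authentication failed for 'soap', remote 'soap', host 'beasty-boys.supsys.fi'.
Jun 28 16:49:49 shadows sshd[24174]: log: Password authentication for soap accepted.
Jun 28 16:49:53 shadows sshd[24174]: log: Closing connection to 194.111.220.20
""".splitlines()


def selector_matches(selector, facility, priority):
    """True if a classic BSD syslog.conf selector ('auth.info', 'auth.*',
    '*.err', 'auth.none') captures a message with this facility/priority."""
    fac, _, level = selector.partition(".")
    if fac not in ("*", facility):
        return False
    if level == "*":
        return True
    if level == "none":
        return False
    return PRIORITIES.index(priority) <= PRIORITIES.index(level)


def parse_line(line):
    """Split one sshd syslog line into fields, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["priority"] = PREFIX_PRIORITY.get(rec["prefix"], "info")
    return rec


def kept_by_selector(lines, selector, facility="auth"):
    """Lines that a syslog.conf entry with this selector would write out."""
    return [ln for ln in lines
            if (rec := parse_line(ln))
            and selector_matches(selector, facility, rec["priority"])]


def summarize_auth(lines):
    """Correlate per-process lines into (source_ip, user, method, outcome).
    The peer address only appears on the 'Connection from' line, so it is
    remembered per sshd pid and attached to that pid's later events."""
    source, events = {}, []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        pid, msg = rec["pid"], rec["msg"]
        if m := re.match(r"Connection from (\S+) port \d+", msg):
            source[pid] = m.group(1)
        elif m := re.match(r"Password authentication for (\S+) (accepted|failed)\.", msg):
            events.append((source.get(pid, "?"), m.group(1), "password", m.group(2)))
        elif m := re.match(r"RhostsRSA authentication failed for '([^']+)'", msg):
            events.append((source.get(pid, "?"), m.group(1), "rhosts-rsa", "failed"))
    return events


def password_failures_before_success(events):
    """(ip, user, n): n password failures from one source preceded an
    accepted login. RhostsRSA failures are ignored because the client just
    moves on to a password when rhosts-RSA is refused."""
    failed, flagged = defaultdict(int), []
    for ip, user, method, outcome in events:
        if method != "password":
            continue
        if outcome == "failed":
            failed[(ip, user)] += 1
        elif failed[(ip, user)]:
            flagged.append((ip, user, failed[(ip, user)]))
    return flagged


if __name__ == "__main__":
    for sel in ("auth.notice", "auth.info", "auth.*"):
        print(f"{sel:12s} keeps {len(kept_by_selector(SAMPLE, sel))} of {len(SAMPLE)} lines")
    print(password_failures_before_success(summarize_auth(SAMPLE)))
```

On the sample, an `auth.notice` entry (the level Bryan Swann's telnet and ftp daemons use) keeps only the `fatal:` line, `auth.info` keeps the connection, accepted-login and close lines, and only `auth.*` (what mika ruohotie configured) keeps the `debug:` lines that carry the password failure. Check the actual priority mapping against the ssh version you run before relying on it.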