From owner-freebsd-security Sun Jan 14 0:12: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from spammie.svbug.com (unknown [198.79.110.2]) by hub.freebsd.org (Postfix) with ESMTP id BF12D37B400; Sun, 14 Jan 2001 00:11:49 -0800 (PST)
Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id AAA00707; Sun, 14 Jan 2001 00:11:15 -0800 (PST) (envelope-from jessem@spammie.svbug.com)
Message-Id: <200101140811.AAA00707@spammie.svbug.com>
Date: Sun, 14 Jan 2001 00:11:14 -0800 (PST)
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: Re: Building a local network on switches (ANTISNIFFER measures)
To: wes@softweyr.com
Cc: sthaug@nethelp.no, matrix@ipform.ru, questions@FreeBSD.ORG, security@FreeBSD.ORG
In-Reply-To: <3A56AD06.BDD770B0@softweyr.com>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 5 Jan, Wes Peters wrote:
> sthaug@nethelp.no wrote:
>>
>> > Somebody said that there is a way to fool it by flooding it with weird
>> > arpa entries and the switch will fall back into hub mode. I wonder if it
>> > is true for all hubs and if I can use a non-SNMP-controllable hub.
>>
>> Think about how a hub works (or for that matter a switch). It has a
>> MAC address table of a certain finite size. If you send packets with
>> a MAC address which is not in the address table, the packet must be
>> transmitted on all ports (except the one it arrived on).
>
> Except some managed switches allow you to specify certain MAC addresses
> that are allowed on a given port. Packets received from other MAC
> addresses are dropped.
>
Yes, 3Com Ethernet switched hubs offer this. However, most admins I've
run into kill that feature. One co-lo we were in started dropping packets
for no reason. So ourselves and others would ping the outside world just
to keep our servers from getting dropped. Yes, they were 3Com.

Getting back to the question about ANTI-sniffer measures. Good hackers
usually go for the weakest link. If SNMP routers and hubs have passwords
and don't get set to 'public', they will go after other boxes.

I suggest if you are running a co-lo or something with many servers, set
up a sacrificial lamb. A 486 box with minimal settings is good, maybe even
with jail. If you give them an easy target, they will usually go for it.
In other words, make it a target.

Jessem.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jan 14 0:44:35 2001
Date: Sat, 13 Jan 2001 23:31:18 -0800
From: "Crist J. Clark"
To: Frank Tobin
Subject: Re: opinions on password policies
Message-ID: <20010113233118.L97980@rfx-64-6-211-149.users.reflexco>
Reply-To: cjclark@alum.mit.edu
References: <20010113165021.I97980@rfx-64-6-211-149.users.reflexco>
In-Reply-To: ; from ftobin@uiuc.edu on Sat, Jan 13, 2001 at 11:24:36PM -0600

On Sat, Jan 13, 2001 at 11:24:36PM -0600, Frank Tobin wrote:
> Crist J. Clark, at 16:50 -0800 on Sat, 13 Jan 2001, wrote:
>
> I am not sure I understand your argument here. In your system, how does
> the _user_ authenticate himself? Biometrics? HW token? Smart card?
> Really, no passwords?
>
> Public-key authentications exist in such implementations as ssh RSA
> authentication. In general, they involve the user signing or decrypting
> certain data.

Humans do not do public key cryptography, computers do. At least, I know
few humans who could remember a cryptographically strong public key. At
least I can't remember something like,

153577658214885982509493316841098473892501830956676294035988312022114505660826045244490395172085104588411442247269415386765186973514047249009914161471637107944525338519920746658247945778928907782278534009232496672474969492175492146365230659408831159099408128303250608450538695130852047344349476932104716348461

And the private key... Well, I wouldn't want to post something like that,
and I wouldn't want to memorize it. The question arises, how do you
protect the keys? With passwords of course.

Where did the original poster say anything about network logins? So, back
to my original question, how does the _user_ authenticate himself when he
sits down at the workstation? Biometrics? HW token? Smart card? Really, no
passwords?

> Peter Chiu is correct in stating that there is a central point of
> vulnerability when it comes to using public key authentication.
> Of course, the user is under no obligation to use the same keypair for all
> systems used. Also, the decision of how many sites the user uses a
> particular keypair for, and whether or not to encrypt the keypair locally
> is entirely up to the user (a good thing).
>
> One key idea is to leave the strength of the security as much up to the
> user as possible. With passwords, however, the user has to worry about
> both ends being compromised (his end, and the server's end);

Again, who said anything about network logins?

> if the
> server is compromised, and his password gotten, this might be used against
> him other places. With public-key authentication, he only has to worry
> about his end; if the server's end is compromised, the user's security is
> compromised little.

This has nothing to do with the question originally asked about choosing
good passwords. If a server is compromised, a good password is stolen just
as easily as a bad one.

--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Sun Jan 14 0:56:55 2001
Message-Id: <200101140856.AAA00746@spammie.svbug.com>
Date: Sun, 14 Jan 2001 00:56:23 -0800 (PST)
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: Re: Antisniffer measures (digest of posts)
To: wes@softweyr.com
Cc: rwatson@FreeBSD.ORG, matrix@ipform.ru, security@FreeBSD.ORG, questions@FreeBSD.ORG
In-Reply-To: <3A58080E.335DEC57@softweyr.com>

On 6 Jan, Wes Peters wrote:
> Robert Watson wrote:
>>
>> > Or just provide us with a really good telnet-over-SSL client.
>
> An excellent summary, Robert.
>
Yes, Robert, it's so good it keeps me from having to jump in. ;->

Jessem.

From owner-freebsd-security Sun Jan 14 1:49:53 2001
Message-Id: <200101140949.BAA00822@spammie.svbug.com>
Date: Sun, 14 Jan 2001 01:49:24 -0800 (PST)
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: Re: (no subject)
To: ftobin@uiuc.edu
Cc: freebsd-security@FreeBSD.ORG

On 14 Jan, Frank Tobin wrote:
> Crist J. Clark, at 16:50 -0800 on Sat, 13 Jan 2001, wrote:
>
> I am not sure I understand your argument here. In your system, how does
> the _user_ authenticate himself? Biometrics? HW token? Smart card?
> Really, no passwords?
>
> ...[Trimmed]....
>
> One key idea is to leave the strength of the security as much up to the
> user as possible. With passwords, however, the user has to worry about
> both ends being compromised (his end, and the server's end); if the
> server is compromised, and his password gotten, this might be used against
> him other places. With public-key authentication, he only has to worry
> about his end; if the server's end is compromised, the user's security is
> compromised little.
>
The concept you present, "leave the strength.. up to the user..", is sound.
As a matter of fact, one security concept worth noting is, "the person
damaged - should be the person responsible".

However, your argument for PKA shows a flaw in assuming that PKA offers
some type of protection if the server is compromised. If the server is
compromised, then *any* scenario must make certain assumptions. Hence,
the man-in-the-middle scenarios/attacks.

I should also state that arguments on this level are nothing more than
vicious circles. Even a deep analysis will lead back to other weaknesses.
That is, weaknesses not associated with PKA, SSH or the client/server.

Best Regards,
Jessem.
From owner-freebsd-security Sun Jan 14 3:58:52 2001
Date: Sun, 14 Jan 2001 03:58:21 -0800
From: Steve Reid
To: Frank Tobin
Cc: Dru, security@FreeBSD.ORG
Subject: Re: opinions on password policies
Message-ID: <20010114035821.A79825@grok.bc.hsia.telus.net>
In-Reply-To: ; from Frank Tobin on Sat, Jan 13, 2001 at 05:35:51PM -0600

On Sat, Jan 13, 2001 at 05:35:51PM -0600, Frank Tobin wrote:
> If forced to remember another password, most users (including myself)
> will often re-use a password they use at another place.

If you let a user pick a password, nine times out of ten they will pick a
word or name, and if you're lucky they might append a single digit or
"123". If you just enforce that it be random-looking then it is likely
that you will have users picking passwords that only _look_ random but
aren't actually very hard to guess. For example, some combination of
initials and DoB or anniversary.

Compounding the matter, many people like to discuss their innovative
password selection techniques with others, to show off their cleverness.
They feel safe in doing so because they think that their password is
effectively unguessable (they wouldn't have chosen it otherwise).

I have been guilty of all of the above at one time or another. In fact,
I'm about to commit that last one right now... :)

I prefer to assign passwords. Generate a random password and then you know
exactly how much entropy is there, and that users aren't just re-using a
password from somewhere else.

Of course, nobody wants to go to the trouble of memorizing a random
eight-character alphanumeric string. So, users are instructed to write
down the password on a small slip of paper.

"But what happens if they lose that slip of paper?", I hear you ask.
They are instructed to keep it in their wallet, where it is no more likely
to go missing than their driver's licence or their bank card, and in the
event of a theft the cash and credit cards are more interesting than a
slip of paper. IMHO it's the lesser of several evils.

It doesn't prevent lusers from memorizing that strong, randomly generated
password and using it for everything, thus defeating the whole purpose. Or
accidentally entering their password at the wrong system (although having
to read it from a slip of paper may make that less likely). Or sticking
the slip of paper to their monitor for all to read. But, I don't think
there is any enforceable password policy that can prevent those things.
Two-pronged "what you have" plus "what you know" authentication is a
better approach, but for now most of us are stuck with just passwords.

P.S. A few years ago I was bringing in a server for install at a
colocation. All of the machines there were stored in locked, air
conditioned cabinets. But the doors were made of glass, so I could see all
of the machines as I walked by. On several of them I saw masking tape or
yellow post-it notes bearing account names and passwords, including at
least one where the account name was "root". There was even one with
step-by-step instructions to login via telnet.

From owner-freebsd-security Sun Jan 14 4:48:29 2001
Message-ID: <00f001c07e28$5cc6d4e0$95fdf2c8@nirvana>
From: "Roberto Samarone Araujo (RSA)"
Subject: Something strange in a 4.2 FreeBSD Box
Date: Sun, 14 Jan 2001 09:48:56 -0300

Hi,

Every week I need to reboot my FreeBSD 4.2 machine; I noticed that it only
works for seven days. At a random hour on the seventh day, it blocks. I
really don't know what is happening, but I looked at the logs and this
message appeared:

Jan 13 18:06:23 soure /kernel: swap_pager_getswapspace: failed

Does anyone know what is happening and how can I fix it?

Thanks,

Roberto Samarone Araujo

From owner-freebsd-security Sun Jan 14 7:39:20 2001
Message-Id: <200101141538.HAA01453@spammie.svbug.com>
Date: Sun, 14 Jan 2001 07:38:46 -0800 (PST)
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: Re: Something strange in a 4.2 FreeBSD Box
To: sama@supridad.com.br
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <00f001c07e28$5cc6d4e0$95fdf2c8@nirvana>

On 14 Jan, Roberto Samarone Araujo (RSA) wrote:
> Hi,
>
> Every week I need to reboot my FreeBSD 4.2 machine; I noticed
> that it only works for seven days. At a random hour on the seventh day, it
> blocks. I really don't know what is happening, but I looked at the logs and this
> message appeared:
>
> Jan 13 18:06:23 soure /kernel:
> swap_pager_getswapspace: failed
>
> Does anyone know what is happening and how can I fix it?
>
It looks like you either ran out of swap space or your hard drive is
failing around your swap space. Or the controller or driver is being flaky.

Could you post more information on your system? Maybe someone else has
some solid ideas. Specifically, use dmesg(8) and pstat(8).

Jessem.
From owner-freebsd-security Sun Jan 14 8:50:19 2001
Date: Sun, 14 Jan 2001 17:50:23 +0100
From: Tobias Roth
Subject: Re: Something strange in a 4.2 FreeBSD Box
In-reply-to: <200101141538.HAA01453@spammie.svbug.com>; from opentrax@email.com on Sun, Jan 14, 2001 at 07:38:46AM -0800
To: freebsd-security@freebsd.org
Message-id: <20010114175023.A7680@arp.unibe.ch>
References: <00f001c07e28$5cc6d4e0$95fdf2c8@nirvana> <200101141538.HAA01453@spammie.svbug.com>

> On 14 Jan, Roberto Samarone Araujo (RSA) wrote:
> >
> > Every week I need to reboot my FreeBSD 4.2 machine; I noticed
> > that it only works for seven days. At a random hour on the seventh day, it
> > blocks. I really don't know what is happening, but I looked at the logs and this
> > message appeared:
> >
> > Jan 13 18:06:23 soure /kernel:
> > swap_pager_getswapspace: failed
> >
> > Does anyone know what is happening and how can I fix it?
> >
> It looks like you either ran out of swap space or
> your hard drive is failing around your swap space.
> Or the controller or driver is being flaky.
>
> Could you post more information on your system?
> Maybe someone else has some solid ideas.
> Specifically use dmesg(8) and pstat(8).

Could you please NOT post more information on your system?
In case you haven't noticed, this is freebsd-security and not
freebsd-questions. Thank you for not asking or answering questions that
are not related to security.
greets, Tobe

From owner-freebsd-security Sun Jan 14 17:54:51 2001
Message-ID: <3A62595C.909E0873@esec.com.au>
Date: Mon, 15 Jan 2001 12:58:52 +1100
From: Sam Wun
Organization: eSec Limited
To: opentrax@email.com
Cc: sama@supridad.com.br, freebsd-security@FreeBSD.ORG
Subject: Re: Something strange in a 4.2 FreeBSD Box
References: <200101141538.HAA01453@spammie.svbug.com>

And df would do.

opentrax@email.com wrote:
> On 14 Jan, Roberto Samarone Araujo (RSA) wrote:
> > Hi,
> >
> > Every week I need to reboot my FreeBSD 4.2 machine; I noticed
> > that it only works for seven days. At a random hour on the seventh day, it
> > blocks. I really don't know what is happening, but I looked at the logs and this
> > message appeared:
> >
> > Jan 13 18:06:23 soure /kernel:
> > swap_pager_getswapspace: failed
> >
> > Does anyone know what is happening and how can I fix it?
> >
> It looks like you either ran out of swap space or
> your hard drive is failing around your swap space.
> Or the controller or driver is being flaky.
>
> Could you post more information on your system?
> Maybe someone else has some solid ideas.
> Specifically use dmesg(8) and pstat(8).
>

From owner-freebsd-security Sun Jan 14 21:14:26 2001
Date: Sun, 14 Jan 2001 21:14:05 -0800
From: Brooks Davis
To: David Andreas Alderud
Cc: _Security
Subject: Re: Encrypted networked filesystem needed
Message-ID: <20010114211405.A10193@Odin.AC.HMC.Edu>
References: <003e01c07db6$fac4b850$6400a8c0@xgod>
In-Reply-To: <003e01c07db6$fac4b850$6400a8c0@xgod>; from aaldv97@student.vxu.se on Sun, Jan 14, 2001 at 12:17:20AM +0100

[Please wrap lines to < 80 columns.]

On Sun, Jan 14, 2001 at 12:17:20AM +0100, David Andreas Alderud wrote:
> It might be a good idea to take a look at NIS+ if you want to use NFS,
> there are still some problems but considering how simple it is to
> use NIS+ it's really good, NIS+ removes most of the problems with DNS.
> The reasons for using NIS+ are mainly because it's designed to work
> with NFS, both coming from Sun Microsystems.

The sad fact is that if you can't trust your wire, you can't trust NIS+.
It's vulnerable to even the lamest man in the middle attack. The basic
problem is that SecureRPC (on which NIS+ is based) doesn't validate the
body of the packet, just the headers. For example, it's quite trivial to
write a man in the middle attack that turns any valid user into a user
with an arbitrary user id (perhaps zero ;-) and a known password if you
use NIS+ for logins.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
From owner-freebsd-security Sun Jan 14 22:43:58 2001
Message-Id: <200101150643.WAA02381@spammie.svbug.com>
Date: Sun, 14 Jan 2001 22:43:32 -0800 (PST)
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: Re: Something strange in a 4.2 FreeBSD Box
To: roth@iamexwi.unibe.ch
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20010114175023.A7680@arp.unibe.ch>

On 14 Jan, Tobias Roth wrote:
>> On 14 Jan, Roberto Samarone Araujo (RSA) wrote:
>> >
>> > Every week I need to reboot my FreeBSD 4.2 machine; I noticed
>> > that it only works for seven days. At a random hour on the seventh day, it
>> > blocks. I really don't know what is happening, but I looked at the logs and this
>> > message appeared:
>> >
>> > Jan 13 18:06:23 soure /kernel:
>> > swap_pager_getswapspace: failed
>> >
>> > Does anyone know what is happening and how can I fix it?
>> >
>> It looks like you either ran out of swap space or
>> your hard drive is failing around your swap space.
>> Or the controller or driver is being flaky.
>>
>> Could you post more information on your system?
>> Maybe someone else has some solid ideas.
>> Specifically use dmesg(8) and pstat(8).
>
> Could you please NOT post more information on your system?
> In case you haven't noticed, this is freebsd-security and not freebsd-questions.
> Thank you for not asking or answering questions that are not related to security.
> greets, Tobe
>
If I recall right, the user mentioned some security concerns, but perhaps
you're right that the user does not have enough valid information for a
security concern. How do we make the distinction in the future? Do you
have some suggestions?

Jessem.
From owner-freebsd-security Mon Jan 15 8:46:45 2001
Message-Id: <4.3.2.7.0.20010115175220.00acae90@mail.gammanet.pl>
Date: Mon, 15 Jan 2001 17:54:03 +0100
To: freebsd-security@FreeBSD.ORG
From: Tomasz Stryczynski
Subject: ipfilter

Hello

I am looking for some good pages about how to configure ipfilter.
Can anybody help me?

Tomasz Stryczynski
tomek@gammanet.pl

From owner-freebsd-security Mon Jan 15 8:52:34 2001
From: Maxime Henrion
Date: Mon, 15 Jan 2001 17:52:15 +0100
To: Tomasz Stryczynski
Cc: freebsd-security@freebsd.org
Subject: Re: ipfilter
Message-ID: <20010115175215.C579@nebula.cybercable.fr>
In-Reply-To: <4.3.2.7.0.20010115175220.00acae90@mail.gammanet.pl>; from tomek@gammanet.pl on Mon, Jan 15, 2001 at 05:54:03PM +0100

Tomasz Stryczynski wrote:
> Hello
>
> I am looking for some good pages about how to configure ipfilter.
> Can anybody help me?
> Tomasz Stryczynski
> tomek@gammanet.pl

The most famous HOWTO is the one on www.obfuscation.org/ipf.

Good luck !

Maxime

--
Don't be fooled by cheap Finnish imitations ; BSD is the One True Code
Key fingerprint = F9B6 1D5A 4963 331C 88FC CA6A AB50 1EF2 8CBE 99D6
Public Key : http://www.epita.fr/~henrio_m/

From owner-freebsd-security Mon Jan 15 8:55:19 2001
Date: Mon, 15 Jan 2001 09:54:39 -0700 (MST)
From: "Travis [Admin Team]"
To: Tomasz Stryczynski
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfilter
In-Reply-To: <4.3.2.7.0.20010115175220.00acae90@mail.gammanet.pl>

On Mon, 15 Jan 2001, Tomasz Stryczynski wrote:
> I am looking for some good pages about how to configure ipfilter.
> Can anybody help me?
> Tomasz Stryczynski
> tomek@gammanet.pl

http://infovat.rapidnet.com/ipf-howto.txt

Travis

/* -=[ Travis Ogden ]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   RapidNet Admin Team           "Courage is not defined by those who
   Phone#: 605.341.3283           fought and did not fall, but by those
   ICQ#: 30220771                 who fought, fell, and rose again."
   Mail: traviso@RapidNet.com
   Fax#: 605.348.1031             Web: www.RapidNet.com/~traviso
   800#: 800.763.2525
   ATTENTION! "RapidNet has moved to 330 Knollwood Drive, Rapid City, SD 57701."
   -=-=-=-=-=-=-=-=-=-=-=-=-=-[ traviso@rapidnet.com ]=-=-=-=-= */

From owner-freebsd-security Mon Jan 15 10:31:52 2001
Date: Mon, 15 Jan 2001 12:30:18 -0600 (CST)
From: David Talkington
Subject: Re: opinions on password policies
In-Reply-To: <20010114035821.A79825@grok.bc.hsia.telus.net>

Steve Reid wrote:
>On Sat, Jan 13, 2001 at 05:35:51PM -0600, Frank Tobin wrote:
>> If forced to remember another password, most users (including myself)
>> will often re-use a password they use at another place.
>
>If you let a user pick a password, nine times out of ten they will pick
>a word or name, and if you're lucky they might append a single digit or
>"123".

>Of course, nobody wants to go to the trouble of memorizing a random
>eight-character alphanumeric string. So, users are instructed to write
>down the password on a small slip of paper.

One interesting technique is the one I picked up from Martin Wolske, and
it addresses all the above issues. Pick a very long phrase or sentence,
unrelated to you personally, and with lots of punctuation, but that you
won't forget. Now choose 8 or 10 characters from it at random, and write
down their positions (say, the first, fourth, 14th, 20th, 19th, 31st, 10th,
8th, 39th). Now, as long as the original phrase is sufficiently long and
unguessable:

1) it can be a common phrase in your native language;
2) you can reuse it safely for much longer than a single password;
3) you can write the keys down anywhere you like -- 1,4,14,20,19,31,10,8,39
   means nothing to anyone but you;
4) you can pick a different one for each system, and post it right on
   your monitor.

An intruder would probably have to brute-force your password on several
systems before he or she could piece together the original phrase (like
Wheel Of Fortune =), by which time the wise administrator has already
moved on to a different phrase.
Of course, the convenience of this scheme depends on your ability to quickly count character positions in your head ... - -d - -- David Talkington Prairienet dtalk@prairienet.org 217-244-1962 PGP key: http://www.prairienet.org/~dtalk/dt000823.asc -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 Comment: Made with pgp4pine 1.75-6 iQEVAwUBOmNBvr1ZYOtSwT+tAQFwSwf+JTdkprhPHDm561umxzgZ7HBXbc7Ibs3N wcyXL0Y00ZsXylczMCDJcFqvL2Vmk9WWui4qw4r5mj3irsAcdjYCxK4qukR46yxB rvun/hKcyhp+W30VjQaE+SDzm5pxxMMIbtfzv8IAdlbusaEpRHSWK6289UPYr5IL SPlmT50+n/lnIIC0sH3m4eauwYWPTAgzSbO/4UE60LcZAb5aMnqWFYM6dGrTfkLk dF7X0DWjfrpzAi9vcfvFrzHxI+qKiCOFAxzUySnn2UnmF2Q8w+J3QpR4ZxZNqyNa YqF/a65W2jl2GMbNKlK1J+uy0DAxWBciSM/JjnFbyDRCuucyoI9Ckw== =p81s -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 15 10:46:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from devnull.xpert.com (xpert.com [199.203.132.1]) by hub.freebsd.org (Postfix) with ESMTP id 70A4E37B400 for ; Mon, 15 Jan 2001 10:46:15 -0800 (PST) Received: from exchange.xpert.com ([199.203.132.115]) by devnull.xpert.com with esmtp (Exim 3.01 #1) id 14IEdk-00050m-00 for freebsd-security@FreeBSD.ORG; Mon, 15 Jan 2001 20:46:00 +0200 Received: by exchange.xpert.com with Internet Mail Service (5.5.2650.21) id ; Mon, 15 Jan 2001 20:45:51 +0200 Message-ID: <00BF97DD9F3FD311AB860060084E50DD782F24@exchange.xpert.com> From: Yonatan Bokovza To: freebsd-security@FreeBSD.ORG Subject: FW: ICMP fragmentation required but DF set problems. Date: Mon, 15 Jan 2001 20:45:49 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hey, This was just up on BugTraq. Can anyone add information to the topic? -----Original Message----- 
From: antirez [mailto:antirez@INVECE.ORG]
Sent: Monday, January 15, 2001 8:16 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ICMP fragmentation required but DF set problems.

Hi all,

The problem I'm exposing is quite obvious, but unfortunately can be used in a very simple way by script kiddies.

SYNOPSIS

It's possible to slow down (a lot) connections between two arbitrary hosts (but at least one with PMTU discovery enabled) using some spoofed TCP/IP packets. Maybe you can do more against some TCP/IP stacks.

AFFECTED SYSTEMS

I tried it a bit against some sites; it seems that at least Linux and some BSDs are vulnerable. Anyway it is quite probable that almost all TCP/IP stacks with PMTU discovery enabled are vulnerable.

SOLUTION

There isn't a clear solution.

CREDITS

(!) me

DETAILS

(When I talk about "the stack" I'm referring to the Linux 2.4 TCP/IP stack)

Path MTU discovery is used to optimize TCP/IP performance. Sorry if you don't know how it works, no flood for readers. Anyway the stack keeps a hash table with the MTU of the other ends. When an ICMP frag-req but DF set reaches the stack it performs a look-up in the hash table, searching for the old MTU, then looks at the size of the quoted packet in the ICMP packet, and computes the new MTU (strong simplification). The look-up is done using even the TOS field, since different TOS may have different routing (I guess that is why).

The players:

A - some host that talks or will talk with the host B
B - some host that talks or will talk with the host A
C - the attacker, able to spoof IP packets

C: sends an ICMP echo request, with some data, the source address set to A and the dest address set to B.
B: creates a new entry in the hash table, if there isn't an old one.
C: sends an ICMP fragmentation needed but DF set, with the source address set to A and the dest address set to B, quoting the ICMP echo-reply response that we can guess (set the right TOS (usually 0x40) if you want this to work).
B: sets the new MTU in relation to the quoted packet's total length.

You may want to send these packets once every second, just to avoid expiry. This may be useful if the TCP MSS option overrides the MTU (it shouldn't, but some implementations may do this); otherwise you can send even fewer spoofed packets. Note that it shouldn't be necessary to quote a packet that was really sent in this scenario.

EXPLOIT

Please, write the exploit just to confirm this, don't ship it to lame people. I don't want to release my proof-of-concept code.

That's all, can someone confirm this?

regards,
antirez

--
Salvatore Sanfilippo | http://www.kyuzz.org/antirez | PGP: finger antirez@tella.alicom.com

From owner-freebsd-security Mon Jan 15 10:52:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id DFB8837B401 for ; Mon, 15 Jan 2001 10:52:21 -0800 (PST)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id MAA80498; Mon, 15 Jan 2001 12:51:21 -0300 (ART)
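The "fragmentation needed but DF set" scenario in the forwarded post above, seen from the receiving host's side, as an added example that is not part of the post or of any stack's code: it builds the ICMP type 3 code 4 message (next-hop MTU in bytes 6-7 of the ICMP header per RFC 1191, followed by the quoted IP header plus 8 bytes per RFC 792), parses the fields a PMTU cache keys on, and applies a few heuristics that distinguish a router's genuine report from the guessable echo-reply-quoting forgery the post describes. The addresses, MTU values, quoted datagrams and the 576-byte floor are constructed or chosen for the demonstration, not taken from the post.

```python
"""Added example (not from the forwarded post): parse ICMP 'fragmentation
needed but DF set' messages and flag the forgeable pattern described above.
Addresses, MTU values and the quoted datagrams are constructed for the demo."""
import socket
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, CODE_FRAG_NEEDED = 0, 3, 4


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, tos: int = 0) -> bytes:
    """20-byte IPv4 header, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def frag_needed(reporter: str, victim: str, mtu: int, quoted: bytes) -> bytes:
    """ICMP type 3 code 4: RFC 1191 carries the next-hop MTU in bytes 6-7 of the
    ICMP header; the quoted original IP header + 8 bytes (RFC 792) follow it."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, mtu) + quoted[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(reporter, victim, IPPROTO_ICMP, len(body)) + body


def parse_frag_needed(pkt: bytes):
    """Fields a PMTU implementation keys on, or None if this is not frag-needed."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, _len, _id, _ff, _ttl, proto, _cs, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    icmp = pkt[(ver_ihl & 0x0F) * 4:]
    if proto != IPPROTO_ICMP or len(icmp) < 8 + 28:
        return None
    itype, code, _cs, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH or code != CODE_FRAG_NEEDED:
        return None
    inner = icmp[8:]
    i_ver_ihl, i_tos, _l, _i, _f, _t, i_proto, _c, i_src, i_dst = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    i_ihl = (i_ver_ihl & 0x0F) * 4
    return {"reporter": socket.inet_ntoa(src), "victim": socket.inet_ntoa(dst), "mtu": mtu,
            "quoted_src": socket.inet_ntoa(i_src), "quoted_dst": socket.inet_ntoa(i_dst),
            "quoted_tos": i_tos, "quoted_proto": i_proto, "quoted_first8": inner[i_ihl:i_ihl + 8]}


def assess_frag_needed(pkt: bytes, local_addrs, mtu_floor: int = 576) -> list:
    """Heuristic reasons not to let this message shrink the PMTU cache; an empty
    list means nothing looked wrong. mtu_floor is a local policy choice."""
    info = parse_frag_needed(pkt)
    if info is None:
        return ["not an ICMP fragmentation-needed message"]
    reasons = []
    if info["quoted_src"] not in local_addrs:
        reasons.append("quoted datagram was not sent by this host")
    if info["mtu"] < mtu_floor:
        reasons.append("next-hop MTU %d is below the floor of %d" % (info["mtu"], mtu_floor))
    if info["quoted_proto"] == IPPROTO_ICMP and info["quoted_first8"][:1] == bytes([ICMP_ECHO_REPLY]):
        reasons.append("quoted datagram is an ICMP echo reply, which an off-path sender can guess")
    if info["reporter"] == info["quoted_dst"]:
        reasons.append("sender is the far-end host itself rather than a router on the path")
    return reasons


# Constructed sample traffic. A genuine report: a router on the path tells us one of
# our 1500-byte TCP segments to the peer does not fit a 1400-byte hop.
OURS, PEER, ROUTER = "192.0.2.10", "198.51.100.7", "10.0.0.1"
_tcp_segment = ipv4_header(OURS, PEER, IPPROTO_TCP, 1480) + struct.pack("!HHI", 443, 51000, 0x1234)
LEGIT = frag_needed(ROUTER, OURS, 1400, _tcp_segment)
# The post's scenario: C spoofs A's address, quotes the echo reply B sent to A
# (TOS 0x40 as in the post), and claims a 68-byte next hop.
_echo_reply = ipv4_header(OURS, PEER, IPPROTO_ICMP, 64, tos=0x40) + struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, 1, 1)
SPOOFED = frag_needed(PEER, OURS, 68, _echo_reply)

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, parse_frag_needed(pkt)["mtu"], assess_frag_needed(pkt, {OURS}) or "ok")
```

The checks are heuristics rather than proof: a host behind NAT will fail the "sent by this host" test, and `ping -D` can legitimately produce a frag-needed that quotes an echo datagram. The combination that fires on the constructed forgery (tiny MTU, quoted echo reply, sender equal to the quoted destination) is what an operator would alert on or use to refuse the PMTU update.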
From: Fernando Schapachnik
Message-Id: <200101151551.MAA80498@ns1.via-net-works.net.ar>
Subject: Re: Proposed modification to ftpd
In-Reply-To: <200101131727.SAA23176@feder.pps.de> "from Peter Ross at Jan 13, 2001 06:27:27 pm"
To: Peter Ross
Date: Mon, 15 Jan 2001 12:51:21 -0300 (ART)
Cc: security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just for the record:

a) No, it doesn't solve my problems since I need htdocs and log directories in each chrooted environment.

b) My modifications are NOT going to happen because:

> Let me clarify this -- the existing ftpd we have is going away in favor
> of the much improved LukeM/NetBSD one (which also gives us more code
> sharing). I will import it around Feb 10th.
>
> --
> -- David (obrien@FreeBSD.org)

Regards.

In an earlier message, Peter Ross wrote:
> Hello,
>
> next week I have to change an ftp server.
>
> I read the thread starting with the message from
> Fernando Schapachnik on Fri, 29 Dec 2000
> 13:29:45 -0300 (ART)

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

From owner-freebsd-security Mon Jan 15 11:43:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cx175057-a.ocnsd1.sdca.home.com (cx175057-a.ocnsd1.sdca.home.com [24.13.23.40]) by hub.freebsd.org (Postfix) with ESMTP id 389DE37B402 for ; Mon, 15 Jan 2001 11:43:32 -0800 (PST)
Received: from localhost (bri@localhost) by cx175057-a.ocnsd1.sdca.home.com (8.11.1/8.11.1) with ESMTP id f0FJhYb01739; Mon, 15 Jan 2001 11:43:34 -0800 (PST) (envelope-from bri@cx175057-a.ocnsd1.sdca.home.com)
Date: Mon, 15 Jan 2001 11:41:50 -0800 (PST)
From: Brian To: David Talkington Cc: security@FreeBSD.ORG Subject: Re: opinions on password policies In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Don't you need to do special stuff on some unix flavors to allow more than 8 characters?? Bri On Mon, 15 Jan 2001, David Talkington wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > Steve Reid wrote: > >On Sat, Jan 13, 2001 at 05:35:51PM -0600, Frank Tobin wrote: > >> If forced to remember another password, most users (including myself) > >> will often re-use a password they use at another place. > > > >If you let a user pick a password, nine times out of ten they will pick > >a word or name, and if you're lucky they might append a single digit or > >"123". > >Of course, nobody wants to go to the trouble of memorizing a random > >eight-character alphanumeric string. So, users are instructed to write > >down the password on a small slip of paper. > > One interesting technique is the one I picked up from Martin Wolske, > and it addressess all the above issues. Pick a very long phrase or > sentence, unrelated to you personally, and with lots of punctuation, > but that you won't forget. Now choose 8 or 10 characters from it at > random, and write down their positions (say, the first, fourth, 14th, > 20th, 19th, 31st, 10th, 8th, 39th). > > Now, as long as the original phrase is sufficiently long and > unguessable: 1) it can be a common phrase in your native language; 2) > you can reuse it safely for much longer than a single password; 3) you > can write the keys down anywhere you like -- 1,4,14,20,19,31,10,8,39 > means nothing to anyone but you; 4) you can pick a different one for > each system, and post it right on your monitor. 
> > An intruder would probably have to brute-force your password on > several systems before he or she could piece together the original > phrase (like Wheel Of Fortune =), by which time the wise administrator > has already moved on to a different phrase. > > Of course, the convenience of this scheme depends on your ability to > quickly count character positions in your head ... > > - -d > > - -- > David Talkington > Prairienet > dtalk@prairienet.org > 217-244-1962 > > PGP key: http://www.prairienet.org/~dtalk/dt000823.asc > > > -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.8 > Comment: Made with pgp4pine 1.75-6 > > iQEVAwUBOmNBvr1ZYOtSwT+tAQFwSwf+JTdkprhPHDm561umxzgZ7HBXbc7Ibs3N > wcyXL0Y00ZsXylczMCDJcFqvL2Vmk9WWui4qw4r5mj3irsAcdjYCxK4qukR46yxB > rvun/hKcyhp+W30VjQaE+SDzm5pxxMMIbtfzv8IAdlbusaEpRHSWK6289UPYr5IL > SPlmT50+n/lnIIC0sH3m4eauwYWPTAgzSbO/4UE60LcZAb5aMnqWFYM6dGrTfkLk > dF7X0DWjfrpzAi9vcfvFrzHxI+qKiCOFAxzUySnn2UnmF2Q8w+J3QpR4ZxZNqyNa > YqF/a65W2jl2GMbNKlK1J+uy0DAxWBciSM/JjnFbyDRCuucyoI9Ckw== > =p81s > -----END PGP SIGNATURE----- > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 15 12: 2: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from netau1.alcanet.com.au (ntp.alcanet.com.au [203.62.196.27]) by hub.freebsd.org (Postfix) with ESMTP id 54E6137B401 for ; Mon, 15 Jan 2001 12:01:42 -0800 (PST) Received: from mfg1.cim.alcatel.com.au (mfg1.cim.alcatel.com.au [139.188.23.1]) by netau1.alcanet.com.au (8.9.3 (PHNE_22672)/8.9.3) with ESMTP id HAA21600; Tue, 16 Jan 2001 07:01:28 +1100 (EDT) Received: from gsmx07.alcatel.com.au by cim.alcatel.com.au (PMDF V5.2-32 #37641) with ESMTP id <01JYYSN863N4EMXTR7@cim.alcatel.com.au>; Tue, 16 Jan 2001 07:01:31 +1100 Received: (from jeremyp@localhost) by gsmx07.alcatel.com.au 
(8.11.0/8.11.0) id f0FK1OA37841; Tue, 16 Jan 2001 07:01:24 +1100 (EST envelope-from jeremyp)
Content-return: prohibited
Date: Tue, 16 Jan 2001 07:01:24 +1100
From: Peter Jeremy
Subject: Re: opinions on password policies
In-reply-to: ; from bri@cx175057-a.ocnsd1.sdca.home.com on Mon, Jan 15, 2001 at 11:41:50AM -0800
To: Brian
Cc: David Talkington , security@FreeBSD.ORG
Mail-followup-to: Brian , David Talkington , security@FreeBSD.ORG
Message-id: <20010116070124.D91029@gsmx07.alcatel.com.au>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2001-Jan-15 11:41:50 -0800, Brian wrote:
>Don't you need to do special stuff on some unix flavors to allow more than
>8 characters??

The `standard' for DES passwords is to allow you to enter long passwords and just truncate them to 8 characters. As long as the entered password is consistently truncated, it doesn't matter that you are remembering a longer password.

Peter

From owner-freebsd-security Mon Jan 15 12:16:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 9E82537B402 for ; Mon, 15 Jan 2001 12:16:27 -0800 (PST)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1483 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Mon, 15 Jan 2001 14:14:56 -0600 (CST) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Mon, 15 Jan 2001 14:14:54 -0600 (CST)
From: James Wyatt
To: Peter Jeremy
Cc: Brian , David Talkington , security@FreeBSD.ORG
Subject: Re: opinions on password policies
In-Reply-To: <20010116070124.D91029@gsmx07.alcatel.com.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 16 Jan 2001, Peter Jeremy wrote:
> On 2001-Jan-15 11:41:50 -0800, Brian wrote:
> >Don't you need to do special stuff on some unix flavors to allow more than
> >8 characters??
>
> The `standard' for DES passwords is to allow you to enter long
> passwords and just truncate them to 8 characters. As long as
> the entered password is consistently truncated, it doesn't matter
> that you are remembering a longer password.

Sometimes I wish it warned folks. I had a user that had "Welcome2Elvis" for the Sun server named Elvis, "Welcome2Tigger" for the NEC box named Tigger, etc... They really had the same password for all machines when they thought they were unique - and they needed to be.

- Jy@

From owner-freebsd-security Mon Jan 15 12:22: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from booyaa.hq.netapp.com (nat-198-95-226-227.netapp.com [198.95.226.227]) by hub.freebsd.org (Postfix) with ESMTP id 04B0137B402 for ; Mon, 15 Jan 2001 12:21:45 -0800 (PST)
Received: (from dtm@localhost) by booyaa.hq.netapp.com (8.11.1/8.11.1) id f0FKL3Q33282; Mon, 15 Jan 2001 12:21:03 -0800 (PST) (envelope-from dtm@foobox.net)
X-Authentication-Warning: booyaa.hq.netapp.com: dtm set sender to dtm@foobox.net using -f
To: tomek@gammanet.pl
Cc: security@FreeBSD.ORG
Subject: Re: ipfilter
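The passphrase-position scheme David Talkington describes earlier in this thread, together with the 8-character DES crypt(3) truncation Peter Jeremy explains and James Wyatt's "Welcome2Elvis"/"Welcome2Tigger" anecdote, as an added example that is not code from any poster: it derives one password per system from a memorised phrase and a written-down list of positions, then reports which of those passwords collapse to the same 56-bit DES key, which is the warning James wishes the systems had given. The phrase, position lists and host names are constructed for the demonstration.

```python
"""Added example for the password-policy thread: derive per-system passwords
from one long phrase plus a list of character positions, then check what
traditional DES crypt(3) would actually keep of them. Not code from any
poster; the phrase, position lists and host names are constructed."""


def derive_password(phrase: str, positions) -> str:
    """Pick the characters at the given 1-based positions of `phrase`
    (the scheme from the thread: the phrase is memorised, the positions
    are what you may write down)."""
    if any(p < 1 or p > len(phrase) for p in positions):
        raise ValueError("position outside the phrase")
    return "".join(phrase[p - 1] for p in positions)


def des_crypt_key(password: str) -> bytes:
    """The part of a password traditional DES crypt(3) uses: the first eight
    characters, low seven bits of each (a 56-bit DES key). Anything past
    the eighth character is silently ignored, without a warning."""
    return bytes(ord(c) & 0x7F for c in password[:8])


def truncation_collisions(passwords):
    """Group passwords that look different but hash identically under DES crypt."""
    groups = {}
    for pw in passwords:
        groups.setdefault(des_crypt_key(pw), []).append(pw)
    return [g for g in groups.values() if len(g) > 1]


def check_per_system(phrase: str, positions_by_system: dict):
    """Derive a password per system and report any that collapse to the same
    DES key. Returns (derived passwords, collision groups)."""
    derived = {name: derive_password(phrase, pos) for name, pos in positions_by_system.items()}
    return derived, truncation_collisions(derived.values())


# Constructed sample: a long phrase with punctuation and four position lists.
# "mail" and "www" differ only in the ninth position, which DES crypt never sees.
PHRASE = "The quick brown fox jumps over the lazy dog; it was not amused!"
SYSTEM_KEYS = {
    "elvis":  [5, 11, 17, 21, 27, 32, 36, 46],
    "tigger": [5, 11, 17, 21, 27, 32, 36, 47],
    "mail":   [5, 11, 17, 21, 27, 32, 36, 44, 46],
    "www":    [5, 11, 17, 21, 27, 32, 36, 44, 47],
}

if __name__ == "__main__":
    derived, collisions = check_per_system(PHRASE, SYSTEM_KEYS)
    for name, pw in derived.items():
        print("%-7s %-10s DES key %s" % (name, pw, des_crypt_key(pw).hex()))
    for group in collisions:
        print("WARNING: identical under DES crypt:", ", ".join(group))
    # The thread's "Welcome2Elvis"/"Welcome2Tigger" case collapses the same way.
    print(truncation_collisions(["Welcome2Elvis", "Welcome2Tigger"]))
```

The practical rule this enforces: under DES crypt, per-system variation has to happen inside the first eight characters, so either keep the position list to eight entries or make sure the lists differ somewhere in those first eight. Later crypt formats (MD5-based and onward) hash the whole password and do not have this limit.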
From: Duane T Mun
Date: 15 Jan 2001 12:21:03 -0800
In-Reply-To: Tomasz Stryczynski's message of "Mon, 15 Jan 2001 17:54:03 +0100"
Lines: 14
User-Agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "TS" == Tomasz Stryczynski writes:

TS> I am looking for some good pages about how to configure
TS> ipfilter. Can anybody help me?

The IP Filter WWW site:
http://coombs.anu.edu.au/~avalon/ip-filter.html

A good introduction to IP Filter:
http://www.obfuscation.org/ipf/

--
dtm

From owner-freebsd-security Mon Jan 15 14:30:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 8DEDD37B400; Mon, 15 Jan 2001 14:29:56 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:01.openssh
Reply-To: security-advisories@freebsd.org
Message-Id: <20010115222956.8DEDD37B400@hub.freebsd.org>
Date: Mon, 15 Jan 2001 14:29:56 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:01                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Hostile server OpenSSH agent/X11 forwarding

Category:       core/ports
Module:         openssh
Announced:      2001-01-15
Credits:        Markus Friedl
Affects:        FreeBSD 4.1.1-STABLE prior to the correction date
                Ports collection prior to the correction date
Corrected:      2000-11-14
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

OpenSSH is an implementation of the SSH1 and SSH2 secure shell protocols for providing encrypted and authenticated network access, which is available free for unrestricted use. Versions of OpenSSH are included in the FreeBSD ports collection and the FreeBSD base system.

II.  Problem Description

To quote the OpenSSH Advisory:

If agent or X11 forwarding is disabled in the ssh client configuration, the client does not request these features during session setup. This is the correct behaviour. However, when the ssh client receives an actual request asking for access to the ssh-agent, the client fails to check whether this feature has been negotiated during session setup. The client does not check whether the request is in compliance with the client configuration and grants access to the ssh-agent. A similar problem exists in the X11 forwarding implementation.

All versions of FreeBSD 4.x prior to the correction date including FreeBSD 4.1 and 4.1.1 are vulnerable to this problem, but it was corrected prior to the release of FreeBSD 4.2. For users of FreeBSD 3.x, OpenSSH is not installed by default, but is part of the FreeBSD ports collection.

The base system and ports collections shipped with FreeBSD 4.2 do not contain this problem since it was discovered before the release.

III. Impact

Hostile SSH servers can access your X11 display or your ssh-agent when connected to, which may allow access to confidential data or other network accounts, through snooping of password or keying material through the X11 session, or reuse of the SSH credentials obtained through the SSH agent.

IV.  Workaround

Clear both the $DISPLAY and $SSH_AUTH_SOCK variables before connecting to untrusted hosts. For example, in Bourne shell syntax:

% unset SSH_AUTH_SOCK; unset DISPLAY; ssh host

V.   Solution

Upgrade the vulnerable system to 4.1.1-STABLE or 4.2-STABLE after the correction date, or patch your current system source code and rebuild.

To patch your present system: download the patch from the below location and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:01/openssh.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:01/openssh.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/crypto/openssh
# patch < /path/to/openssh.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

[Ports collection]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/security/openssh-2.2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/security/openssh-2.2.0.tgz NOTE: Due to an oversight the package version was not updated after the security fix was applied, so be sure to install a package created after the correction date. 3) download a new port skeleton for the OpenSSH port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOmN6RFUuHi5z0oilAQGAUAQAllC+FmvfYpmP6gQqO+xB6UIZsK0GQsAM WRCOiULMLBD4kHJkYVJUQmSyK5jPxEVkwILX3jE9qZhB65alW20L965mQS/DjM5p bj0itnwTy1DL6dul15vWBfCJKxL/A0SrgVv+hnDwHx3YU4x0re/1bNU3gVa8bT1K Nnu2/m1wmpU= =MAzv -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 15 14:31: 4 2001 Delivered-To: 
freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id F316B37B402; Mon, 15 Jan 2001 14:30:30 -0800 (PST) 
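The client-side decision FreeBSD-SA-01:01 above describes, reduced to a model so the vulnerable and fixed behaviour can be compared, as an added example that is not OpenSSH's code: a hostile server opens the agent and X11 channels towards the client; the vulnerable handler only asks whether the local resource exists, the fixed handler also requires that forwarding was negotiated at session setup; and the advisory's workaround (no SSH_AUTH_SOCK, no DISPLAY in the environment) is shown to protect even an unpatched client. The channel type names follow RFC 4254 and OpenSSH; the environment values and configuration are constructed.

```python
"""Added example modelling the check FreeBSD-SA-01:01 describes. Not OpenSSH's
code: the client's handling of a server-initiated channel open is reduced to
the one decision the advisory is about."""

# Channel types a server opens towards the client for the two forwards (RFC 4254 / OpenSSH).
AGENT_CHANNEL = "auth-agent@openssh.com"
X11_CHANNEL = "x11"


class ClientSession:
    def __init__(self, forward_agent: bool, forward_x11: bool, environ: dict):
        # What this client asked for during session setup; driven by its ssh_config.
        self.negotiated = {AGENT_CHANNEL: forward_agent, X11_CHANNEL: forward_x11}
        # What the client could reach locally if it accepted the channel.
        self.available = {AGENT_CHANNEL: "SSH_AUTH_SOCK" in environ,
                          X11_CHANNEL: "DISPLAY" in environ}

    def accept_channel_vulnerable(self, channel_type: str) -> bool:
        # The flaw: only asks whether the local resource exists, never whether
        # forwarding was requested, so the server can help itself to it.
        return self.available.get(channel_type, False)

    def accept_channel_fixed(self, channel_type: str) -> bool:
        # Refuse anything that was not negotiated, regardless of what is available.
        return self.negotiated.get(channel_type, False) and self.available.get(channel_type, False)


def hostile_server(session: ClientSession, patched: bool) -> dict:
    """A hostile server tries to open both channels; return what it gets."""
    accept = session.accept_channel_fixed if patched else session.accept_channel_vulnerable
    return {ch: accept(ch) for ch in (AGENT_CHANNEL, X11_CHANNEL)}


def workaround_env(environ: dict) -> dict:
    """The advisory's workaround: drop SSH_AUTH_SOCK and DISPLAY before running ssh."""
    return {k: v for k, v in environ.items() if k not in ("SSH_AUTH_SOCK", "DISPLAY")}


def outcomes() -> dict:
    # Constructed environment of a user with a running agent and an X display,
    # whose ssh_config says ForwardAgent no / ForwardX11 no.
    env = {"SSH_AUTH_SOCK": "/tmp/ssh-abc123/agent.4242", "DISPLAY": ":0", "HOME": "/home/user"}
    cfg_off = dict(forward_agent=False, forward_x11=False)
    return {
        "unpatched": hostile_server(ClientSession(environ=env, **cfg_off), patched=False),
        "patched": hostile_server(ClientSession(environ=env, **cfg_off), patched=True),
        "unpatched_with_workaround": hostile_server(
            ClientSession(environ=workaround_env(env), **cfg_off), patched=False),
    }


if __name__ == "__main__":
    for case, result in outcomes().items():
        print("%-26s %s" % (case, result))
```

The point the model makes is the one the advisory makes: with the unpatched client, `ForwardAgent no` in the configuration changes nothing, because the check that would honour it is missing, so the only defence short of patching is to make sure there is no agent socket or display for the client to hand over.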
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:02.syslog-ng
Reply-To: security-advisories@freebsd.org
Message-Id: <20010115223030.F316B37B402@hub.freebsd.org>
Date: Mon, 15 Jan 2001 14:30:30 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:02                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          syslog-ng remote denial-of-service

Category:       ports
Module:         syslog-ng
Announced:      2001-01-15
Credits:        Balazs Scheidler
Affects:        Ports collection prior to the correction date.
Corrected:      2000-11-25
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

syslog-ng is a replacement for the standard syslogd daemon, a service for logging of local and remote system messages.

II.  Problem Description

The syslog-ng port, versions prior to 1.4.9, contains a remote vulnerability. Due to incorrect log parsing, remote users may cause syslog-ng to crash, causing a denial-of-service if the daemon is not running under a watchdog process which will automatically restart it in the event of failure.

The syslog-ng port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains nearly 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Malicious remote attackers may cause syslog-ng to crash, causing a denial-of-service if the daemon is not running under a watchdog process which will automatically restart it in the event of failure. The default installation of the port/package is therefore vulnerable to this problem.

If you have not ch

osen to install the syslog-ng port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the syslog-ng port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the syslog-ng port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/sysutils/syslog-ng-1.4.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/sysutils/syslog-ng-1.4.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/sysutils/syslog-ng-1.4.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/sysutils/syslog-ng-1.4.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/sysutils/syslog-ng-1.4.10.tgz

3) download a new port skeleton for the syslog-ng port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOmN6R1UuHi5z0oilAQGfWgP/Yd6fjKCernj84HSuHgdXCxT3g27VFub6 9k62GJ1wiwz8S3v4zvx1C1xbhE+pgBv+EuBe8SEp0R2BtKC/RdcrWAwYtxvqA/6d yknNjwBSJ2yvkZMzeG2pZXsy6TG8n6lIiEp0aCWqOsSn5FgykXg1YfAXiJ1Mo0Gu aNKBcOEMCag= =0IjM -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 15 14:31:51 2001 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id C334037B400; Mon, 15 Jan 2001 14:31:17 -0800 (PST) 
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:03.bash1
Reply-To: security-advisories@freebsd.org
Message-Id: <20010115223117.C334037B400@hub.freebsd.org>
Date: Mon, 15 Jan 2001 14:31:17 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:03                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          bash1 creates insecure temporary files

Category:       ports
Module:         bash1
Announced:      2001-01-15
Affects:        Ports collection prior to the correction date.
Corrected:      2000-11-29
Credits:        Various
FreeBSD only:   NO

I.   Background

bash is an enhanced Bourne-like shell.

II.  Problem Description

The bash port, versions prior to the correction date, creates insecure temporary files when the '<<' operator is used, by using a predictable filename based on the process ID of the shell. An attacker can exploit this vulnerability to overwrite an arbitrary file writable by the user running the shell.

The contents of the file are overwritten with the text being entered using the '<<' operator, so it will usually not be under the control of the attacker. Therefore the likely impact of this vulnerability is a denial of service since the attacker can cause critical files writable by the user to be overwritten. It is unlikely, although possible depending on the circumstances in which the '<<' operator is used, that the attacker could exploit the vulnerability to gain privileges (this typically requires that they have control over the contents the target file is overwritten with).

This is the same vulnerability as that described in advisory 00:76 relating to the tcsh/csh shells.

The bash1 port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains nearly 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 are vulnerable to this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Unprivileged local users can cause an arbitrary file writable by a victim to be overwritten when the victim invokes the '<<' operator in bash1 (e.g. from within a shell script).

If you have not chosen to install the bash1 port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the bash1 port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the bash1 port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/shells/bash-1.14.7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/shells/bash-1.14.7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/shells/bash-1.14.7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/shells/bash-1.14.7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/shells/bash-1.14.7.tgz

NOTE: Due to an oversight the package version was not updated after the security fix was applied, so be sure to install a package created after the correction date.

3) download a new port skeleton for the bash1 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOmN6SVUuHi5z0oilAQERhgQAqW3ZEBCxXC2lZvqypspSwjPdc6kU3eQm gUNMdrk6BZX2Pj8t8q+xK9rHasyXw2fkPeZ93EvBHhOa4p5l5UARhCllNS628LAJ Vk3zalfHKtZIO1bCq16R5NpyQ1zh+QB9mPnl9q8KINyO0gEUtq0n3LKgr7yr74tN 2TC9j+g5GhU= =RLhf -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 15 14:32:52 2001 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 127B437B6B9; Mon, 15 Jan 2001 14:31:45 -0800 (PST) 
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:04.joe Reply-To: security-advisories@freebsd.org Message-Id: <20010115223145.127B437B6B9@hub.freebsd.org> Date: Mon, 15 Jan 2001 14:31:45 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:04 Security Advisory FreeBSD, Inc. Topic: joe creates insecure recovery files Category: ports Module: joe Announced: 2001-01-15 Credits: Christer Öberg and Patrik Birgersson, of Wkit Security AB Affects: Ports collection prior to the correction date. Corrected: 2000-12-12 Vendor status: Updated version released FreeBSD only: NO I. Background joe is a text editor. II. Problem Description The joe port, versions prior to 2.8_2, contains a local vulnerability: if a joe session with an unsaved file terminates abnormally, joe creates a rescue copy of the file called ``DEADJOE'' in the same directory as the file being edited. The creation of this copy is made without checking if the file is a symbolic link. If the file is a link, joe will append the contents of the unsaved file to the linked file: therefore if the joe editor is run on a private file in a public directory such as /tmp, an attacker can access the contents of the edited file by causing it to be appended to a world-writable file owned by the attacker if the joe process terminates abnormally. The joe port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains nearly 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases. 
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Malicious local users, under certain restricted conditions, may obtain
read access to non-readable files edited using the joe editor.

If you have not chosen to install the joe port/package, then your system
is not vulnerable to this problem.

IV.  Workaround

Deinstall the joe port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the joe port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/editors/joe-2.8_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/editors/joe-2.8_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/editors/joe-2.8_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/editors/joe-2.8_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/editors/joe-2.8_2.tgz

3) download a new port skeleton for the joe port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
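The DEADJOE behaviour described in this advisory, as an added example that is not part of the advisory and not joe's own code: the open(2) flag combination that follows a planted symlink, beside a hardened variant that refuses a symlink at the final path component and only appends to a regular file the caller owns. The attacker's layout is constructed in a private temporary directory (a "victim" file standing in for the attacker-owned file, and a DEADJOE symlink pointing at it), so it runs on any POSIX system; the directory name, file names, sizes and function names are the example's own assumptions. The same open-without-O_NOFOLLOW pattern is what the exmh /tmp/exmhErrorMsg report later in this digest describes.

```c
#define _DEFAULT_SOURCE 1
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: O_CREAT|O_APPEND without O_NOFOLLOW
 * follows a symlink planted at the rescue-file path, so the unsaved buffer
 * is appended to whatever the link points at. */
int open_rescue_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Hardened variant: never traverse a symlink at the final component; append
 * only to a regular file we own with no other hard links; if nothing is
 * there, create it with O_EXCL so a link cannot be raced into place. */
int open_rescue_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd >= 0) {
        struct stat st;
        if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) ||
            st.st_uid != getuid() || st.st_nlink != 1) {
            close(fd);
            errno = EPERM;
            return -1;
        }
        return fd;
    }
    if (errno != ENOENT)
        return -1;      /* ELOOP (EMLINK on older FreeBSD): a symlink was there */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_APPEND | O_NOFOLLOW, 0600);
}

struct demo_result {
    off_t victim_after_unsafe;  /* link target's size after the unsafe append */
    off_t victim_after_safe;    /* its size after the hardened open was tried */
    int   safe_refused;         /* 1 if the hardened open rejected the symlink */
    int   fresh_created;        /* 1 if the hardened open created a new file */
};

static off_t file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Write n bytes to fd and close it; -1 if fd is invalid or anything fails. */
static int write_all(int fd, const char *s, size_t n)
{
    return (fd >= 0 && write(fd, s, n) == (ssize_t)n && close(fd) == 0) ? 0 : -1;
}

/* Constructed scenario in a private temp dir (assumption: /tmp is writable):
 * "victim" plays the attacker-owned file, and a symlink named DEADJOE points
 * at it, as an attacker would arrange in a shared /tmp.  Returns 0 on success. */
int run_deadjoe_demo(struct demo_result *r)
{
    char dir[] = "/tmp/deadjoe-demo.XXXXXX";
    char victim[128], link[128], fresh[128];
    const char secret[] = "secret\n";          /* 7 bytes */
    const char buffer[] = "unsaved buffer\n";  /* 15 bytes */
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/DEADJOE", dir);
    snprintf(fresh, sizeof fresh, "%s/DEADJOE.fresh", dir);

    if (write_all(open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600),
                  secret, sizeof secret - 1) != 0 || symlink(victim, link) != 0)
        return -1;

    /* Unsafe: the "rescue copy" lands in the victim file. */
    if (write_all(open_rescue_unsafe(link), buffer, sizeof buffer - 1) != 0)
        return -1;
    r->victim_after_unsafe = file_size(victim);

    /* Hardened: the symlink is rejected and nothing is written. */
    fd = open_rescue_safe(link);
    r->safe_refused = (fd < 0);
    if (fd >= 0)
        close(fd);
    r->victim_after_safe = file_size(victim);

    /* The hardened path still works when no file exists yet. */
    r->fresh_created = (write_all(open_rescue_safe(fresh), buffer, sizeof buffer - 1) == 0);

    unlink(fresh);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_deadjoe_demo(&r) != 0) {
        perror("deadjoe demo");
        return 1;
    }
    printf("victim after unsafe append: %lld bytes (was 7)\n", (long long)r.victim_after_unsafe);
    printf("hardened open refused symlink: %s; victim now %lld bytes\n",
           r.safe_refused ? "yes" : "no", (long long)r.victim_after_safe);
    printf("hardened open created a fresh rescue file: %s\n", r.fresh_created ? "yes" : "no");
    return 0;
}
```

Compile with `cc -o deadjoe deadjoe.c` and run it: the unsafe open grows the victim from 7 to 22 bytes, while the hardened open fails on the symlink and leaves the victim untouched. Note that O_EXCL on first creation, together with O_NOFOLLOW, is what closes the race; checking with lstat(2) and then calling open(2) would still lose to an attacker who swaps a link in between the two calls.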
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOmN6S1UuHi5z0oilAQGiyAP+I8VOR5J8ThxuinRuGlwI9sIRImmMRxfd
oHYJFWQRoNfQTSdE6Q+ushjqJNPL7JrU8PZjSL/6wE89CVGeZL+70/wTz8HU9Ihi
8j8y98Fo+NvkBgpaLz5Ypo7Wpi3rZiEPzKTmfByk6CjVuwUc5k13aswcIg3TcZh0
TZuJFzhBxm8=
=baNZ
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jan 15 14:33:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id E668837B698; Mon, 15 Jan 2001 14:32:09 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:05.stunnel
Reply-To: security-advisories@freebsd.org
Message-Id: <20010115223209.E668837B698@hub.freebsd.org>
Date: Mon, 15 Jan 2001 14:32:09 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:05                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          stunnel contains potential remote compromise

Category:       ports
Module:         stunnel
Announced:      2001-01-15
Credits:        Lez, Brian Hatch
Affects:        Ports collection prior to the correction date.
Corrected:      2000-12-20
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

stunnel is an SSL encryption wrapper for network services.

II.  Problem Description

The stunnel port, versions prior to 3.9, contains a vulnerability which
could allow remote compromise. When debugging is turned on (using the
-d 7 option), stunnel will perform identd queries of remote connections,
and the username returned by the remote identd server is written to the
log file. Due to incorrect usage of syslog(), a malicious remote user who
can manipulate their identd username can take advantage of
string-formatting operators to execute arbitrary code on the local
system as the user running stunnel, often the root user.

The stunnel port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 4500 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain
this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Malicious remote users may execute arbitrary code on the local system as
the user running stunnel using stunnel, under certain circumstances.

If you have not chosen to install the stunnel port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the stunnel port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the stunnel port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/stunnel-3.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/stunnel-3.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/security/stunnel-3.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/stunnel-3.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/security/stunnel-3.10.tgz

3) download a new port skeleton for the stunnel port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
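The syslog() misuse this advisory describes, as an added example that is not stunnel's own code: a small RFC 1413 reply parser feeding a logging call, first in the vulnerable shape (the identd user-id passed as the format string) and then with the fix (a literal format and the user-id as a %s argument). The identd replies are constructed samples, syslog(3) is replaced by a vsnprintf-based stand-in so the example runs and can be inspected without a log daemon, and all function names are the example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed RFC 1413 identd replies (not real captures).  The final field,
 * the user-id, is whatever the remote identd chooses to send; the hostile one
 * carries printf conversions, as in the attack the advisory describes. */
const char IDENT_REPLY_BENIGN[]  = "443 , 40123 : USERID : UNIX : alice\r\n";
const char IDENT_REPLY_HOSTILE[] = "443 , 40123 : USERID : UNIX : %x%x%x%n\r\n";

/* Extract the user-id from a USERID reply: everything after the third ':',
 * with surrounding blanks and the trailing CRLF removed.  Returns 0 on
 * success, -1 if the line is not a USERID response. */
int ident_userid(const char *reply, char *out, size_t outlen)
{
    const char *p = reply;
    size_t n;

    if (strstr(reply, ": USERID :") == NULL)
        return -1;
    for (int colons = 0; colons < 3; colons++) {
        p = strchr(p, ':');
        if (p == NULL)
            return -1;
        p++;
    }
    while (*p == ' ' || *p == '\t')
        p++;
    n = strlen(p);
    while (n > 0 && strchr(" \t\r\n", p[n - 1]) != NULL)
        n--;
    if (n >= outlen)
        n = outlen - 1;          /* truncate; RFC 1413 allows up to 512 octets */
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Stand-in for syslog(3): formats the way syslog would, into a buffer, so
 * the example runs without a log daemon.  The format attribute gives it the
 * same compiler checking that syslog() itself gets. */
static char last_log[256];

__attribute__((format(printf, 1, 2)))
static void fake_syslog(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* The bug class in the advisory: the attacker's string IS the format string.
 * "%x" leaks stack words into the log and "%n" writes through a pointer it
 * finds there.  Compiled for contrast only; never called with hostile input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
void log_ident_vulnerable(const char *user)
{
    fake_syslog(user);
}
#pragma GCC diagnostic pop

/* The fix: a literal format string; the untrusted value is only ever an
 * argument to %s, so conversions inside it are inert bytes. */
void log_ident_safe(const char *user)
{
    fake_syslog("identd reports remote user %s", user);
}

/* Parse a reply and log it the safe way; returns the resulting log line,
 * or NULL if the reply was not a USERID response. */
const char *log_ident_reply(const char *reply)
{
    char user[64];
    if (ident_userid(reply, user, sizeof user) != 0)
        return NULL;
    log_ident_safe(user);
    return last_log;
}

int main(void)
{
    printf("%s\n", log_ident_reply(IDENT_REPLY_BENIGN));
    printf("%s\n", log_ident_reply(IDENT_REPLY_HOSTILE));
    return 0;
}
```

The vulnerable function is compiled but never called: with "%x%x%x%n" as its format it would read whatever sits in the variadic argument slots and, via %n, write a byte count through one of them, which is the code-execution primitive the advisory warns about. Modern compilers flag the pattern under -Wformat-security (the pragma above is there only so the contrast still builds cleanly); building with -Werror=format-security turns the finding into a hard error.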
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOmN6T1UuHi5z0oilAQGFYwP/TLc1mxrH+2H7XhW/srJraZwtQn33z66t
1xASiaxefICPgnFvXHZoTMpkJI5ow2SFyLjUE2jG1MW2e5iu6fl7AeYIYNT1BF2t
cqr6LRS92Srant5YbFqoBaTUuJtjw61T0P+dcjHfMCJAHVtihoQk8Ngw2YoX0KfV
5ReEYZPh530=
=okQ9
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jan 15 14:34:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 49D2D37B69F; Mon, 15 Jan 2001 14:32:37 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:06.zope
Reply-To: security-advisories@freebsd.org
Message-Id: <20010115223237.49D2D37B69F@hub.freebsd.org>
Date: Mon, 15 Jan 2001 14:32:37 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:06                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          zope vulnerability allows escalation of privileges

Category:       ports
Module:         zope
Announced:      2001-01-15
Credits:        Erik Enge
Affects:        Ports collection prior to the correction date.
Corrected:      2000-12-20
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

zope is an object-based dynamic web application platform.

II.  Problem Description

The zope port, versions prior to 2.2.4, contains a vulnerability due to
the computation of local roles not climbing the correct hierarchy of
folders, sometimes granting local roles inappropriately. This may allow
users with privileges in one folder to gain the same privileges in
another folder.

The zope port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
nearly 4500 third-party applications in a ready-to-install format. The
ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this
problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Zope users with privileges in one folder may be able to gain the same
privileges in other folders.

If you have not chosen to install the zope port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the zope port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the zope port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/zope-2.2.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/zope-2.2.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/zope-2.2.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/zope-2.2.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/zope-2.2.4.tgz

3) download a new port skeleton for the zope port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.

The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOmN6UVUuHi5z0oilAQGVdAP/TPreDK7sB21+F5wO6KAWKBZe4NZIRAlt
aajsBSTmpCYGtQ1dbsIeMUtTYOzdR8FKO0CPYfZbl1cjGljW3HpWIus0ildznNeA
LznyYR9fwoSNU0Vh9xtqZ3OolCGw+GY98Wg55RcgToDDxeNnT4ZSGZnf4zdwQw9S
QbDfN6Br1oM=
=c035
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jan 15 21:10:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ducky.nz.freebsd.org (ns1.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id 137EC37B400 for ; Mon, 15 Jan 2001 21:09:56 -0800 (PST)
Received: from wocker (wocker.int.nz.freebsd.org [192.168.0.99]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with ESMTP id SAA57754 for ; Tue, 16 Jan 2001 18:09:53 +1300 (NZDT)
Message-Id: <200101160509.SAA57754@ducky.nz.freebsd.org>
From: "Dan Langille"
Organization: The FreeBSD Diary / FreshPorts
To: security@freebsd.org
Date: Tue, 16 Jan 2001 18:09:51 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:01.openssh
Reply-To: dan@langille.org
In-reply-to: <20010115222956.8DEDD37B400@hub.freebsd.org>
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 15 Jan 2001, at 14:29, FreeBSD Security Advisories wrote:

> [Ports collection]
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the OpenSSH port.
>
> 2) Deinstall the old package and install a new package dated after the
> correction date, obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/security/openssh-2.2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/security/openssh-2.2.0.tgz

I have not checked the other files, but

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0.tgz

is not available.
-- 
Dan Langille
The FreeBSD Diary - http://freebsddiary.org/
FreshPorts - http://freshports.org/
NZ Broadband - http://unixathome.org/broadband/

From owner-freebsd-security Mon Jan 15 21:18: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 8B51A37B400 for ; Mon, 15 Jan 2001 21:17:46 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id f0G5L1K99462; Mon, 15 Jan 2001 21:21:01 -0800 (PST) (envelope-from kris)
Date: Mon, 15 Jan 2001 21:21:01 -0800
From: Kris Kennaway
To: Dan Langille
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:01.openssh
Message-ID: <20010115212100.A78870@citusc17.usc.edu>
References: <20010115222956.8DEDD37B400@hub.freebsd.org> <200101160509.SAA57754@ducky.nz.freebsd.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="liOOAslEiF7prFVr"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200101160509.SAA57754@ducky.nz.freebsd.org>; from dan@langille.org on Tue, Jan 16, 2001 at 06:09:51PM +1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--liOOAslEiF7prFVr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, Jan 16, 2001 at 06:09:51PM +1300, Dan Langille wrote:
> On 15 Jan 2001, at 14:29, FreeBSD Security Advisories wrote:
>
> > [Ports collection]
> >
> > One of the following:
> >
> > 1) Upgrade your entire ports collection and rebuild the OpenSSH port.
> >
> > 2) Deinstall the old package and install a new package dated after the
> > correction date, obtained from:
> >
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/security/openssh-2.2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/security/openssh-2.2.0.tgz
>
> I have not checked the other files, but
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0.tgz
>
> is not available.

Oops. That's probably because the port refuses to build on >=4.0 since
it's already in the base system.
Kris

--liOOAslEiF7prFVr
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjpj2jwACgkQWry0BWjoQKWAMACbBa+Fi1twTb63SVMWgFhgfpeF
aOsAn2UhHZpayq3ScqQt3GC0Aog3EU++
=erG5
-----END PGP SIGNATURE-----

--liOOAslEiF7prFVr--

From owner-freebsd-security Mon Jan 15 22:40:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 994DC37B400 for ; Mon, 15 Jan 2001 22:40:14 -0800 (PST)
Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Mon, 15 Jan 2001 22:38:29 -0800
Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.1/8.11.0) id f0G6eCL51275; Mon, 15 Jan 2001 22:40:12 -0800 (PST) (envelope-from cjc)
Date: Mon, 15 Jan 2001 22:40:11 -0800
From: "Crist J. Clark"
To: Yonatan Bokovza
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FW: ICMP fragmentation required but DF set problems.
Message-ID: <20010115224011.G97980@rfx-64-6-211-149.users.reflexco>
Reply-To: cjclark@alum.mit.edu
References: <00BF97DD9F3FD311AB860060084E50DD782F24@exchange.xpert.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <00BF97DD9F3FD311AB860060084E50DD782F24@exchange.xpert.com>; from Yonatan@xpert.com on Mon, Jan 15, 2001 at 08:45:49PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 15, 2001 at 08:45:49PM +0200, Yonatan Bokovza wrote:
> hey,
> This was just up on BugTraq. Can anyone add information
> to the topic?

There are much more interesting attacks available to anyone who cares
to try. I haven't read the PMTU discovery RFCs for a while. Can't say
if this attack is practical on an RFC-compliant IP stack or if there
are ways to defend against it without breaking the RFCs. If you are
paranoid, you can turn off PMTU discovery,

  # sysctl -w net.inet.tcp.path_mtu_discovery=0

-- 
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Mon Jan 15 23: 5:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.uni-bielefeld.de (mail2.uni-bielefeld.de [129.70.4.90]) by hub.freebsd.org (Postfix) with ESMTP id 8077137B400; Mon, 15 Jan 2001 23:04:40 -0800 (PST)
Received: from hermes.hrz.uni-bielefeld.de (hermes.hrz.uni-bielefeld.de [129.70.4.55]) by mail.uni-bielefeld.de (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0G78005PLUBQCW@mail.uni-bielefeld.de>; Tue, 16 Jan 2001 08:04:38 +0100 (MET)
Received: from hermes.hrz.uni-bielefeld.de (lkoeller@localhost) by hermes.hrz.uni-bielefeld.de (8.8.6 (PHNE_17135)/8.8.6) with ESMTP id IAA22365; Tue, 16 Jan 2001 08:04:34 +0100 (MET)
Date: Tue, 16 Jan 2001 08:04:34 +0100
From: Lars Köller
X-Face: eCcoCV}FjV*O{6>[1$XP/e%]TJhEw2MF33dFh)^HM7Gfd=[/(4+0a$~
MIME-version: 1.0
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
Content-type: MULTIPART/MIXED; BOUNDARY="Boundary_(ID_xDstRF5eItDzZq6wnE0/mg)"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a multipart MIME message.

--Boundary_(ID_xDstRF5eItDzZq6wnE0/mg)
Content-type: text/plain; charset=iso-8859-1

--------

Hello!

As the maintainer for exmh2 on the FreeBSD ports collection I would
inform you about a security issue just mentioned on BUGTRAQ (see
attached Mail).

Best regards

Lars

-- 
E-Mail: Lars.Koeller@Uni-Bielefeld.DE          \          Lars Köller
        lkoeller@FreeBSD.org                   \      CC University of
PGP: http://www.uk.pgp.net/pgpnet/wwwkeys.html \   Bielefeld, Germany
Key-ID: A430D499                               \   Tel: +49 521 106 4964
----------- FreeBSD, what else? ---- http://www.freebsd.org -------------

--Boundary_(ID_xDstRF5eItDzZq6wnE0/mg)
Content-type: MESSAGE/RFC822; name=1
Content-description: 1

Return-path: owner-bugtraq@SECURITYFOCUS.COM
Received: from lists.securityfocus.com (lists.securityfocus.com [207.126.127.68]) by mail.uni-bielefeld.de (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0G7700F5MV9WL9@mail.uni-bielefeld.de>; Mon, 15 Jan 2001 19:27:33 +0100 (MET)
Received: from lists.securityfocus.com (lists.securityfocus.com [207.126.127.68]) by lists.securityfocus.com (Postfix) with ESMTP id 3AC2624C8C7; Mon, 15 Jan 2001 08:47:13 -0800 (PST)
Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM (LISTSERV-TCP/IP release 1.8d) with spool id 22992071 for BUGTRAQ@LISTS.SECURITYFOCUS.COM; Mon, 15 Jan 2001 08:45:57 -0800
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78]) by lists.securityfocus.com (Postfix) with SMTP id 463A02517B0 for ; Fri, 12 Jan 2001 14:36:30 -0800 (PST)
Received: (qmail 26641 invoked by alias); Fri, 12 Jan 2001 22:36:33 +0000
Received: (qmail 26631 invoked from network); Fri, 12 Jan 2001 22:36:33 +0000
Received: from fn3.tfn.net (HELO fn3.freenet.tlh.fl.us) (150.176.31.250) by mail.securityfocus.com with SMTP; Fri, 12 Jan 2001 22:36:33 +0000
Received: from localhost (noeld@localhost) by fn3.freenet.tlh.fl.us (8.8.8/8.6.9) with ESMTP id SAA31415 for ; Fri, 12 Jan 2001 18:06:54 -0500 (EST)
Date: Fri, 12 Jan 2001 18:06:54 -0500
From: "Noel A. Davis"
Subject: exmh security vulnerability
Sender: Bugtraq List
X-X-Sender:
Approved-by: beng@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Reply-to: "Noel A. Davis"
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
Delivered-to: bugtraq@lists.securityfocus.com
Delivered-to: BUGTRAQ@SECURITYFOCUS.COM
X-Authentication-warning: fn3.freenet.tlh.fl.us: noeld owned process doing -bs

Brent Welch asked that this message about the exmh symlink problem be
forwarded to Bugtraq.

Thanks,
Noel

RootPrompt.org -- Nothing but Unix
News and information for Unix Sysadmins
http://rootprompt.org/
rss/rdf file: http://www.rootprompt.org/rss/
Text Headlines: http://www.rootprompt.org/rss/text.php3

---------- Forwarded message ----------
Date: Fri, 12 Jan 2001 11:24:38 -0800
From: Brent Welch
To: Albert White - SUN Ireland
Cc: exmh-users@redhat.com, sans@sans.org, noeld@rootprompt.org
Subject: Re: exmh security vulnerability on linux.com

I have put information about the symlink attack and fixes on
http://www.beedub.com/exmh/symlink.html

Note that any user can protect themselves without applying a patch.
Exmh already has a feature that allows users to choose their own tmp
directory via the TMPDIR or EXMHTMPDIR environment variable. Apparently
the original bug report failed to realize this simple remedy. However, a
patch that causes exmh to pick a better directory by default is in place
and available from the above web page. The change is also checked into
CVS.

If someone out there is a member of BUGTRAQ, I would appreciate a
posting to their list about this fix.

>>>Albert White - SUN Ireland said:
> On http://oreilly.linux.com/pub/a/linux/2001/01/08/insecurities.html
>
> This bug is mentioned:
>
> "A problem in the bug reporting system for exmh, an X-based interface for the
> MH mail, can cause overwriting of arbitrary system files that are writable by
> the user running exmh. When exmh encounters a problem in its code, it opens a dialog
> that asks the user what happened and then allows them to send a bug report to
> the author. If the user chooses to e-mail the bug report, exmh creates the
> file /tmp/exmhErrorMsg. If the file is a symlink, it will follow the symlink,
> overwriting the file that it is linked to.
>
> As of this time, the author has not released a patch or updated version. It is
> recommended that the bug report feature not be used on multiuser systems until
> this problem has been fixed."
>
> I think the problem is in error.tcl around line 121:
>
> 119 proc ExmhMailError { w errInfo } {
> 120     global exmh
> 121     if [catch {open [Env_Tmp]/exmhErrorMsg w} out] {
> 122         Exmh_Status "Cannot open [Env_Tmp]/exmhErrorMsg" purple
> 123         return
> 124     }
>
> I guess all that is needed to fix this is a check to see that the file isn't a
> symlink before opening it. I don't know how to do that in tcl though :)
>
> Cheers,
> ~Al
>
> --==_Exmh_-536764512P
> Content-Type: application/pgp-signature
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.2 (SunOS)
> Comment: Exmh version 2.2 06/23/2000
>
> iD4DBQE6XxH3pfmE8MiMM1IRAh4AAJjoZuUKRrXwlU3NALPNXmOCY15VAJwNr82Q
> H7r69/0P2qxWE66bcPUCxg==
> =2+zl
> -----END PGP SIGNATURE-----
>
> --==_Exmh_-536764512P--

-- 
Brent Welch
http://www.interwoven.com

--Boundary_(ID_xDstRF5eItDzZq6wnE0/mg)--

From owner-freebsd-security Mon Jan 15 23:44:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from femail2.rdc1.on.home.com (femail2.rdc1.on.home.com [24.2.9.89]) by hub.freebsd.org (Postfix) with ESMTP id 77A3E37B400; Mon, 15 Jan 2001 23:44:14 -0800 (PST)
Received: from wilma ([24.114.163.66]) by femail2.rdc1.on.home.com (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20010116074409.RRTN2929.femail2.rdc1.on.home.com@wilma>; Mon, 15 Jan 2001 23:44:09 -0800
Message-ID: <004a01c07f90$29bcef80$0300a8c0@wilma>
From: "Dennis Jun"
To:
Cc:
Subject: TCP_DROP_SYNFIN
Date: Tue, 16 Jan 2001 02:44:31 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have compiled this option in my kernel on 3 different FreeBSD boxes
(4.1.1-STABLE, 4.1-RELEASEs) and I have noticed that it doesn't work all
the time. Specifically with this scan nmap -v -O -sS . Is it just me or
does this not work for other people as well?

From owner-freebsd-security Tue Jan 16 0: 2:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fork.computel.sk (fork.computel.sk [195.28.96.96]) by hub.freebsd.org (Postfix) with ESMTP id 689CC37B402; Tue, 16 Jan 2001 00:02:11 -0800 (PST)
Received: from tempest.sk (t74.tempest.sk [195.28.100.74]) by fork.computel.sk with ESMTP id JAA20770; Tue, 16 Jan 2001 09:02:02 +0100
Message-ID: <3A63FFF9.8E64A6AA@tempest.sk>
Date: Tue, 16 Jan 2001 09:02:01 +0100
From: Pavol Adamec
Organization: Tempest
X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 4.2-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Dennis Jun
Cc: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: Re: TCP_DROP_SYNFIN
References: <004a01c07f90$29bcef80$0300a8c0@wilma>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm not sure what you exactly meant by that but:

TCP_DROP_SYNFIN forces kernel to drop packets with BOTH SYN and
FIN flags set. nmap -sS is a "half-open scan" - it sends packets
with only SYN flag set.

What you likely want is TCP_RESTRICT_RST - not to emit RST for SYN
packets to non-listening ports.

Paul

Dennis Jun wrote:
>
> I have compiled this option in my kernel on 3 different FreeBSD boxes
> (4.1.1-STABLE, 4.1-RELEASEs) and I have noticed that it doesn't work all
> the time. Specifically with this scan nmap -v -O -sS . Is it just me or
> does this not work for other people as well?

From owner-freebsd-security Tue Jan 16 0:26: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id F270D37B6A2; Tue, 16 Jan 2001 00:25:42 -0800 (PST)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id JAA36125; Tue, 16 Jan 2001 09:25:39 +0100 (CET) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Pavol Adamec
Cc: Dennis Jun , freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: TCP_DROP_SYNFIN
References: <004a01c07f90$29bcef80$0300a8c0@wilma> <3A63FFF9.8E64A6AA@tempest.sk>
From: Dag-Erling Smorgrav
Date: 16 Jan 2001 09:25:38 +0100
In-Reply-To: Pavol Adamec's message of "Tue, 16 Jan 2001 09:02:01 +0100"
Message-ID:
Lines: 15
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Pavol Adamec writes:
> TCP_DROP_SYNFIN forces kernel to drop packets with BOTH SYN and
> FIN flags set. nmap -sS is a "half-open scan" - it sends packets
> with only SYN flag set.
> What you likely want is TCP_RESTRICT_RST - not to emit RST for SYN
> packets to non-listening ports.

Correct. TCP_DROP_SYNFIN protects against (some forms of) OS finger-
printing, not against port scanning.

And in both cases, remember that the corresponding sysctl variable
defaults to off (see /etc/defaults/rc.conf)

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Jan 16 2:15:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from orhi.sarenet.es (orhi.sarenet.es [192.148.167.5]) by hub.freebsd.org (Postfix) with ESMTP id 50E8A37B401 for ; Tue, 16 Jan 2001 02:15:34 -0800 (PST)
Received: from sarenet.es (borja.sarenet.es [192.148.167.77]) by orhi.sarenet.es (Postfix) with ESMTP id C304D496C for ; Tue, 16 Jan 2001 11:15:25 +0100 (MET)
Message-ID: <3A641F3F.55AA9322@sarenet.es>
Date: Tue, 16 Jan 2001 11:15:27 +0100
From: Borja Marcos
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: A wish and a dream...
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

	I know the subject suggests a SPAM, but it isn't.

	It would be great to have a small gadget (for example, with
a USB interface) with the ssh private key stored, so that ssh used it
to authenticate instead of having to store the key on the disk.

	Is there anything commercially available?

	Borja.

From owner-freebsd-security Tue Jan 16 2:25:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fork.computel.sk (fork.computel.sk [195.28.96.96]) by hub.freebsd.org (Postfix) with ESMTP id E77B837B400 for ; Tue, 16 Jan 2001 02:24:55 -0800 (PST)
Received: from tempest.sk (t74.tempest.sk [195.28.100.74]) by fork.computel.sk with ESMTP id LAA29027; Tue, 16 Jan 2001 11:24:53 +0100
Message-ID: <3A642174.9A7A8068@tempest.sk>
Date: Tue, 16 Jan 2001 11:24:52 +0100
From: Pavol Adamec
Organization: Tempest
X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 4.2-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Borja Marcos
Cc: freebsd-security@freebsd.org
Subject: Re: A wish and a dream...
References: <3A641F3F.55AA9322@sarenet.es>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Rainbow Technologies - iKey

Paul.

Borja Marcos wrote:
>
> I know the subject suggests a SPAM, but it isn't.
>
> It would be great to have a small gadget (for example, with
> a USB interface) with the ssh private key stored, so that ssh used it
> to authenticate instead of having to store the key on the disk.
>
> Is there anything commercially available?
>
> Borja.

From owner-freebsd-security Tue Jan 16 3:57:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id DCA1237B69B; Tue, 16 Jan 2001 03:57:01 -0800 (PST)
Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id WAA15035; Tue, 16 Jan 2001 22:56:48 +1100 (EST)
From: Darren Reed
Message-Id: <200101161156.WAA15035@caligula.anu.edu.au>
Subject: Re: TCP_DROP_SYNFIN
In-Reply-To: <004a01c07f90$29bcef80$0300a8c0@wilma> from Dennis Jun at "Jan 16, 1 02:44:31 am"
To: dennisjun@home.com (Dennis Jun)
Date: Tue, 16 Jan 2001 22:56:47 +1100 (EST)
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Dennis Jun, sie said:
> I have compiled this option in my kernel on 3 different FreeBSD boxes
> (4.1.1-STABLE, 4.1-RELEASEs) and I have noticed that it doesn't work all
> the time. Specifically with this scan nmap -v -O -sS . Is it just me or
> does this not work for other people as well?

This is a bullshit change/patch (sorry for being blunt). I think your aim for this (defeat nmap scanning) is a load of horse manure. Use ipfw/ipfilter to do this.
Darren

From owner-freebsd-security Tue Jan 16 5:39:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sj-msg-core-4.cisco.com (sj-msg-core-4.cisco.com [171.71.163.10]) by hub.freebsd.org (Postfix) with ESMTP id 3228037B698; Tue, 16 Jan 2001 05:38:52 -0800 (PST)
Received: from bmah-freebsd-0.cisco.com (bmah-freebsd-0.cisco.com [171.70.84.42]) by sj-msg-core-4.cisco.com (8.9.3/8.9.1) with ESMTP id FAA10564; Tue, 16 Jan 2001 05:38:50 -0800 (PST)
Received: (from bmah@localhost) by bmah-freebsd-0.cisco.com (8.11.1/8.11.1) id f0GDcmJ68936; Tue, 16 Jan 2001 05:38:48 -0800 (PST) (envelope-from bmah)
Message-Id: <200101161338.f0GDcmJ68936@bmah-freebsd-0.cisco.com>
X-Mailer: exmh version 2.3 01/14/2001 with nmh-1.0.4
To: Lars Köller
Cc: bmah@FreeBSD.org, FreeBSD-security@FreeBSD.org, FreeBSD-ports@FreeBSD.org
Subject: Re: exmh security bugfix!
In-Reply-To: <200101160704.IAA22365@hermes.hrz.uni-bielefeld.de>
References: <200101160704.IAA22365@hermes.hrz.uni-bielefeld.de>
Comments: In-reply-to Lars Köller message dated "Tue, 16 Jan 2001 08:04:34 +0100."
From: bmah@FreeBSD.org (Bruce A. Mah)
Reply-To: bmah@FreeBSD.org
X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A 2V%N&+
X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif
X-Url: http://www.employees.org/~bmah/
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-394012406P"; micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Tue, 16 Jan 2001 05:38:48 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--==_Exmh_-394012406P
Content-Type: text/plain; charset=us-ascii

If memory serves me right, Lars Köller wrote:
> As the maintainer for exmh2 on the FreeBSD ports collection I would
> inform you about a security issue just mentioned on BUGTRAQ (see
> attached Mail).

Hi Lars--

Thanks for the note. We (the exmh developers) have been working on a fix; a new version (which will be called exmh-2.3) will be released probably today. I'll be updating the port as soon as this happens. If there isn't something put up by late today, I'll fix the port with a patch from exmh's CVS repository.

More information is at: http://www.beedub.com/exmh/symlink.html

It would have been really nice if the person who originally reported this bug to BUGTRAQ had bothered to contact *any* of the exmh developers before posting to said list. Apparently, nowadays, saying "I'M 3L33T CUZ I F0UND A H0LE 1ST" is more important than giving developers a chance to actually fix problems in their software.

Cheers,

Bruce.

PS. Yes, I should have put the patch into the port sooner. I had thought we would have cut a new exmh release earlier, which would have made this a moot point. One way or another FreeBSD will see the fix today.
--==_Exmh_-394012406P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: Exmh version 2.2 06/23/2000

iD8DBQE6ZE7n2MoxcVugUsMRAuyLAKCkiZzqNA7M8b7fWJTRBN1m5V2wegCeINgC
o6z46C+fU41OtMSc8hh3cs0=
=yG0E
-----END PGP SIGNATURE-----

--==_Exmh_-394012406P--

From owner-freebsd-security Tue Jan 16 9:13: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from secure.smtp.email.msn.com (cpimssmtpu07.email.msn.com [207.46.181.28]) by hub.freebsd.org (Postfix) with ESMTP id 9583B37B400 for ; Tue, 16 Jan 2001 09:12:47 -0800 (PST)
Received: from x86w2kw1 - 216.103.48.12 by email.msn.com with Microsoft SMTPSVC; Tue, 16 Jan 2001 09:12:46 -0800
Message-ID: <003c01c07fdf$f8fb7ec0$0101a8c0@development.local>
From: "John Howie"
To: "Pavol Adamec" , "Borja Marcos"
Cc:
References: <3A641F3F.55AA9322@sarenet.es> <3A642174.9A7A8068@tempest.sk>
Subject: Re: A wish and a dream...
Date: Tue, 16 Jan 2001 09:15:48 -0800
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Or even a SmartCard from a company like Gemplus?

john...

----- Original Message -----
From: "Pavol Adamec"
To: "Borja Marcos"
Cc:
Sent: Tuesday, January 16, 2001 2:24 AM
Subject: Re: A wish and a dream...

> Rainbow Technologies - iKey
>
> Paul.
>
> Borja Marcos wrote:
> >
> > I know the subject suggests SPAM, but it isn't.
> >
> > It would be great to have a small gadget (for example, with
> > a USB interface) with the ssh private key stored, so that ssh used it
> > to authenticate instead of having to store the key on the disk.
> >
> > Is there anything commercially available?
> >
> > Borja.

From owner-freebsd-security Tue Jan 16 10: 7: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from preacher.netwarriors.org (unknown [216.34.142.180]) by hub.freebsd.org (Postfix) with ESMTP id D7A4D37B401 for ; Tue, 16 Jan 2001 10:06:43 -0800 (PST)
Received: (from loki@localhost) by preacher.netwarriors.org (8.11.1/8.11.1) id f0GI6hx59329 for freebsd-security@freebsd.org; Tue, 16 Jan 2001 10:06:43 -0800 (PST) (envelope-from loki)
Date: Tue, 16 Jan 2001 10:06:43 -0800
From: Jonas Luster
To: freebsd-security@freebsd.org
Subject: Re: A wish and a dream...
Message-ID: <20010116100642.A59220@netwarriors.org>
Mail-Followup-To: Jonas Luster , freebsd-security@freebsd.org
References: <3A641F3F.55AA9322@sarenet.es> <3A642174.9A7A8068@tempest.sk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3A642174.9A7A8068@tempest.sk>; from pavol_adamec@tempest.sk on Tue, Jan 16, 2001 at 11:24:52AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[ Reformatted for readers' sanity ]

* Pavol Adamec sez:
> > I know the subject suggests SPAM, but it isn't.
> >
> > It would be great to have a small gadget (for example, with
> > a USB interface) with the ssh private key stored, so that ssh used it
> > to authenticate instead of having to store the key on the disk.
> Rainbow Technologies - iKey

If I understand the webpage correctly, then this is not a storage medium for random keys and such... but maybe I'm missing this feature.

For my BSD-machines I've bought a Compact Flash 16MB card and some CF readers for the desktops and stored my PGP and SSH stuff on them. A small script mounts and unmounts the CF-card (which announces itself to the OS as a new file system) under .keys, and .ssh, .pgp and .gpg have the needed symlinks.

This seems so far the most cost-effective and portable solution.
jonas

--
http://www.advogato.org/person/jLoki

From owner-freebsd-security Tue Jan 16 12:29:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sj-msg-core-4.cisco.com (sj-msg-core-4.cisco.com [171.71.163.10]) by hub.freebsd.org (Postfix) with ESMTP id 6618537B69C; Tue, 16 Jan 2001 12:28:51 -0800 (PST)
Received: from bmah-freebsd-0.cisco.com (bmah-freebsd-0.cisco.com [171.70.84.42]) by sj-msg-core-4.cisco.com (8.9.3/8.9.1) with ESMTP id MAA09128; Tue, 16 Jan 2001 12:28:53 -0800 (PST)
Received: (from bmah@localhost) by bmah-freebsd-0.cisco.com (8.11.1/8.11.1) id f0GKSp724907; Tue, 16 Jan 2001 12:28:51 -0800 (PST) (envelope-from bmah)
Message-Id: <200101162028.f0GKSp724907@bmah-freebsd-0.cisco.com>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Lars Köller
Cc: bmah@FreeBSD.org, FreeBSD-security@FreeBSD.org, FreeBSD-ports@FreeBSD.org
Subject: Re: exmh security bugfix!
In-Reply-To: <200101160704.IAA22365@hermes.hrz.uni-bielefeld.de>
References: <200101160704.IAA22365@hermes.hrz.uni-bielefeld.de>
Comments: In-reply-to Lars Köller message dated "Tue, 16 Jan 2001 08:04:34 +0100."
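The arrangement Jonas describes above (a small mount/unmount script, with .ssh, .pgp and .gpg holding symlinks into the mounted card) written out as an added example. This is not his script and not anything posted in the thread; the device node, the mount options, the ssh/pgp/gnupg layout on the card and the file names are all assumptions. `keys_link` refuses to link a key file that is group- or world-readable, and refuses to replace a regular file already sitting in the dotfile directory, since a key that is still on the local disk should be wiped deliberately rather than silently shadowed by a link.

```sh
#!/bin/sh
# Added example, not from the original post. Keeps SSH and PGP private keys
# on a removable card mounted at $KEYMNT and exposes them through symlinks
# from the usual dotfiles, so nothing secret lives on the local disk.
# Assumptions (not stated in the post): device node, mount options, the
# directory layout on the card and the file names in KEY_MAP.

KEYDEV="${KEYDEV:-/dev/da0s1}"      # assumed device node of the CF reader
KEYMNT="${KEYMNT:-$HOME/.keys}"     # mountpoint, as in the post

# "path-on-card:path-under-HOME" pairs; the layout is an assumption
KEY_MAP="ssh/identity:.ssh/identity ssh/id_dsa:.ssh/id_dsa \
pgp/secring.pgp:.pgp/secring.pgp gnupg/secring.gpg:.gnupg/secring.gpg"

keys_mount() {
    # the card only ever holds data files, so it never needs dev/suid/exec
    mkdir -p "$KEYMNT" && chmod 700 "$KEYMNT" || return 1
    mount -o ro,nodev,nosuid,noexec "$KEYDEV" "$KEYMNT"
}

keys_umount() {
    umount "$KEYMNT"
}

# key_is_private FILE: succeeds only if group and other have no bits at all
# (columns 5-10 of "ls -ld" output are the group/other permission bits)
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# keys_link MOUNTPOINT HOME: create the symlinks for every key present on
# the card; prints one line per refused key and returns the number of
# problems, so a return of 0 means every key found was linked.
keys_link() {
    mnt="$1"; home="$2"; problems=0
    for pair in $KEY_MAP; do
        src="$mnt/${pair%%:*}"
        dst="$home/${pair#*:}"
        [ -f "$src" ] || continue           # this key is not on the card
        if ! key_is_private "$src"; then
            echo "refusing $src: readable by group or other"
            problems=$((problems + 1)); continue
        fi
        if [ -e "$dst" ] && [ ! -L "$dst" ]; then
            echo "refusing $dst: a regular file is in the way (key still on disk?)"
            problems=$((problems + 1)); continue
        fi
        mkdir -p "$(dirname "$dst")" && chmod 700 "$(dirname "$dst")"
        ln -sf "$src" "$dst" || problems=$((problems + 1))
    done
    return "$problems"
}
```

Run `keys_mount && keys_link "$KEYMNT" "$HOME"` at the start of a session and `keys_umount` at the end; while the card is out the links dangle and ssh has no identity file to offer. Mounting read-only with nodev,nosuid,noexec means the card can only ever contribute data, and a lost card is only as safe as the passphrases on the keys it carries.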
From: bmah@FreeBSD.org (Bruce A. Mah)
Reply-To: bmah@FreeBSD.org
X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A 2V%N&+
X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif
X-Url: http://www.employees.org/~bmah/
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_1726961518P"; micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Tue, 16 Jan 2001 12:28:50 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--==_Exmh_1726961518P
Content-Type: text/plain; charset=us-ascii

If memory serves me right, Lars Köller wrote:
> As the maintainer for exmh2 on the FreeBSD ports collection I would
> inform you about a security issue just mentioned on BUGTRAQ (see
> attached Mail).

I've committed bugfix patches from exmh's CVS repository to our mail/exmh2 port. The new version number is 2.2_1. exmh-2.3 should be released RSN.

Bruce.

--==_Exmh_1726961518P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: Exmh version 2.2 06/23/2000

iD8DBQE6ZK8C2MoxcVugUsMRAvQNAKCIHTRI1SHA0TC5FeM9RYVpfUxtLgCgxpDP
s9SplKElayc0tLKvNbh9zdI=
=EviY
-----END PGP SIGNATURE-----

--==_Exmh_1726961518P--

From owner-freebsd-security Tue Jan 16 12:36:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from apotheosis.org.za (apotheosis.org.za [137.158.128.27]) by hub.freebsd.org (Postfix) with ESMTP id A55BF37B402; Tue, 16 Jan 2001 12:36:02 -0800 (PST)
Date: Tue, 16 Jan 2001 22:35:32 +0200
From: Matthew West
To: Dru
Cc: questions@freebsd.org, security@freebsd.org, Siviwe Kwatsha
Subject: Re: opinions on password policies
Message-ID: <20010116223532.A91772@apotheosis.org.za>
Mail-Followup-To: Matthew West , Dru , questions@freebsd.org, security@freebsd.org, Siviwe Kwatsha
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from "Dru" on Sat, Jan 13, 2001 at 01:43:47PM
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Jan 13, 2001 at 01:43:47PM -0500, Dru wrote:
> After spending a week trying to use my rudimentary programming
> skills to hack Makefiles and C source code, I've failed miserably in
> getting either "npasswd" or "passwd+" to compile on 4.2-Release.

Perhaps you should take a look at:

http://lucifer.ru.ac.za/stuffplayingwith.html

This site has some work which gets FreeBSD's password program to use cracklib.

--
mwest@uct.ac.za

From owner-freebsd-security Tue Jan 16 19:18: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from monarch.prairienet.org (monarch.prairienet.org [192.17.3.5]) by hub.freebsd.org (Postfix) with SMTP id 146D737B401 for ; Tue, 16 Jan 2001 19:17:46 -0800 (PST)
Received: (qmail 24640 invoked from network); 17 Jan 2001 03:17:43 -0000
Received: from slip-87.prairienet.org (HELO sherman.spotnet.org) (192.17.3.107) by monarch.prairienet.org with SMTP; 17 Jan 2001 03:17:43 -0000
Received: from localhost (localhost [127.0.0.1]) by sherman.spotnet.org (8.11.0/8.9.3) with ESMTP id f0H3HDO02767; Tue, 16 Jan 2001 21:17:14 -0600
Date: Tue, 16 Jan 2001 21:17:09 -0600 (CST)
From: David Talkington
X-Sender:
To: Borja Marcos
Cc:
Subject: Re: A wish and a dream...
In-Reply-To: <3A641F3F.55AA9322@sarenet.es>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

Borja Marcos wrote:
>
> It would be great to have a small gadget (for example, with
>a USB interface) with the ssh private key stored, so that ssh used it
>to authenticate instead of having to store the key on the disk.
>
> Is there anything commercially available?

A locked cabinet in my office contains a floppy disk on which is my pgp key. I mount it when I'm logged in to my workstation. Low tech, but it works.

-d

- --
David Talkington
Prairienet
dtalk@prairienet.org
217-244-1962
PGP key: http://www.prairienet.org/~dtalk/dt000823.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.75-6

iQEVAwUBOmUOuL1ZYOtSwT+tAQEkPAgAmDizavMHbvZv2HzFhhESkIizerU0fkk6
B1cOvzVqKqTZipdG09vGpgmuGdybk65aRIKuCPgMUlgbo2d6ucYRRQ0mf0dhtqgv
rT05Gkhm5m8dNrZ3Q9MCM9Rxn4fhqnQmkrKD6QgHA2uG+M5GFjxT5yZUUfdwr6+J
qtqn1OoaZssd48aqyfjaHw97T8TGgOmdSrHvufShDYcX53LlH6I9yNpmZfCcNb6G
YdAYKf0vga7TKct6G98xuN1mt+/XNDTvKgV520K/q6elxf+ifJxwNb0piCSZbN7/
puC9OESDjMGUB3wtHV4Tg9KxHHX9Bdy3mFZrutRLtZfPPLUdgbLSrw==
=Q+vN
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jan 16 20:11:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from netau1.alcanet.com.au (ntp.alcanet.com.au [203.62.196.27]) by hub.freebsd.org (Postfix) with ESMTP id 9649437B400 for ; Tue, 16 Jan 2001 20:11:14 -0800 (PST)
Received: from mfg1.cim.alcatel.com.au (mfg1.cim.alcatel.com.au [139.188.23.1]) by netau1.alcanet.com.au (8.9.3 (PHNE_22672)/8.9.3) with ESMTP id PAA26741; Wed, 17 Jan 2001 15:11:10 +1100 (EDT)
Received: from gsmx07.alcatel.com.au by cim.alcatel.com.au
 (PMDF V5.2-32 #37640) with ESMTP id <01JZ0O1HNOE890IFGR@cim.alcatel.com.au>; Wed, 17 Jan 2001 15:11:04 +1100
Received: (from jeremyp@localhost) by gsmx07.alcatel.com.au (8.11.0/8.11.0) id f0H4Axf02235; Wed, 17 Jan 2001 15:10:59 +1100 (EST envelope-from jeremyp)
Content-return: prohibited
Date: Wed, 17 Jan 2001 15:10:58 +1100
From: Peter Jeremy
Subject: Re: A wish and a dream...
In-reply-to: <3A641F3F.55AA9322@sarenet.es>; from borjamar@sarenet.es on Tue, Jan 16, 2001 at 11:15:27AM +0100
To: Borja Marcos
Cc: freebsd-security@FreeBSD.ORG
Mail-followup-to: Borja Marcos , freebsd-security@FreeBSD.ORG
Message-id: <20010117151058.B98607@gsmx07.alcatel.com.au>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References: <3A641F3F.55AA9322@sarenet.es>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2001-Jan-16 11:15:27 +0100, Borja Marcos wrote:
> It would be great to have a small gadget (for example, with
>a USB interface) with the ssh private key stored, so that ssh used it
>to authenticate instead of having to store the key on the disk.
>
> Is there anything commercially available?

Dallas Semiconductor iButton: http://www.ibutton.com/

Peter

From owner-freebsd-security Tue Jan 16 23:43:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 5006B37B401 for ; Tue, 16 Jan 2001 23:43:02 -0800 (PST)
Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id SAA25466; Wed, 17 Jan 2001 18:42:52 +1100 (EST)
From: Darren Reed
Message-Id: <200101170742.SAA25466@caligula.anu.edu.au>
Subject: Re: A wish and a dream...
In-Reply-To: <20010117151058.B98607@gsmx07.alcatel.com.au> from Peter Jeremy at "Jan 17, 1 03:10:58 pm"
To: peter.jeremy@alcatel.com.au (Peter Jeremy)
Date: Wed, 17 Jan 2001 18:42:52 +1100 (EST)
Cc: borjamar@sarenet.es, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Peter Jeremy, sie said:
> On 2001-Jan-16 11:15:27 +0100, Borja Marcos wrote:
> > It would be great to have a small gadget (for example, with
> >a USB interface) with the ssh private key stored, so that ssh used it
> >to authenticate instead of having to store the key on the disk.
> >
> > Is there anything commercially available?
>
> Dallas Semiconductor iButton: http://www.ibutton.com/

There is also the Rainbow Technologies iKey (don't ask me for a URL). I use the iKey 2000 with Windows/Netscape quite successfully. If it is plugged into the USB port, I can read encrypted mail; if it's not, I can't (using IE means the key info is copied from the device to the system registry). If only they'd release specs.

Darren

From owner-freebsd-security Wed Jan 17 1:13:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from vista.athms.com (athms.bayarea.net [204.71.213.154]) by hub.freebsd.org (Postfix) with ESMTP id 247AB37B401 for ; Wed, 17 Jan 2001 01:12:49 -0800 (PST)
Received: from goofy.int.athms.com ([192.168.100.12] helo=athms.com) by vista.athms.com with esmtp (Exim 3.16) id 14IomG-000Igu-00 ; Wed, 17 Jan 2001 01:21:12 -0800
Message-ID: <3A6562F2.2D232401@athms.com>
Date: Wed, 17 Jan 2001 01:16:34 -0800
From: Tom Czarnik
X-Mailer: Mozilla 4.61 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
Cc: Peter Jeremy , freebsd-security@FreeBSD.ORG
Subject: Re: A wish and a dream...
References: <200101170742.SAA25466@caligula.anu.edu.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Darren Reed wrote:
>
> There is also the Rainbow Technologies iKey (don't ask me for a URL).

http://www.rainbow.com/ikey2000/index.html

From owner-freebsd-security Wed Jan 17 11:29: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.deanandadie.net (dsl-6-169-186-216.cust.dslnetworks.net [216.186.169.6]) by hub.freebsd.org (Postfix) with SMTP id 052F837B6D9 for ; Wed, 17 Jan 2001 11:28:51 -0800 (PST)
Received: (qmail 56229 invoked from network); 17 Jan 2001 19:34:56 -0000
Received: from tfz.deanandadie.net (HELO 10.0.0.1) (@216.186.169.7) by mail.deanandadie.net with SMTP; 17 Jan 2001 19:34:56 -0000
Received: (qmail 1514 invoked by uid 1001); 17 Jan 2001 19:31:23 -0000
Date: 17 Jan 2001 19:31:23 -0000
Message-ID: <20010117193123.1513.qmail@10.0.0.1>
From: FreeBSD-Security@DeanAndAdie.net
To: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

subscribe

From owner-freebsd-security Wed Jan 17 13:48:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from jenkins.web.us.uu.net (jenkins.web.us.uu.net [208.240.88.32]) by hub.freebsd.org (Postfix) with ESMTP id 50B8237B71C for ; Wed, 17 Jan 2001 13:47:41 -0800 (PST)
Received: from dagger.web.us.uu.net (dagger.web.us.uu.net [208.211.134.28]) by jenkins.web.us.uu.net (Postfix) with ESMTP id 32D1E12685; Wed, 17 Jan 2001 16:47:40 -0500 (EST)
Received: by dagger.web.us.uu.net (Postfix, from userid 515) id E7DAD46BC; Wed, 17 Jan 2001 16:47:35 -0500 (EST)
From: "David J. MacKenzie" To: freebsd-security@freebsd.org Cc: djm@web.us.uu.net Subject: full PAM support for login, rshd, and su X-Quote: Anything that is too stupid to be spoken is sung. --Voltaire Message-Id: <20010117214735.E7DAD46BC@dagger.web.us.uu.net> Date: Wed, 17 Jan 2001 16:47:35 -0500 (EST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The FreeBSD (4.2-STABLE) login has only partial PAM support; it supports PAM authentication, but not account management or sessions. I want to use a locally written PAM module that restricts logins based on a DB file lookup, but the account management function is necessary for that. The FreeBSD rshd and su don't have any PAM support. Below are patches to add full PAM support to those programs. I haven't tackled adding PAM to the FreeBSD ftpd so far, because I use proftpd which already has it. I haven't looked at Heimdal or krb4, as the relevant utilities from them don't seem to be installed on FreeBSD, and my company has standardized on MIT krb5. The PAM_FAIL_CHECK and PAM_END macros in su.c came from the util-linux package's PAM patches to the BSD login.c, which are covered by the BSD copyright (no GPL). If you don't like that for some reason, it would be straightforward for someone to rewrite that error checking. I simplified the "cleanenv" code in su.c based on BSDI's version, which is covered by the same copyright as the FreeBSD version. I've also added PAM support (for account management and sessions) to the MIT krb5 ksu, login.krb5, and kshd, which I'll be submitting to krbdev@mit.edu soon. I think if you're going to ship PAM, you should actually use it. The OpenSSH shipped with FreeBSD (as of 4.2-STABLE) is also missing the USE_PAM support that's in the portable OpenSSH release. I highly recommend importing that code into your source tree. I'm going to have to do so in my tree. --- ./usr.bin/login/login.c 2000/08/08 03:12:59 1.1 +++ ./usr.bin/login/login.c 2001/01/16 23:38:50 
@@ -81,6 +81,7 @@ #ifndef NO_PAM #include #include +#include #endif #include "pathnames.h" @@ -106,6 +107,7 @@ #ifndef NO_PAM static int auth_pam __P((void)); +pam_handle_t *pamh = NULL; #endif static int auth_traditional __P((void)); extern void login __P((struct utmp *)); @@ -150,6 +152,10 @@ char tname[sizeof(_PATH_TTY) + 10]; char *shell = NULL; login_cap_t *lc = NULL; +#ifndef NO_PAM + pid_t pid; + int e; +#endif /* NO_PAM */ (void)signal(SIGQUIT, SIG_IGN); (void)signal(SIGINT, SIG_IGN); @@ -548,6 +554,35 @@ if (!pflag) environ = envinit; +#ifndef NO_PAM + if (pamh) { + /* + * We must fork() before setuid() because we need to call + * pam_close_session() as root. + */ + pid = fork(); + if (pid < 0) { + err(1, "fork"); + if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e)); + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + exit(0); + } else if (pid) { + /* parent - wait for child to finish, then cleanup session */ + wait(NULL); + if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e)); + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + exit(0); + } else { + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + } + } +#endif /* NO_PAM */ + /* * We don't need to be root anymore, so * set the user and session context @@ -562,6 +597,17 @@ exit(1); } +#ifndef NO_PAM + if (pamh) { + const char * const *env = (const char * const *)pam_getenvlist(pamh); + int i; + if (env != NULL) { + for (i=0; env[i]; i++) + putenv(env[i]); + } + } +#endif /* NO_PAM */ + (void)setenv("SHELL", pwd->pw_shell, 1); (void)setenv("HOME", pwd->pw_dir, 1); if (term != NULL && *term != '\0') @@ -663,7 +709,6 @@ static int auth_pam() { - pam_handle_t *pamh = NULL; const char *tmpl_user; const void *item; int rval; 
@@ -724,13 +769,36 @@ break; default: - syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); + syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, e)); rval = -1; break; } - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); - rval = -1; + + if (rval != -1) { + e = pam_acct_mgmt(pamh, 0); + if (e == PAM_NEW_AUTHTOK_REQD) { + e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (e != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, e)); + rval = -1; + } + } else if (e != PAM_SUCCESS) { + rval = 1; + } else if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, e)); + rval = -1; + } else if ((e = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); + rval = -1; + pam_close_session(pamh, 0); + } + } + + if (rval == -1) { + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + } + pamh = NULL; } return rval; } @@ -745,7 +813,7 @@ /* * Allow for authentication style and/or kerberos instance - * */ + */ #define NBUFSIZ UT_NAMESIZE + 64 --- ./usr.bin/su/Makefile 2001/01/16 21:33:47 1.1 +++ ./usr.bin/su/Makefile 2001/01/16 21:41:43 @@ -4,9 +4,9 @@ PROG= su SRCS= su.c -COPTS+= -DLOGIN_CAP -DSKEY +COPTS+= -DLOGIN_CAP -DSKEY -DUSE_PAM DPADD= ${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT} -LDADD= -lutil -lskey -lmd -lcrypt +LDADD= -lutil -lskey -lmd -lcrypt -lpam .if defined(WHEELSU) COPTS+= -DWHEELSU --- ./usr.bin/su/su.c 2000/02/24 21:06:21 1.1 +++ ./usr.bin/su/su.c 2001/01/16 23:29:48 
@@ -65,6 +65,20 @@ #include #endif +#ifdef USE_PAM +#include +#include +#include +#include +#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ + fprintf(stderr,"su: PAM error: %s\n",pam_strerror(pamh, retcode)); \ + syslog(LOG_ERR,"PAM error: %s",pam_strerror(pamh, retcode)); \ + pam_end(pamh, retcode); exit(1); \ + } +#define PAM_END { retcode = pam_close_session(pamh,0); \ + pam_end(pamh,retcode); } +#endif /* USE_PAM */ + #ifdef SKEY #include #endif @@ -107,7 +121,7 @@ char *targetpass; int iswheelsu; #endif /* WHEELSU */ - char *p, **g, *user, *shell=NULL, *username, **cleanenv, **nargv, **np; + char *p, **g, *user, *shell=NULL, *username, *cleanenv = NULL, **nargv, **np; struct group *gr; uid_t ruid; gid_t gid; @@ -118,6 +132,15 @@ char *class=NULL; int setwhat; #endif +#ifdef USE_PAM + int retcode; + pam_handle_t *pamh = NULL; + struct pam_conv conv = { misc_conv, NULL }; + char myhost[MAXHOSTNAMELEN + 1], *mytty; + int statusp=0; + int child_pid, child_pgrp, ret_pid; + const char * const *env; +#endif /* USE_PAM */ #ifdef KERBEROS char *k; #endif @@ -230,11 +253,24 @@ } #endif +#ifdef USE_PAM + retcode = pam_start("su", user, &conv, &pamh); + PAM_FAIL_CHECK; +#else /* !USE_PAM */ #ifdef WHEELSU targetpass = strdup(pwd->pw_passwd); #endif /* WHEELSU */ +#endif /* USE_PAM */ if (ruid) { +#ifdef USE_PAM + retcode = pam_authenticate(pamh, 0); + PAM_FAIL_CHECK; + retcode = pam_acct_mgmt(pamh, 0); + if (retcode == PAM_NEW_AUTHTOK_REQD) + retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + PAM_FAIL_CHECK; +#else /* !USE_PAM */ #ifdef KERBEROS if (use_kerberos && koktologin(username, user) && !pwd->pw_uid) { 
@@ -280,11 +316,12 @@ #ifdef WHEELSU || (iswheelsu && !strcmp(targetpass, crypt(p,targetpass))) #endif /* WHEELSU */ - )) { -#else + )) +#else /* !SKEY */ p = getpass("Password:"); - if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) { -#endif + if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) +#endif /* SKEY */ + { #ifdef KERBEROS if (!use_kerberos || (use_kerberos && kerberos(username, user, pwd->pw_uid, p))) #endif @@ -307,6 +344,7 @@ user, ontty()); exit(1); } +#endif /* USE_PAM */ } if (asme) { @@ -334,6 +372,60 @@ (void)setpriority(PRIO_PROCESS, 0, prio); +#ifdef USE_PAM + gethostname(myhost, sizeof(myhost)); + retcode = pam_set_item(pamh, PAM_RHOST, myhost); + PAM_FAIL_CHECK; + + mytty = ttyname(STDERR_FILENO); + if (!mytty) + mytty = "tty"; + retcode = pam_set_item(pamh, PAM_TTY, mytty); + PAM_FAIL_CHECK; + + retcode = pam_open_session(pamh, 0); + PAM_FAIL_CHECK; + + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED); + PAM_FAIL_CHECK; + + env = (const char * const *)pam_getenvlist(pamh); + if (env != NULL) { + for (i=0; env[i]; i++) + putenv(env[i]); + } + + /* + * We must fork() before setuid() because we need to call + * pam_close_session() as root. + */ + + statusp = 1; + switch ((child_pid = fork())) { + default: + while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) { + if (WIFSTOPPED(statusp)) { + child_pgrp = tcgetpgrp(1); + kill(getpid(), SIGSTOP); + tcsetpgrp(1, child_pgrp); + kill(child_pid, SIGCONT); + statusp = 1; + continue; + } + break; + } + if (ret_pid == -1) + err(1, "waitpid"); + PAM_END; + exit(statusp); + case -1: + err(1, "fork"); + PAM_END; + exit (1); + case 0: + pam_end(pamh, retcode); +#endif /* USE_PAM */ + #ifdef LOGIN_CAP /* Set everything now except the environment & umask */ setwhat = LOGIN_SETUSER|LOGIN_SETGROUP|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY; 
@@ -361,10 +453,7 @@ #ifdef KERBEROS k = getenv("KRBTKFILE"); #endif - if ((cleanenv = calloc(20, sizeof(char*))) == NULL) - errx(1, "calloc"); - cleanenv[0] = NULL; - environ = cleanenv; + environ = &cleanenv; #ifdef LOGIN_CAP /* set the su'd user's environment & umask */ setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV); @@ -403,6 +492,9 @@ execv(shell, np); err(1, "%s", shell); +#ifdef USE_PAM + } +#endif /* USE_PAM */ } static void --- ./libexec/rshd/Makefile 2001/01/17 00:04:57 1.1 +++ ./libexec/rshd/Makefile 2001/01/17 00:05:11 @@ -8,9 +8,9 @@ #CFLAGS+= -DCRYPT # For login_cap handling -CFLAGS+=-DLOGIN_CAP -Wall +CFLAGS+=-DLOGIN_CAP -DUSE_PAM -Wall DPADD+= ${LIBUTIL} -LDADD+= -lutil +LDADD+= -lutil -lpam # IPv6 support CFLAGS+= -DINET6 --- ./libexec/rshd/rshd.c 2000/11/12 07:00:38 1.1 +++ ./libexec/rshd/rshd.c 2001/01/17 00:40:07 @@ -80,6 +80,12 @@ #include #endif +#ifdef USE_PAM +#include +#include +static pam_handle_t *pamh; +#endif /* USE_PAM */ + /* wrapper for KAME-special getnameinfo() */ #ifndef NI_WITHSCOPEID #define NI_WITHSCOPEID 0 @@ -219,6 +225,10 @@ #ifdef LOGIN_CAP login_cap_t *lc; #endif +#ifdef USE_PAM + static struct pam_conv conv = { misc_conv, NULL }; + int retcode; +#endif /* USE_PAM */ (void) signal(SIGINT, SIG_DFL); (void) signal(SIGQUIT, SIG_DFL); @@ -349,7 +359,8 @@ remuser, fromhost, locuser, cmdbuf); if (errorstr == NULL) errorstr = "Login incorrect.\n"; - goto fail; + error(errorstr, fromhost); + exit(1); } #ifdef LOGIN_CAP lc = login_getpwclass(pwd); 
@@ -377,6 +388,36 @@ pwd->pw_dir = "/"; } +#ifdef USE_PAM + retcode = pam_start("rsh", locuser, &conv, &pamh); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retcode)); + exit(1); + } + pam_set_item (pamh, PAM_RUSER, remuser); + pam_set_item (pamh, PAM_RHOST, fromhost); + pam_set_item (pamh, PAM_TTY, "tty"); + + retcode = pam_authenticate(pamh, 0); + if (retcode == PAM_SUCCESS) { + retcode = pam_acct_mgmt(pamh, 0); + } + if (retcode == PAM_SUCCESS) { + retcode = pam_open_session(pamh,0); + } + if (retcode == PAM_SUCCESS) { + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED); + if (retcode != PAM_SUCCESS) + pam_close_session(pamh, 0); + } + if (retcode != PAM_SUCCESS) { + pam_end(pamh, retcode); + syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", + remuser, fromhost, locuser, pam_strerror(pamh, retcode), cmdbuf); + error("Login incorrect.\n"); + exit(1); + } +#else /* !USE_PAM */ if (errorstr || (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, @@ -390,7 +431,6 @@ syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied. cmd='%.80s'", remuser, fromhost, locuser, cmdbuf); -fail: if (errorstr == NULL) errorstr = "Login incorrect.\n"; error(errorstr, fromhost); @@ -401,6 +441,8 @@ error("Logins currently disabled.\n"); exit(1); } +#endif /* USE_PAM */ + #ifdef LOGIN_CAP if (lc != NULL && fromp->su_family == AF_INET) { /*XXX*/ char remote_ip[MAXHOSTNAMELEN]; 
@@ -569,6 +611,10 @@ (doencrypt && FD_ISSET(pv1[0], &readfrom)) || #endif FD_ISSET(pv[0], &readfrom)); +#ifdef USE_PAM + pam_close_session(pamh, 0); + pam_end(pamh, PAM_SUCCESS); +#endif /* USE_PAM */ exit(0); } setpgrp(0, getpid()); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 17 14: 8:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id 8152937B400 for ; Wed, 17 Jan 2001 14:07:50 -0800 (PST) Received: by elvis.mu.org (Postfix, from userid 1098) id DED8B2BBFC; Wed, 17 Jan 2001 16:07:39 -0600 (CST) Date: Wed, 17 Jan 2001 16:07:39 -0600 
From: Bill Fumerola
To: "David J. MacKenzie"
Cc: freebsd-security@freebsd.org
Subject: Re: full PAM support for login, rshd, and su
Message-ID: <20010117160739.Q76347@elvis.mu.org>
References: <20010117214735.E7DAD46BC@dagger.web.us.uu.net>
In-Reply-To: <20010117214735.E7DAD46BC@dagger.web.us.uu.net>

On Wed, Jan 17, 2001 at 04:47:35PM -0500, David J. MacKenzie wrote:

> I think if you're going to ship PAM, you should actually use it.
> The OpenSSH shipped with FreeBSD (as of 4.2-STABLE) is also missing
> the USE_PAM support that's in the portable OpenSSH release. I highly
> recommend importing that code into your source tree. I'm going to
> have to do so in my tree.

The openssh people have made life difficult for those trying to do work
in this area by instantly forking all their code.

Maybe that's just in their nature, though...

-- 
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org

Date: Wed, 17 Jan 2001 14:18:49 -0800
From: Alan Batie
To: "David J. MacKenzie"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
Message-ID: <20010117141848.E25292@agora.rdrop.com>
References: <20010117214735.E7DAD46BC@dagger.web.us.uu.net>
In-Reply-To: <20010117214735.E7DAD46BC@dagger.web.us.uu.net>

On Wed, Jan 17, 2001 at 04:47:35PM -0500, David J. MacKenzie wrote:

> I think if you're going to ship PAM, you should actually use it.

And *please* document it! I've had the misfortune of using a Linux box
with that *thing* in it. There's no man pages, and what docs I found on
the web didn't match. A most unpleasant experience.

-- 
Alan Batie                     ______  www.rdrop.com/users/alan        Me
alan@batie.org                 \    /  www.qrd.org             The Triangle
PGPFP DE 3C 29 17 C0 49 7A      \  /   www.pgpi.com        The Weird Numbers
27 40 A5 3C 37 4A DA 52 B9       \/    www.anti-spam.net           NO SPAM!
From: Michael Kiernan
To: Bill Fumerola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
In-Reply-To: Your message of "Wed, 17 Jan 2001 16:07:39 CST." <20010117160739.Q76347@elvis.mu.org>
Date: Wed, 17 Jan 2001 17:05:43 -0800
Message-Id: <20010118010543.9424DF80D@nayarit.avantgo.com>

On Wed, 17 Jan 2001 16:07:39 CST, Bill Fumerola wrote:

> On Wed, Jan 17, 2001 at 04:47:35PM -0500, David J. MacKenzie wrote:
>
> > I think if you're going to ship PAM, you should actually use it.
> > The OpenSSH shipped with FreeBSD (as of 4.2-STABLE) is also missing
> > the USE_PAM support that's in the portable OpenSSH release. I highly
> > recommend importing that code into your source tree. I'm going to
> > have to do so in my tree.
>
> The openssh people have made life difficult for those trying to do work
> in this area by instantly forking all their code.

Is there a reason we import from OpenBSD's OpenSSH source tree as opposed
to importing the "portable" release? OpenBSD will probably never use PAM.
Since we use their code we put ourselves in the position of duplicating
the work that goes into the portable release, such as the PAM support.

Can somebody shed some light on the background of this decision?

Just curious.
Thanks,
Mike

-- 
Michael Kiernan  mkiernan@avantgo.com  +1-650-638-7581

Date: Wed, 17 Jan 2001 18:44:47 -0800
From: Kris Kennaway
To: Bill Fumerola
Cc: "David J. MacKenzie", freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
Message-ID: <20010117184446.F69328@citusc17.usc.edu>
References: <20010117214735.E7DAD46BC@dagger.web.us.uu.net> <20010117160739.Q76347@elvis.mu.org>
In-Reply-To: <20010117160739.Q76347@elvis.mu.org>

On Wed, Jan 17, 2001 at 04:07:39PM -0600, Bill Fumerola wrote:
> On Wed, Jan 17, 2001 at 04:47:35PM -0500, David J. MacKenzie wrote:
>
> > I think if you're going to ship PAM, you should actually use it.
> > The OpenSSH shipped with FreeBSD (as of 4.2-STABLE) is also missing
> > the USE_PAM support that's in the portable OpenSSH release. I highly
> > recommend importing that code into your source tree. I'm going to
> > have to do so in my tree.
>
> The openssh people have made life difficult for those trying to do work
> in this area by instantly forking all their code.
>
> Maybe that's just in their nature, though...

PAM support has been merged into OpenSSH in -current and recently (last
week or so) merged into -stable.
Kris

To: Kris Kennaway
Cc: "David J. MacKenzie", freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
In-Reply-To: Message from Kris Kennaway of "Wed, 17 Jan 2001 18:44:47 PST." <20010117184446.F69328@citusc17.usc.edu>
Date: Wed, 17 Jan 2001 23:13:21 -0500
From: "David J. MacKenzie"
Message-Id: <20010118041321.50EBE12685@jenkins.web.us.uu.net>

> PAM support has been merged into OpenSSH in -current and recently
> (last week or so) merged into -stable.

Excellent! You just made my day. I hadn't done a cvsup in a few weeks.

/usr/src/crypto/openssh on -stable does have a few problems, though:

1. There's no Makefile hook for enabling PAM support like there is for
   SKEY, AFS, etc.
2. make errors out because of two mistyped man page directives.
3. If you do "make obj" before compiling it, it can't find -lssh.
4. It can't find crypt().

Here are patches to fix all of these problems:

--- ./Makefile.inc	2001/01/18 03:15:08	1.1
+++ ./Makefile.inc	2001/01/18 03:40:53
@@ -4,10 +4,5 @@ .include -.if exists(${.CURDIR}/../lib/${__objdir}) -LDADD+= -L${.CURDIR}/../lib/${__objdir} -lssh -DPADD+= ${.CURDIR}/../lib/${__objdir}/libssh.a -.else -LDADD+= -L${.CURDIR}/../lib -lssh -DPADD+= ${.CURDIR}/../lib/libssh.a -.endif +LDADD+= -L../lib -lssh +DPADD+= ../lib/libssh.a --- ./sftp-server/Makefile 2001/01/18 03:43:08 1.1 +++ ./sftp-server/Makefile 2001/01/18 03:43:13 @@ -6,7 +6,7 @@ BINMODE?=555 BINDIR= /usr/libexec -MAN= sftp-server.8 +MAN8= sftp-server.8 SRCS= sftp-server.c log-server.c --- ./sshd/Makefile 2001/01/18 03:42:00 1.1 +++ ./sshd/Makefile 2001/01/18 03:55:59 @@ -4,7 +4,7 @@ BINOWN= root BINMODE=555 BINDIR= /usr/sbin -MAN= sshd.8 +MAN8= sshd.8 CFLAGS+=-DHAVE_LOGIN_CAP SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ @@ -29,10 +29,15 @@ SRCS+= auth-skey.c auth2-skey.c .endif +.if (${PAM:L} == "yes") +CFLAGS+= -DUSE_PAM +SRCS+= auth-pam.c +.endif + .include -LDADD+= -lcrypto -lutil -lz -DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} +LDADD+= -lcrypto -lutil -lz -lcrypt +DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} ${LIBCRYPT} .if (${TCP_WRAPPERS:L} == "yes") CFLAGS+= -DLIBWRAP @@ -44,4 +49,9 @@ CFLAGS+= -DSKEY LDADD+= -lskey DPADD+= ${SKEY} +.endif + +.if (${PAM:L} == "yes") +LDADD+= ${MINUSLPAM} +DPADD+= ${LIBPAM} .endif To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 17 20:18:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id BBE6D37B400 for ; Wed, 17 Jan 2001 20:18:28 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id f0I4Lje71331; Wed, 17 Jan 2001 20:21:45 -0800 (PST) (envelope-from kris) Date: Wed, 17 Jan 2001 20:21:45 -0800 
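Review bot: these hunks edit the Makefiles under /usr/src/crypto/openssh, which the FreeBSD build does not consult (sshd is built from /usr/src/secure with FreeBSD's own makefiles, as Kris Kennaway's reply below states), so the MAN8, `-lcrypt` and `.if (${PAM:L} == "yes")` changes would not reach the installed sshd; the PAM knob belongs in the secure/ makefiles. Within the patch itself, the Makefile.inc hunk replaces the `.if exists(${.CURDIR}/../lib/${__objdir})` branch with a bare `-L../lib`, which only works when make's current directory is the object directory, and the sshd/Makefile hunk links `${MINUSLPAM}` while the rshd patch earlier in the thread uses a literal `-lpam`; the two should use the same variable.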
From: Kris Kennaway
To: "David J. MacKenzie"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
Message-ID: <20010117202145.A71288@citusc17.usc.edu>
References: <20010118041321.50EBE12685@jenkins.web.us.uu.net>
In-Reply-To: <20010118041321.50EBE12685@jenkins.web.us.uu.net>

On Wed, Jan 17, 2001 at 11:13:21PM -0500, David J. MacKenzie wrote:
>
> > PAM support has been merged into OpenSSH in -current and recently
> > (last week or so) merged into -stable.
>
> Excellent! You just made my day. I hadn't done a cvsup in a few weeks.
>
> /usr/src/crypto/openssh on -stable does have a few problems, though:
>
> 1. There's no Makefile hook for enabling PAM support like there is for
>    SKEY, AFS, etc.
> 2. make errors out because of two mistyped man page directives.
> 3. If you do "make obj" before compiling it, it can't find -lssh.
> 4. It can't find crypt().

The makefiles in /usr/src/crypto are not used by the build process - the
stuff is built under /usr/src/secure using FreeBSD makefiles.
Kris

To: Kris Kennaway
Cc: "David J. MacKenzie", freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
In-Reply-To: Message from Kris Kennaway of "Wed, 17 Jan 2001 20:21:45 PST." <20010117202145.A71288@citusc17.usc.edu>
Date: Thu, 18 Jan 2001 00:52:52 -0500
From: "David J. MacKenzie"
Message-Id: <20010118055252.461E912685@jenkins.web.us.uu.net>

> The makefiles in /usr/src/crypto are not used by the build process -
> the stuff is built under /usr/src/secure using FreeBSD makefiles.

Oh. That's, um, nonobvious. Thanks for cluing me in.

Doesn't that deserve at least a README in /usr/src/crypto and /usr/src/contrib?

Message-Id: <200101181256.f0ICuPI41727@gratis.grondar.za>
To: "David J. MacKenzie"
Cc: Kris Kennaway, freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
References: <20010118055252.461E912685@jenkins.web.us.uu.net>
In-Reply-To: <20010118055252.461E912685@jenkins.web.us.uu.net>; from "David J. MacKenzie" "Thu, 18 Jan 2001 00:52:52 EST."
Date: Thu, 18 Jan 2001 14:56:32 +0200
From: Mark Murray

> > The makefiles in /usr/src/crypto are not used by the build process -
> > the stuff is built under /usr/src/secure using FreeBSD makefiles.
>
> Oh. That's, um, nonobvious. Thanks for cluing me in.
>
> Doesn't that deserve at least a README in /usr/src/crypto and /usr/src/contrib?

There is one :-)

M
-- 
Mark Murray
Warning: this .sig is umop ap!sdn

Message-Id: <200101181258.f0ICwOI41753@gratis.grondar.za>
To: "David J. MacKenzie"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
References: <20010117214735.E7DAD46BC@dagger.web.us.uu.net>
In-Reply-To: <20010117214735.E7DAD46BC@dagger.web.us.uu.net>; from "David J. MacKenzie" "Wed, 17 Jan 2001 16:47:35 EST."
Date: Thu, 18 Jan 2001 14:58:31 +0200
From: Mark Murray

> The FreeBSD (4.2-STABLE) login has only partial PAM support; it
> supports PAM authentication, but not account management or sessions.
> I want to use a locally written PAM module that restricts logins based on
> a DB file lookup, but the account management function is necessary for
> that. The FreeBSD rshd and su don't have any PAM support.

Cool! I'll start testing immediately!

> Below are patches to add full PAM support to those programs. I
> haven't tackled adding PAM to the FreeBSD ftpd so far, because I use
> proftpd which already has it.

I'd be most grateful if you could add this to our ftpd, if you have the time.

> I haven't looked at Heimdal or krb4, as the relevant utilities from
> them don't seem to be installed on FreeBSD, and my company has
> standardized on MIT krb5.

I'll work on that.

M
-- 
Mark Murray
Warning: this .sig is umop ap!sdn
From: Fernando Schapachnik
Message-Id: <200101181411.LAA86494@ns1.via-net-works.net.ar>
Subject: Re: full PAM support for login, rshd, and su
In-Reply-To: <200101181258.f0ICwOI41753@gratis.grondar.za> "from Mark Murray at Jan 18, 2001 02:58:31 pm"
To: Mark Murray
Date: Thu, 18 Jan 2001 11:11:46 -0300 (ART)
Cc: "David J. MacKenzie", freebsd-security@FreeBSD.ORG

In a previous message, Mark Murray wrote:
> > Below are patches to add full PAM support to those programs. I
> > haven't tackled adding PAM to the FreeBSD ftpd so far, because I use
> > proftpd which already has it.
>
> I'd be most grateful if you could add this to our ftpd, if you have the time.

From what I saw in some recent hacking of ftpd, it already has some kind
of PAM support, although I can't tell you how much. For instance it
supports "template" users, which is very good.

Anyway, it appears that the current ftpd is going to be replaced by the
NetBSD ftpd in a few days.

Regards.

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

Date: Thu, 18 Jan 2001 16:16:45 +0200 (IST)
From: Roman Shterenzon
To: Pavol Adamec
Subject: Re: TCP_DROP_SYNFIN
In-Reply-To: <3A63FFF9.8E64A6AA@tempest.sk>

On Tue, 16 Jan 2001, Pavol Adamec wrote:

> I'm not sure what you exactly meant by that but:
>
> TCP_DROP_SYNFIN forces kernel to drop packets with BOTH SYN and
> FIN flags set. nmap -sS is a "half-open scan" - it sends packets
> with only SYN flag set.
> What you likely want is TCP_RESTRICT_RST - not to emit RST for SYN
> packets to non-listening ports.

I thought that this is what blackhole(4) is for. Can you explain?

>
> Paul
>
> Dennis Jun wrote:
> >
> > I have compiled this option in my kernel on 3 different FreeBSD boxes
> > (4.1.1-STABLE, 4.1-RELEASEs) and I have noticed that it doesn't work all
> > the time. Specifically with this scan nmap -v -O -sS . Is it just me or
> > does this not work for other people as well?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
  Tel: +972-9-9522361 ]

To: Mark Murray
Cc: "David J. MacKenzie", freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
In-Reply-To: Message from Mark Murray of "Thu, 18 Jan 2001 14:56:32 +0200." <200101181256.f0ICuPI41727@gratis.grondar.za>
Date: Thu, 18 Jan 2001 10:09:22 -0500
From: "David J. MacKenzie"
Message-Id: <20010118150923.111FB3E5B@catapult.web.us.uu.net>

> > Doesn't that deserve at least a README in /usr/src/crypto and /usr/src/contrib?
>
> There is one :-)

Yes, technically there is one in /usr/src/crypto. But it's so vague that I had
read it at least twice, and still didn't realize the implications of what it says.
And there isn't one in /usr/src/contrib (in -stable after my cvsup yesterday).

Here's what /usr/src/crypto/README currently says:

------------------------------------------------------------------------------
$FreeBSD: src/crypto/README,v 1.2.2.1 2000/07/31 12:26:51 alex Exp $

This directory is for the EXACT same use as src/contrib, except it
holds crypto sources. It is the result of an old USA law, which
made these sources export controlled, so they had to be kept seperate.
------------------------------------------------------------------------------

I'd like to see something like this added to make it clearer:

------------------------------------------------------------------------------
The Makefiles in these directories are not used by FreeBSD.
These source files are used by Makefiles in src/lib, src/usr.bin, etc.
------------------------------------------------------------------------------

And put the same notice in /usr/src/contrib/README.

Date: Thu, 18 Jan 2001 10:14:42 -0500
From: Chris Faulhaber
To: "David J. MacKenzie"
Cc: Mark Murray, freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
Message-ID: <20010118101442.A42298@peitho.fxp.org>
References: <20010118150923.111FB3E5B@catapult.web.us.uu.net>
In-Reply-To: <20010118150923.111FB3E5B@catapult.web.us.uu.net>

On Thu, Jan 18, 2001 at 10:09:22AM -0500, David J. MacKenzie wrote:
>
> > > Doesn't that deserve at least a README in /usr/src/crypto and /usr/src/contrib?
> >
> > There is one :-)
>
> Yes, technically there is one in /usr/src/crypto. But it's so vague that I had
> read it at least twice, and still didn't realize the implications of what it says.
> And there isn't one in /usr/src/contrib (in -stable after my cvsup yesterday).
>

Actually, the proper way might be to expand the descriptions
in hier(7)

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

Date: Thu, 18 Jan 2001 10:25:48 -0600 (CST)
From: James Wyatt
To: Chris Faulhaber
Cc: "David J. MacKenzie", Mark Murray, freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
In-Reply-To: <20010118101442.A42298@peitho.fxp.org>

On Thu, 18 Jan 2001, Chris Faulhaber wrote:

> On Thu, Jan 18, 2001 at 10:09:22AM -0500, David J. MacKenzie wrote:
> >
> > > > Doesn't that deserve at least a README in /usr/src/crypto and /usr/src/contrib?
> > >
> > > There is one :-)
> >
> > Yes, technically there is one in /usr/src/crypto. But it's so vague that I had
> > read it at least twice, and still didn't realize the implications of what it says.
> > And there isn't one in /usr/src/contrib (in -stable after my cvsup yesterday).
>
> Actually, the proper way might be to expand the descriptions
> in hier(7)

Could you at least add a note to the appropriate READMEs pointing to it?
I know if you are building things on FreeBSD, you should read heir(7),
but most clueful folks I know start with READMEs wherever they work and
might miss heir(7). This gives them a pointer to the real trove and
avoids hurting folks with good habits.

Or am I just rationalizing my own previous mistakes? (^_^) - Jy@

Date: Thu, 18 Jan 2001 12:10:29 -0500 (EST)
From: Garrett Wollman
Message-Id: <200101181710.MAA00719@khavrinen.lcs.mit.edu>
To: James Wyatt
Cc: freebsd-security@FreeBSD.org
Subject: Re: full PAM support for login, rshd, and su
References: <20010118101442.A42298@peitho.fxp.org>

< said:

> I know if you are building things on FreeBSD, you should read heir(7)

No, actually, you should read hier(7). Since so many people can't seem
to spell `hierarchy' this is perhaps a poor choice of name.

-GAWollman

Date: Thu, 18 Jan 2001 09:25:58 -0800
From: Kris Kennaway
To: Fernando Schapachnik
Cc: Mark Murray, "David J. MacKenzie", freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
Message-ID: <20010118092558.A74185@citusc17.usc.edu>
References: <200101181258.f0ICwOI41753@gratis.grondar.za> <200101181411.LAA86494@ns1.via-net-works.net.ar>
In-Reply-To: <200101181411.LAA86494@ns1.via-net-works.net.ar>

On Thu, Jan 18, 2001 at 11:11:46AM -0300, Fernando Schapachnik wrote:

> Anyway, it appears that the current ftpd is going to be replaced by
> the NetBSD ftpd in a few days.

Well, the plan to replace it has been discussed, but it's not going to go
ahead until at the very least the netbsd version is taught all of the
missing options and features which it doesn't have, relative to our
current ftpd. But it's still something for people to keep in mind here.
Kris
-- 
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger kris@FreeBSD.org

Date: Thu, 18 Jan 2001 12:05:01 -0600
From: "Jacques A. Vidrine" To: freebsd-security@freebsd.org Subject: PAM broken design? pam_setcred Message-ID: <20010118120501.B64632@hamlet.nectar.com> Mail-Followup-To: "Jacques A. Vidrine" , freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i X-Url: http://www.nectar.com/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Is it just me, or is pam_setcred broken? For example, with the following config file:

login auth sufficient pam_skey.so
login auth sufficient pam_krb5.so
login auth required pam_unix.so

Regardless of whether you authenticate with `skey', `krb5', or `unix', pam_sm_setcred is called in pam_skey.so, i.e. the module search starts over. By my reading of the Solaris man page, pam_sm_setcred should be called in the module that successfully authenticated the user. At any rate this seems infinitely more useful.

Excerpt from Solaris 2.6 pam(3):

If the user has been successfully authenticated, the application calls pam_setcred() to set any user credentials associated with the authentication service. [...] For example, during the call to pam_authenticate(), service modules may store data in the handle that is intended for use by pam_setcred().

Just looking for a sanity check...

Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Thu Jan 18 10:23:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.marketnews.com (mail.economeister.com [205.183.200.2]) by hub.freebsd.org (Postfix) with ESMTP id 598E637B400 for ; Thu, 18 Jan 2001 10:22:56 -0800 (PST) Received: from mharding ([205.183.200.47]) by mail.marketnews.com (8.11.0/8.9.3) with SMTP id f0IIMhp26309 for ; Thu, 18 Jan 2001 13:22:43 -0500 (EST)
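The stack walk that Jacques Vidrine's pam_setcred message above describes, as an added example that is not part of the original thread and not FreeBSD's, Solaris' or any other real PAM implementation's code. A toy dispatcher handles the `sufficient` and `required` control flags, runs the `login` stack once for pam_authenticate() and once more from the top for pam_setcred(), and compares two module behaviours: a naive pam_sm_setcred that always establishes credentials (so the first `sufficient` module, pam_skey, wins no matter who authenticated), and one that consults data the module stashed in the handle during pam_authenticate(), the mechanism the Solaris man page excerpt refers to, and steps aside unless it was the module that authenticated. The module names, the accepted credentials, the user `alice` and the PAM_IGNORE return value are constructed for the example; only the control-flag semantics are modelled, and only in simplified form.

```python
# Toy model of a PAM auth stack: added example, not FreeBSD/Solaris/Linux-PAM code.
# Return values are symbolic; PAM_IGNORE is a constructed "not my user" result.
PAM_SUCCESS = 0
PAM_AUTH_ERR = 1
PAM_IGNORE = 2


class Handle:
    """Stands in for pam_handle_t; `data` plays the role of pam_set_data/pam_get_data."""
    def __init__(self, user):
        self.user = user
        self.data = {}
        self.creds = []        # modules that actually established credentials


class Module:
    def __init__(self, name, accepted):
        self.name = name
        self.accepted = accepted   # {(user, password)} this backend accepts (constructed)

    def sm_authenticate(self, h, password):
        if (h.user, password) in self.accepted:
            h.data["authenticator"] = self.name   # stashed in the handle for pam_setcred
            return PAM_SUCCESS
        return PAM_AUTH_ERR

    def sm_setcred(self, h, check_owner):
        # Naive module (check_owner=False): always claims the credential step.
        # Owner-checking module: only acts if it was the one that authenticated.
        if check_owner and h.data.get("authenticator") != self.name:
            return PAM_IGNORE
        h.creds.append(self.name)
        return PAM_SUCCESS


def run_stack(stack, call):
    """Walk the stack from the top, as both pam_authenticate() and pam_setcred() do.
    stack: list of (control, module). Returns (result, modules entered in order)."""
    entered = []
    required_failed = False
    for control, mod in stack:
        entered.append(mod.name)
        rc = call(mod)
        if control == "sufficient":
            if rc == PAM_SUCCESS and not required_failed:
                return PAM_SUCCESS, entered       # short-circuits the rest of the stack
            # failure or PAM_IGNORE from a sufficient module is not fatal
        elif control == "required":
            if rc not in (PAM_SUCCESS, PAM_IGNORE):
                required_failed = True            # keep walking so the failing module is not revealed
    return (PAM_AUTH_ERR if required_failed else PAM_SUCCESS), entered


def login(password, check_owner):
    """The 'login auth' stack from the message, for the constructed user alice.
    Returns (result, auth path, setcred path, modules that established credentials)."""
    h = Handle("alice")
    stack = [
        ("sufficient", Module("pam_skey", {("alice", "otp-response")})),
        ("sufficient", Module("pam_krb5", {("alice", "krb5-password")})),
        ("required", Module("pam_unix", {("alice", "unix-password")})),
    ]
    rc, auth_path = run_stack(stack, lambda m: m.sm_authenticate(h, password))
    if rc != PAM_SUCCESS:
        return rc, auth_path, [], []
    rc, cred_path = run_stack(stack, lambda m: m.sm_setcred(h, check_owner))
    return rc, auth_path, cred_path, list(h.creds)


if __name__ == "__main__":
    for pw in ("unix-password", "krb5-password", "wrong"):
        for check in (False, True):
            print(pw, "owner check" if check else "naive", login(pw, check))
```

With the naive module, a user who authenticated through pam_unix ends up with credentials set by pam_skey, exactly the complaint in the message; with the owner check, pam_skey and pam_krb5 return PAM_IGNORE and the walk reaches pam_unix. The second variant depends on every module in the stack cooperating, which is why the question of whether the framework itself should remember the authenticating module is a design question rather than a module bug.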
From: "Mason Harding" To: Subject: Anti-Virus for SMTP Date: Thu, 18 Jan 2001 10:17:49 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <20010117214735.E7DAD46BC@dagger.web.us.uu.net> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I have a FreeBSD 4.2 e-mail server running Sendmail. I will probably soon be moving that to qmail. My question is this, can anyone recommend a good Anti-Virus scanner for SMTP? Nearly all of the client machines are on Win*. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 18 10:36:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 1E2E137B699 for ; Thu, 18 Jan 2001 10:36:14 -0800 (PST) Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by smtp1.sentex.ca (8.11.1/8.11.1) with ESMTP id f0IIaCl04829; Thu, 18 Jan 2001 13:36:12 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.0.1.4.0.20010118132904.0259eb50@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 18 Jan 2001 13:29:43 -0500 To: "Mason Harding" , 
From: Mike Tancsa Subject: Re: Anti-Virus for SMTP In-Reply-To: References: <20010117214735.E7DAD46BC@dagger.web.us.uu.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Check amavis in the ports. Works very well for me using sendmail and the McAfee/NAI scanner. I know people who use it with qmail as well. ---Mike At 10:17 AM 1/18/01 -0800, Mason Harding wrote: >I have a FreeBSD 4.2 e-mail server running Sendmail. I will probably soon >be moving that to qmail. My question is this, can anyone recommend a good >Anti-Virus scanner for SMTP? Nearly all of the client machines are on Win*. > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 18 10:53:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 91C3237B400 for ; Thu, 18 Jan 2001 10:53:08 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id TAA49030; Thu, 18 Jan 2001 19:53:04 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Garrett Wollman Cc: James Wyatt , freebsd-security@FreeBSD.ORG Subject: Re: full PAM support for login, rshd, and su References: <20010118101442.A42298@peitho.fxp.org> <200101181710.MAA00719@khavrinen.lcs.mit.edu> 
From: Dag-Erling Smorgrav Date: 18 Jan 2001 19:53:04 +0100 In-Reply-To: Garrett Wollman's message of "Thu, 18 Jan 2001 12:10:29 -0500 (EST)" Message-ID: Lines: 9 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Garrett Wollman writes: > No, actually, you should read hier(7). Since so many people can't > seem to spell `hierarchy' this is perhaps a poor choice of name. I suggest layout(7). DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 18 11: 0: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 2E9A437B400 for ; Thu, 18 Jan 2001 10:59:42 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id KAA12388; Thu, 18 Jan 2001 10:58:11 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda12385; Thu Jan 18 10:58:00 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f0IIvj873879; Thu, 18 Jan 2001 10:57:45 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdp73875; Thu Jan 18 10:57:42 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.2/8.9.1) id f0IIveW33966; Thu, 18 Jan 2001 10:57:40 -0800 (PST) Message-Id: <200101181857.f0IIveW33966@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdT33960; Thu Jan 18 10:56:55 2001 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.2-RELEASE X-Sender: cy To: Fernando Schapachnik Cc: Mark Murray , "David J. MacKenzie" , freebsd-security@FreeBSD.ORG Subject: Re: full PAM support for login, rshd, and su In-reply-to: Your message of "Thu, 18 Jan 2001 11:11:46 -0300." <200101181411.LAA86494@ns1.via-net-works.net.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Date: Thu, 18 Jan 2001 10:56:54 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <200101181411.LAA86494@ns1.via-net-works.net.ar>, Fernando Schapachnik writes:
> In an earlier message, Mark Murray wrote:
> > > Below are patches to add full PAM support to those programs. I
> > > haven't tackled adding PAM to the FreeBSD ftpd so far, because I use
> > > proftpd which already has it.
> >
> > I'd be most grateful if you could add this to our ftpd, if you have the time.
>
> From what I saw in some recent hacking of ftpd it already has some
> kind of PAM support, although I can't tell you how much. For instance
> it supports "template" users, which is very good.
>
> Anyway, it appears that the current ftpd is going to be replaced by
> the NetBSD ftpd in a few days.

Why? What does the NetBSD ftpd do that our ftpd doesn't?
Regards,
Cy Schubert
Team Leader, Sun/Alpha Team
Open Systems Group, ITSD, ISTA
Province of BC
Phone: (250)387-8437
Fax: (250)387-5766
Internet: Cy.Schubert@osg.gov.bc.ca

From owner-freebsd-security Thu Jan 18 12:31: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 54F9E37B69F for ; Thu, 18 Jan 2001 12:30:49 -0800 (PST) Received: from bsdie.rwsystems.net([209.197.223.2]) (1063 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 18 Jan 2001 14:30:12 -0600 (CST) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25) Date: Thu, 18 Jan 2001 14:30:11 -0600 (CST)
From: James Wyatt To: Garrett Wollman Cc: freebsd-security@FreeBSD.org Subject: Re: full PAM support for login, rshd, and su In-Reply-To: <200101181710.MAA00719@khavrinen.lcs.mit.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 18 Jan 2001, Garrett Wollman wrote:
> < said:
> > I know if you are building things on FreeBSD, you should read heir(7)
>
> No, actually, you should read hier(7). Since so many people can't
> seem to spell `hierarchy' this is perhaps a poor choice of name.

Maybe I need more hier-education? (^_^) Thanks, I can spell it, I just can't type it... - Jy@

From owner-freebsd-security Thu Jan 18 13: 2: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id BCF2137B400 for ; Thu, 18 Jan 2001 13:01:49 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id f0IL3Dc77168; Thu, 18 Jan 2001 13:03:13 -0800 (PST) (envelope-from kris) Date: Thu, 18 Jan 2001 13:03:12 -0800
From: Kris Kennaway To: Cy Schubert - ITSD Open Systems Group Cc: freebsd-security@FreeBSD.ORG Subject: Re: full PAM support for login, rshd, and su Message-ID: <20010118130312.A77122@citusc17.usc.edu> References: <200101181411.LAA86494@ns1.via-net-works.net.ar> <200101181857.f0IIveW33966@cwsys.cwsent.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="HcAYCG3uE/tztfnV" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200101181857.f0IIveW33966@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Thu, Jan 18, 2001 at 10:56:54AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Jan 18, 2001 at 10:56:54AM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> In message <200101181411.LAA86494@ns1.via-net-works.net.ar>, Fernando
> Schapachnik writes:
> > In an earlier message, Mark Murray wrote:
> > > > Below are patches to add full PAM support to those programs. I
> > > > haven't tackled adding PAM to the FreeBSD ftpd so far, because I use
> > > > proftpd which already has it.
> > >
> > > I'd be most grateful if you could add this to our ftpd, if you have the time.
> >
> > From what I saw in some recent hacking of ftpd it already has some
> > kind of PAM support, although I can't tell you how much. For instance
> > it supports "template" users, which is very good.
> >
> > Anyway, it appears that the current ftpd is going to be replaced by
> > the NetBSD ftpd in a few days.
>
> Why? What does the NetBSD ftpd do that our ftpd doesn't?

The short answer is: "quite a bit". Unfortunately the reverse is also currently true.
Kris
--
NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org

From owner-freebsd-security Thu Jan 18 13:54:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from typhoon.direct-internet.net (unknown [207.245.193.3]) by hub.freebsd.org (Postfix) with ESMTP id 989B237B400; Thu, 18 Jan 2001 13:54:09 -0800 (PST) Received: from Direct (volcano.direct-internet.net [207.245.193.37]) by typhoon.direct-internet.net (8.11.1/8.11.1) with SMTP id f0IM7kh99547; Thu, 18 Jan 2001 17:07:46 -0500 (EST) (envelope-from info@direct-internet.net) Message-ID: <02e601c08199$8c6ff220$25c1f5cf@directinternet.net>
From: "Direct Internet Access--INFO" To: , Cc: , , , References: <200101140856.AAA00746@spammie.svbug.com> Subject: Re: Antisniffer measures (digest of posts) Date: Thu, 18 Jan 2001 16:56:27 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 Disposition-Notification-To: "Direct Internet Access--INFO" X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Unique Messaging Solutions: It's not just about email anymore. Built on advanced messaging technology, we offer Internet messaging infrastructure solutions for corporations and service providers such as ISPs, telcos and portals. Fully scalable, our solutions enable customers to manage the technological complexities associated with messaging and to stay competitive with the latest features, while simultaneously reducing costs and easing IT burdens. Our flexible "Allsource" deployment model enables customers to either outsource, midsource or insource- whatever makes the most sense for each individual business. We're uniquely positioned to develop a strategic upgrade path based on the combination of customer needs and the evolution of messaging technology. Our customers include E-bay, Bell, AT&T, AOL, 3Com, CNET, ICQ, Yahoo, Nokia etc. InScribeT From email to secure file sharing, Internet fax, groupware and message boards. InJoinT Directory, meta-directory and advanced data integration solutions that will help you keep up with today's ebusiness demands. InVokeT Leading-edge solutions that enable wireless messaging for corporations, service providers, and portals. InOneT An integrated messaging and collaboration suite that combines several of Critical Path's most popular services. InScheduleT Web-based calendaring and event management tools. 
InLineT Web-based solutions for shared resource scheduling, project management and collaboration. InTouchT Our skilled professional services consultants work closely with customers and partners to successfully design and deploy complex messaging infrastructures, including: Initial requirements analysis and integration planning Installation and deployment Project management of the roll-out phase Ongoing support. Please contact Chris Christenson Critical Path Account Executive direct: 480-785-3752 fax: 602-530-3775 email: chrisc@cp.net www.cp.net Critical Path: Forbes' #1 "Best-Managed, Fastest Growing Tech Company In The World" http://www.forbes.com/asap/00/0403/101.htm http://specials.ft.com/ftit/december2000/FT3Q10XXAGC.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 18 13:56:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from typhoon.direct-internet.net (unknown [207.245.193.3]) by hub.freebsd.org (Postfix) with ESMTP id D189F37B699 for ; Thu, 18 Jan 2001 13:55:53 -0800 (PST) Received: from Direct (volcano.direct-internet.net [207.245.193.37]) by typhoon.direct-internet.net (8.11.1/8.11.1) with SMTP id f0IM9Qh99587; Thu, 18 Jan 2001 17:09:26 -0500 (EST) (envelope-from info@direct-internet.net) Message-ID: <030401c08199$bdb4dc60$25c1f5cf@directinternet.net> 
From: "Direct Internet Access--INFO" To: "Roman Shterenzon" , "Pavol Adamec" Cc: References: Subject: Re: TCP_DROP_SYNFIN Date: Thu, 18 Jan 2001 16:58:07 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 Disposition-Notification-To: "Direct Internet Access--INFO" X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Unique Messaging Solutions: It's not just about email anymore. Built on advanced messaging technology, we offer Internet messaging infrastructure solutions for corporations and service providers such as ISPs, telcos and portals. Fully scalable, our solutions enable customers to manage the technological complexities associated with messaging and to stay competitive with the latest features, while simultaneously reducing costs and easing IT burdens. Our flexible "Allsource" deployment model enables customers to either outsource, midsource or insource- whatever makes the most sense for each individual business. We're uniquely positioned to develop a strategic upgrade path based on the combination of customer needs and the evolution of messaging technology. Our customers include E-bay, Bell, AT&T, AOL, 3Com, CNET, ICQ, Yahoo, Nokia etc. InScribeT From email to secure file sharing, Internet fax, groupware and message boards. InJoinT Directory, meta-directory and advanced data integration solutions that will help you keep up with today's ebusiness demands. InVokeT Leading-edge solutions that enable wireless messaging for corporations, service providers, and portals. InOneT An integrated messaging and collaboration suite that combines several of Critical Path's most popular services. InScheduleT Web-based calendaring and event management tools. 
InLineT Web-based solutions for shared resource scheduling, project management and collaboration. InTouchT Our skilled professional services consultants work closely with customers and partners to successfully design and deploy complex messaging infrastructures, including: Initial requirements analysis and integration planning Installation and deployment Project management of the roll-out phase Ongoing support. Please contact Chris Christenson Critical Path Account Executive direct: 480-785-3752 fax: 602-530-3775 email: chrisc@cp.net www.cp.net Critical Path: Forbes' #1 "Best-Managed, Fastest Growing Tech Company In The World" http://www.forbes.com/asap/00/0403/101.htm http://specials.ft.com/ftit/december2000/FT3Q10XXAGC.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 18 13:56:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from typhoon.direct-internet.net (unknown [207.245.193.3]) by hub.freebsd.org (Postfix) with ESMTP id EA86C37B404 for ; Thu, 18 Jan 2001 13:56:05 -0800 (PST) Received: from Direct (volcano.direct-internet.net [207.245.193.37]) by typhoon.direct-internet.net (8.11.1/8.11.1) with SMTP id f0IM8Wh99565; Thu, 18 Jan 2001 17:08:32 -0500 (EST) (envelope-from info@direct-internet.net) Message-ID: <02ed01c08199$9e8a0a40$25c1f5cf@directinternet.net> 
From: "Direct Internet Access--INFO" To: , Cc: References: <200101140949.BAA00822@spammie.svbug.com> Subject: Re: Messaging Date: Thu, 18 Jan 2001 16:57:13 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 Disposition-Notification-To: "Direct Internet Access--INFO" X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Unique Messaging Solutions: It's not just about email anymore. Built on advanced messaging technology, we offer Internet messaging infrastructure solutions for corporations and service providers such as ISPs, telcos and portals. Fully scalable, our solutions enable customers to manage the technological complexities associated with messaging and to stay competitive with the latest features, while simultaneously reducing costs and easing IT burdens. Our flexible "Allsource" deployment model enables customers to either outsource, midsource or insource- whatever makes the most sense for each individual business. We're uniquely positioned to develop a strategic upgrade path based on the combination of customer needs and the evolution of messaging technology. Our customers include E-bay, Bell, AT&T, AOL, 3Com, CNET, ICQ, Yahoo, Nokia etc. InScribeT From email to secure file sharing, Internet fax, groupware and message boards. InJoinT Directory, meta-directory and advanced data integration solutions that will help you keep up with today's ebusiness demands. InVokeT Leading-edge solutions that enable wireless messaging for corporations, service providers, and portals. InOneT An integrated messaging and collaboration suite that combines several of Critical Path's most popular services. InScheduleT Web-based calendaring and event management tools. 
InLineT Web-based solutions for shared resource scheduling, project management and collaboration. InTouchT Our skilled professional services consultants work closely with customers and partners to successfully design and deploy complex messaging infrastructures, including: Initial requirements analysis and integration planning Installation and deployment Project management of the roll-out phase Ongoing support. Please contact Chris Christenson Critical Path Account Executive direct: 480-785-3752 fax: 602-530-3775 email: chrisc@cp.net www.cp.net Critical Path: Forbes' #1 "Best-Managed, Fastest Growing Tech Company In The World" http://www.forbes.com/asap/00/0403/101.htm http://specials.ft.com/ftit/december2000/FT3Q10XXAGC.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 18 13:58:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from typhoon.direct-internet.net (unknown [207.245.193.3]) by hub.freebsd.org (Postfix) with ESMTP id 58C1337B401; Thu, 18 Jan 2001 13:57:53 -0800 (PST) Received: from Direct (volcano.direct-internet.net [207.245.193.37]) by typhoon.direct-internet.net (8.11.1/8.11.1) with SMTP id f0IMAwh99655; Thu, 18 Jan 2001 17:10:59 -0500 (EST) (envelope-from info@direct-internet.net) Message-ID: <031601c08199$f5daa3e0$25c1f5cf@directinternet.net> 
From: "Direct Internet Access--INFO" To: "Jorge Peixoto Vasquez" , Cc: , References: <5077.979084280@coconut.itojun.org> Subject: Re: Messaging Date: Thu, 18 Jan 2001 16:59:39 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 Disposition-Notification-To: "Direct Internet Access--INFO" X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Unique Messaging Solutions: It's not just about email anymore. Built on advanced messaging technology, we offer Internet messaging infrastructure solutions for corporations and service providers such as ISPs, telcos and portals. Fully scalable, our solutions enable customers to manage the technological complexities associated with messaging and to stay competitive with the latest features, while simultaneously reducing costs and easing IT burdens. Our flexible "Allsource" deployment model enables customers to either outsource, midsource or insource- whatever makes the most sense for each individual business. We're uniquely positioned to develop a strategic upgrade path based on the combination of customer needs and the evolution of messaging technology. Our customers include E-bay, Bell, AT&T, AOL, 3Com, CNET, ICQ, Yahoo, Nokia etc. InScribeT From email to secure file sharing, Internet fax, groupware and message boards. InJoinT Directory, meta-directory and advanced data integration solutions that will help you keep up with today's ebusiness demands. InVokeT Leading-edge solutions that enable wireless messaging for corporations, service providers, and portals. InOneT An integrated messaging and collaboration suite that combines several of Critical Path's most popular services. InScheduleT Web-based calendaring and event management tools. 
InLineT Web-based solutions for shared resource scheduling, project management and collaboration. InTouchT Our skilled professional services consultants work closely with customers and partners to successfully design and deploy complex messaging infrastructures, including: Initial requirements analysis and integration planning Installation and deployment Project management of the roll-out phase Ongoing support. Please contact Chris Christenson Critical Path Account Executive direct: 480-785-3752 fax: 602-530-3775 email: chrisc@cp.net www.cp.net Critical Path: Forbes' #1 "Best-Managed, Fastest Growing Tech Company In The World" http://www.forbes.com/asap/00/0403/101.htm http://specials.ft.com/ftit/december2000/FT3Q10XXAGC.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 18 14:17:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from MCSMTP.MC.VANDERBILT.EDU (mcsmtp.mc.Vanderbilt.Edu [160.129.93.202]) by hub.freebsd.org (Postfix) with ESMTP id 4260D37B699 for ; Thu, 18 Jan 2001 14:17:15 -0800 (PST) Subject: Re: Messaging To: "Direct Internet Access--INFO" Cc: freebsd-security@freebsd.org X-Mailer: Lotus Notes Release 5.0.3 March 21, 2000 Message-ID: 
From: George.Giles@mcmail.vanderbilt.edu Date: Thu, 18 Jan 2001 16:17:30 -0600 X-MIMETrack: Serialize by Router on MCSMTP/VUMC/Vanderbilt(Release 5.0.3 |March 21, 2000) at 01/18/2001 04:11:12 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

This is a technical discussion group; respect our solemnity and do not post commercial material to it.

"Direct Internet Access--INFO"
Sent by: owner-freebsd-security@FreeBSD.ORG
01/18/01 03:59 PM
To: "Jorge Peixoto Vasquez" ,
cc: ,
Subject: Re: Messaging

Unique Messaging Solutions: It's not just about email anymore. Built on advanced messaging technology, we offer Internet messaging infrastructure solutions for corporations and service providers such as ISPs, telcos and portals. Fully scalable, our solutions enable customers to manage the technological complexities associated with messaging and to stay competitive with the latest features, while simultaneously reducing costs and easing IT burdens. Our flexible "Allsource" deployment model enables customers to either outsource, midsource or insource- whatever makes the most sense for each individual business. We're uniquely positioned to develop a strategic upgrade path based on the combination of customer needs and the evolution of messaging technology. Our customers include E-bay, Bell, AT&T, AOL, 3Com, CNET, ICQ, Yahoo, Nokia etc. InScribeT From email to secure file sharing, Internet fax, groupware and message boards. InJoinT Directory, meta-directory and advanced data integration solutions that will help you keep up with today's ebusiness demands. InVokeT Leading-edge solutions that enable wireless messaging for corporations, service providers, and portals. InOneT An integrated messaging and collaboration suite that combines several of Critical Path's most popular services. InScheduleT Web-based calendaring and event management tools.
InLineT Web-based solutions for shared resource scheduling, project management and collaboration. InTouchT Our skilled professional services consultants work closely with customers and partners to successfully design and deploy complex messaging infrastructures, including: Initial requirements analysis and integration planning Installation and deployment Project management of the roll-out phase Ongoing support. Please contact Chris Christenson Critical Path Account Executive direct: 480-785-3752 fax: 602-530-3775 email: chrisc@cp.net www.cp.net Critical Path: Forbes' #1 "Best-Managed, Fastest Growing Tech Company In The World" http://www.forbes.com/asap/00/0403/101.htm http://specials.ft.com/ftit/december2000/FT3Q10XXAGC.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 18 15: 6:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from marius.org (marius.org [216.88.115.170]) by hub.freebsd.org (Postfix) with ESMTP id 78A8637B401 for ; Thu, 18 Jan 2001 15:06:36 -0800 (PST) Received: (from marius@localhost) by marius.org (8.11.0/8.11.0) id f0IN6Yk05942 for freebsd-security@FreeBSD.ORG; Thu, 18 Jan 2001 17:06:34 -0600 (CST) Date: Thu, 18 Jan 2001 17:06:34 -0600 
From: Marius Strom
To: freebsd-security@FreeBSD.ORG
Subject: Re: TCP_DROP_SYNFIN
Message-ID: <20010118170634.M500@marius.org>
In-Reply-To: <030401c08199$bdb4dc60$25c1f5cf@directinternet.net>

*wonders how long it will be before everyone has volcano.direct-internet.net in their access lists.

On Thu, Jan 18, 2001 at 04:58:07PM -0500, Direct Internet Access--INFO wrote:
> Unique Messaging Solutions:
>
> It's not just about email anymore. Built on advanced messaging technology,
> we offer Internet messaging infrastructure solutions for corporations and
> service providers such as ISPs, telcos and portals.
> [ ... ]

-- 
Marius Strom
Professional Geek/Unix System Administrator
URL: http://www.marius.org/
http://www.marius.org/marius.pgp 0x55DE53E4
"Never underestimate the bandwidth of a mini-van full of DLT tapes traveling down the highway at 65 miles per hour..."
  -Andrew Tanenbaum, "Computer Networks"

Date: Thu, 18 Jan 2001 17:44:55 -0600 (CST)
From: James Wyatt
To: George.Giles@mcmail.vanderbilt.edu
Cc: Direct Internet Access--INFO, freebsd-security@freebsd.org
Subject: Re: Messaging

So you just *HAD* to quote the whole thing and repost it, eh? Of course, I'm a bozoid for replying as well. What can we do to reduce these? Was their server in the RBL? - Jy@

btw: A chunk of SPAM in the FreeBSD lists is a small price for the info.

On Thu, 18 Jan 2001 George.Giles@mcmail.vanderbilt.edu wrote:
> This is a technical discussion group, respect our solemnity and do not post
> commercial material to it.
>
> [ ... ]
>
> Unique Messaging Solutions:
>
> It's not just about email anymore. Built on advanced messaging technology,
> we offer Internet messaging infrastructure solutions for corporations and
> service providers such as ISPs, telcos and portals.
[ ... spiffy drivel removed ... ]

Date: Thu, 18 Jan 2001 18:42:03 -0600 (CST)
From: Alex Charalabidis
To: Mike Tancsa
Cc: Mason Harding, freebsd-security@freebsd.org
Subject: Re: Anti-Virus for SMTP
In-Reply-To: <5.0.1.4.0.20010118132904.0259eb50@marble.sentex.ca>

On Thu, 18 Jan 2001, Mike Tancsa wrote:
>
> Check amavis in the ports. Works very well for me using sendmail and the
> McAfee/NAI scanner. I know people who use it with qmail as well.
>
> ---Mike
>
> At 10:17 AM 1/18/01 -0800, Mason Harding wrote:
> >I have a FreeBSD 4.2 e-mail server running Sendmail. I will probably soon
> >be moving that to qmail. My question is this, can anyone recommend a good
> >Anti-Virus scanner for SMTP? Nearly all of the client machines are on Win*.
>

Amavis is fine if you're prepared to take a serious performance hit. If your server is already groaning under its load, forget it. It works very well though, even with McAfee (probably the last AV I'd use if the amavis port didn't default to it).
-ac
-- 
==============================================================
Alex Charalabidis (AC8139)            5050 Poplar Ave, Ste 170
System Administrator                  Memphis, TN 38157
WebNet Memphis                        (901) 432 6000
Author, The Book of IRC               http://www.bookofirc.com/
==============================================================

Message-Id: <4.2.2.20010118194423.01c35ef8@marble.sentex.net>
Date: Thu, 18 Jan 2001 19:45:35 -0500
To: Alex Charalabidis
From: Mike Tancsa
Subject: Re: Anti-Virus for SMTP
Cc: Mason Harding, freebsd-security@freebsd.org

At 06:42 PM 1/18/2001 -0600, Alex Charalabidis wrote:
>On Thu, 18 Jan 2001, Mike Tancsa wrote:
>Amavis is fine if you're prepared to take a serious performance hit. If
>your server is already groaning under its load, forget it. It works very
>well though, even with McAfee (probably the last AV I'd use if the amavis
>port didn't default to it).

It is a bit harsh CPU wise, but it seems to work reliably and NAI does provide regular updates. Which combo are you using on FreeBSD?

---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

Date: Fri, 19 Jan 2001 07:20:29 +0200 (SAST)
From: Justin Stanford
To: Mason Harding
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Anti-Virus for SMTP

Also, /usr/ports/security/inflex. (sendmail only for now)

-- 
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

On Thu, 18 Jan 2001, Mason Harding wrote:
> I have a FreeBSD 4.2 e-mail server running Sendmail. I will probably soon
> be moving that to qmail. My question is this, can anyone recommend a good
> Anti-Virus scanner for SMTP? Nearly all of the client machines are on Win*.

Message-ID: <3A6722AE.3830EDD9@softweyr.com>
Date: Thu, 18 Jan 2001 10:06:54 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Jonas Luster
Cc: freebsd-security@freebsd.org
Subject: Re: A wish and a dream...

Jonas Luster wrote:
>
> [ Reformatted for readers sanity ]
>
> * Pavol Adamec sez:
>
> > > I know the subject suggests an SPAM, but it isn't.
> > >
> > > It would be great to have a small gadget (for example, with
> > > an USB interface) with the ssh private key stored, so that ssh used it
> > > to authenticate instead of having to store the key in the disk.
>
> > Rainbow Technologies - iKey
>
> If I understand the webpage correctly, then this is not a storage medium
> for random keys and such... but maybe I'm missing this feature.

It's a small writable flash memory in a USB dongle. Conceptually, it should work fine for storing small blobs of data like a key.

> For my BSD-machines I've bought a Compact Flash 16MB card and some
> CF readers for the desktops and stored my PGP and SSH stuff on them. A
> small script mounts and unmounts the CF-card (which announces itself to
> the OS as a new file system) under .keys, and .ssh, .pgp and .gpg have
> the needed symlinks.
>
> This seems so far the most cost-effective and portable solution.

Versus $10 for an iButton reader and $2 for an iButton? You'd have to write code to extract the keys from the iButton, though. Being able to mount the CF device is a nice advantage.

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
wes@softweyr.com                                  http://softweyr.com/

Message-ID: <3A65548B.E3D7ADA4@softweyr.com>
Date: Wed, 17 Jan 2001 01:15:07 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Pavol Adamec
Cc: Borja Marcos, freebsd-security@freebsd.org
Subject: Re: A wish and a dream...

Pavol Adamec wrote:
>
> Rainbow Technologies - iKey
>
> Paul.
>
> Borja Marcos wrote:
> >
> > I know the subject suggests an SPAM, but it isn't.
> >
> > It would be great to have a small gadget (for example, with
> > an USB interface) with the ssh private key stored, so that ssh used it
> > to authenticate instead of having to store the key in the disk.
> >
> > Is there anything commercially available?

The iKey looks great, but I've been told it has a known exploit (a hard-coded keyphrase built into the hardware, or something like that.)

You could easily store a passphrase on a read/write iButton from Dallas Semiconductor. They sell an experimenter's kit with a serial port reader and an iButton for $10 or $12. The code to interface to it is in ports, in /usr/ports/comms/mlan. See the URL references in the pkg-descr (or pkg/DESCR) file there for more info.

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
wes@softweyr.com                                  http://softweyr.com/

Date: Thu, 18 Jan 2001 23:44:45 -0600 (CST)
From: James Wyatt
To: Wes Peters
Cc: Jonas Luster, freebsd-security@freebsd.org
Subject: Re: A wish and a dream...
In-Reply-To: <3A6722AE.3830EDD9@softweyr.com>

On Thu, 18 Jan 2001, Wes Peters wrote:
> Jonas Luster wrote:
> > For my BSD-machines I've bought a Compact Flash 16MB card and some
> > CF readers for the desktops and stored my PGP and SSH stuff on them. A
> > small script mounts and unmounts the CF-card (which announces itself to
> > the OS as a new file system) under .keys, and .ssh, .pgp and .gpg have
> > the needed symlinks.
> >
> > This seems so far the most cost-effective and portable solution.
>
> Versus $10 for an iButton reader and $2 for an iButton? You'd have to write
> code to extract the keys from the iButton, though. Being able to mount the
> CF device is a nice advantage.

The iButton also has a CryptoKey which can hold actual passphrases or passwords intact until you give it a key. Maybe I also want the temperature when I authenticate... (^_^)

The iButton stuff isn't hard to handle. It would be nice to have a PAM interface for it.

- Jy@

Message-Id: <5.0.2.1.0.20010119070958.01ce3230@mail.Go2France.com>
Date: Fri, 19 Jan 2001 07:18:28 +0100
To: freebsd-security@freebsd.org
From: Len Conrad
Subject: Re: Anti-Virus for SMTP
In-Reply-To: <4.2.2.20010118194423.01c35ef8@marble.sentex.net>

>>Amavis is fine if you're prepared to take a serious performance hit. If
>>your server is already groaning under its load, forget it. It works very
>>well though, even with McAfee (probably the last AV I'd use if the amavis
>>port didn't default to it).
>
>It is a bit harsh CPU wise, but it seems to work reliably and NAI
>does provide regular updates. Which combo are you using on FreeBSD ?

Amavis-PERL is being daemonized to remove the hit of loading up PERL for every msg.

Daemonizing PERL with SpeedyCGI does not work with Amavis since SpeedyCGI does not pass required results from the AV scanner to Amavis. The SpeedyCGI developer agrees to make changes but they are substantial and will take time. A daemonized Amavis will be ready before SpeedyCGI is fixed, but there is no date for it.

I use Amavis-PERL-10 with Kaspersky and postfix and it works well. My IMGate group is trying to put together a script, vs a FreeBSD port, that installs all of the numerous cast members (compressors, PERL modules, Kaspersky stuff) since the recent Amavis port for FreeBSD doesn't support postfix and apparently won't for some time.

Len
http://BIND8NT.MEIway.com : Binary for ISC BIND 8.2.3 T9B for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-spam mail gateways

Date: Thu, 18 Jan 2001 22:25:10 -0800
From: Jonas Luster
To: freebsd-security@freebsd.org
Subject: Re: A wish and a dream...
Message-ID: <20010118222510.A2382@netwarriors.org>
In-Reply-To: <3A6722AE.3830EDD9@softweyr.com>

* Wes Peters sez:
> > > Rainbow Technologies - iKey
> >
> > If I understand the webpage correctly, then this is not a storage medium
> > for random keys and such... but maybe I'm missing this feature.
>
> It's a small writable flash memory in a USB dongle. Conceptually, it
> should work fine for storing small blobs of data like a key.

Hmm. We're doing lotsa business with Spectria/Rainbow. This sounds definitely interesting enough to go ahead and ask them for a few test devices :)

> > This seems so far the most cost-effective and portable solution.
>
> Versus $10 for an iButton reader and $2 for an iButton? You'd have to write
> code to extract the keys from the iButton, though. Being able to mount the
> CF device is a nice advantage.

I stand corrected. I had a different price somewhere in the back of my head. The portability issue still remains, tho.

jonas
-- 
http://www.advogato.org/person/jLoki

Date: Fri, 19 Jan 2001 11:25:46 +0300
From: "Alex N. Markelov"
Organization: Folium Ltd.
Message-ID: <14380311832.20010119112546@futures.msk.ru>
To: "Mason Harding"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Anti-Virus for SMTP

Hello Mason,

Thursday, January 18, 2001, 9:17:49 PM, you wrote:

MH> I have a FreeBSD 4.2 e-mail server running Sendmail. I will probably soon
MH> be moving that to qmail. My question is this, can anyone recommend a good
MH> Anti-Virus scanner for SMTP? Nearly all of the client machines are on Win*.

Here's one: http://www.avp.ru/news.asp?tnews=0&nview=2&id=149&page=0 from Russia :)

Here's info about versions for mail servers: http://www.avp.ru/products.asp?pgroup=3

Best regards,
Alex N. Markelov
----------------------------
System administrator. Folium Ltd., Moscow, Russia.

Date: Fri, 19 Jan 2001 06:35:35 +0800 (+0800)
From: Michael Robinson
Message-Id: <200101182235.f0IMZZc62512@netrinsics.com>
To: freebsd-security@freebsd.org
Subject: Re: A wish and a dream...
In-Reply-To: <20010118222510.A2382@netwarriors.org>

>I stand corrected. I had a different price somewhere in the back of my
>head. The portability issue still remains, tho.

Dallas Semiconductor has an IButton reader that is basically a DB-9 serial dongle with a small cradle for the button. You could take that and plug it into any handy RS-232 port (with the proviso that the port can support the funky and non-standard "one wire protocol").

-Michael Robinson

Date: Fri, 19 Jan 2001 14:43:49 +0200 (IST)
From: Roman Shterenzon
To: Garrett Wollman
Subject: Re: full PAM support for login, rshd, and su
In-Reply-To: <200101181710.MAA00719@khavrinen.lcs.mit.edu>

On Thu, 18 Jan 2001, Garrett Wollman wrote:
> < said:
>
> > I know if you are building things on FreeBSD, you should read heir(7)
>
> No, actually, you should read hier(7). Since so many people can't
> seem to spell `hierarchy' this is perhaps a poor choice of name.

I always thought that the name comes from hier (fr.) - yesterday :)

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

Date: Fri, 19 Jan 2001 15:24:13 +0200 (IST)
From: Roman Shterenzon
To: Len Conrad
Subject: Re: Anti-Virus for SMTP
In-Reply-To: <5.0.2.1.0.20010119070958.01ce3230@mail.Go2France.com>

On Fri, 19 Jan 2001, Len Conrad wrote:
>
> >>Amavis is fine if you're prepared to take a serious performance hit. If
> >>your server is already groaning under its load, forget it. It works very
> >>well though, even with McAfee (probably the last AV I'd use if the amavis
> >>port didn't default to it).
> >
> >It is a bit harsh CPU wise, but it seems to work reliably and NAI
> >does provide regular updates. Which combo are you using on FreeBSD ?
>
> Amavis-PERL is being daemonized to remove the hit of loading up PERL
> for every msg.
>
> Daemonizing PERL with SpeedyCGI does not work with Amavis since
> SpeedyCGI does not pass required results from the AV scanner to
> Amavis. The SpeedyCGI developer agrees to make changes but they are
> substantial and will take time. A daemonized Amavis will be ready
> before SpeedyCGI is fixed, but there is no date for it.
>
> I use Amavis-PERL-10 with Kaspersky and postfix and it works
> well. My IMGate group is trying to put together a script, vs a FreeBSD
> port, that installs all of the numerous cast members (compressors,
> PERL modules, Kaspersky stuff) since the recent Amavis port for
> FreeBSD doesn't support postfix and apparently won't for some time.

It might, if one supplies me enough information for implementing it. In the docs supplied with amavis-perl, it says that relay scanning may be performed only on postfix-current, and I'm not aware of its stability.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

Date: Fri, 19 Jan 2001 15:30:39 +0200 (IST)
From: Roman Shterenzon
To: Mike Tancsa
Subject: Re: Anti-Virus for SMTP
In-Reply-To: <5.0.1.4.0.20010118132904.0259eb50@marble.sentex.ca>

On Thu, 18 Jan 2001, Mike Tancsa wrote:
>
> Check amavis in the ports. Works very well for me using sendmail and the
> McAfee/NAI scanner. I know people who use it with qmail as well.

Could you please contact those people and ask them to send me their setup, so I'll be able to incorporate it in the amavis-perl port? I'm talking about "the complete scanning" solution, e.g. scanning all mail, and not only the mail delivered locally, which is trivial, but seldom useful.

> At 10:17 AM 1/18/01 -0800, Mason Harding wrote:
> >I have a FreeBSD 4.2 e-mail server running Sendmail. I will probably soon
> >be moving that to qmail. My question is this, can anyone recommend a good
> >Anti-Virus scanner for SMTP? Nearly all of the client machines are on Win*.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

Date: Fri, 19 Jan 2001 15:31:31 +0200 (IST)
From: Roman Shterenzon
To: Alex Charalabidis
Subject: Re: Anti-Virus for SMTP

On Thu, 18 Jan 2001, Alex Charalabidis wrote:
> On Thu, 18 Jan 2001, Mike Tancsa wrote:
> >
> > Check amavis in the ports. Works very well for me using sendmail and the
> > McAfee/NAI scanner. I know people who use it with qmail as well.
> >
> > ---Mike
> >
> > At 10:17 AM 1/18/01 -0800, Mason Harding wrote:
> > >I have a FreeBSD 4.2 e-mail server running Sendmail. I will probably soon
> > >be moving that to qmail. My question is this, can anyone recommend a good
> > >Anti-Virus scanner for SMTP? Nearly all of the client machines are on Win*.
> >
> Amavis is fine if you're prepared to take a serious performance hit. If
> your server is already groaning under its load, forget it. It works very
> well though, even with McAfee (probably the last AV I'd use if the amavis
> port didn't default to it).

It defaults to uvscan since it's the only antivirus in the ports tree (AFAIK).

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

Date: Fri, 19 Jan 2001 07:43:35 -0600 (CST)
From: James Wyatt
To: Michael Robinson
Cc: freebsd-security@freebsd.org
Subject: Re: A wish and a dream...
In-Reply-To: <200101182235.f0IMZZc62512@netrinsics.com>

On Fri, 19 Jan 2001, Michael Robinson wrote:
> >I stand corrected. I had a different price somewhere in the back of my
> >head. The portability issue still remains, tho.
>
> Dallas Semiconductor has an IButton reader that is basically a DB-9
> serial dongle with a small cradle for the button. You could take that and
> plug it into any handy RS-232 port (with the proviso that the port can support
> the funky and non-standard "one wire protocol").

They have a Parallel port version and a USB version now. The USB thingie and the iButton now fit on a keyring. - Jy@

Date: Fri, 19 Jan 2001 15:52:12 +0200 (IST)
From: Roman Shterenzon To: James Wyatt Cc: Subject: Re: A wish and a dream... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 19 Jan 2001, James Wyatt wrote:
> On Fri, 19 Jan 2001, Michael Robinson wrote:
> > >I stand corrected. I had a different price somewhere in the back of my
> > >head. The portability issue still remains, tho.
> >
> > Dallas Semiconductor has an IButton reader that is basically a DB-9
> > serial dongle with a small cradle for the button. You could take that and
> > plug it into any handy RS-232 port (with the proviso that the port can support
> > the funky and non-standard "one wire protocol").
>
> They have a Parallel port version and a USB version now. The USB thingie
> and the iButton now fit on a keyring. - Jy@

I just got my hands on an Aladdin eToken http://www.aladdin.co.il/etoken/summary.asp, they have an SDK and I'm going to see how hard it can be to hack support for it using the "ugen" driver. It's a small USB thingy.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Fri Jan 19 6: 8:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from mgw1.MEIway.com (mgw1.meiway.com [212.73.210.75]) by hub.freebsd.org (Postfix) with ESMTP id CCF1337B402 for ; Fri, 19 Jan 2001 06:08:07 -0800 (PST) Received: from sv.Go2France.com (sv.meiway.com [212.73.210.79]) by mgw1.MEIway.com (Postfix Relay Hub) with ESMTP id 1795E6A90F for ; Fri, 19 Jan 2001 15:08:05 +0100 (CET) Message-Id: <5.0.2.1.0.20010119150317.059d5ba0@mail.Go2France.com> X-Sender: lconrad%Go2France.com@mail.Go2France.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Fri, 19 Jan 2001 15:06:42 +0100 To:
From: Len Conrad Subject: Re: Anti-Virus for SMTP In-Reply-To: References: <5.0.2.1.0.20010119070958.01ce3230@mail.Go2France.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> > I use Amavis-PERL-10 with Kaspersky and postfix and it works
> > well. My IMGate group is trying to put together a script, vs a FreeBSD
> > port, that installs all of the numerous cast members (compressors,
> > PERL modules, Kaspersky stuff) since the recent Amavis port for
> > FreeBSD doesn't support postfix and apparently won't for some time.
>
>It might, if one supplies me enough information for implementing it.
>In the docs supplied with amavis-perl, it says that relay scanning may be
>performed only on postfix-current, and I'm not aware of its stability.

I'd be surprised if any postfix user here disagreed with the consensus that Wietse's "current" is better than most "release". That's IME, and I haven't seen anybody in the postfix lists give evidence to the contrary.

Len

http://BIND8NT.MEIway.com : Binary for ISC BIND 8.2.3 T9B for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-spam mail gateways

From owner-freebsd-security Fri Jan 19 6:19: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from aker.com.br (unknown [200.252.12.5]) by hub.freebsd.org (Postfix) with ESMTP id D0C8337B402 for ; Fri, 19 Jan 2001 06:18:38 -0800 (PST) Received: from aker.com.br (jorge.aker.com.br [10.0.0.16]) by aker.com.br (8.9.3/8.9.3) with ESMTP id LAA29040 for ; Fri, 19 Jan 2001 11:06:29 -0200 (BRST) (envelope-from jorge@aker.com.br) Message-ID: <3A684CD9.A6B77B86@aker.com.br> Date: Fri, 19 Jan 2001 12:19:05 -0200
From: Jorge Peixoto Vasquez Organization: Aker Security Solutions X-Mailer: Mozilla 4.73 [en] (X11; I; FreeBSD 4.2-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: security@freebsd.org Subject: [Fwd: A wish and a dream...] Content-Type: multipart/mixed; boundary="------------7B1ECD125F0EED4AB3750DA1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. --------------7B1ECD125F0EED4AB3750DA1 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit --------------7B1ECD125F0EED4AB3750DA1 Content-Type: message/rfc822 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Mozilla-Status2: 00000000 Message-ID: <3A6831E3.107AC569@aker.com.br> Date: Fri, 19 Jan 2001 10:24:03 -0200 
From: Jorge Peixoto Vasquez Organization: Aker Security Solutions X-Mailer: Mozilla 4.73 [en] (X11; I; FreeBSD 4.2-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: James Wyatt Subject: Re: A wish and a dream... References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit

James Wyatt wrote:
>
> The iButton also has a CryptoKey which can hold actual passphrases or
> passwords intact until you give it a key. Maybe I also want the
> temperature when I authenticate... (^_^) The iButton stuff isn't hard to
> handle. It would be nice to have a PAM interface for it. - Jy@

More than just that. It can hold your private key and do the actual RSA processing if you have the password. By doing that, it ensures your key is never copied. It is just like the normal crypto-smartcards like CryptoFlex from Schlumberger (www.slb.com).

jOrge

--
Jorge Peixoto Vasquez, Elet. Eng.
Aker Security Solutions
Manufacturer of the FreeBSD/Linux Aker Firewall
http://www.aker.com.br
tel. +55 - 61 - 340 9083

From owner-freebsd-security Fri Jan 19 6:48:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (flutter.freebsd.dk [212.242.40.147]) by hub.freebsd.org (Postfix) with ESMTP id C6C1537B402 for ; Fri, 19 Jan 2001 06:48:35 -0800 (PST) Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.1/8.11.1) with ESMTP id f0JEmUl97020; Fri, 19 Jan 2001 15:48:30 +0100 (CET) (envelope-from phk@critter.freebsd.dk) To: James Wyatt Cc: Michael Robinson , freebsd-security@FreeBSD.ORG Subject: Re: A wish and a dream... In-Reply-To: Your message of "Fri, 19 Jan 2001 07:43:35 CST." Date: Fri, 19 Jan 2001 15:48:29 +0100 Message-ID: <97018.979915709@critter>
From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message , James Wyatt writes:
>On Fri, 19 Jan 2001, Michael Robinson wrote:
>> >I stand corrected. I had a different price somewhere in the back of my
>> >head. The portability issue still remains, tho.
>>
>> Dallas Semiconductor has an IButton reader that is basically a DB-9
>> serial dongle with a small cradle for the button. You could take that and
>> plug it into any handy RS-232 port (with the proviso that the port can support
>> the funky and non-standard "one wire protocol").

The parallel port thing should be avoided. The serial port thing works great on all just moderately normal RS-232 ports. Haven't tried the USB thing.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security Fri Jan 19 7:15:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from iceberg.mrican.web.id (yogya.indosat.net.id [202.155.16.68]) by hub.freebsd.org (Postfix) with SMTP id 9506737B404 for ; Fri, 19 Jan 2001 07:15:25 -0800 (PST) Received: (qmail 18267 invoked by uid 0); 19 Jan 2001 15:08:36 -0000 Date: Fri, 19 Jan 2001 22:08:36 +0700
From: Andy To: freebsd-security@FreeBSD.ORG Subject: Why you keep old IPFilter package? Message-ID: <20010119220836.A18256@yogya.indosat.net.id> Reply-To: Andy Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Dear officers,

Why is there still IPFilter 4.8 in my 4.2-STABLE source tree? I looked at ipfilter's page and found 4.11 there... is there no upgrade of the base tree from IPFilter 4.8 to 4.11 scheduled soon?

Regards,
-andy-

From owner-freebsd-security Fri Jan 19 7:22:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from eltex.ru (unknown [195.19.203.86]) by hub.freebsd.org (Postfix) with ESMTP id 9075637B404 for ; Fri, 19 Jan 2001 07:22:16 -0800 (PST) Received: from yaksha.eltex.ru (root@yaksha.eltex.ru [195.19.198.2]) by eltex.ru (8.9.3/8.9.3) with SMTP id SAA14273; Fri, 19 Jan 2001 18:16:37 +0300 (MSK) Received: by yaksha.eltex.ru (ssmtp TIS-0.6alpha, 19 Jan 2000); Fri, 19 Jan 2001 18:20:01 +0300 Received: from undisclosed-intranet-sender id xmal26848; Fri, 19 Jan 01 18:19:55 +0300 Date: Fri, 19 Jan 2001 18:39:32 +0300 Message-Id: <200101191539.SAA04154@paranoid.alpha.int>
From: ark@eltex.ru Organization: "Klingon Imperial Intelligence Service" Subject: Re: Anti-Virus for SMTP To: alex@wnm.net Cc: mike@sentex.net, mharding@marketnews.com, freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

The real problem is the lack of a client-server content inspection protocol. Any suggestions on that?

_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQCVAwUBOmhfs6H/mIJW9LeBAQGorgP/W0tC9aETNNo8/f08CEr96yHEqTgfJWau
468N5J8pj6evyQjCI9h7IgDY9RTEU4A4tUpAaPiv7Zu2rVuNreLFVOIWlCfAev5o
aropTeLSPp0HCPkhqvWnZn3NeYURftJ7QiUbvFJllHuXZHuvxg6Fz+TiKNxXAk00
BvnSFGwSlZg=
=yt7o
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Jan 19 7:26:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id DD3D437B69B for ; Fri, 19 Jan 2001 07:25:54 -0800 (PST) Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 14JdQJ-0004TO-00; Fri, 19 Jan 2001 17:25:55 +0200 Date: Fri, 19 Jan 2001 17:25:55 +0200 (IST)
From: Roman Shterenzon To: Cc: Subject: Re: Anti-Virus for SMTP In-Reply-To: <200101191539.SAA04154@paranoid.alpha.int> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Checkpoint calls this "CVP" - content vectoring protocol AFAIK.

On Fri, 19 Jan 2001 ark@eltex.ru wrote:
> nuqneH,
>
> The real problem is lack of client-server content inspection protocol..
> Any suggestions on that?
> _ _ _ _ _ _ _
> {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
> (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
> [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
>
>
> ----------------------------------------------------------------------
> gpg: Warning: using insecure memory!
> gpg: Signature made Fri 19 Jan 2001 05:39:31 PM IST using RSA key ID 56F4B781
> gpg: Can't check signature: public key not found
> ----------------------------------------------------------------------
>

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
Tel: +972-9-9522361 ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 19 7:28:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 19C9937B69B for ; Fri, 19 Jan 2001 07:28:02 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA16017; Fri, 19 Jan 2001 07:27:48 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda16013; Fri Jan 19 07:27:36 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f0JFRV006026; Fri, 19 Jan 2001 07:27:31 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdYc6024; Fri Jan 19 07:27:15 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.2/8.9.1) id f0JFREX38397; Fri, 19 Jan 2001 07:27:14 -0800 (PST) Message-Id: <200101191527.f0JFREX38397@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdJ38379; Fri Jan 19 07:26:53 2001 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Andy Cc: freebsd-security@FreeBSD.ORG Subject: Re: Why you keep old IPFilter package? In-reply-to: Your message of "Fri, 19 Jan 2001 22:08:36 +0700." <20010119220836.A18256@yogya.indosat.net.id> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 19 Jan 2001 07:26:52 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20010119220836.A18256@yogya.indosat.net.id>, Andy writes: > Dear officers, > Why there are still IPFilter 4.8 on my 4.2-STABLE source tree? I looked at ip > filter's page > and found 4.11 there... > is there no scheduled upgrade on base tree for IPFilter from 4.8 to 4.11 soon > ? 3.4.16 is the latest release. Been using it on 4.2R for about a week w/o problems. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 19 7:33:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 5633537B69D for ; Fri, 19 Jan 2001 07:33:10 -0800 (PST) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id KAA10045; Fri, 19 Jan 2001 10:32:47 -0500 (EST) (envelope-from wollman) Date: Fri, 19 Jan 2001 10:32:47 -0500 (EST) 
From: Garrett Wollman Message-Id: <200101191532.KAA10045@khavrinen.lcs.mit.edu> To: Wes Peters Cc: freebsd-security@FreeBSD.ORG Subject: Re: A wish and a dream... In-Reply-To: <3A65548B.E3D7ADA4@softweyr.com> References: <3A641F3F.55AA9322@sarenet.es> <3A642174.9A7A8068@tempest.sk> <3A65548B.E3D7ADA4@softweyr.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > The iKey looks great, but I've been told it has a known exploit (a hard- > coded keyphrase built into the hardware, or something like that.) However, all that gives an attacker is the chance to attempt to brute-force the pass-phrase(s) your key(s) is/are protected under. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 19 7:36:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from eltex.ru (unknown [195.19.203.86]) by hub.freebsd.org (Postfix) with ESMTP id AEAA337B69E for ; Fri, 19 Jan 2001 07:36:18 -0800 (PST) Received: from yaksha.eltex.ru (root@yaksha.eltex.ru [195.19.198.2]) by eltex.ru (8.9.3/8.9.3) with SMTP id SAA14422; Fri, 19 Jan 2001 18:30:36 +0300 (MSK) Received: by yaksha.eltex.ru (ssmtp TIS-0.6alpha, 19 Jan 2000); Fri, 19 Jan 2001 18:34:01 +0300 Received: from undisclosed-intranet-sender id xmawL5685; Fri, 19 Jan 01 18:34:00 +0300 Date: Fri, 19 Jan 2001 18:53:36 +0300 Message-Id: <200101191553.SAA04217@paranoid.alpha.int> In-Reply-To: from "Roman Shterenzon " 
From: ark@eltex.ru Organization: "Klingon Imperial Intelligence Service" Subject: Re: Anti-Virus for SMTP To: roman@xpert.com Cc: ark@eltex.ru, freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- nuqneH, Does not qualify for obvious reasons. Any others? Roman Shterenzon said : > Checkpoint call this "CVP" - content vectoring protocol AFAIK. > > On Fri, 19 Jan 2001 ark@eltex.ru wrote: > > > nuqneH, > > > > The real problem is lack of client-server content inspection protocol.. > > Any suggestions on that? _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQCVAwUBOmhi/6H/mIJW9LeBAQHmZwP/cr82ds2tzk54JooUuONbEHpRGzUIoqOo eObCYJCd1trYLSb4/q5k1feZI3gJwHxXLe8u++S6Yd6+ZFpQWiuIo1ku55v4fsLy 3OlIS8POytKktVljIq0md/2MmMBiplssWPlFrw+Ag9Gzq+zZVljDTH8G3tiLLSIX YAI9iMnDTsY= =dlC6 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 19 8:21:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f19.law3.hotmail.com [209.185.241.19]) by hub.freebsd.org (Postfix) with ESMTP id 2931237B404 for ; Fri, 19 Jan 2001 08:21:14 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 19 Jan 2001 08:21:13 -0800 Received: from 63.23.142.214 by lw3fd.law3.hotmail.msn.com with HTTP; Fri, 19 Jan 2001 16:21:13 GMT X-Originating-IP: [63.23.142.214] 
From: "Mason Harding" To: freebsd-security@FreeBSD.ORG Subject: RE: Anti-Virus for SMTP Date: Fri, 19 Jan 2001 16:21:13 Mime-Version: 1.0 Content-Type: text/html Message-ID: X-OriginalArrivalTime: 19 Jan 2001 16:21:13.0943 (UTC) FILETIME=[D7A80670:01C08233] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
I know this is a bit off the subject, but I posted the original message in this thread, and I can not get amavis-perl to make. Is amavis-perl the amavis in the ports that others in this thread have had luck with? It has not worked for me on the only 2 FreeBSD boxes I have tried it on. I am now to the point where it fails due to "file" not supporting the -b option. How have others had luck with this?
Thank you,
Mason


To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 19 8:27:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id D87D937B404 for ; Fri, 19 Jan 2001 08:27:24 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14JeV5-0000BV-00; Fri, 19 Jan 2001 09:34:55 -0700 Message-ID: <3A686CAF.C195C392@softweyr.com> Date: Fri, 19 Jan 2001 09:34:55 -0700 
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Garrett Wollman Cc: freebsd-security@FreeBSD.ORG Subject: Re: A wish and a dream... References: <3A641F3F.55AA9322@sarenet.es> <3A642174.9A7A8068@tempest.sk> <3A65548B.E3D7ADA4@softweyr.com> <200101191532.KAA10045@khavrinen.lcs.mit.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Garrett Wollman wrote:
>
> < said:
>
> > The iKey looks great, but I've been told it has a known exploit (a hard-
> > coded keyphrase built into the hardware, or something like that.)
>
> However, all that gives an attacker is the chance to attempt to
> brute-force the pass-phrase(s) your key(s) is/are protected under.

Right, and the whole idea with something like the iKey is to only connect it to the machine when you need the key. I don't foresee someone mugging the FreeBSD SO in order to send out a properly signed nefarious security patch. At least not this week.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 19 8:33:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from mx1.colltech.com (ausproxy.colltech.com [208.229.236.19]) by hub.freebsd.org (Postfix) with ESMTP id BBFD537B698; Fri, 19 Jan 2001 08:32:54 -0800 (PST) Received: from mail2.colltech.com (mail2.colltech.com [208.229.236.41]) by mx1.colltech.com (8.9.3/8.9.3/not) with ESMTP id KAA30368; Fri, 19 Jan 2001 10:32:53 -0600 Received: from colltech.com (dhcp5207.wdc.colltech.com [10.20.5.207]) by mail2.colltech.com (8.9.3/8.9.3/not) with ESMTP id KAA16797; Fri, 19 Jan 2001 10:32:46 -0600 Message-ID: <3A686C13.3F5BD5ED@colltech.com> Date: Fri, 19 Jan 2001 11:32:19 -0500 
From: dhagan@colltech.com Organization: Collective X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: Kris Kennaway Cc: Fernando Schapachnik , Mark Murray , "David J. MacKenzie" , freebsd-security@FreeBSD.ORG Subject: Re: full PAM support for login, rshd, and su References: <200101181258.f0ICwOI41753@gratis.grondar.za> <200101181411.LAA86494@ns1.via-net-works.net.ar> <20010118092558.A74185@citusc17.usc.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Kris Kennaway wrote: > Well, the plan to replace it has been discussed, but it's not going to > go ahead until at the very least the netbsd version is taught all of > the missing options and features which it doesn't have, relative to > our current ftpd. But it's still something for people to keep in mind > here. So should Fernando and I try to get patches committed to the current ftpd or not? David O'Brien gave the impression that we shouldn't bother since it was going to be replaced RSN. Daniel To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 19 10:14:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from jenkins.web.us.uu.net (jenkins.web.us.uu.net [208.240.88.32]) by hub.freebsd.org (Postfix) with ESMTP id 6983137B400 for ; Fri, 19 Jan 2001 10:14:00 -0800 (PST) Received: from jenkins.web.us.uu.net (localhost.web.us.uu.net [127.0.0.1]) by jenkins.web.us.uu.net (Postfix) with ESMTP id 9A71212685; Fri, 19 Jan 2001 13:13:59 -0500 (EST) To: freebsd-security@FreeBSD.ORG Cc: djm@web.us.uu.net Subject: improved: PAM support for login, rshd, and su In-Reply-To: Message from "David J. MacKenzie" of "Thu, 18 Jan 2001 10:09:22 EST." <20010118150923.111FB3E5B@catapult.web.us.uu.net> Date: Fri, 19 Jan 2001 13:13:59 -0500 
From: "David J. MacKenzie" Message-Id: <20010119181359.9A71212685@jenkins.web.us.uu.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In reviewing the patches I sent to this list recently, I realized that I had neglected to add support for PAM "template users" to rshd and su. I also noticed that rshd didn't use auth_checknologin() when LOGIN_CAP was defined (not my bug, but I have fixed it). And I failed to add dependencies for LIBPAM to the Makefiles. Here is a revised version of my patches, which supercedes the previous one. The patches to login didn't change. --- ./libexec/rshd/Makefile 2001/01/17 00:04:57 1.1 +++ ./libexec/rshd/Makefile 2001/01/19 17:33:26 @@ -8,9 +8,9 @@ #CFLAGS+= -DCRYPT # For login_cap handling -CFLAGS+=-DLOGIN_CAP -Wall -DPADD+= ${LIBUTIL} -LDADD+= -lutil +CFLAGS+=-DLOGIN_CAP -DUSE_PAM -Wall +DPADD+= ${LIBUTIL} ${LIBPAM} +LDADD+= -lutil -lpam # IPv6 support CFLAGS+= -DINET6 --- ./libexec/rshd/rshd.c 2000/11/12 07:00:38 1.1 +++ ./libexec/rshd/rshd.c 2001/01/19 17:58:29 @@ -80,6 +80,12 @@ #include #endif +#ifdef USE_PAM +#include +#include +static pam_handle_t *pamh; +#endif /* USE_PAM */ + /* wrapper for KAME-special getnameinfo() */ #ifndef NI_WITHSCOPEID #define NI_WITHSCOPEID 0 @@ -219,6 +225,10 @@ #ifdef LOGIN_CAP login_cap_t *lc; #endif +#ifdef USE_PAM + static struct pam_conv conv = { misc_conv, NULL }; + int retcode; +#endif /* USE_PAM */ (void) signal(SIGINT, SIG_DFL); (void) signal(SIGQUIT, SIG_DFL); 
@@ -341,6 +351,43 @@ getstr(locuser, sizeof(locuser), "locuser"); getstr(cmdbuf, sizeof(cmdbuf), "command"); + +#ifdef USE_PAM + retcode = pam_start("rsh", locuser, &conv, &pamh); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retcode)); + exit(1); + } + pam_set_item (pamh, PAM_RUSER, remuser); + pam_set_item (pamh, PAM_RHOST, fromhost); + pam_set_item (pamh, PAM_TTY, "tty"); + + retcode = pam_authenticate(pamh, 0); + if (retcode == PAM_SUCCESS) { + if ((retcode = pam_get_item(pamh, PAM_USER, &cp)) == PAM_SUCCESS) { + strncpy(locuser, cp, sizeof(locuser)); + } else + syslog(LOG_ERR|LOG_AUTH, "Couldn't get PAM_USER: %s", + pam_strerror(pamh, retcode)); + retcode = pam_acct_mgmt(pamh, 0); + } + if (retcode == PAM_SUCCESS) { + retcode = pam_open_session(pamh,0); + } + if (retcode == PAM_SUCCESS) { + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED); + if (retcode != PAM_SUCCESS) + pam_close_session(pamh, 0); + } + if (retcode != PAM_SUCCESS) { + pam_end(pamh, retcode); + syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", + remuser, fromhost, locuser, pam_strerror(pamh, retcode), cmdbuf); + error("Login incorrect.\n"); + exit(1); + } +#endif /* USE_PAM */ + setpwent(); pwd = getpwnam(locuser); if (pwd == NULL) { 
@@ -349,11 +396,42 @@ remuser, fromhost, locuser, cmdbuf); if (errorstr == NULL) errorstr = "Login incorrect.\n"; - goto fail; + error(errorstr, fromhost); + exit(1); + } + +#ifndef USE_PAM + if (errorstr || + (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || + iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, + remuser, locuser) < 0) { + if (__rcmd_errstr) + syslog(LOG_INFO|LOG_AUTH, + "%s@%s as %s: permission denied (%s). cmd='%.80s'", + remuser, fromhost, locuser, __rcmd_errstr, + cmdbuf); + else + syslog(LOG_INFO|LOG_AUTH, + "%s@%s as %s: permission denied. cmd='%.80s'", + remuser, fromhost, locuser, cmdbuf); + if (errorstr == NULL) + errorstr = "Login incorrect.\n"; + error(errorstr, fromhost); + exit(1); } -#ifdef LOGIN_CAP +#endif /* USE_PAM */ + +#ifdef LOGIN_CAP lc = login_getpwclass(pwd); -#endif + if (pwd->pw_uid) + auth_checknologin(lc); +#else /* !LOGIN_CAP */ + if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) { + error("Logins currently disabled.\n"); + exit(1); + } +#endif /* LOGIN_CAP */ + if (chdir(pwd->pw_dir) < 0) { #ifdef LOGIN_CAP if (chdir("/") < 0 || @@ -377,30 +455,6 @@ pwd->pw_dir = "/"; } - if (errorstr || - (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || - iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, - remuser, locuser) < 0) { - if (__rcmd_errstr) - syslog(LOG_INFO|LOG_AUTH, - "%s@%s as %s: permission denied (%s). cmd='%.80s'", - remuser, fromhost, locuser, __rcmd_errstr, - cmdbuf); - else - syslog(LOG_INFO|LOG_AUTH, - "%s@%s as %s: permission denied. cmd='%.80s'", - remuser, fromhost, locuser, cmdbuf); -fail: - if (errorstr == NULL) - errorstr = "Login incorrect.\n"; - error(errorstr, fromhost); - exit(1); - } - - if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) { - error("Logins currently disabled.\n"); - exit(1); - } #ifdef LOGIN_CAP if (lc != NULL && fromp->su_family == AF_INET) { /*XXX*/ char remote_ip[MAXHOSTNAMELEN]; 
@@ -569,6 +623,10 @@ (doencrypt && FD_ISSET(pv1[0], &readfrom)) || #endif FD_ISSET(pv[0], &readfrom)); +#ifdef USE_PAM + pam_close_session(pamh, 0); + pam_end(pamh, PAM_SUCCESS); +#endif /* USE_PAM */ exit(0); } setpgrp(0, getpid()); --- ./usr.bin/login/login.c 2000/08/08 03:12:59 1.1 +++ ./usr.bin/login/login.c 2001/01/18 03:24:07 @@ -81,6 +81,7 @@ #ifndef NO_PAM #include #include +#include #endif #include "pathnames.h" @@ -106,6 +107,7 @@ #ifndef NO_PAM static int auth_pam __P((void)); +pam_handle_t *pamh = NULL; #endif static int auth_traditional __P((void)); extern void login __P((struct utmp *)); @@ -150,6 +152,10 @@ char tname[sizeof(_PATH_TTY) + 10]; char *shell = NULL; login_cap_t *lc = NULL; +#ifndef NO_PAM + pid_t pid; + int e; +#endif /* NO_PAM */ (void)signal(SIGQUIT, SIG_IGN); (void)signal(SIGINT, SIG_IGN); @@ -548,6 +554,35 @@ if (!pflag) environ = envinit; +#ifndef NO_PAM + if (pamh) { + /* + * We must fork() before setuid() because we need to call + * pam_close_session() as root. + */ + pid = fork(); + if (pid < 0) { + err(1, "fork"); + if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e)); + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + exit(0); + } else if (pid) { + /* parent - wait for child to finish, then cleanup session */ + wait(NULL); + if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e)); + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + exit(0); + } else { + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + } + } +#endif /* NO_PAM */ + /* * We don't need to be root anymore, so * set the user and session context 
@@ -562,6 +597,17 @@ exit(1); } +#ifndef NO_PAM + if (pamh) { + const char * const *env = (const char * const *)pam_getenvlist(pamh); + int i; + if (env != NULL) { + for (i=0; env[i]; i++) + putenv(env[i]); + } + } +#endif /* NO_PAM */ + (void)setenv("SHELL", pwd->pw_shell, 1); (void)setenv("HOME", pwd->pw_dir, 1); if (term != NULL && *term != '\0') @@ -663,7 +709,6 @@ static int auth_pam() { - pam_handle_t *pamh = NULL; const char *tmpl_user; const void *item; int rval; @@ -724,13 +769,36 @@ break; default: - syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); + syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, e)); rval = -1; break; } - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); - rval = -1; + + if (rval != -1) { + e = pam_acct_mgmt(pamh, 0); + if (e == PAM_NEW_AUTHTOK_REQD) { + e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (e != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, e)); + rval = -1; + } + } else if (e != PAM_SUCCESS) { + rval = 1; + } else if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, e)); + rval = -1; + } else if ((e = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); + rval = -1; + pam_close_session(pamh, 0); + } + } + + if (rval == -1) { + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + } + pamh = NULL; } return rval; } @@ -745,7 +813,7 @@ /* * Allow for authentication style and/or kerberos instance - * */ + */ #define NBUFSIZ UT_NAMESIZE + 64 --- ./usr.bin/su/Makefile 2001/01/16 21:33:47 1.1 +++ ./usr.bin/su/Makefile 2001/01/19 17:41:13 
@@ -4,9 +4,9 @@ PROG= su SRCS= su.c -COPTS+= -DLOGIN_CAP -DSKEY -DPADD= ${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT} -LDADD= -lutil -lskey -lmd -lcrypt +COPTS+= -DLOGIN_CAP -DSKEY -DUSE_PAM +DPADD= ${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT} ${LIBPAM} +LDADD= -lutil -lskey -lmd -lcrypt -lpam .if defined(WHEELSU) COPTS+= -DWHEELSU --- ./usr.bin/su/su.c 2000/02/24 21:06:21 1.1 +++ ./usr.bin/su/su.c 2001/01/19 17:48:55 @@ -65,6 +65,20 @@ #include #endif +#ifdef USE_PAM +#include +#include +#include +#include +#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ + fprintf(stderr,"su: PAM error: %s\n",pam_strerror(pamh, retcode)); \ + syslog(LOG_ERR,"PAM error: %s",pam_strerror(pamh, retcode)); \ + pam_end(pamh, retcode); exit(1); \ + } +#define PAM_END { retcode = pam_close_session(pamh,0); \ + pam_end(pamh,retcode); } +#endif /* USE_PAM */ + #ifdef SKEY #include #endif @@ -107,8 +121,7 @@ char *targetpass; int iswheelsu; #endif /* WHEELSU */ - char *p, **g, *user, *shell=NULL, *username, **cleanenv, **nargv, **np; - struct group *gr; + char *p, *user, *shell=NULL, *username, *cleanenv = NULL, **nargv, **np; uid_t ruid; gid_t gid; int asme, ch, asthem, fastlogin, prio, i; @@ -118,6 +131,18 @@ char *class=NULL; int setwhat; #endif +#ifdef USE_PAM + int retcode; + pam_handle_t *pamh = NULL; + struct pam_conv conv = { misc_conv, NULL }; + char myhost[MAXHOSTNAMELEN + 1], *mytty; + int statusp=0; + int child_pid, child_pgrp, ret_pid; + const char * const *env; +#else /* !USE_PAM */ + char **g; + struct group *gr; +#endif /* USE_PAM */ #ifdef KERBEROS char *k; #endif 
@@ -214,6 +239,28 @@ } } +#ifdef USE_PAM + retcode = pam_start("su", user, &conv, &pamh); + PAM_FAIL_CHECK; + + if (ruid) { + retcode = pam_authenticate(pamh, 0); + PAM_FAIL_CHECK; + + if ((retcode = pam_get_item(pamh, PAM_USER, &p)) == PAM_SUCCESS) { + user = p; + } else + syslog(LOG_ERR|LOG_AUTH, "Couldn't get PAM_USER: %s", + pam_strerror(pamh, retcode)); + + retcode = pam_acct_mgmt(pamh, 0); + if (retcode == PAM_NEW_AUTHTOK_REQD) + retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + PAM_FAIL_CHECK; + } + +#endif /* USE_PAM */ + /* get target login information, default to root */ if ((pwd = getpwnam(user)) == NULL) { errx(1, "unknown login: %s", user); @@ -230,6 +277,7 @@ } #endif +#ifndef USE_PAM #ifdef WHEELSU targetpass = strdup(pwd->pw_passwd); #endif /* WHEELSU */ @@ -280,11 +328,12 @@ #ifdef WHEELSU || (iswheelsu && !strcmp(targetpass, crypt(p,targetpass))) #endif /* WHEELSU */ - )) { -#else + )) +#else /* !SKEY */ p = getpass("Password:"); - if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) { -#endif + if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) +#endif /* SKEY */ + { #ifdef KERBEROS if (!use_kerberos || (use_kerberos && kerberos(username, user, pwd->pw_uid, p))) #endif @@ -308,6 +357,7 @@ exit(1); } } +#endif /* USE_PAM */ if (asme) { /* if asme and non-standard target shell, must be root */ 
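Review bot: `pam_get_item(pamh, PAM_USER, &p)` stores a PAM-owned pointer in `user` (and since `p` is `char *`, it needs a `(const void **)` cast to compile cleanly); the child later calls pam_end(), after which that memory is released, so `user` should be strdup()ed if it is referenced after that point. Wrapping everything from `targetpass = strdup(pwd->pw_passwd)` down to the `exit(1); } }` closer in `#ifndef USE_PAM` (with `g` and `gr` moved under `#else /* !USE_PAM */`) removes the wheel-group check, and with it the S/Key and Kerberos paths, from a USE_PAM build; unless /etc/pam.conf supplies an equivalent module, the only thing standing between a user and root is the root password, which the commit message should call out as a behaviour change. Also, `if (ruid)` skips pam_acct_mgmt() as well as pam_authenticate() for root, which matches the old code but is worth a comment.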
@@ -334,6 +384,60 @@ (void)setpriority(PRIO_PROCESS, 0, prio); +#ifdef USE_PAM + gethostname(myhost, sizeof(myhost)); + retcode = pam_set_item(pamh, PAM_RHOST, myhost); + PAM_FAIL_CHECK; + + mytty = ttyname(STDERR_FILENO); + if (!mytty) + mytty = "tty"; + retcode = pam_set_item(pamh, PAM_TTY, mytty); + PAM_FAIL_CHECK; + + retcode = pam_open_session(pamh, 0); + PAM_FAIL_CHECK; + + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED); + PAM_FAIL_CHECK; + + env = (const char * const *)pam_getenvlist(pamh); + if (env != NULL) { + for (i=0; env[i]; i++) + putenv(env[i]); + } + + /* + * We must fork() before setuid() because we need to call + * pam_close_session() as root. + */ + + statusp = 1; + switch ((child_pid = fork())) { + default: + while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) { + if (WIFSTOPPED(statusp)) { + child_pgrp = tcgetpgrp(1); + kill(getpid(), SIGSTOP); + tcsetpgrp(1, child_pgrp); + kill(child_pid, SIGCONT); + statusp = 1; + continue; + } + break; + } + if (ret_pid == -1) + err(1, "waitpid"); + PAM_END; + exit(statusp); + case -1: + err(1, "fork"); + PAM_END; + exit (1); + case 0: + pam_end(pamh, retcode); +#endif /* USE_PAM */ + #ifdef LOGIN_CAP /* Set everything now except the environment & umask */ setwhat = LOGIN_SETUSER|LOGIN_SETGROUP|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY; @@ -361,10 +465,7 @@ #ifdef KERBEROS k = getenv("KRBTKFILE"); #endif - if ((cleanenv = calloc(20, sizeof(char*))) == NULL) - errx(1, "calloc"); - cleanenv[0] = NULL; - environ = cleanenv; + environ = &cleanenv; #ifdef LOGIN_CAP /* set the su'd user's environment & umask */ setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV); 
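Review bot: in the fork hunk, `exit(statusp)` hands the raw wait status to exit(), so a child shell that exits with 1 produces status 256 and su's own exit code truncates to 0; use `WIFEXITED(statusp) ? WEXITSTATUS(statusp) : 1` (or similar) so callers and scripts see the failure. In `case -1:`, err() does not return, so the `PAM_END; exit (1);` after it is dead code and the session opened above is never closed; move PAM_END before err(). The waitpid() loop also exits through err() on EINTR rather than retrying. In `case 0:` the child calls `pam_end(pamh, retcode)`, which runs every module's data cleanup in the child while the parent still owns the session; Linux-PAM, on which FreeBSD's PAM is based, provides PAM_DATA_SILENT for exactly this fork case (`pam_end(pamh, retcode | PAM_DATA_SILENT)`), and given the pam_krb5 cleanup_cache behaviour described later in this thread, the difference matters for Kerberos credential caches.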
@@ -403,6 +504,9 @@ execv(shell, np); err(1, "%s", shell); +#ifdef USE_PAM + } +#endif /* USE_PAM */ } static void To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 19 10:33: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from jenkins.web.us.uu.net (jenkins.web.us.uu.net [208.240.88.32]) by hub.freebsd.org (Postfix) with ESMTP id 9DFC737B401 for ; Fri, 19 Jan 2001 10:32:51 -0800 (PST) Received: from jenkins.web.us.uu.net (localhost.web.us.uu.net [127.0.0.1]) by jenkins.web.us.uu.net (Postfix) with ESMTP id 9CBC612685; Fri, 19 Jan 2001 13:32:50 -0500 (EST) To: freebsd-security@FreeBSD.ORG Cc: djm@web.us.uu.net Subject: pam_setcred confusion Date: Fri, 19 Jan 2001 13:32:50 -0500 
From: "David J. MacKenzie" Message-Id: <20010119183250.9CBC612685@jenkins.web.us.uu.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

A note about my PAM patches: the FreeBSD man page for pam_setcred says:

    This function is used to establish, maintain and delete
    the credentials of a user. It should be called after a
    user has been authenticated and before a session is opened
                                    ^^^^^^
    for the user (with pam_open_session(3)).

The Solaris 8 man page for pam_setcred says:

    The pam_setcred() function is used to establish, modify, or
    delete user credentials. It is typically called after the
    user has been authenticated and after a session has been
                                    ^^^^^
    opened. See pam_authenticate(3PAM), pam_acct_mgmt(3PAM),
    and pam_open_session(3PAM).

Notice that they disagree on the order of the PAM calls. When I wrote my patches I was referencing the Solaris documentation. Perhaps the order doesn't matter, in practice. If it does, then the order of pam_open_session() and pam_setcred() calls may need to be reversed.

From owner-freebsd-security Fri Jan 19 11:30:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.lewman.org (lowrider.lewman.org [63.109.230.166]) by hub.freebsd.org (Postfix) with ESMTP id 8E24437B402 for ; Fri, 19 Jan 2001 11:30:40 -0800 (PST) Received: by mail.lewman.org (Postfix, from userid 1004) id F1D433DF8; Fri, 19 Jan 2001 14:30:38 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by mail.lewman.org (Postfix) with ESMTP id EFA2E5C0D for ; Fri, 19 Jan 2001 14:30:38 -0500 (EST) Date: Fri, 19 Jan 2001 14:30:38 -0500 (EST)
From: Sean Lutner X-X-Sender: To: Subject: Failover firewalls with ipfw? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I'm currently doing some research into firewalls, and which one(s) would be right for my network. I'm considering everything from Checkpoint-1, to Cisco Pix, to ipchains, to ipfw on FreeBSD. My question is this. Does anyone out there know of any utilities/code/addons I could use to implement a failover pair of firewalls using ipfw and fbsd? Ideally I'd like to do stateful failover, but having two machines always on and a heartbeat solution might work as well. If anyone can offer some pointers, it would be much appreciated.

Sean Lutner | www: http://www.rentul.net
e-mail: sean@rentul.net | "Imagination is more important than knowledge." -- Albert Einstein

From owner-freebsd-security Fri Jan 19 11:59:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from gratis.grondar.za (grouter.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id C774B37B400; Fri, 19 Jan 2001 11:59:13 -0800 (PST) Received: from grondar.za (root@gratis.grondar.za [196.7.18.133]) by gratis.grondar.za (8.11.1/8.11.1) with ESMTP id f0JJwoI47779; Fri, 19 Jan 2001 21:58:55 +0200 (SAST) (envelope-from mark@grondar.za) Message-Id: <200101191958.f0JJwoI47779@gratis.grondar.za> To: dhagan@colltech.com Cc: Kris Kennaway , Fernando Schapachnik , "David J. MacKenzie" , freebsd-security@FreeBSD.ORG Subject: Re: full PAM support for login, rshd, and su References: <3A686C13.3F5BD5ED@colltech.com> In-Reply-To: <3A686C13.3F5BD5ED@colltech.com> ; from dhagan@colltech.com "Fri, 19 Jan 2001 11:32:19 EST." Date: Fri, 19 Jan 2001 21:58:55 +0200
From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> Kris Kennaway wrote:
> > Well, the plan to replace it has been discussed, but it's not going to
> > go ahead until at the very least the netbsd version is taught all of
> > the missing options and features which it doesn't have, relative to
> > our current ftpd. But it's still something for people to keep in mind
> > here.
>
> So should Fernando and I try to get patches committed to the current
> ftpd or not? David O'Brien gave the impression that we shouldn't bother
> since it was going to be replaced RSN.

Hold off. Let's see what happens...

M
--
Mark Murray
Warning: this .sig is umop ap!sdn

From owner-freebsd-security Fri Jan 19 12:15:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 5079937B400 for ; Fri, 19 Jan 2001 12:14:55 -0800 (PST) Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102]) by gw.nectar.com (Postfix) with ESMTP id 9596A193E3; Fri, 19 Jan 2001 14:14:53 -0600 (CST) Received: (from nectar@localhost) by hamlet.nectar.com (8.11.1/8.9.3) id f0JKErq67083; Fri, 19 Jan 2001 14:14:53 -0600 (CST) (envelope-from nectar@spawn.nectar.com) Date: Fri, 19 Jan 2001 14:14:53 -0600
From: "Jacques A. Vidrine" To: "David J. MacKenzie" Cc: freebsd-security@FreeBSD.ORG Subject: Re: pam_setcred confusion Message-ID: <20010119141453.D66917@hamlet.nectar.com> Mail-Followup-To: "Jacques A. Vidrine" , "David J. MacKenzie" , freebsd-security@FreeBSD.ORG References: <20010119183250.9CBC612685@jenkins.web.us.uu.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010119183250.9CBC612685@jenkins.web.us.uu.net>; from djm@web.us.uu.net on Fri, Jan 19, 2001 at 01:32:50PM -0500 X-Url: http://www.nectar.com/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, Jan 19, 2001 at 01:32:50PM -0500, David J. MacKenzie wrote:
> A note about my PAM patches: the FreeBSD man page for pam_setcred says:
>
>     This function is used to establish, maintain and delete
>     the credentials of a user. It should be called after a
>     user has been authenticated and before a session is opened
>                                     ^^^^^^
>     for the user (with pam_open_session(3)).
>
> The Solaris 8 man page for pam_setcred says:
>
>     The pam_setcred() function is used to establish, modify, or
>     delete user credentials. It is typically called after the
>     user has been authenticated and after a session has been
>                                     ^^^^^
>     opened. See pam_authenticate(3PAM), pam_acct_mgmt(3PAM),
>     and pam_open_session(3PAM).
>
> Notice that they disagree on the order of the PAM calls.
> When I wrote my patches I was referencing the Solaris documentation.
> Perhaps the order doesn't matter, in practice.
> If it does, then the order of pam_open_session() and pam_setcred()
> calls may need to be reversed.

The FreeBSD PAM is based on Linux-PAM. If you do ultimately find out that this is a problem, please drop the Linux-PAM authors a line, also.

Also see my post to this list earlier this week about the fact that pam_setcred does not seem to work (at least in the Linux-PAM -- and therefore FreeBSD -- implementation).
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Fri Jan 19 12:18:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 28A0E37B404 for ; Fri, 19 Jan 2001 12:18:02 -0800 (PST) Received: (qmail 22543 invoked by uid 0); 19 Jan 2001 20:18:00 -0000 Received: from p3ee21611.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.17) by mail.gmx.net (mail04) with SMTP; 19 Jan 2001 20:18:00 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id TAA19269 for freebsd-security@freebsd.org; Fri, 19 Jan 2001 19:16:43 +0100 Date: Fri, 19 Jan 2001 19:16:43 +0100
From: Gerhard Sittig To: freebsd-security@freebsd.org Subject: Re: Messaging Message-ID: <20010119191643.I253@speedy.gsinet> Mail-Followup-To: freebsd-security@freebsd.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from jwyatt@rwsystems.net on Thu, Jan 18, 2001 at 05:44:55PM -0600 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Jan 18, 2001 at 17:44 -0600, James Wyatt wrote:
>
> So you just *HAD* to quote the whole thing and repost it, eh?
> Of course, I'm a bozoid for replying as well.

Me too. :>

> What can we do to reduce these? Was their server in the RBL? - Jy@

I thought I had recognized a new "quality" in them: They've been *responses* to previous message lists. It seems like somebody found out about an autoresponder feature in his Outlook ...

And in case the sender's address is subscribed: can it get removed quickly ("legally" covered by acting against the charter and good manners)?

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

From owner-freebsd-security Fri Jan 19 12:32:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from jenkins.web.us.uu.net (jenkins.web.us.uu.net [208.240.88.32]) by hub.freebsd.org (Postfix) with ESMTP id 4C36537B402 for ; Fri, 19 Jan 2001 12:32:26 -0800 (PST) Received: from jenkins.web.us.uu.net (localhost.web.us.uu.net [127.0.0.1]) by jenkins.web.us.uu.net (Postfix) with ESMTP id E79A912686; Fri, 19 Jan 2001 15:32:18 -0500 (EST) To: freebsd-security@FreeBSD.ORG Cc: djm@web.us.uu.net Subject: login_access() Date: Fri, 19 Jan 2001 15:32:18 -0500
From: "David J. MacKenzie" Message-Id: <20010119203218.E79A912686@jenkins.web.us.uu.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

login.c in -stable is compiled by default with login_access(), which is in the login source directory. It reads /etc/login.access to restrict who can log in. sshd also uses that source file.

However, rshd and the MIT krb5 port don't check that file, so relying on it for authorization is risky. I suggest that login_access() be removed from the login source directory and turned into a PAM module account management function so it can be used uniformly without specially hacking each program that needs it.

From owner-freebsd-security Fri Jan 19 12:33:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from aker.com.br (unknown [200.252.12.5]) by hub.freebsd.org (Postfix) with ESMTP id 57D4C37B404 for ; Fri, 19 Jan 2001 12:33:16 -0800 (PST) Received: from aker.com.br (jorge.aker.com.br [10.0.0.16]) by aker.com.br (8.9.3/8.9.3) with ESMTP id RAA30008; Fri, 19 Jan 2001 17:21:05 -0200 (BRST) (envelope-from jorge@aker.com.br) Message-ID: <3A68A4A0.14786E4D@aker.com.br> Date: Fri, 19 Jan 2001 18:33:36 -0200
From: Jorge Peixoto Vasquez Organization: Aker Security Solutions X-Mailer: Mozilla 4.73 [en] (X11; I; FreeBSD 4.2-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: Sean Lutner Cc: security@freebsd.org Subject: Re: Failover firewalls with ipfw? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Sean Lutner wrote:
> I'm currently doing some research into firewalls, and which one(s) would
> be right for my network. I'm considering everything from Checkpoint-1, to
> Cisco Pix, to ipchains, to ipfw on FreeBSD. My question is this. Does
> anyone out there know of any utilities/code/addons I could use to
> implement a failover pair of firewalls using ipfw and fbsd? Ideally I'd
> like to do stateful failover, but having two machines always on and a
> heartbeat solution might work as well. If anyone can offer some pointers,
> it would be much appreciated.
>

Dear Mr. Sean Lutner,

Our product does everything you want (except for stateful failover) and, although not open-sourced, is much cheaper than these commercial solutions you want.

Although a little bit unknown outside Brazil, we have no fear of saying our product is at least on par with Checkpoint Fw1 or Pix, for instance.

Please take a look at our web page and download a free (English, of course) evaluation version. If you prefer, please send me your address and I'll have our customer service dept mail you a CD ASAP.

jOrge
--
Jorge Peixoto Vasquez, Elet. Eng.
Aker Security Solutions
Manufacturer of the FreeBSD/Linux Aker Firewall
http://www.aker.com.br
tel. +55 - 61 - 340 9083

From owner-freebsd-security Fri Jan 19 12:48:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from jenkins.web.us.uu.net (jenkins.web.us.uu.net [208.240.88.32]) by hub.freebsd.org (Postfix) with ESMTP id DF46637B402 for ; Fri, 19 Jan 2001 12:48:16 -0800 (PST) Received: from jenkins.web.us.uu.net (localhost.web.us.uu.net [127.0.0.1]) by jenkins.web.us.uu.net (Postfix) with ESMTP id EBCCE12686; Fri, 19 Jan 2001 15:48:15 -0500 (EST) To: "Jacques A. Vidrine" , freebsd-security@FreeBSD.ORG Cc: djm@web.us.uu.net Subject: Re: pam_setcred confusion In-Reply-To: Message from "Jacques A. Vidrine" of "Fri, 19 Jan 2001 14:14:53 CST." <20010119141453.D66917@hamlet.nectar.com> Date: Fri, 19 Jan 2001 15:48:15 -0500
From: "David J. MacKenzie" Message-Id: <20010119204815.EBCCE12686@jenkins.web.us.uu.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> The FreeBSD PAM is based on Linux-PAM. If you do ultimately find out
> that this is a problem, please drop the Linux-PAM authors a line,
> also.

On a practical level, it probably depends on the assumptions made by any PAM modules that support both calls. I think I'll check the source to the standard Linux-PAM modules for that.

More formally, I checked the DCE RFC for PAM (DCE-RFC 86.0 according to the FreeBSD man pages). I found it at http://www.opengroup.org/tech/rfc/rfc86.0.html. The RFC doesn't actually state which order they should be called in, but the example code in the RFC shows pam_open_session() being called before pam_setcred(). This suggests that the FreeBSD setcred.3 man page is wrong, but maybe the Linux-PAM developers had a reason for changing the order; the RFC is dated 1995.

> Also see my post to this list earlier this week about the fact that
> pam_setcred does not seem to work (at least in the Linux-PAM -- and
> therefore FreeBSD -- implementation).

I'm not on the list; could you forward me a copy please?

From owner-freebsd-security Fri Jan 19 13: 6:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 0143237B698 for ; Fri, 19 Jan 2001 13:06:06 -0800 (PST) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA09255; Fri, 19 Jan 2001 14:05:58 -0700 (MST) Message-Id: <4.3.2.7.2.20010119140526.049f1d80@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 19 Jan 2001 14:05:53 -0700 To: "Mason Harding" ,
From: Brett Glass Subject: Re: Anti-Virus for SMTP In-Reply-To: References: <20010117214735.E7DAD46BC@dagger.web.us.uu.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

There's a lot to this topic. See http://www.brettglass.com/spam/paper.html

--Brett

At 11:17 AM 1/18/2001, Mason Harding wrote:
>I have a FreeBSD 4.2 e-mail server running Sendmail. I will probably soon
>be moving that to qmail. My question is this, can anyone recommend a good
>Anti-Virus scanner for SMTP? Nearly all of the client machines are on Win*.

From owner-freebsd-security Fri Jan 19 13: 8:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from jenkins.web.us.uu.net (jenkins.web.us.uu.net [208.240.88.32]) by hub.freebsd.org (Postfix) with ESMTP id EE45737B401 for ; Fri, 19 Jan 2001 13:08:20 -0800 (PST) Received: by jenkins.web.us.uu.net (Postfix, from userid 515) id 111B912686; Fri, 19 Jan 2001 16:08:20 -0500 (EST) To: djm@web.us.uu.net, n@nectar.com Subject: Re: Fwd: [PAM broken design? pam_setcred] Cc: freebsd-security@freebsd.org Message-Id: <20010119210820.111B912686@jenkins.web.us.uu.net> Date: Fri, 19 Jan 2001 16:08:20 -0500 (EST)
From: djm@web.us.uu.net (David J. MacKenzie) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> Regardless of whether you authenticate with `skey', `krb5', or `unix',
> pam_sm_setcred is called in pam_skey.so, i.e. the module search starts
> over. By my reading of the Solaris man page, pam_sm_setcred should be
> called in the module that successfully authenticated the user. At any
> rate this seems infinitely more useful.
>
> Excerpt from Solaris 2.6 pam(3):
>
> If the user has been successfully authenticated, the application
> calls pam_setcred() to set any user credentials associated with
> the authentication service. [...] For example, during the call to
> pam_authenticate(), service modules may store data in the handle
> that is intended for use by pam_setcred().

I think the PAM spec is unclear on this. The way ports/security/pam_krb5 handles this situation is:

In pam_sm_authenticate() it does:

    if ((pamret = pam_set_data(pamh, "ccache", ccache, cleanup_cache)) != 0) {
        DLOG("pam_set_data()", pam_strerror(pamh, pamret));
        (void) krb5_cc_destroy(pam_context, ccache);
        pamret = PAM_SERVICE_ERR;
        goto cleanup;
    }

In pam_sm_setcred() and pam_sm_acct_mgmt() it does:

    if (pam_get_data(pamh, "ccache", (const void **) &ccache)) {
        /* User did not use krb5 to login */
        DLOG("ccache", "not found");
        return PAM_SUCCESS;
    }

That is, if there's no data stored by its authenticate function, that means the user authenticated using some other PAM module. So it punts and returns success (meaning "I pass, no-op" in this case). This seems reasonable.
From owner-freebsd-security Fri Jan 19 14:43:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 48CFA37B401 for ; Fri, 19 Jan 2001 14:42:56 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id f0JMhRN12181; Fri, 19 Jan 2001 14:43:27 -0800 (PST) (envelope-from kris) Date: Fri, 19 Jan 2001 14:43:27 -0800
From: Kris Kennaway To: Andy Cc: freebsd-security@FreeBSD.ORG Subject: Re: Why you keep old IPFilter package? Message-ID: <20010119144327.A12089@citusc17.usc.edu> References: <20010119220836.A18256@yogya.indosat.net.id> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="sm4nu43k4a2Rpi4c" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010119220836.A18256@yogya.indosat.net.id>; from andy@yogya.indosat.net.id on Fri, Jan 19, 2001 at 10:08:36PM +0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, Jan 19, 2001 at 10:08:36PM +0700, Andy wrote:
> Dear officers,
> Why is there still IPFilter 4.8 on my 4.2-STABLE source tree? I looked at ipfilter's page
> and found 4.11 there...
> is there no scheduled upgrade on base tree for IPFilter from 4.8 to 4.11 soon?

Because Darren Reed, the ipfilter author and FreeBSD maintainer, has not yet updated it.
Kris
--
NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org

From owner-freebsd-security Fri Jan 19 14:45:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 1D66837B401 for ; Fri, 19 Jan 2001 14:45:32 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id f0JMmfj12274; Fri, 19 Jan 2001 14:48:41 -0800 (PST) (envelope-from kris) Date: Fri, 19 Jan 2001 14:48:41 -0800
From: Kris Kennaway To: "David J. MacKenzie" Cc: freebsd-security@FreeBSD.ORG Subject: Re: login_access() Message-ID: <20010119144841.B12089@citusc17.usc.edu> References: <20010119203218.E79A912686@jenkins.web.us.uu.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Bn2rw/3z4jIqBvZU" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010119203218.E79A912686@jenkins.web.us.uu.net>; from djm@web.us.uu.net on Fri, Jan 19, 2001 at 03:32:18PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, Jan 19, 2001 at 03:32:18PM -0500, David J. MacKenzie wrote:
> login.c in -stable is compiled by default with login_access(),
> which is in the login source directory. It reads /etc/login.access
> to restrict who can log in. sshd also uses that source file.
>
> However, rshd and the MIT krb5 port don't check that file,
> so relying on it for authorization is risky.
> I suggest that login_access() be removed from the login source directory
> and turned into a PAM module account management function so it can be
> used uniformly without specially hacking each program that needs it.

This sounds like a good way to proceed (well, PAM module first, then removal/deprecation). Are you able to submit code to do the former?

Kris

P.S. FreeBSD is in desperate need of a maintainer for PAM. Keep this up, and you'll soon find yourself a committer.
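The /etc/login.access checks that MacKenzie proposes moving into a PAM account-management module, as an added example that is not the page's or FreeBSD's own login_access.c: a self-contained evaluator following the login.access(5) rule semantics (the first matching "permission : users : origins" line wins; no matching line permits). The group table and rule set are constructed for the example, and netgroup (`@`) tokens are left out.

```c
/* Added example, not FreeBSD's login_access.c: a self-contained evaluator for
 * the /etc/login.access rule format ("permission : users : origins"; first
 * matching rule wins, no matching rule permits), following login.access(5)
 * semantics for ALL, LOCAL, EXCEPT, ".domain" and "net." tokens. Netgroups are
 * not supported; a constructed group table stands in for getgrnam(). */
#include <ctype.h>
#include <string.h>
#include <strings.h>
#define SEP " \t,"

/* Constructed stand-in for the group database (hypothetical data). */
struct fake_group { const char *name; const char *members[3]; };
static const struct fake_group GROUPS[] = {
    { "wheel", { "root", "alice", NULL } }, { "sync", { "sync", NULL } }, { NULL, { NULL } }
};
static int in_group(const char *group, const char *user) {
    const struct fake_group *g; int i;
    for (g = GROUPS; g->name != NULL; g++)
        if (strcasecmp(g->name, group) == 0)
            for (i = 0; g->members[i] != NULL; i++)
                if (strcmp(g->members[i], user) == 0) return 1;
    return 0;
}

/* ALL matches anything, LOCAL matches any name without a dot, else exact. */
static int string_match(const char *tok, const char *s) {
    if (strcasecmp(tok, "ALL") == 0) return 1;
    if (strcasecmp(tok, "LOCAL") == 0) return strchr(s, '.') == NULL;
    return strcasecmp(tok, s) == 0;
}

static int user_match(const char *tok, const char *user) {   /* name or group */
    return string_match(tok, user) || in_group(tok, user);
}

/* Origins additionally allow ".domain" (suffix) and "net." (prefix) tokens. */
static int from_match(const char *tok, const char *from) {
    size_t tl = strlen(tok), fl = strlen(from);
    if (string_match(tok, from)) return 1;
    if (tok[0] == '.') return fl > tl && strcasecmp(from + fl - tl, tok) == 0;
    if (tl > 0 && tok[tl - 1] == '.') return strncasecmp(tok, from, tl) == 0;
    return 0;
}

/* In-place tokenizer: returns the next space/tab/comma separated token. */
static char *next_tok(char **p) {
    char *s = *p, *tok;
    while (*s != '\0' && strchr(SEP, *s) != NULL) s++;
    if (*s == '\0') { *p = s; return NULL; }
    tok = s;
    while (*s != '\0' && strchr(SEP, *s) == NULL) s++;
    if (*s != '\0') *s++ = '\0';
    *p = s;
    return tok;
}

/* Match item against "a b EXCEPT c d": a hit before EXCEPT counts unless the
 * item also hits the exception list (which may itself contain EXCEPT). */
static int list_match(char *list, const char *item,
                      int (*fn)(const char *, const char *)) {
    char *p = list, *tok; int matched = 0;
    while ((tok = next_tok(&p)) != NULL) {
        if (strcasecmp(tok, "EXCEPT") == 0) break;
        if (fn(tok, item)) { matched = 1; break; }
    }
    if (!matched) return 0;
    while (tok != NULL && strcasecmp(tok, "EXCEPT") != 0) tok = next_tok(&p);
    return tok == NULL ? 1 : !list_match(p, item, fn);
}

/* Returns 1 if user may log in from origin "from" under the rules in cfg. */
int login_access(const char *cfg, const char *user, const char *from) {
    char buf[2048], *line, *next, *users, *froms;
    if (strlen(cfg) >= sizeof buf) return 0;           /* oversized: fail closed */
    strcpy(buf, cfg);
    for (line = buf; line != NULL; line = next) {
        next = strchr(line, '\n');
        if (next != NULL) *next++ = '\0';
        while (isspace((unsigned char)*line)) line++;
        if (*line == '\0' || *line == '#') continue;         /* blank or comment */
        if ((users = strchr(line, ':')) == NULL) continue;     /* malformed: skip */
        *users++ = '\0';
        if ((froms = strchr(users, ':')) == NULL || strchr(froms + 1, ':') != NULL)
            continue;                                          /* not 3 fields */
        *froms++ = '\0';
        if (line[0] != '+' && line[0] != '-') continue;
        if (list_match(froms, from, from_match) && list_match(users, user, user_match))
            return line[0] == '+';
    }
    return 1;                 /* login.access(5): no matching rule grants access */
}

/* Constructed rule set in the style of the login.access(5) examples. */
const char *SAMPLE_ACCESS =
    "  # console (LOCAL: an origin without a dot, e.g. a tty) only for wheel, sync\n"
    "-:ALL EXCEPT wheel sync:LOCAL\n"
    "-:wheel:ALL EXCEPT LOCAL .example.org\n"
    "this line is malformed and is skipped\n"
    "-:guest:10.0.\n";
```

With the sample rules, `login_access(SAMPLE_ACCESS, "bob", "ttyv0")` is denied by the first rule while `alice` (a wheel member) is allowed on the console but refused from `evil.example.com`.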
From owner-freebsd-security Fri Jan 19 15:54:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id 435DD37B401 for ; Fri, 19 Jan 2001 15:53:45 -0800 (PST) Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19) id ; Fri, 19 Jan 2001 15:53:44 -0800 Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0243A0@goofy.epylon.lan>
From: Jason DiCioccio To: 'Jorge Peixoto Vasquez' , Sean Lutner Cc: security@freebsd.org Subject: RE: Failover firewalls with ipfw? Date: Fri, 19 Jan 2001 15:53:42 -0800 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C08273.0D80F920" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Better than PIX? That's not a tough claim considering PIX has more
holes in it than the Titanic :-)

Just thought I'd throw my PIX gripe in there.

-JD-


-------
Jason DiCioccio
Evil Genius
Unix BOFH

mailto:jasond@epylon.com

415-593-2761          Direct & Fax
415-593-2900          Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix -
Linux is for people who hate Microsoft


-----Original Message-----
From: Jorge Peixoto Vasquez [mailto:jorge@aker.com.br]
Sent: Friday, January 19, 2001 12:34 PM
To: Sean Lutner
Cc: security@freebsd.org
Subject: Re: Failover firewalls with ipfw?


Sean Lutner wrote:
> I'm currently doing some research into firewalls, and which one(s)
> would be right for my network. I'm considering everything from
> Checkpoint-1, to Cisco Pix, to ipchains, to ipfw on FreeBSD. My
> question is this. Does anyone out there know of any
> utilities/code/addons I could use to
> implement a failover pair of firewalls using ipfw and fbsd? Ideally
> I'd like to do stateful failover, but having two machines always on
> and a heartbeat solution might work as well. If anyone can offer
> some pointers, it would be much appreciated.
>

Dear Mr. Sean Lutner,

Our product does everything you want (except for stateful failover)
and,
altough not open-sourced, is much cheaper than these commercial
solutions you want.

Altough a little bit unknown outside Brazil, we have no fear of
saying
our product is at least in par with Checkpoint Fw1 or Pix, for
instance.

Please take a look at our web page and download a free (english, of
course) evaluation version. If you prefer, please send me your
address
and I'll have our customer service dept mail you a CD ASAP.

jOrge
- --
Jorge Peixoto Vasquez, Elet. Eng.
Aker Security Solutions
Manufacturer of the FreeBSD/Linux Aker Firewall
http://www.aker.com.br
tel. +55 - 61 - 340 9083


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOmjT4FCmU62pemyaEQIPeQCg5jT0FkKgyNB3nC9j9TiTXRjG6DsAnj6N
R/skYSbPpn/5IYcixaQ5e8qx
=m7PA
-----END PGP SIGNATURE-----

From: Jon
Reply-To: cykyc@yahoo.com
Date: Fri, 19 Jan 2001 17:35:11 -0800 (PST)
To: security@freebsd.org
Subject: RE: Failover firewalls with ipfw?
Message-ID: <20010120013511.5845.qmail@web4505.mail.yahoo.com>

It would have sure been nice of the NSA, Secure Computing, and others
to help out on the TrustedBSD structure when they whipped up Secure
Linux (http://www.nsa.gov/selinux). It's especially funny since Secure
Computing is based on BSDi. Oh, well... At least that would be a more
secure firewall, but since the original post was about failover, I'm
not helping...

--- Jason DiCioccio wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Better than PIX? That's not a tough claim considering PIX has more
> holes in it than the Titanic :-)
>
> Just thought I'd throw my PIX gripe in there.
>
> - -JD-
>
> - -------
> Jason DiCioccio
> Evil Genius
> Unix BOFH

From: Dag-Erling Smorgrav
Date: 20 Jan 2001 03:23:58 +0100
To: cykyc@yahoo.com
Cc: security@FreeBSD.ORG
Subject: Re: Failover firewalls with ipfw?
In-Reply-To: Jon's message of "Fri, 19 Jan 2001 17:35:11 -0800 (PST)"
References: <20010120013511.5845.qmail@web4505.mail.yahoo.com>

Jon writes:
> It would have sure been nice of the NSA, Secure
> Computing, and others to help out on the TrustedBSD
> structure when they whipped up Secure Linux

If you knew who actually did most of the Secure Linux work, and who does
most (?) of the TrustedBSD work, you wouldn't be saying that 8)

DES
--
Dag-Erling Smorgrav - des@ofug.org

From: djm@web.us.uu.net (David J. MacKenzie)
Date: Fri, 19 Jan 2001 23:23:53 -0500 (EST)
To: djm@web.us.uu.net, kris@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: login_access()
Message-Id: <20010120042353.C4E1912686@jenkins.web.us.uu.net>

> This sounds like a good way to proceed (well, PAM module first, then
> removal/deprecation). Are you able to submit code to do the former?

It's been done back in 1997, actually. Linux-PAM comes with a pam_access
module that is a pamified version of that login_access() function.

FreeBSD (-stable) comes with Linux-PAM 0.66, apparently from 1998. Recent
versions (0.72) come with several modules not included in FreeBSD
(-stable), including pam_access.

From: djm@web.us.uu.net (David J. MacKenzie)
Date: Sat, 20 Jan 2001 02:04:03 -0500 (EST)
To: n@nectar.com
Cc: djm@web.us.uu.net, freebsd-security@freebsd.org
Subject: Re: Fwd: [PAM broken design? pam_setcred]
Message-Id: <20010120070403.43D3A12686@jenkins.web.us.uu.net>

> Is it just me, or is pam_setcred broken? For example, with the
> following config file:
>
> login auth sufficient pam_skey.so
> login auth sufficient pam_krb5.so
> login auth required pam_unix.so
>
> Regardless of whether you authenticate with `skey', `krb5', or `unix',
> pam_sm_setcred is called in pam_skey.so, i.e. the module search starts
> over. By my reading of the Solaris man page, pam_sm_setcred should be
> called in the module that successfully authenticated the user. At any
> rate this seems infinitely more useful.

Note a few complications:

1. That several auth checks could be listed as "required". It would be
   more common to have several account management functions be required,
   but it's possible for any module type.

2. The auth info saved can be used by the account management function as
   well as by the setcred function. This is the case for the pam_krb5
   module.

I checked against the reference implementation of PAM, Sun's, by creating
a pam_echo module that is like pam_permit but it also prints a line when
it enters each of its functions. Then I duplicated it into a pam_echo2
module that's the same except for the name and the messages it prints.
Then I duplicated it again into a pam_echodeny module that's the same
except its auth function always fails instead of always succeeding. I
duplicated it again to create pam_echodeny2, where both the auth and
setcred functions fail.

I ran a few tests on Solaris 8 and on FreeBSD 4.2-stable, using my
PAM-patched su. I also ran them on Linux-Mandrake 7.0, using Linux-PAM
0.72 just in case it's changed since FreeBSD imported it.

1. Everything required for both modules:

Solaris:

  djm@rampart 21 $ su
  pam_echo pam_sm_authenticate
  pam_echo2 pam_sm_authenticate
  pam_echo pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echo pam_sm_setcred
  pam_echo2 pam_sm_setcred
  bash-2.03# grep '^su' /etc/pam.conf
  su auth required /usr/lib/security/$ISA/pam_echo.so.1
  su auth required /usr/lib/security/$ISA/pam_echo2.so.1
  su account required /usr/lib/security/$ISA/pam_echo.so.1
  su account required /usr/lib/security/$ISA/pam_echo2.so.1
  su session required /usr/lib/security/$ISA/pam_echo.so.1
  su session required /usr/lib/security/$ISA/pam_echo2.so.1

FreeBSD:

  djm@gaius 27 $ su
  pam_echo pam_sm_authenticate
  pam_echo2 pam_sm_authenticate
  pam_echo pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echo pam_sm_open_session
  pam_echo2 pam_sm_open_session
  pam_echo pam_sm_setcred
  pam_echo2 pam_sm_setcred
  ~ root@gaius 31 $ grep '^su' /etc/pam.conf
  su auth required pam_echo.so
  su auth required pam_echo2.so
  su account required pam_echo.so
  su account required pam_echo2.so
  su session required pam_echo.so
  su session required pam_echo2.so
  ~ root@gaius 32 $

Linux:

  djm@dagger 2 $ su
  pam_echo pam_sm_authenticate
  pam_echo2 pam_sm_authenticate
  pam_echo pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echo pam_sm_open_session
  pam_echo2 pam_sm_open_session
  pam_echo pam_sm_setcred
  pam_echo2 pam_sm_setcred
  ~ root@dagger 1 $ cat /etc/pam.d/su
  auth required /lib/security/pam_echo.so
  auth required /lib/security/pam_echo2.so
  account required /lib/security/pam_echo.so
  account required /lib/security/pam_echo2.so
  session required /lib/security/pam_echo.so
  session required /lib/security/pam_echo2.so

2. First module auth sufficient:

Solaris:

  djm@rampart 22 $ su
  pam_echo pam_sm_authenticate
  pam_echo pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echo pam_sm_setcred
  pam_echo2 pam_sm_setcred
  bash-2.03# grep '^su' /etc/pam.conf
  su auth sufficient /usr/lib/security/$ISA/pam_echo.so.1
  su auth required /usr/lib/security/$ISA/pam_echo2.so.1
  su account required /usr/lib/security/$ISA/pam_echo.so.1
  su account required /usr/lib/security/$ISA/pam_echo2.so.1
  su session required /usr/lib/security/$ISA/pam_echo.so.1
  su session required /usr/lib/security/$ISA/pam_echo2.so.1

FreeBSD:

  djm@gaius 28 $ su
  pam_echo pam_sm_authenticate
  pam_echo pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echo pam_sm_open_session
  pam_echo2 pam_sm_open_session
  pam_echo pam_sm_setcred
  ~ root@gaius 31 $ grep '^su' /etc/pam.conf
  su auth sufficient pam_echo.so
  su auth required pam_echo2.so
  su account required pam_echo.so
  su account required pam_echo2.so
  su session required pam_echo.so
  su session required pam_echo2.so

Linux:

  djm@dagger 3 $ su
  pam_echo pam_sm_authenticate
  pam_echo pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echo pam_sm_open_session
  pam_echo2 pam_sm_open_session
  pam_echo pam_sm_setcred
  ~ root@dagger 1 $ cat /etc/pam.d/su
  auth sufficient /lib/security/pam_echo.so
  auth required /lib/security/pam_echo2.so
  account required /lib/security/pam_echo.so
  account required /lib/security/pam_echo2.so
  session required /lib/security/pam_echo.so
  session required /lib/security/pam_echo2.so

3. First auth is sufficient but fails, every setcred succeeds (this is
your case):

Solaris:

  djm@rampart 28 $ su
  pam_echodeny pam_sm_authenticate
  pam_echo2 pam_sm_authenticate
  pam_echodeny pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echodeny pam_sm_setcred
  pam_echo2 pam_sm_setcred
  bash-2.03# grep '^su' /etc/pam.conf
  su auth sufficient /usr/lib/security/$ISA/pam_echodeny.so.1
  su auth required /usr/lib/security/$ISA/pam_echo2.so.1
  su account required /usr/lib/security/$ISA/pam_echodeny.so.1
  su account required /usr/lib/security/$ISA/pam_echo2.so.1
  su session required /usr/lib/security/$ISA/pam_echodeny.so.1
  su session required /usr/lib/security/$ISA/pam_echo2.so.1

FreeBSD:

  djm@gaius 55 $ su
  pam_echodeny pam_sm_authenticate
  pam_echo2 pam_sm_authenticate
  pam_echodeny pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echodeny pam_sm_open_session
  pam_echo2 pam_sm_open_session
  pam_echodeny pam_sm_setcred
  ~ root@gaius 31 $ grep '^su' /etc/pam.conf
  su auth sufficient pam_echodeny.so
  su auth required pam_echo2.so
  su account required pam_echodeny.so
  su account required pam_echo2.so
  su session required pam_echodeny.so
  su session required pam_echo2.so

Linux:

  djm@dagger 4 $ su
  pam_echodeny pam_sm_authenticate
  pam_echo2 pam_sm_authenticate
  pam_echodeny pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echodeny pam_sm_open_session
  pam_echo2 pam_sm_open_session
  pam_echodeny pam_sm_setcred
  ~ root@dagger 1 $ cat /etc/pam.d/su
  auth sufficient /lib/security/pam_echodeny.so
  auth required /lib/security/pam_echo2.so
  account required /lib/security/pam_echodeny.so
  account required /lib/security/pam_echo2.so
  session required /lib/security/pam_echodeny.so
  session required /lib/security/pam_echo2.so

4. First auth is sufficient, first auth and first setcred fail (similar
to your case):

Solaris:

  pam_echodeny2 pam_sm_authenticate
  pam_echo2 pam_sm_authenticate
  pam_echodeny2 pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echodeny2 pam_sm_setcred
  pam_echo2 pam_sm_setcred
  bash-2.03# grep '^su' /etc/pam.conf
  su auth sufficient /usr/lib/security/$ISA/pam_echodeny2.so.1
  su auth required /usr/lib/security/$ISA/pam_echo2.so.1
  su account required /usr/lib/security/$ISA/pam_echodeny2.so.1
  su account required /usr/lib/security/$ISA/pam_echo2.so.1
  su session required /usr/lib/security/$ISA/pam_echodeny2.so.1
  su session required /usr/lib/security/$ISA/pam_echo2.so.1

FreeBSD:

  pam_echodeny2 pam_sm_authenticate
  pam_echo2 pam_sm_authenticate
  pam_echodeny2 pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echodeny2 pam_sm_open_session
  pam_echo2 pam_sm_open_session
  pam_echodeny2 pam_sm_setcred
  pam_echo2 pam_sm_setcred
  ~ root@gaius 31 $ grep '^su' /etc/pam.conf
  su auth sufficient pam_echodeny2.so
  su auth required pam_echo2.so
  su account required pam_echodeny2.so
  su account required pam_echo2.so
  su session required pam_echodeny2.so
  su session required pam_echo2.so

Linux:

  djm@dagger 5 $ su
  pam_echodeny2 pam_sm_authenticate
  pam_echo2 pam_sm_authenticate
  pam_echodeny2 pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echodeny2 pam_sm_open_session
  pam_echo2 pam_sm_open_session
  pam_echodeny2 pam_sm_setcred
  pam_echo2 pam_sm_setcred
  ~ root@dagger 1 $ cat /etc/pam.d/su
  auth sufficient /lib/security/pam_echodeny2.so
  auth required /lib/security/pam_echo2.so
  account required /lib/security/pam_echodeny2.so
  account required /lib/security/pam_echo2.so
  session required /lib/security/pam_echodeny2.so
  session required /lib/security/pam_echo2.so

5. Only one auth module specified, and everything succeeds:

Solaris:

  djm@rampart 40 $ su
  pam_echo pam_sm_authenticate
  pam_echo pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echo pam_sm_setcred
  bash-2.03# grep '^su' /etc/pam.conf
  su auth required /usr/lib/security/$ISA/pam_echo.so.1
  su account required /usr/lib/security/$ISA/pam_echo.so.1
  su account required /usr/lib/security/$ISA/pam_echo2.so.1
  su session required /usr/lib/security/$ISA/pam_echo.so.1
  su session required /usr/lib/security/$ISA/pam_echo2.so.1

FreeBSD:

  djm@gaius 73 $ su
  pam_echo pam_sm_authenticate
  pam_echo pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echo pam_sm_open_session
  pam_echo2 pam_sm_open_session
  pam_echo pam_sm_setcred
  ~ root@gaius 31 $ grep '^su' /etc/pam.conf
  su auth required pam_echo.so
  su account required pam_echo.so
  su account required pam_echo2.so
  su session required pam_echo.so
  su session required pam_echo2.so

Linux:

  djm@dagger 6 $ su
  pam_echo pam_sm_authenticate
  pam_echo pam_sm_acct_mgmt
  pam_echo2 pam_sm_acct_mgmt
  pam_echo pam_sm_open_session
  pam_echo2 pam_sm_open_session
  pam_echo pam_sm_setcred
  ~ root@dagger 1 $ cat /etc/pam.d/su
  auth required /lib/security/pam_echo.so
  account required /lib/security/pam_echo.so
  account required /lib/security/pam_echo2.so
  session required /lib/security/pam_echo.so
  session required /lib/security/pam_echo2.so

Conclusions:

It looks like su on Solaris doesn't call open/close session; apparently
that's just for logins. I wonder how it deletes credentials (e.g.,
Kerberos ticket file) that it's created, when su exits. I'll have to
explore that. My patches for the FreeBSD su do what the Linux su does,
and also what the stock MIT krb5 su does in order to delete the ticket
file, namely, fork and wait. It looks like su should be using
setcred(PAM_DELETE_CRED) when it ends, and not using the session
functions. I'll fix that.

The main difference is in cases 2 and 3, where Solaris is calling setcred
for all modules that have auth entries. It appears to be ignoring the
"sufficient" tag for the setcred call. This is arguably a bug in Solaris
PAM. The Solaris pam.conf man page does say:

  An authentication service module provides functionality to
  authenticate a user and set up user credentials.

That indicates that the "auth" line should control the setcred call, and
test 5 shows that it does.

Linux-PAM (both versions) seems to be starting its loop at the top of the
auth list for setcred calls and considering the first setcred to be
"sufficient". Neither behavior is what you were hoping for, which would
be for libpam to remember which module(s) succeeded in the authenticate
call and only call setcred for those modules. I think the philosophy of
the PAM config file is that the various entries are considered to be
independent, and that the framework does not make assumptions about the
needs of the modules. Thus the Linux-PAM behavior can be considered
reasonable. This behavior should, however, be documented! I just read
through the Linux-PAM HTML documentation and it doesn't specify
subtleties such as this, either.

From: "Crist J. Clark"
Date: Sat, 20 Jan 2001 02:12:19 -0800
To: Sean Lutner
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Failover firewalls with ipfw?
Reply-To: cjclark@alum.mit.edu
Message-ID: <20010120021219.G10761@rfx-216-196-73-168.users.reflex>

On Fri, Jan 19, 2001 at 02:30:38PM -0500, Sean Lutner wrote:
> I'm currently doing some research into firewalls, and which one(s) would
> be right for my network. I'm considering everything from Checkpoint-1, to
> Cisco Pix, to ipchains, to ipfw on FreeBSD. My question is this. Does
> anyone out there know of any utilities/code/addons I could use to
> implement a failover pair of firewalls using ipfw and fbsd? Ideally I'd
> like to do stateful failover, but having two machines always on and a
> heartbeat solution might work as well. If anyone can offer some pointers,
> it would be much appreciated.

I've used Stonebeat and Firewall-1, and to be honest, I think you could
probably toss together some home-built code and get something with >90%
of its functionality in days... if you don't spend a lot of time testing
every possible scenario (accurately simulating fizzling hardware is
non-trivial). Heck, if the price is right, I could build something for
ya'. ;)
--
Crist J. Clark                          cjclark@alum.mit.edu

From: "Nickolay A. Kritsky"
Date: Sat, 20 Jan 2001 15:53:53 +0300
Subject: Strange ipfw behavior
Message-ID: <000b01c082e0$0b32d5e0$0600a8c0@ibmka.internethelp.ru>

Hi all.

I am running a FreeBSD box with ipfw and natd. Can you help me explain
some strange behavior of ipfw:

  box# ipfw show
  2600 13 728 deny log ip from any to any
  65535 75 23790 deny ip from any to any

Some explanation is needed: rule 2600 is the last rule in my rc.firewall
script. It is applied when a packet coming through ipfw does not match any
other rule - then the packet is denied and logged. My question to the
FreeBSD gurus is: why are some packets still reaching rule 65535 despite
rule 2600? Please help me, or show me another mailing list where I can ask
this question - I posted it to security, because I consider all ipfw
questions as security-related (after all, firewalls are for security -
that's my opinion).

I am running 3.3-RELEASE.

From: Tim Priebe
Reply-To: tim@iafrica.com.na
Date: Sat, 20 Jan 2001 14:58:44 +0200
To: Sean Lutner
Cc: freebsd-security@freebsd.org
Subject: Re: Failover firewalls with ipfw?
Message-ID: <3A698B84.8BF22034@polytechnic.edu.na>

Sean Lutner wrote:
>
> I'm currently doing some research into firewalls, and which one(s) would
> be right for my network. I'm considering everything from Checkpoint-1, to
> Cisco Pix, to ipchains, to ipfw on FreeBSD. My question is this. Does
> anyone out there know of any utilities/code/addons I could use to
> implement a failover pair of firewalls using ipfw and fbsd? Ideally I'd
> like to do stateful failover, but having two machines always on and a
> heartbeat solution might work as well. If anyone can offer some pointers,
> it would be much appreciated.

My approach to this problem is to use a pair of FreeBSD boxes running ipfw
as firewalls, and dynamic routing to handle the fail over. I am running
stateless rules, as I have not had time to look into writing the code to
get them to exchange state information.

Tim.
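Returning to David MacKenzie's pam_setcred traces earlier in this digest: the following is an added Python model, not libpam code and not anything posted in the thread. It reimplements the required/sufficient walk over a service's "auth" lines and three ways of dispatching pam_setcred: the Linux-PAM and Solaris behaviour as inferred from his traces, plus the "only the module that authenticated" behaviour the original poster wanted. The module names and the three cases are constructed stand-ins for his pam_echo test modules; account and session stacks are not modelled.

```python
from dataclasses import dataclass, field

PAM_SUCCESS = 0
PAM_AUTH_ERR = 7    # Linux-PAM's value; here only "not PAM_SUCCESS" matters
PAM_CRED_ERR = 17


@dataclass
class Module:
    """A pam_echo-style test module (constructed stand-in for the pam_echo,
    pam_echodeny and pam_echodeny2 modules in the message): it records each
    entry point it is called through and returns a canned result."""
    name: str
    auth_ok: bool = True
    setcred_ok: bool = True

    def authenticate(self, trace):
        trace.append(f"{self.name} pam_sm_authenticate")
        return PAM_SUCCESS if self.auth_ok else PAM_AUTH_ERR

    def setcred(self, trace):
        trace.append(f"{self.name} pam_sm_setcred")
        return PAM_SUCCESS if self.setcred_ok else PAM_CRED_ERR


@dataclass
class AuthStack:
    """The 'auth' lines of one pam.conf service as (control, module) pairs."""
    entries: list
    trace: list = field(default_factory=list)
    winners: list = field(default_factory=list)  # modules whose auth passed

    def _walk(self, call, remember):
        """required/sufficient walk shared by authenticate and Linux setcred:
        a failing 'required' entry is remembered but the walk goes on; a
        passing 'sufficient' entry ends the walk unless a required entry
        has already failed."""
        first_failure = None
        for control, mod in self.entries:
            rc = call(mod)
            if rc == PAM_SUCCESS:
                if remember:
                    self.winners.append(mod)
                if control == "sufficient" and first_failure is None:
                    return PAM_SUCCESS
            elif control == "required" and first_failure is None:
                first_failure = rc
        return PAM_SUCCESS if first_failure is None else first_failure

    def authenticate(self):
        return self._walk(lambda m: m.authenticate(self.trace), remember=True)

    def setcred(self, policy):
        """Dispatch pam_setcred() under one of three policies."""
        if policy == "linux":
            # Linux-PAM (as observed): restart at the top of the auth list
            # and treat the first successful 'sufficient' setcred as final.
            return self._walk(lambda m: m.setcred(self.trace), remember=False)
        if policy == "solaris":
            # Solaris (as observed): setcred on every auth entry, ignoring
            # 'sufficient'.
            mods = [mod for _, mod in self.entries]
        elif policy == "authenticated_only":
            # What the original poster hoped for: only the module(s) that
            # actually authenticated the user get to set credentials.
            mods = self.winners
        else:
            raise ValueError(f"unknown policy {policy!r}")
        rc = PAM_SUCCESS
        for mod in mods:
            r = mod.setcred(self.trace)
            if rc == PAM_SUCCESS:
                rc = r          # keep the first failure, as a stack would
        return rc


def run(entries, policy):
    """Authenticate, then set credentials, and return the call trace."""
    stack = AuthStack(entries)
    stack.authenticate()
    stack.setcred(policy)
    return stack.trace


# The three cases from the message where the policies disagree.
def case2(policy):
    """First module sufficient and succeeds; second required."""
    return run([("sufficient", Module("pam_echo")),
                ("required", Module("pam_echo2"))], policy)


def case3(policy):
    """First module sufficient but its auth fails; every setcred succeeds."""
    return run([("sufficient", Module("pam_echodeny", auth_ok=False)),
                ("required", Module("pam_echo2"))], policy)


def case4(policy):
    """As case 3, but the first module's setcred fails as well."""
    return run([("sufficient", Module("pam_echodeny2", auth_ok=False,
                                      setcred_ok=False)),
                ("required", Module("pam_echo2"))], policy)
```

Under the "linux" policy case 3 reproduces the poster's complaint: pam_echodeny never authenticated anyone, yet it is the only module whose pam_sm_setcred runs.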
From: Attila Nagy
Date: Sat, 20 Jan 2001 16:51:00 +0100 (CET)
To: Sean Lutner
Subject: Re: Failover firewalls with ipfw?

Hello,

> I'm currently doing some research into firewalls, and which one(s)
> would be right for my network. I'm considering everything from
> Checkpoint-1, to Cisco Pix, to ipchains, to ipfw on FreeBSD. My
> question is this. Does anyone out there know of any
> utilities/code/addons I could use to implement a failover pair of
> firewalls using ipfw and fbsd? Ideally I'd like to do stateful
> failover, but having two machines always on and a heartbeat solution
> might work as well. If anyone can offer some pointers, it would be
> much appreciated.

Take a look at the soon-to-be released IPF 4.0, which will have such
capabilities as far as I know. See http://false.net/ipfilter for the
mailing list archive.

--------------------------------------------------------------------------
Attila Nagy                                     e-mail: Attila.Nagy@fsn.hu
Budapest Polytechnic (BMF.HU)                   @work: +361 210 1415 (194)
H-1084 Budapest, Tavaszmezo u. 15-17.           cell.: +3630 306 6758

From: grayndog@i-mail.com.au
Date: Sat, 20 Jan 2001 09:37:26 -0800
To: morjin@hotepmail.com
Subject: Has Anyone Stolen Your Name?
You may be a prime candidate for Identity Theft if...

- You frequently receive offers of pre-approved credit.
- Your social security number or driver's license number is printed on personal checks.
- Your employer sells or shares data about employees or customers.
- You are unaware of who has access to your personal information.
- You are unaware of how to guard your mail from theft.
- You don't know all the ways to guard your credit card information from theft.
- You don't know when, where, and how often to order your own credit report.

Is your name next on the thieves' list?... It doesn't have to be!

Click Here to learn how to protect yourself

All requests to be taken off our mailing list are AUTOMATICALLY and IMMEDIATELY honored upon receipt.
Click here to be taken off our list.

Each year in the U.S. alone, the "postal" bulk mail industry consumes over 450 million trees just to make the paper used in sending their advertisements and promotions. Using email instead can significantly reduce this consumption, while at the same time decreasing the billions of tons of paper waste filling our landfills.
Save the trees, save the planet, use email!
From: Robert Watson
X-Sender: robert@fledge.watson.org
Date: Sat, 20 Jan 2001 13:03:23 -0500 (EST)
To: "David J. MacKenzie"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: improved: PAM support for login, rshd, and su
In-Reply-To: <20010119181359.9A71212685@jenkins.web.us.uu.net>

So, at one point recently I sent e-mail to freebsd-arch proposing that we
eliminate the #ifdef for LOGIN_CAP. I asked if anyone was actually not
using the login.conf stuff in their configuration but haven't found any
examples yet. Having two code paths for all sensitive authorization and
authentication code really makes a mess of things, and also means that
login.conf can't be used as a comprehensive source of policy. In the
TrustedBSD MAC implementation, I currently maintain MAC labeling
information in login.conf per user class, mandating the use of LOGIN_CAP,
and also making the use of PAM to manage security contexts very
desirable.

Would anyone object to removing the LOGIN_CAP ifdef? Are there any
negative implications to this that I am not aware of?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Fri, 19 Jan 2001, David J. MacKenzie wrote:

> In reviewing the patches I sent to this list recently,
> I realized that I had neglected to add support for PAM
> "template users" to rshd and su. I also noticed that rshd didn't
> use auth_checknologin() when LOGIN_CAP was defined (not my bug,
> but I have fixed it). And I failed to add dependencies for
> LIBPAM to the Makefiles.
>
> Here is a revised version of my patches, which supersedes
> the previous one. The patches to login didn't change.
>
> --- ./libexec/rshd/Makefile 2001/01/17 00:04:57 1.1 > +++ ./libexec/rshd/Makefile 2001/01/19 17:33:26
> @@ -8,9 +8,9 @@ > #CFLAGS+= -DCRYPT > > # For login_cap handling > -CFLAGS+=-DLOGIN_CAP -Wall > -DPADD+= ${LIBUTIL} > -LDADD+= -lutil > +CFLAGS+=-DLOGIN_CAP -DUSE_PAM -Wall > +DPADD+= ${LIBUTIL} ${LIBPAM} > +LDADD+= -lutil -lpam > > # IPv6 support > CFLAGS+= -DINET6 > --- ./libexec/rshd/rshd.c 2000/11/12 07:00:38 1.1 > +++ ./libexec/rshd/rshd.c 2001/01/19 17:58:29 > @@ -80,6 +80,12 @@ > #include > #endif > > +#ifdef USE_PAM > +#include > +#include > +static pam_handle_t *pamh; > +#endif /* USE_PAM */ > + > /* wrapper for KAME-special getnameinfo() */ > #ifndef NI_WITHSCOPEID > #define NI_WITHSCOPEID 0 > @@ -219,6 +225,10 @@ > #ifdef LOGIN_CAP > login_cap_t *lc; > #endif > +#ifdef USE_PAM > + static struct pam_conv conv = { misc_conv, NULL }; > + int retcode; > +#endif /* USE_PAM */ > > (void) signal(SIGINT, SIG_DFL); > (void) signal(SIGQUIT, SIG_DFL); 
> @@ -341,6 +351,43 @@ > > getstr(locuser, sizeof(locuser), "locuser"); > getstr(cmdbuf, sizeof(cmdbuf), "command"); > + > +#ifdef USE_PAM > + retcode = pam_start("rsh", locuser, &conv, &pamh); > + if (retcode != PAM_SUCCESS) { > + syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retcode)); > + exit(1); > + } > + pam_set_item (pamh, PAM_RUSER, remuser); > + pam_set_item (pamh, PAM_RHOST, fromhost); > + pam_set_item (pamh, PAM_TTY, "tty"); > + > + retcode = pam_authenticate(pamh, 0); > + if (retcode == PAM_SUCCESS) { > + if ((retcode = pam_get_item(pamh, PAM_USER, &cp)) == PAM_SUCCESS) { > + strncpy(locuser, cp, sizeof(locuser)); > + } else > + syslog(LOG_ERR|LOG_AUTH, "Couldn't get PAM_USER: %s", > + pam_strerror(pamh, retcode)); > + retcode = pam_acct_mgmt(pamh, 0); > + } > + if (retcode == PAM_SUCCESS) { > + retcode = pam_open_session(pamh,0); > + } > + if (retcode == PAM_SUCCESS) { > + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED); > + if (retcode != PAM_SUCCESS) > + pam_close_session(pamh, 0); > + } > + if (retcode != PAM_SUCCESS) { > + pam_end(pamh, retcode); > + syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", > + remuser, fromhost, locuser, pam_strerror(pamh, retcode), cmdbuf); > + error("Login incorrect.\n"); > + exit(1); > + } > +#endif /* USE_PAM */ > + > setpwent(); > pwd = getpwnam(locuser); > if (pwd == NULL) { 
> @@ -349,11 +396,42 @@ > remuser, fromhost, locuser, cmdbuf); > if (errorstr == NULL) > errorstr = "Login incorrect.\n"; > - goto fail; > + error(errorstr, fromhost); > + exit(1); > + } > + > +#ifndef USE_PAM > + if (errorstr || > + (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || > + iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, > + remuser, locuser) < 0) { > + if (__rcmd_errstr) > + syslog(LOG_INFO|LOG_AUTH, > + "%s@%s as %s: permission denied (%s). cmd='%.80s'", > + remuser, fromhost, locuser, __rcmd_errstr, > + cmdbuf); > + else > + syslog(LOG_INFO|LOG_AUTH, > + "%s@%s as %s: permission denied. cmd='%.80s'", > + remuser, fromhost, locuser, cmdbuf); > + if (errorstr == NULL) > + errorstr = "Login incorrect.\n"; > + error(errorstr, fromhost); > + exit(1); > } > -#ifdef LOGIN_CAP > +#endif /* USE_PAM */ > + > +#ifdef LOGIN_CAP > lc = login_getpwclass(pwd); > -#endif > + if (pwd->pw_uid) > + auth_checknologin(lc); > +#else /* !LOGIN_CAP */ > + if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) { > + error("Logins currently disabled.\n"); > + exit(1); > + } > +#endif /* LOGIN_CAP */ > + > if (chdir(pwd->pw_dir) < 0) { > #ifdef LOGIN_CAP > if (chdir("/") < 0 || 
> @@ -377,30 +455,6 @@ > pwd->pw_dir = "/"; > } > > - if (errorstr || > - (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || > - iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, > - remuser, locuser) < 0) { > - if (__rcmd_errstr) > - syslog(LOG_INFO|LOG_AUTH, > - "%s@%s as %s: permission denied (%s). cmd='%.80s'", > - remuser, fromhost, locuser, __rcmd_errstr, > - cmdbuf); > - else > - syslog(LOG_INFO|LOG_AUTH, > - "%s@%s as %s: permission denied. cmd='%.80s'", > - remuser, fromhost, locuser, cmdbuf); > -fail: > - if (errorstr == NULL) > - errorstr = "Login incorrect.\n"; > - error(errorstr, fromhost); > - exit(1); > - } > - > - if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) { > - error("Logins currently disabled.\n"); > - exit(1); > - } > #ifdef LOGIN_CAP > if (lc != NULL && fromp->su_family == AF_INET) { /*XXX*/ > char remote_ip[MAXHOSTNAMELEN]; > @@ -569,6 +623,10 @@ > (doencrypt && FD_ISSET(pv1[0], &readfrom)) || > #endif > FD_ISSET(pv[0], &readfrom)); > +#ifdef USE_PAM > + pam_close_session(pamh, 0); > + pam_end(pamh, PAM_SUCCESS); > +#endif /* USE_PAM */ > exit(0); > } > setpgrp(0, getpid()); > --- ./usr.bin/login/login.c 2000/08/08 03:12:59 1.1 > +++ ./usr.bin/login/login.c 2001/01/18 03:24:07 > @@ -81,6 +81,7 @@ > #ifndef NO_PAM > #include > #include > +#include > #endif > > #include "pathnames.h" > @@ -106,6 +107,7 @@ > > #ifndef NO_PAM > static int auth_pam __P((void)); > +pam_handle_t *pamh = NULL; > #endif > static int auth_traditional __P((void)); > extern void login __P((struct utmp *)); > @@ -150,6 +152,10 @@ > char tname[sizeof(_PATH_TTY) + 10]; > char *shell = NULL; > login_cap_t *lc = NULL; > +#ifndef NO_PAM > + pid_t pid; > + int e; > +#endif /* NO_PAM */ > > (void)signal(SIGQUIT, SIG_IGN); > (void)signal(SIGINT, SIG_IGN); 
> @@ -548,6 +554,35 @@ > if (!pflag) > environ = envinit; > > +#ifndef NO_PAM > + if (pamh) { > + /* > + * We must fork() before setuid() because we need to call > + * pam_close_session() as root. > + */ > + pid = fork(); > + if (pid < 0) { > + err(1, "fork"); > + if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS) > + syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e)); > + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) > + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); > + exit(0); > + } else if (pid) { > + /* parent - wait for child to finish, then cleanup session */ > + wait(NULL); > + if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS) > + syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e)); > + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) > + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); > + exit(0); > + } else { > + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) > + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); > + } > + } > +#endif /* NO_PAM */ > + > /* > * We don't need to be root anymore, so > * set the user and session context > @@ -562,6 +597,17 @@ > exit(1); > } > > +#ifndef NO_PAM > + if (pamh) { > + const char * const *env = (const char * const *)pam_getenvlist(pamh); > + int i; > + if (env != NULL) { > + for (i=0; env[i]; i++) > + putenv(env[i]); > + } > + } > +#endif /* NO_PAM */ > + > (void)setenv("SHELL", pwd->pw_shell, 1); > (void)setenv("HOME", pwd->pw_dir, 1); > if (term != NULL && *term != '\0') > @@ -663,7 +709,6 @@ > static int > auth_pam() > { > - pam_handle_t *pamh = NULL; > const char *tmpl_user; > const void *item; > int rval; 
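Review bot: in the login.c fork hunk (`@@ -548,6 +554,35 @@`) the child branch calls `pam_end(pamh, e)` with `e` never assigned in this function (the `int e;` added in the earlier hunk is only declared), so PAM gets an indeterminate final status; and in the `pid < 0` branch `err(1, "fork")` terminates the process before the `pam_close_session`/`pam_end` calls that follow it, so a fork failure leaves the session open. Pass a known status (the result of the last PAM call, or `PAM_SUCCESS`) and do the cleanup before `err()`.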
> @@ -724,13 +769,36 @@ > break; > > default: > - syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); > + syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, e)); > rval = -1; > break; > } > - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { > - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); > - rval = -1; > + > + if (rval != -1) { > + e = pam_acct_mgmt(pamh, 0); > + if (e == PAM_NEW_AUTHTOK_REQD) { > + e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); > + if (e != PAM_SUCCESS) { > + syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, e)); > + rval = -1; > + } > + } else if (e != PAM_SUCCESS) { > + rval = 1; > + } else if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) { > + syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, e)); > + rval = -1; > + } else if ((e = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { > + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); > + rval = -1; > + pam_close_session(pamh, 0); > + } > + } > + > + if (rval == -1) { > + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { > + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); > + } > + pamh = NULL; > } > return rval; > } > @@ -745,7 +813,7 @@ > > /* > * Allow for authentication style and/or kerberos instance > - * */ > + */ > > #define NBUFSIZ UT_NAMESIZE + 64 > > --- ./usr.bin/su/Makefile 2001/01/16 21:33:47 1.1 > +++ ./usr.bin/su/Makefile 2001/01/19 17:41:13 > @@ -4,9 +4,9 @@ > PROG= su > SRCS= su.c > > -COPTS+= -DLOGIN_CAP -DSKEY > -DPADD= ${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT} > -LDADD= -lutil -lskey -lmd -lcrypt > +COPTS+= -DLOGIN_CAP -DSKEY -DUSE_PAM > +DPADD= ${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT} ${LIBPAM} > +LDADD= -lutil -lskey -lmd -lcrypt -lpam > > .if defined(WHEELSU) > COPTS+= -DWHEELSU > --- ./usr.bin/su/su.c 2000/02/24 21:06:21 1.1 > +++ ./usr.bin/su/su.c 2001/01/19 17:48:55 
> @@ -65,6 +65,20 @@ > #include > #endif > > +#ifdef USE_PAM > +#include > +#include > +#include > +#include > +#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ > + fprintf(stderr,"su: PAM error: %s\n",pam_strerror(pamh, retcode)); \ > + syslog(LOG_ERR,"PAM error: %s",pam_strerror(pamh, retcode)); \ > + pam_end(pamh, retcode); exit(1); \ > + } > +#define PAM_END { retcode = pam_close_session(pamh,0); \ > + pam_end(pamh,retcode); } > +#endif /* USE_PAM */ > + > #ifdef SKEY > #include > #endif > @@ -107,8 +121,7 @@ > char *targetpass; > int iswheelsu; > #endif /* WHEELSU */ > - char *p, **g, *user, *shell=NULL, *username, **cleanenv, **nargv, **np; > - struct group *gr; > + char *p, *user, *shell=NULL, *username, *cleanenv = NULL, **nargv, **np; > uid_t ruid; > gid_t gid; > int asme, ch, asthem, fastlogin, prio, i; > @@ -118,6 +131,18 @@ > char *class=NULL; > int setwhat; > #endif > +#ifdef USE_PAM > + int retcode; > + pam_handle_t *pamh = NULL; > + struct pam_conv conv = { misc_conv, NULL }; > + char myhost[MAXHOSTNAMELEN + 1], *mytty; > + int statusp=0; > + int child_pid, child_pgrp, ret_pid; > + const char * const *env; > +#else /* !USE_PAM */ > + char **g; > + struct group *gr; > +#endif /* USE_PAM */ > #ifdef KERBEROS > char *k; > #endif > @@ -214,6 +239,28 @@ > } > } > > +#ifdef USE_PAM > + retcode = pam_start("su", user, &conv, &pamh); > + PAM_FAIL_CHECK; > + > + if (ruid) { > + retcode = pam_authenticate(pamh, 0); > + PAM_FAIL_CHECK; > + > + if ((retcode = pam_get_item(pamh, PAM_USER, &p)) == PAM_SUCCESS) { > + user = p; > + } else > + syslog(LOG_ERR|LOG_AUTH, "Couldn't get PAM_USER: %s", > + pam_strerror(pamh, retcode)); > + > + retcode = pam_acct_mgmt(pamh, 0); > + if (retcode == PAM_NEW_AUTHTOK_REQD) > + retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); > + PAM_FAIL_CHECK; > + } > + > +#endif /* USE_PAM */ > + > /* get target login information, default to root */ > if ((pwd = getpwnam(user)) == NULL) { > errx(1, "unknown login: %s", user); 
> @@ -230,6 +277,7 @@ > } > #endif > > +#ifndef USE_PAM > #ifdef WHEELSU > targetpass = strdup(pwd->pw_passwd); > #endif /* WHEELSU */ > @@ -280,11 +328,12 @@ > #ifdef WHEELSU > || (iswheelsu && !strcmp(targetpass, crypt(p,targetpass))) > #endif /* WHEELSU */ > - )) { > -#else > + )) > +#else /* !SKEY */ > p = getpass("Password:"); > - if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) { > -#endif > + if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) > +#endif /* SKEY */ > + { > #ifdef KERBEROS > if (!use_kerberos || (use_kerberos && kerberos(username, user, pwd->pw_uid, p))) > #endif > @@ -308,6 +357,7 @@ > exit(1); > } > } > +#endif /* USE_PAM */ > > if (asme) { > /* if asme and non-standard target shell, must be root */ 
> @@ -334,6 +384,60 @@ > > (void)setpriority(PRIO_PROCESS, 0, prio); > > +#ifdef USE_PAM > + gethostname(myhost, sizeof(myhost)); > + retcode = pam_set_item(pamh, PAM_RHOST, myhost); > + PAM_FAIL_CHECK; > + > + mytty = ttyname(STDERR_FILENO); > + if (!mytty) > + mytty = "tty"; > + retcode = pam_set_item(pamh, PAM_TTY, mytty); > + PAM_FAIL_CHECK; > + > + retcode = pam_open_session(pamh, 0); > + PAM_FAIL_CHECK; > + > + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED); > + PAM_FAIL_CHECK; > + > + env = (const char * const *)pam_getenvlist(pamh); > + if (env != NULL) { > + for (i=0; env[i]; i++) > + putenv(env[i]); > + } > + > + /* > + * We must fork() before setuid() because we need to call > + * pam_close_session() as root. > + */ > + > + statusp = 1; > + switch ((child_pid = fork())) { > + default: > + while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) { > + if (WIFSTOPPED(statusp)) { > + child_pgrp = tcgetpgrp(1); > + kill(getpid(), SIGSTOP); > + tcsetpgrp(1, child_pgrp); > + kill(child_pid, SIGCONT); > + statusp = 1; > + continue; > + } > + break; > + } > + if (ret_pid == -1) > + err(1, "waitpid"); > + PAM_END; > + exit(statusp); > + case -1: > + err(1, "fork"); > + PAM_END; > + exit (1); > + case 0: > + pam_end(pamh, retcode); > +#endif /* USE_PAM */ > + > #ifdef LOGIN_CAP > /* Set everything now except the environment & umask */ > setwhat = LOGIN_SETUSER|LOGIN_SETGROUP|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY; > @@ -361,10 +465,7 @@ > #ifdef KERBEROS > k = getenv("KRBTKFILE"); > #endif > - if ((cleanenv = calloc(20, sizeof(char*))) == NULL) > - errx(1, "calloc"); > - cleanenv[0] = NULL; > - environ = cleanenv; > + environ = &cleanenv; > #ifdef LOGIN_CAP > /* set the su'd user's environment & umask */ > setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV); 
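Review bot: in the su.c fork hunk (`@@ -334,6 +384,60 @@`) the child does `case 0: pam_end(pamh, retcode);`, which frees the handle that `user` was pointed into by `user = p;` after `pam_get_item(pamh, PAM_USER, &p)` in the `@@ -214,6 +239,28 @@` hunk; the original code below this point still reads `user` (the `initgroups(user, pwd->pw_gid)` call and the `"%s to %s%s"` syslog), so the child works on freed memory. Copy the PAM_USER value with `strdup()` before ending the handle, or keep the handle alive in the child. Also `PAM_END` after `err(1, "fork")` in `case -1:` is unreachable.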
> @@ -403,6 +504,9 @@ > > execv(shell, np); > err(1, "%s", shell); > +#ifdef USE_PAM > + } > +#endif /* USE_PAM */ > } > > static void > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message >

From owner-freebsd-security Sat Jan 20 11:00:01 2001
Date: Sat, 20 Jan 2001 10:59:42 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: Anti-Virus for SMTP

Brett Glass wrote:
> There's a lot to this topic. See
>
> http://www.brettglass.com/spam/paper.html

Great stuff! Thanks Brett.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Sat Jan 20 15:04:28 2001
Date: Sat, 20 Jan 2001 15:07:12 -0800
From: Kris Kennaway
To: "Nickolay A. Kritsky"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Strange ipfw behavior
Message-ID: <20010120150712.B53292@citusc17.usc.edu>
In-Reply-To: <000b01c082e0$0b32d5e0$0600a8c0@ibmka.internethelp.ru>; from nkritsky@internethelp.ru on Sat, Jan 20, 2001 at 03:53:53PM +0300

On Sat, Jan 20, 2001 at 03:53:53PM +0300, Nickolay A. Kritsky wrote:
> Hi all.
> I am running a FreeBSD box with ipfw and natd.
> Can you help me explain some strange behavior of ipfw:
>
> box# ipfw show
>
> 2600 13 728 deny log ip from any to any
> 65535 75 23790 deny ip from any to any

Do an ipfw -at show and I bet those packets arrived right after the
system booted. There is a race condition between the network being
brought up and the firewall rules being loaded, which means that a
few packets (in your case, 75) can make it into the box before the
rules are loaded. This is why a default to deny policy is essential,
otherwise during that brief window your firewall would be passing
packets in every direction unrestricted, and may allow an attacker
to do stuff (if they could trigger a reboot of your firewall, they
have quite a long time to play with your internal network).
Kris

-- 
NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org

From owner-freebsd-security Sat Jan 20 20:59:04 2001
To: freebsd-security@freebsd.org
Cc: djm@web.us.uu.net
Subject: PAM patch, iteration 3
Date: Sat, 20 Jan 2001 23:58:23 -0500
From: "David J. MacKenzie"
Message-Id: <20010121045823.59DB212686@jenkins.web.us.uu.net>

After reading the RFC and considering my code some more, I've made more fixes to it, including initialization of supplementary groups and environment variables, and several other fixes. As before, this patch replaces the previous two that I sent out. It was generated against -stable.

The rshd with PAM and without Kerberos won't be very useful until FreeBSD imports the pam_rhosts module from Linux-PAM. I don't think the rcmd/rsh protocol provides a way to prompt the remote user for a password.

login was alone in using NO_PAM instead of USE_PAM for the #ifdef. sshd used USE_PAM and I used that in the other utilities as well, so I changed login to match. I think it's easier to understand that way.

The Linux-PAM manual, the RFC example, and the Solaris man page all indicate that this patch to pam_setcred.3 is correct.

--- ./contrib/libpam/doc/man/pam_setcred.3 1998/11/18 01:20:54 1.1 +++ ./contrib/libpam/doc/man/pam_setcred.3 2001/01/21 00:08:26 @@ -16,7 +16,7 @@ This function is used to establish, maintain and delete the credentials of a user. It should be called after a user has been -authenticated and before a session is opened for the user (with +authenticated and after a session is opened for the user (with .BR pam_open_session "(3))." It should be noted that credentials come in many forms. Examples --- ./libexec/rshd/Makefile 2001/01/17 00:04:57 1.1 +++ ./libexec/rshd/Makefile 2001/01/21 04:45:35 @@ -12,6 +12,12 @@ DPADD+= ${LIBUTIL} LDADD+= -lutil +.if !defined(NOPAM) +CFLAGS+= -DUSE_PAM +DPADD+= ${LIBPAM} +LDADD+= ${MINUSLPAM} +.endif + # IPv6 support CFLAGS+= -DINET6 --- ./libexec/rshd/rshd.c 2000/11/12 07:00:38 1.1 +++ ./libexec/rshd/rshd.c 2001/01/21 04:25:51
@@ -80,6 +80,20 @@ #include #endif +#ifdef USE_PAM +#include +#include +static pam_handle_t *pamh; +#define PAM_END { \ + if ((retcode = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) \ + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, retcode)); \ + if ((retcode = pam_close_session(pamh,0)) != PAM_SUCCESS) \ + syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, retcode)); \ + if ((retcode = pam_end(pamh, retcode)) != PAM_SUCCESS) \ + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, retcode)); \ +} +#endif /* USE_PAM */ + /* wrapper for KAME-special getnameinfo() */ #ifndef NI_WITHSCOPEID #define NI_WITHSCOPEID 0 @@ -188,6 +202,20 @@ return(0); } +#ifdef USE_PAM +/* + * We can't have a conversation with the client over the rsh connection. + * You must use auth methods that don't require one, like pam_rhosts. + */ + +int null_conv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr) +{ + syslog(LOG_ERR, "PAM conversation is not supported\n"); + return PAM_CONV_ERR; +} +#endif /* USE_PAM */ + char username[20] = "USER="; char homedir[64] = "HOME="; char shell[64] = "SHELL="; @@ -219,6 +247,11 @@ #ifdef LOGIN_CAP login_cap_t *lc; #endif +#ifdef USE_PAM + static struct pam_conv conv = { null_conv, NULL }; + int retcode, i; + const char * const *env; +#endif /* USE_PAM */ (void) signal(SIGINT, SIG_DFL); (void) signal(SIGQUIT, SIG_DFL); 
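Review bot: the `PAM_END` macro (hunk `@@ -80,6 +80,20 @@`) expands to statements that assign the local `retcode`, which exists only in whichever function happens to use the macro, and it feeds the `pam_close_session` status into `pam_end` as the session's final status; a small `static` helper taking the handle and returning the status would remove the hidden dependency. In the `null_conv` hunk, the function is only used as this file's conversation callback and should be `static`, and the syslog string does not need the trailing `\n`.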
@@ -341,6 +374,36 @@ getstr(locuser, sizeof(locuser), "locuser"); getstr(cmdbuf, sizeof(cmdbuf), "command"); + +#ifdef USE_PAM + retcode = pam_start("rsh", locuser, &conv, &pamh); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retcode)); + exit(1); + } + pam_set_item (pamh, PAM_RUSER, remuser); + pam_set_item (pamh, PAM_RHOST, fromhost); + pam_set_item (pamh, PAM_TTY, "tty"); + + retcode = pam_authenticate(pamh, 0); + if (retcode == PAM_SUCCESS) { + if ((retcode = pam_get_item(pamh, PAM_USER, (const void **) &cp)) == PAM_SUCCESS) { + strncpy(locuser, cp, sizeof(locuser)); + locuser[sizeof(locuser) - 1] = '\0'; + } else + syslog(LOG_ERR|LOG_AUTH, "Couldn't get PAM_USER: %s", + pam_strerror(pamh, retcode)); + retcode = pam_acct_mgmt(pamh, 0); + } + if (retcode != PAM_SUCCESS) { + pam_end(pamh, retcode); + syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", + remuser, fromhost, locuser, pam_strerror(pamh, retcode), cmdbuf); + error("Login incorrect.\n"); + exit(1); + } +#endif /* USE_PAM */ + setpwent(); pwd = getpwnam(locuser); if (pwd == NULL) { 
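Review bot: in the authentication hunk (`@@ -341,6 +374,36 @@`) the failure path calls `pam_end(pamh, retcode)` and then passes `pamh` to `pam_strerror()` in the syslog that follows, i.e. it uses a handle that has already been released; log first, then end. The three `pam_set_item` calls ignore their return values, and `PAM_TTY` is set to the literal `"tty"` although rshd has no controlling terminal, so any module that keys on the tty name will see a bogus value; either leave PAM_TTY unset for rshd or check the result and set something a module can interpret.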
@@ -349,11 +412,42 @@ remuser, fromhost, locuser, cmdbuf); if (errorstr == NULL) errorstr = "Login incorrect.\n"; - goto fail; + error(errorstr, fromhost); + exit(1); } -#ifdef LOGIN_CAP + +#ifndef USE_PAM + if (errorstr || + (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || + iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, + remuser, locuser) < 0) { + if (__rcmd_errstr) + syslog(LOG_INFO|LOG_AUTH, + "%s@%s as %s: permission denied (%s). cmd='%.80s'", + remuser, fromhost, locuser, __rcmd_errstr, + cmdbuf); + else + syslog(LOG_INFO|LOG_AUTH, + "%s@%s as %s: permission denied. cmd='%.80s'", + remuser, fromhost, locuser, cmdbuf); + if (errorstr == NULL) + errorstr = "Login incorrect.\n"; + error(errorstr, fromhost); + exit(1); + } +#endif /* USE_PAM */ + +#ifdef LOGIN_CAP lc = login_getpwclass(pwd); -#endif + if (pwd->pw_uid) + auth_checknologin(lc); +#else /* !LOGIN_CAP */ + if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) { + error("Logins currently disabled.\n"); + exit(1); + } +#endif /* LOGIN_CAP */ + if (chdir(pwd->pw_dir) < 0) { #ifdef LOGIN_CAP if (chdir("/") < 0 || @@ -377,30 +471,6 @@ pwd->pw_dir = "/"; } - if (errorstr || - (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || - iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, - remuser, locuser) < 0) { - if (__rcmd_errstr) - syslog(LOG_INFO|LOG_AUTH, - "%s@%s as %s: permission denied (%s). cmd='%.80s'", - remuser, fromhost, locuser, __rcmd_errstr, - cmdbuf); - else - syslog(LOG_INFO|LOG_AUTH, - "%s@%s as %s: permission denied. cmd='%.80s'", - remuser, fromhost, locuser, cmdbuf); -fail: - if (errorstr == NULL) - errorstr = "Login incorrect.\n"; - error(errorstr, fromhost); - exit(1); - } - - if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) { - error("Logins currently disabled.\n"); - exit(1); - } #ifdef LOGIN_CAP if (lc != NULL && fromp->su_family == AF_INET) { /*XXX*/ char remote_ip[MAXHOSTNAMELEN]; 
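Review bot: under USE_PAM the whole `if (errorstr || (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || iruserok_sa(...) < 0)` check in hunk `@@ -349,11 +412,42 @@` is compiled out, so two things stop being enforced in the PAM build: whatever set `errorstr` earlier in the function, and the `pw_expire` account-expiry test, which now depends entirely on the configured account module doing an equivalent check. Keep the `errorstr` test outside the `#ifndef USE_PAM`, and either keep the `pw_expire` test or state in the commit message that `pam_acct_mgmt` is expected to cover it.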
@@ -421,13 +491,36 @@ exit(1); } } -#endif /* !LOGIN_CAP */ +#endif /* LOGIN_CAP */ #if BSD > 43 /* before fork, while we're session leader */ if (setlogin(pwd->pw_name) < 0) syslog(LOG_ERR, "setlogin() failed: %m"); #endif + /* + * PAM modules might add supplementary groups in + * pam_setcred(), so initialize them first. + * But we need to open the session as root. + */ +#ifdef LOGIN_CAP + if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) { + syslog(LOG_ERR, "setusercontext: %m"); + exit(1); + } +#else /* !LOGIN_CAP */ + (void) setgid((gid_t)pwd->pw_gid); + initgroups(pwd->pw_name, pwd->pw_gid); +#endif /* LOGIN_CAP */ + +#ifdef USE_PAM + if ((retcode = pam_open_session(pamh, 0)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, retcode)); + } else if ((retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, retcode)); + } +#endif /* USE_PAM */ + (void) write(STDERR_FILENO, "\0", 1); sent_null = 1; @@ -451,6 +544,9 @@ pid = fork(); if (pid == -1) { error("Can't fork; try again.\n"); +#ifdef USE_PAM + PAM_END; +#endif /* USE_PAM */ exit(1); } if (pid) { @@ -569,6 +665,9 @@ (doencrypt && FD_ISSET(pv1[0], &readfrom)) || #endif FD_ISSET(pv[0], &readfrom)); +#ifdef USE_PAM + PAM_END; +#endif /* USE_PAM */ exit(0); } setpgrp(0, getpid()); @@ -586,6 +685,23 @@ dup2(pv[1], 2); close(pv[1]); } +#ifdef USE_PAM + else { + pid = fork(); + if (pid == -1) { + error("Can't fork; try again.\n"); + PAM_END; + exit(1); + } + if (pid) { + /* Parent. */ + wait(NULL); + PAM_END; + exit(0); + } + } +#endif /* USE_PAM */ + if (*pwd->pw_shell == '\0') pwd->pw_shell = _PATH_BSHELL; environ = envinit; 
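Review bot: in the session hunk (`@@ -421,13 +491,36 @@`) a failing `pam_open_session` or `pam_setcred(pamh, PAM_ESTABLISH_CRED)` only syslogs and falls through to running the command, unlike every other PAM failure in this file, which exits; a module that refuses the session is therefore ignored. Make both fatal with `error(...)` and `exit(1)` (after `PAM_END`), and in the `#else /* !LOGIN_CAP */` branch check the `initgroups()` return value the way the LOGIN_CAP branch checks `setusercontext()`.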
@@ -598,17 +714,24 @@ cp++; else cp = pwd->pw_shell; + #ifdef LOGIN_CAP - if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL) != 0) { + if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL & ~LOGIN_SETGROUP) != 0) { syslog(LOG_ERR, "setusercontext: %m"); exit(1); } login_close(lc); #else - (void) setgid((gid_t)pwd->pw_gid); - initgroups(pwd->pw_name, pwd->pw_gid); (void) setuid((uid_t)pwd->pw_uid); #endif +#ifdef USE_PAM + env = (const char * const *)pam_getenvlist(pamh); + if (env != NULL) { + for (i=0; env[i]; i++) + putenv(env[i]); + } +#endif /* USE_PAM */ + endpwent(); if (log_success || pwd->pw_uid == 0) { syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: cmd='%.80s'", --- ./usr.bin/login/Makefile 2001/01/21 04:44:21 1.1 +++ ./usr.bin/login/Makefile 2001/01/21 04:44:45 @@ -11,9 +11,8 @@ DPADD= ${LIBUTIL} ${LIBCRYPT} LDADD= -lutil -lcrypt -.if defined(NOPAM) -CFLAGS+= -DNO_PAM -.else +.if !defined(NOPAM) +CFLAGS+= -DUSE_PAM DPADD+= ${LIBPAM} LDADD+= ${MINUSLPAM} .endif --- ./usr.bin/login/login.c 2000/08/08 03:12:59 1.1 +++ ./usr.bin/login/login.c 2001/01/21 04:44:15 @@ -78,10 +78,11 @@ #include #include -#ifndef NO_PAM +#ifdef USE_PAM #include #include -#endif +#include +#endif /* USE_PAM */ #include "pathnames.h" @@ -104,9 +105,18 @@ int login_access __P((char *, char *)); void login_fbtab __P((char *, uid_t, gid_t)); -#ifndef NO_PAM +#ifdef USE_PAM static int auth_pam __P((void)); -#endif +pam_handle_t *pamh = NULL; +#define PAM_END { \ + if ((e = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) \ + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); \ + if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS) \ + syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e)); \ + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) \ + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); \ +} +#endif /* USE_PAM */ static int auth_traditional __P((void)); extern void login __P((struct utmp *)); static void usage __P((void)); 
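Review bot: the login.c `PAM_END` macro in hunk `@@ -104,9 +105,18 @@` is defined at file scope but assigns `e`, which is only declared as a local of main in a later hunk; `pamh` is global, `e` is not, so the macro silently depends on its call site. Pass the status variable as a macro argument or make it a `static` function, as the same pattern in rshd.c would also benefit from.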
@@ -150,6 +160,10 @@ char tname[sizeof(_PATH_TTY) + 10]; char *shell = NULL; login_cap_t *lc = NULL; +#ifdef USE_PAM + pid_t pid; + int e; +#endif /* USE_PAM */ (void)signal(SIGQUIT, SIG_IGN); (void)signal(SIGINT, SIG_IGN); @@ -309,19 +323,19 @@ (void)setpriority(PRIO_PROCESS, 0, -4); -#ifndef NO_PAM +#ifdef USE_PAM /* * Try to authenticate using PAM. If a PAM system error * occurs, perhaps because of a botched configuration, * then fall back to using traditional Unix authentication. */ if ((rval = auth_pam()) == -1) -#endif /* NO_PAM */ +#endif /* USE_PAM */ rval = auth_traditional(); (void)setpriority(PRIO_PROCESS, 0, 0); -#ifndef NO_PAM +#ifdef USE_PAM /* * PAM authentication may have changed "pwd" to the * entry for the template user. Check again to see if @@ -329,7 +343,7 @@ */ if (pwd != NULL && pwd->pw_uid == 0) rootlogin = 1; -#endif /* NO_PAM */ +#endif /* USE_PAM */ ttycheck: /* @@ -549,6 +563,43 @@ environ = envinit; /* + * PAM modules might add supplementary groups during pam_setcred(). + */ + if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) { + syslog(LOG_ERR, "setusercontext() failed - exiting"); + exit(1); + } + +#ifdef USE_PAM + if (pamh) { + if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, e)); + } else if ((e = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); + } + + /* + * We must fork() before setuid() because we need to call + * pam_close_session() as root. + */ + pid = fork(); + if (pid < 0) { + err(1, "fork"); + PAM_END; + exit(0); + } else if (pid) { + /* parent - wait for child to finish, then cleanup session */ + wait(NULL); + PAM_END; + exit(0); + } else { + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + } + } +#endif /* USE_PAM */ + + /* * We don't need to be root anymore, so * set the user and session context */ 
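Review bot: hunk `@@ -549,6 +563,43 @@` repeats two problems: `pam_open_session`/`pam_setcred` failures are logged and login continues, and in the `pid < 0` branch `err(1, "fork")` exits before `PAM_END`, so a fork failure leaves the session open with credentials established as root. Treat the session calls as fatal and run `PAM_END` before `err()`. The new `setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP)` is outside `#ifdef USE_PAM` and so also changes group initialization order for the NOPAM build; that looks intentional but deserves a comment, since the matching `~LOGIN_SETGROUP` mask lives in a later hunk.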
@@ -557,7 +608,7 @@ exit(1); } if (setusercontext(lc, pwd, pwd->pw_uid, - LOGIN_SETALL & ~LOGIN_SETLOGIN) != 0) { + LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETGROUP)) != 0) { syslog(LOG_ERR, "setusercontext() failed - exiting"); exit(1); } @@ -573,6 +624,17 @@ (void)setenv("USER", username, 1); (void)setenv("PATH", rootlogin ? _PATH_STDPATH : _PATH_DEFPATH, 0); +#ifdef USE_PAM + if (pamh) { + const char * const *env = (const char * const *)pam_getenvlist(pamh); + int i; + if (env != NULL) { + for (i=0; env[i]; i++) + putenv(env[i]); + } + } +#endif /* USE_PAM */ + if (!quietlog) { char *cw; @@ -652,7 +714,7 @@ return rval; } -#ifndef NO_PAM +#ifdef USE_PAM /* * Attempt to authenticate the user using PAM. Returns 0 if the user is * authenticated, or 1 if not authenticated. If some sort of PAM system @@ -663,7 +725,6 @@ static int auth_pam() { - pam_handle_t *pamh = NULL; const char *tmpl_user; const void *item; int rval; @@ -724,17 +785,33 @@ break; default: - syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); + syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, e)); rval = -1; break; } - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); - rval = -1; + + if (rval != -1) { + e = pam_acct_mgmt(pamh, 0); + if (e == PAM_NEW_AUTHTOK_REQD) { + e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (e != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, e)); + rval = -1; + } + } else if (e != PAM_SUCCESS) { + rval = 1; + } + } + + if (rval == -1) { + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + } + pamh = NULL; } return rval; } -#endif /* NO_PAM */ +#endif /* USE_PAM */ static void usage() @@ -745,7 +822,7 @@ /* * Allow for authentication style and/or kerberos instance - * */ + */ #define NBUFSIZ UT_NAMESIZE + 64 --- ./usr.bin/su/Makefile 2001/01/16 21:33:47 1.1 +++ ./usr.bin/su/Makefile 2001/01/21 04:45:12 
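Review bot: in the `auth_pam()` hunk (`@@ -724,17 +785,33 @@`), when `pam_acct_mgmt` fails with anything other than PAM_NEW_AUTHTOK_REQD, `rval` is set to 1 but the handle is neither ended nor cleared, unlike the `rval == -1` path; with `pamh` now a file-scope global, the next `auth_pam()` call overwrites it with a fresh handle and leaks the old one, and `pamh` stays non-NULL for the `if (pamh)` checks in main even though the account check failed. End the handle and set `pamh = NULL` on every non-success return.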
@@ -8,6 +8,12 @@ DPADD= ${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT} LDADD= -lutil -lskey -lmd -lcrypt +.if !defined(NOPAM) +CFLAGS+= -DUSE_PAM +DPADD+= ${LIBPAM} +LDADD+= ${MINUSLPAM} +.endif + .if defined(WHEELSU) COPTS+= -DWHEELSU .endif --- ./usr.bin/su/su.c 2000/02/24 21:06:21 1.1 +++ ./usr.bin/su/su.c 2001/01/21 04:27:04 @@ -65,6 +65,30 @@ #include #endif +#ifdef USE_PAM +#include +#include +#include +#include +#define PAM_FAIL_CHECK \ + if (retcode != PAM_SUCCESS) { \ + fprintf(stderr, "su: PAM error: %s\n", pam_strerror(pamh, retcode)); \ + syslog(LOG_ERR, "PAM error: %s", pam_strerror(pamh, retcode)); \ + pam_end(pamh, retcode); \ + exit(1); \ + } +#define PAM_END { \ + if ((retcode = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) { \ + fprintf(stderr, "su: PAM error: %s\n", pam_strerror(pamh, retcode)); \ + syslog(LOG_ERR, "PAM error: %s", pam_strerror(pamh, retcode)); \ + } \ + if ((retcode = pam_end(pamh,retcode)) != PAM_SUCCESS) { \ + fprintf(stderr, "su: PAM error: %s\n", pam_strerror(pamh, retcode)); \ + syslog(LOG_ERR, "PAM error: %s", pam_strerror(pamh, retcode)); \ + } \ +} +#endif /* USE_PAM */ + #ifdef SKEY #include #endif @@ -107,8 +131,7 @@ char *targetpass; int iswheelsu; #endif /* WHEELSU */ - char *p, **g, *user, *shell=NULL, *username, **cleanenv, **nargv, **np; - struct group *gr; + char *p, *user, *shell=NULL, *username, *cleanenv = NULL, **nargv, **np; uid_t ruid; gid_t gid; int asme, ch, asthem, fastlogin, prio, i; @@ -118,6 +141,18 @@ char *class=NULL; int setwhat; #endif +#ifdef USE_PAM + int retcode; + pam_handle_t *pamh = NULL; + struct pam_conv conv = { misc_conv, NULL }; + char myhost[MAXHOSTNAMELEN + 1], *mytty; + int statusp=0; + int child_pid, child_pgrp, ret_pid; + const char * const *env; +#else /* !USE_PAM */ + char **g; + struct group *gr; +#endif /* USE_PAM */ #ifdef KERBEROS char *k; #endif 
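Review bot: `PAM_FAIL_CHECK` and `PAM_END` (hunk `@@ -65,6 +65,30 @@`) expand to a bare `if` and a bare block and are invoked as `PAM_FAIL_CHECK;`, which leaves a stray empty statement and makes an `else` after them bind unexpectedly; wrap both bodies in `do { ... } while (0)`. `PAM_FAIL_CHECK` also hides an `exit(1)` inside what reads like an ordinary statement, so a one-line comment at the definition would help the next reader.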
@@ -214,6 +249,38 @@ } } +#ifdef USE_PAM + retcode = pam_start("su", user, &conv, &pamh); + PAM_FAIL_CHECK; + + gethostname(myhost, sizeof(myhost)); + retcode = pam_set_item(pamh, PAM_RHOST, myhost); + PAM_FAIL_CHECK; + + mytty = ttyname(STDERR_FILENO); + if (!mytty) + mytty = "tty"; + retcode = pam_set_item(pamh, PAM_TTY, mytty); + PAM_FAIL_CHECK; + + if (ruid) { + retcode = pam_authenticate(pamh, 0); + PAM_FAIL_CHECK; + + if ((retcode = pam_get_item(pamh, PAM_USER, (const void **) &p)) == PAM_SUCCESS) { + user = p; + } else + syslog(LOG_ERR|LOG_AUTH, "Couldn't get PAM_USER: %s", + pam_strerror(pamh, retcode)); + + retcode = pam_acct_mgmt(pamh, 0); + if (retcode == PAM_NEW_AUTHTOK_REQD) + retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + PAM_FAIL_CHECK; + } + +#endif /* USE_PAM */ + /* get target login information, default to root */ if ((pwd = getpwnam(user)) == NULL) { errx(1, "unknown login: %s", user); @@ -230,6 +297,7 @@ } #endif +#ifndef USE_PAM #ifdef WHEELSU targetpass = strdup(pwd->pw_passwd); #endif /* WHEELSU */ @@ -280,11 +348,12 @@ #ifdef WHEELSU || (iswheelsu && !strcmp(targetpass, crypt(p,targetpass))) #endif /* WHEELSU */ - )) { -#else + )) +#else /* !SKEY */ p = getpass("Password:"); - if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) { -#endif + if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) +#endif /* SKEY */ + { #ifdef KERBEROS if (!use_kerberos || (use_kerberos && kerberos(username, user, pwd->pw_uid, p))) #endif @@ -308,10 +377,11 @@ exit(1); } } +#endif /* USE_PAM */ if (asme) { /* if asme and non-standard target shell, must be root */ - if (!chshell(pwd->pw_shell) && ruid) + if (ruid && !chshell(pwd->pw_shell)) errx(1, "permission denied (shell)."); } else if (pwd->pw_shell && *pwd->pw_shell) { shell = pwd->pw_shell; 
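Review bot: in hunk `@@ -214,6 +249,38 @@`, `pam_get_item(pamh, PAM_USER, (const void **) &p)` punning a `char **` as `const void **` is what login.c avoids with its `const void *item` temporary; use the same here and assign `user` from it. `gethostname(myhost, sizeof(myhost))` ignores its return value, and the resulting `PAM_RHOST` is the local hostname, which is only meaningful if the account modules in use expect it; if nothing consumes it, leaving PAM_RHOST unset avoids misleading any host-based module.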
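Review bot: the `#ifndef USE_PAM` added in hunks `@@ -230,6 +297,7 @@` and `@@ -308,10 +377,11 @@` compiles the entire S/Key, WHEELSU and Kerberos password path out of su.c, yet the su Makefile hunk still passes `-DSKEY`, links `-lskey -lmd -lcrypt` and honours `WHEELSU`; with the default (PAM) build these options silently do nothing. Either make them conditional on `defined(NOPAM)` in the Makefile or document that they only take effect with NOPAM.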
@@ -334,9 +404,57 @@ (void)setpriority(PRIO_PROCESS, 0, prio); + /* + * PAM modules might add supplementary groups in + * pam_setcred(), so initialize them first. + */ +#ifdef LOGIN_CAP + if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) < 0) + err(1, "setusercontext"); +#else + if (setgid(pwd->pw_gid) < 0) + err(1, "setgid"); + if (initgroups(user, pwd->pw_gid)) + errx(1, "initgroups failed"); +#endif + +#ifdef USE_PAM + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED); + PAM_FAIL_CHECK; + + /* + * We must fork() before setuid() because we need to call + * pam_setcred(pamh, PAM_DELETE_CRED) as root. + */ + + statusp = 1; + switch ((child_pid = fork())) { + default: + while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) { + if (WIFSTOPPED(statusp)) { + child_pgrp = tcgetpgrp(1); + kill(getpid(), SIGSTOP); + tcsetpgrp(1, child_pgrp); + kill(child_pid, SIGCONT); + statusp = 1; + continue; + } + break; + } + if (ret_pid == -1) + err(1, "waitpid"); + PAM_END; + exit(statusp); + case -1: + err(1, "fork"); + PAM_END; + exit (1); + case 0: +#endif /* USE_PAM */ + #ifdef LOGIN_CAP /* Set everything now except the environment & umask */ - setwhat = LOGIN_SETUSER|LOGIN_SETGROUP|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY; + setwhat = LOGIN_SETUSER|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY; /* * Don't touch resource/priority settings if -m has been * used or -l and -c hasn't, and we're not su'ing to root. @@ -346,11 +464,6 @@ if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) < 0) err(1, "setusercontext"); #else - /* set permissions */ - if (setgid(pwd->pw_gid) < 0) - err(1, "setgid"); - if (initgroups(user, pwd->pw_gid)) - errx(1, "initgroups failed"); if (setuid(pwd->pw_uid) < 0) err(1, "setuid"); #endif 
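Review bot: in the fork/wait hunk (@@ -334,9 +404,57 @@), "exit(statusp)" in the parent passes the raw waitpid() status to exit(): a child that exits 1 yields 256, which truncates to 0, so su reports success when the shell failed, and a child killed by a signal is reported as that signal number in the low byte. Use "if (WIFEXITED(statusp)) exit(WEXITSTATUS(statusp));" and map or re-raise the signal for WIFSIGNALED(statusp). In the "case -1:" arm, PAM_END follows "err(1, "fork")", which never returns, so the credentials established by pam_setcred(pamh, PAM_ESTABLISH_CRED) are never deleted on fork failure; run PAM_END before err(), or warn(), PAM_END, exit(1). The waitpid() loop treats every -1 as fatal, including EINTR, which would leave the child running while su exits; retry on EINTR. Minor: tcgetpgrp(1)/tcsetpgrp(1, ...) assume stdout is the controlling terminal, while ttyname() above uses STDERR_FILENO; pick one descriptor (or open the tty explicitly) so the job-control handoff does not break when stdout is redirected.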
@@ -361,10 +474,7 @@ #ifdef KERBEROS k = getenv("KRBTKFILE"); #endif - if ((cleanenv = calloc(20, sizeof(char*))) == NULL) - errx(1, "calloc"); - cleanenv[0] = NULL; - environ = cleanenv; + environ = &cleanenv; #ifdef LOGIN_CAP /* set the su'd user's environment & umask */ setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV); @@ -385,6 +495,19 @@ (void)setenv("HOME", pwd->pw_dir, 1); (void)setenv("SHELL", shell, 1); } + +#ifdef LOGIN_CAP + login_close(lc); +#endif /* LOGIN_CAP */ + +#ifdef USE_PAM + env = (const char * const *)pam_getenvlist(pamh); + if (env != NULL) { + for (i=0; env[i]; i++) + putenv(env[i]); + } +#endif /* USE_PAM */ + if (iscsh == YES) { if (fastlogin) *np-- = "-f"; @@ -399,10 +522,11 @@ syslog(LOG_NOTICE|LOG_AUTH, "%s to %s%s", username, user, ontty()); - login_close(lc); - execv(shell, np); err(1, "%s", shell); +#ifdef USE_PAM + } +#endif /* USE_PAM */ } static void

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Jan 20 21:10:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from jenkins.web.us.uu.net (jenkins.web.us.uu.net [208.240.88.32]) by hub.freebsd.org (Postfix) with ESMTP id B233337B401; Sat, 20 Jan 2001 21:10:26 -0800 (PST)
Received: by jenkins.web.us.uu.net (Postfix, from userid 515) id CB06E12686; Sun, 21 Jan 2001 00:10:25 -0500 (EST)
To: djm@web.us.uu.net, rwatson@FreeBSD.ORG
Subject: Re: improved: PAM support for login, rshd, and su
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <20010121051025.CB06E12686@jenkins.web.us.uu.net>
Date: Sun, 21 Jan 2001 00:10:25 -0500 (EST)
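Review bot: in the environ hunk (@@ -361,10 +474,7 @@), "environ = &cleanenv;" points environ at a one-element array on su's stack (cleanenv is now a single char * initialized to NULL) in place of the calloc()ed array it replaces. That is only safe if every later setenv()/putenv() copies an environ it does not own before growing it, and if nothing earlier in the process has already made libc treat environ as its own allocation; a PAM module invoked from pam_authenticate() or pam_setcred() that calls setenv() could do exactly that, after which the next insertion may realloc() a stack address. Keeping the heap-allocated empty array costs one calloc() and removes the dependency; if the change stays, put the assumption in a comment next to the assignment.

Review bot: in the pam_getenvlist() hunk (@@ -385,6 +495,19 @@), the putenv() loop runs after setusercontext(..., LOGIN_SETENV) and after the explicit setenv() calls for HOME and SHELL, and putenv() replaces existing entries, so a PAM module can override PATH, HOME, SHELL or anything else login.conf set for the target user. That may be intended (a credential-cache variable is the obvious case), but it is policy and should be stated in a comment; if login.conf is meant to win, apply the PAM list first instead. Also the cast to "const char * const *" is immediately undone by handing env[i] to putenv(); declare env as char ** (pam_getenvlist()'s return type) and drop the cast. The array is never freed, which is harmless here since exec follows, but a comment saying so avoids a later "fix".

Review bot: in the exec hunk (@@ -399,10 +522,11 @@), the lone "}" added under #ifdef USE_PAM closes the "switch ((child_pid = fork()))" opened in the @@ -334 hunk, roughly 120 lines earlier, and the "case 0:" fall-through into the unconditional exec path is not obvious at that distance; a "/* case 0: child */" comment at the fork and a "/* switch */" comment on this brace would make the structure readable.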
From: djm@web.us.uu.net (David J. MacKenzie)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> So, at one point recently I sent e-mail to freebsd-arch proposing that we
> eliminate the #ifdef for LOGIN_CAP. I asked if anyone was actually not
> using the login.conf stuff in their configuration but haven't found any
> examples yet. Having two code paths for all sensitive authorization and
> authentication code really makes a mess of things, and also means that
> login.conf can't be used as a comprehensive source of policy.

I agree. login already uses login_cap unconditionally, so I don't see any
point in having su and rshd maintain two code paths.