From owner-freebsd-security Sun Nov 4 11:11:23 2001
From: Francisco Reyes
Date: Sun, 4 Nov 2001 14:10:43 -0500 (EST)
To: FreeBSD Security List
Subject: Chroot or jail?
Message-ID: <20011104140305.C18599-100000@zoraida.natserv.net>

I am trying to see which method would be best for the following. I have an
ID I use to copy data from one machine to another using SSH. I created some
passwordless keys for the ID so the synchronization program, unison, could
run unattended.

As an additional precaution I wanted to isolate what the ID could see. I
was unable to understand the chroot man page, and the jail page will take
me some time to read, so I am going to print it and read it carefully.

Does chroot need to be run as root? If so, how does one specify what user
it should be?

If I get some good info on chroot I may try to improve the man page, since
it is a bit short and there doesn't seem to be much on this topic in the
archives.

All I believe I will need the ID to be able to see is the directory where
the data is, and the synchronization program, which I can put in the target
directory itself.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Nov 4 11:15:33 2001
From: Poul-Henning Kamp
Date: Sun, 04 Nov 2001 20:14:28 +0100
To: Francisco Reyes
Cc: FreeBSD Security List
Subject: Re: Chroot or jail?
In-Reply-To: <20011104140305.C18599-100000@zoraida.natserv.net>
Message-ID: <21611.1004901268@critter.freebsd.dk>

In message <20011104140305.C18599-100000@zoraida.natserv.net>, Francisco Reyes writes:

> I am trying to see which method would be best for the following. I have an
> ID I use to copy data from one machine to another using SSH. I created
> some passwordless keys for the ID so the synchronization program, unison,
> could run unattended.
>
> As an additional precaution I wanted to isolate what the ID could see. I
> was unable to understand the chroot man page, and the jail page will take
> me some time to read, so I am going to print it and read it carefully.

Both chroot and jail must be run as root. Chroot doesn't hide anything,
only jail does.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security Sun Nov 4 11:19:57 2001
From: "Danny Horne"
Date: Sun, 4 Nov 2001 19:20:33 -0000
To: "Ian Smith"
Subject: RE: OT - Attack on Apache?

> -----Original Message-----
> From: Ian Smith
> Sent: Saturday 03 November 2001 5:41pm
> To: Danny Horne
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: OT - Attack on Apache?
>
> 408 is a Request Timeout. 'The client did not produce a request within
> the time that the server was prepared to wait. The client MAY repeat
> the request without modifications at any later time.'
>
> Most likely just the source box so bogged down that it can't complete
> its requests in time. I've only seen such groups of these from Windows
> webserver IPs infected with Nimda, 'randomly' scanning our subnet with
> HTTP requests. Only a bother, not a danger.
>
> Note that the first octet of the IP address is the same as yours. You
> may see as many or more of these (Nimda requests in general), over time,
> from IPs having the same first two octets as your own address. We did,
> anyway. Walling it off from tcp 80 access, at least until it's fixed,
> won't hurt :-)

Thanks Ian, I've put a blanket ban on this IP for a while.

From owner-freebsd-security Sun Nov 4 11:22:43 2001
From: Francisco Reyes
Date: Sun, 4 Nov 2001 14:22:03 -0500 (EST)
To: FreeBSD Security List
Subject: Free or Commercial crypto filesystem?
Message-ID: <20011104142053.P18641-100000@zoraida.natserv.net>

Didn't find much in the archives.

Any currently working crypto filesystem for FreeBSD?

I found tcfs, but it seems they don't have the BSD version ready yet.
From owner-freebsd-security Sun Nov 4 11:35:04 2001
From: "Martin J. Muench"
Date: Sun, 4 Nov 2001 20:35:45 +0100 (CET)
To: Francisco Reyes
Cc: FreeBSD Security List
Subject: Re: Free or Commercial crypto filesystem?
In-Reply-To: <20011104142053.P18641-100000@zoraida.natserv.net>
Message-ID: <20011104203304.X3191-100000@gomorrha.mjmnet>

Hi,

> Any currently working crypto filesystem for FreeBSD?

CFS (Cryptographic File System): /usr/ports/security/cfs

> I found tcfs, but it seems they don't have the BSD version ready yet.

There is only a NetBSD and an OpenBSD version at the moment at
http://tcfs.dia.unisa.it/

--[ Martin J. Muench ]--
--[ http://mjm.gmc-online.de ]--
--[ http://perl.gmc-online.de ]--

From owner-freebsd-security Sun Nov 4 11:49:23 2001
From: Francisco Reyes
Date: Sun, 4 Nov 2001 14:48:31 -0500 (EST)
To: Poul-Henning Kamp
Cc: FreeBSD Security List
Subject: Re: Chroot or jail?
In-Reply-To: <21611.1004901268@critter.freebsd.dk>
Message-ID: <20011104144213.R18641-100000@zoraida.natserv.net>

On Sun, 4 Nov 2001, Poul-Henning Kamp wrote:

> Both chroot and jail must be run as root. Chroot doesn't hide
> anything, only jail does.

So what was chroot used for?

For jail, is it necessary to have an entire environment? I only need a few
binaries.
From owner-freebsd-security Sun Nov 4 11:57:59 2001
From: Poul-Henning Kamp
Date: Sun, 04 Nov 2001 20:57:05 +0100
To: Francisco Reyes
Cc: FreeBSD Security List
Subject: Re: Chroot or jail?
In-Reply-To: <20011104144213.R18641-100000@zoraida.natserv.net>
Message-ID: <22273.1004903825@critter.freebsd.dk>

In message <20011104144213.R18641-100000@zoraida.natserv.net>, Francisco Reyes writes:

> On Sun, 4 Nov 2001, Poul-Henning Kamp wrote:
>
>> Both chroot and jail must be run as root. Chroot doesn't hide
>> anything, only jail does.
>
> So what was chroot used for?

See /usr/share/doc/papers/jail.ascii.gz

> For jail, is it necessary to have an entire environment? I only need a few
> binaries.

You only need the binaries you want.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
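As an added example (not from the thread, and not FreeBSD's own chroot(8) or jail(8) tooling), the script below builds the kind of tree the thread describes: only the binaries the sync ID needs, plus the shared libraries ldd reports for each, and a check that nothing is missing before the job is entered. The function names and the /home/chrooted/unison path are assumptions.

```shell
#!/bin/sh
# Added example: populate a minimal chroot tree with only the binaries a
# job needs (here a sync user running unison over ssh) plus the shared
# libraries ldd reports for each one. Function names and the target path
# are assumptions, not anything from the thread. Note the thread's point:
# this only narrows the filesystem view; a chrooted process still sees the
# host's processes and network, which is what jail(8) adds on top.
set -eu

# needed_libs BIN: print the absolute paths of the shared objects BIN links
# against, one per line (empty for static binaries or when ldd is absent).
needed_libs() {
    command -v ldd >/dev/null 2>&1 || return 0
    # Linux and FreeBSD ldd both print "name => /path/lib.so (0x...)"; the
    # dynamic loader shows up as a bare "/path/ld.so (0x...)". FreeBSD also
    # prints a "/path/to/bin:" banner, dropped here by skipping fields
    # ending in ":".
    ldd "$1" 2>/dev/null | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\// && $i !~ /:$/) print $i
    }'
}

# copy_into ROOT PATH: copy one file under ROOT, mirroring its directory.
copy_into() {
    mkdir -p "$1$(dirname "$2")"
    cp "$2" "$1$2"
}

# populate_chroot ROOT BIN...: copy each BIN and its libraries under ROOT.
populate_chroot() {
    root=$1; shift
    for bin in "$@"; do
        copy_into "$root" "$bin"
        for lib in $(needed_libs "$bin"); do
            [ -f "$root$lib" ] || copy_into "$root" "$lib"
        done
    done
}

# chroot_check ROOT BIN...: list anything the binaries need that is not
# under ROOT; returns non-zero if something is missing, so it can gate the
# cron job or ssh forced command that enters the chroot.
chroot_check() {
    root=$1; shift
    status=0
    for bin in "$@"; do
        [ -x "$root$bin" ] || { echo "missing: $bin"; status=1; }
        for lib in $(needed_libs "$bin"); do
            [ -f "$root$lib" ] || { echo "missing: $lib"; status=1; }
        done
    done
    return $status
}

# Usage with assumed paths (unison from ports installs under /usr/local):
#   populate_chroot /home/chrooted/unison /bin/sh /usr/local/bin/unison
#   chroot_check    /home/chrooted/unison /bin/sh /usr/local/bin/unison
# then, as root: chroot /home/chrooted/unison /bin/sh
```

chroot_check is the part worth keeping around: a library that is upgraded on the host but not re-copied into the tree is the usual way a chroot silently breaks.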
From owner-freebsd-security Sun Nov 4 16:55:43 2001
From: "alexus"
Date: Sun, 4 Nov 2001 19:55:38 -0500
Subject: jail
Message-ID: <001501c16594$96578d90$fb069840@daddy>

Does jail require NAT to be set up in order for jail users to go outside of
the jail (like browsing, telnetting out, etc.)?

From owner-freebsd-security Sun Nov 4 17:20:39 2001
From: "Thomas S. Greenwalt"
Reply-To: tomg@trancer.com
Organization: Trancer Software Inc.
Date: Sun, 4 Nov 2001 19:20:40 -0600
To: freebsd-security@freebsd.org
Subject: firewall question
Message-Id: <200111050120.fA51Ke400467@vr5.trancer.com>

I've been playing with setting up a firewall. This is the setup:

The firewall PC is running FreeBSD 4.4 with the default 'simple' firewall
running. There are two ethernet cards in it, one at IP 206.147.211.9
talking to the outside network. The other ethernet card is using IP
10.0.0.1 and is talking to an internal network of two PCs. One PC is
running FreeBSD 4.4 and is at IP 10.0.0.2, and the other PC is running
Win98 and is at IP 10.0.0.3. Both are using 10.0.0.1 as the default
gateway.

If both machines are plugged into the network and running, everything seems
to be working fine. However, as soon as I shut down the Win98 box or unplug
it from the network, the FreeBSD machine can't communicate out of the
firewall anymore. Plug the Win98 box back in and it starts working again.

Any suggestions?

TIA

--
Tom Greenwalt (F.O.E.)            Trancer Software Inc.
tomg@trancer.com                  9099 7th Street NE
http://www.trancer.com/           Minneapolis, MN 55434-1113
http://www.trancer.com/~tomg
---- When I'm good I'm very good, when I'm bad I'm better, ----
---------- But when I'm evil you better run. -------------
From owner-freebsd-security Sun Nov 4 22:34:24 2001
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
Date: Sun, 4 Nov 2001 22:32:30 -0800
To: alexus
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: jail
In-Reply-To: <001501c16594$96578d90$fb069840@daddy>
Message-ID: <20011104223230.C325@blossom.cjclark.org>
X-URL: http://people.freebsd.org/~cjc/

On Sun, Nov 04, 2001 at 07:55:38PM -0500, alexus wrote:
> Does jail require NAT to be set up in order for jail users to go outside
> of the jail (like browsing, telnetting out, etc.)?

No.

--
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-security Sun Nov 4 23:21:52 2001
From: Christoph Kukulies
Date: Mon, 5 Nov 2001 08:21:46 +0100 (CET)
To: freebsd-security@freebsd.org
Subject: sshd - corrupted check bytes on input
Message-Id: <200111050721.fA57Lko76929@gilberto.physik.rwth-aachen.de>

I found a syslog entry from Nov 2, 00:30 saying:

sshd: Local: Corrupted check bytes on input.

Possible attack? What is the way to go with sshd and FreeBSD?

--
Chris
Christoph P. U. Kukulies  kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Sun Nov 4 23:54:21 2001
From: "alexus"
Date: Mon, 5 Nov 2001 02:54:16 -0500
Subject: Re: jail
References: <001501c16594$96578d90$fb069840@daddy> <20011104223230.C325@blossom.cjclark.org>
Message-ID: <001901c165cf$11bf7440$0f00a8c0@alexus>

How else should I set it up then? My jail users seem to be really in jail :)
I mean they can't go outside of the jail to the evil internet :] They can't
browse, they can't telnet/ssh outside, they can't use irc, nothing.

Any ideas?

----- Original Message -----
From: "Crist J. Clark"
To: "alexus"
Sent: Monday, November 05, 2001 1:32 AM
Subject: Re: jail

> On Sun, Nov 04, 2001 at 07:55:38PM -0500, alexus wrote:
> > Does jail require NAT to be set up in order for jail users to go outside
> > of the jail (like browsing, telnetting out, etc.)?
>
> No.
> --
> Crist J. Clark                     | cjclark@alum.mit.edu
>                                    | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-security Sun Nov 4 23:57:05 2001
From: Domas Mituzas
Date: Mon, 5 Nov 2001 09:56:37 +0200 (EET)
To: alexus
Subject: Re: jail
In-Reply-To: <001901c165cf$11bf7440$0f00a8c0@alexus>
Message-ID: <20011105095522.B42590-100000@axis.tdd.lt>

Hi there,

> I mean they can't go outside of the jail to the evil internet :] They can't
> browse, they can't telnet/ssh outside, they can't use irc, nothing.

That depends on which jail IP address you specified and what firewall rules
you have on that box. Jail is a synonym for fine-tuning userland's
environment.

--
Regards,
Domas

From owner-freebsd-security Mon Nov 5 00:07:40 2001
From: "Denis P. Kravar"
Date: Mon, 05 Nov 2001 14:00:23 +0600
To: freebsd-security@FreeBSD.ORG
Subject: top: nlist failed
Message-ID: <3BE64716.52C2CECF@agtu.secna.ru>

Hi all!

I installed 4.4-RELEASE and recompiled the kernel. After rebooting I type
/root> top
and receive the following:
top: nlist failed

What does it mean, and how can I run `top`?

--
With best regards Denis Kravar
ICQ: 15561179
From owner-freebsd-security Mon Nov 5 00:12:07 2001
From: titus manea
Date: Mon, 5 Nov 2001 10:11:50 +0200
To: freebsd-security@FreeBSD.ORG
Subject: Re: top: nlist failed
In-Reply-To: <3BE64716.52C2CECF@agtu.secna.ru>
Message-ID: <20011105101150.A58582@unix.edc.dnttm.ro>

Make sure you boot via loader(8) and do NOT load the kernel directly. You
may have /boot on a separate partition, and the bootstrap code is unable to
load /boot/loader and will fall back to /kernel.

On Mon, Nov 05, 2001 at 02:00:23PM +0600, Denis P. Kravar wrote:
> Hi all!
>
> I installed 4.4-RELEASE and recompiled the kernel. After rebooting I type
> /root> top
> and receive the following:
> top: nlist failed
>
> What does it mean, and how can I run `top`?
>
> --
> With best regards Denis Kravar
> ICQ: 15561179

--
__________________________________________________________________________
Titus Manea | Eastern Digital Inc. Lab owner | http://2edc.com | +40-56-192091

From owner-freebsd-security Mon Nov 5 02:04:21 2001
From: Rasputin
Date: Mon, 5 Nov 2001 10:01:48 +0000
To: "Denis P. Kravar"
Cc: security@freebsd.org
Subject: Re: top: nlist failed
In-Reply-To: <3BE64716.52C2CECF@agtu.secna.ru>
Message-ID: <20011105100148.A23407@shikima.mine.nu>

* Denis P. Kravar [011105 08:10]:
> Hi all!
>
> I installed 4.4-RELEASE and recompiled the kernel. After rebooting I type
                              ^^^^^^^^^^^^^^^^^^^^^

Looks like you need to do make world too. See Handbook for details.

> /root> top
> and receive the following:
> top: nlist failed

--
How wonderful opera would be if there were no singers.
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Mon Nov 5 02:10:01 2001
From: titus manea
Date: Mon, 5 Nov 2001 12:09:45 +0200
To: security@freebsd.org
Subject: Re: top: nlist failed
In-Reply-To: <20011105100148.A23407@shikima.mine.nu>
Message-ID: <20011105120945.A59879@unix.edc.dnttm.ro>

There is no reason to make world if you didn't update the source. He never
said he ran cvs[up] or updated the kernel source in any way.

On Mon, Nov 05, 2001 at 10:01:48AM +0000, Rasputin wrote:
> * Denis P. Kravar [011105 08:10]:
> > Hi all!
> >
> > I installed 4.4-RELEASE and recompiled the kernel. After rebooting I type
>                               ^^^^^^^^^^^^^^^^^^^^^
>
> Looks like you need to do make world too. See Handbook for details.
>
> > /root> top
> > and receive the following:
> > top: nlist failed
>
> --
> How wonderful opera would be if there were no singers.
> Rasputin :: Jack of All Trades - Master of Nuns ::

--
__________________________________________________________________________
Titus Manea | Eastern Digital Inc. Lab owner | http://2edc.com | +40-56-192091

From owner-freebsd-security Mon Nov 5 03:33:53 2001
From: Kris Kennaway
Date: Mon, 5 Nov 2001 03:33:46 -0800
To: "Denis P. Kravar"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: top: nlist failed
In-Reply-To: <3BE64716.52C2CECF@agtu.secna.ru>
Message-ID: <20011105033346.A13697@xor.obsecurity.org>

On Mon, Nov 05, 2001 at 02:00:23PM +0600, Denis P. Kravar wrote:
> Hi all!
>
> I installed 4.4-RELEASE and recompiled the kernel. After rebooting I type
> /root> top
> and receive the following:
> top: nlist failed
>
> What does it mean, and how can I run `top`?

What on earth does this have to do with security? Please don't abuse the
mailing lists.

Kris

From owner-freebsd-security Mon Nov 5 07:49:49 2001
From: "Alexander S. Volchenkov"
Reply-To: volax@uh.ru
Organization: Superbmarket
Date: Mon, 5 Nov 2001 18:51:52 +0300
To: freebsd-security@FreeBSD.ORG
Subject: Chrooted SSH2 problem
Message-Id: <200111051546.fA5FkLu62095@ns.uh.ru>

Hi All!

I've just installed ssh2 and am trying to implement its chroot feature. I
have a problem with user login.

User "dummy" is in the "chrooted" group. His home directory,
/home/chrooted/dummy, contains a bin subdirectory with a mirror of /bin.
The user's shell is /bin/sh.

Command:
chroot /home/chrooted/dummy
works fine.
From /etc/sshd2_conf:
-------------------------------------------
AllowGroups chrooted
ChRootGroups chrooted
-------------------------------------------

Client session:
-------------------------------------------
gate# ssh2 -l dummy localhost
dummy@localhost's password:
Authentication successful.
Connection to localhost closed.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-------------------------------------------

tail /var/log/messages:
-------------------------------------------
sshd[16513]: User dummy's local password accepted.
sshd[16513]: Password authentication for user dummy accepted.
sshd[16513]: User dummy, coming from localhost.sbm, authenticated.
-------------------------------------------

What I need to do to fix it?

Thanks,
Alexander S. Volchenkov (mailto:volax@uh.ru)

From owner-freebsd-security Mon Nov  5 08:02:29 2001
Date: Mon, 5 Nov 2001 17:46:39 +0200
From: Peter Pentchev
To: "Alexander S. Volchenkov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Chrooted SSH2 problem
Message-ID: <20011105174639.C77919@straylight.oblivion.bg>
Mail-Followup-To: "Alexander S. Volchenkov", freebsd-security@FreeBSD.ORG
References: <200111051546.fA5FkLu62095@ns.uh.ru>
In-Reply-To: <200111051546.fA5FkLu62095@ns.uh.ru>; from volax@uh.ru on Mon, Nov 05, 2001 at 06:51:52PM +0300

On Mon, Nov 05, 2001 at 06:51:52PM +0300, Alexander S. Volchenkov wrote:
> Hi All!
>
> I've just installed ssh2 and am trying to implement its chroot feature.
> I have a problem with user login.
>
> User "dummy" is in the "chrooted" group. His home directory,
> /home/chrooted/dummy, contains a bin subdirectory with a mirror of /bin.
> User's shell is /bin/sh. Command: chroot /home/chrooted/dummy works fine.
>
> From /etc/sshd2_conf:
> -------------------------------------------
> AllowGroups chrooted
> ChRootGroups chrooted
> -------------------------------------------
>
> Client session:
> -------------------------------------------
> gate# ssh2 -l dummy localhost
> dummy@localhost's password:
> Authentication successful.
> Connection to localhost closed.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> -------------------------------------------
>
> tail /var/log/messages:
> -------------------------------------------
> sshd[16513]: User dummy's local password accepted.
> sshd[16513]: Password authentication for user dummy accepted.
> sshd[16513]: User dummy, coming from localhost.sbm, authenticated.
> -------------------------------------------
>
> What I need to do to fix it?

On the server, stop any sshd's running, then run an 'sshd -d' and watch
its output.

G'luck,
Peter

--
This sentence was in the past tense.
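A check an administrator can run against a layout like Alexander's before reaching for sshd -d, added here as an example and not code from any message in this thread: it looks for the user's login shell underneath the chroot directory and reads the ELF program headers to tell whether that binary is statically linked, since a dynamically linked sh also needs its shared libraries and the runtime loader copied into the jail before it can start. The chroot path /home/chrooted/dummy and the shell /bin/sh come from the question; the ELF image the block writes into a temporary directory is a constructed stub with a valid header and no code, not a real shell.

```python
"""Check that a chroot directory holds the user's login shell and that the
shell is statically linked (constructed example; not code from the thread)."""
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3  # program header type that names the dynamic loader


def elf_needs_interpreter(image):
    """True if the ELF image has a PT_INTERP header (dynamically linked),
    False for a static executable. Raises ValueError for non-ELF data."""
    if image[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    endian = "<" if image[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    if image[4] == 2:                           # EI_CLASS: 2 = ELF64
        (phoff,) = struct.unpack_from(endian + "Q", image, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", image, 54)
    else:                                       # ELF32
        (phoff,) = struct.unpack_from(endian + "I", image, 28)
        phentsize, phnum = struct.unpack_from(endian + "HH", image, 42)
    for i in range(phnum):
        (p_type,) = struct.unpack_from(endian + "I", image, phoff + i * phentsize)
        if p_type == PT_INTERP:
            return True
    return False


def check_chroot_shell(chroot_dir, shell="/bin/sh"):
    """Return a list of problems; an empty list means the shell should start
    once sshd (or chroot(8)) has switched the root directory to chroot_dir."""
    problems = []
    inside = os.path.join(chroot_dir, shell.lstrip("/"))
    if not os.path.isfile(inside):
        problems.append("%s is missing inside %s: sshd will chroot, exec the "
                        "shell, fail, and close the connection" % (shell, chroot_dir))
        return problems
    if not os.access(inside, os.X_OK):
        problems.append("%s is not executable" % inside)
    with open(inside, "rb") as f:
        image = f.read()
    try:
        if elf_needs_interpreter(image):
            problems.append("%s is dynamically linked: copy its shared libraries "
                            "and the runtime loader into the chroot, or use a "
                            "static build" % inside)
    except ValueError:
        problems.append("%s is not an ELF executable" % inside)
    return problems


def build_sample_elf(dynamic):
    """Constructed minimal ELF64 header plus program headers, enough for the
    check above; it is not a runnable program."""
    phdrs = [(1, 5)]                  # PT_LOAD, flags R+X
    if dynamic:
        phdrs.append((PT_INTERP, 4))  # PT_INTERP, flags R
    ehdr = bytearray(64)
    ehdr[0:7] = ELF_MAGIC + b"\x02\x01\x01"  # ELF64, little-endian, version 1
    struct.pack_into("<HHIQQQIHHHHHH", ehdr, 16,
                     2, 0x3e, 1, 0x400000,   # ET_EXEC, x86-64, version, entry
                     64, 0, 0,               # e_phoff, e_shoff, e_flags
                     64, 56, len(phdrs),     # e_ehsize, e_phentsize, e_phnum
                     64, 0, 0)               # e_shentsize, e_shnum, e_shstrndx
    image = bytes(ehdr)
    for p_type, p_flags in phdrs:
        image += struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0)
    return image


def simulate(shell_present, static):
    """Build a throwaway /home/chrooted/dummy-style tree and run the check."""
    with tempfile.TemporaryDirectory() as chroot:
        os.mkdir(os.path.join(chroot, "bin"))
        if shell_present:
            path = os.path.join(chroot, "bin", "sh")
            with open(path, "wb") as f:
                f.write(build_sample_elf(dynamic=not static))
            os.chmod(path, 0o755)
        return check_chroot_shell(chroot)


if __name__ == "__main__":
    for present, static in ((False, True), (True, False), (True, True)):
        print("shell present:", present, "static:", static,
              simulate(present, static) or "ok")
```

On a real system call check_chroot_shell("/home/chrooted/dummy") against the actual directory; the simulate() helper only exists so the three outcomes (shell missing, shell dynamically linked, shell static) can be exercised without touching the host.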
From owner-freebsd-security Mon Nov  5 08:48:30 2001
Date: Mon, 05 Nov 2001 19:48:22 +0300
From: "Magdalinin Kirill"
To: volax@uh.ru
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Chrooted SSH2 problem

>gate# ssh2 -l dummy localhost
>dummy@localhost's password:
>Authentication successful.
>Connection to localhost closed.
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

At this point sshd has already done the chroot for the user and tries to
run /bin/sh, which does not exist, because there is no sh in
/home/chrooted/dummy/bin/ (after the chroot, /home/chrooted/dummy/bin/ is
not a link to the system /bin; it is just an empty /bin).

If you want to allow a couple of users on your box, then placing sh (which
is statically linked) in /home/chrooted/dummy/bin/ should do the trick. If
there must be many users, then consider making bin, usr and even var
directories under /home/chrooted, and chroot all users to /home/chrooted.
All binaries in bin and usr must be statically linked, or you will have to
place all necessary libraries over there, which is a security risk(?).

I don't remember exactly why, but instead of chrooting users by sshd I use
the following would-be-shell to chroot users; that shell is set as the
user's default shell and is called by sshd at login time:

    #define _GNU_SOURCE   /* for asprintf(3) on glibc; not needed on FreeBSD */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* Would-be login shell: confine the user to /home, then start bash.
     * sshd runs the login shell as "shell -c command" for non-interactive
     * sessions, so argv[1] and argv[2] are handed through to bash. */
    int main(int argc, char *argv[])
    {
        char *dir;
        const char *user = getenv("LOGNAME");

        if (user == NULL || strchr(user, '/') != NULL) {
            fprintf(stderr, "LOGNAME unset or invalid\n");
            return 1;
        }
        /* chroot(2) needs root; fail closed rather than start a shell outside. */
        if (chroot("/home") != 0) {
            perror("chroot");
            return 1;
        }
        /* Path as seen inside the new root. */
        if (asprintf(&dir, "/home/home/%s", user) < 0 || chdir(dir) != 0) {
            perror("chdir");
            return 1;
        }
        free(dir);
        /* exec bash directly: system(3) would re-parse argv through sh -c. */
        if (argc > 2)
            execl("/usr/local/bin/bash", "bash", argv[1], argv[2], (char *)NULL);
        else
            execl("/usr/local/bin/bash", "bash", (char *)NULL);
        perror("execl");
        return 1;
    }

Hope this helps,

Kirill Magdalinin
bsdforumen@hotmail.com

>From: "Alexander S. Volchenkov"
>Reply-To: volax@uh.ru
>To: freebsd-security@FreeBSD.ORG
>Subject: Chrooted SSH2 problem
>Date: Mon, 5 Nov 2001 18:51:52 +0300
>
>Hi All!
>
>I've just installed ssh2 and am trying to implement its chroot feature.
>I have a problem with user login.
>
>User "dummy" is in the "chrooted" group. His home directory,
>/home/chrooted/dummy, contains a bin subdirectory with a mirror of /bin.
>User's shell is /bin/sh. Command: chroot /home/chrooted/dummy works fine.
>
>From /etc/sshd2_conf:
>-------------------------------------------
>AllowGroups chrooted
>ChRootGroups chrooted
>-------------------------------------------
>
>Client session:
>-------------------------------------------
>gate# ssh2 -l dummy localhost
>dummy@localhost's password:
>Authentication successful.
>Connection to localhost closed.
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>-------------------------------------------
>
>tail /var/log/messages:
>-------------------------------------------
>sshd[16513]: User dummy's local password accepted.
>sshd[16513]: Password authentication for user dummy accepted.
>sshd[16513]: User dummy, coming from localhost.sbm, authenticated.
>-------------------------------------------
>
>What I need to do to fix it?
>
>Thanks,
>Alexander S. Volchenkov (mailto:volax@uh.ru)

From owner-freebsd-security Mon Nov  5 09:14:48 2001
Date: Mon, 5 Nov 2001 18:14:29 +0100
From: "Anthony Atkielski"
To: freebsd-security@FreeBSD.ORG
Subject: SecureCRT and SSH2 on FreeBSD
Message-ID: <016d01c1661d$5ac99690$0a00000a@atkielski.com>

Can anyone assist me with the exact configuration for getting SecureCRT (on
Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to work okay,
and--mysteriously--SSH2 seems to work against my Web server (4.2 release) on
the Net, but I can't connect to my own FreeBSD 4.3 server at home; all I get
is a message saying

    Public-key authentication with the SSH2 server for user root failed.
    Please verify username and public/private key pair.

Do I have to run anything to make SSH2 work, or is sshd sufficient? I have
telnetd disabled.
I have PermitRootLogin set to without-password. root can log in under SSH1,
but nobody can log in under SSH2.

From owner-freebsd-security Mon Nov  5 09:28:03 2001
Date: Mon, 5 Nov 2001 12:27:50 -0500
From: "alexus"
To: "Anthony Atkielski"
Organization: NexGen
Subject: Re: SecureCRT and SSH2 on FreeBSD
Message-ID: <015101c1661f$31c61910$0d00a8c0@alexus>
References: <016d01c1661d$5ac99690$0a00000a@atkielski.com>

Check your SecureCRT configuration.

Most likely you specified to use public key instead of password.

----- Original Message -----
From: "Anthony Atkielski"
To: freebsd-security@FreeBSD.ORG
Sent: Monday, November 05, 2001 12:14 PM
Subject: SecureCRT and SSH2 on FreeBSD

> Can anyone assist me with the exact configuration for getting SecureCRT (on
> Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to work okay,
> and--mysteriously--SSH2 seems to work against my Web server (4.2 release) on
> the Net, but I can't connect to my own FreeBSD 4.3 server at home; all I get
> is a message saying
>
>     Public-key authentication with the SSH2 server for user root failed.
>     Please verify username and public/private key pair.
>
> Do I have to run anything to make SSH2 work, or is sshd sufficient? I have
> telnetd disabled. I have PermitRootLogin set to without-password. root can
> log in under SSH1, but nobody can log in under SSH2.

From owner-freebsd-security Mon Nov  5 09:32:29 2001
Date: Mon, 5 Nov 2001 12:32:23 -0500
From: "alexus"
To: "Domas Mituzas"
Organization: NexGen
Subject: Re: jail
Message-ID: <019601c1661f$d441dcb0$0d00a8c0@alexus>
References: <20011105095522.B42590-100000@axis.tdd.lt>

The jail IP is set to one of those private IP addresses like 172.16-19.0.0,
192.168.0.0, 10.0.0.0, and I have no rules on my firewall.

----- Original Message -----
From: "Domas Mituzas"
To: "alexus"
Sent: Monday, November 05, 2001 2:56 AM
Subject: Re: jail

> Hi there,
>
> > i mean they can't go outside of jail to evil internet:] they can't browse
> > they can't telnet/ssh outside they can't use irc nothing
>
> That depends on which jail IP address you specified, what firewall rules
> you have on that box. Jail is a synonym for fine-tuning userland's
> environment.
>
> --
> Regards,
> Domas

From owner-freebsd-security Mon Nov  5 09:51:40 2001
Date: Mon, 5 Nov 2001 09:51:30 -0800
From: "Noonan, Mr. Sean P."
To: 'Anthony Atkielski'
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: RE: SecureCRT and SSH2 on FreeBSD
Message-ID: <9D20F9E38A32D411AA3C00508B94CCD5066BEF72@REGULUS>

I use CRT v3.3 with SSH2 against 4.3-STABLE without problems. Here's my
/etc/sshd/sshd_config and the method I use to convert the v2 key for use
with ssh2. Any problems, email me at my personal address,
snoonan@snoonan.com.

P.S.
- I don't allow root to login directly, but that's not the crux of your
problem...so it shouldn't matter...

Good luck,

Sean.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Anthony Atkielski
Sent: Monday, November 05, 2001 9:14 AM
To: freebsd-security@FreeBSD.ORG
Subject: SecureCRT and SSH2 on FreeBSD

Can anyone assist me with the exact configuration for getting SecureCRT (on
Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to work okay,
and--mysteriously--SSH2 seems to work against my Web server (4.2 release) on
the Net, but I can't connect to my own FreeBSD 4.3 server at home; all I get
is a message saying

    Public-key authentication with the SSH2 server for user root failed.
    Please verify username and public/private key pair.

Do I have to run anything to make SSH2 work, or is sshd sufficient? I have
telnetd disabled. I have PermitRootLogin set to without-password. root can
log in under SSH1, but nobody can log in under SSH2.

Content-Disposition: attachment; filename="key_conversion.txt"

How can I configure OpenSSH SSH2 server to recognize my SecureCRT
Identity.pub file?

Answer:

In order to use your public key you must transfer the xxxxxxxx.pub file
created by the Key Generation wizard to the ~/.ssh directory on the SSH2
server. It is recommended that you follow the procedure below for using copy
and paste to create a copy of the Identity.pub file in the ~/.ssh directory
on the remote machine. If you decide instead to transfer the Identity.pub
file to the ~/.ssh directory using an FTP client, be sure to transfer the
file in ASCII mode. Also be sure to complete step 4-d below.

To use copy and paste to configure the SSH2 server to recognize your
Identity.pub file:

1. Log on to the remote SSH2 server using SSH2 and password authentication.

2. On the local machine, use Notepad.exe to open the Identity.pub file that
   was created with the Key Generation wizard.

3. With the Identity.pub file opened in the Notepad application, open the
   Edit menu and choose Select All. Once everything is selected, open the
   Edit menu again and select Copy.

4. On the remote machine, complete the following steps:

   a. Issue the following command:
      % cat > ~/.ssh/identity.pub

   b. Click on the SecureCRT paste button to paste the contents of the
      Clipboard (which should now contain the contents of your Identity.pub
      file).

   c. Issue a CTRL+D to close the Identity.pub file.

   d. Convert the key to one that OpenSSH will recognize using the following
      command:
      % ssh-keygen -X -f ~/.ssh/identity.pub >> authorized_keys2

Content-Disposition: attachment; filename="sshd_config.txt"

# This is ssh server systemwide configuration file.
#
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.4.2.5 2001/01/18 22:36:53 green Exp $

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostDsaKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 120
KeyRegenerationInterval 3600
PermitRootLogin no
# ConnectionsPerPeriod has been deprecated completely
# After 10 unauthenticated connections, refuse 30% of the new ones, and
# refuse any more than 60 total.
MaxStartups 10:30:60

# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#SkeyAuthentication no
#KbdInteractiveAuthentication yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

CheckMail yes
#UseLogin no

# Uncomment if you want to enable sftp
#Subsystem sftp /usr/libexec/sftp-server

From owner-freebsd-security Mon Nov  5 11:25:27 2001
Date: Mon, 5 Nov 2001 20:24:12 +0100
From: "Anthony Atkielski"
To: "alexus"
Subject: Re: SecureCRT and SSH2 on FreeBSD
Message-ID: <001a01c1662f$9ccc5f20$0a00000a@atkielski.com>
References: <016d01c1661d$5ac99690$0a00000a@atkielski.com> <015101c1661f$31c61910$0d00a8c0@alexus>
Public-key is what I want, not password. In fact, PermitRootLogin
without-password supposedly prevents password authentication from being used
in SSH, forcing PK authentication.

----- Original Message -----
From: "alexus"
To: "Anthony Atkielski"
Sent: Monday, November 05, 2001 18:27
Subject: Re: SecureCRT and SSH2 on FreeBSD

> Check your SecureCRT configuration.
>
> Most likely you specified to use public key instead of password.
>
> ----- Original Message -----
> From: "Anthony Atkielski"
> To: freebsd-security@FreeBSD.ORG
> Sent: Monday, November 05, 2001 12:14 PM
> Subject: SecureCRT and SSH2 on FreeBSD
>
> > Can anyone assist me with the exact configuration for getting SecureCRT
> > (on Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to
> > work okay, and--mysteriously--SSH2 seems to work against my Web server
> > (4.2 release) on the Net, but I can't connect to my own FreeBSD 4.3
> > server at home; all I get is a message saying
> >
> >     Public-key authentication with the SSH2 server for user root failed.
> >     Please verify username and public/private key pair.
> >
> > Do I have to run anything to make SSH2 work, or is sshd sufficient? I
> > have telnetd disabled. I have PermitRootLogin set to without-password.
> > root can log in under SSH1, but nobody can log in under SSH2.

From owner-freebsd-security Mon Nov  5 12:04:42 2001
Date: Mon, 5 Nov 2001 12:04:28 -0800
From: Daniel Brown
To: "alexus"
Cc: domas.mituzas@delfi.lt, cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: jail
Message-Id: <20011105120428.5cad1f50.djb@unixan.com>
In-Reply-To: <019601c1661f$d441dcb0$0d00a8c0@alexus>
References: <20011105095522.B42590-100000@axis.tdd.lt> <019601c1661f$d441dcb0$0d00a8c0@alexus>

192.168.x.x and 10.x.x.x IP ranges are non-routable (publicly accessible),
and unless you own the 172.16-19.x.x range, neither is it. In these cases
you do need to use NAT. However, most uses for Jail are for binding a prison
to a publicly accessible IP address, which means no NAT is necessary.

If you only have one publicly available IP address and you do not intend
them to accept incoming connections, perhaps you should consider binding
your prisons to that IP address instead of the private non-routable IPs.
You can run Jail multiple times with the same IP address, including the
primary IP of your machine.

This assumes, of course, that the machine these prisons exist on has a
publicly available IP. If it exists entirely on a private network, you
should turn on NAT on your router/firewall.

-Daniel

------------ Quoted Message ------------
Date...: Mon, 5 Nov 2001 12:32:23 -0500
From...: "alexus"
To.....: "Domas Mituzas"
Subject: Re: jail

The jail IP is set to one of those private IP addresses like 172.16-19.0.0,
192.168.0.0, 10.0.0.0, and I have no rules on my firewall.

----- Original Message -----
From: "Domas Mituzas"
To: "alexus"
Sent: Monday, November 05, 2001 2:56 AM
Subject: Re: jail

> Hi there,
>
> > i mean they can't go outside of jail to evil internet:] they can't browse
> > they can't telnet/ssh outside they can't use irc nothing
>
> That depends on which jail IP address you specified, what firewall rules
> you have on that box. Jail is a synonym for fine-tuning userland's
> environment.
> > > -- > Regards, > Domas > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 5 12: 9:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from atkielski.com (atkielski.com [161.58.232.69]) by hub.freebsd.org (Postfix) with ESMTP id 488DD37B416 for ; Mon, 5 Nov 2001 12:09:51 -0800 (PST) Received: from contactdish (ASt-Lambert-101-2-1-14.abo.wanadoo.fr [193.251.59.14]) by atkielski.com (8.11.6) id fA5K9Ew90564; Mon, 5 Nov 2001 21:09:14 +0100 (CET) Message-ID: <004701c16635$d18a34c0$0a00000a@atkielski.com> From: "Anthony Atkielski" To: "Noonan, Mr. Sean P." , References: <9D20F9E38A32D411AA3C00508B94CCD5066BEF72@REGULUS> Subject: Re: SecureCRT and SSH2 on FreeBSD Date: Mon, 5 Nov 2001 21:09:44 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org That fixed it! The sshgen step was missing; I had a vague recollection of doing something like that before, but I was unable to remember what it was. Your note explained what to do. Thanks. ----- Original Message ----- From: "Noonan, Mr. Sean P." To: "'Anthony Atkielski'" Cc: Sent: Monday, November 05, 2001 18:51 Subject: RE: SecureCRT and SSH2 on FreeBSD > I use CRT v3.3 with SSH2 against 4.3-STABLE without problems. Here's my > /etc/sshd/sshd_config and the method I use to convert the v2 key for use > with ssh2. Any problems email me at my personal address, > snoonan@snoonan.com. > > P.S. 
- I don't allow root to login directly, but that's not the crux of your > problem...so it shouldn't matter... > > Good luck, > > Sean. > > > > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Anthony > Atkielski > Sent: Monday, November 05, 2001 9:14 AM > To: freebsd-security@FreeBSD.ORG > Subject: SecureCRT and SSH2 on FreeBSD > > > Can anyone assist me with the exact configuration for getting SecureCRT (on > Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to work > okay, > and--mysteriously--SSH2 seems to work against my Web server (4.2 release) on > the > Net, but I can't connect to my own FreeBSD 4.3 server at home; all I get is > a > message saying > > Public-key authentication with the SSH2 server for user root failed. Please > verify username and public/private key pair. > > Do I have to run anything to make SSH2 work, or is sshd sufficient? I have > telnetd disabled. I have PermitRootLogin set to without-password. root can > log > in under SSH1, but nobody can log in under SSH2. 
From owner-freebsd-security Mon Nov 5 12:23:20 2001
From: "Paul Lapan"
To:
Date: Mon, 5 Nov 2001 12:24:15 -0800
Subject: unsubscribe
Message-ID: <000701c16637$d7f533d0$0914a8c0@notebook1>

unsubscribe

From owner-freebsd-security Mon Nov 5 13:48:58 2001
From: Matthew Dillon
To: Spades
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 5 Nov 2001 13:48:52 -0800 (PST)
Subject: Re: IDS135/ICMP_ICMP-REDIRECT_HOST
Message-Id: <200111052148.fA5Lmqb51361@apollo.backplane.com>
References: <3.0.32.20011101103631.02115a1c@smtp.magix.com.sg>

:
:Just a quick question..
:
:By default of denying all incoming/outgoing ICMP via
:ipfw using: ipfw add 120 deny icmp from any to any
:
:Does it deny ICMP-REDIRECT packets?
:
:Bryan

    Yes, but you don't want to block all ICMP packets or you will break
    TCP connections through paths which have smaller MTUs, because the
    TCP stack will never get code 3's.  I recommend the following.  If
    you have a recent system also see 'man firewall'.

        add 120 allow icmp from any to any icmptypes 0,8,11,12,13,14
        add 121 deny icmp from any to any

                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Mon Nov 5 16:15:33 2001
From: "Danny"
To:
Date: Mon, 5 Nov 2001 19:15:03 -0500
Subject: Qmail Relay
Message-ID: <003301c16658$1c36c070$020144c0@danny>
From reading all the FAQs and whatnot from DJB (who seems to be quite the
arrogant prick) it doesn't appear that there is any way of using a q-mail
server as a relay besides running his 'tcpserver'. Is this the case or can I
use qmail as a relay without relying on anything besides the 4.4 base system?

From owner-freebsd-security Mon Nov 5 17:28:28 2001
From: Kris Kennaway
To: Danny
Cc: freebsd-security@freebsd.org
Date: Mon, 5 Nov 2001 17:28:24 -0800
Subject: Re: Qmail Relay
Message-ID: <20011105172824.A21254@xor.obsecurity.org>
References: <003301c16658$1c36c070$020144c0@danny>
In-Reply-To: <003301c16658$1c36c070$020144c0@danny>; from eyezonme@gmx.net on Mon, Nov 05, 2001 at 07:15:03PM -0500

On Mon, Nov 05, 2001 at 07:15:03PM -0500, Danny wrote:
> From reading all the FAQs and whatnot from DJB (who seems to be quite
> the arrogant prick) it doesn't appear that there is any way of using a
> q-mail server as a relay besides running his 'tcpserver'. Is this the
> case or can I use qmail as a relay without relying on anything besides
> the 4.4 base system?

This is not a security-related question: please don't abuse the mailing
lists, and ask your general support questions on questions@FreeBSD.org.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE75zy3Wry0BWjoQKURAhvvAJ452mkin/st5IhKxrNYj+88y7+c4QCeLmB7
ogJxoEn2NEe8KA70rkRogGg=
=R934
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Nov 5 17:31:26 2001
From: Brian Behlendorf
To: Danny
Cc:
Date: Mon, 5 Nov 2001 17:31:53 -0800 (PST)
Subject: Re: Qmail Relay
Message-ID: <20011105172917.J388-100000@localhost>
In-Reply-To: <003301c16658$1c36c070$020144c0@danny>

This is really not on-topic for this list, but to answer it anyways,
tcpserver is like inetd in that it passes along network connections to
particular processes (in this case, qmail-smtpd) and is what listens on
port 25 for SMTP traffic, so it is a necessary part of using qmail as your
MTA.
If all you need to do is be able to send mail, you don't even really need
an MTA, as most modern mail clients (all the GUI ones I know of, pine,
mutt, etc.) can SMTP connect to a remote mail server.

	Brian

On Mon, 5 Nov 2001, Danny wrote:
> From reading all the FAQs and whatnot from DJB (who seems to be quite
> the arrogant prick) it doesn't appear that there is any way of using a
> q-mail server as a relay besides running his 'tcpserver'. Is this the
> case or can I use qmail as a relay without relying on anything besides
> the 4.4 base system?
>

From owner-freebsd-security Mon Nov 5 17:50:27 2001
From: Jason Hunt
To: Anthony Atkielski
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 5 Nov 2001 20:50:16 -0500 (EST)
Subject: Re: SecureCRT and SSH2 on FreeBSD
In-Reply-To: <001a01c1662f$9ccc5f20$0a00000a@atkielski.com>
Message-ID:

I have the following for my SecureCRT settings. I am using a password, not
a public key, but I was having problems implementing ssh2 at first.
My settings for the connection are as follows:

  Protocol:       ssh2
  Port:           22
  Cipher:         3DES
  MAC:            MD5
  Authentication: Password
  SSH Server:     Standard

When you create a new connection in SecureCRT (at least for 3.01), ssh2
defaults to the SSH Server type of "DataFellows 2.0.13", which does not
work. However, this may not even be the problem, since you're using a
public key instead of a password.

Hope this helps.

On Mon, 5 Nov 2001, Anthony Atkielski wrote:

> Public-key is what I want, not password. In fact, PermitRootLogin
> without-password supposedly prevents password authentication from being used in
> SSH, forcing PK authentication.
>
> ----- Original Message -----
> From: "alexus"
> To: "Anthony Atkielski" ;
> Sent: Monday, November 05, 2001 18:27
> Subject: Re: SecureCRT and SSH2 on FreeBSD
>
>
> > check your secure crt configuration
> >
> > most likely you specify to use public key instead of password
> >
> > ----- Original Message -----
> > From: "Anthony Atkielski"
> > To:
> > Sent: Monday, November 05, 2001 12:14 PM
> > Subject: SecureCRT and SSH2 on FreeBSD
> >
> >
> > > Can anyone assist me with the exact configuration for getting SecureCRT (on
> > > Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to work okay,
> > > and--mysteriously--SSH2 seems to work against my Web server (4.2 release) on the
> > > Net, but I can't connect to my own FreeBSD 4.3 server at home; all I get is a
> > > message saying
> > >
> > > Public-key authentication with the SSH2 server for user root failed. Please
> > > verify username and public/private key pair.
> > >
> > > Do I have to run anything to make SSH2 work, or is sshd sufficient? I have
> > > telnetd disabled. I have PermitRootLogin set to without-password. root can log
> > > in under SSH1, but nobody can log in under SSH2.
From owner-freebsd-security Mon Nov 5 18:02:25 2001
From: Carroll Kong
To: "Danny"
Cc:
Date: Mon, 05 Nov 2001 21:02:52 -0500
Subject: Re: Qmail Relay
Message-Id: <5.1.0.14.2.20011105210136.026df1a0@netmail.home.com>
In-Reply-To: <003301c16658$1c36c070$020144c0@danny>

At 07:15 PM 11/5/01 -0500, Danny wrote:
> From reading all the FAQs and whatnot from DJB (who seems to be quite
> the arrogant prick) it doesn't appear that there is any way of using a
> q-mail server as a relay besides running his 'tcpserver'. Is this the
> case or can I use qmail as a relay without relying on anything besides
> the 4.4 base system?

http://www.qmail.org/man/man8/qmail-remote.html

smtproutes seems to create a relay. Also, he highly suggests using
tcpserver for all qmail activity, relay or not. It really is not all that
hard to use, just use tcpserver.
-Carroll Kong

From owner-freebsd-security Mon Nov 5 20:04:14 2001
From: Eugene Grosbein
To: security@freebsd.org
Date: Tue, 6 Nov 2001 11:03:46 +0700
Subject: Running secured local anoncvs server for FreeBSD CVS Repository
Message-ID: <20011106110346.A77269@svzserv.kemerovo.su>

Hi!

I run local cvsup-mirror of FreeBSD CVS Repository. It runs just fine.
I would like to provide read-only anoncvs access to the Repo and wonder
how to make it secure. E.g. I do not want users to:

- make brute-force attacks to /etc/master.passwd
- touch the Repo in any way, no commits, no tags, no
  val-tags nor history nor any other file modifications.

Is it possible?
Eugene Grosbein

From owner-freebsd-security Mon Nov 5 20:11:26 2001
From: David G Andersen
To: eugen@grosbein.pp.ru (Eugene Grosbein)
Cc: security@FreeBSD.ORG
Date: Mon, 5 Nov 2001 21:11:20 -0700 (MST)
Subject: Re: Running secured local anoncvs server for FreeBSD CVS Repository
Message-Id: <200111060411.fA64BKh11658@faith.cs.utah.edu>
In-Reply-To: <20011106110346.A77269@svzserv.kemerovo.su> from "Eugene Grosbein" at Nov 06, 2001 11:03:46 AM

See 'anoncvssh', from the OpenBSD project:
   http://openbsd.sunsite.ualberta.ca/papers/anoncvs-paper.ps
Then grab the distribution:
   http://www.openbsd.org/anoncvs.shar

Then follow the instructions in the README. Since this isn't a real CVS
tree that you're granting access to (i.e. not one that you're making
commits to yourself), the setup is really quite straightforward. Works
well, is a CPU and disk bandwidth/seek hog, but it's super convenient for
local access. (These are features of using CVS instead of CVSup, NOT
features of anoncvssh. anoncvssh just gives you a more secure way of doing
the ssh).
If you're super paranoid, you can mount large parts of the CVS repository
read-only.

  -Dave

Lo and behold, Eugene Grosbein once said:
>
> Hi!
>
> I run local cvsup-mirror of FreeBSD CVS Repository. It runs just fine.
> I would like to provide read-only anoncvs access to the Repo and wonder
> how to make it secure. E.g. I do not want users to:
>
> - make brute-force attacks to /etc/master.passwd
> - touch the Repo in any way, no commits, no tags, no
>   val-tags nor history nor any other file modifications.
>
> Is it possible?
>
> Eugene Grosbein
>

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

From owner-freebsd-security Mon Nov 5 21:19:14 2001
From: Eugene Grosbein
To: David G Andersen
Cc: security@FreeBSD.ORG
Date: Tue, 6 Nov 2001 12:18:40 +0700
Subject: Re: Running secured local anoncvs server for FreeBSD CVS Repository
Message-ID: <20011106121840.B77269@svzserv.kemerovo.su>
References: <20011106110346.A77269@svzserv.kemerovo.su> <200111060411.fA64BKh11658@faith.cs.utah.edu>
In-Reply-To: <200111060411.fA64BKh11658@faith.cs.utah.edu>; from danderse@cs.utah.edu on Mon, Nov 05, 2001 at 09:11:20PM -0700
On Mon, Nov 05, 2001 at 09:11:20PM -0700, David G Andersen wrote:
> See 'anoncvssh', from the OpenBSD project:
>    http://openbsd.sunsite.ualberta.ca/papers/anoncvs-paper.ps
> Then grab the distribution:
>    http://www.openbsd.org/anoncvs.shar
>
> Then follow the instructions in the README. Since this isn't
> a real CVS tree that you're granting access to (i.e. not one
> that you're making commits to yourself), the setup is really
> quite straightforward. Works well, is a CPU and disk bandwidth/seek
> hog, but it's super convenient for local access.
> (These are features of using CVS instead of CVSup, NOT features
> of anoncvssh. anoncvssh just gives you a more secure way of
> doing the ssh).
>
> If you're super paranoid, you can mount large parts of the
> CVS repository read-only.

It seems anoncvssh needs OpenBSD's cvs distribution and modifications of
some files inside the Repo, which is what I would rather avoid doing.
Is it safe to hack CVSROOT/*? And if I ever want to provide public access,
will I be allowed to limit the use of compression?
Eugene Grosbein

From owner-freebsd-security Mon Nov 5 22:40:16 2001
From: Daniel Hagan
To: Christoph Kukulies
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 06 Nov 2001 01:44:54 -0500
Subject: Re: sshd - corrupted check bytes on input
Message-ID: <3BE786E6.1DB9227C@colltech.com>
References: <200111050721.fA57Lko76929@gilberto.physik.rwth-aachen.de>

You are probably being attacked. See
http://www.cert.org/incident_notes/IN-2001-12.html for information on
this vulnerability.

Daniel

Christoph Kukulies wrote:
>
> I found a syslog of Nov 2, 00:30 saying:
>
> sshd: Local: Corrupted check bytes on input.
>
> Possible attack?
>
> What is the way to go with sshd and FreeBSD?
>
> --
> Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
>

From owner-freebsd-security Mon Nov 5 23:21:05 2001
From: "Alexander S. Volchenkov"
Reply-To: volax@uh.ru
Organization: Superbmarket
To: Peter Pentchev
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 6 Nov 2001 10:21:40 +0300
Subject: Re: Chrooted SSH2 problem
Message-Id: <200111060717.fA67HZu81881@ns.uh.ru>
References: <200111051546.fA5FkLu62095@ns.uh.ru> <20011105174639.C77919@straylight.oblivion.bg>
In-Reply-To: <20011105174639.C77919@straylight.oblivion.bg>

Hello, Peter!

>
> > I've just installed ssh2 and trying to implement its chroot feature.
> > I have a problem with user login.
> >
> > User "dummy" is in the "chrooted" group. His home directory :
> > /home/chrooted/dummy contains bin subdirectory with a mirror of /bin.
> > User's shell is /bin/sh. Command: chroot /home/chrooted/dummy works fine.
> >
> > From /etc/sshd2_conf:
> > -------------------------------------------
> > AllowGroups chrooted
> > ChRootGroups chrooted
> > -------------------------------------------

-------------- SKIP -----------------

> On the server, stop any sshd's running, then run an 'sshd -d' and
> watch its output.

The output of sshd2 -d1:

gate# ssh2 -l dummy gate
dummy@gate's password:
Authentication successful.
sshd2[1296]: /etc/spwd.db: No such file or directory
debug: ssh_user_become: getpwnam: Bad file descriptor
debug: Switching to user 'dummy' failed!
Connection to gate closed.

Does it mean I must provide /etc/spwd.db file in the user home directory?
In this case, how can I create this file for single user usage?

Thanks,
Alexander S. Volchenkov (mailto:volax@uh.ru)

From owner-freebsd-security Mon Nov 5 23:39:47 2001
From: Christoph Kukulies
To: Daniel Hagan
Cc: Christoph Kukulies , freebsd-security@FreeBSD.ORG
Date: Tue, 6 Nov 2001 08:39:34 +0100
Subject: Re: sshd - corrupted check bytes on input
Message-ID: <20011106083934.B7604@gil.physik.rwth-aachen.de>
References: <200111050721.fA57Lko76929@gilberto.physik.rwth-aachen.de> <3BE786E6.1DB9227C@colltech.com>
In-Reply-To: <3BE786E6.1DB9227C@colltech.com>; from dhagan@colltech.com on Tue, Nov 06, 2001 at 01:44:54AM -0500
On Tue, Nov 06, 2001 at 01:44:54AM -0500, Daniel Hagan wrote:
> You are probably being attacked. See
> http://www.cert.org/incident_notes/IN-2001-12.html for information on
> this vulnerability.
>
> Daniel
>
> Christoph Kukulies wrote:
> >
> > I found a syslog of Nov 2, 00:30 saying:
> >
> > sshd: Local: Corrupted check bytes on input.

Although it doesn't have exactly the pattern. No host that disconnected.
I logged into the machine at that time from home via ISDN.

Well, time anyway to switch to openssh.

--
Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Tue Nov 6 02:21:35 2001
From: Peter Pentchev
Reply-To: Peter Pentchev
To: Danny
Cc: freebsd-security@freebsd.org
Date: Tue, 6 Nov 2001 11:53:03 +0200
Subject: Re: Qmail Relay
Message-ID: <20011106115303.B10023@straylight.oblivion.bg>
References: <003301c16658$1c36c070$020144c0@danny>
In-Reply-To: <003301c16658$1c36c070$020144c0@danny>; from eyezonme@gmx.net on Mon, Nov 05, 2001 at 07:15:03PM -0500

On Mon, Nov 05, 2001 at 07:15:03PM -0500, Danny wrote:
> From reading all the FAQs and whatnot from DJB (who seems to be quite
> the arrogant prick) it doesn't appear that there is any way of using a
> q-mail server as a relay besides running his 'tcpserver'. Is this the
> case or can I use qmail as a relay without relying on anything besides
> the 4.4 base system?

First, as many people already pointed out, this is off-topic for this
list. Hence, I've set the reply-to to my own address, should you wish to
continue this discussion in private.

Second.. have you actually read the qmail FAQ? :) You know, the one
installed in /var/qmail/doc/FAQ? :)

  5.4. How do I allow selected clients to use this host as a relay? I see
  that qmail-smtpd rejects messages to any host not listed in
  control/rcpthosts.

This is followed by a very simple procedure involving inetd.conf and
/etc/hosts.allow. Please take another look before resorting to
name-calling :)

G'luck,
Peter

--
This inert sentence is my body, but my soul is alive, dancing in the
sparks of your brain.

From owner-freebsd-security Tue Nov 6 02:24:48 2001
From: rik@rikrose.net
To: "Alexander S. Volchenkov"
Cc: Peter Pentchev , freebsd-security@FreeBSD.ORG
Date: Tue, 6 Nov 2001 10:23:26 +0000 (GMT)
Subject: Re: Chrooted SSH2 problem
In-Reply-To: <200111060717.fA67HZu81881@ns.uh.ru>
Message-ID:

On Tue, 6 Nov 2001, Alexander S. Volchenkov wrote:
> The output of sshd2 -d1:
> sshd2[1296]: /etc/spwd.db: No such file or directory
> Connection to gate closed.

I've not been watching the whole conversation, but that error I've left
above (and consequently the other errors too) looks to me like you've
chrooted the sshd, rather than letting it chroot a certain group of users.

sshd must run as root, in order to switch to the required users, and
therefore has the permissions to chroot when required, so if you just
leave it with its default setup, and add those 2 lines to the config file
that were specified above, then everything ought to be fine.

Good luck

--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From owner-freebsd-security Tue Nov 6 02:24:55 2001
From: Peter Pentchev
To: "Alexander S. Volchenkov"
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 6 Nov 2001 11:56:31 +0200
Subject: Re: Chrooted SSH2 problem
Message-ID: <20011106115631.C10023@straylight.oblivion.bg>
References: <200111051546.fA5FkLu62095@ns.uh.ru> <20011105174639.C77919@straylight.oblivion.bg> <200111060717.fA67HZu81881@ns.uh.ru>
In-Reply-To: <200111060717.fA67HZu81881@ns.uh.ru>; from volax@uh.ru on Tue, Nov 06, 2001 at 10:21:40AM +0300

On Tue, Nov 06, 2001 at 10:21:40AM +0300, Alexander S. Volchenkov wrote:
> Hello, Peter!
>
> >
> > > I've just installed ssh2 and trying to implement its chroot feature.
> > > I have a problem with user login.
> > >
> > > User "dummy" is in the "chrooted" group. His home directory :
> > > /home/chrooted/dummy contains bin subdirectory with a mirror of /bin.
> > > User's shell is /bin/sh. Command: chroot /home/chrooted/dummy works fine.
> > >
> > > From /etc/sshd2_conf:
> > > -------------------------------------------
> > > AllowGroups chrooted
> > > ChRootGroups chrooted
> > > -------------------------------------------
>
> -------------- SKIP -----------------
>
> > On the server, stop any sshd's running, then run an 'sshd -d' and
> > watch its output.
>
> The output of sshd2 -d1:
>
> gate# ssh2 -l dummy gate
> dummy@gate's password:
> Authentication successful.
> sshd2[1296]: /etc/spwd.db: No such file or directory
> debug: ssh_user_become: getpwnam: Bad file descriptor
> debug: Switching to user 'dummy' failed!
> Connection to gate closed.
>
> Does it mean I must provide /etc/spwd.db file in the user home directory?
> In this case, how can I create this file for single user usage?

Yes, this is exactly what it means.
To create this file, take your /etc/passwd and /etc/master.passwd, copy
them to the user's $HOME/etc/, then run 'vipw -d /path/to/usershome/etc'
and delete all the lines you do not want.

Alternatively, you could do something like:

# fgrep username /etc/passwd > /userhome/etc/passwd
# fgrep username /etc/master.passwd > /userhome/etc/master.passwd
# pwd_mkdb -d /userhome/etc /userhome/etc/master.passwd

..which might be preferable if you intend to set up more than one of
these jails.

G'luck,
Peter

--
If this sentence didn't exist, somebody would have invented it.

From owner-freebsd-security Tue Nov 6 2:30:32 2001
Date: Tue, 6 Nov 2001 13:31:33 +0300 (EAT)
To: Carroll Kong
Cc: Danny
Subject: Re: Qmail Relay
In-Reply-To: <5.1.0.14.2.20011105210136.026df1a0@netmail.home.com>

cat /etc/inetd.conf |grep 'qmail'

You can use inetd to do qmail. I did this for some time before changing
to postfix.

Noah.

On Mon, 5 Nov 2001, Carroll Kong wrote:

> At 07:15 PM 11/5/01 -0500, Danny wrote:
> > From reading all the FAQs and whatnot from DJB (who seems to be quite
> > the arrogant prick) it doesn't appear that there is any way of using a
> > q-mail server as a relay besides running his 'tcpserver'.
> > Is this the case or can I use qmail as a relay without relying on
> > anything besides the 4.4 base system?
>
> http://www.qmail.org/man/man8/qmail-remote.html
>
> smtproutes seems to create a relay. Also, he highly suggests using
> tcpserver for all qmail activity, relay or not. It really is not all that
> hard to use, just use tcpserver.
>
> -Carroll Kong

From owner-freebsd-security Tue Nov 6 5:32:33 2001
From: David G Andersen
Message-Id: <200111061332.fA6DWTI16199@faith.cs.utah.edu>
Subject: Re: Running secured local anoncvs server for FreeBSD CVS Repository
To: eugen@grosbein.pp.ru (Eugene Grosbein)
Date: Tue, 6 Nov 2001 06:32:29 -0700 (MST)
Cc: danderse@cs.utah.edu (David G Andersen), security@FreeBSD.ORG
In-Reply-To: <20011106121840.B77269@svzserv.kemerovo.su> from "Eugene Grosbein" at Nov 06, 2001 12:18:40 PM

Lo and behold, Eugene Grosbein once said:
>
> On Mon, Nov 05, 2001 at 09:11:20PM -0700, David G Andersen
> wrote:
>
> > See 'anoncvssh', from the OpenBSD project:
> > http://openbsd.sunsite.ualberta.ca/papers/anoncvs-paper.ps
> > Then grab the distribution:
> > http://www.openbsd.org/anoncvs.shar
>
> It seems anoncvssh needs OpenBSD's cvs distribution and
> modifications of some files inside the Repo, which is what
> I would rather avoid doing. Is it safe to hack CVSROOT/*?

Likely so. I didn't have to hack much the last time I exported a CVS
tree, but that was a bit ago.

> And if I'll want to provide public access once, will I be allowed
> to limit the use of compression?

You can hack anoncvssh.c to strip out the compression request, I'd
think. Haven't tried it.

  -Dave

From owner-freebsd-security Tue Nov 6 22:38:52 2001
Date: Wed, 7 Nov 2001 16:38:46 +1000
From: Nick Slager
To: freebsd-security@freebsd.org
Subject: KAME IPsec on low-end hardware
Message-ID: <20011107163846.H25762@BlueSkyFrog.COM>

Just set up my first IPsec link between two 4.4-REL boxes.
They are connected thusly:

        IPsec          Linux           IPsec
        Box 1  -----  router box  -----  Box 2
     192.168.1.1                     192.168.2.1

This is all set up on a 100mb ethernet LAN.

When pinging the box with the IPsec link active, I'm getting
suboptimal response times:

box1 ~ % ping box2
PING box2.internal (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=63 time=35.338 ms
64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=34.032 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=33.999 ms

With IPsec not active, response times are "normal" (~ 0.5ms)

I'm guessing these high response times are due to the low end hardware
in use. Box 1 is a 486DX4/100; Box 2 is a P90 (no laughing please!).
Would this assumption be correct?

Regards,

Nick

--
Excuse of the day:
Look, buddy: Windows 3.1 IS A General Protection Fault.

From owner-freebsd-security Tue Nov 6 22:46:20 2001
Date: Tue, 6 Nov 2001 22:46:16 -0800
From: Kris Kennaway
To: Nick Slager
Cc: freebsd-security@freebsd.org
Subject: Re: KAME IPsec on low-end hardware
Message-ID: <20011106224616.A37425@xor.obsecurity.org>
References: <20011107163846.H25762@BlueSkyFrog.COM>
In-Reply-To: <20011107163846.H25762@BlueSkyFrog.COM>; from ns@BlueSkyFrog.COM on Wed, Nov 07, 2001 at 04:38:46PM +1000
On Wed, Nov 07, 2001 at 04:38:46PM +1000, Nick Slager wrote:
> box1 ~ % ping box2
> PING box2.internal (192.168.2.1): 56 data bytes
> 64 bytes from 192.168.2.1: icmp_seq=0 ttl=63 time=35.338 ms
> 64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=34.032 ms
> 64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=33.999 ms
>
> With IPsec not active, response times are "normal" (~ 0.5ms)
>
> I'm guessing these high response times are due to the low end hardware
> in use. Box 1 is a 486DX4/100; Box 2 is a P90 (no laughing please!).
> Would this assumption be correct?

Seems reasonable. Your throughput will definitely be CPU-bound here.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE76Ni4Wry0BWjoQKURAuwCAKCsCTaLNeHV/eUkwQOjB4i9KvgA0gCfTGeg
zGbJ4fRoNg7M860cnH24Bnk=
=uCoY
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Nov 7 0:31: 2 2001
From: Darren Reed
Message-Id: <200111070830.fA78Uu0W029670@cairo.anu.edu.au>
Subject: Re: KAME IPsec on low-end hardware
To:
  ns@BlueSkyFrog.COM (Nick Slager)
Date: Wed, 7 Nov 2001 19:30:56 +1100 (Australia/NSW)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20011107163846.H25762@BlueSkyFrog.COM> from "Nick Slager" at Nov 07, 2001 04:38:46 PM

In some mail from Nick Slager, sie said:
>
> Just set up my first IPsec link between two 4.4-REL boxes. They are
> connected thusly:
>
>         IPsec          Linux           IPsec
>         Box 1  -----  router box  -----  Box 2
>      192.168.1.1                     192.168.2.1
>
> This is all set up on a 100mb ethernet LAN.
>
> When pinging the box with the IPsec link active, I'm getting
> suboptimal response times:
>
> box1 ~ % ping box2
> PING box2.internal (192.168.2.1): 56 data bytes
> 64 bytes from 192.168.2.1: icmp_seq=0 ttl=63 time=35.338 ms
> 64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=34.032 ms
> 64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=33.999 ms
>
> With IPsec not active, response times are "normal" (~ 0.5ms)

That doesn't sound normal to me.

I've been using IPsec on an OpenBSD/sparc (IPX) box which is
definitely not faster than either the DX4/100 or P90 and my
ping times are still in the 3-5 ms range to a NetBSD/Celeron-533.
In the absence of IPsec, ping times are sub-1ms. These are
on the same LAN (no router between them), however. That is
using DES-MD5.
From owner-freebsd-security Wed Nov 7 4:31:55 2001
Date: Wed, 7 Nov 2001 22:31:49 +1000
From: Nick Slager
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: KAME IPsec on low-end hardware
Message-ID: <20011107223149.A31603@BlueSkyFrog.COM>
References: <20011107163846.H25762@BlueSkyFrog.COM>
  <200111070830.fA78Uu0W029670@cairo.anu.edu.au>
In-Reply-To: <200111070830.fA78Uu0W029670@cairo.anu.edu.au>; from avalon@cairo.anu.edu.au on Wed, Nov 07, 2001 at 07:30:56PM +1100

Thus spake Darren Reed (avalon@cairo.anu.edu.au):
> > 64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=34.032 ms
> > 64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=33.999 ms
> >
> > With IPsec not active, response times are "normal" (~ 0.5ms)
>
> That doesn't sound normal to me.
>
> I've been using IPsec on an OpenBSD/sparc (IPX) box which is
> definitely not faster than either the DX4/100 or P90 and my
> ping times are still in the 3-5 ms range to a NetBSD/Celeron-533.
> In the absence of IPsec, ping times are sub-1ms.
> These are on the same LAN (no router between them), however. That is
> using DES-MD5.

Hmmm, odd. I've just changed the encryption/hash to DES/MD5.
No change in response times.

I will take the router box out of the loop tomorrow and
see how things go, but don't think that's the problem.

Nick

--
Excuse of the day:
Password is too complex to decrypt

From owner-freebsd-security Wed Nov 7 6:21:13 2001
Message-ID: <3BE94334.488CC3A8@centtech.com>
Date: Wed, 07 Nov 2001 08:20:36 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: Nick Slager
Cc: Darren Reed, freebsd-security@freebsd.org
Subject: Re: KAME IPsec on low-end hardware
References: <20011107163846.H25762@BlueSkyFrog.COM>
  <200111070830.fA78Uu0W029670@cairo.anu.edu.au>
  <20011107223149.A31603@BlueSkyFrog.COM>

I have done many experiments with this, and never seen over 10ms ping
times, using 2 486-133's to do the ipsec tunneling..
sounds like maybe something isn't set up just right.. ping every IP you
know of, and see if anything else has high ping times, also, if there are
multiple IP's on the ipsec boxes, try pinging from each of those to see
how it turns out.. try turning encryption off, just using a tunnel..
anyway, I'm using blowfish (which seems to be one of the slowest) and
still get sub 10ms ping times (usually 5-8ms).

Eric

Nick Slager wrote:
>
> Thus spake Darren Reed (avalon@cairo.anu.edu.au):
> > > 64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=34.032 ms
> > > 64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=33.999 ms
> > >
> > > With IPsec not active, response times are "normal" (~ 0.5ms)
> >
> > That doesn't sound normal to me.
> >
> > I've been using IPsec on an OpenBSD/sparc (IPX) box which is
> > definitely not faster than either the DX4/100 or P90 and my
> > ping times are still in the 3-5 ms range to a NetBSD/Celeron-533.
> > In the absence of IPsec, ping times are sub-1ms. These are
> > on the same LAN (no router between them), however. That is
> > using DES-MD5.
>
> Hmmm, odd. I've just changed the encryption/hash to DES/MD5.
> No change in response times.
>
> I will take the router box out of the loop tomorrow and
> see how things go, but don't think that's the problem.
>
> Nick
>
> --
> Excuse of the day:
> Password is too complex to decrypt

--
-------------------------------------------------------------
Eric Anderson      anderson@centtech.com      Centaur Technology
No single raindrop believes it is to blame for the flood.
-------------------------------------------------------------

From owner-freebsd-security Wed Nov 7 10:29: 7 2001
Date: Wed, 7 Nov 2001 13:28:53 -0500
From: GuRU
To: freebsd-security@freebsd.org
Subject: problems with clients behind ipf/ipnat firewall
Message-ID: <20011107132853.B7624@nubisci.net>
Mail-Followup-To: freebsd-security@freebsd.org
X-Operating-System: FreeBSD 5.0-CURRENT i386
WWW-Home-Page: http://www.nubisci.net

Hello folks

I'm having some problems with my firewall setup and could use some
insight/advice. I have a cable modem with a static ip. My gateway box is
running -current. I'm seeing problems with both ipf/ipnat and ipfw/natd,
but for the purpose of this email I'll use my ipf/ipnat configuration.

Here's the deal: for all kinds of access to the internet, everything is
slow or times out except ping, while everything from my gateway box is
fine. My gateway box is running -current, while the clients are running
4.3-Release.
Here are some examples of what I'm seeing:

client box (FreeBSD kaleidoscope.nubisci.net 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sat Apr 21 10:54:49 GMT 2001 jkh@narf.osd.bsdi.com:/usr/src/sys/compile/GENERIC i386)

kaleidoscope.nubisci.net:guru% ping -c 10 bantu.cl.msu.edu
PING bantu.cl.msu.edu (35.8.3.18): 56 data bytes
64 bytes from 35.8.3.18: icmp_seq=0 ttl=60 time=4.382 ms
64 bytes from 35.8.3.18: icmp_seq=1 ttl=60 time=3.986 ms
64 bytes from 35.8.3.18: icmp_seq=2 ttl=60 time=3.633 ms
64 bytes from 35.8.3.18: icmp_seq=3 ttl=60 time=5.451 ms
64 bytes from 35.8.3.18: icmp_seq=4 ttl=60 time=3.545 ms
64 bytes from 35.8.3.18: icmp_seq=5 ttl=60 time=3.861 ms
64 bytes from 35.8.3.18: icmp_seq=6 ttl=60 time=3.512 ms
64 bytes from 35.8.3.18: icmp_seq=7 ttl=60 time=4.xxx ms
64 bytes from 35.8.3.18: icmp_seq=8 ttl=60 time=3.750 ms
64 bytes from 35.8.3.18: icmp_seq=9 ttl=60 time=6.950 ms

--- bantu.cl.msu.edu ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.512/4.318/6.950/1.030 ms

gateway box (FreeBSD ganja.nubisci.net 5.0-CURRENT FreeBSD 5.0-CURRENT #51: Wed Nov 7 09:16:18 EST 2001 root@ganja.nubisci.net:/usr/src/sys/i386/compile/GANJA i386)

ganja.nubisci.net:guru% ping -c 10 bantu.cl.msu.edu
PING bantu.cl.msu.edu (35.8.3.18): 56 data bytes
64 bytes from 35.8.3.18: icmp_seq=0 ttl=61 time=3.469 ms
64 bytes from 35.8.3.18: icmp_seq=1 ttl=61 time=2.890 ms
64 bytes from 35.8.3.18: icmp_seq=2 ttl=61 time=2.795 ms
64 bytes from 35.8.3.18: icmp_seq=3 ttl=61 time=4.070 ms
64 bytes from 35.8.3.18: icmp_seq=4 ttl=61 time=8.061 ms
64 bytes from 35.8.3.18: icmp_seq=5 ttl=61 time=2.877 ms
64 bytes from 35.8.3.18: icmp_seq=6 ttl=61 time=9.180 ms
64 bytes from 35.8.3.18: icmp_seq=7 ttl=61 time=3.613 ms
64 bytes from 35.8.3.18: icmp_seq=8 ttl=61 time=3.202 ms
64 bytes from 35.8.3.18: icmp_seq=9 ttl=61 time=3.788 ms

--- bantu.cl.msu.edu ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.795/4.394/9.180/2.164 ms

Ok now here are the results of traceroute -S

client box:

kaleidoscope.nubisci.net:guru% traceroute -S bantu.cl.msu.edu
traceroute to bantu.cl.msu.edu (35.8.3.18), 30 hops max, 40 byte packets
 1  ganja (192.168.0.1)  0.522 ms  0.434 ms  0.390 ms (0% loss)
 2  xxx.xxx.xxx.193 (xxx.xxx.xxx.193)  3.462 ms  *  5.353 ms (33% loss)
 3  * com-rtr-ve61.net.msu.edu (35.12.51.1)  6.028 ms  * (66% loss)
 4  cc-rtr-ge15.net.msu.edu (35.9.101.13)  7.252 ms  *  3.242 ms (33% loss)
 5  * bantu.cl.msu.edu (35.8.3.18)  5.814 ms  * (66% loss)

as you can see I start seeing collisions once packets hit my upstream
gateway :(

now from my gateway box:

ganja.nubisci.net:guru% traceroute -S bantu.cl.msu.edu
traceroute to bantu.cl.msu.edu (35.8.3.18), 64 hops max, 40 byte packets
 1  xxx.xxx.xxx.193 (xxx.xxx.xxx.193)  3.466 ms  2.871 ms  5.716 ms (0% loss)
 2  com-rtr-ve61.net.msu.edu (35.12.51.1)  2.565 ms  2.781 ms  2.711 ms (0% loss)
 3  cc-rtr-ge15.net.msu.edu (35.9.101.13)  2.767 ms  7.298 ms  4.367 ms (0% loss)
 4  bantu.cl.msu.edu (35.8.3.18)  2.516 ms  2.121 ms  1.997 ms (0% loss)

no problems whatsoever.

Now I've upgraded nic's, cables, switched the public/private nics and the
results are the same. If it's h/w I'm at a loss at what it can be except
maybe the mobo or the cable modem, but I can't see why as the gateway
performs without any issues. I've tried many different ipf configurations
and even with very permissive rules, I see the same symptoms :(.
Here are my current ipf.rules and ipnat.rules files:

# /etc/ipf.rules
# ipf.rules
# interface naming:
# fxp0 = internet, addr=xxx.xxx.xxx.215/32
# fxp1 = local private net, addr=192.168.0.1/24
#
# generic to all interfaces
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick proto tcp all with short
block in log quick proto icmp all with frag
pass in quick on fxp0 proto tcp/udp from xxx.xxx.xxx.215/3 to ANY keep state

# rules for the external fxp0 interface
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 22 flags S keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 25 flags S keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 53 flags S keep state
pass in quick on fxp0 proto udp from any to xxx.xxx.xxx.215/32 port = 53 keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 110 flags S keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 113 flags S keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 443 flags S keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 6000 flags S keep state
block in log on fxp0 all
block return-rst in log quick on fxp0 proto tcp all flags S
block return-icmp-as-dest(port-unr) in log quick on fxp0 proto udp all

# now keep state at the external interface on outgoing traffic:
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
pass out quick on fxp0 from any to any
#
# rules for the internal fxp1 interface
# let the internal and loopback interfaces run free, but
# squelch the netbios stuff so it doesn't create ipf states:
block in quick on fxp1 from any to any port = 137
block in quick on fxp1 from any to any port = 138
block in quick on fxp1 from any to any port = 139
block in quick on fxp1 from any port = 137 to any
block in quick on fxp1 from any port = 138 to any
block in quick on fxp1 from any port = 139 to any
pass in quick on fxp1 all
pass out quick on fxp1 all
#
# no restrictions on loopback
pass in quick on lo0 all
pass out quick on lo0 all

and here's my ipnat.rules

#/etc/ipnat.rules
map fxp0 192.168.0.1/24 -> xxx.xxx.xxx.215/32 proxy port ftp ftp/tcp
map fxp0 192.168.0.1/24 -> xxx.xxx.xxx.215/32 portmap tcp/udp 1025:65000
map fxp0 192.168.0.1/24 -> xxx.xxx.xxx.215/32

any thoughts/ideas/criticisms? :)

--
"Comparing information and knowledge is like asking whether the fatness
of a pig is more or less green than the designated hitter rule."
  -- David Guaspari

From owner-freebsd-security Wed Nov 7 15:24: 2 2001
Date: Wed, 7 Nov 2001 15:23:54 -0800 (PST)
From: David Kirchner
To: Magdalinin Kirill
Subject: Re: Chrooted SSH2 problem
Message-ID: <20011107152206.C44499-100000@localhost>

On Mon, 5 Nov 2001, Magdalinin Kirill wrote:

> If you want to allow a couple of users at your box, then
> placing sh (which is statically linked) in
> /home/chrooted/dummy/bin/ should do the trick. If there
> must be many users, then consider making bin, usr and
> even var directories under /home/chrooted, and chroot
> all users to /home/chrooted. All binaries in bin, usr must
> be statically linked or you will have to place all necessary
> libraries over there, which is a security risk(?).

Thankfully, you can get away with setting up a "skeleton" directory on
that mountpoint and then creating hard links (with ln) from the skeleton
directory to each chroot'd user directory. Note that this will only work
(effectively) for regular files.

From owner-freebsd-security Wed Nov 7 16:54:32 2001
Date: Thu, 8 Nov 2001 10:54:21 +1000
From: Nick Slager
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: KAME IPsec on low-end hardware
Message-ID: <20011108105421.A3785@BlueSkyFrog.COM>
References: <20011107163846.H25762@BlueSkyFrog.COM>
  <200111070830.fA78Uu0W029670@cairo.anu.edu.au>
  <20011107223149.A31603@BlueSkyFrog.COM>
In-Reply-To: <20011107223149.A31603@BlueSkyFrog.COM>; from ns@BlueSkyFrog.COM on Wed, Nov 07, 2001 at 10:31:49PM +1000
Thus spake Nick Slager (ns@BlueSkyFrog.COM):
> Thus spake Darren Reed (avalon@cairo.anu.edu.au):
> > > 64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=34.032 ms
> > > 64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=33.999 ms
> > >
> > > With IPsec not active, response times are "normal" (~ 0.5ms)
> >
> > That doesn't sound normal to me.
> >
> > I've been using IPsec on an OpenBSD/sparc (IPX) box which is
> > definitely not faster than either the DX4/100 or P90 and my
> > ping times are still in the 3-5 ms range to a NetBSD/Celeron-533.
> > In the absence of IPsec, ping times are sub-1ms. These are
> > on the same LAN (no router between them), however. That is
> > using DES-MD5.
>
> Hmmm, odd. I've just changed the encryption/hash to DES/MD5.
> No change in response times.

Hmmm, seems that I failed to do this correctly last night :-\

Changing the encryption/hash to DES/MD5 *does* indeed make a difference
to response times; I'm consistently seeing rtt times of 13-14ms now.

Compare this to the "default" triple-DES/SHA-1 scheme, which
consistently comes in at 33-34ms.

I suspect that compression would also affect response times, but
omitting:

compression_algorithm deflate;

from racoon.conf results in a parse error. Does anyone know if
compression can be disabled?

Also, is there much difference between racoon and isakmpd? AFAICT isakmpd
supports dynamic client IP addresses, but that seems to be the only major
difference.
Regards,

Nick

--
Excuse of the day:
Internet outage

From owner-freebsd-security Wed Nov 7 16:57:38 2001
Date: Wed, 7 Nov 2001 18:57:31 -0600 (CST)
From: Mike Silbersack
To: Nick Slager
Cc: Darren Reed
Subject: Re: KAME IPsec on low-end hardware
In-Reply-To: <20011108105421.A3785@BlueSkyFrog.COM>
Message-ID: <20011107185550.K39446-100000@achilles.silby.com>

On Thu, 8 Nov 2001, Nick Slager wrote:

> > Hmmm, odd. I've just changed the encryption/hash to DES/MD5.
> > No change in response times.
>
> Hmmm, seems that I failed to do this correctly last night :-\
>
> Changing the encryption/hash to DES/MD5 *does* indeed make a difference
> to response times; I'm consistently seeing rtt times of 13-14ms now.
>
> Compare this to the "default" triple-DES/SHA-1 scheme, which
> consistently comes in at 33-34ms.

Well, if you have a lot of free time, you could try wedging the openssl
assembly cores into the kernel; they perform about 2x faster than their
C equivalents, at least on p5 and better processors.
Mike "Silby" Silbersack

From owner-freebsd-security Wed Nov 7 18: 2:14 2001
Date: Wed, 07 Nov 2001 19:02:09 -0700 (MST)
From: David Bear
Subject: sharing /etc/passwd
To: FreeBSD Security List

I need to sync /etc/passwd and /etc/group among multiple machines. I was
thinking ldap would be a good method but am concerned about

1) the most secure way to do it
2) the most stable
3) things I don't know about this but should...

any pointers to man pages/docs would be appreciated.
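Two posts in this digest come down to producing a trimmed copy of the password database: Peter Pentchev's recipe in the "Chrooted SSH2 problem" thread (fgrep the user's lines from /etc/passwd and /etc/master.passwd into the chroot's etc/ and run pwd_mkdb -d so spwd.db exists there) and the question just above about keeping /etc/passwd and /etc/group consistent across machines. The following is an added example, not code from the list thread or from FreeBSD. It generalizes the recipe: it keys on the login-name field exactly (a plain fgrep also keeps any line that merely contains the name, in a GECOS field or in a longer login such as dummy2), it keeps only the groups the selected users need and strips other members from them, and it runs pwd_mkdb -d only when that tool exists. The master.passwd and group contents are constructed for the example, and the chroot root is a temporary directory.

```python
"""Minimal passwd/master.passwd/group set for a chrooted account (added example).

Generalizes the 'fgrep username ... ; pwd_mkdb -d ...' recipe: exact match on
the login-name field, trimmed group membership, databases built in the
chroot's etc/ with pwd_mkdb -d when available.  Sample contents are
constructed; nothing here reads the real /etc.
"""
import os
import shutil
import subprocess
import tempfile

# Constructed sample master.passwd(5) (10 fields) and group(5) (4 fields).
SAMPLE_MASTER_PASSWD = """\
root:$1$hash$xxxxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
dummy:$1$hash$yyyyyyyyyyyyyyyyyyyyyy:1001:1001::0:0:Chroot dummy:/home/chrooted/dummy:/bin/sh
dummy2:$1$hash$zzzzzzzzzzzzzzzzzzzzzz:1002:1001::0:0:Second user:/home/dummy2:/bin/sh
alice:*:1003:1003::0:0:Alice (old dummy account):/home/alice:/bin/sh
"""
SAMPLE_GROUP = """\
wheel:*:0:root,alice
chrooted:*:1001:dummy,dummy2
users:*:1003:alice,dummy
staff:*:20:
"""


def fgrep_matches(text, needle):
    """What 'fgrep needle file' would keep: every line containing the substring."""
    return [line for line in text.splitlines() if needle in line]


def select_passwd_lines(text, users):
    """Keep only lines whose login name (first field) is exactly one of `users`."""
    users = set(users)
    return [line for line in text.splitlines()
            if line and not line.startswith("#")
            and line.split(":", 1)[0] in users]


def master_to_passwd(master_lines):
    """Derive passwd(5) lines from master.passwd(5) lines, leaving the hash out."""
    out = []
    for line in master_lines:
        f = line.split(":")
        if len(f) != 10:
            raise ValueError("not a master.passwd line: %r" % line)
        # name:pw:uid:gid:class:change:expire:gecos:home:shell
        #   -> name:*:uid:gid:gecos:home:shell
        out.append(":".join([f[0], "*", f[2], f[3], f[7], f[8], f[9]]))
    return out


def select_group_lines(text, users, master_lines):
    """Keep groups that are a selected user's primary gid or list one as a
    member; drop every other member so the chroot learns nothing about them."""
    users = set(users)
    primary_gids = {line.split(":")[3] for line in master_lines}
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, gid, members = line.split(":", 3)
        kept = [m for m in members.split(",") if m in users]
        if gid in primary_gids or kept:
            out.append(":".join([name, pw, gid, ",".join(kept)]))
    return out


def write_chroot_etc(root, users, master_text, group_text):
    """Write etc/{master.passwd,passwd,group} under `root` and, when pwd_mkdb(8)
    is present (FreeBSD), build pwd.db/spwd.db there with 'pwd_mkdb -d DIR FILE'."""
    etc = os.path.join(root, "etc")
    os.makedirs(etc, exist_ok=True)
    master = select_passwd_lines(master_text, users)
    files = {
        "master.passwd": (master, 0o600),  # carries hashes: root-only
        "passwd": (master_to_passwd(master), 0o644),
        "group": (select_group_lines(group_text, users, master), 0o644),
    }
    for name, (lines, mode) in files.items():
        path = os.path.join(etc, name)
        with open(path, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        os.chmod(path, mode)
    if shutil.which("pwd_mkdb"):
        subprocess.run(["pwd_mkdb", "-d", etc, os.path.join(etc, "master.passwd")],
                       check=True)
    return {name: lines for name, (lines, _) in files.items()}


def build_demo_chroot(users=("dummy",)):
    """Run the whole procedure on the constructed sample in a temporary root."""
    root = tempfile.mkdtemp(prefix="chroot-demo-")
    result = write_chroot_etc(root, users, SAMPLE_MASTER_PASSWD, SAMPLE_GROUP)
    result["root"] = root
    return result


if __name__ == "__main__":
    demo = build_demo_chroot()
    print("chroot root:", demo["root"])
    for name in ("passwd", "group"):
        print("--", name)
        print("\n".join(demo[name]))
    print("fgrep 'dummy' would have kept %d master.passwd lines instead of 1"
          % len(fgrep_matches(SAMPLE_MASTER_PASSWD, "dummy")))
```

Run as root on the target host with `users` set to the chrooted login and `root` pointing at the chroot (the poster's /home/chrooted/dummy); the same selection functions, fed a central master.passwd, also give a deterministic per-host subset to distribute, which is the consistency property the question above is after.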
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 7 18:18:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from spitfire.velocet.net (spitfire.velocet.net [216.138.223.227]) by hub.freebsd.org (Postfix) with ESMTP id 1DA6C37B419 for ; Wed, 7 Nov 2001 18:18:24 -0800 (PST) Received: from nomad.tor.lets.net (H74.C220.tor.velocet.net [216.138.220.74]) by spitfire.velocet.net (Postfix) with SMTP id 9A9F044AB66 for ; Thu, 8 Nov 2001 02:18:22 +0000 (GMT) Received: (qmail 7837 invoked by uid 1001); 8 Nov 2001 02:13:16 -0000 Date: Wed, 7 Nov 2001 21:13:16 -0500 From: Steve Shorter To: David Bear Cc: FreeBSD Security List Subject: Re: sharing /etc/passwd Message-ID: <20011107211316.A7830@nomad.lets.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from David.Bear@asu.edu on Wed, Nov 07, 2001 at 07:02:09PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Nov 07, 2001 at 07:02:09PM -0700, David Bear wrote: > > I need to sync /etc/passwd and /etc/group among multiple machines. I was > thinking ldap would be a good method but am concerned about > > 1) the most secure way to do it > 2) the most stable > 3) things I don't know about this but should... > > any pointers to man pages/docs would be appreciated. Hmm... how about rsync? 
/usr/ports/net/rsync -steve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 7 18:50:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from clmboh1-smtp3.columbus.rr.com (clmboh1-smtp3.columbus.rr.com [65.24.0.112]) by hub.freebsd.org (Postfix) with ESMTP id 9EFE837B405 for ; Wed, 7 Nov 2001 18:50:26 -0800 (PST) Received: from vectra (dhcp235214.columbus.rr.com [204.210.235.214]) by clmboh1-smtp3.columbus.rr.com (8.11.2/8.11.2) with SMTP id fA82k7T27956; Wed, 7 Nov 2001 21:46:07 -0500 (EST) Message-Id: <4.1.20011107214347.0091ce80@pop.service.ohio-state.edu> X-Sender: kennsmit@none (Unverified) X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Wed, 07 Nov 2001 21:45:43 -0500 To: freebsd-security@FreeBSD.ORG From: K Smith Subject: Re:firewall question Cc: tomg@trancer.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Tom: I would suggest double checking each IP configuration (including subnet mask). The next step is to use basic tools such as ping, traceroute and arp to determine the behavior of your network. Utilize a traffic analyzer such as tcpdump or ethereal and an ethernet hub (if you are using a switch) if you haven't discovered the source of the problem using the previous steps. Your problem could be complex, but will most likely be caused by a simple configuration error. BTW: You would probably get a better response posting this to a more general Q&A list, as it doesn't particularly pertain to security. Good Luck! ks >I've been playing with setting up a firewall. This is the setup: >The firewall PC is running FreeBSD 4.4 with the default 'simple' firewall >running. 
> There are two ethernet cards in it, one at IP 206.147.211.9 talking
> to the outside network. The other ethernet card is using IP 10.0.0.1 and is
> talking to an internal network of two PCs.
> One PC is running FreeBSD 4.4 and is at IP 10.0.0.2 and the other PC is
> running Win98 and is at IP 10.0.0.3. Both are using 10.0.0.1 as the default
> gateway.
> If both machines are plugged into the network and running everything seems to
> be working fine. However as soon as I shut down the Win98 box or unplug it
> from the network, the FreeBSD machine can't communicate out of the firewall
> anymore. Plug the Win98 box back in and it starts working again.
> Any suggestions? TIA
> --
> Tom Greenwalt (F.O.E.) Trancer Software Inc. tomg@trancer.com
> 9099 7th Street NE http://www.trancer.com/
> Minneapolis, MN 55434-1113 http://www.trancer.com/~tomg
> ---- When I'm good I'm very good, when I'm bad I'm better, ----
> ---------- But when I'm evil you better run. -------------

From owner-freebsd-security Wed Nov 7 19:37:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-168.zoominternet.net [24.154.28.168]) by hub.freebsd.org (Postfix) with ESMTP id 0473937B418 for ; Wed, 7 Nov 2001 19:37:16 -0800 (PST) Received: from topperwein.dyndns.org (topperwein.dyndns.org [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id fA83bWF17460 for ; Wed, 7 Nov 2001 22:37:36 -0500 (EST) (envelope-from behanna@zbzoom.net) Date: Wed, 7 Nov 2001 22:37:27 -0500 (EST) From: Chris BeHanna Reply-To: Chris BeHanna To: Subject: Re: sharing /etc/passwd In-Reply-To: Message-ID: <20011107223549.B80839-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe:
List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 7 Nov 2001, David Bear wrote: > > I need to sync /etc/passwd and /etc/group among multiple machines. I was > thinking ldap would be a good method but am concerned about > > 1) the most secure way to do it > 2) the most stable > 3) things I don't know about this but should... > > any pointers to man pages/docs would be appreciated. NIS is the standard way to do this. I dunno if FreeBSD supports NIS+, which buys you encryption when the maps are pushed from masters to slaves, and for ypbind queries to ypserv (standard NIS does this in cleartext). -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net I was raised by a pack of wild corn dogs. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 7 19:37:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id ADFD837B417 for ; Wed, 7 Nov 2001 19:37:37 -0800 (PST) Received: (from emechler@localhost) by radix.cryptio.net (8.11.6/8.11.6) id fA83bah72147; Wed, 7 Nov 2001 19:37:36 -0800 (PST) (envelope-from emechler) Date: Wed, 7 Nov 2001 19:37:36 -0800 From: Erick Mechler To: David Bear Cc: FreeBSD Security List Subject: Re: sharing /etc/passwd Message-ID: <20011107193736.V64838@techometer.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from David Bear on Wed, Nov 07, 2001 at 07:02:09PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org How 'bout PAM? /usr/ports/security/pam_ldap. If you have machines that can't do PAM, perhaps NIS is the way to go (assuming, of course, you're behind a firewall). 
You can store login information in LDAP like you want, then use a home-grown script to extract the information to a NIS map. Or, if you have a Solaris 8 machine lying around, you can cut out the middle step and use Sun's NIS server which can backend directly into LDAP. Cheers - Erick At Wed, Nov 07, 2001 at 07:02:09PM -0700, David Bear said this: :: :: I need to sync /etc/passwd and /etc/group among multiple machines. I was :: thinking ldap would be a good method but am concerned about :: :: 1) the most secure way to do it :: 2) the most stable :: 3) things I don't know about this but should... :: :: any pointers to man pages/docs would be appreciated. :: :: :: To Unsubscribe: send mail to majordomo@FreeBSD.org :: with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 7 19:47:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from post2.inre.asu.edu (post2.inre.asu.edu [129.219.110.73]) by hub.freebsd.org (Postfix) with ESMTP id E70E437B416 for ; Wed, 7 Nov 2001 19:47:36 -0800 (PST) Received: from conversion.post2.inre.asu.edu by asu.edu (PMDF V6.1 #40111) id <0GMG00D01QJCWU@asu.edu> for security@freebsd.org; Wed, 07 Nov 2001 20:47:36 -0700 (MST) Received: from smtp.asu.edu (smtp.asu.edu [129.219.13.92]) by asu.edu (PMDF V6.1 #40111) with ESMTP id <0GMG00D3BQJCPC@asu.edu> for security@freebsd.org; Wed, 07 Nov 2001 20:47:36 -0700 (MST) Received: from moroni.pp.asu.edu (moroni.pp.asu.edu [129.219.120.183]) by smtp.asu.edu (8.9.3/8.9.3) with ESMTP id UAA03985 for ; Wed, 07 Nov 2001 20:47:36 -0700 (MST) Date: Wed, 07 Nov 2001 20:47:35 -0700 (MST) From: David Bear Subject: NIS, rsync, and LDAP Re: sharing /etc/passwd In-reply-to: <20011107223549.B80839-100000@topperwein.dyndns.org> X-X-Sender: To: security@freebsd.org Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 7 Nov 2001, Chris BeHanna wrote:
> On Wed, 7 Nov 2001, David Bear wrote:
> > I need to sync /etc/passwd and /etc/group among multiple machines. I was
> > thinking ldap would be a good method but am concerned about
> >
> > 1) the most secure way to do it
> > 2) the most stable
> > 3) things I don't know about this but should...
> >
> > any pointers to man pages/docs would be appreciated.
>
> NIS is the standard way to do this. I dunno if FreeBSD supports
> NIS+, which buys you encryption when the maps are pushed from masters
> to slaves, and for ypbind queries to ypserv (standard NIS does this in
> cleartext).

other recommendations include ldap_pam and rsync.

Thanks for the suggestions. I was not even considering NIS because of what I have heard about security issues with it. I live in a completely untrusted network. So, it really needs to be safe.

It would be nice to be able to share /etc/passwd between Linux and FreeBSD -- so some layer of abstraction like an ldap_pam would be great. I didn't know ldap pam existed. I'll look into it.

any other pointers?

From owner-freebsd-security Wed Nov 7 21: 1:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from web14501.mail.yahoo.com (web14501.mail.yahoo.com [216.136.224.64]) by hub.freebsd.org (Postfix) with SMTP id A6F6337B405 for ; Wed, 7 Nov 2001 21:01:09 -0800 (PST) Message-ID: <20011108050109.25500.qmail@web14501.mail.yahoo.com> Received: from [63.204.249.241] by web14501.mail.yahoo.com via HTTP; Wed, 07 Nov 2001 21:01:09 PST Date: Wed, 7 Nov 2001 21:01:09 -0800 (PST) From: Jano Lukac Subject: Re: NIS, rsync, and LDAP Re: sharing /etc/passwd To: security@freebsd.org In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--- David Bear wrote:
> other recommendations include ldap_pam and rsync.
>
> Thanks for the suggestions. I was not even considering NIS because of
> what I have heard about security issues with it. I live in a completely
> untrusted network. So, it really needs to be safe.
>
> It would be nice to be able to share /etc/passwd between Linux and FreeBSD
> -- so some layer of abstraction like an ldap_pam would be great. I didn't
> know ldap pam existed. I'll look into it.
The ldap_pam stuff is cool as it works; it could be considered "secure" because new implementations of the openldap 2 have connections via ssl, or you could wrap the old openldap 1 through an stunnel.

But a small warning: I've been working about a month now trying to figure out how to allow users to change passwords, without luck. I went as far as setting up an ldap v3 with pam->ldap->sasl->kerberos, no luck. Additionally, I've recently received word that the openldap c-libs have memory leaks (unsure how true this is); there are the other ldap libs, though *shrug*

Which reminds me.. another alternative for secure, remote authentication without copying passwd/shadow files is through kerberos (unsure about freebsd support for kerberos).

Jano

From owner-freebsd-security Wed Nov 7 21: 9:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from mine.kame.net (kame195.kame.net [203.178.141.195]) by hub.freebsd.org (Postfix) with ESMTP id 1CA4037B405 for ; Wed, 7 Nov 2001 21:09:52 -0800 (PST) Received: from localhost ([3ffe:501:4819:bbbb::2]) by mine.kame.net (8.11.1/3.7W) with ESMTP id fA855BE14571; Thu, 8 Nov 2001 14:05:11 +0900 (JST) To: ns@BlueSkyFrog.COM Cc: avalon@cairo.anu.edu.au, freebsd-security@FreeBSD.ORG Subject: Re: KAME IPsec on low-end hardware In-Reply-To: Your message of "Thu, 8 Nov 2001 10:54:21 +1000" <20011108105421.A3785@BlueSkyFrog.COM> References: <20011108105421.A3785@BlueSkyFrog.COM> X-Mailer: Cue version 0.6 (011026-1440/sakane) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Message-Id: <20011108140840L.sakane@kame.net> Date: Thu, 08 Nov 2001
14:08:40 +0900 From: Shoichi Sakane X-Dispatcher: imput version 20000228(IM140) Lines: 18 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> I suspect that compression would also affect response times, but
> omitting:
>
> compression_algorithm deflate;
>
> from racoon.conf results in a parse error. Does anyone know if
> compression can be disabled?

"compression_algorithm deflate;" is just information. The compression algorithm is not used merely because it is in the configuration file. When you define ipcomp in the SPD, then compression will be used.

> Also, is there much difference between racoon and isakmpd? AFAICT
> isakmpd supports dynamic client IP addresses, but that seems to be the
> only major difference.

racoon can do that too.

From owner-freebsd-security Wed Nov 7 21:15: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from peony.ezo.net (peony.ezo.net [206.102.130.11]) by hub.freebsd.org (Postfix) with ESMTP id 5683F37B416 for ; Wed, 7 Nov 2001 21:15:02 -0800 (PST) Received: from savvyd (c3-1a119.neo.rr.com [24.93.230.119]) by peony.ezo.net (8.11.0.Beta3/8.11.0.Beta3) with SMTP id fA85JG636420; Thu, 8 Nov 2001 00:19:16 -0500 (EST) Message-ID: <001b01c16814$48a1ea50$22b197ce@ezo.net> From: "Jim Flowers" To: "David Bear" , References: Subject: Re: NIS, rsync, and LDAP Re: sharing /etc/passwd Date: Thu, 8 Nov 2001 00:14:45 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions)
List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org An advantage of Kerberos, perhaps? > > It would be nice to be able to share /etc/passwd between Linux and Freebsd > -- so some layer of abstraction like an ldap_pam would be great. I didn't > know ldap pam existed. I'll look into it. > > any other pointers? > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 7 21:19:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.hq.newdream.net (mail.hq.newdream.net [216.246.35.10]) by hub.freebsd.org (Postfix) with ESMTP id 2019737B416 for ; Wed, 7 Nov 2001 21:19:27 -0800 (PST) Received: from zugzug.hq.newdream.net (zugzug.hq.newdream.net [127.0.0.1]) by ravscan.zugzug.hq.newdream.net (Postfix) with SMTP id 21A993B394 for ; Wed, 7 Nov 2001 21:19:27 -0800 (PST) Received: by mail.hq.newdream.net (Postfix, from userid 1012) id F04A33B37D; Wed, 7 Nov 2001 21:19:26 -0800 (PST) Date: Wed, 7 Nov 2001 21:19:26 -0800 From: Will Yardley To: security@FreeBSD.ORG Subject: Re: NIS, rsync, and LDAP Re: sharing /etc/passwd Message-ID: <20011107211926.A28670@hq.newdream.net> Mail-Followup-To: security@FreeBSD.ORG References: <001b01c16814$48a1ea50$22b197ce@ezo.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <001b01c16814$48a1ea50$22b197ce@ezo.net> User-Agent: Mutt/1.3.23i Organization: New Dream Network Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Jim Flowers wrote: > > It would be nice to be able to share /etc/passwd between Linux and > > Freebsd -- so some layer of abstraction like an ldap_pam would be > > great. I didn't know ldap pam existed. 
I'll look into it. > An advantage of Kerberos, perhaps? we use the same database for multiple platforms by storing everything in a mysql database and then using a perl script to create the password files and push them onto the machines (and create the passwd db files for freebsd of course). perhaps not as elegant or complicated as ldap or kerberos, but it is pretty effective, and pretty secure since scp is used to copy the files from the controller machines. most of our machines are linux, but i've been working on getting everything working with freebsd, and that part seems to work ok so far (just a few changes in the passwd file format). the system will also update passwords in the db if a user has changed it. it doesn't currently add users that are added manually, although such a change would probably be trivial. the 'standard' users are stored as parameters and are appended to the top of every password / shadow / master.passwd file w -- GPG Public Key: http://infinitejazz.net/will/pgp/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 7 22: 1:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from loverboy.highspeedweb.net (loverboy.highspeedweb.net [204.181.12.40]) by hub.freebsd.org (Postfix) with SMTP id 00AEA37B405 for ; Wed, 7 Nov 2001 22:01:51 -0800 (PST) Received: (qmail 23947 invoked by uid 510); 8 Nov 2001 06:01:36 -0000 Received: from unknown (HELO padjajaran) (202.150.91.162) by progs4wealth.com with SMTP; 8 Nov 2001 06:01:36 -0000 Message-ID: <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com> From: "Purwa R. 
Sastro" To: References: <001b01c16814$48a1ea50$22b197ce@ezo.net> Subject: reboot,ctrl+alt+del,shutdown Date: Thu, 8 Nov 2001 13:07:44 +0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Dear FreeBSDer,

I just wanna ask again... oops, sorry, newcomer. ;-)

I wanna set up my machine (FreeBSD 3.3-RELEASE) so that nobody (not even root) can have any effect by pressing CTRL+ALT+DEL or by running the reboot or shutdown command. What script should I set up?

Thx for your help.

Best Rgds,
Purwa Riadi

From owner-freebsd-security Wed Nov 7 22:47:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id 90E9637B41B for ; Wed, 7 Nov 2001 22:47:33 -0800 (PST) Received: by elvis.mu.org (Postfix, from userid 1098) id 707DA81D01; Thu, 8 Nov 2001 00:47:28 -0600 (CST) Date: Thu, 8 Nov 2001 00:47:28 -0600 From: Bill Fumerola To: "Purwa R.
Sastro" Cc: security@FreeBSD.ORG Subject: Re: reboot,ctrl+alt+del,shutdown Message-ID: <20011108004728.W51024@elvis.mu.org> Reply-To: Bill Fumerola References: <001b01c16814$48a1ea50$22b197ce@ezo.net> <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com>; from purwa@progs4wealth.com on Thu, Nov 08, 2001 at 01:07:44PM +0700 X-Operating-System: FreeBSD 4.4-FEARSOME-20010909 i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Nov 08, 2001 at 01:07:44PM +0700, Purwa R. Sastro wrote:
> I wanna set up my machine (FreeBSD 3.3-RELEASE) so that nobody (not even root) can
> have any effect by pressing CTRL+ALT+DEL or by running the reboot or shutdown command.
> What script should I set up?

from /usr/src/sys/i386/conf/LINT, where you can find lots of useful kernel options:

options SC_DISABLE_REBOOT # disable reboot key sequence

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
- my anger management counselor can beat up your self-affirmation therapist

From owner-freebsd-security Wed Nov 7 23:14:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from swan.prod.itd.earthlink.net (swan.mail.pas.earthlink.net [207.217.120.123]) by hub.freebsd.org (Postfix) with ESMTP id 59A9337B405; Wed, 7 Nov 2001 23:14:37 -0800 (PST) Received: from dialup-209.245.128.79.dial1.sanjose1.level3.net ([209.245.128.79] helo=blossom.cjclark.org) by swan.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 161jOW-0000Z3-00; Wed, 07 Nov 2001 23:14:36 -0800 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fA87Dx350763; Wed, 7 Nov 2001
23:13:59 -0800 (PST) (envelope-from cjc) Date: Wed, 7 Nov 2001 23:13:59 -0800 From: "Crist J. Clark" To: GuRU Cc: freebsd-questions@FreeBSD.ORG Subject: Re: problems with clients behind ipf/ipnat firewall Message-ID: <20011107231359.J301@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20011107132853.B7624@nubisci.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011107132853.B7624@nubisci.net>; from guru@nubisci.net on Wed, Nov 07, 2001 at 01:28:53PM -0500 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

[This is not actually a security issue. Moved to -questions.]

On Wed, Nov 07, 2001 at 01:28:53PM -0500, GuRU wrote:

[snip]

> Ok now here are the results of traceroute -S
> client box:

Just for kicks, what does,

$ traceroute -Sn bantu.cl.msu.edu

Return? Some comparative tcpdump(8)s on the inner and outer interfaces would help too.

> # fxp0 = internet, addr=xxx.xxx.xxx.215/32

Not much of a point in trying to hide this. It's in your email header.

--
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 8 1: 8:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from virginia.yamato.ibm.co.jp (virginia.yamato.ibm.co.jp [203.141.89.165]) by hub.freebsd.org (Postfix) with ESMTP id 7AD3B37B417 for ; Thu, 8 Nov 2001 01:08:03 -0800 (PST) Received: from ns.trl.ibm.com (ns.trl.ibm.com [9.116.48.18]) by virginia.yamato.ibm.co.jp (8.11.6/3.7W/GW3.3) with ESMTP id fA896j104750; Thu, 8 Nov 2001 18:06:45 +0900 Received: from localhost by ns.trl.ibm.com (AIX4.3/8.9.3/TRL4.5SRV) id SAA26528; Thu, 8 Nov 2001 18:06:44 +0900 To: kris@obsecurity.org Cc: luc@2113.ch, freebsd-security@freebsd.org, kzaraska@student.uci.agh.edu.pl Subject: Re: BUFFER OVERFLOW EXPLOITS In-Reply-To: <20011029132504.A98067@xor.obsecurity.org> References: <3BDD11C8.4746A7BD@2113.ch> <20011029132504.A98067@xor.obsecurity.org> X-Mailer: Mew version 1.94b48 on Emacs 20.7 / Mule 4.0 (HANANOEN) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20011108180644Y.etoh@trl.ibm.com> Date: Thu, 08 Nov 2001 18:06:44 +0900 From: Hiroaki Etoh X-Dispatcher: imput version 990813(IM119) Lines: 16 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At Mon, 29 Oct 2001 13:25:04 -0800, Kris Kennaway wrote: > Because it can cause problems for certain things. The main one I've > found is XFree86, which will fail to run if you build it with > -fstack-protector. I think it's overriding CFLAGS in parts of the > build, which means that certain things aren't being compiled with > -fstack-protector and fail to link at runtime as a result. 
>
> I also found a spurious failure in another application which would
> cause it to hit the overflow trap even though nothing was apparently
> overflowing.

Could you send any bug report to me? I'll fix the problem.

Hiroaki Etoh

From owner-freebsd-security Thu Nov 8 03:01:23 2001
From: Chris BeHanna
Date: Thu, 8 Nov 2001 06:01:38 -0500 (EST)
Subject: Re: NIS, rsync, and LDAP Re: sharing /etc/passwd
In-Reply-To: <20011107211926.A28670@hq.newdream.net>
Message-ID: <20011108060035.E29102-100000@topperwein.dyndns.org>

On Wed, 7 Nov 2001, Will Yardley wrote:
> Jim Flowers wrote:
>
> > > It would be nice to be able to share /etc/passwd between Linux and
> > > Freebsd -- so some layer of abstraction like an ldap_pam would be
> > > great. I didn't know ldap pam existed. I'll look into it.
>
> > An advantage of Kerberos, perhaps?
>
> we use the same database for multiple platforms by storing everything in
> a mysql database and then using a perl script to create the password
> files and push them onto the machines (and create the passwd db files
> for freebsd of course).
>
> perhaps not as elegant or complicated as ldap or kerberos, but it is
> pretty effective, and pretty secure since scp is used to copy the files
> from the controller machines.

This sounds pretty cool, although you should go to the dsniff home page
and read what the guy has to say about defeating ssh/scp.
--
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

From owner-freebsd-security Thu Nov 8 03:06:39 2001
From: Bart Matthaei
Date: Thu, 8 Nov 2001 12:06:34 +0100
To: freebsd-security@freebsd.org
Subject: Re: reboot,ctrl+alt+del,shutdown
Message-ID: <20011108120634.B965@heresy.dreamflow.nl>
References: <001b01c16814$48a1ea50$22b197ce@ezo.net> <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com>
In-Reply-To: <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com>; from purwa@progs4wealth.com on Thu, Nov 08, 2001 at 01:07:44PM +0700

On Thu, Nov 08, 2001 at 01:07:44PM +0700, Purwa R. Sastro wrote:
> If I wanna set my machine(FreeBSD 3.3-RELEASE), so nobody (also root) can
> take effect with press CTRL+ALT+DEL or reboot command or shutdown command.
> What should script which I set?

I don't think this qualifies as a freebsd security related question.
Please post this sort of stuff to freebsd-questions@freebsd.org

B.

--
Bart Matthaei                                 bart@dreamflow.nl

/* Welcome to my world..
   You just live in it */

From owner-freebsd-security Thu Nov 8 05:28:09 2001
From: "Kevin & Anita Kinsey"
Date: Thu, 8 Nov 2001 07:29:17 -0600
Subject: Fw: Buffer overflow in lpd?
Message-ID: <034101c16859$67c004e0$1e69493f@Kinsey>

from http://icat.nist.gov/icat.cfm?cvename=CAN-2001-0670 :

"Buffer overflow in BSD line printer daemon (in.lpd or lpd) in various
BSD-based operating systems allows remote attackers to execute arbitrary
code via an incomplete print job followed by a request to display the
printer queue."

Was this fixed prior to 4.4-REL? Date on site is "prior to 10/3/2001."
REL was Sept, correct?
From owner-freebsd-security Thu Nov 8 05:41:20 2001
From: Peter Pentchev
Date: Thu, 8 Nov 2001 15:39:16 +0200
To: Kevin & Anita Kinsey
Cc: freebsd-security@freebsd.org
Subject: Re: Fw: Buffer overflow in lpd?
Message-ID: <20011108153916.A67725@straylight.oblivion.bg>
In-Reply-To: <034101c16859$67c004e0$1e69493f@Kinsey>; from k_a_kinsey@netzero.net on Thu, Nov 08, 2001 at 07:29:17AM -0600

On Thu, Nov 08, 2001 at 07:29:17AM -0600, Kevin & Anita Kinsey wrote:
> from http://icat.nist.gov/icat.cfm?cvename=CAN-2001-0670 :
>
> "Buffer overflow in BSD line printer daemon (in.lpd or lpd) in various BSD-based operating systems allows remote attackers to execute arbitrary code via an incomplete print job followed by a request to display the printer queue."
>
> Was this fixed prior to 4.4-REL? Date on site is "prior to 10/3/2001." REL was Sept, correct?

All the information is there at the FreeBSD Project website.
Go to http://www.FreeBSD.org/, follow the Security link, follow
the Security Advisories link, there is a list of advisories.
SA-01:58 is labeled as 'FreeBSD-SA-01:58.lpd', suggesting that
it has something to do with, well, lpd :)

This advisory lists a correction date of 2001-08-30 (FreeBSD 4.3-STABLE)
and states that "[the] base system that will ship with FreeBSD 4.4 does
not contain this problem since it was corrected before the release".

G'luck,
Peter

--
If there were no counterfactuals, this sentence would not have been paradoxical.

From owner-freebsd-security Thu Nov 8 06:56:24 2001
From: Matthew Reimer
Organization: VPOP Technologies, Inc.
Date: Thu, 08 Nov 2001 08:57:18 -0600
To: freebsd-security@freebsd.org
Subject: Re: KAME IPsec on low-end hardware
Message-ID: <3BEA9D4E.83E069EB@vpop.net>

Does compression work with tunnels? If so, could you give an example SPD
that demonstrates this?

Thanks for all your ipsec work!
Matt

Shoichi Sakane wrote:
>
> > I suspect that compression would also affect response times, but
> > omitting:
> >
> > compression_algorithm deflate;
> >
> > from racoon.conf results in a parse error. Does anyone know if
> > compression can be disabled?
>
> "compression_algorithm deflate;" is just information.
> the compression algorithm would not be used when it was
> in the configuration file. when you define ipcomp to the SPD, then
> the compression will be used.
>
> > Also, is there much difference between racoon and isakmpd? AFAICT
> > isakmpd supports dynamic client IP addresses, but that seems to be the
> > only major difference.
>
> racoon can do too.

From owner-freebsd-security Thu Nov 8 08:07:15 2001
From: "jewelryanimations"
Date: Wed, 07 Nov 2001 21:08:57 1700
To: security@freebsd.org
Subject: Holiday Gifts! Cartoon Character Jewelry from Jewelryanimations.com
Message-Id: <1005192537.160@dnvr.uswest.net>

Holiday Gifts! Cartoon Character Jewelry from Jewelryanimations.com
Delightful gifts, delivered right to your door!

Reasonably priced, and absolutely charming character jewelry! Perfect for your office party, "Secret Santa" or stocking stuffers. Disney, Warner Bros., Dr. Seuss, Garfield, Grimmy, and more. Designed and handcrafted in Colorado, jewelryanimations has been setting the standard in Cartoon Character jewelry for more than a decade.

Character Pins, Pendants, & Earrings in 14K, Sterling, & Pewter!

Let us take the stress out of your Holiday season!

Ordering from us is easy! Click the link below to shop. Browse our online store, and use the convenient "shopping cart" to select your purchases. We accept Checks, Money Orders, and Credit Cards (via Paypal). Have your order shipped to you, or specify a recipient and we will ship directly to them! Our flexible shipping options assure you a safe and worry-free shopping experience.

©2001 jewelryanimations.com
From owner-freebsd-security Thu Nov 8 09:05:26 2001
From: Alexey Zakirov
Date: Thu, 8 Nov 2001 20:05:20 +0300 (MSK)
Subject: Re: NIS, rsync, and LDAP Re: sharing /etc/passwd
In-Reply-To: <20011108050109.25500.qmail@web14501.mail.yahoo.com>

On Wed, 7 Nov 2001, Jano Lukac wrote:
> new implementations of the openldap 2 have connections via ssl, or you could
> wrap the old openldap 1 through an stunnel. But a small warning: I've been
> working about a month now trying to figure out how to allow users to change
> passwords, without luck. I went as far as setting up an ldap v3 with

something like a custom passwd(1) program would be pretty trivial.

> pam->ldap->sasl->kerberos, no luck. Additionally, I've recently received word
> that the openldap c-libs have memory leaks (unsure how true this is); there are

They've changed API a bit so any programs must call ldap_memfree after
ldap_first_attribute. Older versions of the OpenLDAP libraries didn't
require that call.
*** WBR, Alexey Zakirov (frank@agava.com)

From owner-freebsd-security Thu Nov 8 10:05:03 2001
From: David Bear
Date: Thu, 08 Nov 2001 10:10:15 -0700 (MST)
To: FreeBSD Security List
Subject: Re: Fw: Buffer overflow in lpd?
In-reply-to: <20011108153916.A67725@straylight.oblivion.bg>

On Thu, 8 Nov 2001, Peter Pentchev wrote:
> Date: Thu, 08 Nov 2001 15:39:16 +0200
> On Thu, Nov 08, 2001 at 07:29:17AM -0600, Kevin & Anita Kinsey wrote:
> > from http://icat.nist.gov/icat.cfm?cvename=CAN-2001-0670 :
> >
> > "Buffer overflow in BSD line printer daemon (in.lpd or lpd) in various BSD-based operating systems allows remote attackers to execute arbitrary code via an incomplete print job followed by a request to display the printer queue."
> >
> > Was this fixed prior to 4.4-REL? Date on site is "prior to 10/3/2001." REL was Sept, correct?
>
> All the information is there at the FreeBSD Project website.
> Go to http://www.FreeBSD.org/, follow the Security link, follow
> the Security Advisories link, there is a list of advisories.
> SA-01:58 is labeled as 'FreeBSD-SA-01:58.lpd', suggesting that
> it has something to do with, well, lpd :)
>
> This advisory lists a correction date of 2001-08-30 (FreeBSD 4.3-STABLE)
> and states that "[the] base system that will ship with FreeBSD 4.4 does
> not contain this problem since it was corrected before the release".
>

As a side note, it is also curious that in 4.4-RELEASE LPRng was NOT
included in the ports directory. /usr/ports make search key=lprng only
found ifhp -- the lprng filter. Anyone know why lprng (the supposedly
more secure lpr) was not included in the ports dist?

From owner-freebsd-security Thu Nov 8 11:09:59 2001
From: Igor Roshchin
Date: Thu, 8 Nov 2001 14:09:41 -0500 (EST)
To: security@freebsd.org
Subject: webalizer ?
Message-Id: <200111081909.fA8J9fT39163@giganda.komkon.org>

Hello!

SuSE announced a vulnerability of webalizer.
(see e.g. BUGTRAQ between Nov 6 and today)

Does somebody know if FreeBSD port of webalizer is vulnerable too,
or it was fixed (if so, when) ?
Thanks,

Igor

From owner-freebsd-security Thu Nov 8 12:12:36 2001
From: setantae
Date: Thu, 8 Nov 2001 20:12:07 +0000
To: questions@freebsd.org, security@freebsd.org
Subject: too many dynamic rules
Message-ID: <20011108201207.GA49594@rhadamanth>

Can't find anything in the archives at MARC, and not sure which list I
should be talking to, so please set followups appropriately if it bothers
you.
For approximately 18 seconds today my firewall went apesh*t (these are all
relevant entries) :

Nov 8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:45 rhadamanth last message repeated 15 times
Nov 8 14:47:46 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:46 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:46 rhadamanth last message repeated 23 times
Nov 8 14:47:47 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:47 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:47 rhadamanth last message repeated 14 times
Nov 8 14:47:48 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:48 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:48 rhadamanth last message repeated 6 times
Nov 8 14:47:49 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:49 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:49 rhadamanth last message repeated 11 times
Nov 8 14:47:50 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:50 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:50 rhadamanth last message repeated 2 times
Nov 8 14:47:51 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:51 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:51 rhadamanth last message repeated 2 times
Nov 8 14:47:53 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:53 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:53 rhadamanth last message repeated 17 times
Nov 8 14:47:59 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:59 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:48:00 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:48:00 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:48:00 rhadamanth last message repeated 2 times
Nov 8 14:48:01 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:48:01 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:48:01 rhadamanth last message repeated 2 times
Nov 8 14:48:02 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:48:02 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:48:02 rhadamanth last message repeated 2 times
Nov 8 14:48:03 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:48:03 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:48:03 rhadamanth last message repeated 2 times

At the time there was only one user logged onto the box, and no clients
behind the firewall - unfortunately I have no idea what I was doing at the
time, although I have been upgrading older ports today (cannot find any
files that were created at the times above though).

This box is a dual piii-866 with 512mb of ram, doesn't do much and has
maxusers set to 128.

The other interesting thing is that although dynamic rules are still being
created (since I can access stuff from another box on the LAN), ipfw -at l
no longer shows them.

I'm sure that a reboot would fix this, but if there is a bug then I'd
rather not do that until I know what information would help to fix it.
My ruleset is very small, so I have attached it.

Basically, what caused this, how do I stop it happening again, and why
doesn't ``ipfw -at l'' show the dynamic rules anymore ?
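The burst above is easier to reason about once syslogd's "last message repeated N times" lines are expanded and the kernel and natd messages are counted per second. This is an added example (Python), not part of Ceri's post or of FreeBSD; the log excerpt is a constructed, shortened copy of the lines above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same shape as the syslog lines in the post
# (the real burst ran 14:47:45 to 14:48:03; this sample is shortened).
SAMPLE_LOG = """\
Nov  8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
Nov  8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov  8 14:47:45 rhadamanth last message repeated 15 times
Nov  8 14:47:46 rhadamanth /kernel: Too many dynamic rules, sorry
Nov  8 14:47:46 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov  8 14:47:46 rhadamanth last message repeated 23 times
Nov  8 14:47:59 rhadamanth /kernel: Too many dynamic rules, sorry
Nov  8 14:47:59 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov  8 14:48:00 rhadamanth sshd[300]: Accepted publickey for ceri from 192.168.10.5
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")

KERNEL_DYN = "/kernel: Too many dynamic rules, sorry"
NATD_FAIL = "failed to write packet back (Permission denied)"


def expand_repeats(lines):
    """Yield (timestamp, host, message) for every event, replacing syslogd's
    'last message repeated N times' with N copies of the preceding message.
    Without this step the natd failure count is short by the repeat totals."""
    prev = None
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line; ignore it
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
        rep = REPEAT_RE.match(msg)
        if rep and prev is not None:
            # syslogd collapsed consecutive identical messages; restore them
            for _ in range(int(rep.group("n"))):
                yield ts, host, prev
            continue
        prev = msg
        yield ts, host, msg


def per_second_counts(log_text):
    """Per timestamp: kernel 'Too many dynamic rules' refusals and natd
    reinjection failures. Every other message is ignored."""
    counts = defaultdict(lambda: {"kernel_dyn": 0, "natd_fail": 0})
    for ts, _host, msg in expand_repeats(log_text.splitlines()):
        if msg == KERNEL_DYN:
            counts[ts]["kernel_dyn"] += 1
        elif msg.startswith("natd[") and NATD_FAIL in msg:
            counts[ts]["natd_fail"] += 1
    return dict(counts)


def summarize(log_text):
    """Reduce the burst to its span, totals, the worst second, and how many
    seconds saw both a kernel refusal and a natd write failure."""
    counts = per_second_counts(log_text)
    seconds = sorted(counts)  # lexical order is chronological within one day
    correlated = [s for s in seconds if counts[s]["kernel_dyn"] and counts[s]["natd_fail"]]
    return {
        "first": seconds[0] if seconds else None,
        "last": seconds[-1] if seconds else None,
        "kernel_dyn": sum(c["kernel_dyn"] for c in counts.values()),
        "natd_fail": sum(c["natd_fail"] for c in counts.values()),
        "peak_natd_fail": max((c["natd_fail"] for c in counts.values()), default=0),
        "correlated_seconds": len(correlated),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the firewall itself the ceiling and the live number of dynamic rules are the sysctls net.inet.ip.fw.dyn_max and net.inet.ip.fw.dyn_count (not shown in the post); watching dyn_count approach dyn_max is the direct check for the condition these messages report.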
Thanks,

Ceri
--
keep a mild groove on

Content-Disposition: attachment; filename="ipfw.rules"

## Deny fragments
add 00105 deny all from any to any frag
#### 00110 Unprotect the LAN interface
add 00110 allow all from any to any via dc0
#### 00200 Stop RFC 1918 traffic
#add 00201 pass udp from 172.16.0.0/12 to any 68 in via ed0
#add 00201 pass udp from 172.17.39.254 to any 68 in via ed0
add 00202 deny log all from any to 10.0.0.0/8
add 00203 deny log all from 10.0.0.0/8 to any
add 00204 deny log all from any to 172.16.0.0/12
add 00205 deny log all from 172.16.0.0/12 to any
#add 00206 deny log all from 192.168.0.0/16 to any in via ed0
#add 00207 deny log all from any to 192.168.0.0/16 in via ed0
add 00206 divert natd all from any to any via ed0
add 00207 pass all from 192.168.10.0/24 to any via ed0
add 00208 pass all from any to 192.168.10.0/24 via ed0
add 00209 deny log all from any to 192.168.0.0/16 via ed0
add 00210 deny log all from 192.168.0.0/16 to any via ed0
#### 00400 Check state and allow tcp connections created by us.
add 00400 check-state
add 00401 allow tcp from any to any out keep-state
#add 00402 deny log tcp from any to any in established
add 00403 allow udp from any to any 53 keep-state
add 00404 allow udp from any to any out
##NTP
add 00421 allow udp from 130.88.200.98 123 to any
add 00422 allow udp from 130.88.203.12 123 to any
#### 00500 DHCP stuff
add 00501 allow udp from 62.252.32.3 to any 68 in via ed0
#### 00600 ICMP stuff
# path-mtu
add 00600 allow icmp from any to any icmptypes 3
# source quench
add 00601 allow icmp from any to any icmptypes 4
#ping
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
#traceroute
add 00604 allow icmp from any to any icmptypes 11 in
#### 00700 Services we want to make available.
add 00701 allow tcp from any to any 22
add 00702 allow tcp from 194.168.4.200 to any 113
#add 00703 allow tcp from any to any 21 out
#### 65000 And deny everything else.
add 65007 deny log ip from any to any

From owner-freebsd-security Thu Nov 8 12:20:07 2001
From: Rami AlZaid
Date: Thu, 8 Nov 2001 15:19:52 -0500
To: FreeBSD Security List
Subject: Re: Fw: Buffer overflow in lpd?
Message-ID: <20011108201952.GA41784@alzaid.net>
References: <20011108153916.A67725@straylight.oblivion.bg>
X-Operating-System: FreeBSD 4.4-STABLE

On 11/08/01 10:10AM or some time around that time, David Bear wrote:
>
> As a side note, it is also curious that in 4.4-RELEASE LPRng was NOT
> included in the ports directory. /usr/ports make search key=lprng only
> found ifhp -- the lprng filter.
> Anyone know why lprng (the supposedly
> more secure lpr) was not included in the ports dist?
>

It is included in the ports. It's at /usr/ports/sysutils/LPRng

--
Rami AlZaid * ICQ # 1071118
WebPages: www.alzaid.com * www.wooyeah.com
Phone: (305) 385-5126 * Cell: (786) 374-7509

From owner-freebsd-security Thu Nov 8 14:16:04 2001
From: "Anthony Atkielski"
Date: Thu, 8 Nov 2001 23:15:52 +0100
To: "alexus"
Subject: Re: SecureCRT and SSH2 on FreeBSD
Message-ID: <00dd01c168a2$f1590be0$0a00000a@atkielski.com>
References: <016d01c1661d$5ac99690$0a00000a@atkielski.com> <015101c1661f$31c61910$0d00a8c0@alexus>

I was missing the sshgen step. I did that, and it works now.
----- Original Message -----
From: "alexus"
To: "Anthony Atkielski" ;
Sent: Monday, November 05, 2001 18:27
Subject: Re: SecureCRT and SSH2 on FreeBSD

> check your secure crt configuration
>
> most likely you specify to use public key instead of password
>
> ----- Original Message -----
> From: "Anthony Atkielski"
> To:
> Sent: Monday, November 05, 2001 12:14 PM
> Subject: SecureCRT and SSH2 on FreeBSD
>
> > Can anyone assist me with the exact configuration for getting SecureCRT (on
> > Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to work okay,
> > and--mysteriously--SSH2 seems to work against my Web server (4.2 release) on the
> > Net, but I can't connect to my own FreeBSD 4.3 server at home; all I get is a
> > message saying
> >
> > Public-key authentication with the SSH2 server for user root failed. Please
> > verify username and public/private key pair.
> >
> > Do I have to run anything to make SSH2 work, or is sshd sufficient? I have
> > telnetd disabled. I have PermitRootLogin set to without-password. root can log
> > in under SSH1, but nobody can log in under SSH2.
From owner-freebsd-security Thu Nov 8 14:32:42 2001
From: Sheldon Hearn
Date: Fri, 09 Nov 2001 00:33:28 +0200
To: Bart Matthaei
Cc: freebsd-security@freebsd.org
Subject: Re: reboot,ctrl+alt+del,shutdown
In-reply-to: Your message of "Thu, 08 Nov 2001 12:06:34 +0100." <20011108120634.B965@heresy.dreamflow.nl>
Message-ID: <3050.1005258808@axl.seasidesoftware.co.za>

On Thu, 08 Nov 2001 12:06:34 +0100, Bart Matthaei wrote:
> On Thu, Nov 08, 2001 at 01:07:44PM +0700, Purwa R. Sastro wrote:
> > If I wanna set my machine(FreeBSD 3.3-RELEASE), so nobody (also root) can
> > take effect with press CTRL+ALT+DEL or reboot command or shutdown command.
> > What should script which I set?
>
> I don't think this qualifies as a freebsd security related question.
> Please post this sort of stuff to freebsd-questions@freebsd.org

Actually, it doesn't belong on freebsd-questions either, because it's
answered in the FAQ.

Ciao,
Sheldon.
From owner-freebsd-security Thu Nov 8 15:23:07 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail2.uniserve.com (mail2.uniserve.com [204.244.156.10]) by hub.freebsd.org (Postfix) with ESMTP id 70B7637B418 for ; Thu, 8 Nov 2001 15:23:04 -0800 (PST) Received: from landons.vpp-office.uniserve.ca ([216.113.198.10] helo=pirahna.uniserve.com) by mail2.uniserve.com with esmtp (Exim 3.13 #1) id 161yVg-000KwY-00; Thu, 08 Nov 2001 15:23:00 -0800 Message-Id: <5.1.0.14.0.20011108152203.02deaca0@pop.uniserve.com> X-Sender: landons@pop.uniserve.com X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Thu, 08 Nov 2001 15:22:59 -0800 To: Bart Matthaei , freebsd-security@freebsd.org From: Landon Stewart Subject: Re: reboot,ctrl+alt+del,shutdown In-Reply-To: <20011108120634.B965@heresy.dreamflow.nl> References: <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com> <001b01c16814$48a1ea50$22b197ce@ezo.net> <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 12:06 PM 11/8/2001 +0100, Bart Matthaei wrote:

>On Thu, Nov 08, 2001 at 01:07:44PM +0700, Purwa R. Sastro wrote:
> > If I wanna set my machine (FreeBSD 3.3-RELEASE) so nobody (also root) can
> > take effect with pressing CTRL+ALT+DEL or the reboot command or the shutdown command,
> > what script should I set?
>
>I don't think this qualifies as a FreeBSD security related question.
>Please post this sort of stuff to freebsd-questions@freebsd.org
>
>B.

Although it's answered in the FAQ already, it's definitely security related. Physical security is one of the most overlooked security issues.
From owner-freebsd-security Thu Nov 8 18:59:05 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns.tsl.ru (ns.tsl.ru [195.161.154.76]) by hub.freebsd.org (Postfix) with ESMTP id 4041B37B405 for ; Thu, 8 Nov 2001 18:58:56 -0800 (PST) Received: from hold.crystall.local (dial-up-26.tsl.ru [195.161.155.90]) by ns.tsl.ru (8.9.3/8.9.3) with ESMTP id LAA05321 for ; Fri, 9 Nov 2001 11:58:41 +0900 Received: from c1110101.crystall.local (c1110101.crystall.local [192.168.1.253]) by hold.crystall.local (8.11.6/8.11.6) with ESMTP id fA90c7n01960 for ; Fri, 9 Nov 2001 09:38:07 +0900 (YAKT) (envelope-from kulemzinn@mail.ru) Date: Fri, 9 Nov 2001 09:35:12 +0900 From: Igor Kulemzin X-Mailer: The Bat! (v1.45) Personal Organization: Amursky Crystall X-Priority: 3 (Normal) Message-ID: <15890110562.20011109093512@mail.ru> To: freebsd-security@freebsd.org Subject: smbfs strange works Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="----------945E13D29BF7890" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I've used the smbfs-1.4 port for mounting Windows NT shares. I mounted an NT share on the directory /var/ftp/pub/.0. Then I fetched files using ftp from the FreeBSD 4.4-STABLE server. When I fetch files, I get some files with data from other slices; I get data from random disk areas. When I copy files from the NT share to the /var/ftp/pub/.0 filesystem, I fetch normal files. The contents of the files change when I remount /var/ftp/pub/.0.

Is this a security issue?
- --
Friday, November 09, 2001 7:57:53 AM

Best regards,
Igor Kulemzin
E-mail: kulemzinn@mail.ru

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i

iQA/AwUBO+ujV13xahg666svEQJFFgCdFrvgQnRLP1INumjfmNd/c3I2+OkAoJl4
op4ovS+Jt26OmI+Bmd0nnQwZ
=di2N
-----END PGP SIGNATURE-----

[Three base64-encoded application/octet-stream attachments followed; the raw base64 is omitted here. Decoded, they show what the report describes. avp.set.true, the good copy, is a Kaspersky AVP database set: a list of .avc file names (kernel.avc, krnunp.avc, krnexe.avc, krnmacro.avc, krnjava.avc, krnengn.avc, krndos.avc, smart.avc, avp0110.avc, script.avc, macro.avc, trojan.avc, backdoor.avc, unpack.avc, up011005.avc, up011012.avc, up011019.avc, up011102.avc, up011026.avc, daily.avc, extr-cab.avc, extract.avc, ca.avc, mail.avc, malware.avc, eicar.avc) followed by a checksum line. avp.set.false, the same file as fetched through the smbfs mount, is unrelated binary data (a few small integers and pointer-sized values, the IP address 192.168.1.1, a timestamp) followed by the tail of a stock FreeBSD /etc/hosts file (the RFC 1918 comment block, "::1 localhost localhost.my.domain myname.my.domain", "127.0.0.1 localhost ...") and then NUL padding. up011005.avc, as fetched, is the FreeBSD machine's own /etc/fstab: "/dev/ad0s1b none swap sw 0 0", "/dev/ad0s1a / ufs rw 1 1", /usr, /var, /var/mail, /var/spool and /var/ftp/pub on /dev/ad0s1d..h, "/dev/acd0c /cdrom cd9660 ro,noauto 0 0", "linproc /proc linprocfs rw 0 0" and "//SCHEDULERUSER@NORT/DISTRIB /var/ftp/pub/.0 smbfs ro,noauto,-d555,-f444 0 0", again NUL-padded, with fragments of some program's data segment (pointers, a version string, a getopt option string and a "%s, version %s" format) near the end. In other words the bytes served for the smbfs files came from the local machine's memory or disk, not from the NT share.]

From owner-freebsd-security Thu Nov 8 23:13:02 2001 Delivered-To: freebsd-security@freebsd.org Received: from dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id E6AB937B417 for ; Thu, 8 Nov 2001 23:12:56 -0800
(PST) Received: (qmail 5459 invoked by uid 1000); 9 Nov 2001 07:12:55 -0000 Date: Fri, 9 Nov 2001 08:12:55 +0100 From: Bart Matthaei To: freebsd-security@freebsd.org Subject: Re: reboot,ctrl+alt+del,shutdown Message-ID: <20011109081255.A5441@heresy.dreamflow.nl> Reply-To: Bart Matthaei References: <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com> <001b01c16814$48a1ea50$22b197ce@ezo.net> <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com> <20011108120634.B965@heresy.dreamflow.nl> <5.1.0.14.0.20011108152203.02deaca0@pop.uniserve.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5.1.0.14.0.20011108152203.02deaca0@pop.uniserve.com>; from landons@uniserve.com on Thu, Nov 08, 2001 at 03:22:59PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Nov 08, 2001 at 03:22:59PM -0800, Landon Stewart wrote:
> Although it's answered in the FAQ already, it's definitely security
> related. Physical security is one of the most overlooked security issues.

If someone has physical access to a machine, stopping him from rebooting with ctrl+alt+del won't do squat. He can always flip the reset button, or unplug the cable. So I don't think disabling ctrl+alt+del is relevant in security. Therefore, it's not a freebsd-security question. Imho, that is.

Rgds,

B.

--
Bart Matthaei bart@dreamflow.nl /* Welcome to my world..
You just live in it */

From owner-freebsd-security Thu Nov 8 23:26:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from warez.scriptkiddie.org (uswest-dsl-142-38.cortland.com [209.162.142.38]) by hub.freebsd.org (Postfix) with ESMTP id 1CB2E37B417 for ; Thu, 8 Nov 2001 23:26:46 -0800 (PST) Received: from [192.168.69.11] (unknown [192.168.69.11]) by warez.scriptkiddie.org (Postfix) with ESMTP id 9A0D562D01; Thu, 8 Nov 2001 23:26:45 -0800 (PST) Date: Thu, 8 Nov 2001 23:26:43 -0800 (PST) From: Lamont Granquist To: Bart Matthaei Cc: Subject: Re: reboot,ctrl+alt+del,shutdown In-Reply-To: <20011109081255.A5441@heresy.dreamflow.nl> Message-ID: <20011108232136.M5084-100000@coredump.scriptkiddie.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

If you extend security to include security from accidental mistakes then this most certainly does become appropriate. It prevents MCSEs from hitting ctrl-alt-del when they see the "Login: " prompt.

On Fri, 9 Nov 2001, Bart Matthaei wrote:
> On Thu, Nov 08, 2001 at 03:22:59PM -0800, Landon Stewart wrote:
> > Although it's answered in the FAQ already, it's definitely security
> > related. Physical security is one of the most overlooked security issues.
>
> If someone has physical access to a machine, stopping him from
> rebooting with ctrl+alt+del won't do squat. He can always flip the
> reset button, or unplug the cable. So I don't think disabling
> ctrl+alt+del is relevant in security. Therefore, it's not a
> freebsd-security question. Imho, that is.
From owner-freebsd-security Fri Nov 9 4:19:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from atkielski.com (atkielski.com [161.58.232.69]) by hub.freebsd.org (Postfix) with ESMTP id 1E07537B421 for ; Fri, 9 Nov 2001 04:19:18 -0800 (PST) Received: from contactdish (ASt-Lambert-101-2-1-14.abo.wanadoo.fr [193.251.59.14]) by atkielski.com (8.11.6) id fA9CIUZ93395; Fri, 9 Nov 2001 13:18:30 +0100 (CET) Message-ID: <01b301c16918$be1763a0$0a00000a@atkielski.com> From: "Anthony Atkielski" To: Subject: FreeBSD and i386 VM hardware Date: Fri, 9 Nov 2001 13:19:06 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

To what extent does FreeBSD actually use all the fancy virtual-memory features of latter-day i386 processors? As I recall (it has been several years since I looked into it), the Intel microprocessors provide some very elaborate features for management of virtual memory, I/O operations, and security, allowing total hardware isolation of untrusted processes. How much of this is used by FreeBSD? I know that UNIX is supposed to isolate users from each other, but how much of this is done in hardware, and how much of it is simulated in software? Very tight security usually requires a lot of interdependency between the hardware and the OS, and since UNIX is supposed to be a multiplatform OS, I'm wondering how much hardware support for security is actually used by the system.
From owner-freebsd-security Fri Nov 9 4:22:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from atkielski.com (atkielski.com [161.58.232.69]) by hub.freebsd.org (Postfix) with ESMTP id B679837B421 for ; Fri, 9 Nov 2001 04:22:08 -0800 (PST) Received: from contactdish (ASt-Lambert-101-2-1-14.abo.wanadoo.fr [193.251.59.14]) by atkielski.com (8.11.6) id fA9CLPr93698; Fri, 9 Nov 2001 13:21:25 +0100 (CET) Message-ID: <01ba01c16919$2637e220$0a00000a@atkielski.com> From: "Anthony Atkielski" To: References: <20011108232136.M5084-100000@coredump.scriptkiddie.org> Subject: Re: reboot,ctrl+alt+del,shutdown Date: Fri, 9 Nov 2001 13:22:01 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

That's why I did this yesterday. In MS-DOS days, Ctrl-Alt-Del did boot the machine, and so you learned to avoid it. But on Windows NT, it's the secure attention signal, used to log in and out of the system (and to get the system's attention if something goes terribly wrong), so you are using it regularly. The first time I did this on FreeBSD and the system instantly booted, I was quite surprised to say the least. I've fixed that now. In this case, it doesn't stop malicious persons, but it prevents a lot of accidents. Had there been 200 people on the machine when I pressed Ctrl-Alt-Del, I would have been very unhappy.
----- Original Message ----- From: "Lamont Granquist" To: "Bart Matthaei" Cc: Sent: Friday, November 09, 2001 08:26 Subject: Re: reboot,ctrl+alt+del,shutdown

> If you extend security to include security from accidental mistakes then
> this most certainly does become appropriate. It prevents MCSEs from
> hitting ctrl-alt-del when they see the "Login: " prompt.
>
> On Fri, 9 Nov 2001, Bart Matthaei wrote:
> > On Thu, Nov 08, 2001 at 03:22:59PM -0800, Landon Stewart wrote:
> > > Although it's answered in the FAQ already, it's definitely security
> > > related. Physical security is one of the most overlooked security issues.
> >
> > If someone has physical access to a machine, stopping him from
> > rebooting with ctrl+alt+del won't do squat. He can always flip the
> > reset button, or unplug the cable. So I don't think disabling
> > ctrl+alt+del is relevant in security. Therefore, it's not a
> > freebsd-security question. Imho, that is.

From owner-freebsd-security Fri Nov 9 4:58:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from rfnj.org (rfnj.org [216.239.237.194]) by hub.freebsd.org (Postfix) with ESMTP id 9FE1937B417 for ; Fri, 9 Nov 2001 04:58:13 -0800 (PST) Received: from megalomaniac.biosys.net (megalomaniac.rfnj.org [216.239.237.200]) by rfnj.org (Postfix) with ESMTP id BBA46136AE; Fri, 9 Nov 2001 07:57:14 +0000 (GMT) Message-Id: <5.1.0.14.0.20011109075933.09030e08@rfnj.org> X-Sender: asym@rfnj.org X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Fri, 09 Nov 2001 08:00:33 -0500 To: Bart Matthaei , freebsd-security@freebsd.org From: Allen Landsidel Subject: Re: reboot,ctrl+alt+del,shutdown In-Reply-To: <20011109081255.A5441@heresy.dreamflow.nl> References:
<5.1.0.14.0.20011108152203.02deaca0@pop.uniserve.com> <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com> <001b01c16814$48a1ea50$22b197ce@ezo.net> <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com> <20011108120634.B965@heresy.dreamflow.nl> <5.1.0.14.0.20011108152203.02deaca0@pop.uniserve.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 08:12 AM 11/9/2001 +0100, you wrote:
>If someone has physical access to a machine, stopping him from
>rebooting with ctrl+alt+del won't do squat. He can always flip the
>reset button, or unplug the cable. So I don't think disabling
>ctrl+alt+del is relevant in security. Therefore, it's not a
>freebsd-security question. Imho, that is.

What about if they have access to just the keyboard and the machine is in a locked cabinet? Would you consider it a valid security question then?
From owner-freebsd-security Fri Nov 9 5:08:04 2001 Delivered-To: freebsd-security@freebsd.org Received: from dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id BD8CF37B626 for ; Fri, 9 Nov 2001 05:07:57 -0800 (PST) Received: (qmail 6551 invoked by uid 1000); 9 Nov 2001 13:07:55 -0000 Date: Fri, 9 Nov 2001 14:07:55 +0100 From: Bart Matthaei To: freebsd-security@freebsd.org Subject: Re: reboot,ctrl+alt+del,shutdown Message-ID: <20011109140755.C6511@heresy.dreamflow.nl> Reply-To: Bart Matthaei References: <5.1.0.14.0.20011108152203.02deaca0@pop.uniserve.com> <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com> <001b01c16814$48a1ea50$22b197ce@ezo.net> <001401c1681b$b37b4310$ab5b96ca@kotamabunga.com> <20011108120634.B965@heresy.dreamflow.nl> <5.1.0.14.0.20011108152203.02deaca0@pop.uniserve.com> <20011109081255.A5441@heresy.dreamflow.nl> <5.1.0.14.0.20011109075933.09030e08@rfnj.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <5.1.0.14.0.20011109075933.09030e08@rfnj.org>; from all@biosys.net on Fri, Nov 09, 2001 at 08:00:33AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, Nov 09, 2001 at 08:00:33AM -0500, Allen Landsidel wrote:
> What about if they have access to just the keyboard and the machine is in a
> locked cabinet? Would you consider it a valid security question then?

1. It's answered in the FAQ
2. Disabling ctrl+alt+del won't stop any malicious user. It will only stop accidents from happening.

B.

--
Bart Matthaei bart@dreamflow.nl /* Welcome to my world..
You just live in it */

From owner-freebsd-security Fri Nov 9 5:23:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from shikima.mine.nu (pc1-card3-0-cust77.cdf.cable.ntl.com [62.252.49.77]) by hub.freebsd.org (Postfix) with ESMTP id E259A37B428 for ; Fri, 9 Nov 2001 05:23:51 -0800 (PST) Received: from rasputin by shikima.mine.nu with local (Exim 3.33 #1) id 162BeN-0001c5-00; Fri, 09 Nov 2001 13:24:51 +0000 Date: Fri, 9 Nov 2001 13:24:51 +0000 From: Rasputin To: Anthony Atkielski Cc: security@freebsd.org Subject: Re: FreeBSD and i386 VM hardware Message-ID: <20011109132451.A6163@shikima.mine.nu> Reply-To: Rasputin References: <01b301c16918$be1763a0$0a00000a@atkielski.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <01b301c16918$be1763a0$0a00000a@atkielski.com>; from anthony@atkielski.com on Fri, Nov 09, 2001 at 01:19:06PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

* Anthony Atkielski [011109 12:25]:
> To what extent does FreeBSD actually use all the fancy virtual-memory features
> of latter-day i386 processors? As I recall (it has been several years since I
> looked into it), the Intel microprocessors provide some very elaborate features
> for management of virtual memory, I/O operations, and security, allowing total
> hardware isolation of untrusted processes. How much of this is used by FreeBSD?
> I know that UNIX is supposed to isolate users from each other, but how much of
> this is done in hardware, and how much of it is simulated in software?
> Very tight security usually requires a lot of interdependency between the hardware
> and the OS, and since UNIX is supposed to be a multiplatform OS, I'm wondering
> how much hardware support for security is actually used by the system.

Not much of a hardware guy myself, but I think (from the Daemon Book) most of the UNIX model works via the ability of the kernel to use protected mode features of the CPU, while limiting access to them through system calls to userland (i.e. non-privileged CPU instruction-based) processes. Hence the need for i386 CPUs or higher.

Other than that, most of the isolation of processes from each other is based on context switching and (software-based) process structures.

I'm sure I read that about 97% of the BSD source tree was platform-independent, the rest being things like MMU hardware-specific code.

Any corrections/clarifications to the above are welcome..

--
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Fri Nov 9 7:24:00 2001 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id B796C37B417 for ; Fri, 9 Nov 2001 07:23:58 -0800 (PST) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.4/8.11.3) with ESMTP id fA9FNuW09164; Fri, 9 Nov 2001 10:23:56 -0500 (EST) Date: Fri, 9 Nov 2001 10:23:56 -0500 (EST) From: Ralph Huntington To: Bart Matthaei Cc: Subject: Re: reboot,ctrl+alt+del,shutdown In-Reply-To: <20011109140755.C6511@heresy.dreamflow.nl> Message-ID: <20011109101749.E7523-100000@mohegan.mohawk.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> 1. It's answered in the FAQ

Agreed, and the querent should have been directed there.

> 2. Disabling ctrl+alt+del won't stop any malicious user. It will only
> stop accidents from happening.

I disagree. If the reset button and the power switch have been disabled and the power cord is not accessible and/or the machine is locked in a cabinet (but the keyboard is not), then disabling ctrl-alt-del could well prevent malicious rebooting, especially if the malicious one is a casual miscreant rather than a "pro". This applies in particular for paranoid installations where it is likely a policy matter.

Ergo, this is a security question, at least in my mind. However, it is addressed in the FAQ and the querent should have been directed there.

From owner-freebsd-security Fri Nov 9 7:29:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id AE2A037B41A for ; Fri, 9 Nov 2001 07:29:31 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id fA9FTU408846 for ; Fri, 9 Nov 2001 09:29:30 -0600 (CST) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id JAA22564 for ; Fri, 9 Nov 2001 09:29:30 -0600 (CST) Message-ID: <3BEBF636.7AF24D99@centtech.com> Date: Fri, 09 Nov 2001 09:28:54 -0600 From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: reboot,ctrl+alt+del,shutdown References: <20011109101749.E7523-100000@mohegan.mohawk.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID:
Stop the madness! :) I think it's been drilled into the ground now..

> > > 1. It's answered in the FAQ
> >
> > Agreed, and the querent should have been directed there.
> >
> > > 2. Disabling cntrl+alt+del won't stop any malicious user. It will only
> > > stop accidents from happening.
> >
> > I disagree. If the reset button and the power switch have been disabled
> > and the power cord is not accessible and/or the machine is locked in a
> > cabinet (but the keyboard is not), then disabling ctrl-alt-del could well
> > prevent malicious rebooting, especially if the malicious one is a casual
> > miscreant rather than a "pro". This applies in particular for paranoid
> > installations where it is likely a policy matter.
> >
> > Ergo, this is a security question, at least in my mind. However, it is
> > addressed in the FAQ and the querent should have been directed there.
> >

-- 
-------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology
No single raindrop believes it is to blame for the flood.
-------------------------------------------------------------

From owner-freebsd-security Fri Nov 9 8:41:26 2001
Message-Id: <200111091638.fA9Gc7S14887@thistle.bogs.org>
To: security@FreeBSD.ORG
X-To: Bart Matthaei
Subject: The middle ground? (Was: reboot,ctrl+alt+del,shutdown)
In-reply-to: Your message of "Fri, 09 Nov 2001 14:07:55 +0100." <20011109140755.C6511@heresy.dreamflow.nl>
Reply-To: gkshenaut@ucdavis.edu
Date: Fri, 09 Nov 2001 08:38:06 -0800
From: Greg Shenaut

In (IIRC) BSD/OS, ctl-alt-delete caused a query to appear on the console asking whether to reboot. It seems to me that if the concern is to prevent accidents, such a capability might be more useful than complete disabling of the ctl-alt-delete reboot. If the concern is also to prevent malicious reboots, then perhaps the response to such a query might include some sort of trivial (e.g., compiled in or sysctl'ed into the kernel) password checking.
Greg Shenaut

From owner-freebsd-security Fri Nov 9 14:36:10 2001
Message-Id: <5.1.0.14.0.20011109173353.00b00c48@rfnj.org>
Date: Fri, 09 Nov 2001 17:38:29 -0500
To: freebsd-security@FreeBSD.ORG
From: Allen Landsidel
Subject: Re: reboot,ctrl+alt+del,shutdown
In-Reply-To: <20011109140755.C6511@heresy.dreamflow.nl>

At 02:07 PM 11/9/2001 +0100, Bart Matthaei wrote:
> > >2. Disabling cntrl+alt+del won't stop any malicious user. It will
> > >only stop accidents from happening.
> (blahblah stop this thread blahblah)

If the keyboard is the only means of physical access then it certainly can stop a malicious user.. a malicious user who, say... wants to reboot into single user mode, which, if you were not aware, does not require a password.
Anyway, I'll heed the advice of the joker that suggested this topic had been beaten into the ground now; Is the answer in the FAQ? Yes. Is it possibly a security-related question? Absolutely. I can be satisfied with a draw.

From owner-freebsd-security Fri Nov 9 16:12:58 2001
Date: Fri, 9 Nov 2001 19:13:21 -0500 (EST)
From: Chris BeHanna
Reply-To: Chris BeHanna
Subject: Re: reboot,ctrl+alt+del,shutdown
In-Reply-To: <5.1.0.14.0.20011109173353.00b00c48@rfnj.org>
Message-ID: <20011109191222.U35109-100000@topperwein.dyndns.org>

On Fri, 9 Nov 2001, Allen Landsidel wrote:

> At 02:07 PM 11/9/2001 +0100, Bart Matthaei wrote:
> > >2. Disabling cntrl+alt+del won't stop any malicious user. It will
> > >only happening.
> > (blahblah stop this thread blahblah)
>
> If the keyboard is the only means of physical access then it certainly can
> stop a malicious user.. a malicious user who say... wants to reboot into
> single user mode, which if you were not aware, does not require a password.

It does if you set the console to "insecure" in /etc/ttys.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
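The /etc/ttys point in the last reply, as an added example that is not part of the thread: a small POSIX sh audit that reads a ttys(5)-style file and reports whether the console entry carries the "secure" or "insecure" flag. The two ttys fragments are constructed samples, and the helper names console_mode and audit_ttys are mine.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the console line in an
# /etc/ttys-style file is flagged "insecure", the setting that makes FreeBSD's
# init ask for the root password before starting a single-user shell.
# ttys(5) field order: name  getty  type  status-flags (on/off, secure/insecure, ...)

# Constructed sample: the stock layout with the console left "secure".
SAMPLE_TTYS_SECURE='# name  getty                           type    status  comments
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv1   "/usr/libexec/getty Pc"         cons25  on  secure'

# Constructed sample: the same file with the console hardened to "insecure".
SAMPLE_TTYS_INSECURE='console none                            unknown off insecure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure'

# console_mode: read ttys text on stdin and print one of
#   secure | insecure | unspecified (console line without either flag) | missing
# Comment lines are skipped; the flag is searched among the status fields so a
# trailing window= or group= entry does not confuse the check.
console_mode() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "console" {
            found = 1; mode = "unspecified"
            for (i = 4; i <= NF; i++)
                if ($i == "secure" || $i == "insecure") mode = $i
        }
        END { print (found ? mode : "missing") }
    '
}

# audit_ttys TTYS_TEXT: print a verdict; return 0 only when the console is insecure.
audit_ttys() {
    mode=$(printf '%s\n' "$1" | console_mode)
    case "$mode" in
        insecure) echo "OK: console is insecure; single-user mode asks for the root password"; return 0 ;;
        secure)   echo "WARN: console is secure; single-user mode gives a root shell with no password"; return 1 ;;
        *)        echo "WARN: console flag is $mode; review the console line in ttys(5)"; return 1 ;;
    esac
}

# Demo on the constructed samples; on a live host use: audit_ttys "$(cat /etc/ttys)"
audit_ttys "$SAMPLE_TTYS_SECURE" || true
audit_ttys "$SAMPLE_TTYS_INSECURE"
```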