From owner-freebsd-security Mon Mar 18 7: 3:37 2002
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 7015037B42A; Mon, 18 Mar 2002 07:00:04 -0800 (PST)
Received: (from jedgar@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g2IF04C32485; Mon, 18 Mar 2002 07:00:04 -0800 (PST) (envelope-from security-advisories@freebsd.org)
Date: Mon, 18 Mar 2002 07:00:04 -0800 (PST)
Message-Id: <200203181500.g2IF04C32485@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: jedgar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Reply-To: security-advisories@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:18                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          zlib double-free

Category:       core, ports
Module:         zlib
Announced:      2002-03-18
Credits:        Matthias Clasen
                Owen Taylor
Affects:        All released versions of FreeBSD
                FreeBSD 4.5-STABLE prior to the correction date
                Various ports using or including zlib
Corrected:      2002-02-22 02:48:40 UTC (RELENG_4)
                2002-02-23 00:14:28 UTC (RELENG_4_5)
                2002-02-23 00:15:19 UTC (RELENG_4_4)
                2002-02-23 00:15:50 UTC (RELENG_4_3)
CVE:            CAN-2002-0059
FreeBSD only:   NO

I.   Background

zlib is a compression library used by numerous applications to provide
data compression/decompression routines.

II.  Problem Description

A programming error in zlib may cause segments of dynamically
allocated memory to be released more than once (double-freed).
If an attacker is able to pass a specially-crafted block of invalid
compressed data to a program that includes zlib, the program's
attempt to decompress the crafted data may cause the zlib routines
to attempt to free memory multiple times.

Unlike some implementations of malloc(3)/free(3), the malloc(3) and
free(3) routines used in FreeBSD (aka phkmalloc, written by
Poul-Henning Kamp), are not vulnerable to this type of bug. From
the author:

    Most mallocs keep their housekeeping data right next to the
    allocated range. This gives rise to all sorts of unpleasant
    situations if programs stray outside the dotted line, free(3)
    things twice or free(3) modified pointers.

    phkmalloc(3) does not store housekeeping next to allocated data,
    and in particular it has code that detects and complains about
    exactly this kind of double free.

When attempting to double-free an area of memory, phkmalloc will
issue a warning:

    progname in free(): error: chunk is already free

and may call abort(3) if the malloc flag 'A' is used.

III. Impact

If an attacker is able to pass a specially-crafted block of invalid
compressed data to an application that utilizes zlib, the attempt to
decompress the data may cause incorrect operation of the application,
including possibly crashing the application. Also, the malloc
implementation will issue warnings and, if the `A' malloc option is
used, cause the application to abort(3). In short, an attacker may
cause a denial of service in applications utilizing zlib.

IV.  Workaround

To prevent affected programs from aborting, remove the 'A' from
the malloc flags. To check which malloc flags are in use, issue the
following commands:

  # ls -l /etc/malloc.conf
  # echo $MALLOC_OPTIONS

A nonexistent /etc/malloc.conf or MALLOC_OPTIONS environment variable
means that no malloc flags are in use. See the malloc(3) man page for
more information.

V.   Solution

[FreeBSD 4.x base system]

1) Upgrade your vulnerable system to 4.5-STABLE or to one of the
RELENG_4_4 or RELENG_4_5 security branches dated after the respective
correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

  # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.patch
  # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply to all FreeBSD 4.x versions.

  # cd /usr/src
  # patch -p < /path/to/patch
  # cd lib/libz
  # make depend && make all install

Then rebuild and reinstall your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system with the new kernel for the changes to take effect.

[ports]

Various ports may statically link zlib or contain their own versions
of zlib that have not been corrected by updating the FreeBSD libz.
Efforts are underway to identify and correct these ports.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                            Revision
  Branch
- -------------------------------------------------------------------------
src/lib/libz/infblock.c
  RELENG_4                                              1.1.1.4.6.1
  RELENG_4_5                                            1.1.1.4.12.1
  RELENG_4_4                                            1.1.1.4.10.1
  RELENG_4_3                                            1.1.1.4.8.1
src/sys/net/zlib.c
  RELENG_4                                              1.10.2.1
  RELENG_4_5                                            1.10.8.1
  RELENG_4_4                                            1.10.6.1
  RELENG_4_3                                            1.10.4.1
- -------------------------------------------------------------------------

VII. References

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0059 to this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iQCVAwUBPJXXsFUuHi5z0oilAQGjqwP/dozUEpfv3LqUE/uGcG9wzGwmhdAthjKH
vLmKwoHjJE9v69W007cm4KWEYiF67GDkwYa+mBze+tG3lJknFUP7A3+U7ooGlatt
5wxngLIzl9i5bM9x2xeQmzue1xG3e+6j7xANG8O8a9aO08iDc/oSZN+4O3kkJhzf
7an7sq5rGQw=
=P7az
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 18 8: 7:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from pike.epylon.com (mail03.epylon.com [63.93.9.99]) by hub.freebsd.org (Postfix) with ESMTP id 365D837B400 for ; Mon, 18 Mar 2002 08:07:42 -0800 (PST)
Received: from [192.168.4.56] (sf-gw.epylon.com [63.93.9.98]) by pike.epylon.com (Postfix) with ESMTP id 3413359218 for ; Mon, 18 Mar 2002 08:07:41 -0800 (PST)
Date: Mon, 18 Mar 2002 08:16:11 -0800
From: Jason DiCioccio
Reply-To: "Jason DiCioccio (reply)"
To: security@freebsd.org
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-ID: <2918868125.1016439371@[192.168.4.56]>
In-Reply-To: <200203181500.g2IF04W32492@freefall.freebsd.org>
References: <200203181500.g2IF04W32492@freefall.freebsd.org>
X-Mailer: Mulberry/2.1.2 (Win32)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="==========2918888573=========="
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm a bit confused now. So FreeBSD 4.5-RELEASE is vulnerable? I am a bit
unclear on this as I thought phkmalloc was not vulnerable to the
double-free bug. Or does this only affect binaries statically linked with
older revisions of libc and Linux binaries? That's what I would think
anyway.

Cheers,
-JD-

--On Monday, March 18, 2002 7:00 AM -0800 FreeBSD Security Advisories wrote:

> [FreeBSD-SA-02:18.zlib quoted in full; see the advisory above]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32)
Comment: For info see http://www.gnupg.org

iD8DBQE8lhLP01CVlgQ2fAgRAnGPAJ9/0lU5KlA+8MdFMHpwFZVjaCwXDwCgnIG4
N9YkmHsHQ9H8Z2BmzdR6kt8=
=v9HD
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 18 8:20:43 2002
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 95C8B37B402 for ; Mon, 18 Mar 2002 08:20:35 -0800 (PST)
Received: by peitho.fxp.org (Postfix, from userid 1501) id 16B5C13667; Mon, 18 Mar 2002 11:20:35 -0500 (EST)
Date: Mon, 18 Mar 2002 11:20:34 -0500
From: Chris Faulhaber
To: "Jason DiCioccio (reply)"
Cc: security@freebsd.org
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-ID: <20020318162034.GA96424@peitho.fxp.org>
References: <200203181500.g2IF04W32492@freefall.freebsd.org> <2918868125.1016439371@[192.168.4.56]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="2fHTh5uZTiUOsy+g"
Content-Disposition: inline
In-Reply-To: <2918868125.1016439371@[192.168.4.56]>
User-Agent: Mutt/1.3.24i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 18, 2002 at 08:16:11AM -0800, Jason DiCioccio wrote:
> I'm a bit confused now. So FreeBSD 4.5-RELEASE is vulnerable? I

Yes, any software that uses libz is vulnerable to the double-free
bug (but not necessarily exploitable).

> am a bit unclear on this as I thought phkmalloc was not vulnerable
> to the double-free bug. Or does this only affect binaries
> statically linked with older revisions of libc and Linux binaries?
>

Unlike some other malloc(3) implementations, phkmalloc is not believed
to be exploitable. However, the side effects of the double-free bug
in libz may include an application crashing due to the decompression
of invalid data, warnings from phkmalloc, and applications abort(3)'ing
if the 'A' malloc option is used.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iEYEARECAAYFAjyWE9IACgkQObaG4P6BelDBwQCgklAvrRfuOkFq0nOeYZ/KafPL
vJIAniEEHArnzUk4X9Sj1MZtBAS05zgM
=BXJi
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 18 8:44:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from surtsey.pausd.palo-alto.ca.us (surtsey.pausd.palo-alto.ca.us [199.80.128.50]) by hub.freebsd.org (Postfix) with ESMTP id 5F91437B405 for ; Mon, 18 Mar 2002 08:44:30 -0800 (PST)
Received: from localhost (cgrant@localhost) by surtsey.pausd.palo-alto.ca.us (8.11.1/8.11.1) with ESMTP id g2IGf9A15490 for ; Mon, 18 Mar 2002 08:41:09 -0800 (PST) (envelope-from cgrant@pausd.palo-alto.ca.us)
X-Authentication-Warning: surtsey.pausd.palo-alto.ca.us: cgrant owned process doing -bs
Date: Mon, 18 Mar 2002 08:41:09 -0800 (PST)
From: Christopher Grant
To: freebsd-security@freebsd.org
Subject: subscribe
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

subscribe cgrant@pausd.palo-alto.ca.us

- Christopher Grant
System Administrator
cgrant@pausd.palo-alto.ca.us
650-329-3819
Palo-Alto Unified School District
www.pausd.palo-alto.ca.us

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 18 8:52:56 2002
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org
(peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 9E4A137B41B for ; Mon, 18 Mar 2002 08:52:45 -0800 (PST)
Received: by peitho.fxp.org (Postfix, from userid 1000) id 9579D13668; Mon, 18 Mar 2002 11:52:39 -0500 (EST)
Date: Mon, 18 Mar 2002 11:52:39 -0500
From: Chris Faulhaber
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-ID: <20020318165239.GA36452@peitho.fxp.org>
References: <2918868125.1016439371@[192.168.4.56]> <200203181500.g2IF04W32492@freefall.freebsd.org> <2918868125.1016439371@[192.168.4.56]> <4.3.2.7.2.20020318093713.0325b420@localhost>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="FCuugMFkClbJLl1L"
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20020318093713.0325b420@localhost>
User-Agent: Mutt/1.3.24i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Mar 18, 2002 at 09:45:16AM -0700, Brett Glass wrote:
> It sounds as if, perhaps, there ought to be a FreeBSD 4.5.1 release
> that handles the zlib bug, the OpenSSH hole, and anything else that
> has come up since 4.5-RELEASE.
>

You mean like the 4.5 security branch (RELENG_4_5)?

Perhaps we could get snapshots.jp.freebsd.org to build a weekly
RELENG_4_[345] snapshot...

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iEYEARECAAYFAjyWG1cACgkQObaG4P6BelC/AwCgjDIhYsTAzYJGM3bjWBxl0ud2
UJsAn0KxmrcnLEw1E/GltGSk0KZK4rHJ
=gzsT
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 18 10:53:50 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail12.svr.pol.co.uk (mail12.svr.pol.co.uk [195.92.193.215]) by hub.freebsd.org (Postfix) with ESMTP id 85BAB37B404 for ; Mon, 18 Mar 2002 10:53:23 -0800 (PST)
Received: from [195.92.67.23] (helo=mail18.svr.pol.co.uk) by mail12.svr.pol.co.uk with esmtp (Exim 3.35 #1) id 16n2G2-0000Wv-00 for freebsd-security@freebsd.org; Mon, 18 Mar 2002 18:53:22 +0000
Received: from modem-3417.bonobo.dialup.pol.co.uk ([217.134.61.89] helo=dedog.argus-systems.co.uk) by mail18.svr.pol.co.uk with esmtp (Exim 3.35 #1) id 16n2FN-0000wl-00 for freebsd-security@freebsd.org; Mon, 18 Mar 2002 18:53:14 +0000
Received: (from fergus@localhost) by dedog.argus-systems.co.uk (8.11.6/8.11.1) id g2IIYhP01567 for freebsd-security@freebsd.org; Mon, 18 Mar 2002 18:34:43 GMT (envelope-from fergus)
Date: Mon, 18 Mar 2002 18:34:15 +0000
From: Fergus Cameron
To: freebsd-security@freebsd.org
Subject: Re: Is PortSentry really safe to use?
Message-ID: <20020318183415.E1000@dedog.argus-systems.co.uk>
Mail-Followup-To: freebsd-security@freebsd.org
References: <2332.213.112.58.232.1016226432.squirrel@phucking.kicks-ass.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2332.213.112.58.232.1016226432.squirrel@phucking.kicks-ass.org>; from z3l3zt@phucking.kicks-ass.org on Fri, Mar 15, 2002 at 10:07:12PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Surely it wouldn't be possible to spoof an attack 'through' a gateway?
Would the gateway not reject the traffic as invalid? Otherwise it would
pass traffic apparently from itself but received on the wrong interface.

??

I realise the principle of the problem still applies, but would this
specific application work?

On 15.03-22:07, Jesper Wallin wrote:
> Hey..
>
> Let's say I want to hide all my services by changing the standard ports on
> all servers and run PortSentry. I used to run my system like that before, but
> yesterday a friend of mine was talking about a little security issue.
>
> Let's say we run a system like that on www.blah.com; what happens if I run a
> traceroute on it and fake a portscan from his default gateway? Sure, he can
> add the default gateway to the portsentry.ignore file, but then I just take
> the box before that and the one before that and the... and so on.
>
> Isn't PortSentry more of a problem than a help, then? I'm not sure if all
> of this works, but I know it's possible to fake portscans with software like
> "rain" and other "custom packet" programs.
>
> Jesper Wallin (aka Z3l3zT)
> "it's better to be a lame hacker than a hacked lamer"
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Fergus Cameron          Tel: +447779236010
                        Fax: +447980681864

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 18 10:59:40 2002
Delivered-To: freebsd-security@freebsd.org
Received: from pike.epylon.com (mail03.epylon.com [63.93.9.99]) by hub.freebsd.org (Postfix) with ESMTP id 7574637B404 for ; Mon, 18 Mar 2002 10:59:24 -0800 (PST)
Received: from [192.168.4.56] (sf-gw.epylon.com [63.93.9.98]) by pike.epylon.com (Postfix) with ESMTP id 38C4459211; Mon, 18 Mar 2002 10:59:24 -0800 (PST)
Date: Mon, 18 Mar 2002 11:07:58 -0800
From: Jason DiCioccio
Reply-To: "Jason DiCioccio (reply)"
To: Fergus Cameron , freebsd-security@freebsd.org
Subject: Re: Is PortSentry really safe to use?
Message-ID: <2929174843.1016449678@[192.168.4.56]>
In-Reply-To: <20020318183415.E1000@dedog.argus-systems.co.uk>
References: <20020318183415.E1000@dedog.argus-systems.co.uk>
X-Mailer: Mulberry/2.1.2 (Win32)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="==========2929185348=========="
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It would probably be safe to block based on established TCP connections;
however, I would be wary of UDP, ICMP and non-established TCP sessions.
Sound good?
Also, generally I wouldn't think the gateway would help for inbound
spoofed packets, unless they were spoofing something that was obviously
fake like 127.0.0.1, 192.168.*, etc.

Cheers,
-JD-

--On Monday, March 18, 2002 6:34 PM +0000 Fergus Cameron wrote:

> [Fergus Cameron's message, including Jesper Wallin's original, quoted in full; see above]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32)
Comment: For info see http://www.gnupg.org

iD8DBQE8ljsO01CVlgQ2fAgRAq1cAKCzYx8q0K/J7/f7y2QnH67Qbh8mWwCghSWf
hbN8NFaZfhSFLWzMeekF3yM=
=XoOy
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 18 11:13:51 2002
Delivered-To: freebsd-security@freebsd.org
Received: from hawk.dcu.ie (mail.dcu.ie [136.206.1.5]) by hub.freebsd.org (Postfix) with ESMTP id 5FD5E37B400 for ; Mon, 18 Mar 2002 11:13:44 -0800 (PST)
Received: from prodigy.redbrick.dcu.ie (136.206.15.10) by hawk.dcu.ie (6.0.040) id 3C8DB81200033100 for freebsd-security@freebsd.org; Mon, 18 Mar 2002 19:13:43 +0000
Received: by prodigy.redbrick.dcu.ie (Postfix, from userid 1023) id 464F7DA3F; Mon, 18 Mar 2002 19:13:43 +0000 (GMT)
Date: Mon, 18 Mar 2002 19:13:43 +0000
From: Philip Reynolds
To: freebsd-security@freebsd.org
Subject: Re: Is PortSentry really safe to use?
Message-ID: <20020318191343.B4432@prodigy.Redbrick.DCU.IE>
References: <2332.213.112.58.232.1016226432.squirrel@phucking.kicks-ass.org> <20020318183415.E1000@dedog.argus-systems.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020318183415.E1000@dedog.argus-systems.co.uk>; from cameron@argus-systems.com on Mon, Mar 18, 2002 at 06:34:15PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Fergus Cameron's [cameron@argus-systems.com] 43 lines of wisdom included:
> surely it wouldn't be possible to spoof an attack 'through' a gateway ?
> would the gateway not reject the traffic as invalid ? otherwise it
> would pass traffic apparently from itself but received on the wrong
> interface.
>
> ? ?
>
> i realise the principle of the problem still applies - but would this
> specific application work ?

A good comparison of Port Sentry and Snort is at:

http://www.linux.ie/articles/portsentryandsnortcompared.php

Phil.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 18 13: 5:44 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id F0F5837B402 for ; Mon, 18 Mar 2002 13:05:35 -0800 (PST)
Received: from lariat.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA26847 for ; Mon, 18 Mar 2002 14:05:29 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms and other "malware."
Message-Id: <4.3.2.7.2.20020318140507.00e58dc0@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 18 Mar 2002 14:05:15 -0700
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:20 AM 3/18/2002, Chris Faulhaber wrote:

>Yes, any software that uses libz is vulnerable to the double-free
>bug (but not necessarily exploitable).

Great. This comes just as I'm about to set up some new systems.... Not to
mention the fact that I'll have to patch some old ones. And even if I load
4.5-STABLE, my confidence that I'll get a system that's immune to the bug
is a bit shaky. Many apps in the ports/packages collection may use zlib,
leaving them vulnerable to a DoS at best and exploitation at worst.

So, I'm wondering: What's the best way, as I load up the new systems, to
ensure that I'm not installing ANY code that was statically linked with
the old, buggy zlib?

At the same time, I also need to patch or otherwise work around the OpenSSH
local root hole (I spent lots of time rebuilding OpenSSH on existing
machines). 4.5-STABLE should cover this, but I always dislike loading
between-release snapshots. You never know when there's a hidden bug in
-STABLE that'll be fixed the next day or week.

It sounds as if, perhaps, there ought to be a FreeBSD 4.5.1 release that
handles the zlib bug, the OpenSSH hole, and anything else that has come up
since 4.5-RELEASE.
--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 18 13: 6:18 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id D506837B427 for ; Mon, 18 Mar 2002 13:05:53 -0800 (PST)
Received: from lariat.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA26863 for ; Mon, 18 Mar 2002 14:05:49 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms and other "malware."
Message-Id: <4.3.2.7.2.20020318140524.00e5bd60@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 18 Mar 2002 14:05:41 -0700
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:52 AM 3/18/2002, Chris Faulhaber wrote:

>You mean like the 4.5 security branch (RELENG_4_5)?

I don't use CVS on production machines (nor should one do so; it's not a
good idea to rebuild a production machine's code nightly). What I really
need is a stream of patches -- or, failing that, builds that I can install
seamlessly as updates. It'd be nice to track ports and packages, too, as
the majority of security holes actually occur there.
--Brett

From owner-freebsd-security Mon Mar 18 13:25: 2 2002
Date: Mon, 18 Mar 2002 13:24:45 -0800
From: Erick Mechler
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-ID: <20020318132445.G74681@techometer.net>
References: <4.3.2.7.2.20020318140524.00e5bd60@nospam.lariat.org>
In-Reply-To: <4.3.2.7.2.20020318140524.00e5bd60@nospam.lariat.org>; from Brett Glass on Mon, Mar 18, 2002 at 02:05:41PM -0700

:: >You mean like the 4.5 security branch (RELENG_4_5)?
::
:: I don't use CVS on production machines (nor should one
:: do so; it's not a good idea to rebuild a production machine's
:: code nightly).

There used to be binary patches for security releases, at least there were
before 4.5-RELEASE. Apparently that's not happening anymore? I didn't see
any mention of binary patches in the most recent advisories.
Cheers - Erick

From owner-freebsd-security Mon Mar 18 13:36: 9 2002
From: Nate Williams
Message-ID: <15510.23957.153589.130354@caddis.yogotech.com>
Date: Mon, 18 Mar 2002 14:35:17 -0700
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
In-Reply-To: <4.3.2.7.2.20020318140524.00e5bd60@nospam.lariat.org>
References: <4.3.2.7.2.20020318140524.00e5bd60@nospam.lariat.org>
Reply-To: nate@yogotech.com (Nate Williams)

> >You mean like the 4.5 security branch (RELENG_4_5)?
>
> I don't use CVS on production machines (nor should one
> do so;

This I disagree with.

> it's not a good idea to rebuild a production machine's
> code nightly).

This I agree with. Please explain why using CVS == building code nightly?

> What I really need is a stream of patches --

RELENG_4_5 is a stream of buildable patches.
Nothing gets committed to that tree unless it works (barring unforeseen
errors that even occur in patches from Real (tm) vendors).

> or, failing that, builds that I can install seamlessly
> as updates.

CVsup RELENG_4_5.

Nate

From owner-freebsd-security Mon Mar 18 15:24:38 2002
Date: Mon, 18 Mar 2002 18:19:17 -0500
From: Steve Shorter
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-ID: <20020318181917.B66347@nomad.lets.net>
References: <4.3.2.7.2.20020318140507.00e58dc0@nospam.lariat.org>
In-Reply-To: <4.3.2.7.2.20020318140507.00e58dc0@nospam.lariat.org>; from brett@lariat.org on Mon, Mar 18, 2002 at 02:05:15PM -0700

On Mon, Mar 18, 2002 at 02:05:15PM -0700, Brett Glass wrote:
> It sounds as if, perhaps, there ought to be a FreeBSD 4.5.1 release
> that handles the zlib bug, the OpenSSH hole, and anything else that
> has come up since 4.5-RELEASE.

What is lacking in FreeBSD is a 4.5-RELEASE with security fixes AND bug
fixes.

-STABLE includes "new material" which can be unstable.
And -SECURITY only has "security fixes" but not bug fixes in general, since
the last RELEASE.

-steve

From owner-freebsd-security Mon Mar 18 15:49:51 2002
Message-Id: <5.1.0.14.0.20020318173139.0537c438@pop3s.schulte.org>
Date: Mon, 18 Mar 2002 17:48:23 -0600
To: Steve Shorter, Brett Glass
From: Christopher Schulte
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Cc: security@FreeBSD.ORG
In-Reply-To: <20020318181917.B66347@nomad.lets.net>
References: <4.3.2.7.2.20020318140507.00e58dc0@nospam.lariat.org>

At 06:19 PM 3/18/2002 -0500, Steve Shorter wrote:
> What is lacking in FreeBSD is a 4.5-RELEASE with
>security fixes AND bug fixes.
>
> -STABLE includes "new material" which can be unstable.
>And -SECURITY only has "security fixes" but not bug fixes
>in general, since the last RELEASE.

RELENG_4_X was (still is) open to critical bug fixes, but generally it's
used for critical *security* related bug fixes.
The problem is (at least) twofold as I see it:

1) Because bug fixes are generally addressed in -STABLE with the forward
looking goal of releasing a new -RELEASE snapshot some time in the future,
to backport the same bug fix to a -RELEASE codebase (essentially what
RELENG_4_X is) can be a lot of work depending on how much the RELENG_4_X
branch differs from the current -STABLE. Kernel dependencies, lib changes,
and the like can hinder the process and even introduce unforeseen bugs back
into the system.

2) How to draw a line in the sand and decide what will be committed to
RELENG_4_X as a fix, and what will require a tracking of -STABLE or the
next -RELEASE. The last thing I want is a second -STABLE branch with lots
of code updates, thus decreasing the overall stability.

With this in mind, only security fixes and the ***most critical*** bugs
should be addressed with RELENG_4_X. Minimize code change, maximize
stability.

> -steve

--
Christopher Schulte
http://www.schulte.org/
Do not un-munge my @nospam.schulte.org email address. This address is valid.

From owner-freebsd-security Mon Mar 18 15:59:15 2002
Date: Mon, 18 Mar 2002 15:58:54 -0800
From: "Crist J. Clark"
To: Fergus Cameron
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Is PortSentry really safe to use?
Message-ID: <20020318155854.C60554@blossom.cjclark.org>
References: <2332.213.112.58.232.1016226432.squirrel@phucking.kicks-ass.org> <20020318183415.E1000@dedog.argus-systems.co.uk>
In-Reply-To: <20020318183415.E1000@dedog.argus-systems.co.uk>; from cameron@argus-systems.com on Mon, Mar 18, 2002 at 06:34:15PM +0000
X-URL: http://people.freebsd.org/~cjc/

On Mon, Mar 18, 2002 at 06:34:15PM +0000, Fergus Cameron wrote:
> surely it wouldn't be possible to spoof an attack 'through' a gateway ?
> would the gateway not reject the traffic as invalid ? otherwise it
> would pass traffic apparently from itself but received on the wrong
> interface.

Most gateways don't give a hoot about the source address of a packet. If
the destination address is one of its own, it passes it up the stack. If
the destination address is not one of its own, it forwards it as
appropriate. Who cares what the source address is?

Yes, access lists (i.e. firewall rules) can easily stop this kind of thing,
but if you don't add the rules (and many, many, many people, institutions,
and companies do not) the traffic will go right through.

--
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Mon Mar 18 16: 5:22 2002
Date: Mon, 18 Mar 2002 19:00:06 -0500
From: Steve Shorter
To: Christopher Schulte
Cc: Brett Glass, security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-ID: <20020318190006.A66422@nomad.lets.net>
References: <4.3.2.7.2.20020318140507.00e58dc0@nospam.lariat.org> <20020318181917.B66347@nomad.lets.net> <5.1.0.14.0.20020318173139.0537c438@pop3s.schulte.org>
In-Reply-To: <5.1.0.14.0.20020318173139.0537c438@pop3s.schulte.org>; from schulte+freebsd@nospam.schulte.org on Mon, Mar 18, 2002 at 05:48:23PM -0600

On Mon, Mar 18, 2002 at 05:48:23PM -0600, Christopher Schulte wrote:
> At 06:19 PM 3/18/2002 -0500, Steve Shorter wrote:
> > What is lacking in FreeBSD is a 4.5-RELEASE with
> >security fixes AND bug fixes.
> >
> > -STABLE includes "new material" which can be unstable.
> >And -SECURITY only has "security fixes" but not bug fixes
> >in general, since the last RELEASE.
>
> RELENG_4_X was (still is) open to critical bug fixes, but generally it's
> used for critical *security* related bug fixes. The problem is (at least)
> twofold as I see it:
>
> 2) How to draw a line in the sand and decide what will be committed to
> RELENG_4_X as a fix, and what will require a tracking of -STABLE or the
> next -RELEASE. The last thing I want is a second -STABLE branch with lots
> of code updates, thus decreasing the overall stability.

I agree mostly with your points, but is it not possible to

1) Eliminate new code, i.e. as in -STABLE development, but have bug fixes
for only existing code.

2) Eliminate "bugs in general" as the basis for a secure system. Otherwise
your "secure" branch remains buggy and therefore less secure, since many
security failures originate in buggy code.

3) A -SECURITY branch that contains buggy filesystem etc ... code is simply
less desirable and less usable. For example I intended to stay with
4.3-SECURITY at one time but am continually forced to upgrade because of
unfixed bugs in -SECURITY, though I don't want to.

-steve

From owner-freebsd-security Mon Mar 18 19:27:13 2002
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Dirk-Willem van Gulik
Cc: "Louis A.
Mamakos", Gunther Schadow, freebsd-security@FreeBSD.ORG, PicoBSD List
Subject: Re: Smartcard device support?
From: Dag-Erling Smorgrav
Date: 19 Mar 2002 04:27:06 +0100

Dirk-Willem van Gulik writes:
> I found them working just fine. However - the IDE requires java comm
> support - which I could not get to work on FreeBSD (a year ago).

Works great, but you need to run it as root (or possibly change some device
node permissions) which might not be such a hot idea. I've used it to
program a Tini (iButton-based computer with Ethernet & RS232 connectors)

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Mar 18 20:56:20 2002
In-Reply-To: <20020318165239.GA36452@peitho.fxp.org>
References: <4.3.2.7.2.20020318093713.0325b420@localhost> <20020318165239.GA36452@peitho.fxp.org>
From:
Makoto Matsushita
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Date: Tue, 19 Mar 2002 13:56:10 +0900
Message-Id: <20020319135610H.matusita@jp.FreeBSD.org>

jedgar> You mean like the 4.5 security branch (RELENG_4_5)? Perhaps
jedgar> we could get snapshots.jp.freebsd.org to build a weekly
jedgar> RELENG_4_[345] snapshot...

There has been a plan to do that since the RELENG_4_3 branch was born, but
it is not yet implemented. Any requests are always welcome; email the
contact address, buildadm@jp.FreeBSD.org.

FYI, snapshots.jp.FreeBSD.org was in trouble; services are stopped due to
the disk server's failure. I hope it'll be back in several hours.

--
- Makoto `MAR' Matsushita

From owner-freebsd-security Tue Mar 19 2:42:59 2002
Date: Tue, 19 Mar 2002 13:42:31 +0300
From: "Nickolay A. Kritsky"
Reply-To: "Nickolay A.Kritsky"
Message-ID: <785082402.20020319134231@internethelp.ru>
To: security@FreeBSD.ORG
Subject: TCP connections on broadcast address - why no advisory?
Hello, freebsd-security.

On Bugtraq I have read a report by Crist J. Clark about TCP connections on
broadcast address. It can be found at
http://online.securityfocus.com/archive/1/262733 . In this advisory I've
read the following:

    I committed changes to FreeBSD 5-CURRENT on February 25th (CVS
    revision 1.148) and to 4-STABLE on February 28th (revision
    1.107.2.21). After discussion with the FreeBSD security-officer@ team,
    these changes will not be incorporated into the RELENG_4_{3,4,5}
    security-fix branches nor will an advisory be released.

Why will no advisory be released? What if I wasn't subscribed to BUGTRAQ?
How would I know about this bug? Maybe I missed something. Sorry then.

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Tue Mar 19 7:10:18 2002
Date: Tue, 19 Mar 2002 15:11:37 GMT
Message-Id: <200203191511.g2JFBbG55810@jhs.muc.de>
To: freebsd-security@freebsd.org
Subject: ports 1021 1022 1023 & 587 ?
From: "Julian Stacey"
Reply-To: "Julian Stacey"
Organization: Vector Systems Ltd - Munich Unix & Internet consultancy
X-Web: http://bim.bsn.com/~jhs/ http://bsd.bsn.com/~jhs/

On a 4.5-RELEASE firewall ports 1021 1022 1023 are shown open by
/usr/ports/security/portscanner, but not listed in /etc/services.

Are they daemons doing auto decrement allocation from 1024 ?
( I'm using ipfw firewall, not using diverts (yet), not using X server,
am using various other daemons inc. nfs amd lpd timed whod etc)

Should I block some 1023 port range with ipfw on non {localhost & local
ethernet} interfaces ? What range ?

submission=587 is also open.

Could someone please remind me the name of a command to back trace the
port to whatever's opened it ? Would it be a good idea to add a commented
hint at entry 1023 of /etc/services ?

Julian Stacey Munich Unix (FreeBSD, Linux etc) Independent Consultant
jhs@bim.bsn.com Free software: http://bim.bsn.com/~jhs/free/
Your smoking = my allergic headache ! Try snuff !

From owner-freebsd-security Tue Mar 19 7:16:36 2002
Message-ID: <001b01c1cf58$458facc0$3800a8c0@DAVE>
From: "Dave Raven"
To: "Julian Stacey", freebsd-security@freebsd.org
References: <200203191511.g2JFBbG55810@jhs.muc.de>
Subject: Re: ports 1021 1022 1023 & 587 ?
Date: Tue, 19 Mar 2002 17:10:40 +0200

sockstat

----- Original Message -----
From: "Julian Stacey"
To: freebsd-security@freebsd.org
Sent: Tuesday, March 19, 2002 5:11 PM
Subject: ports 1021 1022 1023 & 587 ?

> On a 4.5-RELEASE firewall ports 1021 1022 1023 are shown open by
> /usr/ports/security/portscanner, but not listed in /etc/services.
>
> Are they daemons doing auto decrement allocation from 1024 ?
> ( I'm using ipfw firewall, not using diverts (yet), not using X server,
> am using various other daemons inc. nfs amd lpd timed whod etc)
>
> Should I block some 1023 port range with ipfw on non {localhost & local
> ethernet} interfaces ? What range ?
>
> submission=587 is also open.
>
> Could someone please remind me the name of a command to back trace
> the port to whatever's opened it ? Would it be a good idea to add
> a commented hint at entry 1023 of /etc/services ?
>
> Julian Stacey Munich Unix (FreeBSD, Linux etc) Independent Consultant
> jhs@bim.bsn.com Free software: http://bim.bsn.com/~jhs/free/
> Your smoking = my allergic headache ! Try snuff !
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 19 7:17:40 2002
Message-Id: <5.1.0.14.0.20020319091502.01b33c50@pop3s.schulte.org>
Date: Tue, 19 Mar 2002 09:16:04 -0600
To: "Julian Stacey", freebsd-security@freebsd.org
From: Christopher Schulte
Subject: Re: ports 1021 1022 1023 & 587 ?
In-Reply-To: <200203191511.g2JFBbG55810@jhs.muc.de>

At 03:11 PM 3/19/2002 +0000, Julian Stacey wrote:
>Could someone please remind me the name of a command to back trace
>the port to whatever's opened it ?

sockstat or /usr/ports/sysutils/lsof are designed for just that!

>Julian Stacey Munich Unix (FreeBSD, Linux etc) Independent
>Consultant
>jhs@bim.bsn.com Free software: http://bim.bsn.com/~jhs/free/
> Your smoking = my allergic headache ! Try snuff !

--
Christopher Schulte
http://www.schulte.org/
Do not un-munge my @nospam.schulte.org email address. This address is valid.
From owner-freebsd-security Tue Mar 19 7:56:17 2002
Date: Tue, 19 Mar 2002 09:56:11 -0600
From: "Jacques A. Vidrine"
To: "Nickolay A. Kritsky"
Cc: security@FreeBSD.ORG
Subject: Re: TCP connections on broadcast address - why no advisory?
Message-ID: <20020319155611.GB44569@hellblazer.nectar.cc>
References: <785082402.20020319134231@internethelp.ru>
In-Reply-To: <785082402.20020319134231@internethelp.ru>
X-Url: http://www.nectar.cc/

On Tue, Mar 19, 2002 at 01:42:31PM +0300, Nickolay A. Kritsky wrote:
> Hello, freebsd-security.
>
> On Bugtraq I have read a report by Crist J. Clark about TCP
> connections on broadcast address. It can be found at
> http://online.securityfocus.com/archive/1/262733 . In this advisory
> I've read the following:
>
>
> I committed changes to FreeBSD 5-CURRENT on February 25th (CVS
> revision 1.148) and to 4-STABLE on February 28th (revision
> 1.107.2.21). After discussion with the FreeBSD security-officer@ team,
> these changes will not be incorporated into the RELENG_4_{3,4,5}
> security-fix branches nor will an advisory be released.
>
>
> Why will no advisory be released?

Because the fix will not be incorporated into the security fix branches,
and in general we don't make changes to those branches without an
advisory.
It was not incorporated into the security fix branches, because this is
more a theoretical problem rather than a real risk. As with the weak IS
versus strong IS debate, it seems that only systems with already broken
security policies would be affected. In other words, I believe this bug
affects none of our user community.

This doesn't mean that Crist's post to BUGTRAQ is not interesting --- it
is, and well-written, too! --- it just didn't pass the taste test for an
important security fix.

> What if I wasn't subscribed to
> BUGTRAQ? How would I know about this bug? Maybe I missed something.
> Sorry then.

How do you know about any bugs?

Cheers,
--
Jacques A. Vidrine
http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Tue Mar 19 7:57:16 2002
Date: Wed, 20 Mar 2002 03:56:37 +1200 (NZST)
From: Andrew McNaughton
To: Julian Stacey
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ports 1021 1022 1023 & 587 ?
In-Reply-To: <200203191511.g2JFBbG55810@jhs.muc.de>
Message-ID: <20020320035312.G68403-100000@a2>

On Tue, 19 Mar 2002, Julian Stacey wrote:

> On a 4.5-RELEASE firewall ports 1021 1022 1023 are shown open by
> /usr/ports/security/portscanner, but not listed in /etc/services.
>
> Are they daemons doing auto decrement allocation from 1024 ?
> ( I'm using ipfw firewall, not using diverts (yet), not using X server,
> am using various other daemons inc. nfs amd lpd timed whod etc)
>
> Should I block some 1023 port range with ipfw on non {localhost & local
> ethernet} interfaces ? What range ?

If you are not sure what is running on the port, then why on earth is the
port allowed through the firewall at present? Block everything coming in by
default, and then open up only the ports you need.

Andrew

From owner-freebsd-security Tue Mar 19 8:31:50 2002
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: "Julian Stacey"
Cc: freebsd-security@freebsd.org
Subject: Re: ports 1021 1022 1023 & 587 ?
References: <200203191511.g2JFBbG55810@jhs.muc.de>
From: Dag-Erling Smorgrav
Date: 19 Mar 2002 17:31:40 +0100
In-Reply-To: <200203191511.g2JFBbG55810@jhs.muc.de>

"Julian Stacey" writes:
> On a 4.5-RELEASE firewall ports 1021 1022 1023 are shown open by
> /usr/ports/security/portscanner, but not listed in /etc/services.
>
> Are they daemons doing auto decrement allocation from 1024 ?
> ( I'm using ipfw firewall, not using diverts (yet), not using X server,
> am using various other daemons inc. nfs amd lpd timed whod etc)

The portmapper allocates ports for NFS and other RPC services starting at
1023 and counting downwards. Use 'rpcinfo -p' to get a list of active RPC
services and their port allocations.

Why on earth are you running nfs, amd and lpd on a firewall?
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Mar 19 8:39:57 2002
Date: Tue, 19 Mar 2002 08:39:46 -0800
From: Kris Kennaway
To: Steve Shorter
Cc: Christopher Schulte, Brett Glass, security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-ID: <20020319083946.C96243@xor.obsecurity.org>
References: <4.3.2.7.2.20020318140507.00e58dc0@nospam.lariat.org> <20020318181917.B66347@nomad.lets.net> <5.1.0.14.0.20020318173139.0537c438@pop3s.schulte.org> <20020318190006.A66422@nomad.lets.net>
In-Reply-To: <20020318190006.A66422@nomad.lets.net>; from steve@nomad.lets.net on Mon, Mar 18, 2002 at 07:00:06PM -0500
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"

On Mon, Mar 18, 2002 at 07:00:06PM -0500, Steve Shorter wrote:
> I agree mostly with your points, but is it not possible to
> [...]

In theory, but it would be *significantly* more work for the developers,
and so we don't do it that way. I don't expect that's going to change in
the near future.
Kris

From owner-freebsd-security Tue Mar 19 9:24:22 2002
Message-ID: <15511.29748.267352.263727@horsey.gshapiro.net>
Date: Tue, 19 Mar 2002 09:24:04 -0800
From: Gregory Neil Shapiro
To: "Julian Stacey"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ports 1021 1022 1023 & 587 ?
In-Reply-To: <200203191511.g2JFBbG55810@jhs.muc.de>
References: <200203191511.g2JFBbG55810@jhs.muc.de>
X-Mailer: VM 7.00 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid

jhs> submission=587 is also open.

sendmail uses this port for initial submission. If you don't want to
use it, you can turn it off in your sendmail configuration.
If you don't already have your own .mc file, create one with:

    cd /etc/mail
    make

Then edit it:

    cd /etc/mail
    vi `hostname`.mc

And add this line in the section with the other FEATURE() lines:

    FEATURE(`no_default_msa')dnl

Then install the new configuration and restart sendmail:

    cd /etc/mail
    make install
    make restart

From owner-freebsd-security Tue Mar 19 10:31:36 2002
From: "Geminai International Travels"
Subject: Good news, Songkran Day [virus free]
Date: Wed, 20 Mar 2002 01:24:57 +0700
Reply-To: "Geminai International Travels"
Message-Id: <20020319182522.B26FC37B6A5@hub.freebsd.org>
Content-Type: multipart/mixed; boundary="= Multipart Boundary 0320020124"

This is a multipart MIME message.

--= Multipart Boundary 0320020124
Content-Type: text/html; charset="ISO-8859-11"
Content-Transfer-Encoding: 7bit
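After rebuilding sendmail.cf as Gregory Shapiro's message above describes, a practitioner will want to confirm that the port 587 listener is really gone before restarting. The following is an added example (not code from that message or from sendmail) that parses the generated sendmail.cf's DaemonPortOptions lines and reports which ports will be opened; it assumes the standard "O DaemonPortOptions=..." option syntax, and the two sample configurations are constructed.

```python
"""Report the TCP listeners a generated sendmail.cf will open.

Added example: parses 'O DaemonPortOptions=...' lines (sendmail's standard
option syntax) so the effect of FEATURE(`no_default_msa') can be verified
on the generated file before 'make restart'.
"""

import re

# Service names sendmail commonly uses in Port=; assumed to be the only two
# that appear here (a fuller check would consult /etc/services).
SERVICE_PORTS = {"smtp": 25, "submission": 587}

OPTION_RE = re.compile(r"^O\s*DaemonPortOptions\s*=\s*(.*)$")


def parse_daemon_port_options(cf_text):
    """Return one dict per DaemonPortOptions line, with keys 'name', 'port',
    'addr' and 'modifiers'. Comment lines (starting with '#') are ignored."""
    listeners = []
    for line in cf_text.splitlines():
        if line.startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        # The option value is a comma-separated list of key=value pairs
        fields = {}
        for item in m.group(1).split(","):
            key, _, value = item.strip().partition("=")
            fields[key.strip()] = value.strip()
        raw_port = fields.get("Port", "smtp")  # sendmail's default port is smtp
        if raw_port.isdigit():
            port = int(raw_port)
        else:
            port = SERVICE_PORTS.get(raw_port.lower())
        listeners.append({
            "name": fields.get("Name", ""),
            "port": port,
            "addr": fields.get("Addr", "*"),    # no Addr means all interfaces
            "modifiers": fields.get("M", ""),
        })
    return listeners


def listens_on_submission(cf_text):
    """True if the configuration still opens port 587 (the MSA listener)."""
    return any(l["port"] == 587 for l in parse_daemon_port_options(cf_text))


# Constructed sample: the MTA and MSA listener lines of a default build
DEFAULT_CF = """\
O DaemonPortOptions=Port=smtp, Name=MTA
O DaemonPortOptions=Port=587, Name=MSA, M=E
"""

# Constructed sample: the same build after adding FEATURE(`no_default_msa'),
# which stops the MSA line from being generated
NO_MSA_CF = """\
O DaemonPortOptions=Port=smtp, Name=MTA
"""

if __name__ == "__main__":
    for label, cf in (("default", DEFAULT_CF), ("no_default_msa", NO_MSA_CF)):
        ports = [(l["name"], l["port"]) for l in parse_daemon_port_options(cf)]
        print(label, ports, "submission open:", listens_on_submission(cf))
```

Run it against the real file with `open("/etc/mail/sendmail.cf").read()` in place of the constructed samples.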

Geminai International Travels, 286/9 Soi Phatthana, Surawong Road, Bangkok 10500

--= Multipart Boundary 0320020124
Content-Type: application/octet-stream; name="ads.ht1.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="ads.ht1.gif"
--= Multipart Boundary 0320020124--

From owner-freebsd-security Tue Mar 19 11:45:48 2002
Date: Tue, 19 Mar 2002 14:45:38 -0500
From: Chris Johnson
To: security@freebsd.org
Subject: Safe SSH logins from public, untrusted Windows computers
Message-ID: <20020319144538.A42969@palomine.net>
User-Agent: Mutt/1.2.5.1i
This isn't exactly FreeBSD-security-related, but it's certainly
security-related, and I think it's likely to be of interest to many of the list
members.

I spend a lot of time in hotels, and most of them have Internet centers with
Windows computers for the use of hotel guests. It's easy enough to download a
copy of PuTTY and hide it in the Windows directory so that I can make SSH
logins to my various remote servers.

I worry, however, about trojans and keyboard sniffers and what-have-you
monitoring my keystrokes, so I don't feel particularly safe doing this. So I
thought I might stick a DSA key, encrypted with a passphrase used only for that
particular key, on a floppy disk, and use that to log in. Without the floppy
disk, the passphrase, if sniffed or recorded, would be useless.

Question: if I plan on doing any work as root, would I be better off setting
PermitRootLogin to without-password and logging in directly as root, instead of
following the common practice of logging in as a regular user and then su-ing?
su-ing would require that I type the password, and that's what I'm trying to
avoid.

Does anyone have any comments, or does anyone have a better idea?

Thanks.
Chris Johnson

From owner-freebsd-security Tue Mar 19 11:51:28 2002
Date: Tue, 19 Mar 2002 11:51:19 -0800
From: Alfred Perlstein
To: Chris Johnson
Cc: security@freebsd.org
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Message-ID: <20020319195119.GI455@elvis.mu.org>
References: <20020319144538.A42969@palomine.net>
In-Reply-To: <20020319144538.A42969@palomine.net>
User-Agent: Mutt/1.3.27i

* Chris Johnson [020319 11:45] wrote:
> This isn't exactly FreeBSD-security-related, but it's certainly
> security-related, and I think it's likely to be of interest to many of the list
> members.
>
> I spend a lot of time in hotels, and most of them have Internet centers with
> Windows computers for the use of hotel guests. It's easy enough to download a
> copy of PuTTY and hide it in the Windows directory so that I can make SSH
> logins to my various remote servers.
>
> I worry, however, about trojans and keyboard sniffers and what-have-you
> monitoring my keystrokes, so I don't feel particularly safe doing this. So I
> thought I might stick a DSA key, encrypted with a passphrase used only for that
[snip]
> Does anyone have any comments, or does anyone have a better idea?

Once you load the key onto the machine and type your passphrase in you've
done as good as just typing your password into it.

Don't use untrusted machines or get something like secure-ID that
does one-time passwords. Even with one time passwords you never know
if someone with control over the machine is sitting there waiting for
you to grab a cup of coffee in order to take control of your session
and do nasties. :(

So I guess it boils down to:
  "Don't use untrusted machines."

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
Tax deductible donations for FreeBSD: http://www.freebsdfoundation.org/

From owner-freebsd-security Tue Mar 19 11:53:52 2002
From: "Laurence Berland"
To: "Chris Johnson"
Subject: RE: Safe SSH logins from public, untrusted Windows computers
Date: Tue, 19 Mar 2002 13:50:10 -0600
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <20020319144538.A42969@palomine.net>

> This isn't exactly FreeBSD-security-related, but it's certainly
> security-related, and I think it's likely to be of interest to many of the list
> members.
>
> I spend a lot of time in hotels, and most of them have Internet centers with
> Windows computers for the use of hotel guests. It's easy enough to download a
> copy of PuTTY and hide it in the Windows directory so that I can make SSH
> logins to my various remote servers.
>
> I worry, however, about trojans and keyboard sniffers and what-have-you
> monitoring my keystrokes, so I don't feel particularly safe doing this. So I
> thought I might stick a DSA key, encrypted with a passphrase used only for that
> particular key, on a floppy disk, and use that to log in. Without the floppy
> disk, the passphrase, if sniffed or recorded, would be useless.
>
> Question: if I plan on doing any work as root, would I be better off setting
> PermitRootLogin to without-password and logging in directly as root, instead of
> following the common practice of logging in as a regular user and then su-ing?
> su-ing would require that I type the password, and that's what I'm trying to
> avoid.

sudo would avoid the password without leaving you open to people trying to
hack in as a known username (root).

My real suggestion would be skey. It's designed for precisely this sort of
situation I think. No disks, no trust mechanisms, just a simple password that
you write down on a card. The password is useless after use, so no problems
there...

> Does anyone have any comments, or does anyone have a better idea?
>
> Thanks.
> Chris Johnson

From owner-freebsd-security Tue Mar 19 12: 5:13 2002
Message-Id: <5.1.0.14.0.20020319144819.022aba50@marble.sentex.ca>
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Tue, 19 Mar 2002 14:58:45 -0500
To: Alfred Perlstein
From: Mike Tancsa
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Cc: security@FreeBSD.ORG
In-Reply-To: <20020319195119.GI455@elvis.mu.org>
References: <20020319144538.A42969@palomine.net>

At 11:51 AM 3/19/02 -0800, Alfred Perlstein wrote:
>Once you load the key onto the machine and type your passphrase in you've
>done as good as just typing your password into it.
>
>Don't use untrusted machines or get something like secure-ID that
>does one-time passwords.

Are there such products that work with FreeBSD ? (e.g. some keychain token
generator) CryptoCard and the RSALabs one only seem to work with
LINUX/Windows.

> Even with one time passwords you never know
>if someone with control over the machine is sitting there waiting for
>you to grab a cup of coffee in order to take control of your session
>and do nasties.
> :(
>
>So I guess it boils down to:
> "Don't use untrusted machines."

Ideally yes. But how can one best limit that risk.

---Mike

From owner-freebsd-security Tue Mar 19 12: 6:38 2002
Date: Tue, 19 Mar 2002 15:06:26 -0500 (EST)
From: Mitch Collinsworth
To: Chris Johnson
Cc: security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <20020319144538.A42969@palomine.net>

On Tue, 19 Mar 2002, Chris Johnson wrote:
> I worry, however, about trojans and keyboard sniffers and what-have-you
> monitoring my keystrokes, so I don't feel particularly safe doing this.

Get a laptop.
-Mitch

From owner-freebsd-security Tue Mar 19 12:10:26 2002
Message-ID: <3C979D68.5060609@pittgoth.com>
Date: Tue, 19 Mar 2002 15:19:52 -0500
From: Tom Rhodes
Reply-To: darklogik@pittgoth.com
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.7) Gecko/20011221
To: Alfred Perlstein
Cc: Chris Johnson, security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers
References: <20020319144538.A42969@palomine.net> <20020319195119.GI455@elvis.mu.org>

Alfred Perlstein wrote:
> * Chris Johnson [020319 11:45] wrote:
> [snip]
>
>>Does anyone have any comments, or does anyone have a better idea?
>>
>
> Once you load the key onto the machine and type your passphrase in you've
> done as good as just typing your password into it.
>
> Don't use untrusted machines or get something like secure-ID that
> does one-time passwords. Even with one time passwords you never know
> if someone with control over the machine is sitting there waiting for
> you to grab a cup of coffee in order to take control of your session
> and do nasties.
> :(

don't drink coffee, or logout before getting the coffee, or just bring it to
the system with you ;)

>
> So I guess it boils down to:
> "Don't use untrusted machines."
>
>

That's a good idea though ;)

--
Tom (Darklogik) Rhodes
www.Pittgoth.com
Gothic Liberation Front
www.FreeBSD.org
The Power To Serve

From owner-freebsd-security Tue Mar 19 12:14:41 2002
Message-ID: <001401c1cf81$b12976e0$0101a8c0@noc2>
From: "Richard Ward"
To: "Chris Johnson"
References: <20020319144538.A42969@palomine.net>
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Date: Tue, 19 Mar 2002 15:07:02 -0500
X-Mailer: Microsoft Outlook Express 5.00.2615.200

Chris Johnson,

What about using an ICMP or UDP client/server that will authenticate a root
login from a "bad" public machine without having to execute a password via
your keyboard? Just a crude idea. I'm very skeptical about logging in as
root from any machine I don't feel 100% safe about. Although using one-time
passwords would be a better solution, it doesn't seem like a feasible answer
to me.
If I could shoot a really crazy idea your way: What about using the
"Character Map" program included with Windows to slowly "type" out your
password? Though that would probably be cached long before you overwrite
the Clipboard.

Good luck.
--
Richard Ward, GM
Home Net Web, Inc.

----- Original Message -----
From: Chris Johnson
Sent: Tuesday, March 19, 2002 2:45 PM
Subject: Safe SSH logins from public, untrusted Windows computers

From owner-freebsd-security Tue Mar 19 12:16:37 2002
Date: Tue, 19 Mar 2002 13:14:08 -0700
From: Brad Jones
To: Chris Johnson
Cc: security@freebsd.org
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Message-ID: <20020319131408.C324@ophiuchus.kazrak.com>
References: <20020319144538.A42969@palomine.net>
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020319144538.A42969@palomine.net>; from cjohnson@palomine.net on Tue, Mar 19, 2002 at 02:45:38PM -0500

On Tue, Mar 19, 2002 at 02:45:38PM -0500, Chris Johnson wrote:
> This isn't exactly FreeBSD-security-related, but it's certainly
> security-related, and I think it's likely to be of interest to many of the list
> members.
>
> I spend a lot of time in hotels, and most of them have Internet centers with
> Windows computers for the use of hotel guests.
> It's easy enough to download a
> copy of PuTTY and hide it in the Windows directory so that I can make SSH
> logins to my various remote servers.
>
> I worry, however, about trojans and keyboard sniffers and what-have-you
> monitoring my keystrokes, so I don't feel particularly safe doing this. So I
> thought I might stick a DSA key, encrypted with a passphrase used only for that
> particular key, on a floppy disk, and use that to log in. Without the floppy
> disk, the passphrase, if sniffed or recorded, would be useless.
>
> Question: if I plan on doing any work as root, would I be better off setting
> PermitRootLogin to without-password and logging in directly as root, instead of
> following the common practice of logging in as a regular user and then su-ing?
> su-ing would require that I type the password, and that's what I'm trying to
> avoid.
>
> Does anyone have any comments, or does anyone have a better idea?

S/Key. It's built-in to FreeBSD, doesn't require any special hardware (just
a bit of planning ahead), and lets you avoid reusable passwords.

Set it up for your account, and set up 'sudo' so you can get to a root shell
without typing a reusable password. Then print up 20-30 responses (or
however many you think you'll need) and go...you enter the one-time password
at the appropriate SSH prompt, and a keystroke sniffer never gets any useful
information. (Sure, they got phrase #94...but that one's been used, and
won't work anymore.)

Recommended man pages: 'keyinit' will get you started, 'key' lets you
create a file of keys that you can print and take with you. (If you have
a palmtop, most of them have key-generation programs you can use instead.)
'skey' gives an overview.

Don't leave home without it.

BJ

-- 
Brad Jones -- brad@kazrak.com
"The line between good and evil, hope and despair, does not divide the world
between 'us' and 'them'. It runs down the middle of each one of us."
-- Robert Fulghum

From owner-freebsd-security Tue Mar 19 12:18:28 2002
Date: Tue, 19 Mar 2002 15:15:12 -0500
From: Chris Johnson
To: Mitch Collinsworth
Cc: security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Message-ID: <20020319151512.E43336@palomine.net>
References: <20020319144538.A42969@palomine.net>
In-Reply-To: ; from mitch@ccmr.cornell.edu on Tue, Mar 19, 2002 at 03:06:26PM -0500

On Tue, Mar 19, 2002 at 03:06:26PM -0500, Mitch Collinsworth wrote:
>
> On Tue, 19 Mar 2002, Chris Johnson wrote:
>
> > I worry, however, about trojans and keyboard sniffers and what-have-you
> > monitoring my keystrokes, so I don't feel particularly safe doing this.
>
> Get a laptop.

I've travelled with a laptop for years, and that's what I usually use. But the
hotels I stay in are in all parts of the world, and while we take cheap local
phone access for granted in the U.S., in many countries it's exorbitantly
expensive (the hotels charge a lot for it anyway). And ISPs that have
world-wide dialup access charge by the minute.
So Internet cafes and hotel
business centers are frequently the most economical way of connecting to the
Internet.

Chris

From owner-freebsd-security Tue Mar 19 12:21:16 2002
Date: Tue, 19 Mar 2002 20:15:49 +0000 (GMT)
From: "Alex C. Jokela"
To: Tom Rhodes
Cc: Alfred Perlstein, Chris Johnson
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <3C979D68.5060609@pittgoth.com>
Message-ID: <20020319201312.M58891-100000@duluth.camulus.org>

if you're that desperate for a caffeine fix, you should always carry with you
those caffeine mints you can get from thinkgeek.com - pop three of those into
your mouth, WHAM! you have as much caffeine as that of a cup of coffee.
problem solved.
=)

-aj-
----
http://www.camulus.org/

On Tue, 19 Mar 2002, Tom Rhodes wrote:

> Alfred Perlstein wrote:
> >
> > * Chris Johnson [020319 11:45] wrote:
> > [snip]
> >
> >> Does anyone have any comments, or does anyone have a better idea?
> >>
> >
> > Once you load the key onto the machine and type your passphrase in you've
> > done as good as just typing your password into it.
> >
> > Don't use untrusted machines or get something like secure-ID that
> > does one-time passwords. Even with one time passwords you never know
> > if someone with control over the machine is sitting there waiting for
> > you to grab a cup of coffee in order to take control of your session
> > and do nasties. :(
> >
> don't drink coffee, or logout before getting the coffee, or just bring
> it to the system with you ;)
> >
> > So I guess it boils down to:
> > "Don't use untrusted machines."
> >
> That's a good idea though ;)
>
> --
> Tom (Darklogik) Rhodes
> www.Pittgoth.com Gothic Liberation Front
> www.FreeBSD.org The Power To Serve

From owner-freebsd-security Tue Mar 19 12:26:18 2002
Date: Tue, 19 Mar 2002 15:21:25 -0500
From: Chris Johnson
To: security@freebsd.org
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Message-ID: <20020319152125.F43336@palomine.net>
References: <20020319144538.A42969@palomine.net> <20020319131408.C324@ophiuchus.kazrak.com>
In-Reply-To: <20020319131408.C324@ophiuchus.kazrak.com>; from brad@kazrak.com on Tue, Mar 19, 2002 at 01:14:08PM -0700

On Tue, Mar 19, 2002 at 01:14:08PM -0700, Brad Jones wrote:
> On Tue, Mar 19, 2002 at 02:45:38PM -0500, Chris Johnson wrote:
> > I spend a lot of time in hotels, and most of them have Internet centers with
> > Windows computers for the use of hotel guests. It's easy enough to download a
> > copy of PuTTY and hide it in the Windows directory so that I can make SSH
> > logins to my various remote servers.
>
> S/Key. It's built-in to FreeBSD, doesn't require any special hardware (just
> a bit of planning ahead), and lets you avoid reusable passwords.
>
> Set it up for your account, and set up 'sudo' so you can get to a root shell
> without typing a reusable password. Then print up 20-30 responses (or
> however many you think you'll need) and go...you enter the one-time password
> at the appropriate SSH prompt, and a keystroke sniffer never gets any useful
> information. (Sure, they got phrase #94...but that one's been used, and
> won't work anymore.)
>
> Recommended man pages: 'keyinit' will get you started, 'key' lets you
> create a file of keys that you can print and take with you. (If you have
> a palmtop, most of them have key-generation programs you can use instead.)
> 'skey' gives an overview.

Thanks very much for this; it seems to be just the ticket.
I didn't know
anything about S/Key, other than it's the thing I recently turned off in my
sshd_config file because sshd was prompting me for things to which I didn't
know the answer.

Thanks for all the responses.

Chris

From owner-freebsd-security Tue Mar 19 12:39:11 2002
Date: Tue, 19 Mar 2002 12:39:03 -0800 (PST)
From: "f.johan.beisser"
To: Chris Johnson
Cc: security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <20020319152125.F43336@palomine.net>
Message-ID: <20020319123726.R152-100000@pogo.caustic.org>

On Tue, 19 Mar 2002, Chris Johnson wrote:

> Thanks very much for this; it seems to be just the ticket. I didn't know
> anything about S/Key, other than it's the thing I recently turned off in my
> sshd_config file because sshd was prompting me for things to which I didn't
> know the answer.

just as an FYI: sudo can be configured to use skey/opie as well.
it'll use the next password in the series, so try to have enough access to do
your root level stuff from the one sudo token.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                            jan@caustic.org
  "John Ashcroft is really just the reanimated corpse
   of J. Edgar Hoover." -- Tim Triche

From owner-freebsd-security Tue Mar 19 12:44:38 2002
Date: Tue, 19 Mar 2002 15:44:15 -0500
From: Chris Johnson
To: security@freebsd.org
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Message-ID: <20020319154415.A44879@palomine.net>
In-Reply-To: ; from Thomas.Callaghan@consulting.fujitsu.com on Tue, Mar 19, 2002 at 02:26:36PM -0600

On Tue, Mar 19, 2002 at 02:26:36PM -0600, Thomas.Callaghan@consulting.fujitsu.com wrote:
> First of all, why would you su root on a machine from a
> hotel/library/etc/etc system? Just a silly thing to do.

Because I have things to do which require me to be root--the same reason one
would want to log in as root from any other computer. The point of my question
was to learn ways that this might be done safely from an untrusted computer.
Chris

From owner-freebsd-security Tue Mar 19 14:29:03 2002
Date: Tue, 19 Mar 2002 14:28:56 -0800
From: "Crist J. Clark"
To: "Nickolay A. Kritsky"
Cc: security@FreeBSD.ORG
Subject: Re: TCP connections on broadcast address - why no advisory?
Message-ID: <20020319142856.A67739@blossom.cjclark.org>
References: <785082402.20020319134231@internethelp.ru>
In-Reply-To: <785082402.20020319134231@internethelp.ru>; from nkritsky@internethelp.ru on Tue, Mar 19, 2002 at 01:42:31PM +0300
X-URL: http://people.freebsd.org/~cjc/

On Tue, Mar 19, 2002 at 01:42:31PM +0300, Nickolay A. Kritsky wrote:
> Hello, freebsd-security.
>
> On the Bugtraq I have read report by Crist J. Clark about TCP
> connections on broadcast address. It can be found on
> http://online.securityfocus.com/archive/1/262733 . In this advisory
> I've read the following:
>
> > I committed changes to FreeBSD 5-CURRENT on February 25th (CVS
> > revision 1.148) and to 4-STABLE on February 28th (revision
> > 1.107.2.21). After discussion with the FreeBSD security-officer@ team,
> > these changes will not be incorporated into the RELENG_4_{3,4,5}
> > security-fix branches nor will an advisory be released.
>
> Why will no advisory be released? What if I wasn't subscribed to
> BUGTRAQ? How would I know about this bug? Maybe I missed something.
> Sorry then.

There was a fairly long discussion on freebsd-net@. Also there was the
original discussion on freebsd-bugs@ when I came across the PR. Obviously, the
commit messages went out on cvs-all@ for the patches to both branches. In
addition, there were several side threads in which I was involved that didn't
take place on lists (the discussions with security-officer@ for example).

What I am saying is that after all of the FreeBSD related email I sent and
received on the topic, from my point of view, it seemed like anyone who
follows anything FreeBSD security or network related would have already heard
about this issue. But reviewing everything now, I guess there may be an
audience on freebsd-security@ that could have managed to miss all of that. I
thought one of the threads on the issue had spilled over onto -security, but
it looks like that was not an accurate recollection. I should have probably
CCed the BugTraq report here.

-- 
Crist J.
Clark                           | cjclark@alum.mit.edu
                                | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Tue Mar 19 14:38:40 2002
Date: Tue, 19 Mar 2002 23:38:28 +0100
From: Roelof Osinga
Organization: eBOA - Programming the Web
To: Richard Ward
Cc: Chris Johnson, security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Message-ID: <3C97BDE4.8040301@nisser.com>
References: <20020319144538.A42969@palomine.net> <001401c1cf81$b12976e0$0101a8c0@noc2>

Richard Ward wrote:
> Chris Johnson,
> ...
> If I could shoot a really crazy idea your way: What about using the
> "Character Map" program included with Windows to slowly "type" out your
> password? Though that would probably be cached long before you overwrite the
> Clipboard.

Since we're talking about wacky ideas, whatever happened to the one I'm about
to state: "keypress timing". Well, maybe nobody ever thought of it, could
happen, but I remember it as a way to recognize individuals. Like a signature.
A hand drawn one, of course.
What I mean is, can't a person be identified by having them type in some
reasonable, well known, sentence. A simple program should suffice to calc some
statistic which could then be used as a key to see if that person is likely to
know the password when asked.

So you take, say, 'Mary had a little lamb' as test sentence and then both
that sentence as well as the timing digest or even the individual samples
get transmitted as the "user ID".

It could be beaten by a recording device, but not by a paste from the
clipboard.

Zany enough?

Roelof

-- 
_______________________________________________________________________
eBOA® est. 1982                                       http://eBOA.com/
tel. +31-58-2123014    mailto:info@eBOA.com?subject=Information_request
fax. +31-58-2160293

From owner-freebsd-security Tue Mar 19 15:02:38 2002
Date: Tue, 19 Mar 2002 18:00:29 -0500 (EST)
From: Matt Piechota
To: Roelof Osinga
Cc: Richard Ward, Chris Johnson
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <3C97BDE4.8040301@nisser.com>
Message-ID: <20020319175854.N14039-100000@cithaeron.argolis.org>

On Tue, 19 Mar 2002, Roelof Osinga wrote:

> So you take,
> say, 'Mary had a little lamb' as test sentence and then both
> that sentence as well as the timing digest or even the individual samples
> get transmitted as the "user ID".

The only problem I see is keyboards being different. I personally type
much quicker on IBM101 (the old-school ones) than my laptop.

-- 
Matt Piechota

From owner-freebsd-security Tue Mar 19 17:52:21 2002
Date: Tue, 19 Mar 2002 17:52:01 -0800 (PST)
From: Jason Stone
To: Chris Johnson
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <20020319144538.A42969@palomine.net>
Message-ID: <20020319171807.O60767-100000@walter>

> I spend a lot of time in hotels, and most of them have Internet
> centers with Windows computers for the use of hotel guests. It's easy
> enough to download a copy of PuTTY and hide it in the Windows
> directory so that I can make SSH logins to my various remote servers.

You don't have to do this - you can use the appgate mindterm java ssh client:
http://support.appgate.com/mindterm/demo/index.php

> I worry, however, about trojans and keyboard sniffers and what-have-you
> monitoring my keystrokes, so I don't feel particularly safe doing this.

As well you should not.
Machines installed in places like these are often very poorly
maintained and are very vulnerable to both local attacks from the console and
to worms/etc from the net.

A solution that I've found to be somewhat viable in these cases is to carry
rescue media on you and boot that. Usually machines in cyber-cafes use
ethernet and dhcp, and so you can surreptitiously boot a picobsd floppy, grab
dhcp, and ssh out - when you're done, reboot back into windows and go home.
You're still vulnerable in this case to hardware keyboard sniffers, but that's
probably not a real worry for most people (though if you like to be paranoid,
tinfoil-hat linux has some cool support for you: http://tinfoilhat.shmoo.com/).

The ultimate evolution of this is something like the linuxcare bootable
businesscard (http://lbt.linuxcare.com) - a full-on linux install with X,
mozilla, ssh, etc, on a business-card sized CD which you can carry in your
wallet. If anyone is interested in doing something like this for FreeBSD,
contact me - I'm very interested in getting a project like this going.

Finally, if you don't want to carry an extra card in your wallet, you don't
feel good about surreptitiously rebooting machines, or the machines in your
hotel/cybercafe are too hard to use without windows (weird network drivers,
bios locked and configured to not boot external media, etc), at least use
opie/skey one-time passwords. You just run opiepasswd on yourself on the
server, make sure you're running a recent openssh, and then either print out
ten or twenty opiekeys (to a local printer!) with /usr/ports/security/keyprint,
or get a palm pilot and one of the many free opie calculators for it. If you
use opie, you're still vulnerable to an active attack (the controller of the
windows box waits until you've logged in, and then seizes the connection,
installs a backdoor, etc), but you'll probably be pretty resistant to normal
keyboard sniffing and trojan clients.
-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say "Daddy, where were
you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Tue Mar 19 19:05:26 2002
Date: Wed, 20 Mar 2002 03:05:18 +0000
From: Alex Holst
To: freebsd-security@freebsd.org
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Message-ID: <20020320030518.GB53513@area51.dk>
References: <20020319144538.A42969@palomine.net> <20020319131408.C324@ophiuchus.kazrak.com> <20020319152125.F43336@palomine.net>
In-Reply-To: <20020319152125.F43336@palomine.net>

Quoting Chris Johnson (cjohnson@palomine.net):
> Thanks very much for this; it seems to be just the ticket.
> I didn't know
> anything about S/Key, other than it's the thing I recently turned off in my
> sshd_config file because sshd was prompting me for things to which I didn't
> know the answer.

Note that captured S/Key passphrases can be brute-forced like anything else,
so make sure you pick a *strong* secret. Change your secret regularly (e.g.
between travels) to avoid a captured S/Key phrase resulting in a lost secret.

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                  http://a.area51.dk/

From owner-freebsd-security Tue Mar 19 19:11:52 2002
Date: Wed, 20 Mar 2002 04:07:27 +0100
From: Roelof Osinga
Organization: eBOA - Programming the Web
To: Matt Piechota
Cc: Richard Ward, Chris Johnson, security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Message-ID: <3C97FCEF.6050304@nisser.com>
References: <20020319175854.N14039-100000@cithaeron.argolis.org>

Matt Piechota wrote:
> On Tue, 19 Mar 2002, Roelof Osinga wrote:
>
>> ...
>
> The only problem I see is keyboards being different.
> I personally type
> much quicker on IBM101 (the old-school ones) than my laptop.

Maybe, maybe not. I'm thinking cadence here. Like an autograph will still be
personal because of pressure and relative acceleration and stuff (yep, did not
really pay attention that time :), so could typing be thanks to one's rhythm.
Too bad keyboards don't come with (gradient) pressure sensitive keys ;). Yet.

Still... if it ain't got that (i.e. your) swing, it don't mean a thing!

The absolute speed might differ wildly, but would the same hold for the
relative interkey speed patterns? As long as we're not talking Dvorak, German,
French or whatever key layouts one's typing rhythm should be more or less
equal. Just sped up or slowed down a bit, is all.

But if it is feasible then all passwords, or rather usernames as first line of
defence, could be one-pass. Just select a random sentence out of some suitable
volume and ask for it to be typed in.

Roelof

-- 
_______________________________________________________________________
eBOA® est. 1982                                       http://eBOA.com/
tel. +31-58-2123014    mailto:info@eBOA.com?subject=Information_request
fax.
+31-58-2160293

From owner-freebsd-security Tue Mar 19 19:58:42 2002
Date: Tue, 19 Mar 2002 22:58:34 -0500 (EST)
From: Chris BeHanna
Reply-To: Chris BeHanna
To: FreeBSD Security
Cc: FreeBSD Security
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <20020319151512.E43336@palomine.net>
Message-ID: <20020319225631.Q45274-100000@topperwein.dyndns.org>

On Tue, 19 Mar 2002, Chris Johnson wrote:

> On Tue, Mar 19, 2002 at 03:06:26PM -0500, Mitch Collinsworth wrote:
> >
> > On Tue, 19 Mar 2002, Chris Johnson wrote:
> >
> > > I worry, however, about trojans and keyboard sniffers and what-have-you
> > > monitoring my keystrokes, so I don't feel particularly safe doing this.
> >
> > Get a laptop.
>
> I've travelled with a laptop for years, and that's what I usually use. But the
> hotels I stay in are in all parts of the world, and while we take cheap local
> phone access for granted in the U.S., in many countries it's exorbitantly
> expensive (the hotels charge a lot for it anyway). And ISPs that have
> world-wide dialup access charge by the minute.
> So Internet cafes and hotel
> business centers are frequently the most economical way of connecting to the
> Internet.

The inet cafés and hotel business centers hook their machines up with a CAT5
cable, do they not? Unless they're smart enough to record the MAC addresses of
each NIC in the place, they won't notice your dhclient cycle until you're long
gone.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

From owner-freebsd-security Tue Mar 19 23:36:54 2002
Newsgroups: lucky.freebsd.security
Date: Tue, 19 Mar 2002 23:16:59 +0200
From: Dmitry Pryanishnikov
Subject: HEADS UP: FreeBSD-SA-02:18.zlib vs kern/35969
In-Reply-To: <200203181500.g2IF04C32485@freefall.freebsd.org.lucky.freebsd.security>
References: <200203181500.g2IF04C32485@freefall.freebsd.org.lucky.freebsd.security>

Hello!

Heads up! The fix given with this advisory seems to be buggy, at least in the
kernel part (sys/net/zlib.c, see kern/35969). Now, while the PR is still open,
what would be wise: use the patched or non-patched kernel? The patched one
could panic with PPP_DEFLATE - what could be done with the non-patched one by
hackers?
Also, has the fix for lib/libz/infblock.c been verified for correctness?

Sincerely, Dmitry
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE

From owner-freebsd-security Wed Mar 20 6:22:48 2002
Date: 20 Mar 2002 14:22:02 GMT
From: rmeijer@xs4all.nl (Rob J Meijer)
To: freebsd-security@freebsd.org
Organization: XS4ALL Internet BV
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <20020319131408.C324@ophiuchus.kazrak.com>

brad@kazrak.COM (Brad Jones) writes:

> On Tue, Mar 19, 2002 at 02:45:38PM -0500, Chris Johnson wrote:
> > This isn't exactly FreeBSD-security-related, but it's certainly
> > security-related, and I think it's likely to be of interest to many of the list
> > members.
> >
> > I spend a lot of time in hotels, and most of them have Internet centers with
> > Windows computers for the use of hotel guests. It's easy enough to download a
> > copy of PuTTY and hide it in the Windows directory so that I can make SSH
> > logins to my various remote servers.
> >
> > I worry, however, about trojans and keyboard sniffers and what-have-you
> > monitoring my keystrokes, so I don't feel particularly safe doing this. So I
> > thought I might stick a DSA key, encrypted with a passphrase used only for that
> > particular key, on a floppy disk, and use that to log in. Without the floppy
> > disk, the passphrase, if sniffed or recorded, would be useless.
> >
> > Question: if I plan on doing any work as root, would I be better off setting
> > PermitRootLogin to without-password and logging in directly as root, instead of
> > following the common practice of logging in as a regular user and then su-ing?
> > su-ing would require that I type the password, and that's what I'm trying to
> > avoid.
> >
> > Does anyone have any comments, or does anyone have a better idea?
>
> S/Key. It's built-in to FreeBSD, doesn't require any special hardware (just
> a bit of planning ahead), and lets you avoid reusable passwords.
>
> Set it up for your account, and set up 'sudo' so you can get to a root shell
> without typing a reusable password. Then print up 20-30 responses (or
> however many you think you'll need) and go...you enter the one-time password
> at the appropriate SSH prompt, and a keystroke sniffer never gets any useful
> information. (Sure, they got phrase #94...but that one's been used, and
> won't work anymore.)

It won't need to work any'more' if the thing you are sudoing to is
interactive, as the fact that a phrase has been typed after a sudo call to
an interactive shell could prompt the keyboard sniffer to go into
key-insertion mode. As long as you do sudo calls to non-interactive stuff
you are fine; just don't do things like 'sudo bash' or even 'sudo vi'.
Rob

From owner-freebsd-security Wed Mar 20 6:38:38 2002
Date: 20 Mar 2002 09:37:56 -0500
From: Andrew Heybey
To: Chris Johnson
Cc: security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <20020319152125.F43336@palomine.net>
Message-ID: <85adt3uwxn.fsf@stiegl.niksun.com>

> On Tue, Mar 19, 2002 at 01:14:08PM -0700, Brad Jones wrote:
> > On Tue, Mar 19, 2002 at 02:45:38PM -0500, Chris Johnson wrote:
> > > I spend a lot of time in hotels, and most of them have Internet centers with
> > > Windows computers for the use of hotel guests. It's easy enough to download a
> > > copy of PuTTY and hide it in the Windows directory so that I can make SSH
> > > logins to my various remote servers.
> >
> > S/Key.
> > It's built-in to FreeBSD, doesn't require any special hardware (just
> > a bit of planning ahead), and lets you avoid reusable passwords.
> >
> > Set it up for your account, and set up 'sudo' so you can get to a root shell
> > without typing a reusable password. Then print up 20-30 responses (or
> > however many you think you'll need) and go...you enter the one-time password
> > at the appropriate SSH prompt, and a keystroke sniffer never gets any useful
> > information. (Sure, they got phrase #94...but that one's been used, and
> > won't work anymore.)
> >
> > Recommended man pages: 'keyinit' will get you started, 'key' lets you
> > create a file of keys that you can print and take with you. (If you have
> > a palmtop, most of them have key-generation programs you can use instead.)
> > 'skey' gives an overview.
>
> Thanks very much for this; it seems to be just the ticket. I didn't know
> anything about S/Key, other than it's the thing I recently turned off in my
> sshd_config file because sshd was prompting me for things to which I didn't
> know the answer.

I had thought about doing this (setting up ssh access with s/key, that
is), using one of the java applets (mindterm, or maybe
http://www.mud.de/se/jta/). This eliminates having to install putty on
whatever computer you are using: it just requires a java-capable browser.
Put the applet on a web server on my computer, then run it from wherever I
am. Has anyone had any success (or problems) with any of the available ssh
applets?

The only problem is until 4.5 I don't think you can allow s/key while
prohibiting regular passwords.

Are there any security pitfalls to doing this? You are susceptible to
man-in-the-middle attacks but that is pretty much a given if you do not
have the host's public key with you...
andrew

From owner-freebsd-security Wed Mar 20 7:53:08 2002
Date: Wed, 20 Mar 2002 10:52:57 -0500
From: David Gilbert
To: Chris Johnson
Cc: Mitch Collinsworth, security@FreeBSD.ORG
Subject: [security] Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <20020319151512.E43336@palomine.net>
Message-ID: <15512.45145.604882.548449@trooper.velocet.net>

>>>>> "Chris" == Chris Johnson writes:

Chris> I've travelled with a laptop for years, and that's what I
Chris> usually use. But the hotels I stay in are in all parts of the
Chris> world, and while we take cheap local phone access for granted
Chris> in the U.S., in many countries it's exorbitantly expensive (the
Chris> hotels charge a lot for it anyway). And ISPs that have
Chris> world-wide dialup access charge by the minute.
Chris> So Internet
Chris> cafes and hotel business centers are frequently the most
Chris> economical way of connecting to the Internet.

You'd probably find that all those hotels are using some form of
ethernet to connect their machine. If they're on a single dialup per
machine, you can hack the windoze password and then use it. Simply
connect the network connection to your laptop when you sit down.

You can't do trusted work on an untrusted machine. This is the
problem that the music/content industry is facing. There are things
you can do that surf the law of averages --- like using s/key. The
argument there is that what you're doing is unusual enough that the
hacker will pick on easier prey.

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://daveg.ca                              | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Wed Mar 20 11:02:39 2002
Date: Wed, 20 Mar 2002 14:00:38 -0500
From: "Peter C. Lai"
Reply-To: peter.lai@uconn.edu
To: cjohnson@palomine.net
Cc: security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <85adt3uwxn.fsf@stiegl.niksun.com>; from ath@niksun.com on Wed, Mar 20, 2002 at 09:37:56AM -0500
Message-ID: <20020320140038.B17139@cowbert.2y.net>

When considering the use of the Java SSH Client on your ssh server, make
sure that you use an unsigned applet. Unsigned applets are untrusted by
the system, and so, when it is loaded, the JVM sandbox will:

1. prevent any cached copies of your host keys on the filesystem
2. prevent other applications from talking to your applet, and vice-versa
3. prevent the applet from connecting to any ssh server other than the
   one that served the applet (I dunno if this is a sandbox feature or
   one that is coded into MindTerm).

I haven't seen a trojan for win32 JVMs in nutscrape and IE that defeats
the sandboxes (yet), although as has been stated before, you're still
screwed if you have a backdoor that takes control of the keyboard DLL and
intercepts all keystrokes.

-- 
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept.
of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone)

From owner-freebsd-security Wed Mar 20 11:58:06 2002
Date: Wed, 20 Mar 2002 20:57:47 +0100
From: Rickard Borgmäster
To: freebsd-security@freebsd.org
Subject: IPSec tunnel FreeBSD<->OpenBSD using isakmp
Message-Id: <20020320205747.4197222b.doktorn@realworld.nu>

Dunno if this belongs to net or security but...

I've established a tunnel between my home FreeBSD host and a corporate
OpenBSD firewall. This works just fine. Well, works, but not good enough.

Specs:

home:   FreeBSD 4.5, IPF
        pub-ip:   130.236.218.63
        priv-net: 192.168.2.0/24

office: OpenBSD 3.0-stable, PF
        pub-ip:   213.88.128.16
        priv-net: 10.0.0.0/24

I think I have this somewhat going. If I launch isakmpd at both ends, I
can see this at the OpenBSD box:

# netstat -rn
[...]
              Port  Destination   Port  Proto SA(Address/Proto/Type/Direction)
192.168.2/24  0     10.0.0/24     0     0     130.236.218.63/50/use/in
10.0.0/24     0     192.168.2/24  0     0     130.236.218.63/50/require/out

However, on the FreeBSD side, netstat -rn won't show anything about
10.0.0.0/24. Maybe Encap routes won't show in the ordinary routing table
on FreeBSD?

Well, anyways, this works just fine. From 192.168.2.0/24 I can ping to
10.0.0.0/24 and vice versa. Both the private networks can communicate
just fine.

However, there is one thing that won't work. Probably this is a
by-design thing, but I still want it to work =)

From either the OpenBSD or FreeBSD box, I am unable to reach the private
net behind the other IPSec node. I.e., from the FreeBSD box, I cannot
reach 10.0.0.0/24. And from the OpenBSD box, I cannot reach
192.168.2.0/24.

How come?

-- 
Rickard Borgmäster
doktorn@sub.nu
http://doktorn.sub.nu/

From owner-freebsd-security Wed Mar 20 13:22:08 2002
Date: Wed, 20 Mar 2002 13:22:03 -0800 (PST)
From: Dean Phillips
To: David Gilbert, Chris Johnson
Cc: Mitch Collinsworth, security@FreeBSD.ORG
Subject: Re: [security] Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <15512.45145.604882.548449@trooper.velocet.net>
Message-ID: <20020320212203.22489.qmail@web11301.mail.yahoo.com>
Careful out there. I don't think David meant to advocate hooking your
computer up to someone else's network without the network owner's
permission. I don't know anyplace where it is legal to do that. It is
better to risk having to fly home early and reload a machine than to have
a criminal record.

Dean M. Phillips

--- David Gilbert wrote:
>
> You'd probably find that all those hotels are using some form of
> ethernet to connect their machine. If they're on a single dialup per
> machine, you can hack the windoze password and then use it. Simply
> connect the network connection to your laptop when you sit down.
>
> You can't do trusted work on an untrusted machine. This is the
> problem that the music/content industry is facing. There are things
> you can do that surf the law of averages --- like using s/key. The
> argument there is that what you're doing is unusual enough that the
> hacker will pick on easier prey.
>
> Dave.
>
> -- 
> ============================================================================
> |David Gilbert, Velocet Communications.       | Two things can only be     |
> |Mail:       dgilbert@velocet.net             | equal if and only if they  |
> |http://daveg.ca                              | are precisely opposite.    |
> =========================================================GLO================

From owner-freebsd-security Wed Mar 20 15:46:30 2002
Date: Wed, 20 Mar 2002 15:46:16 -0800 (PST)
From: "f.johan.beisser"
To: Andrew Heybey
Cc: Chris Johnson
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <85adt3uwxn.fsf@stiegl.niksun.com>
Message-ID: <20020320153914.W152-100000@pogo.caustic.org>

On 20 Mar 2002, Andrew Heybey wrote:

> I had thought about doing this (setting up ssh access with s/key, that
> is), using one of the java applets (mindterm, or maybe
> http://www.mud.de/se/jta/). This eliminates having to install putty
> on whatever computer you are using: it just requires a java-capable
> browser. Put the applet on a web server on my computer, then run it
> from where ever I am. Has anyone had any success (or problems) with
> any of the available ssh applets?

i've had some success with all of them. mindterm in particular. while in
Tokyo recently, i hit up various cybercafes and places with good network
connectivity, and used a couple different java ssh clients with s/key. i
have to say it worked very well, just about everywhere.
in several cases java could be executed, but you could not download
anything to the temp dirs that ended in .exe, or was directly
executable.. but the applet would download and work fairly consistently.

> Are there any security pitfalls to doing this? You are susceptible to
> man-in-the-middle attacks but that is pretty much a given if you do
> not have the host's public key with you...

the man in the middle attack can happen between you and the keyboard, for
that matter, between you and the network layer on any given machine. it's
just difficult. at some point, you have to stop being paranoid, and trust
the machine and the environment. s/key and the like can only get you so
far.

when travelling, my solution has been to use S/Key to get to a gateway
machine, and have private keys with passphrases to get from that machine
to other locations inside (or outside) that network. while this isn't
100%, it's better than nothing.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                      jan@caustic.org
 "John Ashcroft is really just the reanimated corpse of
  J. Edgar Hoover." -- Tim Triche

From owner-freebsd-security Thu Mar 21 18:16:22 2002
Date: Thu, 21 Mar 2002 18:16:19 -0800
From: Julian Elischer
Organization: VICOR
To: security@freebsd.org
Subject: something changed in ssh?
Message-ID: <3C9A93F3.570416EA@vicor-nb.com>
Until recently I used to use ssh to "machine A" to forward X11 sessions
out of my office to home; however, when we recently upgraded it due to the
security announcements, this stopped working.

"Machine A" does NOT have X11 loaded as it is a bastion host.

sshd now seems to be looking for xauth. But prior to this it used to print
out something about "spoofed X11 Authentication", and worked anyhow
without xauth on the machine.

We do not want to load xauth onto the bastion host as its job doesn't
require it and we are trying to keep the machine easily auditable.

Has something changed in sshd in this regard? I have spent several hours
looking through the sources and not found any hints as to how this used to
work in the past, or how to make it work now.

Any leads appreciated..
Julian

From owner-freebsd-security Thu Mar 21 20:10:40 2002
Date: Fri, 22 Mar 2002 14:10:29 +1000 (EST)
From: Steven Goodwin
To: security@freebsd.org
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <3C97BDE4.8040301@nisser.com>

On Tue, 19 Mar 2002, Roelof Osinga wrote:

> Richard Ward wrote:
> > Chris Johnson,
> > ...
> > If I could shoot a really crazy idea your way: What about using the
> > "Character Map" program included with Windows to slowly "type" out your
> > password? Though that would probably be cached long before you overwrite the
> > Clipboard.
>
> Since we're talking about wacky ideas, whatever happened to the one I'm
> about to state: "keypress timing". Well, maybe nobody ever thought of it,

Without wanting to prolong the wacky ideas thread too much further, how
about using the screen port (/usr/ports/misc/screen). Logged on at a
secure terminal, you could start a screen session, su to root, then detach
(ctrl+a+d).
When you are on travels, simply log in (using a particular method
described on this thread) to your remote machine as the user that owns
the screen session, re-attach the session (screen -r) and voila, root
access without passwords. Simple, but useless if the remote machine has
been rebooted while you were away. Wacky.

Steve

From owner-freebsd-security Thu Mar 21 20:21:10 2002
Date: Fri, 22 Mar 2002 14:21:02 +1000 (EST)
From: Steven Goodwin
To: security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers

> Without wanting to prolong the wacky ideas thread too much further, how
> about using the screen port (/usr/ports/misc/screen). Logged on at a
> secure terminal, you could start a screen session, su to root, then detach
> (ctrl+a+d). When you are on travels, simply log in (using a particular
> method described on this thread) to your remote machine as the user that
> owns the screen session, re-attach the session (screen -r) and
> voila, root access without passwords.
> Simple, but useless if the remote
> machine has been rebooted while you were away. Wacky.
>
> Steve

Oh yeah, you might also have an issue with leaving a root terminal
available to those that compromise your user account. Ouch.

Steve

From owner-freebsd-security Thu Mar 21 21:16:32 2002
Date: Thu, 21 Mar 2002 15:57:17 -0800 (PST)
From: Bigby Findrake
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <20020319175854.N14039-100000@cithaeron.argolis.org>

On Tue, 19 Mar 2002, Matt Piechota wrote:

> On Tue, 19 Mar 2002, Roelof Osinga wrote:
>
> > So you take, say, 'Mary had a little lamb' as test sentence and then both
> > that sentence as well as the timing digest or even the individual samples
> > get transmitted as the "user ID".
>
> The only problem I see is keyboards being different. I personally type
> much quicker on IBM101 (the old-school ones) than my laptop.

I've thought about this, and here is a problem I see. If you're using
this across a network, you can't accurately measure time between strokes
because of unpredictable network latency.
This means that you would have to run special software on the client
(java or otherwise) to calculate the "timing signature" and then pass
that along to the server. To my thinking, this signature would be
susceptible to replay attacks, and so you're back to square one.

While not novel, I think it's a wonderful idea, a new twist on
biometrics. I'm just not sure how valuable it would be in an untrusted
environment.

/-------------------------------------------------------------------------/
If all else fails, immortality can always be assured by spectacular error.
                                                 -- John Kenneth Galbraith
https://home.ephemeron.org/~bigby/pgp_key.txt
/-------------------------------------------------------------------------/

From owner-freebsd-security Thu Mar 21 22:49:02 2002
Date: Fri, 22 Mar 2002 01:47:00 -0500
From: "Peter C. Lai"
Reply-To: peter.lai@uconn.edu
To: Steven Goodwin
Cc: security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: from steve@cit.gu.edu.au on Fri, Mar 22, 2002 at 02:21:02PM +1000
Message-ID: <20020322014700.A21504@cowbert.2y.net>

Then use sudo which requires someone to know your user account's password.
On Fri, Mar 22, 2002 at 02:21:02PM +1000, Steven Goodwin wrote:
> > Without wanting to prolong the wacky ideas thread too much further, how
> > about using the screen port (/usr/ports/misc/screen). Logged on at a
> > secure terminal, you could start a screen session, su to root, then detach
> > (ctrl+a+d). When you are on travels, simply log in (using a particular
> > method described on this thread) to your remote machine as the user that
> > owns the screen session, re-attach the session (screen -r) and
> > voila, root access without passwords. Simple, but useless if the remote
> > machine has been rebooted while you were away. Wacky.
> >
> > Steve
>
> Oh yeah, you might also have an issue with leaving a root terminal
> available to those that compromise your user account. Ouch.
>
> Steve

-- 
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone)

From owner-freebsd-security Thu Mar 21 23:26:46 2002
Date: Thu, 21 Mar 2002 23:26:38 -0800 (PST)
From: Bigby Findrake
To: Florin MANAILA
Cc: BSD
Subject: Re: !!! Syslog message !!!
In-Reply-To: <3C91E020.9CB247E3@softnet.ro>

I always used to get this when I ran console screen saver kernel modules (like firesaver and the like). I noticed that when those were running, the system spent almost all of its time servicing interrupts. If I had to guess, in my particular case it was so busy servicing whatever interrupts were caused/generated by the running of the screen saver that it was missing the RTC (real time clock) interrupts. Just a guess based on my experiences.

On Fri, 15 Mar 2002, Florin MANAILA wrote:
> Hi all,
> I receive some strange error on my FreeBSD 4.5:
>
> /kernel: microptime () went backwords (29281.21038151 -> 29281.820797)
> /kernel: microptime () went backwords (29281.21038151 -> 29281.639506)
> /kernel: microptime () went backwords (29281.21038151 -> 29281.639505)
> /kernel: microptime () went backwords (29281.21038151 -> 29281.639507)
>
> etc.
>
> ????? What's this strange error ????
>
> When I receive this error my system works very, very slowly, but all
> traffic that goes from one ether to another (from xl0 to xl1) is OK.
> This system is a firewall/gateway freebsd-router with a 200 Pentium
> MMX CPU.

/-------------------------------------------------------------------------/
"Deep" is a word like "theory" or "semantic" -- it implies all sorts of marvelous things. It's one thing to be able to say "I've got a theory", quite another to say "I've got a semantic theory", but, ah, those who can claim "I've got a deep semantic theory", they are truly blessed.
-- Randy Davis
https://ephemeron.org:4300/~bigby/pgp_key.txt
/-------------------------------------------------------------------------/

From: Paulo Fragoso
Date: Fri, 22 Mar 2002 11:46:27 -0300 (BRT)
To: security@freebsd.org
Subject: Maildrop vs. Procmail
Message-ID: <20020322103140.O10588-100000@mirage.nlink.com.br>

Hi,

We have a mail server without shell access for all users. We are thinking of using maildrop to implement mail filters (anti-spam), but we guess there is a security problem with maildrop in this case. We didn't find any configure option to restrict its use, like procmail's option:

    #define RESTRICT_EXEC 1000

So any user could be able to exec some script via $HOME/.mailfilter. Are we wrong?

Now we are restricting the .qmail shell with a patched smrsh (qmail-local.c was patched too); this way any user can exec via .qmail. We are using procmail for two administrators; their UIDs are lower than 1000.

Is there any way to restrict mailfilter for our users?

Thanks,
Paulo.

--
   __O
 _-\<,_      Why drive when you can bike?
(_)/ (_)

From: Makoto Matsushita
Date: Sat, 23 Mar 2002 03:24:36 +0900
To: security@FreeBSD.org
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-ID: <20020323032436X.matusita@jp.FreeBSD.org>
In-Reply-To: <20020319135610H.matusita@jp.FreeBSD.org>

matusita> There is a plan to do that since RELENG_4_3 branch was born,
matusita> but not yet implemented. Any requests are always welcome,
matusita> email to the contact address, buildadm@jp.FreeBSD.org.

I've just tried to build FreeBSD/i386 4.5-RELEASE-p2. It is composed of:

* Built from the latest RELENG_4_5 source code.
* Ports and packages come from the recent ports tree (different from 4.5-RELEASE).
* Doc and XFree86 3.x distributions are the same as in 4.5-RELEASE.
* Release documents come from bmah's latest RELENG_4_5 snapshots (thanks!)
If you are interested, please visit:

ftp://snapshots.jp.FreeBSD.org/pub/FreeBSD/releases/i386/4.5-RELEASE-p2/

No ISO images are created yet; I'll (hopefully) make them this weekend.

--
- Makoto `MAR' Matsushita

From: Fernan Aguero
Date: Fri, 22 Mar 2002 16:58:17 -0300
To: FreeBSD Security
Subject: su -c user command not working
Message-ID: <20020322165816.A561@iib.unsam.edu.ar>

I wonder if this is security related.

Basically I'd like to know if this has been disabled for security reasons.

According to su(1) you can do something like:

    su man -c catman
            Runs the command catman as user man. You will be asked for
            man's password unless your real UID is 0.

However, I am refused when I run the example this way (I am root, of course):

    root> su man -c catman
    This account is currently not available.
man is listed in /etc/passwd with /sbin/nologin as shell.

I'd also like to know why my ~/.cshrc is not read when I log in or open an xterm. I have to source it every time. Is this also related to the previous issue (disabled for some reason)?

I am running FreeBSD-4.3 (RELENG_4_3), and except for some minor things I haven't done major configuration or editing of system base defaults.

Thanks in advance for any help or pointers,

Fernan

From: Anthony Schneider
Date: Fri, 22 Mar 2002 15:36:57 -0500
To: Fernan Aguero
Cc: FreeBSD Security
Subject: Re: su -c user command not working
Message-ID: <20020322153657.A3593@mail.slc.edu>
In-Reply-To: <20020322165816.A561@iib.unsam.edu.ar>

The -c flag passes a command to the shell of the user you are su'ing to, so since user man's shell is /sbin/nologin, /sbin/nologin is (according to su) supposed to interpret the command
'catman' and execute it; however, /sbin/nologin doesn't interpret commands, it just prints the message "This account is currently unavailable" (just as it did for you) and then exits. For 'su -c' to work, the user you are su'ing to needs something to actually interpret the command. I suggest you either change that user's passwd info to have such a shell, or su to an account that has such a shell.

As for xterm reading your .cshrc, you need to pass it the option -ls, which tells it to launch a login shell.

-Anthony.
-----------------------------------------------
PGP key at: http://www.keyserver.net/
            http://www.anthonydotcom.com/gpgkey/key.txt
Home: http://www.anthonydotcom.com
-----------------------------------------------

From: "DiCioccio, Jason"
Date: Fri, 22 Mar 2002 12:48:51 -0800
To: 'Anthony Schneider', Fernan Aguero
Cc: FreeBSD Security
Subject: RE: su -c user command not working
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02FFF4C4@goofy.epylon.lan>

Also you can try:

    su -m man -c catman

Cheers,
-JD-
From: Nicolas Rachinsky
Date: Fri, 22 Mar 2002 21:49:51 +0100
To: FreeBSD Security
Subject: Re: su -c user command not working
Message-ID: <20020322204951.GB529@pc5.abc>
In-Reply-To: <20020322153657.A3593@mail.slc.edu>

* Anthony Schneider [2002-03-22 15:36:57 -0500]:
> the -c flag passes a command to the shell of the user you are su'ing to,

man su
...
     -c class  Use the settings of the specified login class.  Only
               allowed for the super-user.
...

> so since user man's shell is /sbin/nologin, /sbin/nologin is (according
> to su) supposed to interpret the command 'catman' and execute it,
> however /sbin/nologin doesn't interpret commands, it just prints the
> message "This account is currently unavailable" (just as it did for you)
> and then exits. for 'su -c' to work, the user you are su'ing to needs
> something to actually interpret the command. i suggest you either change
> that user's passwd info to have such a shell, or you to an account that
> has such a shell.
I think for 'su -c' to work as expected here, you have to use some linux distri ;-)

Nicolas

From: "DiCioccio, Jason"
Date: Fri, 22 Mar 2002 12:53:04 -0800
To: 'Nicolas Rachinsky', FreeBSD Security
Subject: RE: su -c user command not working
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02FFF4C5@goofy.epylon.lan>

No, the reason this works is because you're passing the -c to the shell which su invokes. Most shells take a -c argument. This is why -c is passed after the username; su -c username would be what you are thinking of :)

Cheers,
-JD-
From: Nicolas Rachinsky
Date: Fri, 22 Mar 2002 21:59:29 +0100
To: FreeBSD Security
Subject: Re: su -c user command not working
Message-ID: <20020322205929.GC529@pc5.abc>
In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA02FFF4C5@goofy.epylon.lan>

* "DiCioccio, Jason" [2002-03-22 12:53:04 -0800]:
> No, the reason this works is because you're passing the -c to the shell
> which su invokes. Most shells take a -c argument. This is why -c is passed
> after the username, su -c username would be what you are thinking of
> :)

Uh, my mistake, sorry. I mixed up "su -c blah user" and "su user -c blah".

Nicolas

From: Fernan Aguero
Date: Fri, 22 Mar 2002 18:05:40 -0300
To: "Dmitry S. Makovey"
Cc: Anthony Schneider, "Cameron S. Watters", FreeBSD Security
Subject: Re: su -c user command not working
Message-ID: <20020322180540.C561@iib.unsam.edu.ar>
In-Reply-To: <0GTE005BP5MQBK@local.athabascau.ca>

+----[ Dmitry S. Makovey (dmitry@athabascau.ca) said about "Re: su -c user command not working":
|
| On Friday 22 March 2002 12:58, you wrote:
| > root> su man -c catman
| > This account is currently not available.
| > man is listed in /etc/passwd with /sbin/nologin as shell
| if you want to run something with user privileges you should use su -m (do
| not simulate full login - it will disable new shell invocation)
|
+----]

OK, OK, so now it's clear. But apparently su -m does not work either.

It still intrigues me why the examples in the su(1) manpage explicitly mention cases where no shell is available and therefore the example will not work!

What I'm trying to do is to create a new user to make backups (using amanda). But I'm trying to avoid giving that user a shell. Right now I cannot check how I've configured amanda (since I cannot su) without giving amanda a shell.

However, what will happen with cron jobs? I suppose that they will work OK without a shell ... is this so?

Thanks also to Cameron and Anthony for their prompt replies.

Fernan

PD: regarding the ~/.cshrc issue, I had /bin/csh as shell, but even using /bin/tcsh does not make it change. Permissions for ~/.cshrc are set to 644.
(Oh, and this also happens with root's own ~/.cshrc)

From: "DiCioccio, Jason"
Date: Fri, 22 Mar 2002 13:11:22 -0800
To: 'Fernan Aguero', "Dmitry S. Makovey"
Cc: Anthony Schneider, "Cameron S. Watters", FreeBSD Security
Subject: RE: su -c user command not working
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02FFF4C6@goofy.epylon.lan>

Hmm.. that's strange.. Works for me.. It doesn't work though if you're doing it from a non-root user.

    # su -m man -c id
    uid=9(man) gid=9(man) groups=9(man)

    man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin

Cheers,
-JD-
From: Jason Stone
Date: Fri, 22 Mar 2002 16:46:23 -0800 (PST)
To: Fernan Aguero
Cc: FreeBSD Security
Subject: RE: su -c user command not working
Message-ID: <20020322162750.T2391-100000@walter>
In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA02FFF4C4@goofy.epylon.lan>

> Also you can try: su -m man -c catman

You can also install djb's daemontools from /usr/ports/sysutils/daemontools and then use setuidgid to run stuff as a different user.

Alternatively, you could just use some perl:

    perl -e '$uid = `id -u man`; $gid = `id -g man`;' \
         -e '$( = $) = "$gid $gid"; $> = $< = $uid; exec "myscript";'

will run "myscript" with real and effective uid/gid set to "man".

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From: Alex Popa
Date: Sat, 23 Mar 2002 21:42:27 +0200
To: security@freebsd.org
Subject: strange behaviour on /tmp
Message-ID: <20020323214227.A37349@ldc.ro>

I have /tmp mode 1777, and mounted like this in fstab:

    /dev/something  tmp  ufs  rw,nosuid,nodev  2  2

The thing I am noticing is that all files created under /tmp get created as group wheel, no matter the permissions of the directory they are created in or the user that creates them.

Is this expected behaviour?

I am running -STABLE, FreeBSD 4.5-STABLE #0: Thu Mar 7 22:11:39 EET 2002. Cvsup was done two hours before the compilation time.

Any ideas?

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
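Returning to the su -c thread above: Jason Stone's perl one-liner sets gid and uid and then execs a program, and the thread works out that with a /sbin/nologin shell only "su -m" runs the command. The following is an added example, not code from the thread, that does the same in Python with the checks a privilege drop should have; it parses the passwd line Jason DiCioccio posted, chooses the su form using FreeBSD su(1) semantics as the thread describes them, and treats NOLOGIN_SHELLS, the function names and "myscript" as assumptions of the example.

```python
"""Run a command as a service account that has no login shell.

Added example, not code from the thread.  It does in Python what the
perl one-liner above does (set gid and uid, then exec) and adds the
checks a privilege drop should carry: groups and gid before uid, and a
verification that root cannot be regained afterwards.
"""
import os
from typing import NamedTuple, Optional

# Shells that never interpret "-c command" (assumed list).  A plain
# "su user -c cmd" hands the command to this program, which is why the
# thread saw "This account is currently not available".
NOLOGIN_SHELLS = frozenset({"/sbin/nologin", "/usr/sbin/nologin",
                            "/bin/false", "/usr/bin/false"})

# Constructed sample input: the passwd entry quoted in the thread.
SAMPLE_PASSWD_LINE = "man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin"


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one /etc/passwd line: name:passwd:uid:gid:gecos:home:shell."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line: %r" % line)
    name, _pw, uid, gid, _gecos, home, shell = fields
    # An empty shell field means /bin/sh, per passwd(5).
    return PasswdEntry(name, int(uid), int(gid), home, shell or "/bin/sh")


def su_command(entry: PasswdEntry, command: str) -> list:
    """Pick the FreeBSD su(1) form that will actually run `command`.

    "-c" placed after the user name goes to that user's login shell.
    With a real shell that works; with a nologin shell it cannot, and
    "su -m" (keep the caller's shell and environment) is the form that
    works, as the thread found.
    """
    if entry.shell in NOLOGIN_SHELLS:
        return ["su", "-m", entry.name, "-c", command]
    return ["su", entry.name, "-c", command]


def current_ids() -> tuple:
    """Real uid and gid of this process."""
    return os.getuid(), os.getgid()


def drop_privileges(uid: int, gid: int,
                    groups: Optional[list] = None) -> tuple:
    """Permanently switch to uid/gid and return the ids now in effect.

    Order matters: supplementary groups and gid first (they need root),
    uid last, because after setuid() root is gone for good.
    """
    if os.geteuid() == 0:
        os.setgroups(groups if groups is not None else [gid])
    os.setgid(gid)   # real, effective and saved gid
    os.setuid(uid)   # real, effective and saved uid
    if uid != 0:
        # The drop must be permanent: regaining root has to fail.
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop is not permanent")
    if current_ids() != (uid, gid):
        raise RuntimeError("uid/gid did not change as requested")
    return current_ids()


def run_as(entry: PasswdEntry, argv: list) -> None:
    """Drop to `entry` and exec argv, the way the perl one-liner does."""
    drop_privileges(entry.uid, entry.gid)
    os.execvp(argv[0], argv)


if __name__ == "__main__":
    man = parse_passwd_line(SAMPLE_PASSWD_LINE)
    print("su form that works:", " ".join(su_command(man, "catman")))
    if os.geteuid() == 0:
        run_as(man, ["id"])   # "id" stands in for the thread's "myscript"
```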
From owner-freebsd-security Sat Mar 23 11:46:49 2002
Date: Sat, 23 Mar 2002 21:46:20 +0200 (SAST)
From: Willie Viljoen
To: Alex Popa
Cc: security@freebsd.org
Subject: Re: strange behaviour on /tmp
In-Reply-To: <20020323214227.A37349@ldc.ro>
Message-ID: <20020323214535.Y212-100000@phoenix.vh.laserfence.net>

The mode 1777 turns on the sticky bit, hence, any write to /tmp is
created as the owner of /tmp.

On Sat, 23 Mar 2002, Alex Popa wrote:

> I have /tmp mode 1777, and mounted like this in fstab:
> "/dev/something tmp ufs rw,nosuid,nodev 2 2"
>
> The thing I am noticing is that all files created under /tmp get
> to be created as group wheel, no matter the permissions of the
> directory they are created in, or the user that creates them.
>
> Is this expected behaviour?
>
> I am running -STABLE, FreeBSD 4.5-STABLE #0: Thu Mar 7 22:11:39 EET 2002
> Cvsup was done two hours before the compilation time.
>
> Any ideas?
>
> ------------+------------------------------------------
> Alex Popa,  | "Artificial Intelligence is
> razor@ldc.ro| no match for Natural Stupidity"
> ------------+------------------------------------------
> "It took the computing power of three C-64s to fly to the Moon.
> It takes a 486 to run Windows 95. Something is wrong here."

-- 
Willie Viljoen
Private IT Consultant
214 Paul Kruger Avenue
Universitas
Bloemfontein
9321
South Africa
+27 51 522 15 60, a/h +27 51 522 44 36
+27 82 404 03 27
will@laserfence.net

From owner-freebsd-security Sat Mar 23 14: 6:24 2002
Date: Sat, 23 Mar 2002 19:06:06 -0300
From: Fernan Aguero
To: FreeBSD Security
Subject: Re: su -c user command not working
Message-ID: <20020323190605.B442@iib.unsam.edu.ar>
References: <20020322165816.A561@iib.unsam.edu.ar> <0GTE005BP5MQBK@local.athabascau.ca> <20020322180540.C561@iib.unsam.edu.ar> <0GTE00CJ09PDMH@local.athabascau.ca>
In-Reply-To: <0GTE00CJ09PDMH@local.athabascau.ca>; from dmitry@athabascau.ca on Fri, Mar 22, 2002 at 02:46:03PM -0700
+----[ Dmitry S. Makovey (dmitry@athabascau.ca) said about "Re: su -c user command not working":
|
| On Friday 22 March 2002 14:05, you wrote:
| > OK, OK, so now it's clear. But apparently su -m does not work either.
| > It still intrigues me why the examples in the su(1) manpages
| > explicitly mention cases where no shell is available and therefore,
| > the example will not work!
|
| ~ # su -m www
| ~ > whoami
| www
| ~ > grep www /etc/passwd
| www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
| ~ >
|
| maybe you are doing something else? :)
| Good luck
|
+----]

Yeah, maybe I was typing something wrong.

    su amanda -c "amcheck normal"

didn't work, but

    su -m amanda -c "amcheck normal"

did it. I was just putting things in the wrong order, like:
su amanda -m ... or su -c amanda ...

Now it's OK. Thanks to all who replied.
Fernan

From owner-freebsd-security Sat Mar 23 14:10:58 2002
Date: Sat, 23 Mar 2002 23:10:49 +0100
From: Bjoern Engels
To: security@freebsd.org
Subject: Re: strange behaviour on /tmp
References: <20020323214535.Y212-100000@phoenix.vh.laserfence.net>
In-Reply-To: <20020323214535.Y212-100000@phoenix.vh.laserfence.net>

On Saturday, 23. March 2002 20:46, Willie Viljoen wrote:
>> I have /tmp mode 1777, and mounted like this in fstab:
>> "/dev/something tmp ufs rw,nosuid,nodev
>> 2 2"
>>
>> The thing I am noticing is that all files created under /tmp get
>> to be created as group wheel, no matter the permissions of the
>> directory they are created in, or the user that creates them.
>
> The mode 1777 turns on the sticky bit, hence, any write to /tmp is
> created as the owner of /tmp.

1777 means only the owner of a file can delete it. I bet /tmp
has been set up 2777 or 3777 so all new files are being associated
with the group /tmp belongs to (wheel).
Cheers
Bjoern

From owner-freebsd-security Sat Mar 23 14:38:44 2002
Date: Sat, 23 Mar 2002 17:33:31 -0500
From: Steve Shorter
To: Bjoern Engels
Cc: security@freebsd.org
Subject: Re: strange behaviour on /tmp
Message-ID: <20020323173331.A76680@nomad.lets.net>
References: <20020323214535.Y212-100000@phoenix.vh.laserfence.net>
In-Reply-To: ; from bjoern.engels@mail.isis.de on Sat, Mar 23, 2002 at 11:10:49PM +0100

On Sat, Mar 23, 2002 at 11:10:49PM +0100, Bjoern Engels wrote:
> > The mode 1777 turns on the sticky bit, hence, any write to /tmp is
> > created as the owner of /tmp.
>
> 1777 means only the owner of a file can delete it. I bet /tmp
> has been set up 2777 or 3777 so all new files are being associated
> with the group /tmp belongs to (wheel).

        My experience with FreeBSD is that the "default" behavior
of directories is for files to have group ownership the same as
the directory they are created in. For example here is a brief
example

bash-2.05# mkdir testdir
bash-2.05# chown root:steve testdir
bash-2.05# >testdir/testfile
bash-2.05# ls -al
total 10
drwxr-xr-x   5 root  wheel   512 Mar 23 17:28 .
drwxr-xr-x  19 root  wheel   512 Jan 19 17:18 ..
drwxr-xr-x   2 root  steve   512 Mar 23 17:28 testdir
bash-2.05# ls -al testdir/
total 2
drwxr-xr-x   2 root  steve   512 Mar 23 17:28 .
drwxr-xr-x   5 root  wheel   512 Mar 23 17:28 ..
-rw-r--r--   1 root  steve     0 Mar 23 17:28 testfile

        Or what am I missing?

        -steve

From owner-freebsd-security Sat Mar 23 14:50:14 2002
Date: Sat, 23 Mar 2002 17:50:02 -0500 (EST)
From: Garrett Wollman
Message-Id: <200203232250.g2NMo2G18635@khavrinen.lcs.mit.edu>
To: Steve Shorter
Cc: security@FreeBSD.ORG
Subject: Re: strange behaviour on /tmp
In-Reply-To: <20020323173331.A76680@nomad.lets.net>
References: <20020323214535.Y212-100000@phoenix.vh.laserfence.net> <20020323173331.A76680@nomad.lets.net>

< said:

> My experience with FreeBSD is that the "default" behavior
> of directories is for files to have group ownership the same as
> the directory they are created in.

> Or what am I missing?

That's not just the default behavior -- it's the only behavior.
-GAWollman

From owner-freebsd-security Sat Mar 23 15:14: 3 2002
Date: Sun, 24 Mar 2002 00:13:53 +0100
From: Bjoern Engels
To: Steve Shorter
Cc: security@freebsd.org
Subject: Re: strange behaviour on /tmp
References: <20020323214535.Y212-100000@phoenix.vh.laserfence.net> <20020323173331.A76680@nomad.lets.net>
In-Reply-To: <20020323173331.A76680@nomad.lets.net>

On Saturday, 23. March 2002 23:33, Steve Shorter wrote:
> > 1777 means only the owner of a file can delete it. I bet /tmp
> > has been set up 2777 or 3777 so all new files are being associated
> > with the group /tmp belongs to (wheel).
>
>         My experience with FreeBSD is that the "default" behavior
> of directories is for files to have group ownership the same as
> the directory they are created in. For example here is a brief
> example
>
>
> bash-2.05# mkdir testdir
> bash-2.05# chown root:steve testdir
> bash-2.05# >testdir/testfile
> bash-2.05# ls -al
> total 10
> drwxr-xr-x   5 root  wheel   512 Mar 23 17:28 .
> drwxr-xr-x  19 root  wheel   512 Jan 19 17:18 ..
> drwxr-xr-x   2 root  steve   512 Mar 23 17:28 testdir
> bash-2.05# ls -al testdir/
> total 2
> drwxr-xr-x   2 root  steve   512 Mar 23 17:28 .
> drwxr-xr-x   5 root  wheel   512 Mar 23 17:28 ..
> -rw-r--r--   1 root  steve     0 Mar 23 17:28 testfile

Wow. I am pretty perplexed now, I didn't know that. I thought
FreeBSD permissions / ownership would behave like those in Linux.
Now I took a look at chmod's manpage and I saw that there's at
least one more difference: SUID directories in Linux don't do
anything special, FreeBSD's do.

>         Or what am I missing?

Nothing, I was. Thanks for the update ;)

>         -steve

Bjoern

From owner-freebsd-security Sat Mar 23 15:27:28 2002
Date: Sun, 24 Mar 2002 00:27:43 +0100
From: "Karsten W. Rohrbach"
To: Bigby Findrake
Cc: security@FreeBSD.ORG
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Message-ID: <20020324002743.I63272@mail.webmonster.de>
Mail-Followup-To: "Karsten W.
    Rohrbach", Bigby Findrake, security@FreeBSD.ORG
References: <20020319175854.N14039-100000@cithaeron.argolis.org>
In-Reply-To: ; from bigby@ephemeron.org on Thu, Mar 21, 2002 at 03:57:17PM -0800

Bigby Findrake(bigby@ephemeron.org)@2002.03.21 15:57:17 +0000:
> While not novel, I think it's a wonderful idea, a new twist on biometrics.
> I'm just not sure how valuable it would be in an untrusted environment.

there is software available on BeOS that does exactly this. i used it,
it appears to be based on a neural network implementation, and it worked
(after one sentence typed it locked the screen in front of my colleagues
who thought the workstation was unsecured ;-)

lemme check... bebits link: http://www.bebits.com/app/241
the beos version appears to be not supported anymore.

http://www.10191.com/inferno/BHand/ is a somewhat newer link, containing
the author's email address: kubernan@10191.com

this is an implementation for macosx, but the distribution is binary-only.
the impression that i get is that it is still based on braininabox (the
author's NN engine)

this info is for someone who might give it a spin, i don't have a macosx
box here.
from the architecture it might be possible to implement it for securing
console access on xfree86 via xinput.

regards,
/k

-- 
> An open mind, like an open mouth, does have a purpose: and that is, to
> close it upon something solid. Otherwise, it could end up like a city
> sewer, rejecting nothing. --G. K. Chesterton
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Sat Mar 23 16:26:28 2002
Message-Id: <200203221533.g2MFXiD64703@jhs.muc.de>
To: freebsd-security@freebsd.org
Subject: Re: ports 1021 1022 1023 & 587 ?
In-Reply-To: Message from Christopher Schulte of "Tue, 19 Mar 2002 16:16:04 +0100."
    <5.1.0.14.0.20020319091502.01b33c50@pop3s.schulte.org>
Date: Fri, 22 Mar 2002 16:33:44 +0100
From: Julian Stacey

Thanks to all for useful answers, inc. Dave Raven & Christopher Schulte
Re. sockstat /usr/ports/sysutils/lsof

Andrew McNaughton:
Sorry, my last mail was misleading through omission; what I didn't say:
I'd run portscanner from an internal host or localhost (can't remember
which), but not an external host (yet): so although I could see those
ports & wanted to know what they were, they are blocked from external
access by my last deny rule. (So I'm not offering unknown ports to the
world, but thanks.)

Dag-Erling Smorgrav:
> The portmapper allocates ...
Thanks, that's worth documenting in src/etc/services.

> Why on earth are you running nfs, amd and lpd on a firewall?
[Blush] Temporary arrangement: Only to other equal status alternate
hardware fallback firewalls, not to internal hosts, & blocked by ipfw
from outside, but yes, know what you mean, that will cease as I
transition from mainly off line firewall to permanently connected
firewall. lpd has an even less convincing excuse.

Gregory Neil Shapiro
> FEATURE(`no_default_msa')dnl
Thanks, I'll look at that.

Diff to 4.5 etc/services if someone wants to commit to help others avoid
repeating my question, or would anyone second a submit via send-pr ?
------------
24a25,26
>
> # To find which processes have got ports open: sockstat & ports/sysutils/lsof.
1060c1062
< submission 587/udp
---
> submission 587/udp # initial sendmail, unless FEATURE(`no_default_msa')
1233a1236,1240
>
> # The portmapper allocates ports for NFS and other RPC services starting
> # at 1023 and counting downwards. Use 'rpcinfo -p' to get a list of
> # active RPC services and their port allocations.
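Review bot: in the 1060c1062 hunk the sendmail comment is attached to the `submission 587/udp` entry, but the MSA that `FEATURE(`no_default_msa')` turns off listens on TCP, so the annotation belongs on the `submission 587/tcp` entry and the udp line should be left unchanged. The 1233a1236,1240 hunk header announces five added lines while only four are shown, so the diff as posted will not apply cleanly; regenerate it (ideally with `diff -u`) against an unmodified 4.5 etc/services before submitting it via send-pr.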
> ------------

(PS I'm re-subscribing security@freebsd.org, I just realised I was off).

Julian Stacey  Munich Unix (FreeBSD, Linux etc) Independent Consultant  jhs@bim.bsn.com
Free software: http://bim.bsn.com/~jhs/free/
Your smoking = my allergic headache! Try snuff!

From owner-freebsd-security Sat Mar 23 18: 5:12 2002
Date: Sat, 23 Mar 2002 18:05:07 -0800
From: "Crist J. Clark"
To: Bjoern Engels
Cc: Steve Shorter, security@FreeBSD.ORG
Subject: Re: strange behaviour on /tmp
Message-ID: <20020323180507.D48968@blossom.cjclark.org>
References: <20020323214535.Y212-100000@phoenix.vh.laserfence.net> <20020323173331.A76680@nomad.lets.net>
In-Reply-To: ; from bjoern.engels@mail.isis.de on Sun, Mar 24, 2002 at 12:13:53AM +0100

On Sun, Mar 24, 2002 at 12:13:53AM +0100, Bjoern Engels wrote:

[snip]

> Wow. I am pretty perplexed now, I didn't know that.
> I thought FreeBSD permissions / ownership would behave like those in Linux.

Nope. FreeBSD, not too surprisingly, assigns the group ownership
according to the old BSD model. Linux has a SysV-ish behavior. Note
SysVs have newgrp(1) and some other commands related to this behavior
and BSDs do not.

This thread comes up every few weeks or months on -questions,
-security, or when someone files a PR mistakenly believing it is a bug.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Sat Mar 23 22: 5:37 2002
Date: 24 Mar 2002 07:05:30 +0100
From: Dag-Erling Smorgrav
To: Bjoern Engels
Cc: security@freebsd.org
Subject: Re: strange behaviour on /tmp
References: <20020323214535.Y212-100000@phoenix.vh.laserfence.net>

Bjoern Engels writes:
> 1777 means only the owner of a file can delete it. I bet /tmp
> has been set up 2777 or 3777 so all new files are being associated
> with the group /tmp belongs to (wheel).

This is BSD, not SysV.
Files get their directory's group by default.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sat Mar 23 23:26:40 2002
Date: Sun, 24 Mar 2002 16:26:25 +0900
From: Makoto Matsushita
To: jhs@jhs.muc.de
Cc: security@FreeBSD.org
Subject: Re: ports 1021 1022 1023 & 587 ?
Message-Id: <20020324162625P.matusita@jp.FreeBSD.org>
In-Reply-To: <200203221533.g2MFXiD64703@jhs.muc.de>
References: <5.1.0.14.0.20020319091502.01b33c50@pop3s.schulte.org> <200203221533.g2MFXiD64703@jhs.muc.de>

jhs> Diff to 4.5 etc/services if someone wants to commit to help others avoid
jhs> repeating my question, or would anyone second a submit via send-pr ?

It may help *you*, but doesn't help other people who believe that good
documentation is in the handbooks, manual pages, FAQs, etc.
-- 
- Makoto `MAR' Matsushita

From owner-freebsd-security Sat Mar 23 23:54:30 2002
Reply-To: Cy Schubert - CITS Open Systems Group
From: Cy Schubert - CITS Open Systems Group
To: Alex Popa
Cc: security@FreeBSD.ORG
Subject: Re: strange behaviour on /tmp
Message-Id: <200203240753.g2O7rJL28515@cwsys.cwsent.com>
In-Reply-To: Message from Alex Popa of "Sat, 23 Mar 2002 21:42:27 +0200."
    <20020323214227.A37349@ldc.ro>
Date: Sat, 23 Mar 2002 23:52:28 -0800

In message <20020323214227.A37349@ldc.ro>, Alex Popa writes:
> I have /tmp mode 1777, and mounted like this in fstab:
> "/dev/something tmp ufs rw,nosuid,nodev 2 2"
>
> The thing I am noticing is that all files created under /tmp get
> to be created as group wheel, no matter the permissions of the
> directory they are created in, or the user that creates them.
>
> Is this expected behaviour?

Yes. It is BSD behavior to have files created within a directory to
have the same GID as the directory. SYSV uses the EGID of the process.
A US Gov't FIPS standard stated at one time that the BSD standard was to
be implemented, which is why SYSV invented the setgid bit for
directories (at the time, conforming to the FIPS standards = sales to
the US Federal Gov't). The FIPS standard I speak of has been revoked.

Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team      Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, CITS
Ministry of Management Services
Province of BC
            FreeBSD UNIX:  cy@FreeBSD.org
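As an added example for the /tmp thread above (mine, not code from any of the posters), the following Python encodes the two rules the replies describe, the BSD rule and the SysV/Linux rule with its setgid-directory exception, and then repeats Steve Shorter's "chown root:steve testdir" experiment on the running system to see which rule the kernel actually applies. It goes a little beyond the thread by also being runnable on Linux, where it reports "sysv" for the same sticky, root-owned /tmp that Alex describes; the function names and the use of a scratch directory are my assumptions.

```python
"""Which group does a new file get: the directory's (BSD) or the
creating process's effective gid (SysV/Linux, unless the directory is
setgid)?  Added example for the freebsd-security /tmp thread; the names
below are this example's own, not anything from the thread."""
import os
import stat
import tempfile


def expected_gid_bsd(dir_gid, dir_mode, egid):
    """BSD rule (FreeBSD): a new file always takes its directory's group.
    The directory's setgid bit plays no part in this decision."""
    return dir_gid


def expected_gid_sysv(dir_gid, dir_mode, egid):
    """SysV/Linux rule: the file takes the process's effective gid, unless
    the directory carries the setgid bit (mode 2xxx), which switches that
    directory to BSD-style inheritance."""
    return dir_gid if dir_mode & stat.S_ISGID else egid


def probe(directory):
    """Create and remove a scratch file in `directory`, record the group it
    actually received and say which rule explains the observation."""
    st = os.stat(directory)
    dir_gid, dir_mode = st.st_gid, stat.S_IMODE(st.st_mode)
    egid = os.getegid()
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        file_gid = os.fstat(fd).st_gid
    finally:
        os.close(fd)
        os.unlink(path)
    bsd = expected_gid_bsd(dir_gid, dir_mode, egid)
    sysv = expected_gid_sysv(dir_gid, dir_mode, egid)
    if bsd == sysv:
        # Directory group equals our egid (or the directory is setgid):
        # both models predict the same group, so nothing can be learned.
        rule = "indistinguishable"
    elif file_gid == bsd:
        rule = "bsd"
    elif file_gid == sysv:
        rule = "sysv"
    else:
        rule = "unexpected"
    return {"dir_gid": dir_gid, "dir_mode": dir_mode, "egid": egid,
            "file_gid": file_gid, "rule": rule}


def probe_tmp():
    """Alex Popa's case: a sticky, root-owned /tmp.  On FreeBSD the file
    comes out group wheel ('bsd'); on Linux it gets our egid ('sysv')."""
    return probe(tempfile.gettempdir())


def probe_with_other_group():
    """Steve Shorter's experiment: a directory whose group differs from
    our egid (his 'chown root:steve testdir'), then create a file in it.
    Needs a supplementary group other than the egid; returns None when
    the caller has none or is not allowed to chgrp the scratch dir."""
    others = [g for g in os.getgroups() if g != os.getegid()]
    if not others:
        return None
    directory = tempfile.mkdtemp()
    try:
        try:
            os.chown(directory, -1, others[0])  # -1: leave the owner alone
        except PermissionError:
            return None
        return probe(directory)
    finally:
        os.rmdir(directory)


if __name__ == "__main__":
    print("/tmp            :", probe_tmp())
    print("chgrp'd scratch :", probe_with_other_group())
```

Run it as an unprivileged user on both systems to see the thread's disagreement reproduced: the directory-group experiment is the only one that separates the two rules, which is why a directory owned by the user's own group (Bjoern's mental model) tells you nothing.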