From owner-freebsd-security Sun Aug 11 1:39:27 2002
From: "Winston Smith"
To: freebsd-security@freebsd.org
Subject: OpenSSl make is still crashing
Date: Sun, 11 Aug 2002 09:45:39 +0100
Message-ID: <000b01c24113$78d60070$0cc8a8c0@masonr>

I'm still trying unsuccessfully to upgrade OpenSSL.  Here's the error when I
do a make install:-

------------------------------------------------------------
Can't locate Pod/Man.pm in @INC (@INC contains:
/usr/local/lib/perl5/site_perl/5.005/i386-freebsd
/usr/local/lib/perl5/site_perl/5.005 . /usr/libdata/perl/5.00503/mach
/usr/libdata/perl/5.00503) at /usr/bin/pod2man line 16.
BEGIN failed--compilation aborted at /usr/bin/pod2man line 16.
*** Error code 2

Stop in /usr/ports/security/openssl/work/openssl-0.9.6e.
*** Error code 1

Stop in /usr/ports/security/openssl.
------------------------------------------------------------

I'm running a fairly standard 4.6 (upgraded from 4.5) install.  I've double
checked the install of the perl modules that the error message quotes and
can't see anything wrong.  Any help would be greatly appreciated.

Regards,

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Aug 11 1:59:44 2002
From: Alexandr Kovalenko
To: Aleksandr Kuzminsky
Cc: -=r4hm4n=-, freebsd-security@FreeBSD.ORG
Subject: Re: mail anti virus
Date: Sun, 11 Aug 2002 11:59:24 +0300
Message-ID: <20020811085924.GA21329@nevermind.kiev.ua>
In-Reply-To: <20020810143115.D51600-100000@diablo.nbi.com.ua>

Hello, Aleksandr Kuzminsky!
On Sat, Aug 10, 2002 at 02:39:00PM +0300, you wrote:
> > anybody can tell me what is the best mail antivirus for freebsd?
> As for me, DrWEB (http://www.sald.com/) is the best one.
> It works with Sendmail, Exim, QMail, Postfix, Communigate Pro, Samba and
> ZMailer.
> Under free licence it just checks mail for viruses and quarantines
> infected. Full-licensed version can cure mail. It supports customised

It cannot _cure mail_ even under full license.  This feature is in
development.

> reports. Good update-script is included in distribution.

And yes, my choice is DrWeb for now.

--
NEVE-RIPE
Ukrainian FreeBSD User Group
http://uafug.org.ua/

From owner-freebsd-security Sun Aug 11 5:24:38 2002
From: mbm@colondot.net (Matthew Byng-Maddick)
To: freebsd-security@freebsd.org
Subject: Re: OpenSSl make is still crashing
Date: Sun, 11 Aug 2002 13:24:30 +0100
In-Reply-To: <000b01c24113$78d60070$0cc8a8c0@masonr>

In article <000b01c24113$78d60070$0cc8a8c0@masonr> you write:
>I'm still trying unsuccessfully to upgrade OpenSSL.
>Here's the error when I
>do a make install:-
>
>------------------------------------------------------------
>Can't locate Pod/Man.pm in @INC (@INC contains:
>/usr/local/lib/perl5/site_perl/5.005/i386-freebsd
>/usr/local/lib/perl5/site_perl/5.005 . /usr/libdata/perl/5.00503/mach
>/usr/libdata/perl/5.00503) at /usr/bin/pod2man line 16.
>BEGIN failed--compilation aborted at /usr/bin/pod2man line 16.
>*** Error code 2
>
>Stop in /usr/ports/security/openssl/work/openssl-0.9.6e.
>*** Error code 1
>
>Stop in /usr/ports/security/openssl.
>------------------------------------------------------------
>
>I'm running a fairly standard 4.6 (upgraded from 4.5) install.  I've double
>checked the install of the perl modules that the error message quotes and
>can't see anything wrong.  Any help would be greatly appreciated.

Are you running with perl-5.6.1 and the modules installed there?  What is
the output of

  $ perl5 -MPod::Man -e 1

If nothing, then you're fine; if not, that's why you're breaking.  Also try:

  $ perl5 -e 'print join"\n",@INC,""'

and

  $ perl -e 'print join"\n",@INC,""'

And:

  $ perl5 -v

and

  $ perl -v

OpenSSL's build process is a fairly ugly set of hacks, but tries to use
perl5 in preference to perl (searching through the path).  This is
somewhere down the bottom of the openssl-/Configure file.

Given when you're posting this, I wouldn't touch e if you can actually move
to 0.9.6g (yup, there were two releases within 14h of each other).

Also, having just really suffered when trying to remove the OpenSSL port,
I'd suggest that you use the base system wherever possible.  Then you're
pretty much guaranteed that it will work.  (This was due to the random
library version bump, and trying to be clever by compiling everything in a
pure-ish chroot.)

Let's now hope they start fixing some of the unchecked malloc()s, unchecked
fdopen()s, unchecked realloc()s etc.
Yuck

MBM

--
Matthew Byng-Maddick
http://colondot.net/

From owner-freebsd-security Sun Aug 11 5:54:03 2002
From: ak@gc.ru
To: freebsd-security@freebsd.org
Subject: RE: OpenSSl make is still crashing
Date: Sun, 11 Aug 2002 16:53:12 +0400
resolved by Stas Kuchiev for perl 5.005:

$ perl -MCPAN -e shell
> install File::Spec
> install Pod::Parser
> install Term::ANSIColor
> install Pod::Man
> exit
$ cd /usr/ports/security/openssl
$ make install

Anatoly Korobkin
CIO
Gamma Group
ak@gc.ru
+7 (812) 118 3445

> -----Original Message-----
> From: Winston Smith [SMTP:winstonsmith@bsdbox.homeunix.com]
> Sent: Sunday, August 11, 2002 12:46 PM
> To: freebsd-security@freebsd.org
> Subject: OpenSSl make is still crashing
>
> I'm still trying unsuccessfully to upgrade OpenSSL.  Here's the error when
> I do a make install:-
>
> ------------------------------------------------------------
> Can't locate Pod/Man.pm in @INC (@INC contains:
> /usr/local/lib/perl5/site_perl/5.005/i386-freebsd
> /usr/local/lib/perl5/site_perl/5.005 . /usr/libdata/perl/5.00503/mach
> /usr/libdata/perl/5.00503) at /usr/bin/pod2man line 16.
> BEGIN failed--compilation aborted at /usr/bin/pod2man line 16.
> *** Error code 2
>
> Stop in /usr/ports/security/openssl/work/openssl-0.9.6e.
> *** Error code 1
>
> Stop in /usr/ports/security/openssl.
> ------------------------------------------------------------
>
> I'm running a fairly standard 4.6 (upgraded from 4.5) install.  I've
> double checked the install of the perl modules that the error message
> quotes and can't see anything wrong.  Any help would be greatly
> appreciated.
>
> Regards,
From owner-freebsd-security Sun Aug 11 10:42:56 2002
From: "Winston Smith"
To: freebsd-security@FreeBSD.ORG
Subject: Re: OpenSSl make is still crashing
Date: Sun, 11 Aug 2002 18:49:05 +0100
Message-ID: <004d01c2415f$6382f2e0$0cc8a8c0@masonr>

Thanks to all - OpenSSL is now upgraded.

Had to do 'force install Pod::Parser' - it also complained about pod2man!!!
----- Original Message -----
From: ak@gc.ru
To: freebsd-security@FreeBSD.ORG
Sent: Sunday, August 11, 2002 1:53 PM
Subject: RE: OpenSSl make is still crashing

  resolved by Stas Kuchiev for perl 5.005:

  $ perl -MCPAN -e shell
  > install File::Spec
  > install Pod::Parser
  > install Term::ANSIColor
  > install Pod::Man
  > exit
  $ cd /usr/ports/security/openssl
  $ make install

  Anatoly Korobkin
  CIO
  Gamma Group
  ak@gc.ru
  +7 (812) 118 3445

    -----Original Message-----
    From: Winston Smith [SMTP:winstonsmith@bsdbox.homeunix.com]
    Sent: Sunday, August 11, 2002 12:46 PM
    To: freebsd-security@freebsd.org
    Subject: OpenSSl make is still crashing

    I'm still trying unsuccessfully to upgrade OpenSSL.  Here's the error when I
    do a make install:-

    ------------------------------------------------------------
    Can't locate Pod/Man.pm in @INC (@INC contains:
    /usr/local/lib/perl5/site_perl/5.005/i386-freebsd
    /usr/local/lib/perl5/site_perl/5.005 . /usr/libdata/perl/5.00503/mach
    /usr/libdata/perl/5.00503) at /usr/bin/pod2man line 16.
    BEGIN failed--compilation aborted at /usr/bin/pod2man line 16.
    *** Error code 2

    Stop in /usr/ports/security/openssl/work/openssl-0.9.6e.
    *** Error code 1

    Stop in /usr/ports/security/openssl.
    ------------------------------------------------------------

    I'm running a fairly standard 4.6 (upgraded from 4.5) install.  I've double
    checked the install of the perl modules that the error message quotes and
    can't see anything wrong.  Any help would be greatly appreciated.

    Regards,
From owner-freebsd-security Sun Aug 11 14:47:29 2002
Date: Sun, 11 Aug 2002 14:47:23 -0700
From: Kris Kennaway
To: security@freebsd.org
Subject: [provos@citi.umich.edu: OpenBSD Security Advisory: Select Boundary Condition]
Message-ID: <20020811214723.GA76470@xor.obsecurity.org>

In case anyone is wondering, it looks like FreeBSD fixed this security
hole 6 years ago, in the following commit:

---
Revision 1.19 / (download) - annotate - [select for diffs], Tue Aug 20 07:17:48 1996 UTC (5 years, 11 months ago) by smpatel
Branch: MAIN
Changes since 1.18: +43 -15 lines
Diff to previous 1.18 (colored)

Remove the kernel FD_SETSIZE limit for select().
Make select()'s first argument 'int' not 'u_int'.

Reviewed by: bde
---

Kris

----- Forwarded message from Niels Provos -----

OpenBSD Security Advisory (adv.select)
Original Release Date: 2002-08-11

1. Systems affected:

   All versions of OpenBSD.

2. Overview:

   Insufficient boundary checks in the select call allow an attacker to
   overwrite kernel memory and execute arbitrary code in kernel context.

   Traditionally, the size parameter for the select system call is a
   signed integer.  As a result, the kernel evaluates the upper boundary
   checks in a signed context, so that an attacker can circumvent when
   using certain negative values.  When the kernel copies the data for the
   select system call from userland the size is used as an unsigned
   integer which causes kernel memory to be overwritten with arbitrary
   data.

2. Impact:

   Local users can obtain complete system privileges and circumvent the
   extra security measures provided by the securelevel system.

3. Solution:

   Apply one of the supplied kernel patches or update to 3.0-stable or
   3.1-stable from 2002-08-11 17:00 EDT or later.

4.
   Patch:
   ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/014_scarg.patch

----- End forwarded message -----

From owner-freebsd-security Sun Aug 11 21:54:04 2002
Date: Sun, 11 Aug 2002 18:31:45 -0400
From: Niels Provos
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: [provos@citi.umich.edu: OpenBSD Security Advisory: Select Boundary Condition]
Message-ID: <20020811223145.GQ22399@citi.citi.umich.edu>
In-Reply-To: <20020811214723.GA76470@xor.obsecurity.org>

On Sun, Aug 11, 2002 at 02:47:23PM -0700, Kris Kennaway wrote:
> In case anyone is wondering, it looks like FreeBSD fixed this security
> hole 6 years ago, in the following commit:
>
> ---
> Revision 1.19 / (download) - annotate - [select for diffs], Tue Aug 20 07:17:48 1996 UTC (5 years, 11 months ago) by smpatel
> Branch: MAIN
> Changes since 1.18: +43 -15 lines
> Diff to previous 1.18 (colored)
>
> Remove the kernel FD_SETSIZE limit for select().
> Make select()'s first argument 'int' not 'u_int'.
>
> Reviewed by: bde
> ---

Read that commit message carefully.  That problem was introduced into
FreeBSD six years ago.  It was fixed last year.

revision 1.74
date: 2001/02/27 00:50:20;  author: jlemon;  state: Exp;  lines: +3 -2
Cast nfds to u_int before range checking it in order to catch negative
values.

PR: 25393

NetBSD fixed it somewhat later.

I did not contact anyone at FreeBSD or NetBSD because it was not a
problem there in case you were wondering.

Niels.
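The boundary condition the forwarded advisory describes, and the two fixes the commit messages above name (an explicit lower-bound check, and casting nfds to u_int before range checking), as an added user-space model; this is not code from any of the kernels discussed. MODEL_FD_SETSIZE and the byte-length arithmetic are simplified stand-ins for the real bound and the real copyin() length computation.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's upper bound on nfds (the real
 * code compares against FD_SETSIZE or fd_nfiles). */
#define MODEL_FD_SETSIZE 1024

/* The check the advisory describes: nfds is a signed int and only the
 * upper bound is tested, so the comparison happens in signed context and
 * every negative value passes. */
static int check_nfds_signed_only(int nfds)
{
    if (nfds > MODEL_FD_SETSIZE)
        return EINVAL;
    return 0;
}

/* Fix in the style of FreeBSD rev.1.19 (explicit lower bound): reject
 * negatives before the count is ever treated as unsigned. */
static int check_nfds_explicit(int nfds)
{
    if (nfds < 0 || nfds > MODEL_FD_SETSIZE)
        return EINVAL;
    return 0;
}

/* Fix in the style of FreeBSD rev.1.74 ("cast nfds to u_int before range
 * checking it"): on a two's complement machine every negative int maps to
 * a value above INT_MAX, so one unsigned comparison rejects both negative
 * and oversized counts.  Same effect as the explicit form, harder to read. */
static int check_nfds_cast(int nfds)
{
    if ((unsigned int)nfds > (unsigned int)MODEL_FD_SETSIZE)
        return EINVAL;
    return 0;
}

/* Simplified model of the length the kernel then hands to copyin(): the
 * descriptor count is rounded up to whole bytes of bitmap as an unsigned
 * quantity.  Done in unsigned long long so the wraparound of a negative
 * nfds is visible on any host. */
static long long copyin_length(int nfds)
{
    unsigned long long n = (unsigned int)nfds;   /* -1 becomes 4294967295 */
    return (long long)((n + 7) / 8);
}

/* Model of the syscall entry: run the chosen check, then compute the copy
 * length exactly as the kernel would once the check has passed.  Returns
 * -1 when the argument was rejected, otherwise the number of bytes that
 * would be copied over a kernel bitmap of MODEL_FD_SETSIZE/8 bytes. */
static long long model_select(int nfds, int (*check)(int))
{
    if (check(nfds) != 0)
        return -1;
    return copyin_length(nfds);
}

/* True when a copy of len bytes would run past the kernel-side bitmap. */
static bool overruns_bitmap(long long len)
{
    return len > MODEL_FD_SETSIZE / 8;
}

int main(void)
{
    const int samples[] = { 0, 64, MODEL_FD_SETSIZE, MODEL_FD_SETSIZE + 1, -1, INT_MIN };
    int (*checks[])(int) = { check_nfds_signed_only, check_nfds_explicit, check_nfds_cast };
    const char *names[] = { "signed-only", "explicit", "cast-to-u_int" };

    for (size_t c = 0; c < 3; c++) {
        printf("%s:\n", names[c]);
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
            long long len = model_select(samples[i], checks[c]);
            const char *verdict = "ok";
            if (len < 0)
                verdict = "EINVAL";
            else if (overruns_bitmap(len))
                verdict = "OVERRUN";
            printf("  nfds=%-11d copy=%-10lld %s\n", samples[i], len, verdict);
        }
    }
    return 0;
}
```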
From owner-freebsd-security Sun Aug 11 22:15:57 2002
To: trish@egobsd.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: racoon and weirdness....
In-Reply-To: Your message of "Mon, 29 Jul 2002 10:46:30 -0400 (EDT)" <20020729103029.R484-100000@trish.dyn.magenet.com>
Message-Id: <20020812141538H.sakane@kame.net>
Date: Mon, 12 Aug 2002 14:15:38 +0900
From: Shoichi Sakane

> I'm working on setting up IPSEC tunnels between a
> KAME/racoon/FreeBSD-STABLE box and a Ravlin unit at a client's
>
> What is happening with the one tunnel is this:
>
> after a couple days, it times out, and neither side can reestablish
> traffic between, the log in /var/log/daemon for racoon tells me the tunnel
> *is* established, but I can't ping through it.  If I restart racoon, it all
> starts working fine again.

Could you see the difference in netstat while the problem happened?
Could you compare your *SAD* and the SPIs in the packets on the network?
There might be a mismatch of SAD on both sides.

> The second issue is a second machine, with a cut/pasted config into
> racoon.conf, with simply the endpoints changed, does not work at all.
>
> I can ping the external interface of the Ravlin, but it doesn't even
> *begin* phase 1.

Because your SPD entry is configured for only your public network.  When
the kernel sends a packet with the external address, the kernel decides
not to use IPsec.
> the gif interface is set up as such:
>
> BSD2 == my machine  BSD5 == Ravlin
>
> $IFCONFIG $GIF3 plumb
> $IFCONFIG $GIF3 mtu 1500
> $IFCONFIG $GIF3 inet $BSD2_IP $BSD5_IP netmask $NETMASK
> /usr/sbin/setkey -FP
> /usr/sbin/setkey -F
> /usr/sbin/setkey -c << EOF
> spdadd $BSD2_PUB_NET $BSD5_PUB_NET any -P out ipsec
>        esp/tunnel/${BSD2_PUB_IP}-${BSD5_PUB_IP}/require;
> spdadd $BSD5_PUB_NET $BSD2_PUB_NET any -P in ipsec
>        esp/tunnel/${BSD5_PUB_IP}-${BSD2_PUB_IP}/require;
> EOF

From owner-freebsd-security Mon Aug 12 2:34:08 2002
Date: Mon, 12 Aug 2002 19:38:51 +1000 (EST)
From: Bruce Evans
To: Niels Provos
Cc: Kris Kennaway
Subject: Re: [provos@citi.umich.edu: OpenBSD Security Advisory: Select Boundary Condition]
In-Reply-To: <20020811223145.GQ22399@citi.citi.umich.edu>
Message-ID: <20020812183610.I23649-100000@gamplex.bde.org>

On Sun, 11 Aug 2002, Niels Provos wrote:

> On Sun, Aug 11, 2002 at 02:47:23PM -0700, Kris Kennaway wrote:
> > In case anyone is wondering, it looks like FreeBSD fixed this security
> > hole 6 years ago, in the following commit:
> >
> > ---
> > Revision 1.19 / (download) - annotate - [select for diffs], Tue Aug 20 07:17:48 1996 UTC (5 years, 11 months ago) by smpatel
> > Branch: MAIN
> > Changes since 1.18: +43 -15 lines
> > Diff to previous 1.18 (colored)
> >
> > Remove the kernel FD_SETSIZE limit for select().
> > Make select()'s first argument 'int' not 'u_int'.
> >
> > Reviewed by: bde
> > ---
> Read that commit message carefully.  That problem was introduced into
> FreeBSD six years ago.  It was fixed last year.
>
> revision 1.74
> date: 2001/02/27 00:50:20;  author: jlemon;  state: Exp;  lines: +3 -2
> Cast nfds to u_int before range checking it in order to catch negative
> values.
>
> PR: 25393
>
> NetBSD fixed it somewhat later.

It is necessary to read all of the patches and the original code carefully
to understand the history of this bug :-).  FreeBSD doesn't seem to have
ever had it for select(), but it had it for poll():

(1) There was no actual problem in rev.1.18, since uap->nd was (bogusly)
    u_int and is compared with FD_SETSIZE.  If userland passes a small
    negative value, then it gets converted to a large unsigned one via a
    type pun.  The type pun even works the same as a cast would since all
    supported machines are 2's complement.
    E.g., -1 gets converted to UINT_MAX which is > FD_SETSIZE so select()
    fails.  The possible values for the bogus conversion of non-small
    negative values are also clear on all supported machines, since they
    all have 32-bit ints -- the values are (u_int)INT_MAX + 1 through
    UINT_MAX.  Anyway, the value of uap->nd is guaranteed to be between 0
    and FD_SETSIZE.

(2) Rev.1.19 did not introduce a problem.  The relevant part of it just
    removed the type puns by changing uap->nd to int and adding an
    explicit check that uap->nd >= 0.  This also improves the error
    handling -- we return EINVAL immediately if uap->nd < 0 instead of
    treating it as a too-large value and using the "forgiving; slightly
    wrong" code.  The hack of optimizing the check for negative values
    together with checking for small positive values by casting to u_int
    should not be used in code written in the last 15 years or so, since
    compilers have been doing it automatically if possible, and its
    correctness is time-consuming to check, especially if the types are
    typedefed types instead of just plain int/u_int.

(3) poll() was obtained from NetBSD in rev.1.29.  This version was correct
    since the corresponding variable uap->nfds actually has type u_int (at
    least in -current where it has type nfds_t = u_int) and it is compared
    early with p->p_fd->fd_nfiles.  Omitting the explicit comparison with
    0 is non-bogus here since u_ints are inherently nonnegative.  However,
    proving the correctness of the comparison of a u_int with the signed
    (int) p->p_fd->fd_nfiles involves the same considerations.

(4) poll() was broken in rev.1.71 by clobbering uap->nfds by converting it
    to a variable of the wrong type (int nfds) without checking that it
    fits first.

(5) poll() was "fixed" in rev.1.74 (20 days after it was broken) by
    casting nfds back to u_int.  The casts back and forth don't change the
    value on 2's complement machines but are obfuscations.
(6) I complained about the bogus types and casts in rev.1.74 and they were
    fixed a few hours later in rev.1.75.

> I did not contact anyone at FreeBSD or NetBSD because it was not a
> problem there in case you were wondering.

No problem.  014_scarg.patch seems to be correct and non-bogus except it
uses the cast-to-u_int hack for select().

Bruce

From owner-freebsd-security Mon Aug 12 11:02:29 2002
Date: Mon, 12 Aug 2002 11:02:19 -0700 (PDT)
Message-Id: <200208121802.g7CI2J07072704@freefall.freebsd.org>
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security Mon Aug 12 11:32:48 2002
Message-Id: <5.1.1.6.0.20020812142654.0525a938@marble.sentex.ca>
Date: Mon, 12 Aug 2002 14:35:44 -0400
To: ports@FreeBSD.org
From: Mike Tancsa
Subject: hylaxfax security issue (from the ports)
Cc: security@FreeBSD.org

Looks like the current version of HylaFax in the ports once again has security issues (remote and local).

From the web page http://www.hylafax.org/4.1.3.html

4.1.3 includes fixes for a remote format string vulnerability which could be abused in a denial of service attack. Also fixed is a buffer overflow condition when receiving fax image data which potentially could be exploited to execute arbitrary code as root. Also present in 4.1.3 are fixes for several other local remote format string vulnerabilities which, in some installations, could lead to elevated privileges by abuse. Everyone is advised to upgrade.

------------------------------

I am not a heavy user of HylaFax (only outbound), but removing the two patch files and making the following changes lets it build with the new source code. The md5 is also on the webpage.

% diff -u Makefile.old Makefile
--- Makefile.old	Mon Aug 12 14:25:33 2002
+++ Makefile	Mon Aug 12 14:25:47 2002
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	hylafax
-PORTVERSION=	4.1
+PORTVERSION=	4.1.3
 PORTREVISION=	1
 CATEGORIES=	comms
 MASTER_SITES=	ftp://ftp.hylafax.org/source/
% diff -u distinfo.old distinfo
--- distinfo.old	Mon Aug 12 14:26:37 2002
+++ distinfo	Mon Aug 12 14:27:25 2002
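Review bot: PORTREVISION should be reset in the same Makefile hunk that changes `-PORTVERSION=	4.1` to `+PORTVERSION=	4.1.3`; the hunk leaves `PORTREVISION=	1` as unchanged context, but that revision counter belonged to the 4.1 distfile, and the ports convention is to drop the line (or set it to 0) whenever PORTVERSION is bumped, otherwise the new package is named hylafax-4.1.3_1 for no reason. The removal of the two patch files described in the text is also not part of the diff, so the files/ directory change cannot be reviewed from what is posted; a complete diff of the port directory would let the committer verify which patches still apply to 4.1.3.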
@@ -1,4 +1,4 @@
-MD5 (hylafax/hylafax-4.1.3.tar.gz) = d8a60dcddb4bcfd67c494aee89d036e7
+MD5 (hylafax/hylafax-4.1.3.tar.gz) = b3e95810a7fc99685f92faa8ff59114e
 MD5 (hylafax/tiff-3.5-interfaces.patch) = c1d2847c9967a10961bb7fe123ecd8e6
 MD5 (hylafax/cvtDateTime.patch) = 57b2d1218e83504c85cf31c1e3746e4e
 MD5 (hylafax/rings-cid-passing.patch) = ade1d9adc9dd236e45176b7a0e3b5d78
%

        ---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Mon Aug 12 12:07:07 2002
Date: Tue, 13 Aug 2002 04:36:31 +0930
From: Greg Lewis
To: Mike Tancsa
Cc: ports@FreeBSD.ORG, security@FreeBSD.ORG, so@FreeBSD.ORG
Subject: Re: hylaxfax security issue (from the ports)
Message-ID: <20020813043631.A19449@misty.eyesbeyond.com>
References: <5.1.1.6.0.20020812142654.0525a938@marble.sentex.ca>
In-Reply-To: <5.1.1.6.0.20020812142654.0525a938@marble.sentex.ca>; from mike@sentex.net on Mon, Aug 12, 2002 at 02:35:44PM -0400

On Mon, Aug 12, 2002 at 02:35:44PM -0400, Mike Tancsa wrote:
>
> Looks like the current version of HylaFax in the ports once again has
> security issues (remote and local).
>
> From the web page http://www.hylafax.org/4.1.3.html
>
> 4.1.3 includes fixes for a remote format string vulnerability which could
> be abused in a denial of service attack. Also fixed is a buffer overflow
> condition when receiving fax image data which potentially could be
> exploited to execute arbitrary code as root. Also present in 4.1.3 are
> fixes for several other local remote format string vulnerabilities which,
> in some installations, could lead to elevated privileges by abuse. Everyone
> is advised to upgrade.
>
> ------------------------------
> I am not a heavy user of HylaFax (only outbound), but removing the two
> patch files and making the following changes lets it build with the new
> source code. The md5 is also on the webpage.

Ouch. Upgrade committed, security-officer may want to send out an advisory on this though. I only needed to modify one of the patch files to get things to build correctly. I also updated the package list to match the files 4.1.3 installs.

Thanks, Mike!
--
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org

From owner-freebsd-security Tue Aug 13 00:30:48 2002
Message-ID: <003f01c2429b$356daf20$9600a8c0@blraddrcom>
From: "Naga Suresh B"
Subject: Problem in port forwarding
Date: Tue, 13 Aug 2002 12:59:47 +0530

Hai,

I am having a Gateway configured with two network cards, one with external and another with internal ip. On this gateway I am having ipfw rules enabled. I am doing portforwarding for the following ports 5800 5500 5900 using natd. I redirected the ports; by using external ip from my internal network I am not able to access that application, but externally I am able to access that application by using external IP.

Please give me some solution for this problem. Please tell me whether I have to change anything on my firewall scripts.
Waiting for u r reply,

Suresh

From owner-freebsd-security Tue Aug 13 01:36:48 2002
Message-ID: <006d01c242a0$6a775040$9600a8c0@blraddrcom>
From: "Naga Suresh B"
To: "Peter Kadau"
References: <8163E6FE-AE90-11D6-B184-000393903B80@tuebingen.mpg.de>
Subject: Re: Problem in port forwarding
Date: Tue, 13 Aug 2002 13:36:30 +0530

Hai,

Thanks for u r info. This is the output of my ipfw list command. Plz check this and help me out in solving my problem.

00050 divert 8668 ip from any to any via rl1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to 64.4.12.0/22 via rl1
65000 allow ip from any to any
65100 allow tcp from any to any 5802 via rl1
65200 allow tcp from any to any 5502 via rl1
65300 allow tcp from any to any 5902 via rl1
65500 divert 8668 ip from any to any via rl1
65500 allow udp from any to any 33434-33523 out xmit rl1
65500 allow udp from any to any 33434-33523 via rl1
65535 deny ip from any to any

Regards,
B.Naga Suresh.

----- Original Message -----
From: "Peter Kadau"
To: "Naga Suresh B"
Sent: Tuesday, August 13, 2002 1:14 PM
Subject: Re: Problem in port forwarding

> Hi !
>
> Sorry for the private answer, but this question
> doesn't belong to that list AFAIK.
>
> > rules enabled. I am doing portforwarding for the following ports 5800
> > 5500
> > 5900 using natd I redirected the ports, by using external ip from my
> > internal network I am not able to access that application But
> > externally I
> > am able to access that application by using external IP.
>
> That's exactly as it should behave.
> Change your DNS, not your rules.
> Make your service from inside resolve to another IP than from outside.
> It works perfectly at our site.
> You will need an internal DNS though...
>
> HTH
> Peter

From owner-freebsd-security Tue Aug 13 05:04:37 2002
Message-Id: <200208131204.g7DC4TDS060093@mail.euroscript-ls.de>
From: Radoy Pavlov
Organization: euroscript Language Services GmbH
To: security@FreeBSD.ORG
Subject: openssh 3.4p1 issue ?
Date: Tue, 13 Aug 2002 14:03:06 +0200

Hello,

i'm experiencing something interesting here.

PC1: OpenSSH_2.9 FreeBSD localisations 20010713, SSH protocols 1.5/2.0, OpenSSL 0x0090601f

PC2: OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f

PC1: ssh -v PC2

debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/id_rsa
debug1: try privkey: /root/.ssh/id_dsa
debug1: next auth method to try is password
PC2's password:

everything is just fine.

PC2: ssh -v PC1

debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/identity
debug1: try privkey: /root/.ssh/id_rsa
debug1: try pubkey: /root/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is keyboard-interactive

keyboard-interactive in front of password auth ?

Both PC use same sshd_config and ssh_config.

Ideas ?
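The order shown in the PC2 debug output is decided on the client side: the ssh_config option PreferredAuthentications lists the methods the client tries, in order, among those the server offers, and the OpenSSH 3.4 client's built-in default puts keyboard-interactive ahead of password. The fragment below is an added example and is not part of any message in this thread; the host name PC1 is taken from the messages, the alias PC1-no-kbdint is made up for illustration, and the option names are the documented ssh_config(5) keywords.

```text
# ~/.ssh/config or /etc/ssh/ssh_config (added example, not from the thread)
#
# Restore the order the OpenSSH 2.9 client used: try a key first, then
# prompt for a password, and only then fall back to keyboard-interactive.
Host PC1
    PreferredAuthentications publickey,password,keyboard-interactive

# Alternative: stop the client from offering challenge/response
# (keyboard-interactive) at all, so the password prompt comes next
# after public key. PC1-no-kbdint is an illustrative alias.
Host PC1-no-kbdint
    HostName PC1
    ChallengeResponseAuthentication no
```

The same setting can be given for a single connection with `ssh -o PreferredAuthentications=publickey,password,keyboard-interactive PC1`, and `ssh -v` will then show `next auth method to try is password` after the key attempts. Note that this only changes which prompt the client shows first; which methods are accepted at all is decided by sshd_config on the server, and a client-side preference is not a substitute for disabling unwanted methods there.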
From owner-freebsd-security Tue Aug 13 06:29:19 2002
Date: Tue, 13 Aug 2002 09:24:33 -0400
From: Steve Shorter
To: Radoy Pavlov
Cc: security@FreeBSD.ORG
Subject: Re: openssh 3.4p1 issue ?
Message-ID: <20020813092433.A6613@nomad.lets.net>
References: <200208131204.g7DC4TDS060093@mail.euroscript-ls.de>
In-Reply-To: <200208131204.g7DC4TDS060093@mail.euroscript-ls.de>; from pavlov@euroscript-ls.de on Tue, Aug 13, 2002 at 02:03:06PM +0200

On Tue, Aug 13, 2002 at 02:03:06PM +0200, Radoy Pavlov wrote:
> Hello,
>
> i'm experiencing something interesting here.
>
> PC1: OpenSSH_2.9 FreeBSD localisations 20010713, SSH protocols
> 1.5/2.0, OpenSSL 0x0090601f
>
> PC2: OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
>
> PC1: ssh -v PC2
>
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: next auth method to try is publickey
> debug1: try privkey: /root/.ssh/id_rsa
> debug1: try privkey: /root/.ssh/id_dsa
> debug1: next auth method to try is password
> PC2's password:
>
> everything is just fine.
>
> PC2: ssh -v PC1
>
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: next auth method to try is publickey
> debug1: try privkey: /root/.ssh/identity
> debug1: try privkey: /root/.ssh/id_rsa
> debug1: try pubkey: /root/.ssh/id_dsa
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: next auth method to try is keyboard-interactive
>
> keyboard-interactive in front of password auth ?
>
> Both PC use same sshd_config and ssh_config.
>
> Ideas ?

You need to specifically configure the auth method you wish to use in ssh_config for ssh 3.4, or it defaults to something that you are not expecting.
How to do this is documented in the man page man (1) ssh.

Some things have changed in 3.4

-steve

From owner-freebsd-security Tue Aug 13 06:51:34 2002
Message-Id: <200208131351.g7DDpTDS066145@mail.euroscript-ls.de>
From: Radoy Pavlov
Organization: euroscript Language Services GmbH
To: Steve Shorter
Subject: Re: openssh 3.4p1 issue ?
Date: Tue, 13 Aug 2002 15:50:06 +0200
References: <200208131204.g7DC4TDS060093@mail.euroscript-ls.de> <20020813092433.A6613@nomad.lets.net>
In-Reply-To: <20020813092433.A6613@nomad.lets.net>
Cc: security@FreeBSD.ORG

On Tuesday 13 August 2002 03:24 pm, you wrote:
> On Tue, Aug 13, 2002 at 02:03:06PM +0200, Radoy Pavlov wrote:
> > Hello,

[snip]

> You need to specifically configure the auth method
> you wish to use in ssh_config for ssh 3.4. or it defaults to
> something that you are not expecting. How to do this is documented
> in the man page man (1) ssh.

My fault. I was tricked by the old ssh man page. Should I manually update them ? The 3.4 port did not do this for me.

> Some things have changed in 3.4

Indeed. Thanks.

From owner-freebsd-security Tue Aug 13 07:35:18 2002
Date: Tue, 13 Aug 2002 10:34:59 -0400 (EDT)
From: Trish Lynch
To: Shoichi Sakane
Subject: Re: racoon and weirdness....
In-Reply-To: <20020812141538H.sakane@kame.net>
Message-ID: <20020813103026.S637-100000@femme.sapphite.org>

On Mon, 12 Aug 2002, Shoichi Sakane wrote:

> > I'm working on setting up IPSEC tunnels between a
> > KAME/racoon/FreeBSD-STABLE box and a Ravlin unit at a client's
> >
> > What is happening with the one tunnel is this:
> >
> > after a couple days, it times out, and neither side can reestablish
> > traffic between, the log in /var/log/daemon for racoon tells me the tunnel
> > *is* established, but I can't ping through it. If I restart racoon, it all
> > starts working fine again.
>
> could you see the difference of netstat during the problem happened ?
> could you compare your *SAD* and SPIs in the packets on the network ?
> there might be a mismatch of SAD on both sides.
>

*nod* figured that out already.

> > The second issue is a second machine, with a cut/pasted config into
> > racoon.conf, with simply the endpoints changed, does not work at all.
> >
> > I can ping the external interface of the Ravlin, but it doesn't even
> > *begin* phase 1.
>
> because your spd entry is configured for only your public network.
> when the kernel sends a packet with the external address,
> the kernel decides not to use ipsec.
>

*nod* got that too, they've all worked pretty stably over the past couple weeks.
The big problem here is trying to troubleshoot something when you have no clue what the other endpoint is doing :)

However I will document step by step KAME/racoon <-> Ravlin setup as soon as I actually have time :) If anyone has an extra couple hours one day they can lend me, let me know :) :)

-Trish

--
Trish Lynch                                         trish@egobsd.org
Ecartis Core Team
Key fingerprint = B04E 67CA 3A12 9930 E91C 7730 4606 3618 B74A 2493

From owner-freebsd-security Tue Aug 13 11:14:41 2002
Date: Tue, 13 Aug 2002 11:14:37 -0700
From: Kris Kennaway
To: Niels Provos
Cc: Kris Kennaway, security@freebsd.org
Subject: Re: [provos@citi.umich.edu: OpenBSD Security Advisory: Select Boundary Condition]
Message-ID: <20020813181437.GA21196@xor.obsecurity.org>
References: <20020811214723.GA76470@xor.obsecurity.org> <20020811223145.GQ22399@citi.citi.umich.edu>
In-Reply-To: <20020811223145.GQ22399@citi.citi.umich.edu>

On Sun, Aug 11, 2002 at 06:31:45PM -0400, Niels Provos wrote:
> Read that commit message carefully. That problem was introduced into
> FreeBSD six years ago. It was fixed last year.
>

Yes, sorry, you're right. Thanks for correcting me.

Kris

From owner-freebsd-security Tue Aug 13 11:23:09 2002
Date: Tue, 13 Aug 2002 14:18:24 -0400
From: Steve Shorter
To: Radoy Pavlov
Cc: security@FreeBSD.ORG
Subject: Re: openssh 3.4p1 issue ?
Message-ID: <20020813141824.A6756@nomad.lets.net>
References: <200208131204.g7DC4TDS060093@mail.euroscript-ls.de> <20020813092433.A6613@nomad.lets.net> <200208131351.g7DDpTDS066145@mail.euroscript-ls.de>
In-Reply-To: <200208131351.g7DDpTDS066145@mail.euroscript-ls.de>; from pavlov@euroscript-ls.de on Tue, Aug 13, 2002 at 03:50:06PM +0200

On Tue, Aug 13, 2002 at 03:50:06PM +0200, Radoy Pavlov wrote:
>
> My fault. I was tricked by the old ssh man page. Should I manually
> update them ? The 3.4 port did not do this for me.
>

Well, I never have installed ssh from ports, but I think the issue is whether during the build/install you configured things so that it goes in the base system; otherwise it will be in /usr/local. So the new man pages may already be somewhere in /usr/local, but if man looks in /usr/share/man first then it will read the old ones in the base system. But I suspect if you installed from ports the man pages should be somewhere.
-steve

From owner-freebsd-security Thu Aug 15 06:43:46 2002
Date: Thu, 15 Aug 2002 15:43:41 +0200
From: Philip Paeps
To: security@freebsd.org
Subject: Chroot environment for ssh
Message-ID: <20020815134341.GO1144@juno.paeps.cx>

Hi guys -

I'm in the process of setting up a form of fileserver, and I'd like for my users to be able to work only in their home directories, not anywhere else. I would like to use SSH for the connections, as opposed to FTP, but I don't want users to be able to log into an interactive shell (only SCP/SFTP) and I don't want them to 'escape' out of their home directories.

Anyone have any ideas on how I'd go about doing this? I've been fiddling with chrsh (a 'chroot shell') but it's not really what I want.

(I was debating with myself whether to post this on -questions or -security, I hope I chose wisely in the end).

Thanks!
 - Philip

--
Philip Paeps                                    philip@paeps.cx
                                                http://www.paeps.cx/
                                                +32 486 114 720

From owner-freebsd-security Thu Aug 15 07:01:09 2002
Date: Thu, 15 Aug 2002 16:01:02 +0200
From: Volker Kindermann
To: security@freebsd.org
Subject: Re: Chroot environment for ssh
Message-Id: <20020815160102.11f7c27b.freebsd@secspace.de>
In-Reply-To: <20020815134341.GO1144@juno.paeps.cx>
References: <20020815134341.GO1144@juno.paeps.cx>

Hi Philip,

> I'm in the process of setting up a form of fileserver, and I'd like
> for my users to be able to work only in their home directories, not
> anywhere else. I would like to use SSH for the connections, as
> opposed to FTP, but I don't want users to be able to log into an
> interactive shell (only SCP/SFTP) and I don't want them to 'escape'
> out of their home directories.

take a look at http://www.sublimation.org/scponly

scponly has a chroot-Mode but the setup is a little tricky.

-volker

--
Please don't cc me: I read the lists and don't need your message twice :-)

From owner-freebsd-security Thu Aug 15 09:08:15 2002
Date: Thu, 15 Aug 2002 19:05:46 +0300 (EEST)
From: Dan Airinen
To: Philip Paeps
Cc: security@freebsd.org
Subject: Re: Chroot environment for ssh
In-Reply-To: <20020815134341.GO1144@juno.paeps.cx>
Message-ID: <20020815190221.M7905-100000@daemon.cyberdoom.org>

Hi Philip,

You could give a try to http://chrootssh.sourceforge.net/

--------------------------------
Dan Airinen
System Administrator
Email: dan.airinen@cyberdoom.org
--------------------------------
"Qvid me anxivs svm?"

On Thu, 15 Aug 2002, Philip Paeps wrote:

> Hi guys -
>
> I'm in the process of setting up a form of fileserver, and I'd like for my
> users to be able to work only in their home directories, not anywhere else. I
> would like to use SSH for the connections, as opposed to FTP, but I don't want
> users to be able to log into an interactive shell (only SCP/SFTP) and I don't
> want them to 'escape' out of their home directories.
>
> Anyone have any ideas on how I'd go about doing this? I've been fiddling with
> chrsh (a 'chroot shell') but it's not really what I want.
>
> (I was debating with myself whether to post this on -questions of -security, I
> hope I chose wisely in the end).
>
> Thanks!
> > - Philip > > -- > Philip Paeps > philip@paeps.cx > http://www.paeps.cx/ > > +32 486 114 720 > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 15 9:24:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE92937B400 for ; Thu, 15 Aug 2002 09:24:19 -0700 (PDT) Received: from deevil.homeunix.org (adsl-34-216-123.bct.bellsouth.net [67.34.216.123]) by mx1.FreeBSD.org (Postfix) with SMTP id 4619243E4A for ; Thu, 15 Aug 2002 09:24:15 -0700 (PDT) (envelope-from deevil@deevil.homeunix.org) Received: (qmail 5526 invoked by uid 1001); 15 Aug 2002 16:24:13 -0000 Date: Thu, 15 Aug 2002 12:24:13 -0400 
From: Ken Ebling
To: Philip Paeps
Cc: freebsd-security@freebsd.org
Subject: Re: Chroot environment for ssh
Message-ID: <20020815162413.GA5510@deevil.homeunix.org>
In-Reply-To: <20020815134341.GO1144@juno.paeps.cx>
References: <20020815134341.GO1144@juno.paeps.cx>

Hi Philip,

I've found CHRSH to be very useful for chrooting shell accounts. The setup
is very picky (for obvious reasons) but it's not complicated.

http://www.aarongifford.com/computers/chrsh.html

Ken Ebling

On Thu, Aug 15, 2002 at 03:43:41PM +0200, Philip Paeps wrote:
> Hi guys -
>
> I'm in the process of setting up a form of fileserver, and I'd like for my
> users to be able to work only in their home directories, not anywhere else. I
> would like to use SSH for the connections, as opposed to FTP, but I don't want
> users to be able to log into an interactive shell (only SCP/SFTP) and I don't
> want them to 'escape' out of their home directories.
>
> Anyone have any ideas on how I'd go about doing this? I've been fiddling with
> chrsh (a 'chroot shell') but it's not really what I want.
>
> (I was debating with myself whether to post this on -questions or -security, I
> hope I chose wisely in the end).
>
> Thanks!
>
> - Philip
>
> --
> Philip Paeps
> philip@paeps.cx
> http://www.paeps.cx/
>
> +32 486 114 720

From owner-freebsd-security Thu Aug 15 09:28:00 2002
Date: Thu, 15 Aug 2002 12:27:55 -0400
From: Ken Ebling
To: Philip Paeps
Cc: freebsd-security@freebsd.org
Subject: Re: Chroot environment for ssh
Message-ID: <20020815162755.GB5510@deevil.homeunix.org>
In-Reply-To: <20020815134341.GO1144@juno.paeps.cx>
References: <20020815134341.GO1144@juno.paeps.cx>

My apologies, I didn't read the entire message. =)

Why are you dissatisfied with chrsh? Having to create /etc & /bin dirs for
each user, etc?

Ken Ebling

On Thu, Aug 15, 2002 at 03:43:41PM +0200, Philip Paeps wrote:
> Hi guys -
>
> Anyone have any ideas on how I'd go about doing this? I've been fiddling with
> chrsh (a 'chroot shell') but it's not really what I want.

From owner-freebsd-security Thu Aug 15 10:33:25 2002
Date: Thu, 15 Aug 2002 19:33:19 +0200
From: Philip Paeps
To: Ken Ebling
Cc: freebsd-security@freebsd.org
Subject: Re: Chroot environment for ssh
Message-ID: <20020815173319.GA91830@juno.paeps.cx>
In-Reply-To: <20020815162755.GB5510@deevil.homeunix.org>
References: <20020815134341.GO1144@juno.paeps.cx> <20020815162755.GB5510@deevil.homeunix.org>

On 2002-08-15 18:27:58, Ken Ebling wrote:
> On Thu, Aug 15, 2002 at 03:43:41PM +0200, Philip Paeps wrote:
> > Anyone have any ideas on how I'd go about doing this? I've been fiddling
> > with chrsh (a 'chroot shell') but it's not really what I want.
>
> My apologies, I didn't read the entire message. =) Why are you
> dissatisfied with chrsh? Having to create /etc & /bin dirs for each user,
> etc?

Precisely. The users won't ever be getting shell access (they don't need it),
so it's pretty much pointless to give them a bin, etc, and home directory.
Additionally, it makes it particularly burdensome to create new users quickly.

Of course, I could work with an adduser script and have all sorts of
skeletons, but it's a bit of overkill simply for uploading.

- Philip

--
Philip Paeps
philip@paeps.cx
http://www.paeps.cx/

+32 486 114 720

From owner-freebsd-security Thu Aug 15 10:35:45 2002
Date: Thu, 15 Aug 2002 19:35:40 +0200
From: Philip Paeps
To: security@freebsd.org
Subject: Re: Chroot environment for ssh
Message-ID: <20020815173540.GB91830@juno.paeps.cx>
In-Reply-To: <20020815160102.11f7c27b.freebsd@secspace.de>
References: <20020815134341.GO1144@juno.paeps.cx> <20020815160102.11f7c27b.freebsd@secspace.de>

On 2002-08-15 17:15:01, Volker Kindermann wrote:
> > I'm in the process of setting up a form of fileserver, and I'd like for my
> > users to be able to work only in their home directories, not anywhere
> > else. I would like to use SSH for the connections, as opposed to FTP, but
> > I don't want users to be able to log into an interactive shell (only
> > SCP/SFTP) and I don't want them to 'escape' out of their home directories.
>
> take a look at http://www.sublimation.org/scponly

The name of it sounds just like what I want! I'll give this a go, thanks!

> scponly has a chroot-Mode but the setup is a little tricky.

As long as it's not too burdensome to create new chrooted users, I'm
perfectly happy with it :-)

Thanks for the tip!

- Philip

--
Philip Paeps
philip@paeps.cx
http://www.paeps.cx/

+32 486 114 720

From owner-freebsd-security Thu Aug 15 11:02:16 2002
Date: Thu, 15 Aug 2002 20:02:11 +0200
From: Philip Paeps
To: security@freebsd.org
Subject: Re: Chroot environment for ssh
Message-ID: <20020815180211.GC91830@juno.paeps.cx>
In-Reply-To: <20020815173540.GB91830@juno.paeps.cx>
References: <20020815134341.GO1144@juno.paeps.cx> <20020815160102.11f7c27b.freebsd@secspace.de> <20020815173540.GB91830@juno.paeps.cx>

On 2002-08-15 19:36:10, Philip Paeps wrote:
> On 2002-08-15 17:15:01, Volker Kindermann wrote:
> > > I'm in the process of setting up a form of fileserver, and I'd like for
> > > my users to be able to work only in their home directories, not anywhere
> > > else. I would like to use SSH for the connections, as opposed to FTP,
> > > but I don't want users to be able to log into an interactive shell (only
> > > SCP/SFTP) and I don't want them to 'escape' out of their home
> > > directories.
> >
> > take a look at http://www.sublimation.org/scponly
>
> The name of it sounds just like what I want! I'll give this a go, thanks!

Okay, I've set it up, and my users are happily scp-only. That's most of the
problem solved.

> > scponly has a chroot-Mode but the setup is a little tricky.
>
> As long as it's not too burdensome to create new chrooted users, I'm
> perfectly happy with it :-)

This bit is still causing me a minor headache. The chroot script needs a bit
of hacking before it a) works properly on FreeBSD, b) works well enough to be
called from adduser or similar.

When I'm done with that fix I think I might as well submit it as a port. I
think it would do well in the ports collection!

- Philip

--
Philip Paeps
philip@paeps.cx
http://www.paeps.cx/

+32 486 114 720

From owner-freebsd-security Thu Aug 15 11:15:25 2002
From: "DiCioccio, Jason"
To: Philip Paeps, security@freebsd.org
Subject: RE: Chroot environment for ssh
Date: Thu, 15 Aug 2002 11:15:19 -0700
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02FFF67C@goofy.epylon.lan>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Philip Paeps [mailto:philip@paeps.cx]
> Sent: Thursday, August 15, 2002 11:02 AM
> To: security@freebsd.org
> Subject: Re: Chroot environment for ssh
>
> > > take a look at http://www.sublimation.org/scponly

I wish I had known this existed sooner. I wrote my own under the same name...
I guess that name just comes naturally :)

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPVvv7zKUHizV76d/EQIlmACeMhTwCe7Fp/F8aNnw5k1XPQ1jTFIAoOXu
zCXVUuvMJ4g1rEgdhtoKu2cH
=227h
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Aug 15 11:59:58 2002
From: Baldur Gislason
To: Philip Paeps
Cc: security@freebsd.org
Subject: Re: Chroot environment for ssh
Date: Thu, 15 Aug 2002 18:58:54 +0000
Message-Id: <20020815185947.540AE27A0@tesla.foo.is>
In-Reply-To: <20020815134341.GO1144@juno.paeps.cx>
References: <20020815134341.GO1144@juno.paeps.cx>

/usr/ports/security/ssh2 has that feature built in, it can chroot certain
users or users that are members of certain groups.

Baldur

On Thursday 15 August 2002 13:43, you wrote:
> Hi guys -
>
> I'm in the process of setting up a form of fileserver, and I'd like for my
> users to be able to work only in their home directories, not anywhere else.
> I would like to use SSH for the connections, as opposed to FTP, but I
> don't want users to be able to log into an interactive shell (only
> SCP/SFTP) and I don't want them to 'escape' out of their home directories.
>
> Anyone have any ideas on how I'd go about doing this? I've been fiddling
> with chrsh (a 'chroot shell') but it's not really what I want.
>
> (I was debating with myself whether to post this on -questions or
> -security, I hope I chose wisely in the end).
>
> Thanks!
>
> - Philip

From owner-freebsd-security Thu Aug 15 12:23:00 2002
From: "Aaron Namba"
Subject: binary patchkits?
Date: Thu, 15 Aug 2002 12:22:42 -0700

Hi guys:

This has probably been asked many times before, but I can't seem to locate
any info, so I thought I'd ask the list for some pointers.

The Handbook mentions the availability of binary patchkits for releases that
fix security problems and major bugs. I understand fully that the Handbook
can be out of date at times, but this would be really helpful, as I manage a
fleet of FreeBSD appliances scattered across the country. Each appliance
includes an auto-update utility that brings my software up to date, and it
would be great if I could send along a package that would also bring FreeBSD
up to date simultaneously.

Does anyone currently maintain such patchkits, or can someone suggest an easy
way of creating them? I've thought of many ways of doing this, but they are
all pretty difficult and cumbersome. This is the one thing Windows has over
FreeBSD...

Thanks in advance for your help.

--Aaron Namba

From owner-freebsd-security Thu Aug 15 23:35:24 2002
Date: Fri, 16 Aug 2002 08:35:04 +0200
From: Volker Kindermann
To: security@freebsd.org
Subject: Re: Chroot environment for ssh
Message-Id: <20020816083504.4b6906eb.freebsd@secspace.de>
In-Reply-To: <20020815180211.GC91830@juno.paeps.cx>
References: <20020815134341.GO1144@juno.paeps.cx> <20020815160102.11f7c27b.freebsd@secspace.de> <20020815173540.GB91830@juno.paeps.cx> <20020815180211.GC91830@juno.paeps.cx>

> > > scponly has a chroot-Mode but the setup is a little tricky.
> >
> > As long as it's not too burdensome to create new chrooted users, I'm
> > perfectly happy with it :-)
>
> This bit is still causing me a minor headache. The chroot script
> needs a bit of hacking before it a) works properly on FreeBSD, b)
> works well enough to be called from adduser or similar.
>
> When I'm done with that fix I think I might as well submit it as a
> port. I think it would do well in the ports collection!

I had some contact with the author some time ago and I think he'll be glad to
help you if you get problems. He develops on OpenBSD.

A scponly-port is a great idea.

-volker

--
Please don't cc me: I read the lists and don't need your message twice :-)

From owner-freebsd-security Fri Aug 16 07:53:42 2002
From: Mike Tancsa
To: stable@freebsd.org
Cc: security@freebsd.org
Subject: login.access no longer works with default sshd
Date: Fri, 16 Aug 2002 10:53:52 -0400
Message-Id: <5.1.1.6.0.20020816104955.03cdcc98@marble.sentex.ca>

I noticed that /etc/login.access is no longer consulted with sshd by default.
Are there any dangers/caveats of turning on UseLogin yes? As the default
behavior has changed, perhaps a note in UPDATING? I am cross-posting as I
think this issue is relevant to both lists.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Sat Aug 17 14:36:47 2002
Date: Sat, 17 Aug 2002 23:36:38 +0200
From: Jan Schlesner
To: Mike Tancsa
Cc: stable@freebsd.org, security@freebsd.org
Subject: Re: login.access no longer works with default sshd
Message-ID: <20020817213638.GA92398@physik.TU-Berlin.DE>
In-Reply-To: <5.1.1.6.0.20020816104955.03cdcc98@marble.sentex.ca>
References: <5.1.1.6.0.20020816104955.03cdcc98@marble.sentex.ca>

On Fri, Aug 16, 2002 at 10:53:52AM -0400, Mike Tancsa wrote:
> I noticed that /etc/login.access is no longer consulted with sshd by
> default. Are there any dangers/caveats of turning on UseLogin yes? As

Login doesn't know how to handle xauth cookies. With "UseLogin yes"
X11 forwarding does not work. But with the options AllowGroups, AllowUsers,
DenyGroups and DenyUsers you can control the sshd login.

Jan

--
[ gpg key: http://wwwnlds.physik.tu-berlin.de/~schlesner/jschlesn.gpg ]
[ key fingerprint: 4236 3497 C4CF 4F3A 274F B6E2 C4F6 B639 1DF4 CF0A ]
--
It's better to reign in hell, than to serve in heaven...
From owner-freebsd-security Sat Aug 17 15:10:32 2002
From: "Andrey A. Chernov"
To: Jan Schlesner
Cc: Mike Tancsa, stable@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: login.access no longer works with default sshd
Date: Sun, 18 Aug 2002 02:10:16 +0400
Message-ID: <20020817221015.GA14994@nagual.pp.ru>
In-Reply-To: <20020817213638.GA92398@physik.TU-Berlin.DE>
References: <5.1.1.6.0.20020816104955.03cdcc98@marble.sentex.ca> <20020817213638.GA92398@physik.TU-Berlin.DE>

On Sat, Aug 17, 2002 at 23:36:38 +0200, Jan Schlesner wrote:
> On Fri, Aug 16, 2002 at 10:53:52AM -0400, Mike Tancsa wrote:
> > I noticed that /etc/login.access is no longer consulted with sshd by
> > default. Are there any dangers/caveats of turning on UseLogin yes? As
>
> Login doesn't know how to handle xauth cookies. With "UseLogin yes"
> X11 forwarding does not work. But with the options AllowGroups,
> AllowUsers, DenyGroups and DenyUsers you can control the sshd login.

There was a login.access patch which was lost in the merging of the new
openssh version. It still applies almost cleanly and restores login.access
functionality. Ask DES to revive it, if you want.

--
Andrey A. Chernov
http://ache.pp.ru/
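The scponly chroot thread earlier in this digest ends with Philip noting that the chroot script needs hacking before it can be called from adduser, and Ken pointing out the per-user /etc and /bin directories a jail needs. The script below is an added example for that thread, not scponly's code and not anything a poster sent: it lays out the skeleton an scp-only jail needs and then checks the two things that most often go wrong, a jail root the jailed user can write to (a user-writable chroot root lets the user replace the files the programs inside the jail trust, etc/passwd among them) and files missing from inside the jail. The paths (bin/scp, usr/libexec/sftp-server) follow a FreeBSD layout; the function names and the shell placeholder written into the jail's passwd are my assumptions.

```shell
#!/bin/sh
# Added example (not scponly's or the list posters' code): skeleton and
# sanity check for an scp-only chroot jail. Function names, the placeholder
# shell in the jailed passwd and the file list are assumptions for FreeBSD.

# mkjail_skel JAIL USER UID GID
# Creates the directory layout and a one-entry passwd/group inside the jail.
# scp, sftp-server and their shared libraries still have to be copied in;
# run as root so the jail root ends up root-owned.
mkjail_skel() {
    jail=$1 user=$2 uid=$3 gid=$4
    for d in bin lib usr/lib usr/libexec etc "home/$user"; do
        mkdir -p "$jail/$d" || return 1
    done
    # Jail root and system dirs: writable by the owner (root) only. The
    # jailed user must never be able to write to the jail root or its etc/.
    chmod 0755 "$jail" "$jail/bin" "$jail/lib" "$jail/usr" "$jail/usr/lib" \
        "$jail/usr/libexec" "$jail/etc" "$jail/home"
    chmod 0700 "$jail/home/$user"
    # Minimal passwd/group so the programs inside the jail can resolve the
    # user. No password hash: authentication already happened outside the
    # jail, and the shell field is a placeholder (nobody logs in in here).
    printf '%s:*:%s:%s::/home/%s:/usr/sbin/nologin\n' \
        "$user" "$uid" "$gid" "$user" > "$jail/etc/passwd"
    printf '%s:*:%s:\n' "$user" "$gid" > "$jail/etc/group"
}

# check_jail JAIL USER
# Reports what is still wrong with a jail; returns non-zero on any finding.
check_jail() {
    jail=$1 user=$2 rc=0
    # Position 6 of the ls mode string is group write, position 9 is
    # other write; either means someone besides root can alter the jail root.
    case $(ls -ld "$jail") in
        ?????w*|????????w*) echo "jail root $jail is group- or world-writable"; rc=1 ;;
    esac
    # Everything scp/sftp needs must exist inside the jail; a chrooted
    # process cannot see anything outside it.
    for f in bin/scp usr/libexec/sftp-server etc/passwd etc/group "home/$user"; do
        [ -e "$jail/$f" ] || { echo "missing $jail/$f"; rc=1; }
    done
    grep -q "^$user:" "$jail/etc/passwd" 2>/dev/null \
        || { echo "$user has no entry in $jail/etc/passwd"; rc=1; }
    return $rc
}

# Run directly as: sh mkjail.sh /home/jail alice 1001 1001
# It builds the skeleton, then lists what still has to be copied in.
if [ $# -eq 4 ]; then
    mkjail_skel "$1" "$2" "$3" "$4" && check_jail "$1" "$2"
fi
```

Copying the binaries and their libraries is deliberately left to the caller (on FreeBSD `ldd` lists what each one needs); the point of `check_jail` is that an adduser-style wrapper can run it last and refuse to hand out the account while anything is missing or the jail root is writable by anyone but root.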
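Jan's reply lists the sshd_config directives that take over from login.access (AllowUsers, AllowGroups, DenyUsers, DenyGroups) and the cost of UseLogin yes, and Andrey notes that FreeBSD's login.access patch was lost in the OpenSSH merge. As an added example, not from OpenSSH or from the posters, here is a POSIX sh audit that reads the effective value of those keywords out of an sshd_config and reports whether any account restriction is in force. It relies on the OpenSSH rules that the first occurrence of a keyword wins and that keywords are case-insensitive; the function names and the sample configuration are mine.

```shell
#!/bin/sh
# Added example (not OpenSSH's or the posters' code): report how an
# sshd_config restricts logins. Assumes the OpenSSH rules that the first
# occurrence of a keyword is the one in force and that keywords are
# case-insensitive. Function names are assumptions.

# sshd_value FILE KEYWORD
# Prints the effective value of KEYWORD (first match, comments skipped), or
# nothing if it is unset. Stops at the first Match block: values inside one
# are conditional and a global audit must not mistake them for global ones.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2  { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_access FILE
# Lists the Allow*/Deny* directives in force and says whether login.access
# is consulted. Returns 0 when at least one Allow*/Deny* directive is set,
# 1 when sshd itself restricts nobody (login.access is not consulted either
# unless UseLogin is on, so every valid account may log in).
audit_sshd_access() {
    cfg=$1 restricted=1
    for kw in AllowUsers AllowGroups DenyUsers DenyGroups; do
        v=$(sshd_value "$cfg" "$kw")
        [ -n "$v" ] && { echo "$kw $v"; restricted=0; }
    done
    case $(sshd_value "$cfg" UseLogin | tr 'A-Z' 'a-z') in
        yes) echo "UseLogin yes: login(1) runs and consults /etc/login.access, but X11 forwarding will not work" ;;
        *)   echo "UseLogin off: /etc/login.access is not consulted by sshd" ;;
    esac
    [ $restricted -eq 0 ] \
        || echo "no AllowUsers/AllowGroups/DenyUsers/DenyGroups set: every valid account may log in"
    return $restricted
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    audit_sshd_access "$1"
fi
```

On any OpenSSH new enough to have it, `sshd -T` prints the configuration the daemon would actually use and is the authoritative check; the awk reader above is for hosts without it, or for auditing a file before it is installed. Note that an AllowGroups line placed after an earlier AllowGroups is silently ignored, which is exactly the kind of mistake this reports by showing only the value in force.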