From owner-freebsd-security@FreeBSD.ORG Sun Jul 13 09:49:14 2003
From: "V. Jones"
To: freebsd-security@freebsd.org
Date: Sun, 13 Jul 2003 12:46:39 -0700 (PDT)
Subject: Re: jails, ipfilter & stunnel
Message-ID: <4346655.1058114953973.JavaMail.nobody@skeeter.psp.pas.earthlink.net>
X-BeenThere: freebsd-security@freebsd.org
List-Id: Security issues [members-only posting]

> You don't have to have multiple IP aliases for multiple jails. Or at
> least there is no technical necessity for this (in FreeBSD 4.x, that is,
> don't know about 5.x). If it's just about running server processes in
> their own jail (no port number conflicts) you can have all jails on the
> same IP address and do the IP filtering (if necessary at all in this
> scenario) based on port numbers.

Okay, I didn't realize I could run more than one jail on one IP address.
I guess if I needed ssh on each jailed server I could just make sure the
port number is unique.

> > Finally, I'd like to use SSL to offer secure web connections & secure
> > email without having to buy two certificates. Am I getting too cute if I
> > accept ssl connections on one ip address and use stunnel to route them
> > to the appropriate jailed server?
>
> In case of all jails on one IP address this problem goes away, too. You
> could define a generic domain name for the SSL stuff, for instance
> 'secure.domain.tld', get a certificate for that and use it for web as
> well as email and other purposes.
>
> Uwe

This confuses me - doesn't the host name have to match the certificate?
Can two jails have the same host name too?

--
Valen Jones

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 02:45:06 2003
From: Uwe Doering
Organization: Private UNIX Site
Date: Mon, 14 Jul 2003 11:44:57 +0200
Message-ID: <3F127B99.7040700@geminix.org>
To: "V.
Jones"
In-Reply-To: <4346655.1058114953973.JavaMail.nobody@skeeter.psp.pas.earthlink.net>
Cc: freebsd-security@freebsd.org
Subject: Re: jails, ipfilter & stunnel

V. Jones wrote:
>> You don't have to have multiple IP aliases for multiple jails. Or at
>> least there is no technical necessity for this (in FreeBSD 4.x, that is,
>> don't know about 5.x). If it's just about running server processes in
>> their own jail (no port number conflicts) you can have all jails on the
>> same IP address and do the IP filtering (if necessary at all in this
>> scenario) based on port numbers.
>
> Okay, I didn't realize I could run more than one jail on one IP address.
> I guess if I needed ssh on each jailed server I could just make sure the
> port number is unique.

True, sshd would cause a port conflict. Since you cannot inject processes
into already running jails in FreeBSD 4.x you better have an sshd in each
of them. I agree that different port numbers would be the way to go here.

>>> Finally, I'd like to use SSL to offer secure web connections & secure
>>> email without having to buy two certificates. Am I getting too cute if I
>>> accept ssl connections on one ip address and use stunnel to route them
>>> to the appropriate jailed server?
>>
>> In case of all jails on one IP address this problem goes away, too.
>> You
>> could define a generic domain name for the SSL stuff, for instance
>> 'secure.domain.tld', get a certificate for that and use it for web as
>> well as email and other purposes.
>>
>> Uwe
>
> This confuses me - doesn't the host name have to match the certificate?
> Can two jails have the same host name too?

Two jails can have the same name. With

    sysctl jail.set_hostname_allowed=[01]

you can even configure whether you can set the host names from the
inside, to whatever you want.

Apart from this, a server's host name isn't really important for most
services and daemons. You can usually set the names under which they are
supposed to operate in their respective config files. This is certainly
true for Apache, while POP3/IMAP4 daemons usually don't care about the
host name they get contacted with. There it is just important that you
use 'secure.domain.tld' on the client side, in order to match the
certificate's domain name. And for SMTP you can point the DNS MX records
to 'secure.domain.tld'. All this has nothing to do with the host name
used for the respective jail.

Hope this wasn't too confusing.
     Uwe
--
Uwe Doering                    |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org             |  http://www.escapebox.net

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 04:03:01 2003
From: des@des.no (Dag-Erling Smørgrav)
To: Scott Gerhardt
Cc: freebsd-security@freebsd.org
Date: Mon, 14 Jul 2003 13:02:56 +0200
Subject: Re: Login.Access
In-Reply-To: (Scott Gerhardt's message of "Sat, 12 Jul 2003 10:56:18 -0600")

Scott Gerhardt writes:
> I was using the default sshd config which has "UseLogin no".
> I changed it
> to "yes", restarted sshd and logins are now denied/allowed as defined in my
> /etc/login.access.

That is not the correct solution.

What FreeBSD version are you using?

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 04:38:41 2003
From: Mike Tancsa
To: des@des.no (Dag-Erling Smørgrav)
Cc: freebsd-security@freebsd.org, Scott Gerhardt
Date: Mon, 14 Jul 2003 07:36:38 -0400
Subject: Re: Login.Access
Message-Id: <5.2.0.9.0.20030714073542.05d587b0@192.168.0.12>

4.8 STABLE. So, how do you get sshd to listen to login.access? i.e. what
is the correct solution?

        ---Mike

At 01:02 PM 7/14/2003 +0200, Dag-Erling Smørgrav wrote:
>Scott Gerhardt writes:
> > I was using the default sshd config which has "UseLogin no".
> > I changed it
> > to "yes", restarted sshd and logins are now denied/allowed as defined in my
> > /etc/login.access.
>
>That is not the correct solution.
>
>What FreeBSD version are you using?
>
>DES
>--
>Dag-Erling Smørgrav - des@des.no

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                        www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 04:45:46 2003
From: des@des.no (Dag-Erling Smørgrav)
To: Mike Tancsa
Date: Mon, 14 Jul 2003 13:45:42 +0200
In-Reply-To: <5.2.0.9.0.20030714073542.05d587b0@192.168.0.12> (Mike Tancsa's message of "Mon, 14 Jul 2003 07:36:38 -0400")
Cc: freebsd-security@freebsd.org, Scott Gerhardt
Subject: Re: Login.Access

Mike Tancsa writes:
> 4.8 STABLE. So, how do you get sshd to listen to login.access ?
> i.e. what is the correct solution

What does 'grep sshd /etc/pam.conf' say?

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 04:58:01 2003
From: Mike Tancsa
To: des@des.no (Dag-Erling Smørgrav)
Cc: freebsd-security@freebsd.org, Scott Gerhardt
Date: Mon, 14 Jul 2003 07:55:58 -0400
Subject: Re: Login.Access
Message-Id: <5.2.0.9.0.20030714075530.0642be10@192.168.0.12>
In-Reply-To: <5.2.0.9.0.20030714073542.05d587b0@192.168.0.12>
At 01:45 PM 7/14/2003 +0200, Dag-Erling Smørgrav wrote:
>Mike Tancsa writes:
> > 4.8 STABLE. So, how do you get sshd to listen to login.access ?
> > i.e. what is the correct solution
>
>What does 'grep sshd /etc/pam.conf' say?

It's the default that's in the current CVS tree:

shell2% uname -a
FreeBSD shell2.sentex.ca 4.8-STABLE FreeBSD 4.8-STABLE #0: Fri Jul  4 05:47:48 EDT 2003     mdtancsa@shell2.sentex.ca:/usr/obj/usr/src/sys/shell2  i386
shell2% diff /etc/pam.conf /usr/src/etc/pam.conf
shell2% grep -i sshd /etc/pam.conf | grep -v ^#
sshd    auth        sufficient  pam_skey.so
sshd    auth        sufficient  pam_opie.so         no_fake_prompts
sshd    auth        required    pam_unix.so         try_first_pass
sshd    account     required    pam_unix.so
sshd    password    required    pam_permit.so
sshd    session     required    pam_permit.so
shell2%

        ---Mike

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                        www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 05:04:53 2003
From: des@des.no (Dag-Erling Smørgrav)
To: Mike Tancsa
Cc: freebsd-security@freebsd.org, Scott Gerhardt
Date: Mon, 14 Jul 2003 14:04:49 +0200
Subject: Re: Login.Access
In-Reply-To: <5.2.0.9.0.20030714075530.0642be10@192.168.0.12> (Mike Tancsa's message of "Mon, 14 Jul 2003 07:55:58 -0400")

Mike Tancsa writes:
> At 01:45 PM 7/14/2003 +0200, Dag-Erling Smørgrav wrote:
> > What does 'grep sshd /etc/pam.conf' say?
> It's the default that's in the current CVS tree

Ah, I forgot that -STABLE doesn't have pam_login_access...  Until you
upgrade to 5.x, UseLogin is probably the best solution.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 07:16:24 2003
From: "V. Jones"
To: freebsd-security@freebsd.org
Date: Mon, 14 Jul 2003 10:13:46 -0700 (PDT)
Subject: Re: Re: Re: jails, ipfilter & stunnel
Message-ID: <4654247.1058192183103.JavaMail.nobody@rowlf.psp.pas.earthlink.net>

> >> You don't have to have multiple IP aliases for multiple jails. Or at
> >> least there is no technical necessity for this (in FreeBSD 4.x, that is,
> >> don't know about 5.x). If it's just about running server processes in
> >> their own jail (no port number conflicts) you can have all jails on the
> >> same IP address and do the IP filtering (if necessary at all in this
> >> scenario) based on port numbers.
> >
> > Okay, I didn't realize I could run more than one jail on one IP address.
> > I guess if I needed ssh on each jailed server I could just make sure the
> > port number is unique.
>
> True, sshd would cause a port conflict. Since you cannot inject
> processes into already running jails in FreeBSD 4.x you better have an
> sshd in each of them. I agree that different port numbers would be the
> way to go here.
>
> >>> Finally, I'd like to use SSL to offer secure web connections & secure
> >>> email without having to buy two certificates. Am I getting too cute if I
> >>> accept ssl connections on one ip address and use stunnel to route them
> >>> to the appropriate jailed server?
> >>
> >> In case of all jails on one IP address this problem goes away, too. You
> >> could define a generic domain name for the SSL stuff, for instance
> >> 'secure.domain.tld', get a certificate for that and use it for web as
> >> well as email and other purposes.
> >>
> >> Uwe
> >
> > This confuses me - doesn't the host name have to match the certificate?
> > Can two jails have the same host name too?
>
> Two jails can have the same name. With
>
>     sysctl jail.set_hostname_allowed=[01]
>
> you can even configure whether you can set the host names from the
> inside, to whatever you want.
>
> Apart from this, a server's host name isn't really important for most
> services and daemons. You can usually set the names under which they
> are supposed to operate in their respective config files. This is
> certainly true for Apache, while POP3/IMAP4 daemons usually don't care
> about the host name they get contacted with. There it is just important
> that you use 'secure.domain.tld' on the client side, in order to match
> the certificate's domain name. And for SMTP you can point the DNS MX
> records to 'secure.domain.tld'. All this has nothing to do with the
> host name used for the respective jail.
>
> Hope this wasn't too confusing.
>
> Uwe

Okay, thanks. I'll have to do some experimenting and see how it works.
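Back to the Login.Access thread above. The 4.8-STABLE pam.conf Mike posted has only pam_unix.so in sshd's "account" stack, so nothing in that stack ever reads /etc/login.access; the file is consulted only when sshd hands the session to login(1), which is what "UseLogin yes" does and what pam_login_access does on 5.x. To make concrete what that check is, here is an added example, written for this page and not code from the thread or from FreeBSD: a small evaluator of login.access(5) rules as login(1) applies them (first matching rule wins, no match permits). The sample rule file, the group table and the user/origin pairs are constructed for the example; real login(1) resolves groups through getgrnam(3) and origins from the tty or the remote host name/address.

```python
"""Evaluator for login.access(5) rules (added example, not FreeBSD code).

Rule syntax:   permission:users:origins
  permission   '+' allow, '-' deny
  users        login names, group names, ALL; 'EXCEPT' carves out exceptions
  origins      tty names, host names, '.domain' suffixes, IP addresses,
               'net.prefix.' prefixes, ALL, LOCAL (any origin without a '.')
The first matching rule decides; when no rule matches the login is permitted.
"""

# Constructed sample /etc/login.access for this example.
SAMPLE_LOGIN_ACCESS = """\
# root: console and the 10.0.0.x admin network only
-:root:ALL EXCEPT LOCAL 10.0.0.
# shell users: from the corporate domain or the 10.0.x.x networks
+:wheel shell:.sentex.ca 10.0.
# everybody else only on the console
-:ALL EXCEPT root:ALL EXCEPT LOCAL
"""

# Constructed group membership (stands in for getgrnam(3)).
GROUPS = {"wheel": {"mike"}, "shell": {"scott", "valen"}}


def _match_user(field, user):
    if field == "ALL":
        return True
    return field == user or user in GROUPS.get(field, ())


def _match_origin(field, origin):
    if field == "ALL":
        return True
    if field == "LOCAL":
        return "." not in origin
    field, origin = field.lower(), origin.lower()   # host names are case-insensitive
    if field.startswith("."):                       # domain suffix
        return origin.endswith(field)
    if field.endswith("."):                         # network prefix
        return origin.startswith(field)
    return field == origin                          # tty, host name or address


def _match_list(spec, item, match):
    """'a b c' or 'a b EXCEPT c d': item must match the first part and not the EXCEPT part."""
    words = spec.split()
    if "EXCEPT" in words:
        i = words.index("EXCEPT")
        included, excluded = words[:i], words[i + 1:]
    else:
        included, excluded = words, []
    return any(match(f, item) for f in included) and not any(match(f, item) for f in excluded)


def parse_login_access(text):
    """Return [(allow, users_spec, origins_spec), ...]; reject malformed lines loudly."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[0] not in ("+", "-") or not parts[1] or not parts[2]:
            raise ValueError(f"login.access line {lineno}: malformed rule {raw!r}")
        rules.append((parts[0] == "+", parts[1], parts[2]))
    return rules


def login_allowed(rules, user, origin):
    """First matching rule decides; with no match login.access permits the login."""
    for allow, users, origins in rules:
        if _match_list(users, user, _match_user) and _match_list(origins, origin, _match_origin):
            return allow
    return True


RULES = parse_login_access(SAMPLE_LOGIN_ACCESS)

if __name__ == "__main__":
    for user, origin in [("root", "ttyv0"), ("root", "10.0.0.5"), ("root", "evil.example.com"),
                         ("mike", "shell2.sentex.ca"), ("mike", "evil.example.com"),
                         ("scott", "10.0.7.3"), ("valen", "ttyv1")]:
        verdict = "allow" if login_allowed(RULES, user, origin) else "deny"
        print(f"{user:6s} from {origin:18s} -> {verdict}")
```

The "no match means permit" default is the part worth remembering when auditing such a file: a rule set that only lists allows protects nobody unless it ends with a catch-all deny, as the sample's last line does.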
From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 08:38:13 2003
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Date: Mon, 14 Jul 2003 10:38:11 -0500
Subject: Security Officer-supported branches update
Message-ID: <20030714153811.GB78930@madman.celabo.org>

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been updated
to reflect recent releases and EoL (end-of-life) events. The new list is
below (and should appear at http://www.freebsd.org/security/ soon).

In particular, FreeBSD 4.6 and FreeBSD 5.0 have `expired'. If you wish to
be certain to get critical bug fixes, it is recommended that you upgrade
to one of the newer security branches.
[Excerpt from http://www.freebsd.org/security/]

The FreeBSD Security Officer provides security advisories for several
branches of FreeBSD development. These are the -STABLE Branches and the
Security Branches. (Advisories are not issued for the -CURRENT Branch.)

  * There is usually only a single -STABLE branch, although during the
    transition from one major development line to another (such as from
    FreeBSD 4.x to 5.x), there is a time span in which there are two
    -STABLE branches. The -STABLE branch tags have names like RELENG_4.
    The corresponding builds have names like FreeBSD 4.6-STABLE.

  * Each FreeBSD Release has an associated Security Branch. The Security
    Branch tags have names like RELENG_4_6. The corresponding builds have
    names like FreeBSD 4.6-RELEASE-p7.

Each branch is supported by the Security Officer for a limited time only,
typically through 12 months after the release. The estimated lifetimes of
the currently supported branches are given below. The Estimated EoL
(end-of-life) column gives the earliest date on which that branch is
likely to be dropped. Please note that these dates may be extended into
the future, but only extenuating circumstances would lead to a branch's
support being dropped earlier than the date listed.

  +-----------------------------------------+
  | Branch   | Release   | Estimated EoL    |
  |----------+-----------+------------------|
  |RELENG_4  |n/a        |December 31, 2003 |
  |----------+-----------+------------------|
  |RELENG_4_7|4.7-RELEASE|September 30, 2003|
  |----------+-----------+------------------|
  |RELENG_4_8|4.8-RELEASE|March 31, 2004    |
  |----------+-----------+------------------|
  |RELENG_5_1|5.1-RELEASE|December 31, 2003 |
  +-----------------------------------------+

Older releases are not maintained and users are strongly encouraged to
upgrade to one of the supported releases mentioned above.

Cheers,
--
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se

----- Forwarded message from Jacques Vidrine -----

Date: Mon, 14 Jul 2003 08:13:43 -0700 (PDT)
From: Jacques Vidrine
To: doc-committers@FreeBSD.org, cvs-doc@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: www/en/security security.sgml
Message-Id: <200307141513.h6EFDhAI067098@repoman.freebsd.org>

nectar      2003/07/14 08:13:43 PDT

  FreeBSD doc repository

  Modified files:
    en/security          security.sgml
  Log:
  Security Officer-supported branches updated:
  FreeBSD 4.6, FreeBSD 5.0 removed: they have passed the published EoL.
  FreeBSD 5.1 added.

  Revision  Changes    Path
  1.135     +5 -10     www/en/security/security.sgml
  http://cvsweb.FreeBSD.org/www/en/security/security.sgml.diff?r1=1.134&r2=1.135&f=c

----- End forwarded message -----

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 11:24:04 2003
From: Pawel Jakub Dawidek
To: Uwe Doering
Date: Mon, 14 Jul 2003 20:29:23 +0200
Message-ID: <20030714182923.GB4973@garage.freebsd.pl>
In-Reply-To: <3F110290.5060902@geminix.org>
X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc
Cc: freebsd-security@freebsd.org
Cc: "V.
Jones"
Subject: Re: jails, ipfilter & stunnel

On Sun, Jul 13, 2003 at 08:56:16AM +0200, Uwe Doering wrote:
+> >I'm setting up a server where I plan to use Jails to improve security
+> >I also have installed and am configuring ipfilter. Here are my
+> >questions:
+> >
+> >Because I'm using Jails, I will have to have multiple ip aliases on the
+> >network interface. I will use ipfilter to specify what can go to each
+> >of the addresses. (e.g., allow only incoming to port 80 on the jail
+> >running apache).
+>
+> You don't have to have multiple IP aliases for multiple jails. Or at
+> least there is no technical necessity for this (in FreeBSD 4.x, that is,
+> don't know about 5.x). If it's just about running server processes in
+> their own jail (no port number conflicts) you can have all jails on the
+> same IP address and do the IP filtering (if necessary at all in this
+> scenario) based on port numbers.

No, no, no!
You first need to realize how the kernel will choose the listen socket.
If you bind to port 22 on the main host with INADDR_ANY, you get this
INADDR_ANY, but if you bind to port 22 in a jail, even with INADDR_ANY,
it will be translated to the jail's IP. Now if there is an open port
outside the jail and inside some jail it is opened as well, guess which
socket will be chosen. The socket in the jail, because it isn't INADDR_ANY
(as I said, the kernel translates them to the jail's IP).
So from a security point of view, if someone breaks into your jail, he is
able to spoof your sshd (let's forget for a moment about server keys),
your mail server or anything else, and get your password, for example.

You can check my patch for multiple IPs in jails, which also fixes the
socket ordering behaviour.
For FreeBSD 4.x:
        http://garage.freebsd.pl/mijail.tbz
        http://garage.freebsd.pl/mijail.README
For FreeBSD 5.1-CURRENT:
        http://garage.freebsd.pl/mijail5.tbz
        http://garage.freebsd.pl/mijail5.README
        http://garage.freebsd.pl/patches/mijail5.patch

+> >Another jailed server will run mail services (pop, smtp, imap). If
+> >I want to allow users to use web based email(over ssl of course), the
+> >web server will have to communicate with the mail server. Is there
+> >a chance of "information leakage" in this type of setup?
+>
+> Only the information you transmit will leak. That is, you define the
+> information interchange between the jails, so pondering over the
+> consequences is on your plate, too. Just assume that each jail has been
+> broken into by an intruder with evil intentions and ask yourself what
+> damage he can do with the data he can gather from the other jails.
+> Paranoia in action, as it were. ;-)

If the www pages don't have dynamic elements you can mount them read-only
with mount_null(8), for example. Only logs should be writable, but you
need only one directory with the 'schg' flag and touch(1)'ed log files
inside with the 'sappnd' flag. Note that 'schg' and 'sappnd' can't be
removed in a jail even if securelevel is <= 0.

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!
                                          http://cerber.sourceforge.net

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 12:41:18 2003
From: "V. Jones"
To: freebsd-security@freebsd.org
Date: Mon, 14 Jul 2003 12:39:50 -0400 (EDT)
Subject: Re: Re: jails, ipfilter & stunnel
Message-ID: <8213881.1058211676830.JavaMail.nobody@beaker.psp.pas.earthlink.net>

>No, no, no!
>You first need to realize how the kernel will choose the listen socket.
>If you bind to port 22 on main host with INADDR_ANY, you get this >INADDR_ANY, but if you bind to 22 port in jail even with INADDR_ANY >it will be translated to jail's ip. Now if there is open port outside >jail and inside some jail it is opened as well, guess which socket will >be chosen. Socket in jail, because it isn't INADDR_ANY (as I said kernel >translate them to jail's ip). So from security point of view if someone >will break into your jail, he is able to spoof your sshd (let's forget >for a moment about server keys), your mail server or anything >and get your password for example. >You can check my patch for multiple ips in jails which also fix >sockets ordering behaviour. > For FreeBSD 4.x: > http://garage.freebsd.pl/mijail.tbz > http://garage.freebsd.pl/mijail.README > For FreeBSD 5.1-CURRENT: > http://garage.freebsd.pl/mijail5.tbz > http://garage.freebsd.pl/mijail5.README > http://garage.freebsd.pl/patches/mijail5.patch I have a feeling you're trying to tell me something important but I'm not understanding. Is this a problem only with ssh or with any server listening on a port? Does this problem occur when you share an ip address between two jailed servers or does it happen any time you use a jail? Would having ssh on a different port on each jail avoid the problem? 
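The bind and listen-socket selection behaviour Pawel describes in the quote above, as an added teaching model (not code from the thread or from the FreeBSD kernel): a small table of bound sockets with the in-jail INADDR_ANY rewrite, the EADDRINUSE check, and the specific-address-beats-wildcard lookup, run through the three setups the thread discusses (shared IP with a wildcard host daemon, shared IP with an explicitly bound host daemon, one IP per jail). The IP addresses are constructed, and SO_REUSEADDR is assumed set on every socket, as sshd does, so a wildcard and a specific bind on the same port may coexist.

```python
"""Teaching model of the jail(8) bind behaviour discussed in this thread.

Added example, not the FreeBSD kernel's code: it imitates the behaviour
described in the thread (INADDR_ANY rewritten to the jail's IP inside a
jail, a specific address beating a wildcard on the same port) and nothing
more. Assumes SO_REUSEADDR on every socket; all addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

INADDR_ANY = "0.0.0.0"


class AddrInUse(Exception):
    """Stands in for bind(2) failing with EADDRINUSE."""


@dataclass(frozen=True)
class Listener:
    owner: str   # "host" or the jail's hostname
    addr: str    # address the socket actually ended up bound to
    port: int


class PcbTable:
    """Model of the kernel's table of bound listening TCP sockets."""

    def __init__(self) -> None:
        self.listeners: List[Listener] = []

    def bind(self, owner: str, addr: str, port: int,
             jail_ip: Optional[str] = None) -> Listener:
        # Inside a jail the kernel rewrites INADDR_ANY to the jail's IP,
        # so a jailed daemon always ends up on a specific address.
        if jail_ip is not None and addr == INADDR_ANY:
            addr = jail_ip
        # The exact same address:port may not be bound twice
        # (EADDRINUSE; SO_REUSEPORT is deliberately not modelled).
        for lst in self.listeners:
            if lst.port == port and lst.addr == addr:
                raise AddrInUse(f"{addr}:{port} already bound by {lst.owner}")
        new = Listener(owner, addr, port)
        self.listeners.append(new)
        return new

    def unbind(self, owner: str, port: int) -> None:
        """The owner's daemon on that port went away (crashed or was killed)."""
        self.listeners = [lst for lst in self.listeners
                          if not (lst.owner == owner and lst.port == port)]

    def lookup(self, dst_ip: str, port: int) -> Optional[Listener]:
        # An incoming connection goes to the socket bound to the exact
        # destination address; a wildcard socket only gets it otherwise.
        same_port = [lst for lst in self.listeners if lst.port == port]
        for lst in same_port:
            if lst.addr == dst_ip:
                return lst
        for lst in same_port:
            if lst.addr == INADDR_ANY:
                return lst
        return None


HOST_IP = "192.0.2.10"   # constructed documentation address


def shared_ip_wildcard_host() -> str:
    """Host sshd and jail 'www' sshd both bind INADDR_ANY:22 on one shared
    IP. Returns who answers a connection to the server's IP on port 22."""
    t = PcbTable()
    t.bind("host", INADDR_ANY, 22)
    t.bind("www", INADDR_ANY, 22, jail_ip=HOST_IP)
    return t.lookup(HOST_IP, 22).owner          # the jail's socket wins


def shared_ip_explicit_host() -> str:
    """Uwe's mitigation: the host daemon binds its IP explicitly (sshd
    ListenAddress), so the jailed daemon's bind to the same address fails."""
    t = PcbTable()
    t.bind("host", HOST_IP, 22)
    try:
        t.bind("www", INADDR_ANY, 22, jail_ip=HOST_IP)
    except AddrInUse:
        return "jail bind refused"
    return "jail bind accepted"


def shared_ip_host_daemon_gone() -> str:
    """Pawel's caveat: explicit binding only protects while the host daemon
    holds the port; once it is gone, the jail can take the address."""
    t = PcbTable()
    t.bind("host", HOST_IP, 22)
    t.unbind("host", 22)
    t.bind("www", INADDR_ANY, 22, jail_ip=HOST_IP)
    return t.lookup(HOST_IP, 22).owner


def separate_ips() -> Dict[str, str]:
    """Pawel's advice: host and every jail get their own IP, so no jail can
    ever sit on the host's address:port."""
    t = PcbTable()
    t.bind("host", HOST_IP, 22)
    t.bind("www", INADDR_ANY, 22, jail_ip="192.0.2.11")    # constructed
    t.bind("mail", INADDR_ANY, 22, jail_ip="192.0.2.12")   # constructed
    return {ip: t.lookup(ip, 22).owner
            for ip in (HOST_IP, "192.0.2.11", "192.0.2.12")}


if __name__ == "__main__":
    print("shared IP, host on INADDR_ANY    ->", shared_ip_wildcard_host())
    print("shared IP, host bound explicitly ->", shared_ip_explicit_host())
    print("shared IP, host daemon gone      ->", shared_ip_host_daemon_gone())
    print("separate IPs                     ->", separate_ips())
```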
From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 13:18:05 2003
From: Uwe Doering
Date: Mon, 14 Jul 2003 22:17:37 +0200
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org, "V. Jones"
Subject: Re: jails, ipfilter & stunnel

Pawel Jakub Dawidek wrote:
> On Sun, Jul 13, 2003 at 08:56:16AM +0200, Uwe Doering wrote:
> > >I'm setting up a server where I plan to use Jails to improve security
> > >I also have installed and am configuring ipfilter. Here are my
> > >questions:
> > >
> > >Because I'm using Jails, I will have to have multiple ip aliases on the
> > >network interface. I will use ipfilter to specify what can go to each
> > >of the addresses. (e.g., allow only incoming to port 80 on the jail
> > >running apache).
> >
> > You don't have to have multiple IP aliases for multiple jails. Or at
> > least there is no technical necessity for this (in FreeBSD 4.x, that is,
> > don't know about 5.x). If it's just about running server processes in
> > their own jail (no port number conflicts) you can have all jails on the
> > same IP address and do the IP filtering (if necessary at all in this
> > scenario) based on port numbers.
>
> No, no, no!
>
> You first need to realize how the kernel will choose the listen socket.
> If you bind to port 22 on the main host with INADDR_ANY, you get this
> INADDR_ANY, but if you bind to port 22 in a jail, even with INADDR_ANY,
> it will be translated to the jail's IP. Now if there is an open port outside
> the jail and inside some jail it is opened as well, guess which socket will
> be chosen. The socket in the jail, because it isn't INADDR_ANY (as I said, the kernel
> translates them to the jail's IP). So from a security point of view, if someone
> breaks into your jail, he is able to spoof your sshd (let's forget
> for a moment about server keys), your mail server or anything else
> and get your password, for example.

Good point. I forgot to mention that you should bind daemons running outside the jails explicitly to the server's IP address. This circumvents the problem you've pointed out. But I agree with you that people would be less likely to shoot themselves in the foot if the kernel took care of things in this situation.

> You can check my patch for multiple IPs in jails, which also fixes the
> sockets ordering behaviour.
>
> For FreeBSD 4.x:
> http://garage.freebsd.pl/mijail.tbz
> http://garage.freebsd.pl/mijail.README
> For FreeBSD 5.1-CURRENT:
> http://garage.freebsd.pl/mijail5.tbz
> http://garage.freebsd.pl/mijail5.README
> http://garage.freebsd.pl/patches/mijail5.patch

Thanks for the patches. Did you try to contribute them to the FreeBSD project? If so, any reaction so far?
> > >Another jailed server will run mail services (pop, smtp, imap). If
> > >I want to allow users to use web based email (over ssl of course), the
> > >web server will have to communicate with the mail server. Is there
> > >a chance of "information leakage" in this type of setup?
> >
> > Only the information you transmit will leak. That is, you define the
> > information interchange between the jails, so pondering over the
> > consequences is on your plate, too. Just assume that each jail has been
> > broken into by an intruder with evil intentions and ask yourself what
> > damage he can do with the data he can gather from the other jails.
> > Paranoia in action, as it were. ;-)
>
> If www pages don't have dynamic elements you can mount them read-only
> with mount_null(8), for example. Only logs should be writable, but you
> need only one directory with the 'schg' flag and touch(1)'ed log files
> inside it with the 'sappnd' flag. Note that 'schg' and 'sappnd' can't be removed
> in a jail even if securelevel is <= 0.

Just be careful with mount_null(8). You might get away with it unscathed if you use it read-only, but you shouldn't try anything else with it. Last time I checked I managed to panic the kernel with it even faster than with mount_union(8), which is badly broken as well (look at the comment at the end of the man pages). I wouldn't recommend using either in a production system. My two cents.

Uwe

--
Uwe Doering                 | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org          | http://www.escapebox.net

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 13:47:00 2003
From: Pawel Jakub Dawidek
Date: Mon, 14 Jul 2003 22:52:31 +0200
To: Uwe Doering
Cc: freebsd-security@freebsd.org, "V. Jones"
Subject: Re: jails, ipfilter & stunnel
On Mon, Jul 14, 2003 at 10:17:37PM +0200, Uwe Doering wrote:
> >You can check my patch for multiple IPs in jails, which also fixes the
> >sockets ordering behaviour.
> >
> > For FreeBSD 4.x:
> > http://garage.freebsd.pl/mijail.tbz
> > http://garage.freebsd.pl/mijail.README
> > For FreeBSD 5.1-CURRENT:
> > http://garage.freebsd.pl/mijail5.tbz
> > http://garage.freebsd.pl/mijail5.README
> > http://garage.freebsd.pl/patches/mijail5.patch
>
> Thanks for the patches. Did you try to contribute them to the FreeBSD
> project? If so, any reaction so far?

Of course I've tried, but as you can see...:)

> >If www pages don't have dynamic elements you can mount them read-only
> >with mount_null(8), for example. Only logs should be writable, but you
> >need only one directory with the 'schg' flag and touch(1)'ed log files
> >inside it with the 'sappnd' flag. Note that 'schg' and 'sappnd' can't be removed
> >in a jail even if securelevel is <= 0.
>
> Just be careful with mount_null(8). You might get away with it
> unscathed if you use it read-only, but you shouldn't try anything else
> with it. Last time I checked I managed to panic the kernel with it even
> faster than with mount_union(8), which is badly broken as well (look at
> the comment at the end of the man pages). I wouldn't recommend using
> either in a production system.

You could always try to use NFS on the local machine, but those comments at the end of the manual pages should be removed in 5.x (for unionfs as well). There are developers that work on this - tjr@ on nullfs and das@ on unionfs.

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!
http://cerber.sourceforge.net

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 13:50:48 2003
From: "V. Jones"
Date: Mon, 14 Jul 2003 13:49:20 -0400 (EDT)
To: freebsd-security@freebsd.org
Subject: Re: Re: Re: jails, ipfilter & stunnel
> > > No, no, no!
> > >
> > > You first need to realize how the kernel will choose the listen socket.
> > > If you bind to port 22 on the main host with INADDR_ANY, you get this
> > > INADDR_ANY, but if you bind to port 22 in a jail, even with INADDR_ANY,
> > > it will be translated to the jail's IP. Now if there is an open port outside
> > > the jail and inside some jail it is opened as well, guess which socket will
> > > be chosen. The socket in the jail, because it isn't INADDR_ANY (as I said, the kernel
> > > translates them to the jail's IP). So from a security point of view, if someone
> > > breaks into your jail, he is able to spoof your sshd (let's forget
> > > for a moment about server keys), your mail server or anything else
> > > and get your password, for example.
> >
> > Good point. I forgot to mention that you should bind daemons running
> > outside the jails explicitly to the server's IP address. This
> > circumvents the problem you've pointed out. But I agree with you that
> > people would be less likely to shoot themselves in the foot if the
> > kernel took care of things in this situation.

Oh - okay. The directions I followed in "Absolute BSD" had me configure all daemons so that they only listened on the main IP address. Is this what you guys are talking about? Actually, the book said the jailed server wouldn't even start if this wasn't done.

For example, in my /etc/ssh/sshd_config:

 ListenAddress x.x.x.8

From owner-freebsd-security@FreeBSD.ORG Mon Jul 14 14:09:45 2003
From: Pawel Jakub Dawidek
Date: Mon, 14 Jul 2003 23:15:18 +0200
To: "V. Jones"
Cc: freebsd-security@freebsd.org
Subject: Re: Re: jails, ipfilter & stunnel

On Mon, Jul 14, 2003 at 12:39:50PM -0400, V. Jones wrote:
> >You can check my patch for multiple IPs in jails, which also fixes the
> >sockets ordering behaviour.
> >
> > For FreeBSD 4.x:
> > http://garage.freebsd.pl/mijail.tbz
> > http://garage.freebsd.pl/mijail.README
> > For FreeBSD 5.1-CURRENT:
> > http://garage.freebsd.pl/mijail5.tbz
> > http://garage.freebsd.pl/mijail5.README
> > http://garage.freebsd.pl/patches/mijail5.patch
>
> I have a feeling you're trying to tell me something important
> but I'm not understanding. Is this a problem only with ssh or
> with any server listening on a port? Does this problem occur
> when you share an IP address between two jailed servers or does
> it happen any time you use a jail? Would having ssh on a
> different port on each jail avoid the problem?

No, because an attacker is able to spoof your daemons from the main host or other jails. Even if you're bound to a valid IP (not INADDR_ANY) there could always be a chance to DoS an existing daemon and reuse its port.

My advice is simple: every jail and the main host should have its own IP address.

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!
http://cerber.sourceforge.net

From owner-freebsd-security@FreeBSD.ORG Tue Jul 15 00:13:34 2003
From: Uwe Doering
Date: Tue, 15 Jul 2003 09:12:53 +0200
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org, "V. Jones"
Subject: Re: jails, ipfilter & stunnel
Pawel Jakub Dawidek wrote:
> On Mon, Jul 14, 2003 at 12:39:50PM -0400, V. Jones wrote:
> > >You can check my patch for multiple IPs in jails, which also fixes the
> > >sockets ordering behaviour.
> > >
> > > For FreeBSD 4.x:
> > > http://garage.freebsd.pl/mijail.tbz
> > > http://garage.freebsd.pl/mijail.README
> > > For FreeBSD 5.1-CURRENT:
> > > http://garage.freebsd.pl/mijail5.tbz
> > > http://garage.freebsd.pl/mijail5.README
> > > http://garage.freebsd.pl/patches/mijail5.patch
> >
> > I have a feeling you're trying to tell me something important
> > but I'm not understanding. Is this a problem only with ssh or
> > with any server listening on a port? Does this problem occur
> > when you share an IP address between two jailed servers or does
> > it happen any time you use a jail? Would having ssh on a
> > different port on each jail avoid the problem?
>
> No, because an attacker is able to spoof your daemons from the main host or
> other jails. Even if you're bound to a valid IP (not INADDR_ANY) there
> could always be a chance to DoS an existing daemon and reuse its port.
>
> My advice is simple: every jail and the main host should have its own IP address.

This is certainly the best solution, if you have multiple IP addresses at your disposal. What I was trying to point out is that there is no _technical_ reason for separate IP addresses with regard to FreeBSD's jail implementation. In cases where you cannot easily get additional IP addresses, on a rented server in a data center, for instance, running multiple jails on the same IP address (with the necessary safety precautions like binding daemons to IP addresses explicitly) is still far better than no jails at all. The difference is that it takes at least some skill and insight into FreeBSD internals to compromise the system as a whole in the former case, while in the latter each and every script kiddy can take over your entire server in no time.

Uwe

--
Uwe Doering                 | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org          | http://www.escapebox.net

From owner-freebsd-security@FreeBSD.ORG Tue Jul 15 00:19:04 2003
From: Uwe Doering
Date: Tue, 15 Jul 2003 09:19:00 +0200
To: "V. Jones"
Cc: freebsd-security@freebsd.org
Subject: Re: jails, ipfilter & stunnel
V. Jones wrote:
>>Good point. I forgot to mention that you should bind daemons running
>>outside the jails explicitly to the server's IP address. This
>>circumvents the problem you've pointed out. But I agree with you that
>>people would be less likely to shoot themselves in the foot if the
>>kernel took care of things in this situation.
>
> Oh - okay. The directions I followed in "Absolute BSD" had me configure
> all daemons so that they only listened on the main IP address. Is this
> what you guys are talking about? Actually, the book said the jailed
> server wouldn't even start if this wasn't done.
>
> For example, in my /etc/ssh/sshd_config:
>
> ListenAddress x.x.x.8

Yes, this is the way to do it.

Uwe

--
Uwe Doering                 | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org          | http://www.escapebox.net

From owner-freebsd-security@FreeBSD.ORG Tue Jul 15 02:06:36 2003
From: Pawel Jakub Dawidek
Date: Tue, 15 Jul 2003 11:12:11 +0200
To: Uwe Doering
Cc: freebsd-security@freebsd.org, "V. Jones"
Subject: Re: jails, ipfilter & stunnel

On Tue, Jul 15, 2003 at 09:12:53AM +0200, Uwe Doering wrote:
> >My advice is simple: every jail and the main host should have its own IP
> >address.
>
> This is certainly the best solution, if you have multiple IP addresses
> at your disposal. What I was trying to point out is that there is no
> _technical_ reason for separate IP addresses with regard to FreeBSD's
> jail implementation. In cases where you cannot easily get additional IP
> addresses, on a rented server in a data center, for instance, running
> multiple jails on the same IP address (with the necessary safety
> precautions like binding daemons to IP addresses explicitly) is still
> far better than no jails at all. The difference is that it takes at
> least some skill and insight into FreeBSD internals to compromise the
> system as a whole in the former case, while in the latter each and every
> script kiddy can take over your entire server in no time.

IMHO security solutions that are "harder to break" aren't security solutions.

There is a secure method: you can always use CerbNG:)

 http://cerber.sourceforge.net

Now you need to create such a policy:

 if (syscall == SYS_bind && isjailed() &&
     (getfamily(arg[1]) == AF_INET || getfamily(arg[1]) == AF_INET6)) {
         permit = 1;
         port = getport(arg[1]);
         host = getjailhost();
         if (host == "apache" && port != 80 && port != 443) {
                 permit = 0;
         }
         if (host == "smtp" && port != 25) {
                 permit = 0;
         }
         if (host == "pop3" && port != 110 && port != 995) {
                 permit = 0;
         }
         if (!permit) {
                 log(LOG_WARNING, "CerbNG: Process %s [pid=%u] from jail %s "
                     "is trying to bind to port %u!", pname, pid, host, port);
                 return EPERM;
         }
 }

Now processes jailed in the prison with hostname "apache" can bind only to port 80 or 443, etc.

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!
http://cerber.sourceforge.net

From owner-freebsd-security@FreeBSD.ORG Tue Jul 15 02:23:27 2003
From: peter dunaskin
Date: Tue, 15 Jul 2003 12:23:03 +0300
To: gemini@geminix.org
Cc: freebsd-security@freebsd.org
Subject: Re: jails, ipfilter & stunnel

did i miss something, or why has no one mentioned using private [unreal, localhost, whatever..] addresses for all jails? for example you can bind nat ips on your second nic [or loopback], different ip's for different jails. then you can portforward whatever you want to the jails. in my case, all jails are firewalled out and i let in only the traffic i need to get in/out. i can send config files [jail scripts, firewall rules..]

p.

From owner-freebsd-security@FreeBSD.ORG Tue Jul 15 03:28:22 2003
From: Uwe Doering
Date: Tue, 15 Jul 2003 12:28:14 +0200
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org, "V. Jones"
Subject: Re: jails, ipfilter & stunnel
Jones" Subject: Re: jails, ipfilter & stunnel X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Jul 2003 10:28:23 -0000 Pawel Jakub Dawidek wrote: > On Tue, Jul 15, 2003 at 09:12:53AM +0200, Uwe Doering wrote: > +> >My advice is simple: every jail and main host should have its own IP > +> >address. > +> > +> This is certainly the best solution, if you have multiple IP addresses > +> at your disposal. What I was trying to point out is that there is no > +> _technical_ reason for separate IP addresses with regard to FreeBSD's > +> jail implementation. In cases where you cannot easily get additional IP > +> addresses, on a rented server in a data center, for instance, running > +> multiple jails on the same IP address (with the necessary safety > +> precautions like binding daemons to IP addresses explicitly) is still > +> far better than no jails at all. The difference is that it takes at > +> least some skill and insight into FreeBSD internals to compromise the > +> system as a whole in the former case, while in the latter each and every > +> script kiddy can take over your entire server in no time. > > IMHO security solutions that are "harder to break", aren't security > solutions. Sure, everybody should afford an opinion. However, as you are certainly aware there is no absolute security, no magic bullet. Security is like an onion, with multiple layers. You grab as many layers as you can under the given circumstances and try to make the best of it. If the person responsible for server security is willing to add third party code to the kernel (as you suggest) he might be rewarded with an additional layer. I say "might" because there is always the risk of introducing instability with changes like these. 
If he would rather not touch the kernel he has to put up with a lower degree of security. In the end it boils down to an assessment of how much security you really need with regard to what you are trying to protect. Otherwise you quickly end up in overkill (to the delight of the security industry, undoubtedly).

Uwe

--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net

From owner-freebsd-security@FreeBSD.ORG Tue Jul 15 03:53:44 2003
Date: Tue, 15 Jul 2003 12:59:19 +0200
From: Pawel Jakub Dawidek
To: Uwe Doering
cc: freebsd-security@freebsd.org
cc: "V. Jones"
Message-ID: <20030715105919.GM4973@garage.freebsd.pl>
In-Reply-To: <3F13D73E.1020506@geminix.org>
Subject: Re: jails, ipfilter & stunnel

On Tue, Jul 15, 2003 at 12:28:14PM +0200, Uwe Doering wrote:
> > IMHO security solutions that are "harder to break", aren't security
> > solutions.
>
> Sure, everybody should afford an opinion. However, as you are certainly
> aware there is no absolute security, no magic bullet. Security is like
> an onion, with multiple layers. You grab as many layers as you can
> under the given circumstances and try to make the best of it.

Yes, you're right, but I'm not talking about this. For example: you want to deny users the ability to see other users' processes. What can you do:

1. chmod a-x /bin/ps.
2. sysctl security.bsd.see_other_uids=0

The 1st solution isn't too secure :) and I'm talking about this. You're aware of its "incompleteness". It is "harder to break", because someone has to run top(1) or his own ps(1), but please... The 2nd solution is the right one, because it is complete and it isn't against lazy "attackers". Of course there could be a bug in the implementation, but you aren't aware of it and we aren't talking about this here. The important thing is that it is tight. Risk calculation problem is another topic.

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!
http://cerber.sourceforge.net

From owner-freebsd-security@FreeBSD.ORG Tue Jul 15 09:17:45 2003
Date: Tue, 15 Jul 2003 09:19:09 -0700
From: Nicholas Esborn
To: Uwe Doering
Message-ID: <20030715161909.GA6394@carbon.berkeley.netdot.net>
In-Reply-To: <3F13A975.7020508@geminix.org>
cc: "V. Jones"
cc: freebsd-security@freebsd.org
Subject: Re: jails, ipfilter & stunnel

On Tue, Jul 15, 2003 at 09:12:53AM +0200, Uwe Doering wrote:
> Pawel Jakub Dawidek wrote:
> > No, because an attacker is able to spoof your daemons from main host or
> > other jails. Even if you're bound to a valid IP (not INADDR_ANY) there
> > could be always a chance to DoS existing daemon and reuse its port.
> >
> > My advice is simple: every jail and main host should have its own IP
> > address.
>
> This is certainly the best solution, if you have multiple IP addresses
> at your disposal. What I was trying to point out is that there is no
> _technical_ reason for separate IP addresses with regard to FreeBSD's
> jail implementation. In cases where you cannot easily get additional IP
> addresses, on a rented server in a data center, for instance, running
> multiple jails on the same IP address (with the necessary safety
> precautions like binding daemons to IP addresses explicitly) is still
> far better than no jails at all. The difference is that it takes at
> least some skill and insight into FreeBSD internals to compromise the
> system as a whole in the former case, while in the latter each and every
> script kiddy can take over your entire server in no time.

Would it be useful to create multiple IP aliases on lo0, i.e. 127.0.0.2, 127.0.0.3, bind the jails to those, then use ipfw, ipf/ipnat, or a TCP proxy to connect ports on the server's real IP to services bound to the lo0 aliases? I can imagine that this technique might not work for services which identify the IP address to which they bind, but surely it could work in some cases?
-nick

From owner-freebsd-security@FreeBSD.ORG Tue Jul 15 10:34:53 2003
Date: Tue, 15 Jul 2003 12:34:36 -0500
From: Jon Disnard
To: freebsd-security@freebsd.org
Message-ID: <3F143B2C.30706@linuxpowered.com>
Subject: filesystem firewall rules

Hello all,

I am attempting to install and test the MAC framework. I will start with ugidfw(8) to NOT allow a group of users to access a certain filesystem object. However, I cannot get it to work, and I would appreciate it if anybody reading this would send me a snippet of their ugidfw rules and associated mac.conf settings. I've read all the docs I can find, and googled to no avail. I hope that one of the MAC developers could spare a moment to help me here.

Thanks in advance.
-Jon

From owner-freebsd-security@FreeBSD.ORG Tue Jul 15 18:06:34 2003
Date: Wed, 16 Jul 2003 09:09:09 +0800
From: Ng Pheng Siong
To: Nicholas Esborn
cc: freebsd-security@freebsd.org
cc: "V. Jones"
Message-ID: <20030716010909.GD832@vista.netmemetic.com>
In-Reply-To: <20030715161909.GA6394@carbon.berkeley.netdot.net>
Subject: Re: jails, ipfilter & stunnel

On Tue, Jul 15, 2003 at 09:19:09AM -0700, Nicholas Esborn wrote:
> Would it be useful to create multiple IP aliases on lo0, i.e. 127.0.0.2,
> 127.0.0.3, bind the jails to those, then use ipfw, ipf/ipnat, or a TCP
> proxy to connect ports on the server's real IP to services bound to the
> lo0 aliases?

Yup, I do that on some of my machines. Mostly works. Easy to experiment with, too.
--
Ng Pheng Siong
http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes
http://www.post1.com/home/ngps -+- Open Source Python Crypto & SSL

From owner-freebsd-security@FreeBSD.ORG Fri Jul 18 09:01:32 2003
Date: Fri, 18 Jul 2003 11:01:27 -0500
From: Chris Boyd
To: freebsd-security@freebsd.org
Message-Id: <16AB7B3E-B939-11D7-A73C-00039375B178@gizmopartners.com>
Subject: ASMTP setup on 4.8

Hello,

I'm trying to set up a sendmail server on 4.8 that supports auth-based relaying. I followed the procedures at http://puresimplicity.net/~hemi/freebsd/sendmail.html, and aside from having to run makes manually in the library directories, I had no difficulty. I did not use the rebuild world recommendation, though.

Everything is up and running, but whenever I try to send mail through it, I always get a mismatch on the user/pass, even though they are correct. Any recommendations?

Thanks!
From owner-freebsd-security@FreeBSD.ORG Fri Jul 18 09:28:31 2003
Date: Sat, 19 Jul 2003 01:28:23 +0900
From: Hajimu UMEMOTO
To: Chris Boyd
cc: freebsd-security@freebsd.org
In-Reply-To: <16AB7B3E-B939-11D7-A73C-00039375B178@gizmopartners.com>
Subject: Re: ASMTP setup on 4.8

Hi,

>>>>> On Fri, 18 Jul 2003 11:01:27 -0500
>>>>> Chris Boyd said:
cboyd> I'm trying to set up a sendmail server on 4.8 that supports auth-based
cboyd> relaying. I followed the procedures at
cboyd> http://puresimplicity.net/~hemi/freebsd/sendmail.html, and aside from
cboyd> having to run makes manually in the library directories, I had no
cboyd> difficulty. I did not use the rebuild world recommendation, though.

cboyd> Everything is up and running, but whenever I try to send mail through
cboyd> it, I always get a mismatch on the user/pass, even though they are
cboyd> correct. Any recommendations?

The page explains the setup using saslauthd. Recently, saslauthd was separated from the cyrus-sasl2 port for some reason. If you don't have /usr/local/sbin/saslauthd installed on your system, you need to install it from ports/security/cyrus-sasl2-saslauthd, too. In addition, you need to change /usr/local/lib/sasl2/Sendmail.conf to use saslauthd like:

pwcheck_method: saslauthd

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-security@FreeBSD.ORG Fri Jul 18 10:26:11 2003
Date: Fri, 18 Jul 2003 12:25:47 -0500
From: Chris Boyd
To: Hajimu UMEMOTO
cc: freebsd-security@freebsd.org
Subject: Re: ASMTP setup on 4.8

Thanks! This and adding

sasl_saslauthd_flags="-a getpwent"

to /etc/rc.conf fixes the problem.

--Chris

On Friday, July 18, 2003, at 11:28 AM, Hajimu UMEMOTO wrote:

> Hi,
>
> >>>>> On Fri, 18 Jul 2003 11:01:27 -0500
> >>>>> Chris Boyd said:
>
> cboyd> I'm trying to set up a sendmail server on 4.8 that supports auth-based
> cboyd> relaying. I followed the procedures at
> cboyd> http://puresimplicity.net/~hemi/freebsd/sendmail.html, and aside from
> cboyd> having to run makes manually in the library directories, I had no
> cboyd> difficulty. I did not use the rebuild world recommendation, though.
>
> cboyd> Everything is up and running, but whenever I try to send mail through
> cboyd> it, I always get a mismatch on the user/pass, even though they are
> cboyd> correct. Any recommendations?
>
> The page explains the setup of using saslauthd. Recently, saslauthd
> was separated from cyrus-sasl2 port for some reason. If you don't
> have /usr/local/sbin/saslauthd installed in your system, you need to
> install it from ports/security/cyrus-sasl2-saslauthd, too.
> In addition, you need to change /usr/local/lib/sasl2/Sendmail.conf to use
> saslauthd like:
>
> pwcheck_method: saslauthd
>
> Sincerely,
>
> --
> Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
> ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
> http://www.imasy.org/~ume/

From owner-freebsd-security@FreeBSD.ORG Fri Jul 18 11:39:56 2003
Date: Sat, 19 Jul 2003 03:39:49 +0900
From: Hajimu UMEMOTO
To: Chris Boyd
cc: freebsd-security@freebsd.org
Subject: Re: ASMTP setup on 4.8
Hi,

>>>>> On Fri, 18 Jul 2003 12:25:47 -0500
>>>>> Chris Boyd said:

cboyd> Thanks!

You are welcome.

cboyd> This and adding
cboyd> sasl_saslauthd_flags="-a getpwent"
cboyd> to /etc/rc.conf fixes the problem.

Do you mean that PAM did not work for you? I've just tested it and saw that saslauthd is working with PAM here on my 4.8-RELEASE box.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-security@FreeBSD.ORG Fri Jul 18 12:14:10 2003
Date: Fri, 18 Jul 2003 12:14:08 -0700
From: "Drew Tomlinson"
To: "Hajimu UMEMOTO", "Chris Boyd"
cc: freebsd-security@freebsd.org
Message-ID: <039801c34d60$c3e59cb0$6e2a6ba5@lc.ca.gov>
Subject: Re: ASMTP setup on 4.8
----- Original Message -----
From: "Hajimu UMEMOTO"
To: "Chris Boyd"
Sent: Friday, July 18, 2003 11:39 AM
Subject: Re: ASMTP setup on 4.8

> Hi,
>
> >>>>> On Fri, 18 Jul 2003 12:25:47 -0500
> >>>>> Chris Boyd said:
>
> cboyd> Thanks!
>
> You are welcome.
>
> cboyd> This and adding
> cboyd> sasl_saslauthd_flags="-a getpwent"
> cboyd> to /etc/rc.conf fixes the problem.
>
> Do you mean that PAM did not work for you? I've just tested it and saw
> that saslauthd is working with PAM here on my 4.8-RELEASE box.

I've been trying to get saslauthd working with PAM on my 4.8-RELEASE but have been unsuccessful. I installed saslauthd from the ports. One of the problems is that the man page is unreadable. Is there some way to fix it?

It's been a few weeks since I looked at it but I recall having to create a /usr/local/lib/sasl2/smtpd.conf file. What should the correct contents be? And what might I need to put in /etc/pam.conf to make it all work?

Thank you,

Drew

From owner-freebsd-security@FreeBSD.ORG Fri Jul 18 13:11:02 2003
Date: Sat, 19 Jul 2003 05:10:53 +0900
From: Hajimu UMEMOTO
To: "Drew Tomlinson"
In-Reply-To: <039801c34d60$c3e59cb0$6e2a6ba5@lc.ca.gov>
cc: Chris Boyd
cc: freebsd-security@freebsd.org
Subject: Re: ASMTP setup on 4.8

Hi,

>>>>> On Fri, 18 Jul 2003 12:14:08 -0700
>>>>> "Drew Tomlinson" said:

drew> I've been trying to get saslauthd working with PAM on my 4.8-RELEASE but
drew> have been unsuccessful.

Umm, it's strange. Actually, I didn't change any PAM related settings, and it is working here.

drew> I installed saslauthd from the ports. One of the problems is
drew> that the man page is unreadable. Is there some way to fix it?

Okay, I found the problem, and I've just committed the fix. Please re-cvsup and try it.

drew> It's been a few weeks since I looked at it but I recall having to create
drew> a /usr/local/lib/sasl2/smtpd.conf file. What should the correct
drew> contents be?

Though I have no experience with postfix, I heard that /usr/local/lib/sasl2/smtpd.conf is for postfix. Are you using sendmail? If so, it should be /usr/local/lib/sasl2/Sendmail.conf.

drew> And what might I need to put in /etc/pam.conf to make it all work.

The `other' entries which are provided as default should be sufficient for saslauthd.
I didn't make any changes to my /etc/pam.conf.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-security@FreeBSD.ORG Fri Jul 18 13:27:06 2003
Date: Fri, 18 Jul 2003 13:26:56 -0700
From: "Drew Tomlinson"
To: "Hajimu UMEMOTO"
cc: Chris Boyd
cc: freebsd-security@freebsd.org
Message-ID: <03cf01c34d6a$f3002150$6e2a6ba5@lc.ca.gov>
Subject: Re: ASMTP setup on 4.8

----- Original Message -----
From: "Hajimu UMEMOTO"
To: "Drew Tomlinson"
Cc: "Chris Boyd" ;
Sent: Friday, July 18, 2003 1:10 PM
Subject: Re: ASMTP setup on 4.8

> Hi,
>
> >>>>> On Fri, 18 Jul 2003 12:14:08 -0700
> >>>>> "Drew Tomlinson" said:
>
> drew> I've been trying to get saslauthd working with PAM on my 4.8-RELEASE but
> drew> have been unsuccessful.
>
> Umm, it's strange. Actually, I didn't change any PAM related
> settings, and it is working here.
>
> drew> I installed saslauthd from the ports. One of the problems is
> drew> that the man page is unreadable. Is there some way to fix it?
>
> Okay, I found the problem, and I've just committed the fix. Please
> re-cvsup and try it.

Thanks!!!

> drew> It's been a few weeks since I looked at it but I recall having to create
> drew> a /usr/local/lib/sasl2/smtpd.conf file. What should the correct
> drew> contents be?
>
> Though I have no experience with postfix, I heard that
> /usr/local/lib/sasl2/smtpd.conf is for postfix. Are you using
> sendmail? If so, it should be /usr/local/lib/sasl2/Sendmail.conf.

Yes, I'm using Postfix.

> drew> And what might I need to put in /etc/pam.conf to make it all work.
>
> The `other' entries which are provided as default should be sufficient
> for saslauthd. I didn't make any changes to my /etc/pam.conf.

OK, thanks. I'll verify my pam.conf against the default. I don't know what I may have added trying to get it all working. I'll let you know the results.
Cheers,

Drew

From owner-freebsd-security@FreeBSD.ORG Fri Jul 18 13:57:49 2003
Date: Sat, 19 Jul 2003 05:57:42 +0900
From: Hajimu UMEMOTO
To: "Drew Tomlinson"
cc: Chris Boyd
cc: freebsd-security@freebsd.org
In-Reply-To: <03cf01c34d6a$f3002150$6e2a6ba5@lc.ca.gov>
Subject: Re: ASMTP setup on 4.8
Hi,

>>>>> On Fri, 18 Jul 2003 13:26:56 -0700
>>>>> "Drew Tomlinson" said:

> Okay, I found the problem, and I've just committed the fix. Please
> re-cvsup and try it.

drew> Thanks!!!

You are welcome.

> drew> It's been a few weeks since I looked at it but I recall having to create
> drew> a /usr/local/lib/sasl2/smtpd.conf file. What should the correct
> drew> contents be?
>
> Though I have no experience with postfix, I heard that
> /usr/local/lib/sasl2/smtpd.conf is for postfix. Are you using
> sendmail? If so, it should be /usr/local/lib/sasl2/Sendmail.conf.

drew> Yes, I'm using Postfix.

I see. Is your postfix able to access /var/state/saslauthd? It should be:

drwxrwx---  2 cyrus  mail  512 Jul 19 04:52 saslauthd

The old cyrus-sasl2 port made the directory with the wrong permission, and postfix couldn't access it. This problem was corrected. I believe the postfix user belongs to the mail group, so that postfix can access the directory.

Oops, I didn't answer your question.
If you want to use saslauthd for plain text password, the correct contents of smtpd.conf should be: pwcheck_method: saslauthd Sincerely, -- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/ From owner-freebsd-security@FreeBSD.ORG Sat Jul 19 16:51:50 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2E5C337B401 for ; Sat, 19 Jul 2003 16:51:50 -0700 (PDT) Received: from ms-smtp-02.texas.rr.com (ms-smtp-02.texas.rr.com [24.93.36.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id 28F4C43FA3 for ; Sat, 19 Jul 2003 16:51:49 -0700 (PDT) (envelope-from cboyd@gizmopartners.com) Received: from gizmopartners.com (cs24359-109.austin.rr.com [24.243.59.109]) h6JNpgef000650; Sat, 19 Jul 2003 18:51:46 -0500 (CDT) Date: Sat, 19 Jul 2003 18:51:42 -0500 Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v552) From: Chris Boyd To: freebsd-security@freebsd.org Content-Transfer-Encoding: 7bit In-Reply-To: Message-Id: X-Mailer: Apple Mail (2.552) Subject: Re: ASMTP setup on 4.8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 19 Jul 2003 23:51:50 -0000 Thanks to Hajimu UMEMOTO, Sergey Dorokhov and Josh Tolbert for helping me get this figured out. What follows is a very terse procedure for getting ASMTP, IMAP and POP over SSL running. --Chris See http://puresimplicity.net/~hemi/freebsd/sendmail.html for original procedures. 
cd /usr/ports/mail/cclient
make -DWITH_SSL_AND_PLAINTEXT=yes install
cd /usr/ports/mail/imap-uw
make -DWITH_SSL_AND_PLAINTEXT=yes install

Put these in /etc/inetd.conf

imaps stream tcp nowait root /usr/local/libexec/imapd imapd
pop3s stream tcp nowait root /usr/local/libexec/ipop3d ipop3d

kill -HUP

cd /usr/ports/security/cyrus-sasl2
make install
cd /usr/ports/security/cyrus-sasl2-saslauthd/
make install

Add these lines to /etc/rc.conf

########## Start SASLAUTHD and look at local passwds
sasl_saslauthd_enable="YES"
sasl_saslauthd_flags="-a getpwent"

Add these lines to /etc/make.conf

# SASL (cyrus-sasl v2) sendmail build flags...
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
# Adding to enable alternate port (smtps) for sendmail...
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL

Build sendmail from the source tree. (Does /etc/make.conf work if
building from ports?)

cd /usr/src/usr.sbin/sendmail
make clean
make depend
make

(My make stopped at

cc: /usr/src/usr.sbin/sendmail/../../lib/libsmutil/libsmutil.a: No such file or directory
cc: /usr/src/usr.sbin/sendmail/../../lib/libsm/libsm.a: No such file or directory

I remedied by doing

cd ../../lib/libsmutil/
make
cd /usr/src/usr.sbin/sendmail
cd ../../lib/libsm
make

and then continuing

cd /usr/src/usr.sbin/sendmail
make
)

make install

Do the SSL cert creation. Don't forget to put the hostname in when it
asks for the common name.

mkdir /etc/mail/certs
cd /etc/mail/certs
openssl dsaparam 1024 -out dsa1024.pem
openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout mykey.pem
rm dsa1024.pem
chmod -R 600 /etc/mail/certs/*

Tell sendmail to use saslauthd to check passwords

vi /usr/local/lib/sasl2/Sendmail.conf

and change the line to read

pwcheck_method: saslauthd

Set up sendmail by editing the host's mc file and adding these just
above the MAILER(local) line

define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

Rebuild the cf files

make all install restart

Probably ought to do a good reboot about now to make sure everything
gets started correctly (mainly saslauthd).
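As an added example, not from the thread, the ports, or Chris's procedure: a small POSIX sh script that checks, after the steps above have been run, the three things the thread turns on. Hajimu's message: /var/state/saslauthd must be drwxrwx--- and owned by group mail or the MTA cannot reach the socket; the SASL config (Sendmail.conf for sendmail, smtpd.conf for postfix) must say pwcheck_method: saslauthd; and Chris's chmod 600 means the key and certificate under /etc/mail/certs must not be group- or world-readable. The paths and the expected mode and group are the thread's; the function names are my own, and every path can be overridden per call so the checks can be run against a scratch directory instead of the live host.

```shell
#!/bin/sh
# Post-install sanity check for the saslauthd + sendmail/TLS setup described
# in this thread. Added example; not code from the thread or the ports.
# Defaults are the paths the posts mention; each can be overridden per call.

# Permission string from ls -ld, first 10 characters only (some Linux ls
# builds append "." or "+" for ACL/SELinux context). stat(1) flags differ
# between FreeBSD and Linux, so ls -ld is the portable choice here.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Group name from ls -ld (4th field on both FreeBSD and Linux).
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Hajimu's point: the saslauthd socket directory must be drwxrwx--- and
# owned by group mail. The group may be overridden for scratch fixtures.
check_saslauthd_dir() {
    dir=$1
    want_group=${2:-mail}
    [ -d "$dir" ] || return 1
    [ "$(mode_of "$dir")" = "drwxrwx---" ] || return 1
    [ "$(group_of "$dir")" = "$want_group" ]
}

# The SASL config must select saslauthd as the password checker. Comment
# lines are skipped and whitespace around the colon is tolerated.
check_pwcheck_method() {
    f=$1
    [ -f "$f" ] || return 1
    awk -F: '
        /^[ \t]*#/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "pwcheck_method" && val == "saslauthd") found = 1
        }
        END { exit found ? 0 : 1 }' "$f"
}

# Key and certificate files: after the chmod 600 in the procedure, the
# group and other bits (characters 5-10 of the mode string) must be off.
check_private_file() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(mode_of "$f" | cut -c5-10)" = "------" ]
}

# report LABEL CMD ARGS...: run one check, print one line, return its status.
report() {
    label=$1
    shift
    if "$@"; then
        echo "ok    $label"
        return 0
    fi
    echo "FAIL  $label"
    return 1
}

# Run every check; the return value is the number of failed checks, so 0
# means the host matches what the thread describes.
audit_sasl_setup() {
    sasl_conf=${1:-/usr/local/lib/sasl2/Sendmail.conf}
    sasl_dir=${2:-/var/state/saslauthd}
    cert_dir=${3:-/etc/mail/certs}
    sasl_group=${4:-mail}
    failures=0
    report "saslauthd socket dir" check_saslauthd_dir "$sasl_dir" "$sasl_group" || failures=$((failures + 1))
    report "pwcheck_method: saslauthd" check_pwcheck_method "$sasl_conf" || failures=$((failures + 1))
    report "server key not group/world readable" check_private_file "$cert_dir/mykey.pem" || failures=$((failures + 1))
    report "server cert not group/world readable" check_private_file "$cert_dir/mycert.pem" || failures=$((failures + 1))
    return "$failures"
}

# Only touch the live host when asked, so the file can be sourced for its
# functions without side effects:  sh check_sasl_setup.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_sasl_setup "${2:-}"
fi
```

For a postfix host pass the smtpd.conf path as the first argument after --live; the exit status is the failure count, which makes the script usable from a post-install hook or a periodic job.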