From: "Craig Riter" <criter@riter.com>
To: freebsd-security@freebsd.org
Date: Sun, 7 Dec 2003 09:14:56 -0800
Subject: possible compromise or just misreading logs

I am not sure if I had a compromise, but I wanted some other input. I noticed this in my daily security run output:

    pc1 setuid diffs:
    19c19
    < 365635 -rwsr-xr-x 1 root wheel 204232 Sep 27 21:23:19 2003 /usr/X11R6/bin/xscreensaver
    ---
    > 365781 -rwsr-xr-x 1 root wheel 205320 Dec  4 07:55:59 2003 /usr/X11R6/bin/xscreensaver

It was the only file listed, and I didn't remember changing anything on my PC having to do with the screensaver and can't even remember for sure if I was on my computer at that time.

I also noticed this message on my screen (I still have syslogd write some messages there):

    Dec  4 07:54:13 pc1 /kernel: pid 62069 (msgfmt), uid 0: exited on signal 6 (core dumped)
    Dec  4 07:57:04 pc1 /kernel: pid 64543 (msgfmt), uid 0: exited on signal 6 (core dumped)

When looking in /usr/X11R6/bin I saw some other files that were modified around this time. I didn't have a reason to modify these other files, so I don't think it was me.

    drwxr-xr-x  3 root  wheel   10752 Dec  4 09:18 ./
    -r--r--r--  1 root  wheel    5324 Dec  4 09:18 qtrename140
    -r--r--r--  1 root  wheel    8065 Dec  4 09:18 qt20fix
    -r--r--r--  1 root  wheel  218708 Dec  4 09:18 moc2
    -r--r--r--  1 root  wheel    4160 Dec  4 09:18 findtr
    -r--r--r--  1 root  wheel  206044 Dec  4 09:18 uic
    -r--r--r--  1 root  wheel   41964 Dec  4 07:57 xscreensaver-gl-helper
    dr--r--r--  2 root  wheel    3584 Dec  4 07:57 xscreensaver-hacks/
    -r--r--r--  1 root  wheel     988 Dec  4 07:56 screensaver-properties-capplet
    -r--r--r--  1 root  wheel    4790 Dec  4 07:56 xscreensaver-getimage-video
    -r--r--r--  1 root  wheel  116916 Dec  4 07:56 xscreensaver-getimage
    -r--r--r--  1 root  wheel    7271 Dec  4 07:56 xscreensaver-getimage-file
    -r--r--r--  1 root  wheel  168360 Dec  4 07:56 xscreensaver-demo
    -r--r--r--  1 root  wheel  205320 Dec  4 07:55 xscreensaver
    -r--r--r--  1 root  wheel   17624 Dec  4 07:55 xscreensaver-command

I have since made them all read-only, since I didn't want to run them in case they had a trojan.

So, my question is: did I have a break-in? This machine is accessible only as a web server through NAT and ipfw (if I configured my ipfw correctly). I had just installed Apache 1.3.29.

Second, what are people using for intrusion detection? This is something I have thought about but never really thought I needed until now.

Thanks,
Craig

From: "Lewis Watson" <lists@visionsix.com>
To: "Craig Riter", freebsd-security@freebsd.org
Date: Sun, 7 Dec 2003 11:25:38 -0600
Subject: Re: possible compromise or just misreading logs

> So, my question is did I have a break-in? This machine is accessable only
> as a web server through NAT and ipfw (if I configed my ipfw correctly). I
> had just installed the Apache 1.3.29.
>
> Second, what are people using for intrusion detection? This is something I
> have thought about but never really thought I needed until now.

Hi Craig,

Are you sure that you did not install any of the ports around this time? Usually you would see this type of activity when a program is installed. You should probably do a ps aux and sockstat -4 to see what is running and open.

There are two programs that I am familiar with to monitor changes: chkrootkit and tripwire. Chkrootkit is trivial to install, but tripwire is a much more complete package. I am sure there are others here that can provide much more insight into this.

Thanks.
Lewis

From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
Date: Sun, 7 Dec 2003 12:45:21 -0800 (PST)
Subject: Re: possible compromise or just misreading logs

> Second, what are people using for intrusion detection? This is something I
> have thought about but never really thought I needed until now.

No production environment should be without Tripwire (1.3 is my favorite version). With the right wrapper script and off-line backups it's impossible to compromise a system without being detected. Nothing beats the relief you'll feel when tripwire gives your system a clean bill of health after finding some suspicious logs.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From: Jan Grant <Jan.Grant@bristol.ac.uk>
To: Roger Marquis
cc: freebsd-security@freebsd.org
Date: Mon, 8 Dec 2003 10:50:02 +0000 (GMT)
Subject: Re: possible compromise or just misreading logs

On Sun, 7 Dec 2003, Roger Marquis wrote:
> No production environment should be without Tripwire (1.3 is my
> favorite version). With the right wrapper script
> and off-line backups it's
> impossible to compromise a system without being detected.

Unless there's another step you're not mentioning (eg, rebooting to an OS installed on a physically write-protected device, or remounting your drive on another machine with a trusted OS), "impossible" is probably too strong a term here. There's an implicit trust in using a system to integrity-check itself.

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
We thought time travel was impossible. But that was now and this is then.

From: Jez Hancock <munk@munk.nu>
To: freebsd-security@freebsd.org
Date: Mon, 8 Dec 2003 11:01:44 +0000
Subject: Re: possible compromise or just misreading logs

On Sun, Dec 07, 2003 at 09:14:56AM -0800, Craig Riter wrote:
> It was the only file listed and I didn't remember changing anything on my pc
> having to do with the screensaver and can't even remember for sure if I was
> on my computer at that time.

Try:

    ls -l /var/db/pkg

and see if any ports were modified at that time. You can also use 'last' to check if you were logged in around that time.

--
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/

From: jan.muenther@nruns.com
To: Jan Grant
cc: freebsd-security@freebsd.org, Roger Marquis
Date: Mon, 8 Dec 2003 13:35:01 +0100
Subject: Re: possible compromise or just misreading logs

Hello,

> > No production environment should be without Tripwire (1.3 is my
> > favorite version). With the right wrapper script
> > and off-line backups it's
> > impossible to compromise a system without being detected.
>
> Unless there's another step you're not mentioning (eg, rebooting to an
> OS installed on a physically write-protected device, or remounting your
> drive on another machine with a trusted OS) "impossible" is probably too
> strong a term here.

Too strong? It's simply incorrect. It is very well possible to compromise a box and backdoor it without even touching the file system. To use an example from the Win32 world, a lot of the recent worms lived entirely in memory, and as for backdoors/rootkits, think of the now famous suckit... Apart from that, there are even tools (LKM based) which spoof MD5 checksums.

Moral of the story: don't ever assume you're invincible due to some product or piece of software you run. Of course it makes sense to check the integrity of the system, but it's just one layer of security. And also, Tripwire's not the only product out there; you may want to look at AIDE for an open source alternative. Tripwire sort of made me shake my head anyway, since their $$$ client/server suite transfers data from the client to the server in plain text... which is, erm, not exactly state of the art for a security product in 2003.

> There's an implicit trust in using a system to integrity-check itself.

Indeed.

Cheers, Jan

From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
Date: Mon, 8 Dec 2003 08:04:28 -0800 (PST)
Subject: Re: possible compromise or just misreading logs

> > > No production environment should be without Tripwire (1.3 is my
> > > favorite version). With the right wrapper script
> > > and off-line backups it's
> > > impossible to compromise a system without being detected.
> >
> > Unless there's another step you're not mentioning (eg, rebooting to an
> > OS installed on a physically write-protected device, or remounting your
> > drive on another machine with a trusted OS) "impossible" is probably too
> > strong a term here.
>
> Too strong? It's simply incorrect. It is very well possible to compromise a
> box and backdoor it without even touching the file system. To use an example
> from the Win32 world, a lot of the recent worms entirely lived in memory,
> and as of backdoors/rootkits, think of the now famous suckit...

Sure, unless you're running an Orange Book A level system it's impossible to secure anything. But that's a rhetorical argument. We're talking about filesystems here.

> Apart from that, there are even tools (LKM based) which spoof MD5 checksums.

Wouldn't affect tripwire. In addition to MD5 you'd need to spoof snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to spoof them for, at a minimum, the tripwire binary and its database file(s).

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From: jan.muenther@nruns.com
To: Roger Marquis
cc: freebsd-security@freebsd.org
Date: Mon, 8 Dec 2003 17:48:04 +0100
Subject: Re: possible compromise or just misreading logs

> Sure, unless you're running an Orange book A level system it's
> impossible to secure anything. But that's a rhetorical argument.

I guess you misunderstood me here. I wasn't arguing that any system can be broken into - true, but not the point here - but that it's possible to do it without getting noticed, even if you run Tripwire or a similar product.

> We're talking about filesystems here.

Well, okay - if we focus on that point alone, Tripwire surely does a good job. I was just opposing the apodictic statement that it's impossible to break into a system without Tripwire triggering an alert. I wasn't saying that it's superfluous to run, just that you shouldn't neglect all other possible and necessary security measures around it. Again, don't get me wrong, I'm not one of the bigots who likes to slag off any security safeguard by saying it can be circumvented. All I was stating is that even when you have all that in place, you should still stick to best practices in every other regard.

> > Apart from that, there are even tools (LKM based) which spoof MD5 checksums.
> Wouldn't effect tripwire. In addition to MD5 you'd need to spoof
> snefru, crc32, crc16, md4, md2, sha, and haval, and you''d have to
> spoof them for, at a minimum, the tripwire binary and its database
> file(s).

Guess that depends on the Tripwire version, too... see http://www.phrack.com/show.php?p=43&a=14

Cheers, J.
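[Editor's added example; this is not code from the thread, from Tripwire or from AIDE.] The exchange above turns on two separate things: what a file-integrity database should record (Craig's daily security run compared inode, mode, size and mtime of setuid files; Tripwire adds several digests), and why a checker that runs on the monitored host can still be fooled (Jan Grant's "implicit trust", Jan Muenther's LKM checksum spoofers). The Python below builds a minimal Tripwire/AIDE-style baseline whose records carry those attributes plus SHA-256, authenticates the database with an HMAC under a key that is meant to live off the box (Dorin's point later in the thread), and then simulates the other failure: a read() hook that hands the checker the pristine bytes. The file name "xscreensaver", the file contents and the keys are constructed stand-ins for the page's /usr/X11R6/bin/xscreensaver case; the "rootkit" is a Python function standing in for a kernel module, not a real LKM.

```python
"""Minimal Tripwire/AIDE-style integrity baseline with an off-box HMAC key,
plus a simulation of the 'kernel lies to the checker' problem.

Added example for this thread; not code from Tripwire, AIDE or any poster.
All file names, contents and keys are constructed stand-ins.
"""
import hashlib
import hmac
import json
import os
import shutil
import stat
import tempfile


def real_read(path):
    """The I/O a checker normally trusts: whatever read(2) hands back."""
    with open(path, "rb") as f:
        return f.read()


def lying_read(hidden):
    """Simulated kernel-resident rootkit (stand-in for an LKM hooking read(2)):
    reads of a trojaned path return the pristine bytes the checker expects.
    The checker still hashes honestly; it is the input that is forged."""
    def read_file(path):
        return hidden[path] if path in hidden else real_read(path)
    return read_file


def file_record(path, read_file=real_read):
    """Attributes the daily security run compares (inode, mode, size, mtime)
    plus a SHA-256 digest. ctime is deliberately left out so the demo below
    can show a read()-only hook; a real checker records it, since utime(2)
    cannot reset ctime."""
    st = os.lstat(path)
    return {
        "inode": st.st_ino,
        "mode": stat.filemode(st.st_mode),  # e.g. "-rwsr-xr-x", as in the setuid diff
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "sha256": hashlib.sha256(read_file(path)).hexdigest(),
    }


def build_baseline(paths, key, read_file=real_read):
    """Deterministic JSON of all records, authenticated with a key that must
    live off the monitored host. An attacker who can rewrite the database
    cannot also make it verify without the key."""
    records = {p: file_record(p, read_file) for p in sorted(paths)}
    body = json.dumps(records, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"records": body, "hmac": tag}


def verify_baseline(baseline, key, read_file=real_read):
    """Return (database_authentic, findings); findings maps path -> changed fields."""
    body = baseline["records"]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["hmac"]):
        return False, {}  # database was rewritten; nothing in it can be trusted
    findings = {}
    for path, old in json.loads(body).items():
        if not os.path.lexists(path):
            findings[path] = ["missing"]
            continue
        new = file_record(path, read_file)
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            findings[path] = changed
    return True, findings


def demo():
    """Run the scenario on throwaway files and return the checker's verdicts."""
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "xscreensaver")  # constructed stand-in
        pristine = b"#!/bin/sh\necho lock-screen\n"
        with open(target, "wb") as f:
            f.write(pristine)
        os.chmod(target, 0o755)
        key = os.urandom(32)  # would be stored off-box in practice
        baseline = build_baseline([target], key)
        clean = verify_baseline(baseline, key)

        # Attacker: overwrite in place (same inode) with a same-length payload
        # (same size), then restore mtime with utime(2). Only the digest is left.
        before = os.stat(target)
        trojan = b"#!/bin/sh\necho lock-scrEEn\n"  # same length as pristine
        with open(target, "r+b") as f:
            f.write(trojan)
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))

        honest = verify_baseline(baseline, key)
        rootkit = verify_baseline(baseline, key,
                                  read_file=lying_read({target: pristine}))

        # Attacker's other option: regenerate the database to match the trojan.
        # Without the off-box key the forged database fails authentication.
        forged = build_baseline([target], b"attacker-guess")
        forged_ok, _ = verify_baseline(forged, key)
        return {"clean": clean, "honest": honest,
                "rootkit": rootkit, "forged_db_ok": forged_ok}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Run as a script it prints four verdicts: the fresh baseline verifies clean; after the in-place trojan only "sha256" is reported, because inode, size and mtime were all preserved (which is why recording those alone, as the setuid diff does, is not enough); the same check through the simulated read() hook reports clean, which is the bypass Steve Francis and Jan Muenther describe; and a database regenerated without the off-box key is rejected outright. The only remedies for the third case are the ones the thread itself gives: verify from trusted media (Jan Grant, Dorin) and stop modules being loaded in the first place by raising securelevel.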
From: Steve Francis <steve@expertcity.com>
To: jan.muenther@nruns.com
cc: freebsd-security@freebsd.org, Roger Marquis
Date: Mon, 08 Dec 2003 09:31:55 -0800
Subject: Re: possible compromise or just misreading logs

jan.muenther@nruns.com wrote:
>>> Apart from that, there are even tools (LKM based) which spoof MD5 checksums.
>> Wouldn't effect tripwire. In addition to MD5 you'd need to spoof
>> snefru, crc32, crc16, md4, md2, sha, and haval, and you''d have to
>> spoof them for, at a minimum, the tripwire binary and its database
>> file(s).

And just adding my voice to the "tripwire is good to run, but not a panacea" argument - if a machine gets a KLM loaded in a compromise, there is no way tripwire can be assured it is verifying the binary it asks the kernel for information about. Nothing to stop the compromised kernel returning the original binary for all requests, except for those needed to do Evil. If you get a root compromise so that a KLM can be loaded, all bets are off. Short of that, I think tripwire makes it very, very hard to change files on a system w/o being detected. As long as that is all the faith you put in tripwire, and use it to verify just that purpose and no more, it's great, and it (or something like it, like AIDE) is essential.

From: jan.muenther@nruns.com
To: Steve Francis
cc: freebsd-security@freebsd.org
Date: Mon, 8 Dec 2003 18:33:53 +0100
Subject: Re: possible compromise or just misreading logs

Thanks Steve, that's precisely the statement I wanted to make :)

Those types of integrity checkers should naturally be combined with a raised securelevel setting.

Cheers, Jan

From: Damian Gerow <damian@sentex.net>
To: freebsd-security@freebsd.org
Date: Mon, 8 Dec 2003 12:37:15 -0500
Subject: LKM support (Was: Re: possible compromise or just misreading logs)

Thus spake Steve Francis (steve@expertcity.com) [08/12/03 12:30]:
> And just adding my voice to the "tripwire is good to run, but not a
> panacea" argument - if a machine gets a KLM loaded in a compromise,
> there is no way tripwire can be assured it is verifying the binary it
> asks the kernel for information about. Nothing to stop the compromised
> kernel returning the original binary for all requests, except for those
> needed to do Evil. If you get a root compromise so that a KLM can be
> loaded, all bets are off. Short of that, I think tripwire makes it very
> very hard to change files on a system w/o being detected. As long as
> that is all the faith you put in tripwire, and use to verify just that
> purpose and no more, its great, and it (or something like it, like AIDE)
> is essential.

On that note, is there any way to disable LKM support in FreeBSD? Or is that what NO_MODULES does?

From: Dorin H <bj93542@yahoo.com>
To: Craig Riter
cc: freebsd-security@freebsd.org
Date: Mon, 8 Dec 2003 11:23:35 -0800 (PST)
Subject: Re: possible compromise or just misreading logs

Hi there,

About file integrity checking (only one piece of the puzzle, but a necessary one): use aide (the last tripwire is yet to be updated - do not compile -, see maintainer work). To prevent the mentioned attacks, keep your hashes OFF your box. To compute/verify hashes, always boot from a secure live CD. Downside: you have to do this at each update.

To maintain the level of security, try something like:

1. Boot the secure CD.
2. Verify the hashes by comparing to the last version from the external source (use a log; better than overriding previous hashes).
3. If OK, do the update (have your sources downloaded locally before and verified; the FreeBSD online update system is yet to be secured: see list discussion). [Paranoia: 4. boot again your safe CD and recompute & save the new hashes.]
4. Recompute the new hashes and save them externally.

Add-on: you should do this offline to remove the window of opportunity in step 3, while updating the tracked files.

Hope this helps,
/Dorin.

PS. If you have a Web server, I'd rather start by adding at least some kind of firewall and an external syslog before thinking of the file integrity check anyway.

> Second, what are people using for intrusion
> detection? This is something I
> have thought about but never really thought I
> needed until now.

From: Petri Riihikallio <petri.riihikallio@metis.fi>
To: Damian Gerow, freebsd-security@freebsd.org
Date: Mon, 8 Dec 2003 22:39:05 +0200
Subject: Re: LKM support (Was: Re: possible compromise or just misreading logs)

> On that note, is there any way to disable LKM support in FreeBSD? Or is
> that what NO_MODULES does?

Set the security level to one or above in rc.conf.

--
Cheers
Petri
GSM: (+358400 | 0400) 505 939

From: "Crist J. Clark" <cristjc@comcast.net>
To: freebsd-security@freebsd.org
Date: Mon, 8 Dec 2003 20:01:43 -0800
Subject: Re: LKM support (Was: Re: possible compromise or just misreading logs)

On Mon, Dec 08, 2003 at 12:37:15PM -0500, Damian Gerow wrote:
> Thus spake Steve Francis (steve@expertcity.com) [08/12/03 12:30]:
> > And just adding my voice to the "tripwire is good to run, but not a
> > panacea" argument - if a machine gets a KLM loaded in a compromise,
> > there is no way tripwire can be assured it is verifying the binary it
> > asks the kernel for information about. Nothing to stop the compromised
> > kernel returning the original binary for all requests, except for those
> > needed to do Evil.
If you get a root compromise so that a KLM can be > > loaded, all bets are off. Short of that, I think tripwire makes it very > > very hard to change files on a system w/o being detected. As long as > > that is all the faith you put in tripwire, and use to verify just that > > purpose and no more, its great, and it (or something like it, like AIDE) > > is essential. > > On that note, is there any way to disable LKM support in FreeBSD? Or is > that what NO_MODULES does? No, it doesn't. I have some really, really old patches that do this. Check the URL in the .sig. Let me know if they no longer work. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org From owner-freebsd-security@FreeBSD.ORG Mon Dec 8 08:46:40 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 880DE16A4CE for ; Mon, 8 Dec 2003 08:46:40 -0800 (PST) Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id CC42143FEC for ; Mon, 8 Dec 2003 08:46:27 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: from khavrinen.lcs.mit.edu (localhost.nic.fr [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.9/8.12.9) with ESMTP id hB8GkQDa035170 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK CN=khavrinen.lcs.mit.edu issuer=SSL+20Client+20CA); Mon, 8 Dec 2003 11:46:26 -0500 (EST) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.9/8.12.9/Submit) id hB8GkQIX035167; Mon, 8 Dec 2003 11:46:26 -0500 (EST) (envelope-from wollman) Date: Mon, 8 Dec 2003 11:46:26 -0500 (EST) From: Garrett Wollman Message-Id: <200312081646.hB8GkQIX035167@khavrinen.lcs.mit.edu> To: Roger Marquis In-Reply-To: <20031208160428.DDF8FDAE9A@mx7.roble.com> References: <20031207200130.C4B1216A4E0@hub.freebsd.org> 
<20031208123501.GA87554@ergo.nruns.com> <20031208160428.DDF8FDAE9A@mx7.roble.com> X-Spam-Score: -19.8 () IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,REPLY_WITH_QUOTES X-Scanned-By: MIMEDefang 2.37 X-Mailman-Approved-At: Tue, 09 Dec 2003 07:43:38 -0800 cc: freebsd-security@freebsd.org Subject: Re: possible compromise or just misreading logs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Dec 2003 16:46:40 -0000

< said:
> Wouldn't affect tripwire. In addition to MD5 you'd need to spoof
> snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
> spoof them for, at a minimum, the tripwire binary and its database
> file(s).

Trivial -- all you have to do is keep backup copies of all the files replaced, and have the kernel redirect tripwire's access to the originals. -GAWollman

From owner-freebsd-security@FreeBSD.ORG Tue Dec 9 11:32:02 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2DF6C16A4CE for ; Tue, 9 Dec 2003 11:32:02 -0800 (PST) Received: from web12605.mail.yahoo.com (web12605.mail.yahoo.com [216.136.173.228]) by mx1.FreeBSD.org (Postfix) with SMTP id 7592B43D1D for ; Tue, 9 Dec 2003 11:32:01 -0800 (PST) (envelope-from bj93542@yahoo.com) Message-ID: <20031209193201.1585.qmail@web12605.mail.yahoo.com> Received: from [128.226.68.47] by web12605.mail.yahoo.com via HTTP; Tue, 09 Dec 2003 11:32:01 PST Date: Tue, 9 Dec 2003 11:32:01 -0800 (PST) From: Dorin H To: Garrett Wollman In-Reply-To: <200312081646.hB8GkQIX035167@khavrinen.lcs.mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii cc: freebsd-security@freebsd.org Subject: Re: possible compromise or just misreading logs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1
Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Dec 2003 19:32:02 -0000

--- Garrett Wollman wrote:
> < Marquis said:
> > Wouldn't affect tripwire. In addition to MD5 you'd need to spoof
> > snefru, crc32, crc16, md4, md2, sha, and haval, and you'd have to
> > spoof them for, at a minimum, the tripwire binary and its database
> > file(s).
>
> Trivial -- all you have to do is keep backup copies of all the files
> replaced, and have the kernel redirect tripwire's access to the
> originals.
>
> -GAWollman

Of course, once somebody modifies your kernel, you don't own the machine anymore. Boot a safe kernel:) /Dorin.

From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 11:05:49 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 652D516A4CE for ; Wed, 10 Dec 2003 11:05:49 -0800 (PST) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 123B043D21 for ; Wed, 10 Dec 2003 11:05:48 -0800 (PST) (envelope-from brett@lariat.org) Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA18743 for ; Wed, 10 Dec 2003 12:05:44 -0700 (MST) X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms. Message-Id: <6.0.0.22.2.20031210115335.04c2fc50@localhost> X-Sender: brett@localhost (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Wed, 10 Dec 2003 12:05:39 -0700 To: security@freebsd.org From: Brett Glass Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: s/key authentication for Apache on FreeBSD?
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Dec 2003 19:05:49 -0000 I'm constructing a Web server which may require restricted areas of the site to be used from public places where a password might be sniffed. The damage that could be done by taking snapshots of the content from one session with a spy program is minimal. What the owner of the server does NOT want, though, is to allow unauthorized parties to gain unfettered access by stealing the password via a key sniffer. After considering the readily available alternatives, I'd like to try using s/key one-time passwords with "basic" authentication (which works on most browsers). But how do I lash Apache and s/key together under FreeBSD, and get Apache to require s/key passwords from all IP addresses outside the owner's home network? (Apache doesn't have a mod_auth_skey module, so I'd probably have to cobble this together with mod_perl -- or via PAM, with which I have virtually no experience.) All suggestions as to the most efficient way to construct a solution will be most welcome. 
--Brett Glass From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 11:30:15 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C74A416A5E7 for ; Wed, 10 Dec 2003 11:30:15 -0800 (PST) Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id AD01043D1D for ; Wed, 10 Dec 2003 11:30:11 -0800 (PST) (envelope-from mark@grondar.org) Received: from storm.FreeBSD.org.uk (Ugrondar@localhost [127.0.0.1]) hBAJUAnp042682; Wed, 10 Dec 2003 19:30:10 GMT (envelope-from mark@grondar.org) Received: (from Ugrondar@localhost)hBAJU9te042681; Wed, 10 Dec 2003 19:30:09 GMT (envelope-from mark@grondar.org) X-Authentication-Warning: storm.FreeBSD.org.uk: Ugrondar set sender to mark@grondar.org using -f Received: from grondar.org (localhost [127.0.0.1])hBAJPADw003666; Wed, 10 Dec 2003 19:25:11 GMT (envelope-from mark@grondar.org) Message-Id: <200312101925.hBAJPADw003666@grimreaper.grondar.org> To: Brett Glass From: Mark Murray In-Reply-To: Your message of "Wed, 10 Dec 2003 12:05:39 MST." <6.0.0.22.2.20031210115335.04c2fc50@localhost> Date: Wed, 10 Dec 2003 19:25:10 +0000 Sender: mark@grondar.org X-Spam-Status: No, hits=-0.5 required=5.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,NO_EXPERIENCE, QUOTED_EMAIL_TEXT,REPLY_WITH_QUOTES version=2.55 X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) cc: security@freebsd.org Subject: Re: s/key authentication for Apache on FreeBSD? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Dec 2003 19:30:15 -0000

Brett Glass writes:
> After considering the readily available alternatives, I'd like to
> try using s/key one-time passwords with "basic" authentication (which
> works on most browsers). But how do I lash Apache and s/key together
> under FreeBSD, and get Apache to require s/key passwords from all
> IP addresses outside the owner's home network? (Apache doesn't have
> a mod_auth_skey module, so I'd probably have to cobble this together
> with mod_perl -- or via PAM, with which I have virtually no experience.)
> All suggestions as to the most efficient way to construct a solution
> will be most welcome.

PAM is the most sensible. Once set up, it hands over a whole lot of policy to one set of config files, and this makes sysadmins' jobs much easier. Learning PAM is well worth your while. M -- Mark Murray iumop ap!sdn w,I idlaH

From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 11:49:14 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 475C216A4CE for ; Wed, 10 Dec 2003 11:49:14 -0800 (PST) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B2D1143D1D for ; Wed, 10 Dec 2003 11:49:12 -0800 (PST) (envelope-from brett@lariat.org) Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA19461; Wed, 10 Dec 2003 12:48:29 -0700 (MST) X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <6.0.0.22.2.20031210124332.04e94ac0@localhost> X-Sender: brett@localhost (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Wed, 10 Dec 2003 12:48:24 -0700 To: Kyle Amon From: Brett Glass In-Reply-To: <20031210093927.70c87960.amonk@gnutec.com> References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" cc: security@freebsd.org Subject: Re: s/key authentication for Apache on FreeBSD? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Dec 2003 19:49:14 -0000 At 07:39 AM 12/10/2003, Kyle Amon wrote: >It sounds like you're going all crazy here. It does? > Unfortunately, what you've >written to describe your requirement is not very precise. Assuming you >are not concerned about "keystroke loggers" You must have misunderstood my message: This is EXACTLY what the owner is concerned about. Encrypting the content is not as important as preventing unfettered future access via a password stolen by sniffing either the network or the keyboard. Thus, SSL -- while it might be nice -- is optional. What's needed is one-time passwords for "basic" authentication in Apache. 
--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 12:26:27 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ADFCA16A4CF for ; Wed, 10 Dec 2003 12:26:27 -0800 (PST) Received: from raven.bjn.net (raven.bjn.net [193.73.230.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id E103643D2D for ; Wed, 10 Dec 2003 12:26:25 -0800 (PST) (envelope-from bruce@nikkel.com) Received: (from bruce@localhost) by raven.bjn.net (8.11.7p1+Sun/8.11.7) id hBAKQNn02868 for security@freebsd.org; Wed, 10 Dec 2003 21:26:23 +0100 (MET) From: bruce@nikkel.com Date: Wed, 10 Dec 2003 21:26:23 +0100 To: security@freebsd.org Message-ID: <20031210202623.GC1458@nikkel.com> Mail-Followup-To: security@freebsd.org References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6.0.0.22.2.20031210124332.04e94ac0@localhost> User-Agent: Mutt/1.5.3i Subject: Re: s/key authentication for Apache on FreeBSD? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Dec 2003 20:26:27 -0000

> What's needed is one-time passwords for "basic" authentication in
> Apache.

The problem with using s/key (or opie) together with http basic auth is the repetitive nature of http requests. The webserver would expect to see the basic authentication string with every single request. You would be prompted for your next one-time password for every single gif or link on the page requested. I don't know how practical that would be.
Bruce Nikkel -- From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 12:29:39 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8976116A4CE for ; Wed, 10 Dec 2003 12:29:39 -0800 (PST) Received: from grover.buszard-welcher.com (grover.buszard-welcher.com [209.133.111.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id C6AFD43D1F for ; Wed, 10 Dec 2003 12:29:33 -0800 (PST) (envelope-from james@oscar.buszard-welcher.com) Received: from oscar.buszard-welcher.com (nic-29-c98-29.twmi.rr.com [65.29.98.29])hBAKXfpe062998; Wed, 10 Dec 2003 15:33:41 -0500 (EST) (envelope-from james@oscar.buszard-welcher.com) Received: from oscar.buszard-welcher.com (localhost [127.0.0.1]) hBAKTTEO073764; Wed, 10 Dec 2003 15:29:29 -0500 (EST) (envelope-from james@oscar.buszard-welcher.com) Received: (from james@localhost)hBAKTTvw073761; Wed, 10 Dec 2003 15:29:29 -0500 (EST) (envelope-from james) From: James Welcher MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <16343.33321.632599.190251@oscar.buszard-welcher.com> Date: Wed, 10 Dec 2003 15:29:29 -0500 To: Brett Glass In-Reply-To: <6.0.0.22.2.20031210124332.04e94ac0@localhost> References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost> X-Mailer: VM 7.14 under 21.4 (patch 12) "Portable Code" XEmacs Lucid Precedence: special-delivery X-Face: QxvMDEbk6bgcZl77ymq+a.Y; ['7-d@I|![:i^y[c)@|_(b!z. cc: security@freebsd.org Subject: Re: s/key authentication for Apache on FreeBSD? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Dec 2003 20:29:39 -0000

>>>>> "Brett" == Brett Glass writes:

Brett> You must have misunderstood my message: This is EXACTLY
Brett> what the owner is concerned about. Encrypting the content
Brett> is not as important as preventing unfettered future access
Brett> via a password stolen by sniffing either the network or the
Brett> keyboard. Thus, SSL -- while it might be nice -- is
Brett> optional. What's needed is one-time passwords for "basic"
Brett> authentication in Apache.

Maybe not the solution you are looking for, but I wouldn't write a one-time password solution as an apache module. It seems to me like it would be rather complex to implement and you would still have to manage users' keys and generate the "little slips of paper" or educate the users to employ some kind of s/key or opie algorithm on their PDA or via some other host. I have seen some websites employ (don't shudder) a JavaScript "mini-keyboard" where you can click on letters to "type in" a passphrase. This avoids local keyboard sniffers, and users and admins don't have to mess with one-time passwords. It should also work with any browser, assuming you do the JavaScript right. Far be it from me to recommend JavaScript for anything, but then again, I think you would have a more portable solution with fewer headaches (barring the initial JavaScript development), and if a user is on a "trusted" machine, they can just type in the passphrase without using the JavaScript widget. Of course, SSL is no longer optional in this case.
James

From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 13:30:07 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DD28216A4CE for ; Wed, 10 Dec 2003 13:30:07 -0800 (PST) Received: from dfmm.org (walter.dfmm.org [209.151.233.240]) by mx1.FreeBSD.org (Postfix) with ESMTP id C82A643D2C for ; Wed, 10 Dec 2003 13:30:02 -0800 (PST) (envelope-from freebsd-security@dfmm.org) Received: (qmail 33228 invoked by uid 1000); 10 Dec 2003 21:30:02 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 10 Dec 2003 21:30:02 -0000 Date: Wed, 10 Dec 2003 13:30:02 -0800 (PST) From: Jason Stone X-X-Sender: jason@walter To: security@freebsd.org In-Reply-To: <20031210202623.GC1458@nikkel.com> Message-ID: <20031210132049.D3696@walter> References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <6.0.0.22.2.20031210124332.04e94ac0@localhost> <20031210202623.GC1458@nikkel.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: s/key authentication for Apache on FreeBSD? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Dec 2003 21:30:08 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > What's needed is one-time passwords for "basic" authentication in
> > Apache.
>
> The problem with using s/key (or opie) together with http basic auth is
> the repetitive nature of http requests. The webserver would expect to see
> the basic authentication string with every single request. You would be
> prompted for your next one-time password for every single gif or link on
> the page requested. I don't know how practical that would be.

Good point. You'd have to implement your own sessioning and authentication entirely within your app, which always sucks.
An additional issue with http basic auth and an opie calculator is that opie is challenge based - you compute the response based on the iteration count and a salt string. So the user's browser is going to have to be convinced to show him the challenge so he can enter it into the calculator, but most browsers won't show you the html returned by the initial 401 request until _after_ the user has failed or bailed out of the authentication process. You could possibly coerce apache into dynamically inserting the challenge into the authentication "realm," but that probably precludes using a standard mod_auth_pam type of thing. -Jason -------------------------------------------------------------------------- Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant. -- Ashley Montagu -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE/15BaswXMWWtptckRAg/GAJ98SUI6OKPgzpkgPtprY1ZZcOQsHgCgnHTn Ie+hQDmdVGC/6umkttdYMV4= =3acd -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 14:54:40 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F2FCC16A4CE for ; Wed, 10 Dec 2003 14:54:39 -0800 (PST) Received: from mail.telsatgp.com.pl (pa79.pleszew.sdi.tpnet.pl [217.96.180.79]) by mx1.FreeBSD.org (Postfix) with SMTP id 5EA8243D49 for ; Wed, 10 Dec 2003 14:54:24 -0800 (PST) (envelope-from sgp@telsatgp.com.pl) Received: (qmail 43200 invoked from network); 10 Dec 2003 22:54:31 -0000 Received: from slawek.telsatgp.com.pl (HELO Slawek) (192.168.5.5) by pa79.pleszew.sdi.tpnet.pl with SMTP; 10 Dec 2003 22:54:31 -0000 Message-ID: <003401c3bf70$c4b90cd0$0505a8c0@Slawek> From: "Slawek" To: References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> Date: Wed, 10 Dec 2003 23:55:55 +0100 MIME-Version: 
1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: Re: s/key authentication for Apache on FreeBSD? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Dec 2003 22:54:40 -0000

Brett Glass wrote:
> I'm constructing a Web server which may require restricted areas
> of the site to be used from public places where a password might
> be sniffed. The damage that could be done by taking snapshots of
> the content from one session with a spy program is minimal. What
> the owner of the server does NOT want, though, is to allow unauthorized
> parties to gain unfettered access by stealing the password via
> a key sniffer.

Be warned that an attacker would probably be able to issue more commands after the user thinks he has logged out (when the user used a compromised machine). Slawek

From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 16:50:08 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 27AA916A4CF for ; Wed, 10 Dec 2003 16:50:08 -0800 (PST) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4573543D2E for ; Wed, 10 Dec 2003 16:50:06 -0800 (PST) (envelope-from brett@lariat.org) Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id RAA23304; Wed, 10 Dec 2003 17:49:56 -0700 (MST) X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <6.0.0.22.2.20031210173916.04f57be8@localhost> X-Sender: brett@localhost (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Wed, 10 Dec 2003 17:47:00 -0700 To: James Welcher From: Brett Glass In-Reply-To: <16343.33321.632599.190251@oscar.buszard-welcher.com> References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost> <16343.33321.632599.190251@oscar.buszard-welcher.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" cc: Kyle Amon cc: security@freebsd.org Subject: Re: s/key authentication for Apache on FreeBSD? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Dec 2003 00:50:08 -0000

At 01:29 PM 12/10/2003, James Welcher wrote:
>Maybe not the solution you are looking for, but I wouldn't write a
>one-time password solution as an apache module. It seems to me like it
>would be rather complex to implement and you would still have to
>manage users' keys and generate the "little slips of paper" or educate
>the users to employ some kind of s/key or opie algorithm on their PDA
>or via some other host.

The people in question have Palm Pilots. And, yes, in a pinch slips of paper could be generated. The key thing is to be able to get in from a public kiosk without the risk of compromised passwords.

Bruce Nikkel writes:
>The problem with using s/key (or opie) together with http basic auth is
>the repetitive nature of http requests. The webserver would expect to see
>the basic authentication string with every single request. You would be
>prompted for your next one-time password for every single gif or link on
>the page requested. I don't know how practical that would be.
If this is true, then I'd have to write a Perl authentication module that called s/key once and authorized an IP until the user clicked a "logout" button or a certain amount of time elapsed. So, I'd be using mod_perl *and* PAM. A bit more complex, but I can do it if I must. Are you sure that Apache will try to authorize again on every hit? --Brett From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 17:02:58 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D2E7016A4CE for ; Wed, 10 Dec 2003 17:02:58 -0800 (PST) Received: from tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id B2ED343D30 for ; Wed, 10 Dec 2003 17:02:57 -0800 (PST) (envelope-from kudzu@tenebras.com) Received: (qmail 13890 invoked from network); 11 Dec 2003 01:02:57 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 11 Dec 2003 01:02:57 -0000 Message-ID: <3FD7C240.4030005@tenebras.com> Date: Wed, 10 Dec 2003 17:02:56 -0800 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: Brett Glass References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost> <16343.33321.632599.190251@oscar.buszard-welcher.com> <6.0.0.22.2.20031210173916.04f57be8@localhost> In-Reply-To: <6.0.0.22.2.20031210173916.04f57be8@localhost> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: Kyle Amon cc: security@freebsd.org Subject: Re: s/key authentication for Apache on FreeBSD? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Dec 2003 01:02:58 -0000 Brett Glass wrote: > The people in question have Palm Pilots. And, yes, in a pinch > slips of paper could be generated. The key thing is to be able > to get in from a public kiosk without the risk of compromised > passwords. The problem with S/key or OPIE authentication is that it is sadly subject to a MITM attack, and relies on blind trust in the server. The challenge is not a random challenge, it is unfortunately a sequence number and salt -- if I trick you into typing in the one-time password with a lower sequence number than the current one you are proper fucked. I can then generate all of the subsequent "one-time" passwords. If you have a half-authenticated SSL connection, and are conducting the exchange over it, then it should be fine. 
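The lower-sequence-number trick Michael describes above, and Jason's earlier remark that the challenge is nothing but an iteration count and a seed, as an added example that is not part of the thread. It is a simplified S/Key/OPIE chain (RFC 2289) in Python: the real scheme folds the digest to 64 bits and prints it as six short words, while this keeps the full SHA-1 digest, which changes nothing about the attack. The passphrase, seed, counts and the `last_count` client-side check are constructed for the example.

```python
"""S/Key / OPIE one-time-password chain and the lower-sequence-number trick.

Added example, not code from the thread.  Simplification of RFC 2289: the
real scheme folds the digest to 64 bits and encodes it as six short words;
here the full SHA-1 digest is kept.  The attack does not depend on that.
"""
import hashlib
from typing import Optional


def otp_hash(x: bytes) -> bytes:
    return hashlib.sha1(x).digest()


def otp_value(passphrase: str, seed: str, count: int) -> bytes:
    """OTP_count = H^count(seed || passphrase): what the calculator computes."""
    v = (seed + passphrase).encode()
    for _ in range(count):
        v = otp_hash(v)
    return v


class OtpServer:
    """Verifier: stores only the last accepted value and its sequence number."""

    def __init__(self, passphrase: str, seed: str, n: int) -> None:
        # Enrolment: OTP_n is computed once; the passphrase is then discarded.
        self.seed = seed
        self.count = n
        self.last = otp_value(passphrase, seed, n)

    def challenge(self) -> str:
        # Deterministic, like the real "otp-sha1 99 ke1234" prompt:
        # a sequence number and a seed, nothing random in it.
        return f"otp-sha1 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # Accept OTP_{count-1} iff hashing it once gives the stored OTP_count.
        if otp_hash(response) == self.last:
            self.count -= 1
            self.last = response
            return True
        return False


def client_respond(passphrase: str, challenge: str,
                   last_count: Optional[int] = None) -> Optional[bytes]:
    """Calculator side.  If last_count is given (the count of the last
    challenge this client answered, or the enrolment count), refuse any
    challenge that is not exactly one lower: that check (assumed here,
    not part of the protocol) is what defeats the attack below."""
    _, count_s, seed = challenge.split()
    count = int(count_s)
    if last_count is not None and count != last_count - 1:
        return None
    return otp_value(passphrase, seed, count)


def attacker_logins(captured: bytes, captured_count: int, server: OtpServer) -> int:
    """The MITM showed the user a forged challenge with a LOWER count and
    captured OTP_captured_count.  Every value the server will ask for from
    now down to that count is just more hashing of the captured one."""
    wins = 0
    while server.count - 1 >= captured_count:
        forged = captured
        for _ in range(server.count - 1 - captured_count):
            forged = otp_hash(forged)
        if not server.verify(forged):
            break
        wins += 1
    return wins


def demo() -> int:
    """One honest login, then the MITM with a forged (lower) count."""
    pw, seed = "correct horse battery", "ke1234"    # constructed
    srv = OtpServer(pw, seed, 100)
    honest = client_respond(pw, srv.challenge())     # answers count 99
    assert honest is not None and srv.verify(honest)
    assert not srv.verify(honest)                    # replay is refused
    # Server now wants OTP_98, but the MITM shows "otp-sha1 90 ke1234".
    captured = client_respond(pw, f"otp-sha1 90 {seed}")
    assert captured is not None
    return attacker_logins(captured, 90, srv)        # 9 logins: 98 .. 90


if __name__ == "__main__":
    print("attacker logins from one captured response:", demo())
```

The attacker's gain is the gap between the real count and the forged one: with the server at 99 and the user tricked into answering 90, the captured value yields every password from 98 down to 90. Nothing in the scheme lets the server notice, because each of those values hashes correctly to the one before it; only the calculator can refuse a count that is not the next one it expects, or the exchange must run inside an authenticated channel, as Michael says.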
From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 17:08:12 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C96E16A4CE; Wed, 10 Dec 2003 17:08:12 -0800 (PST) Received: from ftp.bjpu.edu.cn (ftp.bjpu.edu.cn [202.112.78.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 461B243D31; Wed, 10 Dec 2003 17:08:11 -0800 (PST) (envelope-from delphij@frontfree.net) Received: by ftp.bjpu.edu.cn (Postfix, from userid 426) id 8467152D3; Thu, 11 Dec 2003 09:08:04 +0800 (CST) Received: from srv (beastie.frontfree.net [218.107.145.7]) by ftp.bjpu.edu.cn (Postfix) with ESMTP id 371685299; Thu, 11 Dec 2003 09:08:04 +0800 (CST) From: "Xin LI/李鑫" To: Date: Thu, 11 Dec 2003 09:08:24 +0800 Organization: Frontfree Technology Network MIME-Version: 1.0 Content-Type: text/plain; charset="gb2312" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 Thread-Index: AcO/g0bPx37wmnRDSKSmY3kJGD5VCA== Message-Id: <20031211010804.371685299@ftp.bjpu.edu.cn> cc: peter@freebsd.org Subject: cvs version 1.11.10 import? [security fix] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Dec 2003 01:08:12 -0000

On a recent NetBSD commit I saw that they have imported cvs 1.11.10 as a security fix yesterday: http://mail-index.netbsd.org/source-changes/2003/12/10/0025.html http://mail-index.netbsd.org/source-changes/2003/12/10/0026.html itojun has clarified the commit in a mail sent to the tech-userlevel list of NetBSD: http://mail-index.netbsd.org/tech-userlevel/2003/12/10/0003.html Will this affect FreeBSD's version 1.11.5 cvs, too? If so, is it possible to import the 1.11.10 before 5.2-RELEASE is released?
Thanks!

Xin LI
Frontfree Technology Network

From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 17:15:01 2003
From: Colin Percival
Date: Thu, 11 Dec 2003 01:14:52 +0000
To: Xin LI
Subject: Re: cvs version 1.11.10 import? [security fix]

At 09:08 11/12/2003 +0800, Xin LI wrote:
> Will this affect FreeBSD's version 1.11.5 cvs, too? If so, is it possible to
> import the 1.11.10 before 5.2-RELEASE is released? Thanks!

If it affects FreeBSD, I'm sure the new version will be imported before 5.2-RELEASE escapes. The release engineering and security teams talk to each other occasionally, and especially prior to releases. :)

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 18:41:07 2003
From: Brett Glass
Date: Wed, 10 Dec 2003 19:40:50 -0700
To: Michael Sierchio
cc: Kyle Amon, security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?

An excellent reason to use SSL together with S/key.

--Brett

At 06:02 PM 12/10/2003, Michael Sierchio wrote:
> The problem with S/key or OPIE authentication is that it
> is sadly subject to a MITM attack, and relies on
> blind trust in the server.
>
> The challenge is not a random challenge, it is unfortunately
> a sequence number and salt -- if I trick you into typing in
> the one-time password with a lower sequence number than the
> current one you are proper fucked. I can then generate all of
> the subsequent "one-time" passwords.
>
> If you have a half-authenticated SSL connection, and are
> conducting the exchange over it, then it should be fine.
From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 23:33:47 2003
From: Andrew Kenneth Milton
Date: Thu, 11 Dec 2003 18:33:37 +1100
To: Brett Glass
cc: security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?

+-------[ Brett Glass ]----------------------
| An excellent reason to use SSL together with S/key.
I'm not sure about the physical setup you have, but, here goes.

Why don't you issue certificates to each user, that have a fixed life span, say a week (or day or a few hours), and avoid the password thing altogether?

If you can generate pieces of paper to hand out, you can generate a certificate per user that gets assigned / refreshed before they leave. You could even just revoke the certificate if/when lost, if the assignment of a new certificate is overly burdensome. Once the certificate is revoked even having physical possession of the palm pilot won't give you access.

There are no passwords to write down, and there are no user interactions to sniff/log.

You should be able to use a certificate at a cafe via floppy/cd/USB key (I guess, I've never been to one); if this is the normal usage pattern, I'd be making the lifespan of the certs very small.

--
Totally Holistic Enterprises Internet|                      | Andrew Milton
The Internet (Aust) Pty Ltd          | M:+61 416 022 411   |
ACN: 082 081 472 ABN: 83 082 081 472 |akm@theinternet.com.au| Carpe Daemon

From owner-freebsd-security@FreeBSD.ORG Thu Dec 11 02:16:18 2003
From: bruce@nikkel.com
Date: Thu, 11 Dec 2003 11:15:51 +0100
To: Brett Glass
cc: Kyle Amon, security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?

On Wed, Dec 10, 2003 at 05:47:00PM -0700, Brett Glass wrote:
> > The problem with using s/key (or opie) together with http basic auth is
> > the repetitive nature of http requests. The webserver would expect to see
> > the basic authentication string with every single request. You would be
> > prompted for your next onetime password for every single gif or link on
> > the page requested. I don't know how practical that would be.
>
> If this is true, then I'd have to write a Perl authentication module
> that called s/key once and authorized an IP until the user clicked
> a "logout" button or a certain amount of time elapsed. So, I'd be
> using mod_perl *and* PAM. A bit more complex, but I can do it if I must.
> Are you sure that Apache will try to authorize again on every hit?

If the basic auth string was not included in an http request, the webserver would generate an error 401 (Unauthorized). Check out RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication).
Bruce Nikkel
--

From owner-freebsd-security@FreeBSD.ORG Thu Dec 11 09:25:46 2003
From: "Radu-Mihail Obada"
Date: Thu, 11 Dec 2003 19:26:30 +0200 (EET)
To: "Andrew Kenneth Milton"
cc: security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?
It sounds like an excellent idea to me. And you get the added bonus of encryption. Nice thinking, Brett.

> Why don't you issue certificates to each user, that have a fixed life
> span,
> say a week (or day or a few hours), and avoid the password thing
> altogether?

--
Radu "Daemon" Obada,
Faculty of Mathematics and Computer Science, University of Bucharest

From owner-freebsd-security@FreeBSD.ORG Sat Dec 13 18:36:11 2003
From: Brett Glass
Date: Sat, 13 Dec 2003 19:33:48 -0700
To: Andrew Kenneth Milton
cc: security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?

At 12:33 AM 12/11/2003, Andrew Kenneth Milton wrote:
> You should be able to use a certificate at a cafe via floppy/cd/USB key (I
> guess, I've never been to one)

Alas, many cybercafes -- especially those in Europe -- give you access to a screen and a keyboard... and nothing else. They're worried that if you can put media in the machine you can infect it or Trojan it.
--Brett

From owner-freebsd-security@FreeBSD.ORG Sat Dec 13 18:36:14 2003
From: Brett Glass
Date: Sat, 13 Dec 2003 19:35:43 -0700
To: bruce@nikkel.com
cc: Kyle Amon, security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?

At 03:15 AM 12/11/2003, bruce@nikkel.com wrote:
> If the basic auth string was not included in an http request, the
> webserver would generate an error 401 (Unauthorized). Check out RFC 2617
> (HTTP Authentication: Basic and Digest Access Authentication).

True.
But does it authenticate again? Or merely recognize that you're the same person you were before and let you through?

--Brett

From owner-freebsd-security@FreeBSD.ORG Sat Dec 13 18:47:00 2003
From: Colin Percival
Date: Sun, 14 Dec 2003 02:46:52 +0000
To: Brett Glass
cc: chat@freebsd.org, security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?

At 19:33 13/12/2003 -0700, Brett Glass wrote:
> Alas, many cybercafes -- especially those in Europe -- give you access to
> a screen and a keyboard... and nothing else. They're worried that if
> you can put media in the machine you can infect it or Trojan it.

Based on what I've seen here in .uk, I suspect that the lack of drives has more to do with wanting to avoid physical damage. Food and computers don't mix very well.
Colin Percival
[Followup-to: chat]

From owner-freebsd-security@FreeBSD.ORG Sat Dec 13 21:45:25 2003
From: "Matthew D. Fuller"
Date: Sat, 13 Dec 2003 23:45:19 -0600
To: Brett Glass
cc: Kyle Amon, security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?
On Sat, Dec 13, 2003 at 07:35:43PM -0700 I heard the voice of Brett Glass, and lo! it spake thus:
> At 03:15 AM 12/11/2003, bruce@nikkel.com wrote:
>
> > If the basic auth string was not included in an http request, the
> > webserver would generate an error 401 (Unauthorized). Check out RFC 2617
> > (HTTP Authentication: Basic and Digest Access Authentication).
>
> True. But does it authenticate again? Or merely recognize that you're
> the same person you were before and let you through?

HTTP AUTH sends the user/pass strings with every request (more precisely, the browser caches what you put in, and sends it every time the server returns a 401 with the same realm name.)

--
Matthew Fuller     (MF4839)   |  fullermd@over-yonder.net
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/
"The only reason I'm burning my candle at both ends, is because I haven't figured out how to light the middle yet"

From owner-freebsd-security@FreeBSD.ORG Sat Dec 13 23:59:01 2003
From: Brett Glass
Date: Sun, 14 Dec 2003 00:57:04 -0700
To: "Matthew D. Fuller"
cc: Kyle Amon, security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?

At 10:45 PM 12/13/2003, Matthew D. Fuller wrote:
> HTTP AUTH sends the user/pass strings with every request (more precisely,
> the browser caches what you put in, and sends it every time the server
> returns a 401 with the same realm name.)

I apologize; I wasn't being clear. My question was, does the Apache server then send the user name and password on to the library that is doing authentication every time? Or does it recognize that the user and password (and/or IP) are the same as before and allow subsequent hits?

--Brett
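The Basic-auth behaviour discussed in Bruce's, Matthew's and Brett's messages above (a 401 with WWW-Authenticate when the credential is absent, the browser resending the same credential with every request, and a handler that calls the one-time-password backend once and then recognizes the same client until logout or expiry), as an added example that is not part of the thread and not Apache's or mod_perl's own code. The realm name, user, OTP string, client addresses and the single-use verifier are constructed stand-ins.

```python
import base64
import binascii
import hashlib
from typing import Optional, Tuple

REALM = "otp-protected"  # constructed realm name for the example

def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(user:pass)>' (RFC 2617, section 2).
    Returns None for a missing or malformed header, which the gate turns into a 401."""
    if not authorization:
        return None
    scheme, _, payload = authorization.partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def single_use_verifier(valid_pairs):
    """Models a one-time-password backend: each (user, otp) pair verifies once,
    and a call counter records how often the backend was actually consulted."""
    remaining = set(valid_pairs)
    calls = {"n": 0}
    def verify(user: str, otp: str) -> bool:
        calls["n"] += 1
        try:
            remaining.remove((user, otp))
            return True
        except KeyError:
            return False
    return verify, calls

class AuthGate:
    """Per-request hook in the spirit of the handler Brett sketched: the
    browser resends the same Basic credential on every hit, so the gate
    consults the OTP backend once and then recognizes the same
    (client IP, user, credential) until /logout or the TTL elapses."""
    def __init__(self, verify, ttl_seconds: int) -> None:
        self.verify, self.ttl, self.sessions = verify, ttl_seconds, {}

    @staticmethod
    def _key(client_ip: str, user: str, password: str):
        digest = hashlib.sha256(f"{user}:{password}".encode()).hexdigest()
        return (client_ip, user, digest)   # session is bound to the exact credential

    def _challenge(self):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

    def handle(self, headers: dict, client_ip: str, now: float, path: str = "/"):
        creds = parse_basic(headers.get("Authorization"))
        if creds is None:
            return self._challenge()
        key = self._key(client_ip, *creds)
        if path == "/logout":
            self.sessions.pop(key, None)
            return 200, {}
        expiry = self.sessions.get(key)
        if expiry is not None and now < expiry:
            return 200, {}                 # recognized; backend not called again
        self.sessions.pop(key, None)
        if not self.verify(*creds):
            return self._challenge()       # wrong, or an already-consumed OTP replayed
        self.sessions[key] = now + self.ttl
        return 200, {}

def demo():
    """Constructed request sequence; returns the status codes and backend call count."""
    verify, calls = single_use_verifier({("brett", "OTP-95-WORDS")})
    gate = AuthGate(verify, ttl_seconds=600)
    hdr = {"Authorization": "Basic " + base64.b64encode(b"brett:OTP-95-WORDS").decode()}
    trace = [
        gate.handle({}, "10.0.0.5", now=0)[0],                       # 401: no credential
        gate.handle(hdr, "10.0.0.5", now=1)[0],                      # 200: backend called once
        gate.handle(hdr, "10.0.0.5", now=2, path="/img/a.gif")[0],   # 200: cached, no backend call
        gate.handle(hdr, "10.0.0.9", now=3)[0],                      # 401: other IP, OTP already consumed
        gate.handle(hdr, "10.0.0.5", now=700)[0],                    # 401: TTL expired, replay rejected
    ]
    return trace, calls["n"]

if __name__ == "__main__":
    print(demo())
```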