From owner-freebsd-security@FreeBSD.ORG Mon Aug 15 03:55:22 2005
Message-Id: <200508150355.j7F3tISY066942@app.auscert.org.au>
To: freebsd-security@freebsd.org
From: freebsd-security@auscert.org.au
Date: Mon, 15 Aug 2005 13:55:18 +1000
Subject: recompile sshd with OPIE?

Hi,

I'm having trouble getting an answer to the following problem on
-questions - I hope someone here has done something similar and can help.

I'd like to compile support for FreeBSD OPIE into sshd. Presently I have
to use PAM to achieve one-time password support.
On a 4.x system I have in /etc/ssh/sshd_config

    ChallengeResponseAuthentication yes

and in /etc/pam.conf

    sshd    auth    sufficient    pam_opie.so    no_fake_prompts

To avoid the extra PAM process on 5.x, I'd prefer to just enable OPIE in
the sshd binary, but I'm not sure if this is possible with a commandline
option to make. I would like to rebuild it in the usual way:

    # cd /usr/src/secure/usr.sbin/sshd
    # make obj && make depend && make all install

but somehow define OPIE or, I think, include the configure option
--with-skey=PATH, or both. Can this be achieved within the regular system
build process, or must I roll my own?

thanks,
joel

-- 
Joel Hatton -- Security Analyst        | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT    | Fax:     +61 7 3365 7031
The University of Queensland           | WWW:     www.auscert.org.au
Qld 4072 Australia                     | Email:   auscert@auscert.org.au

From owner-freebsd-security@FreeBSD.ORG Mon Aug 15 12:14:21 2005
To: freebsd-security@auscert.org.au
References: <200508150355.j7F3tISY066942@app.auscert.org.au>
From: des@des.no (Dag-Erling Smørgrav)
Date: Mon, 15 Aug 2005 14:14:12 +0200
In-Reply-To:
 <200508150355.j7F3tISY066942@app.auscert.org.au>
Message-ID: <86wtmnqtwr.fsf@xps.des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: recompile sshd with OPIE?

freebsd-security@auscert.org.au writes:
> Can this be achieved within the regular system build process, or must I
> roll my own?

You need to change src/crypto/openssh/config.h so it says

/* #undef PAM */
#define SKEY 1
#define OPIE 1

instead of

#define PAM 1
/* #undef SKEY */
/* #undef OPIE */

then rebuild world.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Aug 16 01:03:24 2005
Message-Id: <200508160103.j7G13MUj057073@app.auscert.org.au>
To: freebsd-security@freebsd.org
From: freebsd-security@auscert.org.au
In-Reply-To: <86wtmnqtwr.fsf@xps.des.no>
Date: Tue, 16 Aug 2005 11:03:22 +1000
Subject: Re: recompile sshd with OPIE?

> freebsd-security@auscert.org.au writes:
> > Can this be achieved within the regular system build process, or must I
> > roll my own?
>
> You need to change src/crypto/openssh/config.h so it says
>
> /* #undef PAM */
> #define SKEY 1
> #define OPIE 1
>
> instead of
>
> #define PAM 1
> /* #undef SKEY */
> /* #undef OPIE */
>
> then rebuild world.

Thanks - that is extremely helpful. Given that this involves modification
of CVS files I'll create a localised patch for myself. I believe that I
should be able to follow the independent build process for openssh rather
than building world; at least, I'll try that first.

joel

-- 
Joel Hatton -- Security Analyst        | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT    | Fax:     +61 7 3365 7031
The University of Queensland           | WWW:     www.auscert.org.au
Qld 4072 Australia                     | Email:   auscert@auscert.org.au

From owner-freebsd-security@FreeBSD.ORG Tue Aug 16 03:07:25 2005
Message-ID: <43015869.6020307@mac.com>
Date: Mon, 15 Aug 2005 23:07:21 -0400
From: Chuck Swiger
Organization: The Courts of Chaos
To: Dag-Erling Smørgrav
References: <200508150355.j7F3tISY066942@app.auscert.org.au> <86wtmnqtwr.fsf@xps.des.no>
In-Reply-To: <86wtmnqtwr.fsf@xps.des.no>
Cc: freebsd-security@freebsd.org, freebsd-security@auscert.org.au
Subject: Re: recompile sshd with OPIE?

Dag-Erling Smørgrav wrote:
> freebsd-security@auscert.org.au writes:
>> Can this be achieved within the regular system build process, or must I
>> roll my own?
>
> You need to change src/crypto/openssh/config.h so it says
>
> /* #undef PAM */
> #define SKEY 1
> #define OPIE 1
>
> instead of
>
> #define PAM 1
> /* #undef SKEY */
> /* #undef OPIE */
>
> then rebuild world.

Aha!  I bet ports/security/fwtk would be much happier if SKEY was around.
Were these enabled some time ago and since disabled...?
-- 
-Chuck

From owner-freebsd-security@FreeBSD.ORG Tue Aug 16 04:32:10 2005
Message-Id: <200508160432.j7G4W0Lk019832@app.auscert.org.au>
To: des@des.no (Dag-Erling Smørgrav)
From: freebsd-security@auscert.org.au
In-Reply-To: <86wtmnqtwr.fsf@xps.des.no>
Date: Tue, 16 Aug 2005 14:32:00 +1000
Cc: freebsd-security@freebsd.org, freebsd-security@auscert.org.au
Subject: Re: recompile sshd with OPIE?

> freebsd-security@auscert.org.au writes:
> > Can this be achieved within the regular system build process, or must I
> > roll my own?
>
> You need to change src/crypto/openssh/config.h so it says
>
> /* #undef PAM */
> #define SKEY 1
> #define OPIE 1
>
> instead of
>
> #define PAM 1
> /* #undef SKEY */
> /* #undef OPIE */
>
> then rebuild world.

This may sound like a really silly question, but how do I enable it?

After performing the changes above, I installed with:

    cd /usr/src/secure/usr.sbin/sshd
    make cleandir; make cleandir
    make obj && make depend && make all install

There's no man[5] sshd_config entry, but through trial and error I
identified an option that doesn't cause an error:

    SkeyAuthentication yes

I couldn't get any permutation of OpieAuthentication/UseOPIE/... to work.

However, attempts to connect to the running server with SkeyAuthentication
enabled still gives:

    Permission denied (publickey).

This is after creating an opiekey for the user (works for sudo, so is
functional), and with these options enabled (+ defaults where not noted)
in sshd_config:

    Port 22
    Protocol 2
    ListenAddress 10.0.0.1
    LogLevel VERBOSE
    PermitRootLogin no
    StrictModes yes
    HostbasedAuthentication no
    IgnoreUserKnownHosts yes
    IgnoreRhosts yes
    ChallengeResponseAuthentication no
    SkeyAuthentication yes
    AllowTcpForwarding no
    X11Forwarding yes
    Banner /etc/issue

Can you point me in the right direction please?
thanks,

-- 
Joel Hatton -- Security Analyst        | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT    | Fax:     +61 7 3365 7031
The University of Queensland           | WWW:     www.auscert.org.au
Qld 4072 Australia                     | Email:   auscert@auscert.org.au

From owner-freebsd-security@FreeBSD.ORG Tue Aug 16 06:48:34 2005
To: Chuck Swiger
References: <200508150355.j7F3tISY066942@app.auscert.org.au> <86wtmnqtwr.fsf@xps.des.no> <43015869.6020307@mac.com>
From: des@des.no (Dag-Erling Smørgrav)
Date: Tue, 16 Aug 2005 08:46:34 +0200
In-Reply-To: <43015869.6020307@mac.com>
Message-ID: <86d5oepeet.fsf@xps.des.no>
Cc: freebsd-security@freebsd.org, freebsd-security@auscert.org.au
Subject: Re: recompile sshd with OPIE?
Chuck Swiger writes:
> Aha!  I bet ports/security/fwtk would be much happier if SKEY was around.
> Were these enabled some time ago and since disabled...?

FreeBSD doesn't have S/Key for the simple reason that OPIE is a drop-in
replacement.  See the top of src/crypto/openssh/auth-skey.c for an
example of how to substitute OPIE for S/Key.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Aug 16 06:49:34 2005
To: freebsd-security@auscert.org.au
References: <200508160432.j7G4W0Lk019832@app.auscert.org.au>
From: des@des.no (Dag-Erling Smørgrav)
Date: Tue, 16 Aug 2005 08:49:28 +0200
In-Reply-To: <200508160432.j7G4W0Lk019832@app.auscert.org.au>
Message-ID: <868xz2pe9z.fsf@xps.des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: recompile sshd with OPIE?

freebsd-security@auscert.org.au writes:
> This may sound like a really silly question, but how do I enable it?

ChallengeResponseAuthentication Yes (which is the default)

> There's no man[5] sshd_config entry,

Yes, there is.

> but through trial and error I
> identified an option that doesn't cause an error: SkeyAuthentication yes

Which FreeBSD version are you running?  There is no such option in any
recent OpenSSH version, and unrecognized options should cause a fatal
error.
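The two steps discussed in this thread, rewriting config.h before the rebuild and then making sure ChallengeResponseAuthentication is actually in effect, as one added shell example. This is not code from the thread, from the list or from the FreeBSD tree. The config.h rewrite assumes the three lines appear exactly as quoted above. The sshd_config reader reproduces two rules of sshd's own parser (servconf.c): the first occurrence of an option wins, and SkeyAuthentication is accepted as an alias of ChallengeResponseAuthentication in OpenSSH of this era, which is why the configuration posted earlier, with ChallengeResponseAuthentication no listed before SkeyAuthentication yes, still evaluates to no. The file names and file contents used in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from FreeBSD.
# Two helpers for the procedure discussed above:
#   1. enable_opie_config_h FILE  rewrites the three config.h lines named in
#      the thread (PAM off, SKEY and OPIE on) so the change can be re-applied
#      after a source update instead of being hand-edited each time.
#   2. effective_cra FILE         prints the value sshd will actually use for
#      ChallengeResponseAuthentication, following sshd's parsing rules:
#      keywords are case-insensitive, the FIRST occurrence of an option wins,
#      and "SkeyAuthentication" is an alias of ChallengeResponseAuthentication
#      in OpenSSH of this era (servconf.c).
# Paths and sample files in demo() are assumptions made up for the example.

enable_opie_config_h() {
    # $1: path to src/crypto/openssh/config.h (lines assumed exactly as quoted)
    sed -e 's|^#define PAM 1$|/* #undef PAM */|' \
        -e 's|^/\* #undef SKEY \*/$|#define SKEY 1|' \
        -e 's|^/\* #undef OPIE \*/$|#define OPIE 1|' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

config_h_has_opie() {
    # Returns 0 only if all three lines are in the requested state.
    grep -q '^/\* #undef PAM \*/$' "$1" &&
    grep -q '^#define SKEY 1$' "$1" &&
    grep -q '^#define OPIE 1$' "$1"
}

effective_cra() {
    # $1: sshd_config path; prints yes or no (sshd's default is yes)
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            n = split($0, f, /[ \t=]+/)
            if (n < 2) next
            key = tolower(f[1]); val = tolower(f[2])
            if (key == "challengeresponseauthentication" ||
                key == "skeyauthentication") {
                print val; found = 1; exit
            }
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# Demonstration on constructed files (not real system files).
demo() {
    d=$(mktemp -d)

    printf '%s\n' '#define PAM 1' '/* #undef SKEY */' '/* #undef OPIE */' > "$d/config.h"
    enable_opie_config_h "$d/config.h"
    config_h_has_opie "$d/config.h" && echo "config.h: OPIE build enabled"

    # The relevant options from the sshd_config posted in the thread: the
    # first ChallengeResponseAuthentication line wins, so the alias that
    # follows changes nothing and challenge/response stays off.
    printf '%s\n' 'Port 22' 'ChallengeResponseAuthentication no' \
        'SkeyAuthentication yes' > "$d/sshd_config.posted"
    echo "posted config: ChallengeResponseAuthentication=$(effective_cra "$d/sshd_config.posted")"

    printf '%s\n' 'Port 22' 'ChallengeResponseAuthentication yes' > "$d/sshd_config.fixed"
    echo "fixed config:  ChallengeResponseAuthentication=$(effective_cra "$d/sshd_config.fixed")"

    rm -rf "$d"
}

demo
```

Run the demo first; only once it prints no for the posted configuration and yes for the fixed one, point enable_opie_config_h at the real src/crypto/openssh/config.h and effective_cra at /etc/ssh/sshd_config. The awk reader deliberately ignores everything except the two keywords it is asked about, so it says nothing about the rest of the file.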
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Aug 16 07:04:41 2005
Message-Id: <200508160704.j7G74asm061949@app.auscert.org.au>
To: des@des.no (Dag-Erling Smørgrav)
In-Reply-To: <868xz2pe9z.fsf@xps.des.no>
Date: Tue, 16 Aug 2005 17:04:36 +1000
From: Joel Hatton
Cc: freebsd-security@freebsd.org, freebsd-security@auscert.org.au
Subject: Re: recompile sshd with OPIE?

> freebsd-security@auscert.org.au writes:
> > This may sound like a really silly question, but how do I enable it?
>
> ChallengeResponseAuthentication Yes

Aah - silly me - I always associated that with PAM.
I'll try this asap - holiday tomorrow so in a day or two.

> > There's no man[5] sshd_config entry,

Sorry, I meant there's no mention of OPIE in man[5] sshd_config - as soon
as I read my email I thought it could be misinterpreted :)

> > but through trial and error I
> > identified an option that doesn't cause an error: SkeyAuthentication yes
>
> Which FreeBSD version are you running?  There is no such option in any
> recent OpenSSH version, and unrecognized options should cause a fatal
> error.

5.3Rp20 - I found this option just by random guessing, it didn't cause an
error and the daemon started ok! Didn't work though...

thanks very much,

-- 
Joel Hatton -- Security Analyst        | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT    | Fax:     +61 7 3365 7031
The University of Queensland           | WWW:     www.auscert.org.au
Qld 4072 Australia                     | Email:   auscert@auscert.org.au

From owner-freebsd-security@FreeBSD.ORG Thu Aug 18 12:58:38 2005
To: freebsd-security@FreeBSD.org
From: Jacques Vidrine
Date: Thu, 18 Aug 2005 07:58:34 -0500
Subject: New FreeBSD Security Officer

Hello Everyone!

It has been my pleasure and privilege to serve as the FreeBSD Security
Officer for the past 3+ years.  With the crucial support of the FreeBSD
Security Team members, a lot has been accomplished: hundreds of security
issues have been researched and tracked, with some resulting in security
advisories and patches; software in the Ports Collection is updated more
quickly to remove vulnerabilities; flaws are well-documented in the
Vulnerabilities and Exposures Markup Language (VuXML); communication with
other software and hardware vendors, security researchers, and emergency
response organizations has grown greatly; and the FreeBSD Security
Branches are now supported for a much longer period of time over a
greater number of releases.  I'd like to thank the members of the
security team over the past few years for these accomplishments: Eivind
Eklund, Julian Elischer, Chris Faulhaber, Bill Fumerola, Daniel Harris,
Trevor Johnson, Remko Lodder, Simon Nielsen, Christian Peron, Wes Peters,
Josef El-Rayes, Tom Rhodes, Gregory Shapiro, Bruce Simpson, Dag-Erling
Smørgrav, and Robert Watson.  Several of our previous security officers
have also given much help: Kris Kennaway, Warner Losh, and Guido van
Rooij.

I asked the FreeBSD Core Team to offer the security officer role to Colin
Percival, and I am happy to say that they agreed and that Colin accepted.
Colin has been a FreeBSD committer since January 2004, and has been an
energetic member of the FreeBSD Security Team for most of that time.
He is well-known for his software creations "FreeBSD Update", "portsnap",
and "bsdiff"; as well as his paper published earlier this year, "Cache
Missing for Fun and Profit".  I have no doubt that he will do an
outstanding job fulfilling the FreeBSD Security Officer's charter.

Thanks for everyone's support over the years, and please extend the same
and more for Colin!

Cheers,
-- 
Jacques Vidrine

From owner-freebsd-security@FreeBSD.ORG Thu Aug 18 14:48:28 2005
Message-ID: <43049FB2.1030203@fsn.hu>
Date: Thu, 18 Aug 2005 16:48:18 +0200
From: Attila Nagy
To: freebsd-security@FreeBSD.org
Subject: Closing information leaks in jails?
Hello,

I'm wondering about closing some information leaks in FreeBSD jails from
the "outside world".

Not that critical (depends on the application), but a simple user, with
restricted devfs in the jail (devfsrules_jail for example from
/etc/defaults/devfs.rules) can figure out the following:

- network interfaces related data, via ifconfig, which contains
  everything, but the primary IP address of the interfaces. It seems that
  alias IPs can be viewed:

    bge0: flags=8843 mtu 1500
            options=1a
            ether 00:12:79:3d:83:c2
            media: Ethernet autoselect (100baseTX )
            status: active
    lo0: flags=8049 mtu 16384
            inet 127.0.0.2 netmask 0xff000000

- the arp table via arp, which does contain the above interface
  addresses. This can be used for example to detect other machines on the
  same subnet, which communicate with the host machine.
- full dmesg output after boot and the kernel buffer when it overflows
  (can contain sensitive information)
- information about geom providers (at least geom mirror list works)
- the list of the loaded kernel modules via kldstat
- some interesting information about the network related stuff via netstat
- information about configured swap space via swapinfo
- NFS related statistics via nfsstat
- a lot of interesting stuff via sysctl

and maybe more, I can't think of currently.

Are there any ways to close (some of) these?

Thanks,

-- 
Attila Nagy                                  e-mail: Attila.Nagy@fsn.hu
Adopt a directory on our free software       phone @work: +361 371 3536
server!
http://www.fsn.hu/?f=brick                   cell.: +3630 306 6758

From owner-freebsd-security@FreeBSD.ORG Thu Aug 18 15:47:09 2005
Message-ID: <4304AD72.2060504@fsn.hu>
Date: Thu, 18 Aug 2005 17:46:58 +0200
From: Attila Nagy
To: Benjamin Lutz
References: <43049FB2.1030203@fsn.hu> <4304A6C6.6090006@datacomm.ch>
In-Reply-To: <4304A6C6.6090006@datacomm.ch>
Cc: freebsd-security@FreeBSD.org
Subject: Re: Closing information leaks in jails?
Benjamin Lutz wrote:
>>- full dmesg output after boot and the kernel buffer when it overflows
>>(can contain sensitive information)
> If it's sensitive in so far as it endangers the privacy of local
> non-jailed users, I think that's a bug that'd need fixing.

There are many points from which this issue can be observed. Let's take a
shell server, or a CGI server. Take the latter for an example.

> I'm not sure why hiding the mentioned information is bad. It only

Not bad at all. The bad thing is that they are available and the
administrator can't (AFAIK, without any hacking) hide them. :)

> contains machine-specific data, and at best the private information a
> jailed user will be able to figure out is the machine's usage patterns
> (yes, crypto folks don't like that, but c'mon...). Hiding that data
> isn't real security.

Hmm. Why doesn't ifconfig tell me the main IP address of an interface?

BTW, this is not a usage pattern, and ARP data (MAC addresses, you can do
interesting stuff with them, for example guess what kind of operating
system and hardware run the given IP, etc) is not either. And not showing
the MAC and IP addresses for all of your users can be real security.

> Besides, the user can only gain the data if he can execute the binaries
> that provide it. Why not remove, say, the geom programs (and at the same
> time make it impossible to execute new programs? Eg only make the
> home/tmp dirs writeable, but put those on a noexec partition). That
> should make it hard enough to access geom data.

As I said there are many different cases. In the case of a CGI server,
you must make those executables executable. And the worst part is that
your users can modify them without too much control.
In another example, when you would like to provide "virtual machines",
where the user can manage his jail, this "solution" is also not good.

I think it is pointless to ask whether hiding the ARP table, or the
system's IP addresses, is sane or not, when currently you can't do a
netstat -an from inside a jail and also can't do many other things.

Oh, and you can do iostat! :)

-- 
Attila Nagy                                  e-mail: Attila.Nagy@fsn.hu
Adopt a directory on our free software       phone @work: +361 371 3536
server!
http://www.fsn.hu/?f=brick                   cell.: +3630 306 6758

From owner-freebsd-security@FreeBSD.ORG Thu Aug 18 16:21:43 2005
Date: Thu, 18 Aug 2005 09:02:03 -0700
From: Colin Percival
To: Jacques Vidrine
Message-id: <4304B0FB.90100@freebsd.org>
text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Accept-Language: en-us, en References: User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050724) Cc: freebsd-security@freebsd.org Subject: Re: New FreeBSD Security Officer X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Aug 2005 16:21:43 -0000 Jacques Vidrine wrote: > I asked the FreeBSD Core Team to offer the security officer role to > Colin Percival, and I am happy to say that they agreed and that Colin > accepted. [...] Thanks, Jacques, for the words of introduction. I'd like to take this opportunity to say a few words to the community about my new role here. First, I'm sure everyone can agree that Jacques has done a wonderful job over the past 43 months; while he is eager to blame the security team for his many accomplishments, it should be remembered that he was the driving force behind all of the changes which were made during his tenure and ultimately he must take credit for them. Second, while I am taking over as Security Officer, I won't be changing very much. There will inevitably be some changes -- including a few which have been discussed for several months now -- but on the whole FreeBSD users should notice very little of difference. This is a change of personnel, not a change of principles. Finally, I'd like to remind the community that FreeBSD is ultimately a volunteer project, and community suppose is essential. If you find a security problem -- or even if you find something which might possibly be a security problem but you're not certain if it is or not -- then please let us know. We can't fix problems which we don't know about, and the FreeBSD user community has far more eyes than the FreeBSD security team. 
Colin Percival
FreeBSD Security Officer

From owner-freebsd-security@FreeBSD.ORG Thu Aug 18 22:41:31 2005
From: Nate Nielsen
Reply-To: nielsen@memberwebs.com
Date: Thu, 18 Aug 2005 22:44:42 +0000 (GMT)
To: Attila Nagy
Cc: freebsd-security@FreeBSD.org
Subject: Re: Closing information leaks in jails?
Message-Id: <20050818224438.2084D70DBC6@mail.npubs.com>
References: <43049FB2.1030203@fsn.hu>

Attila Nagy wrote:
> Hello,
>
> I'm wondering about closing some information leaks in FreeBSD jails from
> the "outside world".
>
> Not that critical (depends on the application), but a simple user, with
> restricted devfs in the jail (devfsrules_jail for example from
> /etc/defaults/devfs.rules) can figure out the following:
>
> - network interfaces related data, via ifconfig, which contains
> everything, but the primary IP address of the interfaces. It seems that
> alias IPs can be viewed:
> bge0: flags=8843 mtu 1500
> options=1a
> ether 00:12:79:3d:83:c2
> media: Ethernet autoselect (100baseTX )
> status: active
> lo0: flags=8049 mtu 16384
> inet 127.0.0.2 netmask 0xff000000

For me this only shows the alias assigned to the jail.

> - full dmesg output after boot and the kernel buffer when it overflows
> (can contain sensitive information)

Yes, this is important. Use:

sysctl -w security.bsd.unprivileged_read_msgbuf=0

> - information about geom providers (at least geom mirror list works)
> - the list of the loaded kernel modules via kldstat
> - some interesting information about the network related stuff via netstat

netstat works, but it limits itself to the jail pretty well. In particular 'netstat -r' and friends don't work. The normal 'netstat -a' only shows connections to the current jail. It does show the output from 'netstat -m' and those sort of things, but those say nothing about the network load of the current machine.

> - information about configured swap space via swapinfo

Not sure I see how this could be used against you.

> - NFS related statistics via nfsstat

Again only statistics. Not sure how this is a problem.

> - a lot of interesting stuff via sysctl

Yes, there's a lot there, but a lot *is* filtered out in a jail.

> Are there any ways to close (some of) these?

My suggestion would be to file bugs one by one for each piece of information that causes you concern, along with the reasoning of why that information is dangerous or sensitive. The FreeBSD developers have been attentive to these things, and have added functionality in almost each release to minimize information available in a jail. So pointing specific issues out will probably get good results.
Cheers,
Nate

From owner-freebsd-security@FreeBSD.ORG Fri Aug 19 08:20:33 2005
From: Attila Nagy
Date: Fri, 19 Aug 2005 10:20:14 +0200
To: nielsen@memberwebs.com
Cc: freebsd-security@FreeBSD.org
Subject: Re: Closing information leaks in jails?
Message-ID: <4305963E.8070404@fsn.hu>
In-Reply-To: <20050818224438.2084D70DBC6@mail.npubs.com>

Nate Nielsen wrote:
> For me this only shows the alias assigned to the jail.

You are right.

>> - full dmesg output after boot and the kernel buffer when it overflows
>> (can contain sensitive information)
> Yes, this is important. Use:
> sysctl -w security.bsd.unprivileged_read_msgbuf=0

Hmm, thanks, that was new info for me.

> only shows connections to the current jail. It does show the output from
> 'netstat -m' and those sort of things, but those say nothing about the
> network load of the current machine.

Yes, they are not that critical.

>> - information about configured swap space via swapinfo
> Not sure I see how this could be used against you.

Nothing bad, but I can imagine a situation where the operator of the host machine wants to hide everything about the real specifications. For example if the machine is overbooked and the swap is lightly or heavily used, etc.

>> - NFS related statistics via nfsstat
> Again only statistics. Not sure how this is a problem.

For me, they are not, just another thing which could be guessed about the host and not the jail (if I am right).

>> - a lot of interesting stuff via sysctl
> Yes, there's a lot there, but a lot *is* filtered out in a jail.

Yep.

> My suggestion would be to file bugs one by one for each piece of
> information that causes you concern along with the reasoning of why that
> information is dangerous or sensitive.

The biggest issue for me was dmesg and the ARP table. All of the others were there because I wanted to know what else an unprivileged user could guess about the host. I will open a PR with the ARP table issue.

> The FreeBSD developers have been attentive to these things, and have
> added functionality in almost each release to minimize information
> available in a jail. So pointing specific issues out will probably get
> good results.

Yes, last time I checked these, the user in a jail could list all of the mounted file systems. Now it is less chatty. :)

Thanks,
--
Attila Nagy e-mail: Attila.Nagy@fsn.hu
Adopt a directory on our free software server! phone @work: +361 371 3536
http://www.fsn.hu/?f=brick cell.: +3630 306 6758

From owner-freebsd-security@FreeBSD.ORG Fri Aug 19 08:48:22 2005
From: Pawel Malachowski
Date: Fri, 19 Aug 2005 10:46:47 +0200
To: freebsd-security@freebsd.org
Subject: Re: Closing information leaks in jails?
Message-ID: <20050819084647.GA53116@shellma.zin.lublin.pl>
In-Reply-To: <20050818224438.2084D70DBC6@mail.npubs.com>

On Thu, Aug 18, 2005 at 10:44:42PM +0000, Nate Nielsen wrote:
> netstat works, but it limits itself to the jail pretty well. In
> particular 'netstat -r' and friends don't work. The normal 'netstat -a'
> only shows connections to the current jail. It does show the output from
> 'netstat -m' and those sort of things, but those say nothing about the
> network load of the current machine.

One can use the bmon application in a jail to graph network activity in real time, for example:

% sysctl -a | grep jail
security.jail.set_hostname_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.getfsstatroot_only: 1
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.jailed: 1
% id
uid=11226(pawmal) gid=10999(pawmal) groups=10999(pawmal)
% bmon
  #   Interface              RX Rate      RX #     TX Rate      TX #
  ....................................................................................
  xxx (source: local)
  0   fxp0                   1.29KiB        23     32.51KiB       34
  1   lo0                    442.00B         2     442.00B         2
  2   vlan3                  660.00B        11     32.40KiB       27
  3   vlan4                  419.00B         5     0.00B           0
  4   vlan6                  0.00B           0     0.00B           0
  5   vlan9                  0.00B           0     0.00B           0

--
Paweł Małachowski

From owner-freebsd-security@FreeBSD.ORG Fri Aug 19 09:42:52 2005
From: Jeremie Le Hen
Date: Fri, 19 Aug 2005 11:43:19 +0200
To: Attila Nagy
Cc: freebsd-security@FreeBSD.org
Message-ID: <20050819094319.GW659@obiwan.tataz.chchile.org>
In-Reply-To: <43049FB2.1030203@fsn.hu>
Subject: Re: Closing information leaks in jails?

Hi Attila,

> I'm wondering about closing some information leaks in FreeBSD jails from
> the "outside world".
>
> Not that critical (depends on the application), but a simple user, with
> restricted devfs in the jail (devfsrules_jail for example from
> /etc/defaults/devfs.rules) can figure out the following:
>
> - network interfaces related data, via ifconfig, which contains
> everything, but the primary IP address of the interfaces. It seems that
> alias IPs can be viewed:
> bge0: flags=8843 mtu 1500
> options=1a
> ether 00:12:79:3d:83:c2
> media: Ethernet autoselect (100baseTX )
> status: active
> lo0: flags=8049 mtu 16384
> inet 127.0.0.2 netmask 0xff000000
>
> - the arp table via arp, which does contain the above interface
> addresses. This can be used for example to detect other machines on the
> same subnet, which communicate with the host machine.
> - full dmesg output after boot and the kernel buffer when it overflows
> (can contain sensitive information)
> - information about geom providers (at least geom mirror list works)
> - the list of the loaded kernel modules via kldstat
> - some interesting information about the network related stuff via netstat
> - information about configured swap space via swapinfo
> - NFS related statistics via nfsstat
> - a lot of interesting stuff via sysctl
>
> and maybe more, I can't think of currently.
>
> Are there any ways to close (some of) these?

The original paper from phk@ and rwatson@ presenting jails makes it sound like a very neat concept. While I agree it is worth adding restrictions or features where they are really needed, the jail framework tends towards being fairly intrusive in the system. Therefore, I think ``hacking'' the source for all the above situations is not a good idea, although I agree there may be a need for them.

What I'm going to say is obvious for most people, but saying it may spur on people's imagination :-). BSD solutions are known to be smart; putting a bandage everywhere we seem to need one is not the appropriate way to go. For example, it has recently been discussed that it would be worth having virtual network stacks, in order to have the ability to multiplex M jails over N virtual network stacks. The development of this hasn't even started on newer FreeBSD systems, but it seems the upcoming new routing code is going to be modified to handle multiple routing tables, in the same way as Linux does it. Andre Oppermann is going to publish a paper about his intentions towards the FreeBSD routing code. If you are interested in this, you may want to have a look at this (long) subthread [1].

The problem is actually that there are many ways to access kernel information, and it is therefore a hard task to get a common security framework which would be simple to use for jails. At the moment, you might want to look at the MAC framework from the TrustedBSD project. I've never used it but I think it may overcome at least some of your concerns.

Regards,

[1] http://lists.freebsd.org/pipermail/freebsd-net/2005-August/008027.html
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Thu Aug 18 15:18:36 2005
From: Benjamin Lutz
Date: Thu, 18 Aug 2005 17:18:30 +0200
To: Attila Nagy
Cc: freebsd-security@FreeBSD.org
Subject: Re: Closing information leaks in jails?
Message-ID: <4304A6C6.6090006@datacomm.ch>
In-Reply-To: <43049FB2.1030203@fsn.hu>
X-Mailman-Approved-At: Fri, 19 Aug 2005 12:33:35 +0000
Attila Nagy wrote:
> Hello,
>
> I'm wondering about closing some information leaks in FreeBSD jails from
> the "outside world".
>
> Not that critical (depends on the application), but a simple user, with
> restricted devfs in the jail (devfsrules_jail for example from
> /etc/defaults/devfs.rules) can figure out the following:
[...]
> - full dmesg output after boot and the kernel buffer when it overflows
> (can contain sensitive information)

If it's sensitive in so far as it endangers the privacy of local non-jailed users, I think that's a bug that'd need fixing.

> - information about geom providers (at least geom mirror list works)
> - the list of the loaded kernel modules via kldstat
> - some interesting information about the network related stuff via netstat
> - information about configured swap space via swapinfo
> - NFS related statistics via nfsstat
> - a lot of interesting stuff via sysctl

I'm not sure why hiding the mentioned information is bad. It only contains machine-specific data, and at best the private information a jailed user will be able to figure out is the machine's usage patterns (yes, crypto folks don't like that, but c'mon...). Hiding that data isn't real security.

Besides, the user can only gain the data if he can execute the binaries that provide it. Why not remove, say, the geom programs (and at the same time make it impossible to execute new programs? Eg only make the home/tmp dirs writeable, but put those on a noexec partition). That should make it hard enough to access geom data.

Cheers
Benjamin

From owner-freebsd-security@FreeBSD.ORG Fri Aug 19 13:10:39 2005
From: Pawel Jakub Dawidek
Date: Fri, 19 Aug 2005 15:10:15 +0200
To: Benjamin Lutz
Cc: freebsd-security@FreeBSD.org
Subject: Re: Closing information leaks in jails?
Message-ID: <20050819131015.GD21893@garage.freebsd.pl>
In-Reply-To: <4304A6C6.6090006@datacomm.ch>
X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc
X-OS: FreeBSD 7.0-CURRENT i386

On Thu, Aug 18, 2005 at 05:18:30PM +0200, Benjamin Lutz wrote:
+> > - full dmesg output after boot and the kernel buffer when it overflows
+> > (can contain sensitive information)
+>
+> If it's sensitive in so far as it endangers the privacy of local
+> non-jailed users, I think that's a bug that'd need fixing.

sysctl security.bsd.unprivileged_read_msgbuf=0

--
Pawel Jakub Dawidek http://www.wheel.pl
pjd@FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
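The knobs this thread turns on (security.bsd.unprivileged_read_msgbuf from Nate's and Pawel Jakub Dawidek's replies, and the security.jail.* values in Pawel Malachowski's listing) can be checked in one pass rather than one sysctl at a time. The script below is an added example, not code from the list or from FreeBSD: it parses `sysctl -a` style "name: value" output, compares the jail-related knobs with a hardened baseline, and emits the /etc/sysctl.conf lines that would persist the fixes. The two sample outputs are constructed from the listing above, with the message-buffer knob at an assumed default of 1; the one-line description of each knob is this example's own summary of what it controls.

```python
"""Audit FreeBSD jail-related sysctls against a hardened baseline.

Added example; not a script from the list thread or from FreeBSD. The
baseline covers only knobs that appear in the thread, and the description
of each knob is this example's summary of what it controls.
"""
from typing import Dict, List, Tuple

# name -> (hardened value, what is exposed or allowed when the value differs)
BASELINE: Dict[str, Tuple[int, str]] = {
    "security.bsd.unprivileged_read_msgbuf":
        (0, "unprivileged (and jailed) users can read the kernel message buffer with dmesg"),
    "security.jail.set_hostname_allowed":
        (0, "jail root may change the jail's hostname"),
    "security.jail.socket_unixiproute_only":
        (1, "jailed processes may create sockets outside the unix/inet/route families"),
    "security.jail.sysvipc_allowed":
        (0, "jailed processes share System V IPC objects with the host"),
    "security.jail.getfsstatroot_only":
        (1, "jailed users see every mounted file system on the host, not just the jail root"),
    "security.jail.allow_raw_sockets":
        (0, "jailed processes may open raw sockets"),
    "security.jail.chflags_allowed":
        (0, "jail root may set or clear system file flags such as schg"),
}

Finding = Tuple[str, str, int, str]  # (name, current value, wanted value, exposure)


def parse_sysctl(output: str) -> Dict[str, str]:
    """Parse `sysctl -a` style output, one 'name: value' per line."""
    values: Dict[str, str] = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            values[name.strip()] = value.strip()
    return values


def in_jail(values: Dict[str, str]) -> bool:
    """True when the output was captured inside a jail (security.jail.jailed is 1)."""
    return values.get("security.jail.jailed") == "1"


def audit(values: Dict[str, str]) -> List[Finding]:
    """Return every baseline knob whose value is absent, unreadable or too permissive."""
    findings: List[Finding] = []
    for name, (wanted, exposure) in BASELINE.items():
        current = values.get(name)
        if current is None or not current.lstrip("-").isdigit():
            # An absent or unreadable knob is reported, never assumed safe.
            findings.append((name, "<absent>" if current is None else current, wanted, exposure))
        elif int(current) != wanted:
            findings.append((name, current, wanted, exposure))
    return findings


def sysctl_conf_lines(findings: List[Finding]) -> List[str]:
    """Lines for /etc/sysctl.conf that persist the hardened values across reboots."""
    return [f"{name}={wanted}" for name, _, wanted, _ in findings]


def report(findings: List[Finding]) -> str:
    if not findings:
        return "all checked jail knobs are at their hardened values"
    return "\n".join(f"{n}: is {c}, want {w}: {e}" for n, c, w, e in findings)


# Constructed sample: the jail listing from the thread plus the message-buffer
# knob at its assumed default of 1, as an unprivileged jailed user would see it.
SAMPLE_INSIDE_JAIL = """\
security.bsd.unprivileged_read_msgbuf: 1
security.jail.set_hostname_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.getfsstatroot_only: 1
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.jailed: 1
"""

# Constructed sample: the host after the fix, captured outside any jail.
SAMPLE_HARDENED_HOST = """\
security.bsd.unprivileged_read_msgbuf: 0
security.jail.set_hostname_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.getfsstatroot_only: 1
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.jailed: 0
"""

if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # On a FreeBSD machine, audit the running kernel instead of the samples.
        text = subprocess.run(["sysctl", "-a"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_INSIDE_JAIL
    vals = parse_sysctl(text)
    found = audit(vals)
    print("checked", "inside a jail:" if in_jail(vals) else "on the host:")
    print(report(found))
    for line in sysctl_conf_lines(found):
        print("sysctl.conf:", line)
```

Run on the constructed jail sample it flags only the message buffer and prints the `security.bsd.unprivileged_read_msgbuf=0` line; on a live host, apply that with `sysctl -w` as Nate shows and put the printed line in /etc/sysctl.conf so it survives a reboot. Knobs that are absent from the output are reported rather than ignored, since a capture from inside a jail does not prove the host is configured safely.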
From owner-freebsd-security@FreeBSD.ORG Fri Aug 19 22:15:14 2005
From: "Sean P. Malone"
Reply-To: smalone@udallas.edu
Date: Fri, 19 Aug 2005 17:15:11 -0500
To: FreeBSD Security
Subject: pam_radius fail open?
Message-ID: <430659EF.2060202@udallas.edu>

Okay, I guess I'll be the first to take Colin Percival up in that the following statement applies to me: "If you find a security problem -- or even if you find something which might possibly be a security problem but you're not certain if it is or not -- then please let us know."

I recently installed pam_radius according to the instructions located at the following address:

https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern

The instructions were very helpful. However, I'm not sure if I've mistakenly stumbled onto a fail open situation in that I'm fairly new to FreeBSD. Namely, while configuring /etc/pam.conf to validate SSH login credentials via radius against our existing Active Directory, I mistakenly typed the line for ssh as follows:

ssh auth required pam_radius.so -update -/usr/local/etc/radius

mistakenly thinking that one specifies the protocol as opposed to the daemon. Here is the result when I ssh in to the server from another host:

login as: smalone
Last login: Fri Aug 19 16:34:16 2005 from 10.3.20.101
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Mar 25 20:58:42 CST 2005
$

The thing to note is that the system did not prompt me for a password. I got right in to a shell prompt. Frightened, I then corrected the line to read:

sshd auth required pam_radius.so -update -/usr/local/etc/radius

and all worked as it should. I could ssh into the system using my AD password and the log file on the IAS server recorded a successful radius auth from the host.

However, I then went back to the /etc/pam.conf file and commented out the ssh line altogether, resulting in a pam.conf that reads exactly as below:

$ cat /etc/pam.conf
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth
#sshd auth required pam_radius.so -update -/usr/local/etc/radius
#auth required pam_nologin.so no_warn
#auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass

# account
#account required pam_krb5.so
#account required pam_login_access.so
#account required pam_unix.so

# session
#session optional pam_ssh.so
#session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
#password required pam_unix.so no_warn try_first_pass
$

Basically, it's an empty file as far as pam_radius knows. Then I tried once more to ssh in to the server and was, once again, let in without being prompted for a password.

Thus, would it not only require someone to merely know the name of one of your users (such as an email username on an email host) to get a shell? Is this a fail open?
Regards,
Sean Malone

From owner-freebsd-security@FreeBSD.ORG Fri Aug 19 22:32:39 2005
From: Scot Hetzel
Date: Fri, 19 Aug 2005 17:32:37 -0500
To: smalone@udallas.edu
Cc: FreeBSD Security
Subject: Re: pam_radius fail open?
Message-ID: <790a9fff05081915323dc45ac6@mail.gmail.com>
In-Reply-To: <430659EF.2060202@udallas.edu>

On 8/19/05, Sean P. Malone wrote:
> $ cat /etc/pam.conf
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> #
> # PAM configuration for the "sshd" service
> #
>
> # auth
>
> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
> #auth required pam_nologin.so no_warn
> Basically, it's an empty file as far as pam_radius knows.
>

I think you incorrectly configured your system; you should have edited the /etc/pam.d/sshd file and added the pam_radius in there as:

auth required pam_radius.so -update -/usr/local/etc/radius

When you created the /etc/pam.conf file, you told PAM to not look in the /etc/pam.d directory for config info for any of the services listed in /etc/pam.d. This caused it to not know how to authenticate any logins, which resulted in it allowing all logins.

I believe this is also why you were able to log into your system with just a:

ssh auth required pam_radius.so -update -/usr/local/etc/radius

in your /etc/pam.conf, as there was no entry for sshd in pam.conf.

Scot
--
DISCLAIMER:
No electrons were maimed while sending this message. Only slightly bruised.
From owner-freebsd-security@FreeBSD.ORG Sat Aug 20 22:48:48 2005
From: Stefan Bethke
Date: Sun, 21 Aug 2005 00:47:54 +0200
To: Scot Hetzel
Cc: FreeBSD Security, smalone@udallas.edu
Subject: Re: pam_radius fail open?
In-Reply-To: <790a9fff05081915323dc45ac6@mail.gmail.com>
References: <430659EF.2060202@udallas.edu> <790a9fff05081915323dc45ac6@mail.gmail.com>

On 20 Aug 2005 at 00:32, Scot Hetzel wrote:
> On 8/19/05, Sean P. Malone wrote:
>
>> $ cat /etc/pam.conf
>> #
>> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
>> #
>> # PAM configuration for the "sshd" service
>> #
>>
>> # auth
>>
>> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
>> #auth required pam_nologin.so no_warn
>>
>
>> Basically, it's an empty file as far as pam_radius knows.
>>
>
> I think you incorrectly configured your system, you should have edited
> the /etc/pam.d/sshd file and added the pam_radius in there as:
>
> auth required pam_radius.so -update -/usr/local/etc/radius
>
> When you created the /etc/pam.conf file, you told PAM to not look in
> the /etc/pam.d directory for config info for any of the services
> listed in /etc/pam.d. This caused it to not know how to authenticate
> any logins, which resulted in it allowing all logins.

I don't know what's wrong, but this explanation is not correct (on 6.0-BETA2). The man page states that /etc/pam.d/* information is consulted before /etc/pam.conf, and creating an empty /etc/pam.conf won't let me log in unless I enter a correct password.

My experience with pam has been too confusing to add any real insight. I'd hope that des@ would be able to comment properly...

Stefan
--
Stefan Bethke Fon +49 170 346 0140
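The thread leaves the cause of Sean's password-less login open: Scot and Stefan disagree about what an /etc/pam.conf does to /etc/pam.d, and nobody on the list settles it. Two things can be stated precisely, though: how a service name selects a policy, and how the control flags combine the modules' results into one verdict. The simulator below is an added example, neither code from the list nor OpenPAM's own. It follows the search order pam.conf(5) documents for OpenPAM's /etc locations (/etc/pam.d/<service>, then that service's lines in /etc/pam.conf, then the same for "other"; the /usr/local/etc copies are left out), uses constructed policy texts and module outcomes, and by its own choice denies when the selected chain is empty. The `ssh` versus `sshd` lines are Sean's; the stock "other" policy is a stand-in, not FreeBSD's actual file.

```python
"""Simulate PAM policy lookup and control-flag evaluation.

Added example, not code from the list or from OpenPAM. Policy texts and
module outcomes are constructed. An empty chain denies here by choice;
what a real PAM implementation does with an empty or missing chain is
something to verify on that system, the thread above did not settle it.
"""
from typing import Dict, List, Tuple

Entry = Tuple[str, str]          # (control flag, module name)
Chains = Dict[str, List[Entry]]  # facility -> module chain
CONTROLS = ("required", "requisite", "sufficient", "optional")


def _fields(line: str) -> List[str]:
    """Drop comments and split a policy line into whitespace-separated fields."""
    return line.split("#", 1)[0].split()


def parse_pam_d(text: str) -> Chains:
    """Parse a /etc/pam.d/<service> file: 'facility control module [args...]'."""
    chains: Chains = {}
    for raw in text.splitlines():
        fields = _fields(raw)
        if len(fields) >= 3:
            facility, control, module = fields[:3]
            chains.setdefault(facility, []).append((control, module))
    return chains


def parse_pam_conf(text: str, service: str) -> Chains:
    """Parse /etc/pam.conf: 'service facility control module [args...]'.
    Only lines whose service field matches exactly apply: 'ssh' is not 'sshd'."""
    chains: Chains = {}
    for raw in text.splitlines():
        fields = _fields(raw)
        if len(fields) >= 4 and fields[0] == service:
            facility, control, module = fields[1:4]
            chains.setdefault(facility, []).append((control, module))
    return chains


def lookup_chain(service: str, facility: str, pam_d: Dict[str, str], pam_conf: str) -> List[Entry]:
    """Select the chain for one facility: pam.d/<service>, pam.conf lines for
    <service>, then the same two places for "other". Empty if nothing matches."""
    for name in (service, "other"):
        for chains in (parse_pam_d(pam_d.get(name, "")), parse_pam_conf(pam_conf, name)):
            if chains.get(facility):
                return chains[facility]
    return []


def run_chain(chain: List[Entry], results: Dict[str, bool]) -> bool:
    """Combine module outcomes under the classic control flags.

    required:   a failure is remembered, the rest of the chain still runs
    requisite:  a failure ends the chain at once with a denial
    sufficient: a success ends the chain with success unless a required
                module already failed; a failure is ignored
    optional:   only decides when no other module did
    No chain, or a chain in which nothing succeeded, denies (fail closed).
    """
    if not chain:
        return False
    required_failed = False
    any_success = False
    for control, module in chain:
        if control not in CONTROLS:
            raise ValueError(f"unknown control flag {control!r}")
        ok = results.get(module, False)  # a module with no recorded outcome fails
        if ok:
            any_success = True
            if control == "sufficient" and not required_failed:
                return True
        elif control == "requisite":
            return False
        elif control == "required":
            required_failed = True
    return any_success and not required_failed


def authenticate(service: str, pam_d: Dict[str, str], pam_conf: str, results: Dict[str, bool]) -> bool:
    return run_chain(lookup_chain(service, "auth", pam_d, pam_conf), results)


# Constructed policies: a stand-in "other" policy that wants the local
# password, and Sean's typo'd and corrected pam.conf lines.
PAM_D_STOCK = {"other": "auth required pam_unix.so no_warn try_first_pass\n"}
PAM_CONF_TYPO = "ssh  auth required pam_radius.so -update -/usr/local/etc/radius\n"
PAM_CONF_FIXED = "sshd auth required pam_radius.so -update -/usr/local/etc/radius\n"

if __name__ == "__main__":
    # Constructed outcomes: the RADIUS (AD) password is right, no local password exists.
    outcome = {"pam_radius.so": True, "pam_unix.so": False}
    for label, pam_d, conf in (("typo, no other policy", {}, PAM_CONF_TYPO),
                               ("typo, stock other", PAM_D_STOCK, PAM_CONF_TYPO),
                               ("fixed line", {}, PAM_CONF_FIXED)):
        chain = lookup_chain("sshd", "auth", pam_d, conf)
        print(f"{label:22} chain={chain} -> {'allowed' if run_chain(chain, outcome) else 'denied'}")
```

The point the simulation makes is that the `ssh` line is never selected for the `sshd` service, so whatever sshd was evaluating on Sean's machine came from somewhere else (a pam.d file, "other", or nothing at all); the question of which, and of what that PAM build does with nothing at all, is exactly what to establish on the affected system before calling it a fail-open. Reordering `sufficient` and `required` in the test cases also shows why a RADIUS module placed after a failing `required pam_unix.so` can never log anyone in.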