From owner-freebsd-security@FreeBSD.ORG Mon Feb 1 00:27:57 2010
Return-Path:
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
    by hub.freebsd.org (Postfix) with ESMTP id 12F6B106566B
    for ; Mon, 1 Feb 2010 00:27:57 +0000 (UTC)
    (envelope-from marck@rinet.ru)
Received: from woozle.rinet.ru (woozle.rinet.ru [195.54.192.68])
    by mx1.freebsd.org (Postfix) with ESMTP id 8CEA78FC13
    for ; Mon, 1 Feb 2010 00:27:55 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
    by woozle.rinet.ru (8.14.3/8.14.3) with ESMTP id o110DdtK067508
    for ; Mon, 1 Feb 2010 03:13:39 +0300 (MSK)
    (envelope-from marck@rinet.ru)
Date: Mon, 1 Feb 2010 03:13:39 +0300 (MSK)
From: Dmitry Morozovsky
To: freebsd-security@FreeBSD.org
Message-ID:
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-NCC-RegID: ru.rinet
X-OpenPGP-Key-ID: 6B691B03
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3
    (woozle.rinet.ru [0.0.0.0]); Mon, 01 Feb 2010 03:13:39 +0300 (MSK)
Cc:
Subject: security scripts diff
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Mon, 01 Feb 2010 00:27:57 -0000

Dear colleagues,

looking at regular security mails I found that the following patch would greatly
decrease the amount of false positive reports; it's totally possible I'm missing
some vital areas, but my current look at security scripts did not reveal any.

What do you think? Thank you in advance.

marck@woozle:/lh/src.current/etc/periodic/security> cvs -R diff
Index: security.functions =================================================================== RCS file: /home/ncvs/src/etc/periodic/security/security.functions,v retrieving revision 1.5 diff -u -r1.5 security.functions --- security.functions 22 Aug 2005 09:33:36 -0000 1.5 +++ security.functions 1 Feb 2010 00:09:59 -0000 
@@ -67,7 +67,7 @@ [ $rc -lt 1 ] && rc=1 echo "" echo "${msg}" - diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \ + diff -w ${daily_status_security_diff_flags} ${LOG}/${label}.today \ ${tmpf} | eval "${filter}" mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 mv ${tmpf} ${LOG}/${label}.today || rc=3

--
Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer: marck@FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Mon Feb 1 00:40:04 2010
Date: Sun, 31 Jan 2010 16:40:03 -0800
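Review bot: On the changed diff line, -w is hard-coded in front of ${daily_status_security_diff_flags}, so an administrator who wants a whitespace-exact comparison can no longer get one by setting that variable; putting the flag into the variable's default value instead would keep the behaviour overridable. -w also ignores all white space, so a change that only inserts or deletes white space inside a field drops out of the security report completely; -b (ignore changes in the amount of white space) removes the column-padding noise while still reporting that case.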
From: David Wolfskill
To: Dmitry Morozovsky
Cc: freebsd-security@freebsd.org
Subject: Re: security scripts diff
Message-ID: <20100201004003.GE12157@bunrab.catwhisker.org>

On Mon, Feb 01, 2010 at 03:13:39AM +0300, Dmitry Morozovsky wrote:
> Dear colleagues,
>
> looking at regular security mails I found that the following patch would greatly
> decrease the amount of false positive reports; it's totally possible I'm missing
> some vital areas, but my current look at security scripts did not reveal any.
>
> What do you think? Thank you in advance.
> ...

I think maybe -b ("Ignore changes in the amount of white space.") might
be better than -w ("Ignore all white space."), as the presence or
absence of *some* white space can be a significant difference (e.g., to a
non-FORTRAN IV parser).

Peace,
david
--
David H. Wolfskill                              david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
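The difference between the two flags discussed in the messages above, as an added example that is not part of the original thread: it runs plain diff, diff -b and diff -w over two pairs of yesterday/today snapshots. The file names and contents are constructed for the demonstration and are not output of the periodic scripts.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's periodic scripts.
# All snapshot contents below are constructed sample data.

snapdir=$(mktemp -d) || exit 1
trap 'rm -rf "$snapdir"' EXIT

# Pair "pad": only the column padding changed. This is the kind of
# false positive the patch wants to silence.
printf '%s\n' '-r-sr-xr-x  1 root  wheel  21488 /usr/bin/su' > "$snapdir/pad.yesterday"
printf '%s\n' '-r-sr-xr-x 1 root wheel    21488 /usr/bin/su' > "$snapdir/pad.today"

# Pair "tok": white space disappeared inside a field, so two values
# ("22 80") turned into one different value ("2280").
printf '%s\n' 'allow tcp from any to me 22 80' > "$snapdir/tok.yesterday"
printf '%s\n' 'allow tcp from any to me 2280'  > "$snapdir/tok.today"

# sees_change NAME [DIFF-FLAGS...]
# Returns 0 when diff reports a difference between the two snapshots,
# 1 when it reports none (or fails to run).
sees_change() {
    name=$1
    shift
    rc=0
    diff "$@" "$snapdir/$name.yesterday" "$snapdir/$name.today" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 1 ]
}

# Print one line per (snapshot pair, flag) combination.
for name in pad tok; do
    for flag in "" -b -w; do
        if sees_change "$name" $flag; then
            result="reported"
        else
            result="hidden"
        fi
        printf '%-3s  diff %-2s  -> %s\n' "$name" "$flag" "$result"
    done
done
```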
From owner-freebsd-security@FreeBSD.ORG Mon Feb 1 00:54:20 2010
Date: Mon, 1 Feb 2010 03:53:22 +0300 (MSK)
From: Dmitry Morozovsky
To: David Wolfskill
Cc: freebsd-security@freebsd.org
Subject: Re: security scripts diff
In-Reply-To: <20100201004003.GE12157@bunrab.catwhisker.org>

On Sun, 31 Jan 2010, David Wolfskill wrote:

DW> > looking at regular security mails I found that the following patch would greatly
DW> > decrease the amount of false positive reports; it's totally possible I'm missing
DW> > some vital areas, but my current look at security scripts did not reveal any.
DW> >
DW> > What do you think? Thank you in advance.
DW> > ...
DW>
DW> I think maybe -b ("Ignore changes in the amount of white space.") might
DW> be better than -w ("Ignore all white space."), as the presence or
DW> absence of *some* white space can be a significant difference (e.g., to a
DW> non-FORTRAN IV parser).

Agreed.
--
Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer: marck@FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Mon Feb 1 13:25:51 2010
From: Dag-Erling Smørgrav
To: Dan Lukes
Cc: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore
Date: Mon, 01 Feb 2010 14:25:50 +0100
Message-ID: <86sk9l5bq9.fsf@ds4.des.no>
In-Reply-To: <4B621EC5.3030400@obluda.cz> (Dan Lukes's message of "Fri, 29 Jan 2010 00:33:25 +0100")

Dan Lukes writes:
> Mike Andrews writes:
> > There is probably a login.conf knob to raise the default number of
> > rounds beyond 2^4.
> No. The standard way of password change flows through pam_unix.c.
>
> It calls crypt(new_pass, salt) where salt is pseudo-random sequence. As
> such salt doesn't start with a magic, the default algorithm is
> selected. If it is blowfish, then crypt_blowfish(key, salt) is called.

Mike is mostly right and you are mostly wrong. The default algorithm is
indeed controlled by login.conf and auth.conf, although there is no way
to specify the number of rounds.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Feb 1 13:28:33 2010
From: Dag-Erling Smørgrav
To: Matthew Dillon
Cc: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore
Date: Mon, 01 Feb 2010 14:28:31 +0100
Message-ID: <86ock95bls.fsf@ds4.des.no>
In-Reply-To: <201001282311.o0SNBWp4003678@apollo.backplane.com> (Matthew Dillon's message of "Thu, 28 Jan 2010 15:11:32 -0800 (PST)")

Matthew Dillon writes:
> Just give up and turn off tunneled plaintext passwords over the
> network. No (non-kerberos) telnetd, rlogind, (non anonymous) ftpd, etc.
> Just run sshd and put this in your sshd_config:
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no

This does not do what you think it does. RTFM.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Feb 1 18:25:00 2010
Date: Mon, 1 Feb 2010 10:24:59 -0800 (PST)
From: Matthew Dillon
To: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore
Message-Id: <201002011824.o11IOxjQ045906@apollo.backplane.com>

:
:Matthew Dillon writes:
:> Just give up and turn off tunneled plaintext passwords over the
:> network. No (non-kerberos) telnetd, rlogind, (non anonymous) ftpd, etc.
:> Just run sshd and put this in your sshd_config:
:>
:> # To disable tunneled clear text passwords, change to no here!
:> PasswordAuthentication no
:
:This does not do what you think it does. RTFM.
:
:DES
:--
:Dag-Erling Smørgrav - des@des.no

    Here's a thought, DES. Try acting like the professional you profess
    to be instead of the 5-year-old you clearly are.

    It looks like the defaults in FreeBSD are different, so shoot me.

    Ah, I see, YOU were the one who changed the FreeBSD defaults to be
    less secure. Now I understand. The OpenSSH folks give you a nice
    default-secure setting and an easy way to change it in sshd_config
    and your answer is to actually modify the base code in the contrib
    instead and turn things all around? Shame on you.

    So, FreeBSD users, it looks like you have to play russian roulette
    with your sshd_config options if you want the directives to actually
    work. But hey, I'm sure DES will be happy to flip you off instead of
    tell you which options will work with FreeBSD. So I guess I'll have
    to instead.

    If you don't need PAM's extra features for your sshd access (which is
    most people) then turn PAM off in your sshd_config to work around the
    base code change that DES made. Then the other options will work as
    intended. And, just to be safe, also turn off the challenge-response
    option.

        UsePAM no
        ChallengeResponseAuthentication no
        PasswordAuthentication no

    There, all better.

    PAM has its advantages, but only for a very small percentage of users.
    Its disadvantage is in its complexity and the ease with which a
    mis-configuration can result in a security hole. If there is no need
    for ssh to use it in your configuration then it should be turned off.

                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security@FreeBSD.ORG Mon Feb 1 16:59:10 2010
Date: Mon, 1 Feb 2010 18:42:26 +0200
From: Esa Karkkainen
To: freebsd-security@freebsd.org
Cc: Dmitry Morozovsky
Subject: Re: security scripts diff
Message-ID: <20100201164226.GA4715@pp.htv.fi>
In-Reply-To: <20100201004003.GE12157@bunrab.catwhisker.org>

On Sun, Jan 31, 2010 at 04:40:03PM -0800, David Wolfskill wrote:
> On Mon, Feb 01, 2010 at 03:13:39AM +0300, Dmitry Morozovsky wrote:
> > Dear colleagues,
> >
> > looking at regular security mails I found that the following patch would greatly
> > decrease the amount of false positive reports; it's totally possible I'm missing
> > some vital areas, but my current look at security scripts did not reveal any.
> >
> > What do you think? Thank you in advance.
> > ...
>
> I think maybe -b ("Ignore changes in the amount of white space.") might
> be better than -w ("Ignore all white space."), as the presence or
> absence of *some* white space can be a significant difference (e.g., to a
> non-FORTRAN IV parser).

I've always disliked the feature which lists unchanged files on
security emails (100.chksetuid).

I've created a patch some time ago.

http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/119464

--
"In the beginning the Universe was created. This has made a lot
of people very angry and been widely regarded as a bad move."
        -- Douglas Adams 1952 - 2001

From owner-freebsd-security@FreeBSD.ORG Mon Feb 1 20:29:51 2010
Message-ID: <4B6739C5.9040807@FreeBSD.org>
Date: Mon, 01 Feb 2010 12:29:57 -0800
From: Doug Barton
To: Matthew Dillon
Cc: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore
In-Reply-To: <201002011824.o11IOxjQ045906@apollo.backplane.com>

On 02/01/10 10:24, Matthew Dillon wrote:
> If you don't need PAM's extra features for your sshd access (which is
> most people) then turn PAM off in your sshd_config to work around the
> base code change that DES made. Then the other options will work as
> intended. And, just to be safe, also turn off the challenge-response
> option.
>
> UsePAM no
> ChallengeResponseAuthentication no
> PasswordAuthentication no

I agree that turning PAM off whenever possible is a good thing. It
should also be noted that regardless of what appears in the default
config file those options should be uncommented so that you can be sure
they will be effective across updates.

For the old-school paranoids (like me) the following options are also of
interest "just in case":

RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes

hth,

Doug

--

Improve the effectiveness of your Internet presence with
a domain name makeover!
http://SupersetSolutions.com/

Computers are useless. They can only give you answers.
        -- Pablo Picasso

From owner-freebsd-security@FreeBSD.ORG Tue Feb 2 11:25:32 2010
Message-ID: <4B6807FE.30106@minibofh.org>
Date: Tue, 02 Feb 2010 12:09:50 +0100
From: Jordi Espasa Clofent
To: freebsd-security@freebsd.org
Subject: kern.randompid sysctl value

Hi,

1. What's the real value (in terms of security) of the random PIDs
feature?

According to this book

http://books.google.es/books?id=gqKwaHmXp4YC&pg=PA50&lpg=PA50&dq=random+pids+security&source=bl&ots=jimAeOQK2Q&sig=WrsBiMAxU-lUCM3pdCjtIYfmiIo&hl=es&ei=OwVoS4nwGMeOjAek5ZCvCQ&sa=X&oi=book_result&ct=result&resnum=9&ved=0CCsQ6AEwCA#v=onepage&q=random%20pids%20security&f=false

I understand that the random PIDs will be a good security measure against
some exploits (the book says "race conditions"). OpenBSD folks (focused on
security) have the random PIDs by default, so

why doesn't FreeBSD use it by default?

2. What will be a real secure value for the sysctl parameter? I mean
'kern.randompid' isn't a boolean, but a large number which determines
the numeric range to generate the random PIDs. 1000, 10000, 100000?

Thanks in advance for any clarifications.

PS. I've read this old post
http://marc.info/?l=freebsd-security&m=99495048923300&w=2. Interesting.

--
I must not fear.
Fear is the mind-killer.
Fear is the little-death that brings total obliteration.
I will face my fear.
I will permit it to pass over me and through me.
And when it has gone past I will turn the inner eye to see its path.
Where the fear has gone there will be nothing. Only I will remain.

Bene Gesserit Litany Against Fear.
From owner-freebsd-security@FreeBSD.ORG Tue Feb 2 18:34:16 2010
Message-ID: <4B687019.2040008@delphij.net>
Date: Tue, 02 Feb 2010 10:34:01 -0800
From: Xin LI
Reply-To: d@delphij.net
To: freebsd-security@freebsd.org
Subject: Re: kern.randompid sysctl value
In-Reply-To: <4B6807FE.30106@minibofh.org>

Hi, Jordi,

On 2010/02/02 03:09, Jordi Espasa Clofent wrote:
> Hi,
>
> 1. What's the real value (in terms of security) of the random PIDs
> feature?
>
> According to this book
>
> http://books.google.es/books?id=gqKwaHmXp4YC&pg=PA50&lpg=PA50&dq=random+pids+security&source=bl&ots=jimAeOQK2Q&sig=WrsBiMAxU-lUCM3pdCjtIYfmiIo&hl=es&ei=OwVoS4nwGMeOjAek5ZCvCQ&sa=X&oi=book_result&ct=result&resnum=9&ved=0CCsQ6AEwCA#v=onepage&q=random%20pids%20security&f=false
>
> I understand that the random PIDs will be a good security measure against
> some exploits (the book says "race conditions"). OpenBSD folks (focused on
> security) have the random PIDs by default, so
>
> why doesn't FreeBSD use it by default?

Hmm... My personal impression is that random PID won't help much, and
management scripts may expect the PID won't be recycled too early, say,
on a busy server. If PIDs are allocated sequentially, we can expect a long
time before one given PID will be used; with randomized allocation, we
can never tell since it is expensive to have the kernel tell whether the PID
is being used, say, 1000 processes before.

> 2. What will be a real secure value for the sysctl parameter? I mean
> 'kern.randompid' isn't a boolean, but a large number which determines
> the numeric range to generate the random PIDs. 1000, 10000, 100000?

It's a modulus number. The kernel will adjust it for you if you specify
a too large number, e.g. 100k.

> Thanks in advance for any clarifications.
>
> PS. I've read this old post
> http://marc.info/?l=freebsd-security&m=99495048923300&w=2. Interesting.

I think Peter's reply still applies...

Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die

From owner-freebsd-security@FreeBSD.ORG Wed Feb 3 11:59:47 2010
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Matthew Dillon References: <20100128182413.GI892@noncombatant.org> <9d972bed1001281324r29b4b93bw9ec5bc522d0e2764@mail.gmail.com> <20100128224022.396588dc@gumby.homeunix.com> <201001282311.o0SNBWp4003678@apollo.backplane.com> <86ock95bls.fsf@ds4.des.no> <201002011824.o11IOxjQ045906@apollo.backplane.com> Date: Wed, 03 Feb 2010 12:59:44 +0100 In-Reply-To: <201002011824.o11IOxjQ045906@apollo.backplane.com> (Matthew Dillon's message of "Mon, 1 Feb 2010 10:24:59 -0800 (PST)") Message-ID: <86y6jacyxb.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.95 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: PHK's MD5 might not be slow enough anymore X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Feb 2010 11:59:47 -0000 Matthew Dillon writes: > "Dag-Erling Sm=C3=B8rgrav" writes: > > Matthew Dillon writes: > > > Just run sshd and put this in your sshd_config: > > > > > > # To disable tunneled clear text passwords, change to no here! > > > PasswordAuthentication no > > This does not do what you think it does. RTFM. > It looks like the defaults in FreeBSD are different, so shoot me. Nope. > Ah, I see, YOU were the one who changed the FreeBSD defaults to be > less secure. Nope. "PasswordAuthentication no" *is* the default. It does not disable password authentication. It disables the SSH "password" authentication method. Password authentication is still possible via PAM. > Now I understand. No, you don't, you're just making it up as you go along. > So, FreeBSD users, it looks like you have to play russian roulette > with your sshd_config options if you want the directives to actually > work. 

No Russian roulette, no sshd_config tweaking. All you need is a one-line
change to /etc/pam.d/sshd. See pam.conf(5) and pam_unix(8) for further
details.

> But hey, I'm sure DES will be happy to flip you off instead of tell
> you which options will work with FreeBSD.

I don't flip off users with valid concerns. You don't fall into that
category.

> So I guess I'll have to instead.

I'm sure users will be eternally grateful to you for giving them
incorrect information which weakens the security of their systems.

> If you don't need PAM's extra features for your sshd access (which is
> most people)

Wrong; most people *do* need PAM.

> then turn PAM off in your sshd_config to work around the base code
> change that DES made.

UsePAM is on by default in OpenSSH-portable. Yes, I wrote the original
PAM support code for OpenSSH; so shoot me. It was necessary.

> Then the other options will work as
> intended. And, just to be safe, also turn off the challenge-response
> option.
>
> UsePAM no
> ChallengeResponseAuthentication no
> PasswordAuthentication no
>
> There, all better.

Yeah, now you turned off *all* authentication methods except keys, and
by turning off PAM, you also turned off session management, accounting,
utmpx logging, lockout of expired accounts, etc.

If you're serious about strong authentication, use time-synchronized OTP
tokens. Oh wait, you can't, because you need PAM and ChallengeResponse
to mediate between the user and the backend, which usually acts like a
Radius server. Too bad.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Feb 3 18:14:40 2010
Date: Wed, 3 Feb 2010 10:14:34 -0800 (PST)
From: Matthew Dillon
Message-Id: <201002031814.o13IEYqk081411@apollo.backplane.com>
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore

:If you're serious about strong authentication, use time-synchronized OTP
:tokens. Oh wait, you can't, because you need PAM and ChallengeResponse
:to mediate between the user and the backend, which usually acts like a
:Radius server. Too bad.
:
:DES
:--
:Dag-Erling Smørgrav - des@des.no

The default PAM setting in OpenSSH is 0. Line 138 servconf.c in
openssh-5.3p1 (that's the portable version). The default comment in
sshd_config in openssh-5.3.p1 from ftp.openssh.com and is conducive to
the state of the code, which is the reverse of what FreeBSD has done.

I didn't bother to go check earlier releases to see if it was different
in the past, but that seems to be the current state.

Frankly I'm a bit surprised that you are even trying to defend the
FreeBSD changes. They are clearly less secure. All you had to do was
adjust the default sshd_config. PAM is black-magic for most users,
the last thing you want to do is suggest that the general user base make
changes to PAM configuration files versus the far more user friendly
sshd_config.

The vast majority of BSD users don't need PAM's capabilities when it
comes to ssh. Having it disabled by default is more appropriate.
For that matter, your suggestion that all users use some esoteric feature
and mess with PAM configuration files as a solution instead of changing
the far more user-friendly sshd_config is just bad advice to users. It
seems to me that you are setting defaults for the convenience of a
minority of people when they should be set for the convenience of the
majority.

And if you are really going to insist on changing the option around
the least you could have done was uncomment the related options and
set them to a definitive 'no' value (that would be ChallengeResponse
at the very least) when you made the other changes.

The whole point of my original posting was to provide an alternative
to users concerned with password attacks on ssh and you basically turned
it into a personal attack. You need to grow up.

--

In any case, I think Mr Barton's posting was excellent. We already
ship with PasswordAuthentication set to 'no' and, of course, PAM is
disabled by default, but I am going to make further adjustments to
our sshd_config based on Doug's suggestions plus I will also
uncomment ChallengeResponseAuthentication and set that to 'no' too
as a further safety measure.

The plain fact of the matter is that allowing short user passwords
over-the-wire for a shell login, whether in the clear or tunneled,
can no longer be considered a reasonable default in this day and age.

-Matt
Matthew Dillon

From owner-freebsd-security@FreeBSD.ORG Wed Feb 3 22:27:58 2010
From: Dag-Erling Smørgrav
To: Matthew Dillon
Date: Wed, 03 Feb 2010 23:27:57 +0100
In-Reply-To: <201002031814.o13IEYqk081411@apollo.backplane.com> (Matthew Dillon's message of "Wed, 3 Feb 2010 10:14:34 -0800 (PST)")
Message-ID: <86ljfac5ua.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore

Matthew Dillon writes:
> The vast majority of BSD users don't need PAM's capabilities when it
> comes to ssh.

You clearly don't understand what PAM does.

> And if you are really going to insist on changing the option around
> the least you could have done was uncomment the related options and
> set them to a definitive 'no' value (that would be ChallengeResponse
> at the very least) when you made the other changes.

You clearly don't understand what the ChallengeResponse option does.

> In any case, I think Mr Barton's posting was excellent.
> We already ship with PasswordAuthentication set to 'no' and, of
> course, PAM is disabled by default, but I am going to make further
> adjustments to our sshd_config based on Doug's suggestions plus I will
> also uncomment ChallengeResponseAuthentication and set that to 'no'
> too as a further safety measure.

...leaving your users with no other option than keys. No OPIE, no
Radius, no nothing - just keys. You do realize that users have the
option to store their keys unencrypted, and there is nothing you can do
on the server side to prevent them? That's even *less* secure than
passwords.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Feb 4 02:19:47 2010
Date: Wed, 3 Feb 2010 18:20:10 -0800
From: Chris Palmer
To: freebsd-security@freebsd.org
Message-ID: <20100204022010.GL26286@noncombatant.org>
In-Reply-To: <86ljfac5ua.fsf@ds4.des.no>
Subject: Re: PHK's MD5 might not be slow enough anymore

Dag-Erling Smørgrav writes:

> option to store their keys unencrypted, and there is nothing you can do on
> the server side to prevent them? That's even *less* secure than
> passwords.

Less secure in certain, but not all, attack scenarios. An attacker with code
running on the client (i.e. any code author at all with code on the client
running as the user who wants to use the SSH client... sigh) can log right
in -- but that class of attacker could also keylog the SSH key passphrase,
too. (The problem is worse if you consider local privilege escalation
vulnerabilities, and if the prevalence of those vulnerabilities leads you
to believe that the fundamental guarantee of a multi-user system cannot hold
in practice.)

The true value of a passphrase is to stymie attackers who steal the key
(perhaps by stealing the laptop) but who don't have their own code running
on the client at the time the legitimate owner is using the machine.
Full disk encryption is a better, more general approach to that class of
threat anyway.

On the other hand, an attacker trying an online brute-force password guess
against the server still has no hope, without the unprotected key, even if
the key is not protected by a passphrase.

I don't disagree with any argument that more auth factors is better, of
course. But passphrase-less SSH keys are not necessarily the worst thing in
the world.

From owner-freebsd-security@FreeBSD.ORG Thu Feb 4 19:00:25 2010
Message-ID: <4B6B1948.4040408@freebsd.org>
Date: Thu, 04 Feb 2010 11:00:24 -0800
From: FreeBSD Security Officer
Organization: FreeBSD Project
To: freebsd security, FreeBSD Stable
Reply-To: security-officer@freebsd.org
Subject: FreeBSD supported branches update

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been updated to
reflect the EoL (end-of-life) of FreeBSD 6.3. The new list is below and
at . Users of FreeBSD 6.3 are advised to upgrade promptly to a newer
release, either by downloading an updated source tree and building updates
manually, or (for i386 and amd64 systems) using the FreeBSD Update utility
as described in the relevant release announcement.

[Excerpt from http://security.freebsd.org/ follows]

FreeBSD Security Advisories

The FreeBSD Security Officer provides security advisories for several
branches of FreeBSD development. These are the -STABLE Branches and the
Security Branches. (Advisories are not issued for the -CURRENT Branch.)

  * The -STABLE branch tags have names like RELENG_7. The corresponding
    builds have names like FreeBSD 7.0-STABLE.

  * Each FreeBSD Release has an associated Security Branch. The Security
    Branch tags have names like RELENG_7_0. The corresponding builds have
    names like FreeBSD 7.0-RELEASE-p1.

Issues affecting the FreeBSD Ports Collection are covered in the FreeBSD
VuXML document.

Each branch is supported by the Security Officer for a limited time only,
and is designated as one of `Early adopter', `Normal', or `Extended'.
The designation is used as a guideline for determining the lifetime of the
branch as follows.

Early adopter
    Releases which are published from the -CURRENT branch will be
    supported by the Security Officer for a minimum of 6 months after the
    release.

Normal
    Releases which are published from a -STABLE branch will be supported
    by the Security Officer for a minimum of 12 months after the release,
    and for sufficient additional time (if needed) to ensure that there is
    a newer release for at least 3 months before the older Normal release
    expires.

Extended
    Selected releases (normally every second release plus the last release
    from each -STABLE branch) will be supported by the Security Officer
    for a minimum of 24 months after the release, and for sufficient
    additional time (if needed) to ensure that there is a newer Extended
    release for at least 3 months before the older Extended release
    expires.

The current designation and estimated lifetimes of the currently supported
branches are given below. The Estimated EoL (end-of-life) column gives the
earliest date on which that branch is likely to be dropped. Please note
that these dates may be extended into the future, but only extenuating
circumstances would lead to a branch's support being dropped earlier than
the date listed.

+--------------------------------------------------------------------+
|  Branch   |  Release  |  Type  |  Release date   |  Estimated EoL  |
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_6   |n/a        |n/a     |n/a              |November 30, 2010|
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_6_4 |6.4-RELEASE|Extended|November 28, 2008|November 30, 2010|
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_7   |n/a        |n/a     |n/a              |last release + 2y|
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_7_1 |7.1-RELEASE|Extended|January 4, 2009  |January 31, 2011 |
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_7_2 |7.2-RELEASE|Normal  |May 4, 2009      |May 31, 2010     |
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_8   |n/a        |n/a     |n/a              |last release + 2y|
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_8_0 |8.0-RELEASE|Extended|November 25, 2009|November 30, 2010|
+--------------------------------------------------------------------+

[End excerpt]

The upcoming FreeBSD 7.3-RELEASE will receive Extended support, i.e., it
will be supported until early 2012.

--
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
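
Added example, not part of any message in this archive and not FreeBSD or OpenSSH code: a small Python check of the point argued in the "PHK's MD5 might not be slow enough anymore" thread above, that "PasswordAuthentication no" on its own can leave a password path open through PAM keyboard-interactive. The two default profiles and the two-rule model of sshd are assumptions drawn from the posts; the check does not read /etc/pam.d/sshd.

```python
# Added example. Models only the sshd_config interaction argued over in the
# thread; it does not inspect PAM configuration or run sshd.

# Assumed default profiles, taken from the posts rather than a source tree:
# PAM_ON follows the FreeBSD behaviour DES describes (PasswordAuthentication
# no, PAM on); PAM_OFF follows the build Dillon describes (UsePAM 0) with the
# stock OpenSSH defaults for the other two keywords.
PAM_ON_DEFAULTS = {"passwordauthentication": "no", "usepam": "yes",
                   "challengeresponseauthentication": "yes"}
PAM_OFF_DEFAULTS = {"passwordauthentication": "yes", "usepam": "no",
                    "challengeresponseauthentication": "yes"}


def effective(config_text, defaults):
    """Effective value of each tracked keyword in an sshd_config text.

    Keywords are case-insensitive, lines starting with '#' are comments,
    and the first value seen for a keyword wins. Parsing stops at the first
    Match block, because settings inside it are conditional.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        key = fields[0].lower()
        if key == "match":
            break
        if key in defaults and key not in seen and len(fields) > 1:
            seen[key] = fields[1]
    merged = dict(defaults)
    merged.update(seen)
    return merged


def audit(config_text, defaults):
    """Report which login paths still accept a password, and whether PAM
    account and session handling stays active."""
    cfg = effective(config_text, defaults)
    paths = []
    if cfg["passwordauthentication"] == "yes":
        paths.append("password")
    if (cfg["usepam"] == "yes"
            and cfg["challengeresponseauthentication"] == "yes"):
        paths.append("keyboard-interactive via PAM")
    return {"password_paths": paths,
            "pam_account_and_session": cfg["usepam"] == "yes"}


# Constructed inputs: the two snippets quoted in the thread.
DILLON_FIRST = """\
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
"""
DILLON_SECOND = """\
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("first", DILLON_FIRST), ("second", DILLON_SECOND)):
        print(name, "PAM on :", audit(text, PAM_ON_DEFAULTS))
        print(name, "PAM off:", audit(text, PAM_OFF_DEFAULTS))
```

Under the PAM-on profile the first snippet still reports a password path, while the second reports none but also shows PAM account and session handling switched off, which is the trade-off both posters describe.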