From owner-freebsd-security Sun May 31 15:04:47 1998
Date: Mon, 01 Jun 1998 08:02:18 +1000 (EST)
From: Peter Jeremy
Subject: Re: MD5 v. DES?
To: freebsd-security@FreeBSD.ORG
Message-id: <199805312202.IAA01058@gsms01.alcatel.com.au>

On Sat, 30 May 1998 11:33:49 +1000 (EST), "Daniel O'Callaghan" wrote:
> The reason
>that hashing is exportable is that it is only useful for identification
>and integrity, not privacy.

That is the official line, but it was obviously written by someone who
hadn't studied much cryptography. Cipher feedback and output feedback
block ciphers use identical functions for both encryption and decryption.
This function can just as easily be a one-way hash of the key and text
as a traditional encryption of text using key.

Peter
--
Peter Jeremy (VK2PJ)            peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                  Phone: +61 2 9690 5019
ALEXANDRIA NSW 2015             Fax:   +61 2 9690 5247

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From owner-freebsd-security Sun May 31 23:56:12 1998
Date: Sun, 31 May 1998 23:56:23 -0700 (PDT)
From: Steve Reid
To: freebsd-security@FreeBSD.ORG
Subject: /usr/sbin/named

Is /usr/sbin/named as distributed with FreeBSD 2.2.6-RELEASE vulnerable
to known exploits?

Strings shows the version as 4.9.6-REL and a recent Bugtraq post listed
this version as exploitable. However, although the _version_ is the same
between my 2.2.6-RELEASE and 2.2.5-RELEASE machines, the _dates_ are
different. Is /usr/sbin/named in 2.2.6-RELEASE fixed?

Also... Is there any reason for this daemon to run as root, other than
binding to port 53? Would it be possible and reasonable to patch it to
give up root after binding to the port?

From owner-freebsd-security Mon Jun 1 05:32:18 1998
Date: Mon, 1 Jun 1998 08:31:59 -0400 (EDT)
From: Mike
To: Steve Reid
cc: freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named

On Sun, 31 May 1998, Steve Reid wrote:

> Strings shows the version as 4.9.6-REL and a recent Bugtraq post listed
> this version as exploitable. However, although the _version_ is the same

The versions the Bugtraq post lists as vulnerable are vulnerable if you
are using the named.boot/conf options mentioned. If you're not using these
options, you are not vulnerable. My 2.2.6-REL box was running a
"vulnerable version", but was not "vulnerable" since I didn't accept fake
queries, etc. I've since upgraded to 8.1.2-T3B.

You could re-compile with certain compile-time options unset (as mentioned
in the post), upgrade to 4.9.7 or 8.1.2, or not worry about this at all if
you are not using the named.boot/conf settings that allow your system to
be vulnerable.

later,
Mike

From owner-freebsd-security Mon Jun 1 07:07:10 1998
Message-ID: <3572B4E3.704@sanet.ge>
Date: Mon, 01 Jun 1998 18:04:19 +0400
From: Alexander Kandelaki
Reply-To: kai@sanet.ge
Organization: Sa*Net Network
To: freebsd-security@FreeBSD.ORG
Subject: Possible Atack !!!

Hello!

I have a strange situation on my system, FreeBSD-2.2.5.
I run the command netstat and get:

I think these are very strange parameters. Why does it happen?

Sincerely yours,
Alexander Kandelaki

====================================================================
Alexander I. Kandelaki        Sa*Net Network, System Administrator
37 Rustaveli ave., Tbilisi,380008, Georgia
Phones : +995 32 987414, 922949     WWW   : http://www.sanet.ge
                 987470, 922989     E-Mail: kai@sanet.ge
Fax:   : +995 32 001367             ICQ   : 2851311

tcp        0           0  access.smtp             tdv4.star.net.uk.18516  TIME_WAIT
tcp        0           0  access.pop3             ppp36-tc1.1026          TIME_WAIT
tcp        0           0  access.3120             208.239.36.131.smtp     TIME_WAIT
tcp        0           0  access.3118             209.117.182.2.smtp      TIME_WAIT
tcp       70  -265816412  0.239.8.241.glogger     144.70.8.241.6215       CLOSED
tcp     1078  -265861860  128.248.7.241.glogger   16.203.254.240.4328     -26584912 8
tcp      259  -266060032  128.45.8.241.glogger    16.129.7.241.37032      CLOSED
tcp      405  -266141856  128.222.241.240.glogge  144.96.8.241.6215       -26586946 0
tcp        4  -266140584  access.pop3             144.122.7.241.1027      -26585880 0
tcp       25  -265882920  access.3131             16.95.231.240.25        -26577409 2
tcp     4289  -266149744  access.3134             16.89.254.240.25        CLOSED
tcp        0  -266058732  access.pop3             16.91.255.240.2050      CLOSED*
tcp       29  -266199928  access.3050             16.224.7.241.25         CLOSED
udp        0           0  localhost.domain        *.*
udp        0           0  access.domain           *.*
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
f0ede000 dgram       0      0        0 f0a04c14        0 f0a04794
f0ede700 dgram       0      0        0 f0a04c14        0 f0a04814
f108d300 dgram       0      0        0 f0a04c14        0 f0a04594
f0ea2b00 dgram       0      0        0 f0a04c14        0 f0a04a
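
Added example (not part of any list message, and not code from the posters): Peter Jeremy's point in the "MD5 v. DES?" reply above, that output feedback and cipher feedback only ever run the block function forwards, so a keyed one-way hash can take its place. HMAC-SHA256, the function names and the sample key, IV and messages are assumptions chosen for this sketch.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().digest_size  # 32-byte keystream blocks


def keyed_hash(key: bytes, text: bytes) -> bytes:
    """The 'one-way hash of the key and text' (HMAC-SHA256 is an assumption)."""
    return hmac.new(key, text, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Output feedback: O_i = H(key, O_{i-1}), out_i = in_i XOR O_i.

    The same call encrypts and decrypts; the hash is never inverted.
    """
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        feedback = keyed_hash(key, feedback)
        out += xor(data[i:i + BLOCK], feedback)
    return bytes(out)


def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Cipher feedback: pad_i = H(key, C_{i-1}), C_i = P_i XOR pad_i.

    Both directions run the hash forwards; the ciphertext block is
    always the value fed back, whichever side of the XOR it sits on.
    """
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        result = xor(block, keyed_hash(key, feedback))
        out += result
        feedback = block if decrypt else result
    return bytes(out)


# Constructed sample values, for illustration only.
KEY = b"constructed demo key"
IV = bytes(range(BLOCK))
MESSAGE = b"Hashing gives privacy too once it is run in a feedback mode. " * 2


def demo() -> dict:
    """Run both modes over the sample message and report what holds."""
    ct_ofb = ofb(KEY, IV, MESSAGE)
    ct_cfb = cfb(KEY, IV, MESSAGE)
    other = b"A second message sent under the same key and IV by mistake."
    return {
        "ofb_roundtrip": ofb(KEY, IV, ct_ofb) == MESSAGE,
        "cfb_roundtrip": cfb(KEY, IV, ct_cfb, decrypt=True) == MESSAGE,
        "wrong_key_fails": ofb(b"another key", IV, ct_ofb) != MESSAGE,
        # Reusing (key, IV) in OFB repeats the keystream, so the XOR of
        # two ciphertexts equals the XOR of the two plaintexts.
        "iv_reuse_leaks": xor(ct_ofb, ofb(KEY, IV, other)) == xor(MESSAGE, other),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last check is the practical caveat for anyone building on this: a (key, IV) pair must never be reused, and neither mode provides integrity on its own.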
From owner-freebsd-security Mon Jun 1 07:32:18 1998
Message-ID: <19980601115112.A10806@keltia.freenix.fr>
Date: Mon, 1 Jun 1998 11:51:12 +0200
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named

According to Steve Reid:
> Also... Is there any reason for this daemon to run as root, other than
> binding to port 53? Would it be possible and reasonable to patch it to
> give up root after binding to the port?

Zone transfers are done by connecting tcp(53) to tcp(53). Name resolution
between servers is using 53 too so you'll need to bind several times on
that port.

After loading the zone, you'll also need to write it on disk...
--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #60: Fri May 15 21:04:22 CEST 1998

From owner-freebsd-security Mon Jun 1 07:59:15 1998
Date: Mon, 1 Jun 1998 09:58:26 -0400 (EDT)
From: "Craig H. Rowland"
To: Ollivier Robert
cc: freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named
In-Reply-To: <19980601115112.A10806@keltia.freenix.fr>

Version 8.x has several new options that allow securing BIND more
reasonably:

-t - chroot() directory
-u - UID to run under after bind()
-g - GID to run under after bind()

I have a web page up that describes how to run BIND 8.x under a chroot()
environment under OpenBSD 2.x. A lot of the information should apply to
FreeBSD as well. Here is the URL:

http://www.psionic.com/papers/dns.html

Adam Shostack has a similar paper (mine is based off of his original
article). It deals with BIND on Solaris:

http://www.homeport.org/~adam/dns.html

-- Craig

On Mon, 1 Jun 1998, Ollivier Robert wrote:

> According to Steve Reid:
> > Also... Is there any reason for this daemon to run as root, other than
> > binding to port 53? Would it be possible and reasonable to patch it to
> > give up root after binding to the port?
>
> Zone transfers are done by connecting tcp(53) to tcp(53). Name resolution
> between servers is using 53 too so you'll need to bind several times on
> that port.
>
> After loading the zone, you'll also need to write it on disk...
> --
> Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 3.0-CURRENT #60: Fri May 15 21:04:22 CEST 1998

From owner-freebsd-security Mon Jun 1 08:12:50 1998
Message-Id: <199806011512.IAA29510@passer.osg.gov.bc.ca>
To: Steve Reid
cc: freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named
In-reply-to: Your message of "Sun, 31 May 1998 23:56:23 PDT."
Date: Mon, 01 Jun 1998 08:11:44 -0700
From: Cy Schubert - ITSD Open Systems Group

Named under FreeBSD is not compiled with inverse query. Out-of-the-box
FreeBSD should be impervious to this attack.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Government of BC

> Is /usr/sbin/named as distributed with FreeBSD 2.2.6-RELEASE vulnerable
> to known exploits?
>
> Strings shows the version as 4.9.6-REL and a recent Bugtraq post listed
> this version as exploitable. However, although the _version_ is the same
> between my 2.2.6-RELEASE and 2.2.5-RELEASE machines, the _dates_ are
> different. Is /usr/sbin/named in 2.2.6-RELEASE fixed?
>
> Also... Is there any reason for this daemon to run as root, other than
> binding to port 53? Would it be possible and reasonable to patch it to
> give up root after binding to the port?

From owner-freebsd-security Mon Jun 1 12:50:52 1998
Date: Mon, 1 Jun 1998 15:47:38 -0400 (EDT)
From: Robert Watson
To: Poul-Henning Kamp
cc: Eivind Eklund, "J.A. Terranson", "freebsd-security@FreeBSD.ORG"
Subject: Re: MD5 v. DES?
In-Reply-To: <20473.896555907@critter.freebsd.dk>

On Sat, 30 May 1998, Poul-Henning Kamp wrote:

> I have been considering if we shouldn't introduce a
>
>         int checkuserpassword(char *user, char *password);
>
> in some library, rather than having all these programs know that
> you should strcmp after calling crypt(). This would allow us to
> do what you propose or RADIUS authentication for that matter...

I personally dislike this idea -- where does this leave one-time-password
users, etc? Authentication really occurs through negotiation, and may
involve challenges, as well as arbitrary chunks of data, etc (for
pk-authentication). I'd like to see a nice API and text-based protocol
(maybe SASL fits the bill?) to all authentication between an
authentication API bottom and an end-agent, possibly a user. This way an
arrangement such as:

user <-KEYBOARD-> Netscape <-IMAP-> Mail Server <-API-> Authentication Module

could occur. But it would not suffer from PAM's opaqueness, so Netscape
(if it understood the auth type) could cache, etc. If done correctly, you
would be able to have larger number of hops along the way:

user <-KEYBOARD-> Netscape <-IMAP-> Firewall <-IMAP-> Firewall <-IMAP->
Mail Server <-API-> Authentication Library <-MYSPIFFYPROTOCOL-> Auth Server

Or something. It would have to fit into a general architecture for
authentication services between a number of types of clients, servers,
whatever. Also, one would avoid opaque strings (such as used by PAM) to
allow more easy automated authentication (i.e., server-server
authentication on a daily event).

  Robert N Watson

----
Carnegie Mellon University            http://www.cmu.edu/
Trusted Information Systems           http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Mon Jun 1 13:00:28 1998
To: Robert Watson
cc: Eivind Eklund, "J.A. Terranson", "freebsd-security@FreeBSD.ORG"
Subject: Re: MD5 v. DES?
In-reply-to: Your message of "Mon, 01 Jun 1998 15:47:38 EDT."
Date: Mon, 01 Jun 1998 21:57:29 +0200
Message-ID: <5630.896731049@critter.freebsd.dk>
From: Poul-Henning Kamp

In message , Robert Watson writes:

>> I have been considering if we shouldn't introduce a
>>
>>         int checkuserpassword(char *user, char *password);
>>
>> in some library, rather than having all these programs know that
>> you should strcmp after calling crypt(). This would allow us to
>> do what you propose or RADIUS authentication for that matter...
>
>I personally dislike this idea -- where does this leave one-time-password
>users, etc?

Perfectly safe as always. All it does is to make sure that you don't have
to modify, ftpd, telnetd, login, popper, and uhm... what is the last one,
I keep forgetting, Hmm.....

Basically what I'm saying is that if all the places which have to
authenticate a user, had a call where they could say:

        "Is password acceptable for user in context "

Then you can implement this function whichever way you want, rather than
have to modify twenty-odd programs which all do the

        pw = getpwnam(...);
        getpassword(buffer);
        if (strcmp(pw->pw_passwd, crypt(buffer, pw->pw_passwd))) {
                sorry...
        }

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

From owner-freebsd-security Mon Jun 1 13:25:47 1998
Message-ID: <19980601221622.06118@lanck.ru>
Date: Mon, 1 Jun 1998 22:16:22 +0400
From: Vladimir Uralsky
To: freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named

On Sun, May 31, 1998 at 11:56:23PM -0700, Steve Reid wrote:
> Is /usr/sbin/named as distributed with FreeBSD 2.2.6-RELEASE vulnerable
> to known exploits?
>
> Strings shows the version as 4.9.6-REL and a recent Bugtraq post listed
> this version as exploitable. However, although the _version_ is the same
> between my 2.2.6-RELEASE and 2.2.5-RELEASE machines, the _dates_ are
> different. Is /usr/sbin/named in 2.2.6-RELEASE fixed?

Today's stable contains a 4.9.7 but without the compat directory. I had
only a little time to look at it and don't understand whether it is a bug
in the source directory tree or in my arms ;-)

--
Vova.

From owner-freebsd-security Mon Jun 1 14:03:51 1998
Message-ID: <19980601230226.36699@deepo.prosa.dk>
Date: Mon, 1 Jun 1998 23:02:26 +0200
From: Philippe Regnauld
To: "Craig H. Rowland"
Cc: Ollivier Robert, freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named
References: <19980601115112.A10806@keltia.freenix.fr>

Craig H. Rowland writes:
>
> I have a web page up that describes how to run BIND 8.x under a chroot()
> environment under OpenBSD 2.x. A lot of the information should apply to
> FreeBSD as well. Here is the URL:
>
> http://www.psionic.com/papers/dns.html

Didn't OpenBSD go a bit further and allow certain non-root programs
to bind <1024 for this reason ?

--
 -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
«Pluto placed his bad dog at the entrance of Hades to keep the dead
 IN and the living OUT! The archetypical corporate firewall?»
                                                      - S. Kelly Bootle

From owner-freebsd-security Mon Jun 1 15:09:09 1998
Date: Mon, 1 Jun 1998 17:08:37 -0400 (EDT)
From: "Craig H. Rowland"
To: Philippe Regnauld
cc: Ollivier Robert, freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named
In-Reply-To: <19980601230226.36699@deepo.prosa.dk>

I was originally under this impression as well and have seen patches for
Linux that do this. Does anyone know what procedures are required to do
this if it is built in? I also remember reading about this feature with
FreeBSD as well but can't recall where.

If anyone has this information I'd love to hear about it so I can update
my document.

Thanks for any pointers..

-- Craig

On Mon, 1 Jun 1998, Philippe Regnauld wrote:

> Craig H. Rowland writes:
> >
> > I have a web page up that describes how to run BIND 8.x under a chroot()
> > environment under OpenBSD 2.x. A lot of the information should apply to
> > FreeBSD as well. Here is the URL:
> >
> > http://www.psionic.com/papers/dns.html
>
> Didn't OpenBSD go a bit further and allow certain non-root programs
> to bind <1024 for this reason ?
>
> --
>  -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
> «Pluto placed his bad dog at the entrance of Hades to keep the dead
>  IN and the living OUT! The archetypical corporate firewall?»
>                                                       - S. Kelly Bootle

From owner-freebsd-security Mon Jun 1 15:45:31 1998
Message-ID: <01BD8D84.F10618B0@w3svcs.mfn.org>
From: "J.A. Terranson"
To: "'FreeBSD Security'", "'Joe Hagen'", "'Secure-NT'", "'NT Security Listserv'", "'SpaceBar'", "'SpaceBar #2'"
To: "'Tristy Granger'"
Cc: "'rmras@primary.gtu.com'"
Subject: (Admittedly Premature) Exploit (?) Warning.
Date: Mon, 1 Jun 1998 17:44:33 -0500

While I realize that this issue may not yet be "ripe", as the folks
involved (myself and at least three other sites) have not yet firmly
established just *exactly* what is going on here, but...

There appears to be some kind of exploit making the rounds that utilizes
TCP packets from port "0" (yes, that's *zero*) to the IMAP port, 143.
These packet traces are right now available only as historical log entries
that are *loosely* associated with 2 successful "root" attacks against
IMAP enabled servers, an unsuccessful attack against another (ours), and
the possible compromise of another.

In short, I don't know a lot, other than in the course of reviewing my
daily logs, I saw a couple of freaky packets (above) addressed to my
nameservers (both of them). They were rejected and logged at the routers,
however, as a common courtesy, we notified the admin of the "sending"
machine that they had a sick box. As it developed, this person had
received other emails regarding this from other admins, 2 of which had
suffered the successful attacks mentioned above - all of us seeing the
originating machine as the same box. It is unknown if the source address
was spoofed.

Basically, I think this is just a "common-cause" warning to look out for
weird packets of this nature, and to take notice if you see any. Rather
than keep a running blow-by-blow going on the various lists, please
address anything regarding this to me directly...

Thanks

J.A. Terranson
sysadmin@mfn.org

From owner-freebsd-security Mon Jun 1 16:49:22 1998
Date: Mon, 1 Jun 1998 19:46:35 -0400 (EDT)
From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Poul-Henning Kamp cc: Eivind Eklund , "J.A. Terranson" , "freebsd-security@FreeBSD.ORG" Subject: Re: MD5 v. DES? In-Reply-To: <5630.896731049@critter.freebsd.dk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, 1 Jun 1998, Poul-Henning Kamp wrote:

> >I personally dislike this idea -- where does this leave one-time-password
> >users, etc?
>
> Perfectly safe as always. All it does is to make sure that you don't have
> to modify, ftpd, telnetd, login, popper, and uhm... what is the last one,
> I keep forgetting, Hmm.....

This works fine for all authentication systems where username + something allows authentication. But I'd like to have a more extensible system that provides a context for challenge/response, if we are going to break from the pack of do-it-yourself-crypt-foo. I have problems with the implementation of linux-style PAM, but the general concept of having multiple authentication support with a series of challenges/responses does make sense. triple of (username,password,context) breaks down as soon as you need the s/key challenge from the auth module.

It would also be nice to have the policy for authentication in a separate independent location (as you hint with the context field). It would be cool to be able to have the following policies:

Accept kerberosIV, local passwords, one-time-passwords when using ssh or kerberized rlogin.

Accept one-time-passwords only when using telnet, ftp (and other unencrypted daemons).

The "context" would probably be something a little more sophisticated -- perhaps a two part field, the first with the daemon name, and the second with a classifying field, such as telnetd/kerberized, or httpd/ssl or something. To allow a more flexible policy in the policy subsystem without it having to have more access to the daemon than necessary.

For the sake of the library/etc, it might be nice to have the uid of the authenticating process be part of the context. In a nice modular environment, it might be desirable to have an "authentication daemon" that listens on a unix domain socket (or such). Daemons like CMU's imapd already make use of this so that the daemon itself can run non-root yet still take advantage of username/password authentication. The daemon might take into account the identity of the requestor, refusing to provide information about username/password authentication to normal user processes, but allowing it for the www user (or something like that).

One should also be careful to not restrict oneself to nul-terminated strings -- allowing a kerberos authenticator in might be useful, and it can contain nuls.

> Basically what I'm saying is that if all the places which have to
> authenticate a user, had a call where they could say:
>
> "Is password acceptable for user in context "
>
> Then you can implement this function whichever way you want, rather than
> have to modify twenty-odd programs which all do the
>
>     pw = getpwnam(...);
>     getpassword(buffer);
>     if (strcmp(pw->pw_passwd, crypt(buffer, pw->pw_passwd))) {
>         sorry...
>     }

But I'm saying that when I add one-time-password support with challenge/response, I'm going to have to go modify all of those daemons again to do the challenge. This is a much harder problem that some people address (possibly badly) through PAM, and for which a better solution should be found.

It might also be useful if the authentication system could pass back "tickets" or "tokens" that might be useful to the daemon, if the daemon chose to accept them (that is, it knew what to do with them). For samba, this would be useful in environments using Coda or AFS. For login, this would allow the acquisition of kerberos tickets, etc -- the authentication manager would return these as optional data to the authenticating process where it deemed appropriate.

My feeling is that we might as well leave things as they are until a rigorous authentication management system is defined, and then use that. Of course, if you write the code you describe, I'll use it, but... :-) Robert N Watson ---- Carnegie Mellon University http://www.cmu.edu/ Trusted Information Systems http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jun 1 16:52:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA13631 for freebsd-security-outgoing; Mon, 1 Jun 1998 16:52:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA13561 for ; Mon, 1 Jun 1998 16:51:59 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id XAA13404; Mon, 1 Jun 1998 23:51:50 GMT Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id BAA06227; Tue, 2 Jun 1998 01:51:32 +0200 (MET DST) Message-ID: <19980602015132.55099@follo.net> Date: Tue, 2 Jun 1998 01:51:32 +0200 
From: Eivind Eklund To: Robert Watson , Poul-Henning Kamp Cc: "J.A. Terranson" , "freebsd-security@FreeBSD.ORG" Subject: Re: MD5 v. DES? References: <5630.896731049@critter.freebsd.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89.1i In-Reply-To: ; from Robert Watson on Mon, Jun 01, 1998 at 07:46:35PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Jun 01, 1998 at 07:46:35PM -0400, Robert Watson wrote: > Accept kerberosIV, local passwords, one-time-passwords when using ssh or > kerberized rlogin. The SSH-1 protocol doesn't make it possible to use s/key for one-time passwords, at least. There is no provision for showing a challenge to the user. Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jun 1 17:01:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA15534 for freebsd-security-outgoing; Mon, 1 Jun 1998 17:01:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (root@COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA15468 for ; Mon, 1 Jun 1998 17:00:59 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id TAA08052; Mon, 1 Jun 1998 19:58:16 -0400 (EDT) Date: Mon, 1 Jun 1998 19:58:16 -0400 (EDT) 
From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Eivind Eklund cc: Poul-Henning Kamp , "J.A. Terranson" , "freebsd-security@FreeBSD.ORG" Subject: Re: MD5 v. DES? In-Reply-To: <19980602015132.55099@follo.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Jun 1998, Eivind Eklund wrote: > On Mon, Jun 01, 1998 at 07:46:35PM -0400, Robert Watson wrote: > > Accept kerberosIV, local passwords, one-time-passwords when using ssh or > > kerberized rlogin. > > The SSH-1 protocol doesn't make it possible to use s/key for one-time > passwords, at least. There is no provision for showing a challenge to > the user. This is a problem with a protocol that claims to be a secure shell protocol. For the sake of example, then, how about IMAP using SASL support for s/key over SSL? Robert N Watson ---- Carnegie Mellon University http://www.cmu.edu/ Trusted Information Systems http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jun 1 17:20:50 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA19880 for freebsd-security-outgoing; Mon, 1 Jun 1998 17:20:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dingo.cdrom.com (dingo.cdrom.com [204.216.28.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA19836 for ; Mon, 1 Jun 1998 17:20:25 -0700 (PDT) (envelope-from mike@dingo.cdrom.com) Received: from dingo.cdrom.com (localhost [127.0.0.1]) by dingo.cdrom.com (8.8.8/8.8.5) with ESMTP id QAA01886; Mon, 1 Jun 1998 16:11:17 -0700 (PDT) Message-Id: <199806012311.QAA01886@dingo.cdrom.com> X-Mailer: exmh version 2.0zeta 7/24/97 To: Poul-Henning Kamp cc: Robert Watson , 
Eivind Eklund , "J.A. Terranson" , "freebsd-security@FreeBSD.ORG" Subject: Re: MD5 v. DES? In-reply-to: Your message of "Mon, 01 Jun 1998 21:57:29 +0200." <5630.896731049@critter.freebsd.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 01 Jun 1998 16:11:16 -0700 
From: Mike Smith Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > In message , Robert > Watson writes: > > >> I have been considering if we shouldn't introduce a > >> > >> int checkuserpassword(char *user, char *password); > >> > >> in some library, rather than having all these programs know that > >> you should strcmp after calling crypt(). This would allow us to > >> do what you propose or RADIUS authentication for that matter... > > > >I personally dislike this idea -- where does this leave one-time-password > >users, etc? > > Perfectly safe as always. All it does is to make sure that you don't have > to modify, ftpd, telnetd, login, popper, and uhm... what is the last one, > I keep forgetting, Hmm..... Actually, it sucks. See PAM and the XSSO stuff for some better directions, but basically it still loses. The principal difficulty is that many more sophisticated password schemes are challenge-response based, eg. s/key, SecurID, etc. There's no easy way for the authenticator to backchat with the user, which is often required (but not always possible, eg. POP3). -- \\ Sometimes you're ahead, \\ Mike Smith \\ sometimes you're behind. \\ mike@smith.net.au \\ The race is long, and in the \\ msmith@freebsd.org \\ end it's only with yourself. 
\\ msmith@cdrom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Jun 1 21:19:27 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA02975 for freebsd-security-outgoing; Mon, 1 Jun 1998 21:19:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from roble.com (roble.com [207.5.40.50]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA02929 for ; Mon, 1 Jun 1998 21:18:58 -0700 (PDT) (envelope-from sendmail@roble.com) Received: from localhost (localhost [127.0.0.1]) by roble.com (Roble) with SMTP id VAA14408 for ; Mon, 1 Jun 1998 21:18:56 -0700 (PDT) Date: Mon, 1 Jun 1998 21:18:55 -0700 (PDT) 
From: Roger Marquis To: freebsd-security@FreeBSD.ORG Subject: SSH + s/key (was: Re: MD5 v. DES) In-Reply-To: <19980602015132.55099@follo.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 2 Jun 1998, Eivind Eklund wrote: > The SSH-1 protocol doesn't make it possible to use s/key for one-time > passwords, at least. There is no provision for showing a challenge to > the user. Partly true. You can accomplish the same goal by creating an "skey" user account with no password and skeysh as the shell. "ssh -l skey" will establish an encrypted connection, log into the skey account and ask for a username before displaying the skey sequence number and password prompt. Roger Marquis Roble Systems Consulting http://www.roble.com/consulting To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jun 2 01:08:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA10416 for freebsd-security-outgoing; Tue, 2 Jun 1998 01:08:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from portal.eltex.spb.ru ([195.19.195.34]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA10377 for ; Tue, 2 Jun 1998 01:07:43 -0700 (PDT) (envelope-from ark@eltex.spb.ru) 
From: ark@eltex.spb.ru Received: from paranoid.eltex.spb.ru (border1.eltex.spb.ru [194.58.218.11] (may be forged)) by portal.eltex.spb.ru (8.8.8/8.8.8) with ESMTP id LAA29143; Tue, 2 Jun 1998 11:58:51 +0400 (MSD) Received: (from ark@localhost) by paranoid.eltex.spb.ru (8.8.8/8.7.3) id MAA19702; Tue, 2 Jun 1998 12:01:01 GMT Date: Tue, 2 Jun 1998 12:01:01 GMT Message-Id: <199806021201.MAA19702@paranoid.eltex.spb.ru> In-Reply-To: <19980602015132.55099@follo.net> from "Eivind Eklund " Organization: "Klingon Imperial Intelligence Service" Subject: Re: MD5 v. DES? To: eivind@yes.no Cc: robert+freebsd@cyrus.watson.org, Poul-Henning@paranoid.eltex.spb.ru, Kamp@paranoid.eltex.spb.ru, , "J.A.,Terranson"@paranoid.eltex.spb.ru, , "freebsd-security@FreeBSD.ORG"@paranoid.eltex.spb.ru, Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

nuqneH,

Eivind Eklund said :
> On Mon, Jun 01, 1998 at 07:46:35PM -0400, Robert Watson wrote:
> > Accept kerberosIV, local passwords, one-time-passwords when using ssh or
> > kerberized rlogin.
>
> The SSH-1 protocol doesn't make it possible to use s/key for one-time
> passwords, at least. There is no provision for showing a challenge to
> the user.

Don't know what is "SSH-1" protocol you are referring to, but ssh (at least versions 1.2.20 and newer) do support OTP and even authentication server.

_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Tue Jun 2 04:35:51 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA08039 for freebsd-security-outgoing; Tue, 2 Jun 1998 04:35:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA08025 for ; Tue, 2 Jun 1998 04:35:46 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id LAA05312; Tue, 2 Jun 1998 11:32:52 GMT Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id NAA23653; Tue, 2 Jun 1998 13:32:26 +0200 (MET DST) Message-ID: <19980602133226.00055@follo.net> Date: Tue, 2 Jun 1998 13:32:26 +0200 
From: Eivind Eklund To: ark@eltex.spb.ru Cc: robert+freebsd@cyrus.watson.org, Poul-Henning@paranoid.eltex.spb.ru, Kamp@paranoid.eltex.spb.ru, phk@critter.freebsd.dk, "J.A.,Terranson"@paranoid.eltex.spb.ru, sysadmin@mfn.org, "freebsd-security@FreeBSD.ORG"@paranoid.eltex.spb.ru, freebsd-security@FreeBSD.ORG Subject: Re: MD5 v. DES? References: <19980602015132.55099@follo.net> <199806021201.MAA19702@paranoid.eltex.spb.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89.1i In-Reply-To: <199806021201.MAA19702@paranoid.eltex.spb.ru>; from ark@eltex.spb.ru on Tue, Jun 02, 1998 at 12:01:01PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, Jun 02, 1998 at 12:01:01PM +0000, ark@eltex.spb.ru wrote:
> > The SSH-1 protocol doesn't make it possible to use s/key for one-time
> > passwords, at least. There is no provision for showing a challenge to
> > the user.
>
> Don't know what is "SSH-1" protocol you are referring to, but ssh
> (at least versions 1.2.20 and newer) do support OTP and even
> authentication server.

Are you referring to the SecurID support? This is challenge-free, and this comment is from the third paragraph of README.SECURID in the ssh distribution:

    [ ... ] It would be nice if we could change the prompt, but this
    would involve changing the dialog between the server and the client
    (since it the server that knows the user's authentication protocol,
    but the client which does the prompt). Maybe next time.

As I said, there is no way of presenting a challenge - which is extremely annoying. I don't know if this is fixed in V2.0 of the protocol.

Eivind.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jun 2 04:57:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA10296 for freebsd-security-outgoing; Tue, 2 Jun 1998 04:57:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from portal.eltex.spb.ru ([195.19.195.34]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA10282 for ; Tue, 2 Jun 1998 04:56:55 -0700 (PDT) (envelope-from ark@eltex.spb.ru) 
From: ark@eltex.spb.ru Received: from paranoid.eltex.spb.ru (border1.eltex.spb.ru [194.58.218.11] (may be forged)) by portal.eltex.spb.ru (8.8.8/8.8.8) with ESMTP id PAA29563; Tue, 2 Jun 1998 15:45:41 +0400 (MSD) Received: (from ark@localhost) by paranoid.eltex.spb.ru (8.8.8/8.7.3) id PAA20263; Tue, 2 Jun 1998 15:47:56 GMT Date: Tue, 2 Jun 1998 15:47:56 GMT Message-Id: <199806021547.PAA20263@paranoid.eltex.spb.ru> In-Reply-To: <19980602133226.00055@follo.net> from "Eivind Eklund " Organization: "Klingon Imperial Intelligence Service" Subject: d.eltex.spb.ru, freebsd-security@FreeBSD.ORG To: eivind@yes.no Cc: ark@eltex.spb.ru, robert+freebsd@cyrus.watson.org, Poul-Henning@paranoid.eltex.spb.ru, Kamp@paranoid.eltex.spb.ru, phk@critter.freebsd.dk, "J.A.,Terranson"@paranoid.eltex.spb.ru, sysadmin@mfn.org, "freebsd-security@FreeBSD.ORG"@paranoid.eltex.spb.ru, freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

nuqneH,

Eivind Eklund said :
> On Tue, Jun 02, 1998 at 12:01:01PM +0000, ark@eltex.spb.ru wrote:
> > > The SSH-1 protocol doesn't make it possible to use s/key for one-time
> > > passwords, at least. There is no provision for showing a challenge to
> > > the user.
> >
> > Don't know what is "SSH-1" protocol you are referring to, but ssh
> > (at least versions 1.2.20 and newer) do support OTP and even
> > authentication server.
>
> Are you referring to the SecurID support? This is challenge-free, and
> this comment is from the third paragraph of README.SECURID in the ssh
> distribution:

[dd]

Nope, i mean TISAuthentication option which definitely _can_ be challenge-based.

_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Tue Jun 2 05:21:30 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA13957 for freebsd-security-outgoing; Tue, 2 Jun 1998 05:21:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA13915 for ; Tue, 2 Jun 1998 05:21:24 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id MAA07876; Tue, 2 Jun 1998 12:20:58 GMT Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id OAA23795; Tue, 2 Jun 1998 14:20:38 +0200 (MET DST) Message-ID: <19980602142038.43482@follo.net> Date: Tue, 2 Jun 1998 14:20:38 +0200 
From: Eivind Eklund To: Roger Marquis , freebsd-security@FreeBSD.ORG Subject: Re: SSH + s/key (was: Re: MD5 v. DES) References: <19980602015132.55099@follo.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89.1i In-Reply-To: ; from Roger Marquis on Mon, Jun 01, 1998 at 09:18:55PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Jun 01, 1998 at 09:18:55PM -0700, Roger Marquis wrote: > On Tue, 2 Jun 1998, Eivind Eklund wrote: > > The SSH-1 protocol doesn't make it possible to use s/key for one-time > > passwords, at least. There is no provision for showing a challenge to > > the user. > > Partly true. You can accomplish the same goal by creating an "skey" user > account with no password and skeysh as the shell. "ssh -l > skey" will establish an encrypted connection, log into the skey account > and ask for a username before displaying the skey sequence number and > password prompt. Neat trick! However, I believe it still doesn't really solve the problem, as (I guess) scp etc won't work. Eivind. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jun 2 05:31:39 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA15703 for freebsd-security-outgoing; Tue, 2 Jun 1998 05:31:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA15682 for ; Tue, 2 Jun 1998 05:31:35 -0700 (PDT) (envelope-from adam@homeport.org) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id IAA27816; Tue, 2 Jun 1998 08:29:27 -0400 (EDT) 
From: Adam Shostack Message-Id: <199806021229.IAA27816@homeport.org> Subject: Re: /usr/sbin/named In-Reply-To: from "Craig H. Rowland" at "Jun 1, 98 05:08:37 pm" To: crowland@psionic.com (Craig H. Rowland) Date: Tue, 2 Jun 1998 08:29:27 -0400 (EDT) Cc: regnauld@deepo.prosa.dk, roberto@keltia.freenix.fr, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=UNKNOWN-8BIT Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org OpenBSD does not. You may be recalling that I brought it up once on the OpenBSD tech list, and was unable to suggest an elegant way to implement it, other than lowering maxreservedport, or adding users who can bind to any port, neither of which are clean. Adam Craig H. Rowland wrote: | I was originally under this impression as well and have seen | patches for Linux that do this. Does anyone know what procedures are | required to do this if it is built in? I also remember reading about this | feature with FreeBSD as well but can't recall where. If anyone has this | information I'd love to hear about it so I can update my document. | | Thanks for any pointers.. | | -- Craig | | | On Mon, 1 Jun 1998, Philippe Regnauld wrote: | | > Craig H. Rowland writes: | > > | > > I have a web page up that describes how to run BIND 8.x under a chroot() | > > environment under OpenBSD 2.x. A lot of the information should apply to | > > FreeBSD as well. Here is the URL: | > > | > > http://www.psionic.com/papers/dns.html | > | > Didn't OpenBSD go a bit further and allow certain non-root programs | > to bind <1024 for this reason ? | > | > -- | > -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]- | > «Pluto placed his bad dog at the entrance of Hades to keep the dead | > IN and the living OUT! The archetypical corporate firewall?» | > - S. 
Kelly Bootle | > | | | To Unsubscribe: send mail to majordomo@FreeBSD.org | with "unsubscribe security" in the body of the message | -- "It is seldom that liberty of any kind is lost all at once." -Hume To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jun 2 06:19:43 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA22397 for freebsd-security-outgoing; Tue, 2 Jun 1998 06:19:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA22366 for ; Tue, 2 Jun 1998 06:19:36 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id NAA11970; Tue, 2 Jun 1998 13:19:27 GMT Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id PAA23995; Tue, 2 Jun 1998 15:19:06 +0200 (MET DST) Message-ID: <19980602151906.20815@follo.net> Date: Tue, 2 Jun 1998 15:19:06 +0200 
From: Eivind Eklund To: ark@eltex.spb.ru Cc: robert+freebsd@cyrus.watson.org, sysadmin@mfn.org, freebsd-security@FreeBSD.ORG Subject: Re: d.eltex.spb.ru, freebsd-security@FreeBSD.ORG References: <19980602133226.00055@follo.net> <199806021547.PAA20263@paranoid.eltex.spb.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.89.1i In-Reply-To: <199806021547.PAA20263@paranoid.eltex.spb.ru>; from ark@eltex.spb.ru on Tue, Jun 02, 1998 at 03:47:56PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, Jun 02, 1998 at 03:47:56PM +0000, ark@eltex.spb.ru wrote:
> > > Don't know what is "SSH-1" protocol you are referring to, but ssh
> > > (at least versions 1.2.20 and newer) do support OTP and even
> > > authentication server.
> >
> > Are you referring to the SecurID support? This is challenge-free, and
> > this comment is from the third paragraph of README.SECURID in the ssh
> > distribution:
>
> [dd]
>
> Nope, i mean TISAuthentication option which definitely _can_ be
> challenge-based.

Yes. It involves extensions to the protocol. I hadn't noticed this, so thanks for bringing it to my attention. I think it may be possible to hijack it to provide for s/key support.

The support for TIS right now is really a kludge - it extends the protocol with messages that are special for TIS (SSH_SMSG_AUTH_TIS_CHALLENGE, SSH_SMSG_AUTH_TIS_CHALLENGE, SSH_AUTH_TIS, etc) instead of adding proper infrastructure to do challenges and then using that. It may still be possible to abuse the kludge to do s/key - I'll see how pretty it turns out.

BTW: Your mailreader (or something) has really screwed up the headers. I've cleaned them out, but it is something to be aware of.

Eivind.
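
The design point argued across this thread, that a single "is this password acceptable" call cannot carry a challenge back to the user, shown as an added example (not code from any poster, from ssh or from FreeBSD): a two-step interface in which the authenticator picks the method from the context and returns a prompt for the daemon to relay. All names (auth_begin, auth_respond, the "plain"/"ssl"/"kerberized" transport strings) are hypothetical, the account data is constructed, and toy_hash is a stand-in for a real one-time-password hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout: this is not PAM, S/Key or any FreeBSD API. */
enum auth_status { AUTH_OK, AUTH_FAIL, AUTH_CONTINUE };
enum auth_method { M_PASSWORD, M_OTP };

/* Two-part context: daemon name plus a classifying field ("plain", "ssl"). */
struct auth_ctx { const char *daemon, *transport; };

struct account {              /* constructed sample record for one user */
    const char *password;     /* reusable secret, in clear only to keep the demo short */
    unsigned seq;             /* OTP: how many hash applications 'last' represents */
    uint64_t last;            /* OTP: H^seq(secret), the last value accepted */
    const char *seed;
};

struct auth_session {
    struct account *acct;
    enum auth_method method;
    char prompt[64];          /* text the daemon must relay to the client */
};

/* Toy one-way function (FNV-1a over 8 bytes), standing in for a real OTP hash. */
static uint64_t toy_hash(uint64_t x)
{
    uint64_t h = 1469598103934665603ULL;
    for (int i = 0; i < 8; i++)
        h = (h ^ ((x >> (8 * i)) & 0xff)) * 1099511628211ULL;
    return h;
}

/* Client side: compute H^n(secret) for the sequence number in the challenge. */
uint64_t otp_value(uint64_t secret, unsigned n)
{
    while (n--)
        secret = toy_hash(secret);
    return secret;
}

/* Policy lives in one place: reusable passwords only over protected transports. */
static enum auth_method policy(const struct auth_ctx *ctx)
{
    int enc = !strcmp(ctx->transport, "ssl") || !strcmp(ctx->transport, "kerberized");
    return enc ? M_PASSWORD : M_OTP;
}

/* Step 1: the daemon supplies account and context, and gets back a prompt to relay. */
enum auth_status auth_begin(struct auth_session *s, struct account *a,
                            const struct auth_ctx *ctx)
{
    s->acct = a;
    s->method = policy(ctx);
    if (s->method == M_PASSWORD) {
        snprintf(s->prompt, sizeof s->prompt, "Password:");
        return AUTH_CONTINUE;
    }
    if (a->seq == 0)
        return AUTH_FAIL;     /* hash chain used up, account must be re-keyed */
    snprintf(s->prompt, sizeof s->prompt, "otp %u %s", a->seq - 1, a->seed);
    return AUTH_CONTINUE;
}

/* Step 2: the response is a counted buffer, so it may contain NUL bytes. */
enum auth_status auth_respond(struct auth_session *s,
                              const unsigned char *resp, size_t len)
{
    struct account *a = s->acct;
    uint64_t v;

    if (s->method == M_PASSWORD) {
        size_t n = strlen(a->password);
        unsigned diff = (len != n);
        for (size_t i = 0; i < len && i < n; i++)   /* no early exit on mismatch */
            diff |= (unsigned)(resp[i] ^ (unsigned char)a->password[i]);
        return diff ? AUTH_FAIL : AUTH_OK;
    }
    if (len != sizeof v)
        return AUTH_FAIL;
    memcpy(&v, resp, sizeof v);
    if (toy_hash(v) != a->last)
        return AUTH_FAIL;
    a->last = v;              /* advance the chain: a replayed response now fails */
    a->seq--;
    return AUTH_OK;
}

int main(void)
{
    struct account a = { "hunter2", 100, 0, "ke1234" };   /* constructed */
    struct auth_ctx telnet = { "telnetd", "plain" };
    struct auth_session s;
    uint64_t r = otp_value(42, 99);
    a.last = otp_value(42, 100);
    auth_begin(&s, &a, &telnet);
    printf("%s -> %d\n", s.prompt, auth_respond(&s, (unsigned char *)&r, sizeof r));
    return 0;
}
```

A daemon that cannot relay the prompt (the POP3 and SSH-1 cases raised in the thread) has no way to complete step 2 for the OTP method, which is the limitation the posters are describing.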
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jun 2 08:19:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA11943 for freebsd-security-outgoing; Tue, 2 Jun 1998 08:19:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mixcom.mixcom.com (daemon@mixcom.mixcom.com [198.137.186.100]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id IAA11903 for ; Tue, 2 Jun 1998 08:19:25 -0700 (PDT) (envelope-from lwatkins@mixcom.com) Received: by mixcom.mixcom.com (8.6.12/2.2) id KAA09185; Tue, 2 Jun 1998 10:21:29 -0500 Received: from mix-nt.mixcom.com(198.137.186.7) by mixcom.mixcom.com via smap (V1.3) id sma009133; Tue Jun 2 10:21:05 1998 Message-ID: <000c01bd8e39$c9809850$07ba89c6@mix-nt.mixcom.com> 
From: "Lawrence Watkins" To: Subject: unsubscribe Date: Tue, 2 Jun 1998 10:19:07 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2106.4 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org unsubscribe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jun 2 09:18:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA22252 for freebsd-security-outgoing; Tue, 2 Jun 1998 09:18:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from antipodes.cdrom.com (castles327.castles.com [208.214.167.27]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA22224 for ; Tue, 2 Jun 1998 09:17:53 -0700 (PDT) (envelope-from mike@antipodes.cdrom.com) Received: from antipodes.cdrom.com (localhost [127.0.0.1]) by antipodes.cdrom.com (8.8.8/8.8.5) with ESMTP id IAA00439; Tue, 2 Jun 1998 08:13:32 -0700 (PDT) Message-Id: <199806021513.IAA00439@antipodes.cdrom.com> X-Mailer: exmh version 2.0zeta 7/24/97 To: Roger Marquis cc: freebsd-security@FreeBSD.ORG Subject: Re: SSH + s/key (was: Re: MD5 v. DES) In-reply-to: Your message of "Mon, 01 Jun 1998 21:18:55 PDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 02 Jun 1998 08:13:31 -0700 
From: Mike Smith Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On Tue, 2 Jun 1998, Eivind Eklund wrote: > > The SSH-1 protocol doesn't make it possible to use s/key for one-time > > passwords, at least. There is no provision for showing a challenge to > > the user. > > Partly true. You can accomplish the same goal by creating an "skey" user > account with no password and skeysh as the shell. "ssh -l > skey" will establish an encrypted connection, log into the skey account > and ask for a username before displaying the skey sequence number and > password prompt. Except that logging in is only one of the things that you do with a username/password pair. How does this help, eg. FTP? -- \\ Sometimes you're ahead, \\ Mike Smith \\ sometimes you're behind. \\ mike@smith.net.au \\ The race is long, and in the \\ msmith@freebsd.org \\ end it's only with yourself. \\ msmith@cdrom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Jun 2 12:24:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA22744 for freebsd-security-outgoing; Tue, 2 Jun 1998 12:24:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gvr.gvr.org (guido@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA22642; Tue, 2 Jun 1998 12:24:00 -0700 (PDT) (envelope-from security-officer@freebsd.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.8/8.8.5) id VAA13079; Tue, 2 Jun 1998 21:23:51 +0200 (MET DST) Date: Tue, 2 Jun 1998 21:23:51 +0200 (MET DST) Message-Id: <199806021923.VAA13079@gvr.gvr.org> 
From: FreeBSD Security Officer Subject: Announcement regarding FreeBSD Security advisories Reply-To: security-officer@FreeBSD.ORG To: undisclosed-recipients:; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

This document explains the policy currently in use by the FreeBSD security officer with respect to security advisories.

FreeBSD provides security advisories. The advisories will cover recent releases of FreeBSD. The security advisories will cover these releases:

    the most recent official release of FreeBSD,
    FreeBSD-current,
    FreeBSD-stable, when 2 releases are based on it.
    the previous FreeBSD-stable in case the new stable does not yet have 2 releases based on it.

At this time, security advisories are available for:

    FreeBSD 2.2.6
    FreeBSD-current
    FreeBSD-stable

Older releases will not be actively maintained. You are encouraged to upgrade to one of the supported releases.

An advisory will be sent out when a security hole exists that is either being actively abused (as indicated to us via reports from end users or CERT like organizations), or when the security hole is public knowledge (e.g. because a report has been posted to a public mailing list).

Like all development efforts, security fixes are first brought into the FreeBSD-current branch. After a couple of days, the fix will be retrofitted into the covered FreeBSD-stable branch(es). Then an advisory will be sent out.

Advisories will be sent to the following FreeBSD mailing lists:

    FreeBSD-security-notifications
    FreeBSD-security
    FreeBSD-announce

Advisories will always be signed using the FreeBSD security-officer PGP key. This key can be found at

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

Advisories are archived at

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories

Patches mentioned in advisories are archived (both signed and unsigned) at

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Wed Jun 3 01:09:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA25259 for freebsd-security-outgoing; Wed, 3 Jun 1998 01:09:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from passer.osg.gov.bc.ca (0@passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA25216 for ; Wed, 3 Jun 1998 01:09:10 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.0/8.6.10) id BAA00226; Wed, 3 Jun 1998 01:09:09 -0700 (PDT) Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdaaDjma; Wed Jun 3 01:09:04 1998 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.0/8.6.10) id BAA11430; Wed, 3 Jun 1998 01:08:51 -0700 (PDT) Message-Id: <199806030808.BAA11430@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdY11420; Wed Jun 3 01:08:35 1998 X-Mailer: exmh version 2.0.2 2/24/98 Reply-to: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: Robert Watson
cc: Poul-Henning Kamp, Eivind Eklund, "J.A. Terranson", "freebsd-security@FreeBSD.ORG"
Subject: Re: MD5 v. DES?
In-reply-to: Your message of "Mon, 01 Jun 1998 19:46:35 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 03 Jun 1998 01:08:29 -0700

> environment, it might be desirable to have an "authentication daemon" that
> listens on a unix domain socket (or such). Daemons like CMU's imapd

This looks like a nice clean approach, however what if the daemon (or
something else for that matter) is broken? I suppose falling back to a
primitive level of authentication, e.g. only /etc/passwd, to ensure
that the system is not totally hosed.

Any thoughts?

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Government of BC

From owner-freebsd-security Wed Jun 3 06:05:44 1998
From: Adam Shostack
Message-Id: <199806031259.IAA06307@homeport.org>
Subject: Re: MD5 v. DES?
In-Reply-To: <199806030808.BAA11430@cwsys.cwsent.com> from Cy Schubert - ITSD Open Systems Group at "Jun 3, 98 01:08:29 am"
To: cschuber@uumail.gov.bc.ca
Date: Wed, 3 Jun 1998 08:59:53 -0400 (EDT)
Cc: robert+freebsd@cyrus.watson.org, phk@critter.freebsd.dk, eivind@yes.no, sysadmin@mfn.org, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

TIS wrote one of these that isn't bad as long as you don't let the
protocol cross the network. It was part of the firewall toolkit.
Since a number of vendors support that, it would be nice to be
compatible with it.

With a little effort, the protocol could be revised to tie the 'ok'
messages to the rest of the system, and it could be made network safe.

Adam

Cy Schubert - ITSD Open Systems Group wrote:
| > environment, it might be desirable to have an "authentication daemon" that
| > listens on a unix domain socket (or such). Daemons like CMU's imapd
|
| This looks like a nice clean approach, however what if the daemon (or
| something else for that matter) is broken? I suppose falling back to a
| primitive level of authentication, e.g. only /etc/passwd, to ensure
| that the system is not totally hosed.
|
| Any thoughts?
|
| Regards,                       Phone:  (250)387-8437
| Cy Schubert                      Fax:  (250)387-5766
| Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
| ITSD                                   Cy.Schubert@gems8.gov.bc.ca
| Government of BC

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-freebsd-security Wed Jun 3 08:15:33 1998
From: ark@eltex.spb.ru
Date: Wed, 3 Jun 1998 18:52:58 GMT
Message-Id: <199806031852.SAA25260@paranoid.eltex.spb.ru>
In-Reply-To: <199806031259.IAA06307@homeport.org> from "Adam Shostack"
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: MD5 v. DES?
To: adam@homeport.org
Cc: cschuber@uumail.gov.bc.ca, robert+freebsd@cyrus.watson.org, phk@critter.freebsd.dk, eivind@yes.no, sysadmin@mfn.org, freebsd-security@FreeBSD.ORG

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Adam Shostack said :

> TIS wrote one of these that isn't bad as long as you don't let the
> protocol cross the network. It was part of the firewall toolkit.
> Since a number of vendors support that, it would be nice to be
> compatible with it.

Hmm, there are other clients/servers (except TIS and ssh) that do
support authsrv protocol? I've never seen any.

CU in Hell                                          /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

From owner-freebsd-security Wed Jun 3 10:44:54 1998
Date: Wed, 3 Jun 1998 19:44:29 +0200 (MET DST)
Message-Id: <199806031744.TAA17439@gvr.gvr.org>
From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-98:04.mmap
Reply-To: security-officer@FreeBSD.ORG
To: undisclosed-recipients:;

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-98:04                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          security compromise via mmap

Category:       core
Module:         kernel
Announced:      1998-06-02
Affects:        FreeBSD 2.2.*, FreeBSD-stable before 1998/05/24
                and FreeBSD-current before 1998/05/19 suffer from
                this problem.
Corrected:      FreeBSD-current as of 1998/05/19
                FreeBSD-stable as of 1998/05/24
FreeBSD only:   no (also other 4.4BSD based systems may be affected)

Patches:        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:04/

=============================================================================
IMPORTANT MESSAGE: The FreeBSD security officer now uses the policy
ftp://freebsd.org/pub/CERT to ftp://ftp.freebsd.org/pub/FreeBSD/POLICY
for sending out advisories.
=============================================================================

I. Background

The 4.4BSD VM system allows files to be "memory mapped", which causes
the specified contents of a file to be made available to a process via
its address space. Manipulations of that file can then be performed
simply by manipulating memory, rather than using filesystem I/O calls.
This technique is used to simplify code, speed up access to files, and
provide interprocess communication.

In 4.4BSD, 4 new FFS flags were added that give the possibility to mark
files as append-only or immutable.

II. Problem Description

It is possible for a process to open an append-only file according to
the limitations of the flags, and then mmap the file shared with write
permission even when the file is marked as append-only or immutable.
This circumvents the concept of the append-only flag.

III.
Impact It is possible to change the contents of append-only files. IV. Workaround No workaround is known. V. Solution Apply one of the following patches, rebuild your kernel, install it and reboot your system. The patches below can be found on ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:04/ NOTE: Users of FreeBSD 2.2.5 or FreeBSD-current or FreeBSD-stable dated before 1998/03/12 will need to apply the patch mentioned in FreeBSD advisory SA-98:02. Patch for 3.0-current systems: Index: vm_mmap.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/vm/vm_mmap.c,v retrieving revision 1.75 retrieving revision 1.77 diff -u -r1.75 -r1.77 --- vm_mmap.c 1998/03/12 19:36:18 1.75 +++ vm_mmap.c 1998/05/19 07:13:21 1.77 @@ -58,6 +58,7 @@ #include #include #include +#include #include #include @@ -295,12 +296,25 @@ * we're at securelevel < 1, to allow the XIG X server * to continue to work. */ - if (((flags & MAP_SHARED) != 0 || - (vp->v_type == VCHR && disablexworkaround)) && - (fp->f_flag & FWRITE) == 0 && (prot & PROT_WRITE) != 0) - return (EACCES); - else + + if ((flags & MAP_SHARED) != 0 || + (vp->v_type == VCHR && disablexworkaround)) { + if ((fp->f_flag & FWRITE) != 0) { + struct vattr va; + if ((error = + VOP_GETATTR(vp, &va, + p->p_ucred, p))) + return (error); + if ((va.va_flags & + (IMMUTABLE|APPEND)) == 0) + maxprot |= VM_PROT_WRITE; + else if (prot & PROT_WRITE) + return (EPERM); + } else if ((prot & PROT_WRITE) != 0) + return (EACCES); + } else maxprot |= VM_PROT_WRITE; + handle = (void *)vp; } } Patch for 2.2 systems: Index: vm_mmap.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/vm/vm_mmap.c,v retrieving revision 1.53.2.3 retrieving revision 1.53.2.4 diff -u -r1.53.2.3 -r1.53.2.4 --- vm_mmap.c 1998/03/12 19:36:50 1.53.2.3 +++ vm_mmap.c 1998/05/24 19:47:02 1.53.2.4 @@ -57,6 +57,7 @@ #include #include #include +#include #include #include 
@@ -275,12 +276,26 @@ * we're at securelevel < 1, to allow the XIG X server * to continue to work. */ - if (((flags & MAP_SHARED) != 0 || - (vp->v_type == VCHR && disablexworkaround)) && - (fp->f_flag & FWRITE) == 0 && (prot & PROT_WRITE) != 0) - return (EACCES); - else + + if ((flags & MAP_SHARED) != 0 || + (vp->v_type == VCHR && disablexworkaround)) { + if ((fp->f_flag & FWRITE) != 0) { + struct vattr va; + + if ((error = + VOP_GETATTR(vp, &va, + p->p_ucred, p))) + return (error); + if ((va.va_flags & + (IMMUTABLE|APPEND)) == 0) + maxprot |= VM_PROT_WRITE; + else if (prot & PROT_WRITE) + return (EPERM); + } else if ((prot & PROT_WRITE) != 0) + return (EACCES); + } else maxprot |= VM_PROT_WRITE; + handle = (caddr_t) vp; } } VI. Thanks This advisory is based on NetBSD Security Advisory 1998-003. In porting the NetBSD patch, we accidentally mentioned that we obtained the patch from OpenBSD, which was evidently wrong. ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org Security notifications: security-notifications@freebsd.org Security public discussion: freebsd-security@freebsd.org PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. 
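Review bot: in the 3.0-current hunk (@@ -295,12 +296,25 @@) the declaration struct vattr va; is followed directly by the VOP_GETATTR call, while the otherwise identical 2.2 hunk (@@ -275,12 +276,26 @@) has a blank line after it. Add the blank line in the 3.0-current version as well, so both branches carry the same text and later merges between them stay clean.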
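Review bot: in the 2.2 hunk (@@ -275,12 +276,26 @@, same logic in the 3.0-current hunk) the new block has no comment, although it changes two things a caller can observe: a shared PROT_WRITE mapping of a file flagged IMMUTABLE or APPEND now fails with EPERM while a descriptor not open for writing still gets EACCES, and a read-only shared mapping of a flagged file is allowed but leaves VM_PROT_WRITE out of maxprot. Please state both in a comment above the VOP_GETATTR call and in mmap(2). The flags are also read only once, at mmap time, so the comment should say whether a mapping set up before the flag was applied is meant to be covered, and if so where that is handled.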
=============================================================================

From owner-freebsd-security Wed Jun 3 16:50:09 1998
To: freebsd-security@FreeBSD.ORG
Subject: radius/OTP framework vs checkuserpassword()
From: Paul Traina
Date: 03 Jun 1998 16:48:47 -0700
Message-ID: <7yg1hmm4gw.fsf@base.juniper.net>
Lines: 12
X-Mailer: Gnus v5.4.37/XEmacs 19.16

Actually,

We (Juniper) have already commissioned a RADIUS client implementation
for FreeBSD that we intend to contribute back. Part of this is an
authentication framework/API so that we can handle both
challenge/response and shared secret authentication methods.

The framework and API are still in design specification stage.
Qualified (by me) FreeBSD security folk who want to review the document
once we're ready with a draft spec should send a note to me.

Paul

From owner-freebsd-security Thu Jun 4 06:14:08 1998
From: Adam Shostack
Message-Id: <199806041308.JAA14669@homeport.org>
Subject: Re: MD5 v. DES?
In-Reply-To: <199806031852.SAA25260@paranoid.eltex.spb.ru> from "ark@eltex.spb.ru" at "Jun 3, 98 06:52:58 pm"
To: ark@eltex.spb.ru
Date: Thu, 4 Jun 1998 09:08:40 -0400 (EDT)
Cc: adam@homeport.org, cschuber@uumail.gov.bc.ca, robert+freebsd@cyrus.watson.org, phk@critter.freebsd.dk, eivind@yes.no, sysadmin@mfn.org, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

ark@eltex.spb.ru wrote:
| Adam Shostack said :
|
| > TIS wrote one of these that isn't bad as long as you don't let the
| > protocol cross the network. It was part of the firewall toolkit.
| > Since a number of vendors support that, it would be nice to be
| > compatible with it.
|
| Hmm, there are other clients/servers (except TIS and ssh) that do
| support authsrv protocol? I've never seen any.

Some of the handheld vendors support it. I know the cryptocard people
have a plug in, and recall others having them as well.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-freebsd-security Thu Jun 4 10:58:19 1998
Date: Thu, 4 Jun 1998 19:56:36 +0200 (MET DST)
Message-Id: <199806041756.TAA22999@gvr.gvr.org>
From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-98:05.nfs
Reply-To: security-officer@FreeBSD.ORG
To: undisclosed-recipients:;

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-98:05                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          system crash with NFS

Category:       core
Module:         kernel
Announced:      1998-06-04
Affects:        FreeBSD 2.2.* and FreeBSD-stable before 1998/05/31
                this problem.
Corrected:      FreeBSD-current as of 1998/05/31
FreeBSD only:   no (also other 4.4BSD based systems may be affected)

Patches:        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:05/

=============================================================================
IMPORTANT MESSAGE: The FreeBSD security officer now uses the policy
ftp://ftp.freebsd.org/pub/FreeBSD/POLICY.asc for sending out advisories.
=============================================================================

I. Background

NFS can be used to mount remote file systems. Apart from being remote,
it acts like a normal UFS file system. Among others, this means that
creating hard links can be done in NFS file systems.

II. Problem Description

When creating hard links on file systems, the kernel checks that both
the original file and the link to it are located on the same file
system. Unfortunately, there is an error in the NFS kernel code in
FreeBSD 2.2.* systems that performs this check.

III. Impact

It is possible to crash a FreeBSD 2.2.* system by hard linking a device
special file to a file on an NFS mounted file system.

FreeBSD-current is not vulnerable.

IV. Workaround

No real work around is known (except for unmounting your NFS file
systems).

V. Solution

Apply one of the following patches, rebuild your kernel, install it and
reboot your system.
The patches below can be found on ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:05/ Patch for 2.2.5 and 2.2.6 systems: Index: nfs_vnops.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/nfs/nfs_vnops.c,v retrieving revision 1.36.2.6 retrieving revision 1.36.2.7 diff -u -r1.36.2.6 -r1.36.2.7 --- nfs_vnops.c 1998/05/13 05:48:45 1.36.2.6 +++ nfs_vnops.c 1998/05/31 00:07:29 1.36.2.7 @@ -1755,17 +1755,8 @@ struct componentname *a_cnp; } */ *ap; { -#if defined(__NetBSD__) - /* - * Since the args are reversed in the VOP_LINK() calls, - * switch them back. Argh! - */ - register struct vnode *vp = ap->a_tdvp; - register struct vnode *tdvp = ap->a_vp; -#else register struct vnode *vp = ap->a_vp; register struct vnode *tdvp = ap->a_tdvp; -#endif register struct componentname *cnp = ap->a_cnp; register u_long *tl; register caddr_t cp; 
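Review bot: in the first nfs_vnops.c hunk (@@ -1755,17 +1755,8 @@), deleting the __NetBSD__ block also deletes the only comment about VOP_LINK argument order, so nothing in the function now says which of ap->a_vp and ap->a_tdvp is the existing file and which is the target directory. The error path in the next hunk depends on exactly that distinction; a one-line comment above the two remaining declarations would make it easier to check.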
@@ -1776,11 +1767,8 @@ int v3 = NFS_ISV3(vp); if (vp->v_mount != tdvp->v_mount) { - VOP_ABORTOP(vp, cnp); - if (tdvp == vp) - vrele(tdvp); - else - vput(tdvp); + VOP_ABORTOP(tdvp, cnp); + vput(tdvp); return (EXDEV); } ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org Security notifications: security-notifications@freebsd.org Security public discussion: freebsd-security@freebsd.org PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBNXbehFUuHi5z0oilAQHS8gQAgIgUrioo3hT+mJLyxUp//ASoFPSf2+vw fmq2D9qEYyV5Od/HLBnzgb3jz5xyqWDLBx6pNV3QIPAimw3+S0oHOUYG+UCn96yD 58kEx6mc8KanEHs0lzdgoqFi6ioVkPzCplxzqy+QfQvDCJPE+w7BbFkwVXhJHNof 4JvVbewoA9c= =ILgB -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Jun 4 12:39:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA19159 for freebsd-security-outgoing; Thu, 4 Jun 1998 12:39:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from alpha.sea-to-sky.net (sreid@sea-to-sky.net [204.244.200.240]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA19141 for ; Thu, 4 Jun 1998 12:38:50 -0700 (PDT) (envelope-from sreid@alpha.sea-to-sky.net) Received: (from sreid@localhost) by alpha.sea-to-sky.net (8.8.7/8.8.7) id MAA22726; Thu, 4 Jun 1998 12:40:58 -0700 Date: Thu, 4 Jun 1998 19:40:57 +0000 ( ) 
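Review bot: in the second nfs_vnops.c hunk of the SA-98:05 patch (@@ -1776,11 +1767,8 @@), the unconditional vput(tdvp) is correct only because vp->v_mount != tdvp->v_mount rules out tdvp == vp, which is also why the removed vrele(tdvp) branch could never run. A short comment saying that, and why the abort is now issued on tdvp instead of vp, would let a reader check the EXDEV path without re-deriving it.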
From: Steve Reid
To: freebsd-security@FreeBSD.ORG
Subject: Advisory format nitpicking
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

How about putting real version numbers in these advisories? This "2.2.*"
thing is only accurate until a new, fixed release appears. Looking over
past advisories (to secure a freshly installed system) is a headache
because _all_ the advisories say "Affects: FreeBSD 2.2.*".

> Topic:          security compromise via mmap
> Category:       core
> Module:         kernel
> Announced:      1998-06-02
> Affects:        FreeBSD 2.2.*, FreeBSD-stable before 1998/05/24
>                 and FreeBSD-current before 1998/05/19 suffer from
>                 this problem.

From owner-freebsd-security Thu Jun 4 13:22:51 1998
From: sthaug@nethelp.no
To: crowland@psionic.com
Cc: roberto@keltia.freenix.fr, freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named
In-Reply-To: Your message of "Mon, 1 Jun 1998 09:58:26 -0400 (EDT)"
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Thu, 04 Jun 1998 22:22:24 +0200
Message-ID: <20254.896991744@verdi.nethelp.no>

> Version 8.x has several new options that allow securing BIND more
> reasonably:
>
> -t - chroot() directory
> -u - UID to run under after bind()
> -g - GID to run under after bind()
>
> I have a web page up that describes how to run BIND 8.x under a chroot()
> environment under OpenBSD 2.x. A lot of the information should apply to
> FreeBSD as well. Here is the URL:
>
> http://www.psionic.com/papers/dns.html

Note that you may want to correct Step Seven on your Web page. Advising
people to block TCP access to port 53 is *not* a good idea, for the
following reasons:

- Normal DNS queries using TCP are perfectly legitimate.
- The spec states that if an answer is truncated (TC bit set), the
  query *should* be retried using TCP instead of UDP.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Thu Jun 4 23:30:55 1998
Message-ID: <01BD905D.02DC1D20@PCNTWS1>
From: Pavol Adamec
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: /usr/sbin/named
Date: Fri, 5 Jun 1998 08:35:27 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit

sthaug@nethelp.no wrote :

> - Normal DNS queries using TCP are perfectly legitimate.
> - The spec states that if an answer is truncated (TC bit set), the
>   query *should* be retried using TCP instead of UDP.

As far as I know, this is not the only case. O'Reilly's book on BIND
states that some DNS implementations use __ONLY__ TCP (I think AIX was
one of them).

Paul

From owner-freebsd-security Fri Jun 5 00:42:54 1998
From: sthaug@nethelp.no
To: roberto@keltia.freenix.fr
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /usr/sbin/named
In-Reply-To: Your message of "Mon, 1 Jun 1998 11:51:12 +0200"
References: <19980601115112.A10806@keltia.freenix.fr>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Fri, 05 Jun 1998 09:42:37 +0200
Message-ID: <23827.897032557@verdi.nethelp.no>

> > Also... Is there any reason for this daemon to run as root, other than
> > binding to port 53? Would it be possible and reasonable to patch it to
> > give up root after binding to the port?
>
> Zone transfers are done by connecting tcp(53) to tcp(53). Name resolution
> between servers are using 53 too so you'll need to bind several times on
> that port.

Name resolution between servers (ie. a server sends a query to another
server) is done using port 53 in BIND-4.9.x (ie. the standard FreeBSD
setup). In BIND-8.1.x, queries from the server itself are *not* sent
from port 53 unless you specifically tell named to do so.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Sat Jun 6 15:23:01 1998
Message-Id: <199806062222.SAA07985@adk.gr>
To: freebsd-security@FreeBSD.ORG
Subject: Corrected URL
Date: Sat, 06 Jun 1998 18:22:15 -0400
From: "Angelos D. Keromytis"

-----BEGIN PGP SIGNED MESSAGE-----

To: freebsd-security@freebsd.org
Subject: Corrected URL
Cc:
Date: 06/06/98, 18:22:14

About a week ago, I posted a URL for a paper on IPsec on this list. A
couple of people complained that the URL wasn't right (and it wasn't).
Just for completeness, the correct URL for the paper on the OpenBSD
IPsec architecture is at

    http://www.cis.upenn.edu/~angelos/Papers/ipsec.ps.gz

Apologies for the confusion,
- -Angelos

PS. The wrong URL was http://www.cis.upenn.edu/~angelos/ipsec.ps.gz
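The point made in the /usr/sbin/named replies earlier in this archive, that an answer with the TC bit set is retried over TCP and so a filter on TCP port 53 breaks resolution, shown as an added Python example (not code from any poster). The transports are stand-in callables, the replies are constructed sample data for www.example.org with addresses from 192.0.2.0/24, and all function names are this example's own.

```python
import struct

# Header flag bits from RFC 1035 section 4.1.1.
FLAG_QR = 0x8000  # set in responses
FLAG_TC = 0x0200  # answer was truncated to fit the transport
FLAG_RD = 0x0100  # recursion desired
UDP_LIMIT = 512   # RFC 1035 size limit for a DNS message carried over UDP


def build_query(name, txid, qtype=1, qclass=1):
    """Encode a one-question query (qtype 1 = A, qclass 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_header(message):
    """Decode the fixed 12-byte header that starts every DNS message."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than its header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR),
            "tc": bool(flags & FLAG_TC), "ancount": ancount}


def tcp_frame(message):
    """Over TCP each DNS message is preceded by a two-byte length."""
    return struct.pack("!H", len(message)) + message


def tcp_unframe(stream):
    """Strip the length prefix, refusing a short or incomplete stream."""
    if len(stream) < 2:
        raise ValueError("missing length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) - 2 < length:
        raise ValueError("incomplete DNS message on TCP stream")
    return stream[2:2 + length]


def check_reply(query, reply):
    """Return the reply header after matching it to the query by ID."""
    head = parse_header(reply)
    if not head["qr"] or head["id"] != parse_header(query)["id"]:
        raise ValueError("reply does not match the query")
    return head


def resolve(query, udp_exchange, tcp_exchange):
    """Ask over UDP first; repeat the same query over TCP if TC is set."""
    reply = udp_exchange(query)
    if not check_reply(query, reply)["tc"]:
        return reply, "udp"
    reply = tcp_unframe(tcp_exchange(tcp_frame(query)))
    if check_reply(query, reply)["tc"]:
        raise ValueError("reply still truncated over TCP")
    return reply, "tcp"


def make_reply(query, addresses, truncated):
    """Constructed server reply: question echoed, one A record per address."""
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    shown = [] if truncated else addresses
    reply = struct.pack("!HHHHHH", parse_header(query)["id"], flags,
                        1, len(shown), 0, 0) + query[12:]
    for addr in shown:
        # 0xc00c points back at the question name; TTL 300, 4-byte RDATA.
        reply += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(addr)
    return reply


def lookup(record_count, tcp_allowed):
    """Simulate one lookup; returns (answer count or None, transport used)."""
    addresses = [(192, 0, 2, n) for n in range(1, record_count + 1)]
    query = build_query("www.example.org", txid=0x1234)

    def udp_exchange(q):
        full = make_reply(q, addresses, truncated=False)
        if len(full) <= UDP_LIMIT:
            return full
        return make_reply(q, addresses, truncated=True)

    def tcp_exchange(framed):
        if not tcp_allowed:  # stands in for a filter on TCP port 53
            raise ConnectionRefusedError("TCP port 53 is filtered")
        return tcp_frame(make_reply(tcp_unframe(framed), addresses, False))

    try:
        reply, transport = resolve(query, udp_exchange, tcp_exchange)
    except ConnectionRefusedError:
        return None, "failed"
    return parse_header(reply)["ancount"], transport


if __name__ == "__main__":
    for count, tcp in ((2, False), (40, True), (40, False)):
        print(count, "records, TCP allowed:", tcp, "->", lookup(count, tcp))
```

Small answers still resolve with TCP filtered, so a filter of this kind tends to show up as failures for some names only.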