From owner-freebsd-security@FreeBSD.ORG Sun May 25 14:01:17 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8842237B401 for ; Sun, 25 May 2003 14:01:17 -0700 (PDT)
Received: from thalia.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6853B43F85 for ; Sun, 25 May 2003 14:01:16 -0700 (PDT) (envelope-from keramida@freebsd.org)
Received: from gothmog.gr (patr530-b130.otenet.gr [212.205.244.138]) by thalia.otenet.gr (8.12.9/8.12.9) with ESMTP id h4PL19Kd013647; Mon, 26 May 2003 00:01:12 +0300 (EEST)
Received: from gothmog.gr (gothmog [127.0.0.1]) by gothmog.gr (8.12.9/8.12.9) with ESMTP id h4PL13hC021914; Mon, 26 May 2003 00:01:09 +0300 (EEST) (envelope-from keramida@freebsd.org)
Received: (from giorgos@localhost) by gothmog.gr (8.12.9/8.12.9/Submit) id h4PKpFUJ021821; Sun, 25 May 2003 23:51:15 +0300 (EEST) (envelope-from keramida@freebsd.org)
Date: Sun, 25 May 2003 23:51:15 +0300 (EEST)
From: Giorgos Keramidas
X-X-Sender: giorgos@gothmog
To: Santos
In-Reply-To: <3ED06967.90306@cas.port995.com>
Message-ID: <20030525234819.U21691@gothmog>
References: <3ED06967.90306@cas.port995.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: ipfirewall(4)) cannot be changed
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 25 May 2003 21:01:17 -0000

On 2003-05-25 07:57, Santos wrote:
> root@vigilante /root cuaa1# man init |tail -n 130 |head -n 5
>
> 3 Network secure mode - same as highly secure mode, plus IP packet
> filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
> dummynet(4) configuration cannot be adjusted.
>
> root@vigilante /root cuaa1# sysctl -a |grep secure
> kern.securelevel: 3
> [...]
> root@vigilante /root cuaa1# sysctl net.inet.ip.fw.enable=0
> net.inet.ip.fw.enable: 1 -> 0
>
> root@vigilante /root cuaa1# ping 216.136.204.21
> PING 216.136.204.21 (216.136.204.21): 56 data bytes
> 64 bytes from 216.136.204.21: icmp_seq=0 ttl=50 time=338.878 ms
> ^C

Try this patch. Unless of course, you're not using IPFW version 1, in
which case someone more knowledgeable will hopefully correct me :)

<<<<<<<
Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.192
diff -u -r1.192 ip_fw.c
--- sys/netinet/ip_fw.c 19 Feb 2003 05:47:33 -0000 1.192
+++ sys/netinet/ip_fw.c 25 May 2003 20:46:37 -0000
@@ -95,7 +95,7 @@ #ifdef SYSCTL_NODE SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3, &fw_enable, 0, "Enable ipfw"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, &fw_one_pass, 0, >>>>>>>

- Giorgos

From owner-freebsd-security@FreeBSD.ORG Sun May 25 21:17:57 2003
Message-ID: <3ED19590.80309@cas.port995.com>
Date: Mon, 26 May 2003 05:18:24 +0100
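Review bot: only the `enable` knob gets CTLFLAG_SECURE3 here; the `one_pass` sysctl in the trailing context (`SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,`) and the other net.inet.ip.fw knobs keep plain CTLFLAG_RW, so at securelevel 3 firewall behaviour can still be altered through them even though the rule set itself is frozen; each of them needs the same decision. Note also that the diff is against ip_fw.c revision 1.192 on HEAD, i.e. the IPFW1 code, while the reporter's kernel (shown further down in the thread) is a 4.8-RELEASE build with `options IPFW2`: the same flag has to go on the `enable` sysctl of the IPFW2 code, on the RELENG_4 branch, or the demonstrated bypass stays.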
From: Santos
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030507
To: Giorgos Keramidas
cc: freebsd-security@freebsd.org
Subject: Re: ipfirewall(4)) cannot be changed
References: <3ED06967.90306@cas.port995.com> <20030525234819.U21691@gothmog>
In-Reply-To: <20030525234819.U21691@gothmog>

Giorgos Keramidas wrote:
> On 2003-05-25 07:57, Santos wrote:
>
>> root@vigilante /root cuaa1# man init |tail -n 130 |head -n 5
>>
>> 3 Network secure mode - same as highly secure mode, plus IP packet
>> filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
>> dummynet(4) configuration cannot be adjusted.
>>
>> root@vigilante /root cuaa1# sysctl -a |grep secure
>> kern.securelevel: 3
>> [...]
>> root@vigilante /root cuaa1# sysctl net.inet.ip.fw.enable=0
>> net.inet.ip.fw.enable: 1 -> 0
>>
>> root@vigilante /root cuaa1# ping 216.136.204.21
>> PING 216.136.204.21 (216.136.204.21): 56 data bytes
>> 64 bytes from 216.136.204.21: icmp_seq=0 ttl=50 time=338.878 ms
>> ^C
>
> Try this patch. Unless of course, you're not using IPFW version 1,
> in which case someone more knowledgeable will hopefully correct me :)
>
> <<<<<<<
> Index: ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.192
> diff -u -r1.192 ip_fw.c
> --- sys/netinet/ip_fw.c 19 Feb 2003 05:47:33 -0000 1.192
> +++ sys/netinet/ip_fw.c 25 May 2003 20:46:37 -0000
> @@ -95,7 +95,7 @@ > > #ifdef SYSCTL_NODE > SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); > -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, > +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3, > &fw_enable, 0, "Enable ipfw"); > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, > &fw_one_pass, 0,
>
>
> - Giorgos

Sorry I missed a uname and a grep :)

root@vigilante /root p1# uname -a
FreeBSD vigilante.garden 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Tue May 20 20:19:53 WEST 2003 root@vigilante.garden:/usr/obj/usr/src/sys/VIGILANTE i386
root@vigilante /root p1# grep -i ipfw /sys/i386/conf/VIGILANTE
options IPFW2

I hope this gets fixed, it defeats the purpose of secure levels, at least of the 3 one. It would be nice to have a 4 level where sysctl variables couldn't be changed, but something tells me that isn't possible... some variables are dynamic, change all the time, no?

Santos

From owner-freebsd-security@FreeBSD.ORG Mon May 26 00:54:55 2003
From: Giorgos Keramidas
To: Santos
cc: freebsd-security@freebsd.org
Subject: Re: ipfirewall(4)) cannot be changed
Date: Mon, 26 May 2003 10:54:47 +0300
Message-ID: <20030526075447.GA29390@gothmog.gr>
References: <3ED06967.90306@cas.port995.com> <20030525234819.U21691@gothmog> <3ED19590.80309@cas.port995.com>
In-Reply-To: <3ED19590.80309@cas.port995.com>

On 2003-05-26 05:18, Santos wrote:
> Giorgos Keramidas wrote:
> > Try this patch. Unless of course, you're not using IPFW version 1,
> > in which case someone more knowledgeable will hopefully correct me :)
> >
> > <<<<<<<
> > Index: ip_fw.c
> > ===================================================================
> > RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> > retrieving revision 1.192
> > diff -u -r1.192 ip_fw.c
> > --- sys/netinet/ip_fw.c 19 Feb 2003 05:47:33 -0000 1.192
> > +++ sys/netinet/ip_fw.c 25 May 2003 20:46:37 -0000
> >@@ -95,7 +95,7 @@ > > > > #ifdef SYSCTL_NODE > > SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); > >-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, > >+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3, > > &fw_enable, 0, "Enable ipfw"); > > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, > > &fw_one_pass, 0,
>
> Sorry I missed a uname and a grep :)

Ah, that's fine. I don't have the time to test it now, but something similar to the following should do the trick. Sorry for not running this through a compile and a test run, but this is a very hectic day.

Someone with enough time to run a full buildworld/buildkernel and fix any errors I have made should check that this fixes the problem and then notify the security officer. It looks like something that would be nice to have in STABLE *and* the security branches IMHO.

<<<<<<<
Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.39
diff -u -r1.131.2.39 ip_fw.c
--- ip_fw.c 20 Jan 2003 02:23:07 -0000 1.131.2.39
+++ ip_fw.c 26 May 2003 07:50:05 -0000
@@ -94,9 +94,25 @@ MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); #ifdef SYSCTL_NODE + +static int +sysctl_fw_enable(SYSCTL_HANDLER_ARGS) +{ + int error, v; + + if (securelevel >= 3) + return (ENOPERM); + + error = sysctl_handle_int(oidp, oidp->oid_arg1, 0, req); + if (error || !req->newptr) + return (error); + + return (0); +} + SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, - &fw_enable, 0, "Enable ipfw"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW, + &fw_enable, 0, sysctl_fw_enable, "I", "Enable ipfw"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, &fw_one_pass, 0, "Only do a single pass through ipfw when using dummynet(4)"); >>>>>>>

From owner-freebsd-security@FreeBSD.ORG Mon May 26 09:33:11 2003
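Review bot: `return (ENOPERM);` in sysctl_fw_enable() uses an errno the kernel does not define, so the file will not compile as posted (the message says it was never built); the refusal should be `EPERM`. The securelevel test is also in the wrong place: it runs before `sysctl_handle_int()` and without looking at `req->newptr`, so at securelevel 3 even a read of net.inet.ip.fw.enable fails. Passing `oidp->oid_arg1` straight through, as the hunk does, makes `sysctl_handle_int()` store the new value into fw_enable itself, so a check after that call would be too late either; the unused local `v` suggests the intended shape was to copy into a local (`v = fw_enable; error = sysctl_handle_int(oidp, &v, 0, req);`), return when `error` is set or `req->newptr` is NULL, refuse with EPERM when `securelevel >= 3`, and only then assign `fw_enable = v`. As written, `if (error || !req->newptr) return (error); return (0);` collapses to `return (error)`. Finally, this RELENG_4 diff (revision 1.131.2.39) again patches ip_fw.c, the IPFW1 file, while the reporter's kernel config shows `options IPFW2`; the IPFW2 `enable` sysctl needs the same handler or the bypass he demonstrated remains.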
Date: Mon, 26 May 2003 13:32:55 -0300
From: Fernando Schapachnik
To: freebsd-security@freebsd.org
Message-ID: <20030526163255.GJ637@bal740r0.mecon.gov.ar>
User-Agent: Mutt/1.4.1i
X-OS: FreeBSD 4.7 - http://www.freebsd.org
Subject: sshd doing dns queries on localhost?

Hi,

I noted on my 4.7 machines that when an ssh connection is made, the following PTR query happens (10.11.1.11 is the src address in the example):

13:23:21.120290 PUBLIC_IP.4523 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
13:23:21.120517 PUBLIC_IP.4524 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
13:23:21.120683 PUBLIC_IP.4525 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
13:23:21.120784 PUBLIC_IP.4526 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)

This is very weird because resolv.conf points to another server. Also, the capture is from lo0.

Not that I see a security problem here (just the annoyance of this filling my log_in_vain logs), but I'm curious about the reason; at least I didn't find any clue looking at the source.

May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4523
May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4524
May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4525
May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4526

Thanks for any pointer!

Regards!

Fernando.
From owner-freebsd-security@FreeBSD.ORG Mon May 26 10:02:41 2003
From: "G.P. de Boer"
To: Fernando Schapachnik
cc: freebsd-security@freebsd.org
Subject: Re: sshd doing dns queries on localhost?
Date: 26 May 2003 19:02:30 +0200
Message-Id: <1053968550.574.3.camel@edinburgh>
In-Reply-To: <20030526163255.GJ637@bal740r0.mecon.gov.ar>
References: <20030526163255.GJ637@bal740r0.mecon.gov.ar>
X-Mailer: Ximian Evolution 1.2.1

On Mon, 2003-05-26 at 18:32, Fernando Schapachnik wrote:

This is becoming a FAQ. Current OpenSSH daemons implement a feature called 'privilege separation', which splits the daemon in two: one part running as root, the other as user 'sshd' (or whatever you define), minimizing security threats. One disadvantage though: /etc/resolv.conf is read AFTER chroot()ing to the directory '/var/empty' (talking about OpenSSH in base). If resolv.conf can't be found there, sshd will look up IPs via 127.0.0.1, generating those log_in_vain messages you see.

How to solve? Well.. copy /etc/resolv.conf to /var/empty/etc/.
Regards,
Pieter

From owner-freebsd-security@FreeBSD.ORG Mon May 26 10:06:31 2003
Date: Mon, 26 May 2003 21:05:59 +0400
From: "Nickolay A. Kritsky"
X-Mailer: The Bat! (v1.49) Personal
Message-ID: <7112464012.20030526210559@internethelp.ru>
To: Fernando Schapachnik
In-reply-To: <20030526163255.GJ637@bal740r0.mecon.gov.ar>
References: <20030526163255.GJ637@bal740r0.mecon.gov.ar>
cc: freebsd-security@freebsd.org
Subject: Re: sshd doing dns queries on localhost?

Hello Fernando,

FAQ. For example see
;-------
http://www.freebsd.org/cgi/search.cgi?words=sshd+resolv.conf+privsep&max=25&sort=score&index=all&source=freebsd-security
;-------
(URL can be wrapped)

Monday, May 26, 2003, 8:32:55 PM, you wrote:

FS> Hi,
FS> I noted on my 4.7 machines that when an ssh connection is made, the
FS> following PTR query happens (10.11.1.11 is the src address in the example):
FS> 13:23:21.120290 PUBLIC_IP.4523 > PUBLIC_IP.53: 52788+ PTR?
FS> 11.1.11.10.in-addr.arpa. (41)
FS> 13:23:21.120517 PUBLIC_IP.4524 > PUBLIC_IP.53: 52788+ PTR?
FS> 11.1.11.10.in-addr.arpa. (41)
FS> 13:23:21.120683 PUBLIC_IP.4525 > PUBLIC_IP.53: 52788+ PTR?
FS> 11.1.11.10.in-addr.arpa. (41)
FS> 13:23:21.120784 PUBLIC_IP.4526 > PUBLIC_IP.53: 52788+ PTR?
FS> 11.1.11.10.in-addr.arpa. (41)
FS> This is very weird because resolv.conf points to another server. Also,
FS> the capture is from lo0.
FS> Not that I see a security problem here (just the annoyance of this
FS> filling my log_in_vain logs), but I'm curious about the reason; at least I didn't
FS> find any clue looking at the source.
FS> May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4523
FS> May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4524
FS> May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4525
FS> May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4526
FS> Thanks for any pointer!
FS> Regards!
FS> Fernando.
FS> _______________________________________________
FS> freebsd-security@freebsd.org mailing list
FS> http://lists.freebsd.org/mailman/listinfo/freebsd-security
FS> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security@FreeBSD.ORG Mon May 26 10:15:19 2003
Date: Mon, 26 May 2003 14:15:05 -0300
From: Fernando Schapachnik
To: "G.P. de Boer"
cc: freebsd-security@freebsd.org
Subject: Re: sshd doing dns queries on localhost?
Message-ID: <20030526171505.GL637@bal740r0.mecon.gov.ar>
References: <20030526163255.GJ637@bal740r0.mecon.gov.ar> <1053968550.574.3.camel@edinburgh>
In-Reply-To: <1053968550.574.3.camel@edinburgh>
User-Agent: Mutt/1.4.1i
X-OS: FreeBSD 4.7 - http://www.freebsd.org

In an earlier message, G.P. de Boer wrote:
> On Mon, 2003-05-26 at 18:32, Fernando Schapachnik wrote:
>
> This is becoming a FAQ. Current OpenSSH daemons implement a feature
> called 'privilege separation', which splits the daemon in two: one part
> running as root, the other as user 'sshd' (or whatever you define),
> minimizing security threats. One disadvantage though: /etc/resolv.conf
> is read AFTER chroot()ing to the directory '/var/empty' (talking about
> OpenSSH in base). If resolv.conf can't be found there, sshd will look up
> IPs via 127.0.0.1, generating those log_in_vain messages you see.
>
> How to solve? Well.. copy /etc/resolv.conf to /var/empty/etc/.

Forgot about privsep... Of course that was it.

Thanks!
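The fix Pieter gives above and Fernando confirms, written up as a small check-and-sync script. This is an added example, not code from the thread or from OpenSSH. It assumes the privilege-separation chroot is /var/empty, as in the FreeBSD base sshd, and that the resolver inside the chroot opens etc/resolv.conf relative to it; both paths are parameters so the functions can be exercised against a scratch directory. The `check` mode is what the thread does not give you: a plain copy goes stale the next time something rewrites /etc/resolv.conf (dhclient, a hand edit), at which point the 127.0.0.1 PTR queries quietly come back, so the status check belongs in periodic(8) or cron.

```shell
#!/bin/sh
# Added example (not from the thread): keep the sshd privilege-separation
# chroot's copy of resolv.conf in sync with the real one, and report drift.
# Assumed (not stated on the page): the privsep chroot is /var/empty, as in
# the FreeBSD base OpenSSH, and the resolver inside it opens etc/resolv.conf
# relative to that directory. Both paths are parameters.

# privsep_resolv_status PRIVSEP_DIR RESOLV_SRC
# Prints ok, missing or stale; exit status is 0 only for ok.
privsep_resolv_status() {
    copy="$1/etc/resolv.conf"
    if [ ! -f "$copy" ]; then
        echo missing        # no resolv.conf in the chroot: libc falls back to 127.0.0.1
        return 1
    fi
    if ! cmp -s "$2" "$copy"; then
        echo stale          # copy exists but no longer matches the real file
        return 2
    fi
    echo ok
    return 0
}

# privsep_resolv_sync PRIVSEP_DIR RESOLV_SRC
# Installs RESOLV_SRC as PRIVSEP_DIR/etc/resolv.conf (mode 0444) by writing a
# temporary file and renaming it, so the unprivileged sshd child never reads a
# half-written file. Directories stay 0755 and, when run as root, root-owned:
# sshd refuses a privsep directory that is not owned by root or is group- or
# world-writable.
privsep_resolv_sync() {
    dir=$1
    src=$2
    copy="$dir/etc/resolv.conf"
    [ -f "$src" ] || { echo "privsep_resolv_sync: no such file: $src" >&2; return 1; }
    mkdir -p "$dir/etc"
    chmod 755 "$dir" "$dir/etc"
    rm -f "$copy.tmp"
    cp "$src" "$copy.tmp" && chmod 444 "$copy.tmp" && mv -f "$copy.tmp" "$copy" || return 1
    if [ "$(id -u)" = 0 ]; then
        chown 0:0 "$dir" "$dir/etc" "$copy"
    fi
    privsep_resolv_status "$dir" "$src" >/dev/null
}

# Command-line use when saved as privsep-resolv.sh:
#   privsep-resolv.sh check [privsep-dir] [resolv.conf]   prints ok/missing/stale
#   privsep-resolv.sh sync  [privsep-dir] [resolv.conf]   installs the copy (run as root)
if [ "${0##*/}" = "privsep-resolv.sh" ]; then
    mode=${1:-check}
    dir=${2:-/var/empty}
    src=${3:-/etc/resolv.conf}
    case $mode in
        check) privsep_resolv_status "$dir" "$src" ;;
        sync)  privsep_resolv_sync "$dir" "$src" && echo synced ;;
        *)     echo "usage: $0 [check|sync] [privsep-dir] [resolv.conf]" >&2; exit 64 ;;
    esac
fi
```

`check` exits non-zero on missing or stale, so a periodic(8) or cron entry can run `privsep-resolv.sh check || privsep-resolv.sh sync` and only rewrite the copy when it has actually drifted; the rename keeps the replacement atomic for the chrooted child, and the 0444 mode means nothing inside the chroot can alter where sshd's lookups go.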
From owner-freebsd-security@FreeBSD.ORG Mon May 26 11:02:31 2003
Date: Mon, 26 May 2003 11:02:29 -0700 (PDT)
Message-Id: <200305261802.h4QI2TBB009046@freefall.freebsd.org>
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security@FreeBSD.ORG Mon May 26 11:19:52 2003
Date: Mon, 26 May 2003 22:19:22 +0400
From: "Nickolay A. Kritsky"
X-Mailer: The Bat! (v1.49) Personal
Message-ID: <2716866923.20030526221922@internethelp.ru>
To: freebsd-security@freebsd.org
Subject: ip_input.c

Hi, secfolks.

While reading ip_input.c I have met the following lines:

;-------------------------------------------------
	/* 127/8 must not appear on wire - RFC1122 */
	if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
	    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
		if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
			ipstat.ips_badaddr++;
			goto bad;
		}
	}
;-------------------------------------------

If we have such wonderful code inside the FreeBSD kernel, do we really need to duplicate it in the default rc.firewall:

;-------------------------------------------
setup_loopback () {
	############
	# Only in rare cases do you want to change these rules
	#
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}
;-------------------------------------------

I think that they are talking about the same thing, no?

Best Regards.
;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security@FreeBSD.ORG Tue May 20 01:15:05 2003
Date: Tue, 20 May 2003 09:37:50 +0200
From: James Ainslie
To: Ryan James
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD firewall block syn flood attack
Message-ID: <20030520073750.GH55410@gambling.com>
User-Agent: Mutt/1.5.3i
X-Mailman-Approved-At: Mon, 26 May 2003 13:40:42 -0700

On (2003/05/20 01:52), Ryan James wrote:
> Hello,
>
> I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
> the internet. The servers are being attacked with syn floods and go down
> multiple times a day.
>
> The 7 servers belong to a client, who runs redhat.
>
> I am trying to find a way to do some kind of syn flood protection inside the
> firewall.

You could use snort quite effectively here. You can set up snort to act as an active packet filter, in conjunction with a firewall. Then obtain a few signature packets and craft a snort rule to activate the dropping of these packets.

The problem with using an IDS in line with a firewall is that you run the horrible risk of false positives. Proceed with extreme caution. :)

Hope that helps.

James.

--
James Ainslie
Systems Administrator

"Power corrupts, and absolute power corrupts absolutely" Lord Acton
So who says FreeBSD isn't a corrupt OS?
From owner-freebsd-security@FreeBSD.ORG Thu May 22 22:42:30 2003
Message-ID: <001c01c320f6$e212ea80$0d00a8c0@amkdrives.bg>
From: "Nikolay Kanchev"
To: "Jer"
cc: freebsd-security@freebsd.org
Subject: Re: NAT+IPFW
References: <5.2.0.9.2.20030522181931.00baf808@computer.multihaven.org>
Date: Fri, 23 May 2003 08:45:18 +0200
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-Mailman-Approved-At: Mon, 26 May 2003 13:40:42 -0700

Sent: Friday, May 23, 2003 12:22 AM
Subject: NAT+IPFW

> Dear all
>
> I need to do the following
>
> I have a fbsd router that runs nat and routes some public IP addresses
>
> I need to use the ipfw rules to deny traffic from the public IPs AND the
> nat to do bandwidth limiting
>
> eg
> deny tcp from 192.168.200.1 to www.yahoo.com http out
> and
> deny tcp from 24.199.213.1 to www.yahoo.com http out
>
> my questions are where do I place the rules in relation to the divert rules etc

Hi,

After diverting packets to the NAT interface, IPFW continues to check the next rules after the divert rule, therefore you should place your rules after the divert rule.
Best regards,
Nikolay Kanchev

From owner-freebsd-security@FreeBSD.ORG Tue May 27 10:46:26 2003
X-Mailer: XFMail 1.5.4 on FreeBSD
X-PGP-Key: RSA-1024 http://www.nachoz.com/andy.pub
Date: Tue, 27 May 2003 13:46:37 -0400 (EDT)
Sender: aharriso@andy.gwi.net
From: Andy Harrison To: freebsd-security@freebsd.org Subject: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 17:46:27 -0000 -----BEGIN PGP SIGNED MESSAGE----- Just wondered if anyone had any suggestions about syncing up master.passwd files between multiple machines that didn't involve allowing root login remotely? The users need to be able to log in remotely and own files on the different machines. ~~ Andy Harrison ah##@httpsite.com ICQ: 123472 AIM/Y!: AHinMaine [full headers for details] -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPtOkfFPEkLgodAWVAQGivwP9EHYSqM/PfEH744F1tRL5Lxz3cRMkuWST GaT1+ZdbMx4AIfh0Zi/ZqB/WoHWK/SdmRtxAiaRwCA/llnMUE0UzWyTGTc56Dw9q vlUG0wRQ4bBVh7wUlKzs4NCe47JAkk2Dou7RgCfrIuLBm7JRScKkzyxkkOai+H/c ucTgljeOROE= =Bb22 -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Tue May 27 11:30:27 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BF89237B401 for ; Tue, 27 May 2003 11:30:27 -0700 (PDT) Received: from pan.gwi.net (pan.gwi.net [207.5.128.165]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C58443F3F for ; Tue, 27 May 2003 11:30:27 -0700 (PDT) (envelope-from ah60@httpsite.com) Received: from andy.gwi.net (blake.gwi.net [207.5.142.8]) by pan.gwi.net (8.12.6p2/8.12.6) with ESMTP id h4RIUQEL001489 for ; Tue, 27 May 2003 14:30:26 -0400 (EDT) (envelope-from ah60@httpsite.com) Message-ID: X-Mailer: XFMail 1.5.4 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <200305271413.51090.fbsd@atyantik.net> X-System-Info-OS: FreeBSD 4.8-STABLE #0 X-System-Info-httpd: apache-1.3.27 X-System-Info-WM: 
windowmaker-0.80.2 X-System-Info-RT: rt-3-0-2 X-System-Info-DB: PostgreSQL-7.3.2 X-System-Info-Perl: v5.8.0 X-Homepage: http://www.nachoz.com X-PGP-Key: RSA-1024 http://www.nachoz.com/andy.pub Date: Tue, 27 May 2003 14:30:41 -0400 (EDT) Sender: aharriso@andy.gwi.net 
From: Andy Harrison To: freebsd-security@freebsd.org Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 18:30:28 -0000

-----BEGIN PGP SIGNED MESSAGE-----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 27-May-2003, Amit K. Rao wrote message "Re: multihost master.passwd sync"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> NIS [yp(8)] ?

Lord no... even if you set up a backup NIS server, an ailing master server can really screw up your day.

I think I thought of a solution though: a root cronjob to PGP-encrypt the file, then change perms so that it can be accessed by a user that is allowed to copy the file to the target host. The file is encrypted using the public key of root on the target machine, so only root on the target will be able to PGP-extract the file.
~~ Andy Harrison ah##@httpsite.com ICQ: 123472 AIM/Y!: AHinMaine [full headers for details] -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPtOuz1PEkLgodAWVAQEupQQAhNGfV9yIg7jqM9D3VuPAfHy6XgcC0QnD hPx5J0+uZZy9mpfBGSjn930To+YUFBZp+h/JcfX80rBFdTs+gSXk/olug7EWkhNp 6Uk+HazQeSN7347Rn5Ln0Pcagiv/Ua3zwQuXISJKxmUnHecufkMrOyc9wMtPbDwL xmFl3gzrq38= =HAT1 -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:02:37 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B4A0437B401 for ; Tue, 27 May 2003 12:02:37 -0700 (PDT) Received: from pimout4-ext.prodigy.net (pimout4-ext.prodigy.net [207.115.63.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB2E743F3F for ; Tue, 27 May 2003 12:02:34 -0700 (PDT) (envelope-from metrol@metrol.net) Received: from metlap (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9]) h4RJ2Wl8020516 for ; Tue, 27 May 2003 15:02:33 -0400 
From: Michael Collette To: FreeBSD Security Date: Tue, 27 May 2003 12:01:40 -0700 User-Agent: KMail/1.5.2 References: In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200305271201.40742.metrol@metrol.net> Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:02:38 -0000 On Tuesday 27 May 2003 11:30 am, Andy Harrison wrote: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > On 27-May-2003, Amit K. Rao wrote message "Re: multihost master.passwd > sync" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > NIS [yp(8)] ? > > Lord no... even if you setup a backup nis server, an ailing master server > can really screw up your day. > > I think I thought of a solution though. root cronjob to pgp encrypt the > file, change perms so that it can be accessed by a user that is allowed to > copy the file to the target host. The file is in encrypted using the > public key of root the target machine, so only root on the target will be > able to pgp extract the file. Why not just preconfigure SSH keys between the boxes and scp the file across? Seems like a lot of extra work to bring PGP into the mix. Personally, I'm real curious about utilizing an LDAP backend to replace NIS. Read a bit about it, but haven't had a chance to play with it just yet. It sounds like a far more elegant solution for what you're looking to do as well. Assuming it all works as advertised that is. Later on, -- "Always listen to experts. They'll tell you what can't be done, and why. Then do it." - Robert A. 
Heinlein From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:05:34 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7B38637B401 for ; Tue, 27 May 2003 12:05:34 -0700 (PDT) Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id AC0AE43F85 for ; Tue, 27 May 2003 12:05:33 -0700 (PDT) (envelope-from anderson@centtech.com) Received: from centtech.com (dhcp-218.centtech.com [204.177.173.218]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id h4RJ5X56061556; Tue, 27 May 2003 14:05:33 -0500 (CDT) (envelope-from anderson@centtech.com) Message-ID: <3ED3B6D8.8000103@centtech.com> Date: Tue, 27 May 2003 14:04:56 -0500 
From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Michael Collette References: <200305271201.40742.metrol@metrol.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: FreeBSD Security Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:05:34 -0000 Michael Collette wrote: > On Tuesday 27 May 2003 11:30 am, Andy Harrison wrote: [..snip..] >>>NIS [yp(8)] ? >> >>Lord no... even if you setup a backup nis server, an ailing master server >>can really screw up your day. >> >>I think I thought of a solution though. root cronjob to pgp encrypt the >>file, change perms so that it can be accessed by a user that is allowed to >>copy the file to the target host. The file is in encrypted using the >>public key of root the target machine, so only root on the target will be >>able to pgp extract the file. > > > Why not just preconfigure SSH keys between the boxes and scp the file across? > Seems like a lot of extra work to bring PGP into the mix. > > Personally, I'm real curious about utilizing an LDAP backend to replace NIS. > Read a bit about it, but haven't had a chance to play with it just yet. It > sounds like a far more elegant solution for what you're looking to do as > well. Assuming it all works as advertised that is. I've started this exact process - replacing my NIS gunk with LDAP.. Not too far through yet, but I'll try to keep good notes for anyone else who may want them.. Eric -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology Attitudes are contagious, is yours worth catching? 
------------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:10:43 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 92E8E37B401 for ; Tue, 27 May 2003 12:10:43 -0700 (PDT) Received: from aphrodite.gwi.net (aphrodite.gwi.net [207.5.128.164]) by mx1.FreeBSD.org (Postfix) with ESMTP id B7C7E43F3F for ; Tue, 27 May 2003 12:10:42 -0700 (PDT) (envelope-from ah60@httpsite.com) Received: from andy.gwi.net (blake.gwi.net [207.5.142.8]) by aphrodite.gwi.net (8.12.6p2/8.12.6) with ESMTP id h4RJAgPh076878 for ; Tue, 27 May 2003 15:10:42 -0400 (EDT) (envelope-from ah60@httpsite.com) Message-ID: X-Mailer: XFMail 1.5.4 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <200305271201.40742.metrol@metrol.net> X-System-Info-OS: FreeBSD 4.8-STABLE #0 X-System-Info-httpd: apache-1.3.27 X-System-Info-WM: windowmaker-0.80.2 X-System-Info-RT: rt-3-0-2 X-System-Info-DB: PostgreSQL-7.3.2 X-System-Info-Perl: v5.8.0 X-Homepage: http://www.nachoz.com X-PGP-Key: RSA-1024 http://www.nachoz.com/andy.pub Date: Tue, 27 May 2003 15:10:57 -0400 (EDT) Sender: aharriso@andy.gwi.net 
From: Andy Harrison To: FreeBSD Security Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:10:43 -0000

-----BEGIN PGP SIGNED MESSAGE-----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 27-May-2003, Michael Collette wrote message "Re: multihost master.passwd sync"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> Why not just preconfigure SSH keys between the boxes and scp the file across?
> Seems like a lot of extra work to bring PGP into the mix.

Because we don't allow root login remotely, mandated from above.

> Personally, I'm real curious about utilizing an LDAP backend to replace NIS.
> Read a bit about it, but haven't had a chance to play with it just yet. It
> sounds like a far more elegant solution for what you're looking to do as
> well. Assuming it all works as advertised that is.

The problem is that while it allows authentication, it doesn't integrate seamlessly enough to let you own files as a user that only exists in LDAP.
~~ Andy Harrison ah##@httpsite.com ICQ: 123472 AIM/Y!: AHinMaine [full headers for details] -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPtO4P1PEkLgodAWVAQF15QQAsPRwL67UjAy3CxhhxT/qrYAnXgenJv2f p1gRYI+jsQQTjMhuK0F7wlP/tkEYq8ATUjGo2c/42Cv6TKhJju6Z+9ZrY/+rJ9D/ GHwYuW1FE9cLbrEQZMHM5y0piHHGGvf6EX5EpIZQ3H5oKaO2vN+xSe+WQjAkp1Kv aARSDBzB0v8= =6jPd -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:11:04 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 49CCC37B405 for ; Tue, 27 May 2003 12:11:04 -0700 (PDT) Received: from pimout4-ext.prodigy.net (pimout4-ext.prodigy.net [207.115.63.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8527843F3F for ; Tue, 27 May 2003 12:11:03 -0700 (PDT) (envelope-from metrol@metrol.net) Received: from metlap (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9]) h4RJB2l8045814 for ; Tue, 27 May 2003 15:11:02 -0400 
From: Michael Collette To: FreeBSD Security Date: Tue, 27 May 2003 12:10:14 -0700 User-Agent: KMail/1.5.2 References: <200305271201.40742.metrol@metrol.net> <3ED3B6D8.8000103@centtech.com> In-Reply-To: <3ED3B6D8.8000103@centtech.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200305271210.14893.metrol@metrol.net> Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:11:04 -0000 On Tuesday 27 May 2003 12:04 pm, Eric Anderson wrote: > Michael Collette wrote: > > On Tuesday 27 May 2003 11:30 am, Andy Harrison wrote: > > [..snip..] > > >>>NIS [yp(8)] ? > >> > >>Lord no... even if you setup a backup nis server, an ailing master > >> server can really screw up your day. > >> > >>I think I thought of a solution though. root cronjob to pgp encrypt the > >>file, change perms so that it can be accessed by a user that is allowed > >> to copy the file to the target host. The file is in encrypted using the > >> public key of root the target machine, so only root on the target will > >> be able to pgp extract the file. > > > > Why not just preconfigure SSH keys between the boxes and scp the file > > across? Seems like a lot of extra work to bring PGP into the mix. > > > > Personally, I'm real curious about utilizing an LDAP backend to replace > > NIS. Read a bit about it, but haven't had a chance to play with it just > > yet. It sounds like a far more elegant solution for what you're looking > > to do as well. Assuming it all works as advertised that is. > > I've started this exact process - replacing my NIS gunk with LDAP.. Not > too far through yet, but I'll try to keep good notes for anyone else who > may want them.. 
>
> Eric

FYI, O'Reilly has a fairly new book out concerning this topic. I've only scratched the surface of it so far, but it's the best I've seen on this topic thus far. I was doing some real serious shopping for an LDAP book a couple of months ago. Anyhow, what I'm talking about... http://www.oreilly.com/catalog/ldapsa/

Later on,
-- "Always listen to experts. They'll tell you what can't be done, and why. Then do it." - Robert A. Heinlein

From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:21:37 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7280337B401 for ; Tue, 27 May 2003 12:21:37 -0700 (PDT) Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id D08A843F3F for ; Tue, 27 May 2003 12:21:36 -0700 (PDT) (envelope-from anderson@centtech.com) Received: from centtech.com (dhcp-218.centtech.com [204.177.173.218]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id h4RJLa56063283; Tue, 27 May 2003 14:21:36 -0500 (CDT) (envelope-from anderson@centtech.com) Message-ID: <3ED3BA9B.5020008@centtech.com> Date: Tue, 27 May 2003 14:20:59 -0500
From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Andy Harrison References: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: FreeBSD Security Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:21:37 -0000

Andy Harrison wrote:
>> Why not just preconfigure SSH keys between the boxes and scp the file across?
>> Seems like a lot of extra work to bring PGP into the mix.
>
> Because we don't allow root login remotely, mandated from above.

So you scp the file to a directory owned by a user designated to only do this function, then have a cron job that fires up every so often, snags that file and updates the running master.passwd file.

>> Personally, I'm real curious about utilizing an LDAP backend to replace NIS.
>> Read a bit about it, but haven't had a chance to play with it just yet. It
>> sounds like a far more elegant solution for what you're looking to do as
>> well. Assuming it all works as advertised that is.
>
> The problem is that while it allows authentication, it doesn't integrate
> seamlessly allowing you to own files as a user that only exists in the ldap.

Huh? Explain more please.

Eric
--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
Attitudes are contagious, is yours worth catching?
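The receiving half of the scheme Eric describes (scp into a staging directory owned by a dedicated user, then a root cron job on the target picks the file up), as an added example that is not from the thread. The user name pwsync, the staging directory /var/pwsync and the script path are hypothetical and not in the original. Before installing anything, the cron side checks that the staged copy is a plain file owned by that user with mode 0600, and that it parses as a complete master.passwd with a uid-0 root entry, so a file somebody else left under that name, a symlink, or a half-copied transfer is refused rather than installed.

```shell
#!/bin/sh
# Added example, not from the thread: the receiving half of the scheme
# above.  On the source host a non-root "pwsync" user scps master.passwd
# into its own staging directory on each target; this script runs from
# root's crontab on the target, validates the staged copy, and only then
# installs it with pwd_mkdb(8).  User name and paths are hypothetical.

STAGE_DIR="${STAGE_DIR:-/var/pwsync}"     # owned by pwsync, mode 0700
STAGE_FILE="$STAGE_DIR/master.passwd"
SYNC_USER="${SYNC_USER:-pwsync}"
DRY_RUN="${DRY_RUN:-1}"                   # 1 = validate only

# 0 only if $1 is a regular file (a symlink fails -type f), owned by $2,
# with mode exactly 0600.  This is what stops a file somebody else planted
# under the same name from being picked up.
check_perms() {
    [ -n "$(find "$1" -type f -user "$2" -perm 600 -print 2>/dev/null)" ]
}

# 0 only if every non-comment line has the ten colon-separated fields of
# master.passwd(5) and a uid-0 root entry is present, so a truncated or
# corrupt transfer cannot lock root out of the target.
check_format() {
    awk -F: '
        /^#/ { next }
        NF != 10 { bad = 1 }
        $1 == "root" && $3 == 0 { root = 1 }
        END { exit (bad || !root) }
    ' "$1"
}

check_staged() {
    check_perms "$1" "$2" && check_format "$1"
}

# pwd_mkdb renames its argument into /etc/master.passwd, so stage the
# copy on the same filesystem, root-owned and 0600, the way vipw does.
install_passwd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would install $1 with pwd_mkdb -p"
        return 0
    fi
    install -o root -g wheel -m 600 "$1" /etc/ptmp.sync &&
        pwd_mkdb -p /etc/ptmp.sync
}

main() {
    if check_staged "$STAGE_FILE" "$SYNC_USER"; then
        install_passwd "$STAGE_FILE" && rm -f "$STAGE_FILE"
    else
        echo "$STAGE_FILE failed validation, not installed" >&2
        return 1
    fi
}

# root's crontab on the target: */10 * * * * /usr/local/sbin/pwsync.sh run
if [ "${1:-}" = run ]; then main; fi
```

On the source host, root's cron only has to drop a copy where the pwsync user can read it (for instance with install -o pwsync -m 600); the transfer itself runs as pwsync with its own ssh key, so no remote root login is involved. Set DRY_RUN=0 once the validation has been watched for a few cycles.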
------------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:22:21 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A59FA37B401 for ; Tue, 27 May 2003 12:22:21 -0700 (PDT) Received: from pimout3-ext.prodigy.net (pimout3-ext.prodigy.net [207.115.63.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0811B43F75 for ; Tue, 27 May 2003 12:22:21 -0700 (PDT) (envelope-from metrol@metrol.net) Received: from metlap (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9]) h4RJMJJ9014316 for ; Tue, 27 May 2003 15:22:19 -0400 
From: Michael Collette To: FreeBSD Security Date: Tue, 27 May 2003 12:21:32 -0700 User-Agent: KMail/1.5.2 References: In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200305271221.32061.metrol@metrol.net> Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:22:22 -0000

On Tuesday 27 May 2003 12:10 pm, Andy Harrison wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> On 27-May-2003, Michael Collette wrote message "Re: multihost master.passwd
> sync"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> > Why not just preconfigure SSH keys between the boxes and scp the file
> > across? Seems like a lot of extra work to bring PGP into the mix.
>
> Because we don't allow root login remotely, mandated from above.

Assuming both machines have their clocks sync'd, two crons. One to pass the file across via an admin/non-root user. The second cron to move the file, change permissions and whatever else you need to do. Just a thought. I tend to do a fair amount of scp kind of stuff, so I'm just rather partial to it is all.

> > Personally, I'm real curious about utilizing an LDAP backend to replace
> > NIS. Read a bit about it, but haven't had a chance to play with it just
> > yet. It sounds like a far more elegant solution for what you're looking
> > to do as well. Assuming it all works as advertised that is.
>
> The problem is that while it allows authentication, it doesn't integrate
> seamlessly allowing you to own files as a user that only exists in the
> ldap.

I'm really curious as to what you mean by this. Like I said, I've only scratched the surface concerning LDAP authentication. What doesn't integrate?
I thought that was what the PAM_LDAP port was supposed to handle? If you get the chance, I'd really appreciate a fuller description of why LDAP isn't a suitable solution for you. I'm trying to get a better handle on the pros and cons of that approach.

Later on,
-- "Always listen to experts. They'll tell you what can't be done, and why. Then do it." - Robert A. Heinlein

From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:23:43 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0281837B401 for ; Tue, 27 May 2003 12:23:43 -0700 (PDT) Received: from pimout3-ext.prodigy.net (pimout3-ext.prodigy.net [207.115.63.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id EA6DC43F3F for ; Tue, 27 May 2003 12:23:41 -0700 (PDT) (envelope-from metrol@metrol.net) Received: from metlap (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9]) h4RJNeJ9030596 for ; Tue, 27 May 2003 15:23:41 -0400
From: Michael Collette To: FreeBSD Security Date: Tue, 27 May 2003 12:22:53 -0700 User-Agent: KMail/1.5.2 References: <3ED3BA9B.5020008@centtech.com> In-Reply-To: <3ED3BA9B.5020008@centtech.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200305271222.53532.metrol@metrol.net> Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:23:43 -0000 Hey, that was my post! :) On Tuesday 27 May 2003 12:20 pm, Eric Anderson wrote: > Andy Harrison wrote: > >>Why not just preconfigure SSH keys between the boxes and scp the file > >> across? Seems like a lot of extra work to bring PGP into the mix. > > > > Because we don't allow root login remotely, mandated from above. > > so you scp the file to a directory owned by a user designated to only do > this function.. then have a cron job that fires up every so often that > snags that file and updates the running master.passwd file.. > > >>Personally, I'm real curious about utilizing an LDAP backend to replace > >> NIS. Read a bit about it, but haven't had a chance to play with it just > >> yet. It sounds like a far more elegant solution for what you're looking > >> to do as well. Assuming it all works as advertised that is. > > > > The problem is that while it allows authentication, it doesn't integrate > > seamlessly allowing you to own files as a user that only exists in the > > ldap. > > Huh? Explain more please.. > > Eric -- "Always listen to experts. They'll tell you what can't be done, and why. Then do it." - Robert A. 
Heinlein From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:23:46 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DEC7637B401 for ; Tue, 27 May 2003 12:23:46 -0700 (PDT) Received: from bitch.inducedreality.net (adsl-67-124-144-35.dsl.pltn13.pacbell.net [67.124.144.35]) by mx1.FreeBSD.org (Postfix) with SMTP id C8B8343F3F for ; Tue, 27 May 2003 12:23:45 -0700 (PDT) (envelope-from david@bitch.inducedreality.net) Received: (qmail 83038 invoked by uid 1000); 27 May 2003 19:24:30 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 27 May 2003 19:24:30 -0000 Date: Tue, 27 May 2003 12:24:30 -0700 (PDT) 
From: David To: Andy Harrison In-Reply-To: Message-ID: <20030527121830.V82960-100000@bitch.inducedreality.net> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:23:47 -0000 Can't you just have two cron jobs, one on the master machine which dists the file out to the various machines in /var/tmp or something and another one on the slave machine which picks it up and replaces/integrates it? The permissions on the file should keep other people from modifying it. The only possible problem (depending on setup) could be if someone put a passwd file there first and the dist didn't properly handle that. However, if the cron on the slave machine checks the permissions first, that problem can be avoided. David On Tue, 27 May 2003, Andy Harrison wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > Just wondered if anyone had any suggestions about syncing up master.passwd > files between multiple machines that didn't involve allowing root login > remotely? The users need to be able to log in remotely and own files on the > different machines. 
> > > > ~~ > Andy Harrison > ah##@httpsite.com > ICQ: 123472 AIM/Y!: AHinMaine > [full headers for details] > > -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.8 > > iQCVAwUBPtOkfFPEkLgodAWVAQGivwP9EHYSqM/PfEH744F1tRL5Lxz3cRMkuWST > GaT1+ZdbMx4AIfh0Zi/ZqB/WoHWK/SdmRtxAiaRwCA/llnMUE0UzWyTGTc56Dw9q > vlUG0wRQ4bBVh7wUlKzs4NCe47JAkk2Dou7RgCfrIuLBm7JRScKkzyxkkOai+H/c > ucTgljeOROE= > =Bb22 > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:27:15 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7076E37B401 for ; Tue, 27 May 2003 12:27:15 -0700 (PDT) Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id 87D6243F93 for ; Tue, 27 May 2003 12:27:12 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 57271 invoked from network); 27 May 2003 19:27:11 -0000 Received: from queequeg.tenebras.com (HELO tenebras.com) (192.168.188.241) by 0 with SMTP; 27 May 2003 19:27:11 -0000 Message-ID: <3ED3BC0E.3030806@tenebras.com> Date: Tue, 27 May 2003 12:27:10 -0700 
From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.3.1) Gecko/20030425 X-Accept-Language: en-us, en, zh-tw, zh-cn, fr MIME-Version: 1.0 To: Eric Anderson References: <200305271201.40742.metrol@metrol.net> <3ED3B6D8.8000103@centtech.com> In-Reply-To: <3ED3B6D8.8000103@centtech.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: FreeBSD Security cc: Michael Collette Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:27:15 -0000 Eric Anderson wrote: > I've started this exact process - replacing my NIS gunk with LDAP.. Not > too far through yet, but I'll try to keep good notes for anyone else who > may want them.. Great idea. May I suggest a name? How's "Active Directory?" ;-) From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:27:19 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C389037B401 for ; Tue, 27 May 2003 12:27:19 -0700 (PDT) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5B33D43F75 for ; Tue, 27 May 2003 12:27:17 -0700 (PDT) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id 0F47C1524D; Tue, 27 May 2003 12:23:12 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 0E6F71524B for ; Tue, 27 May 2003 12:23:12 -0700 (PDT) Date: Tue, 27 May 2003 12:23:12 -0700 (PDT) 
From: Mike Hoskins To: freebsd-security@freebsd.org In-Reply-To: Message-ID: <20030527122051.Q56661@fubar.adept.org> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:27:20 -0000 On Tue, 27 May 2003, Andy Harrison wrote: > Just wondered if anyone had any suggestions about syncing up master.passwd > files between multiple machines that didn't involve allowing root login > remotely? The users need to be able to log in remotely and own files on the > different machines. /usr/ports/net/rsync. -mrh -- From: "Spam Catcher" To: spam-catcher@adept.org Do NOT send email to the address listed above or you will be added to a blacklist! From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:28:31 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 38EC337B401 for ; Tue, 27 May 2003 12:28:31 -0700 (PDT) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id CFA5F43F93 for ; Tue, 27 May 2003 12:28:30 -0700 (PDT) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id 909B31524D; Tue, 27 May 2003 12:24:25 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 8FB781524B for ; Tue, 27 May 2003 12:24:25 -0700 (PDT) Date: Tue, 27 May 2003 12:24:25 -0700 (PDT) 
From: Mike Hoskins To: security@freebsd.org In-Reply-To: <3ED3BC0E.3030806@tenebras.com> Message-ID: <20030527122339.X56661@fubar.adept.org> References: <200305271201.40742.metrol@metrol.net> <3ED3B6D8.8000103@centtech.com> <3ED3BC0E.3030806@tenebras.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:28:31 -0000 On Tue, 27 May 2003, Michael Sierchio wrote: > Eric Anderson wrote: > > I've started this exact process - replacing my NIS gunk with LDAP.. Not > > too far through yet, but I'll try to keep good notes for anyone else who > > may want them.. > Great idea. May I suggest a name? How's "Active Directory?" ;-) *Riiiight.* Now if AD was actually (non-bastardized) LDAP. -mrh -- From: "Spam Catcher" To: spam-catcher@adept.org Do NOT send email to the address listed above or you will be added to a blacklist! From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:29:00 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E5E4837B407 for ; Tue, 27 May 2003 12:29:00 -0700 (PDT) Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F9BE43FDF for ; Tue, 27 May 2003 12:29:00 -0700 (PDT) (envelope-from anderson@centtech.com) Received: from centtech.com (dhcp-218.centtech.com [204.177.173.218]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id h4RJT056064049; Tue, 27 May 2003 14:29:00 -0500 (CDT) (envelope-from anderson@centtech.com) Message-ID: <3ED3BC57.1050604@centtech.com> Date: Tue, 27 May 2003 14:28:23 -0500 
From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Michael Sierchio References: <200305271201.40742.metrol@metrol.net> <3ED3B6D8.8000103@centtech.com> <3ED3BC0E.3030806@tenebras.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: FreeBSD Security Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:29:01 -0000 Michael Sierchio wrote: > Eric Anderson wrote: > >> I've started this exact process - replacing my NIS gunk with LDAP.. >> Not too far through yet, but I'll try to keep good notes for anyone >> else who may want them.. > > > Great idea. May I suggest a name? How's "Active Directory?" ;-) Hey, that IS a good name.. but, I did say "good notes for anyone", so that probably would void any agreements having to do with an "Active Directory".. ahh well.. Eric -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology Attitudes are contagious, is yours worth catching? 
------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:31:25 2003
From: Andy Harrison
To: FreeBSD Security
Date: Tue, 27 May 2003 15:31:39 -0400 (EDT)
Subject: Re: multihost master.passwd sync
In-Reply-To: <3ED3BA9B.5020008@centtech.com>

-----BEGIN PGP SIGNED MESSAGE-----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 27-May-2003, Eric Anderson wrote message "Re: multihost master.passwd sync"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

>> Because we don't allow root login remotely, mandated from above.
>
> so you scp the file to a directory owned by a user designated to only do
> this function.. then have a cron job that fires up every so often that
> snags that file and updates the running master.passwd file..

Root can't scp a file from one host to another where remote root login is not
allowed.

~~
Andy Harrison
ah##@httpsite.com
ICQ: 123472
AIM/Y!: AHinMaine
[full headers for details]

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPtO9GVPEkLgodAWVAQGVWgP+O0w5w/uSb12xEcgXnmwEYT7qMfG/TpOr
1fVcZECg+B0YYD1E3zZRA2iJJruaq0VZ1ZQAEu3BFJ5dNLVMsUWFTfDX0ah3V1ob
NoGeyjlYsOEZqxR1ShTPa/GhfcV/EgSb7uaCbh93fisdGeuog+vV7AJhdPEdtufr
2sx/YUgNm3I=
=GUvW
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:33:24 2003
From: digital
To: Mike Hoskins
cc: freebsd-security@freebsd.org
Date: Tue, 27 May 2003 15:33:15 -0400 (EDT)
Subject: Re: multihost master.passwd sync
In-Reply-To: <20030527122051.Q56661@fubar.adept.org>
Message-ID: <20030527153237.T3950@blackroses.com>

/usr/ports/net/unison

That'll allow you to update passwds anywhere, and keep them all up to date.

On Tue, 27 May 2003, Mike Hoskins wrote:

> On Tue, 27 May 2003, Andy Harrison wrote:
> > Just wondered if anyone had any suggestions about syncing up master.passwd
> > files between multiple machines that didn't involve allowing root login
> > remotely? The users need to be able to log in remotely and own files on the
> > different machines.
>
> /usr/ports/net/rsync.
>
> -mrh

From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:34:04 2003
Date: Tue, 27 May 2003 21:33:59 +0200
From: Gunnar Flygt
To: Eric Anderson
cc: FreeBSD Security
Reply-To: Gunnar Flygt
Subject: Re: multihost master.passwd sync
In-Reply-To: <3ED3B6D8.8000103@centtech.com>
Message-ID: <20030527193359.GA6125@sr.se>

On Tue, May 27, 2003 at 02:04:56PM -0500, Eric Anderson wrote:
> Michael Collette wrote:
> >On Tuesday 27 May 2003 11:30 am, Andy Harrison wrote:
> [..snip..]
> >>>NIS [yp(8)] ?
> >>
> >>Lord no... even if you setup a backup nis server, an ailing master server
> >>can really screw up your day.
> >>
> >>I think I thought of a solution though. root cronjob to pgp encrypt the
> >>file, change perms so that it can be accessed by a user that is allowed to
> >>copy the file to the target host. The file is encrypted using the
> >>public key of root on the target machine, so only root on the target will be
> >>able to pgp extract the file.
> >
> >
> >Why not just preconfigure SSH keys between the boxes and scp the file
> >across? Seems like a lot of extra work to bring PGP into the mix.
> >
> >Personally, I'm real curious about utilizing an LDAP backend to replace
> >NIS. Read a bit about it, but haven't had a chance to play with it just
> >yet. It sounds like a far more elegant solution for what you're looking
> >to do as well. Assuming it all works as advertised that is.
>
> I've started this exact process - replacing my NIS gunk with LDAP.. Not
> too far through yet, but I'll try to keep good notes for anyone else who
> may want them..

I've installed 5.1-beta on a box that should do nss_ldap, so that I don't
have to set up any users directly on that server. The ldap server will be in
the corporate network, and the 5.1-RELEASE in a DMZ as ftp-server.

I'm interested in all input I can get, to get the whole thing going.

> Eric

-- 
Gunnar Flygt
OPC Data
Sveriges Radio

From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:34:17 2003
Date: Tue, 27 May 2003 15:34:31 -0400 (EDT)
In-Reply-To: <200305271222.53532.metrol@metrol.net>
From: Andy Harrison
To: FreeBSD Security
Subject: Re: multihost master.passwd sync

-----BEGIN PGP SIGNED MESSAGE-----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 27-May-2003, Michael Collette wrote message "Re: multihost master.passwd sync"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

>> > The problem is that while it allows authentication, it doesn't integrate
>> > seamlessly allowing you to own files as a user that only exists in the
>> > ldap.
>>
>> Huh? Explain more please..

I was told that if the user isn't in the passwd file physically, they can't own
files on the local server. I've run into this personally with radius, I can't
speak with authority on ldap and pam integration.

~~
Andy Harrison
ah##@httpsite.com
ICQ: 123472
AIM/Y!: AHinMaine
[full headers for details]

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPtO9xVPEkLgodAWVAQHsoQP/YvMmqGUcuBtNdGJOdlIcNekm2Lkiu+oR
VT9VBIfiXDZoF+I7oZOiQJTaOFijQfsCDtkY1l/SE7ZbzYiEasRNouWDbqU4Z1CG
jUk3tDC6Db83I/1Z/LiPdodIlyckedBoQUmIDeftjNxNJTWTqwU3WR9tqqk4gu0l
FmTgJ4VWZ+M=
=7csX
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:34:31 2003
From: Eric Anderson
To: Andy Harrison
cc: FreeBSD Security
Date: Tue, 27 May 2003 14:33:53 -0500
Subject: Re: multihost master.passwd sync
Message-ID: <3ED3BDA1.5020605@centtech.com>

Andy Harrison wrote:
>>> Because we don't allow root login remotely, mandated from above.
>>
>> so you scp the file to a directory owned by a user designated to only do
>> this function.. then have a cron job that fires up every so often that
>> snags that file and updates the running master.passwd file..
>
> Root can't scp a file from one host to another where remote root login is not
> allowed.

as root on localbox:
% scp /etc/master.passwd genericuser@remotebox:

works fine.. you just need to set the keys correctly..

Eric

-- 
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
Attitudes are contagious, is yours worth catching?
------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:35:38 2003
Date: Tue, 27 May 2003 12:31:32 -0700 (PDT)
From: Mike Hoskins
To: freebsd-security@freebsd.org
Subject: Re: multihost master.passwd sync
In-Reply-To: <20030527122051.Q56661@fubar.adept.org>
Message-ID: <20030527122442.S56661@fubar.adept.org>

On Tue, 27 May 2003, Mike Hoskins wrote:
> On Tue, 27 May 2003, Andy Harrison wrote:
> > Just wondered if anyone had any suggestions about syncing up master.passwd
> > files between multiple machines that didn't involve allowing root login
> > remotely? The users need to be able to log in remotely and own files on the
> > different machines.
> /usr/ports/net/rsync.

Also, /usr/ports/sysutils/cfengine[2]

It's working nicely here, but rsync is easier to set up and maintain. The nice
thing with cfengine is that it can know about "groups" of servers which may be
slightly different. Here, for example, it pushes password updates to FreeBSD,
Solaris and Linux servers.

-mrh

From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:38:44 2003
From: Eric Anderson
To: Andy Harrison
cc: FreeBSD Security
Date: Tue, 27 May 2003 14:38:06 -0500
Subject: Re: multihost master.passwd sync
Message-ID: <3ED3BE9E.60407@centtech.com>

Andy Harrison wrote:
>>>> The problem is that while it allows authentication, it doesn't integrate
>>>> seamlessly allowing you to own files as a user that only exists in the
>>>> ldap.
>>>
>>> Huh? Explain more please..
>>
>
> I was told that if the user isn't in the passwd file physically, they can't own
> files on the local server. I've run into this personally with radius, I can't
> speak with authority on ldap and pam integration.

Oh, ok.. Well, I *believe* that is incorrect.. Should work fine (especially
with nss_ldap stuff in FreeBSD-5.1, etc)..

Eric

-- 
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
Attitudes are contagious, is yours worth catching?
------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:39:16 2003
From: Michael Collette
To: FreeBSD Security
Date: Tue, 27 May 2003 12:38:27 -0700
Subject: Re: multihost master.passwd sync
Message-Id: <200305271238.27152.metrol@metrol.net>

On Tuesday 27 May 2003 12:31 pm, Andy Harrison wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> On 27-May-2003, Eric Anderson wrote message "Re: multihost master.passwd
> sync"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> >> Because we don't allow root login remotely, mandated from above.
> >
> > so you scp the file to a directory owned by a user designated to only do
> > this function.. then have a cron job that fires up every so often that
> > snags that file and updates the running master.passwd file..
>
> Root can't scp a file from one host to another where remote root login is
> not allowed.

That's not what Eric was suggesting. You use a non-root user account to do
the xfer. You then have a root owned cron job that puts the xfer'd file in
place.

Root never moves anything across the network.

Later on,
-- 
"Always listen to experts. They'll tell you what can't be done, and why.
Then do it."
- Robert A. Heinlein

From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:41:45 2003
From: Bigby Findrake
To: Eric Anderson
cc: FreeBSD Security
Date: Tue, 27 May 2003 12:41:37 -0700 (PDT)
Subject: Re: multihost master.passwd sync
In-Reply-To: <3ED3BE9E.60407@centtech.com>

On Tue, 27 May 2003, Eric Anderson wrote:
> Andy Harrison wrote:
> >>>> The problem is that while it allows authentication, it doesn't integrate
> >>>> seamlessly allowing you to own files as a user that only exists in the
> >>>> ldap.
> >>>
> >>> Huh? Explain more please..
> >>
> >
> > I was told that if the user isn't in the passwd file physically, they can't own
> > files on the local server. I've run into this personally with radius, I can't
> > speak with authority on ldap and pam integration.
>
> Oh, ok.. Well, I *believe* that is incorrect.. Should work fine
> (especially with nss_ldap stuff in FreeBSD-5.1, etc)..

NIS is a perfect example of how users not in the password file can own
files on a machine.

/-------------------------------------------------------------------------/
"I've tried to install this linux crap about nearly five times, but
everytime it stops with the error message: 'login:' Fix that immediately
or I'll go public with that."
-- some random moron
http://ephemeron.org:81/~bigby/
finger bigby@ephemeron.org for info
/-------------------------------------------------------------------------/

From owner-freebsd-security@FreeBSD.ORG Tue May 27 13:10:11 2003
Date: Tue, 27 May 2003 16:10:25 -0400 (EDT)
In-Reply-To: <200305271238.27152.metrol@metrol.net>
From: Andy Harrison
To: FreeBSD Security
Subject: Re: multihost master.passwd sync

-----BEGIN PGP SIGNED MESSAGE-----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 27-May-2003, Michael Collette wrote message "Re: multihost master.passwd sync"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> That's not what Eric was suggesting. You use a non-root user account to do
> the xfer. You then have a root owned cron job that puts the xfer'd file in
> place.
>
> Root never moves anything across the network.

yes, understood. that's what I said in my 2nd post in the thread, actually.

~~
Andy Harrison
ah##@httpsite.com
ICQ: 123472
AIM/Y!: AHinMaine
[full headers for details]

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPtPGMFPEkLgodAWVAQHPSwQAuiUA/LX8328ThdZDBJFP9caRJjCw9KT9
krta1egpIHOXy5p8OYVp30YIDrwLwNsi1qV/9Z6LjW5ct+WJdS0DLWu/0UcvztOJ
dkpcVXHVHAzQ8ta3/C125dZpxDDo40iK5zyW6VkIuCKsHNUv1TCTHdeIqJOnUyMr
j/PT30KH08I=
=6GYh
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue May 27 13:13:16 2003
From: Andy Harrison
To: FreeBSD Security
Date: Tue, 27 May 2003 16:13:29 -0400 (EDT)
Subject: Re: multihost master.passwd sync
In-Reply-To: <3ED3BDA1.5020605@centtech.com>

-----BEGIN PGP SIGNED MESSAGE-----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 27-May-2003, Eric Anderson wrote message "Re: multihost master.passwd sync"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

>> Root can't scp a file from one host to another where remote root login is
>> not
>> allowed.
>
> as root on localbox:
> % scp /etc/master.passwd genericuser@remotebox:
> works fine.. you just need to set the keys correctly..

Correction, I should've said "won't" instead of "can't"

~~
Andy Harrison
ah##@httpsite.com
ICQ: 123472
AIM/Y!: AHinMaine
[full headers for details]

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPtPG6FPEkLgodAWVAQHZIwP/eYXO855jVIp1yrW/22unNV/WtrTuaUrt
sXaVXGwPumX8g81ow8pJBty3i/+X6Qs7Ogvp7g5+JCVnZaMwH0ZPNQvhK/p54wa9
jAVd7rCEnlT895UkeegjUtVBTrYBLW+TH2D5LmzrmrZ7A6N1VEraZfF8ztnd+E4E
ajhW/WGUrlE=
=gmyK
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue May 27 18:55:01 2003
From: "Jim Flowers"
To: FreeBSD Security
Date: Tue, 27 May 2003 20:55:06 -0500
Subject: Re: multihost master.passwd sync
Message-Id: <20030528014723.M10167@ezo.net>
References: <3ED3BDA1.5020605@centtech.com>

Well, I know the concept will be ridiculed (so be it) but I've just started
looking at the webmin cluster users/groups that provides synchronizing passwd
files on multiple hosts on an all or part basis as being appropriate for my
needs. Seems to work OK for a thousand or two users though I don't know how
scalable it is but I haven't yet started looking at the security implications
of current webmin design.

-- 
Jim Flowers

---------- Original Message -----------
From: Andy Harrison
To: FreeBSD Security
Sent: Tue, 27 May 2003 16:13:29 -0400 (EDT)
Subject: Re: multihost master.passwd sync

> -----BEGIN PGP SIGNED MESSAGE-----
>
> ~
> On 27-May-2003, Eric Anderson wrote message "Re: multihost
> master.passwd sync" ~
>
> >> Root can't scp a file from one host to another where remote root login is
> >> not
> >> allowed.
> >
>

From owner-freebsd-security@FreeBSD.ORG Tue May 27 23:32:18 2003
From: Peter Pentchev
To: Andy Harrison
cc: freebsd-security@freebsd.org
Date: Wed, 28 May 2003 09:35:17 +0300
Subject: Re: multihost master.passwd sync
Message-ID: <20030528063517.GA667@straylight.oblivion.bg>

On Tue, May 27, 2003 at 01:46:37PM -0400, Andy Harrison wrote:
>
> Just wondered if anyone had any suggestions about syncing up master.passwd
> files between multiple machines that didn't involve allowing root login
> remotely? The users need to be able to log in remotely and own files on the
> different machines.

People have mentioned LDAP; I am truly surprised no one has mentioned
Kerberos yet.

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE+1Fil7Ri2jRYZRVMRAu81AJ9WrEak18ZwYuSrQx1mxPmHMra2jgCfbZUC
nCdhws7Iv+fvG9Oh9YX67SI=
=1Vtp
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue May 27 23:33:25 2003
Date: Wed, 28 May 2003 09:36:27 +0300
From: Peter Pentchev
To: Andy Harrison
cc: freebsd-security@FreeBSD.org
Subject: Re: multihost master.passwd sync
Message-ID: <20030528063627.GB667@straylight.oblivion.bg>
In-Reply-To: <20030528063517.GA667@straylight.oblivion.bg>

On Wed, May 28, 2003 at 09:35:17AM +0300, Peter Pentchev wrote:
> On Tue, May 27, 2003 at 01:46:37PM -0400, Andy Harrison wrote:
> >
> > Just wondered if anyone had any suggestions about syncing up master.passwd
> > files between multiple machines that didn't involve allowing root login
> > remotely? The users need to be able to log in remotely and own files on the
> > different machines.
>
> People have mentioned LDAP; I am truly surprised no one has mentioned
> Kerberos yet.

Oh wait, nevermind.  That's what I get for posting before coffee; Kerberos
still needs some way of telling the system that there is such a user in the
first place.

G'luck,
Peter

--
Peter Pentchev    roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence contradicts itself - or rather - well, no, actually it doesn't!

From owner-freebsd-security@FreeBSD.ORG Wed May 28 06:48:01 2003
Date: Wed, 28 May 2003 09:48:15 -0400 (EDT)
From: Andy Harrison
To: FreeBSD Security
Subject: Re: multihost master.passwd sync

-----BEGIN PGP SIGNED MESSAGE-----

Wow... this generated way more of a thread than I anticipated.

I'm going with my pgp idea from my 2nd post in this thread.  It's pretty much
the only idea I've come up with that is secure and doesn't require an external
method of authentication.  No, I'm not opposed to external auth, it's just not
an option in this case.

~~
Andy Harrison
ah##@httpsite.com
ICQ: 123472
AIM/Y!: AHinMaine
[full headers for details]

From owner-freebsd-security@FreeBSD.ORG Wed May 28 09:05:32 2003
Message-ID: <3ED4DE5E.4080600@cas.port995.com>
Date: Wed, 28 May 2003 17:05:50 +0100
From: Santos
To: Giorgos Keramidas
cc: freebsd-security@freebsd.org
Subject: Re: ipfirewall(4)) cannot be changed
References: <3ED06967.90306@cas.port995.com> <20030525234819.U21691@gothmog> <3ED19590.80309@cas.port995.com> <20030526075447.GA29390@gothmog.gr>
In-Reply-To: <20030526075447.GA29390@gothmog.gr>

Giorgos Keramidas wrote:
> Ah, that's fine.  I don't have the time to test it now, but something
> similar to the following should do the trick.  Sorry for not running
> this through a compile and a test run, but this is a very hectic day.
> Someone with enough time to run a full buildworld/buildkernel and fix
> any errors I have made should check that this fixes the problem and then
> notify the security officer.  It looks like something that would be nice
> to have in STABLE *and* the security branches IMHO.
>
> <<<<<<<
> Index: ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.131.2.39
> diff -u -r1.131.2.39 ip_fw.c
> --- ip_fw.c 20 Jan 2003 02:23:07 -0000 1.131.2.39
> +++ ip_fw.c 26 May 2003 07:50:05 -0000
> @@ -94,9 +94,25 @@
> MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
>
> #ifdef SYSCTL_NODE
> +
> +static int
> +sysctl_fw_enable(SYSCTL_HANDLER_ARGS)
> +{
> + int error, v;
> +
> + if (securelevel >= 3)
> + return (ENOPERM);
> +
> + error = sysctl_handle_int(oidp, oidp->oid_arg1, 0, req);
> + if (error || !req->newptr)
> + return (error);
> +
> + return (0);
> +}
> +
> SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
> -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> - &fw_enable, 0, "Enable ipfw");
> +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW,
> + &fw_enable, 0, sysctl_fw_enable, "I", "Enable ipfw");
> SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
> &fw_one_pass, 0,
> "Only do a single pass through ipfw when using dummynet(4)");
>

This doesn't fix the problem. Maybe this only fixes IPFW1 and not IPFW2 too?...

Santos

From owner-freebsd-security@FreeBSD.ORG Wed May 28 09:32:48 2003
Date: Wed, 28 May 2003 18:32:45 +0200
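Review bot: `ENOPERM` is not an errno value the kernel headers define (the operation-not-permitted code is `EPERM`), so `sysctl_fw_enable` will not compile as posted, and `v` in `int error, v;` is never used; both fit the author's warning that the hunk never went through a compile. The `securelevel >= 3` test also sits before `sysctl_handle_int` and ignores `req->newptr`, so at securelevel 3 it refuses reads of `net.inet.ip.fw.enable` as well as writes, and it cannot simply be moved below the call, because the handler is given `oidp->oid_arg1` (`&fw_enable`, per the `SYSCTL_PROC` line), so a write would already be committed by then. Suggest the copy-then-commit shape other sysctl handlers use: `v = fw_enable; error = sysctl_handle_int(oidp, &v, 0, req);`, return `error` when `error || !req->newptr` (nothing to change on a read), then `return (EPERM)` when `securelevel >= 3`, and only then `fw_enable = v;`. The trailing `return (0);` becomes unnecessary, since `error` is already zero on that path. Note also that the hunk touches ip_fw.c only; a kernel built with IPFW2 is served by ip_fw2.c, which is consistent with the reply that it did not fix the problem.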
From: "Simon L. Nielsen"
To: Santos
cc: freebsd-security@freebsd.org
Subject: Re: ipfirewall(4)) cannot be changed
Message-ID: <20030528163245.GF974@nitro.dk>
In-Reply-To: <3ED4DE5E.4080600@cas.port995.com>
References: <3ED06967.90306@cas.port995.com> <20030525234819.U21691@gothmog> <3ED19590.80309@cas.port995.com> <20030526075447.GA29390@gothmog.gr> <3ED4DE5E.4080600@cas.port995.com>

[Summary: net.inet.ip.fw.enable can be changed at any securelevel on RELENG_4]

On 2003.05.28 17:05:50 +0100, Santos wrote:
> Giorgos Keramidas wrote:
>
[CUT]
> ><<<<<<<
> >Index: ip_fw.c
> >===================================================================
> >RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> >retrieving revision 1.131.2.39
> >diff -u -r1.131.2.39 ip_fw.c
[CUT]
> >--- ip_fw.c 20 Jan 2003 02:23:07 -0000 1.131.2.39
> This doesn't fix the problem. Maybe this only fixes IPFW1 and not IPFW2
> too?...

Yes, that fix was only for ipfw1.  ipfw2 already has this fixed in -CURRENT
(sys/netinet/ip_fw2.c v. 1.11 and 1.23) but it was apparently never MFC'ed to
-STABLE...  This is also PR kern/39396.

I CC'ed Crist J. Clark, who added the code to -CURRENT, in the hope that he
has some time to look at it.

--
Simon L. Nielsen

From owner-freebsd-security@FreeBSD.ORG Wed May 28 10:42:01 2003
From: "Erik Paulsen Skålerud"
Date: Wed, 28 May 2003 19:41:56 +0200
Message-ID: <005d01c32540$6f0b1dc0$0a00000a@yes.no>
Subject: FW: Question about logging.

I'm forwarding this to security@, as I'm getting no replies on ipfw@.

Hope it's relevant enough for you :(

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
On Behalf Of Erik Paulsen Skålerud
Sent: Wednesday, May 28, 2003 1:02 AM
To: ipfw@freebsd.org
Subject: Question about logging.

Sorry for asking this, it's probably been asked before, but I've searched
google for a while now with no results :( I'm wondering if it's possible to
restrict ipfw to -only- log to /var/log/ipfw.log? Seems like the only way to
remove ipfw-logging from the console output (dmesg) is to disable the
security messages to the console.. Is there really no other way?

Thanks, erik.

From owner-freebsd-security@FreeBSD.ORG Wed May 28 10:47:05 2003
Date: Wed, 28 May 2003 13:47:03 -0400
From: Brian Reichert
To: Erik Paulsen Skålerud
cc: security@freebsd.org
Subject: Re: FW: Question about logging.
Message-ID: <20030528174703.GW90377@numachi.com>
In-Reply-To: <005d01c32540$6f0b1dc0$0a00000a@yes.no>

On Wed, May 28, 2003 at 07:41:56PM +0200, Erik Paulsen Skålerud wrote:
> I'm forwarding this to security@, as I'm getting no replies on ipfw@.
>
> Hope it's relevant enough for you :(
>
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
> On Behalf Of Erik Paulsen Skålerud
> Sent: Wednesday, May 28, 2003 1:02 AM
> To: ipfw@freebsd.org
> Subject: Question about logging.
>
>
> Sorry for asking this, it's probably been asked before, but I've searched
> google for a while now with no results :( I'm wondering if it's possible to
> restrict ipfw to -only- log to /var/log/ipfw.log? Seems like the only way
> to remove ipfw-logging from the console output (dmesg) is to disable the
> security messages to the console.. Is there really no other way?

It says right in the manpage for ipfw(8):

     When a packet matches a rule with the log keyword, a message will
     be logged to syslogd(8) with a LOG_SECURITY facility.

So, unless you modify ipfw itself, you get to tune your syslogd.conf file.

>
> Thanks, erik.
>

--
Brian 'you Bastard' Reichert
37 Crystal Ave. #303            Daytime number: (603) 434-6842
Derry NH 03038-1713 USA         BSD admin/developer at large

From owner-freebsd-security@FreeBSD.ORG Wed May 28 11:04:30 2003
From: "Erik Paulsen Skålerud"
To: "'Brian Reichert'"
cc: security@freebsd.org
Subject: RE: FW: Question about logging.
Date: Wed, 28 May 2003 20:04:28 +0200
Message-ID: <007d01c32543$94c3c3c0$0a00000a@yes.no>
In-Reply-To: <20030528174703.GW90377@numachi.com>

> -----Original Message-----
> From: Brian Reichert [reichert@numachi.com]
> Sent: Wednesday, May 28, 2003 7:47 PM
> Subject: Re: FW: Question about logging.
>
> On Wed, May 28, 2003 at 07:41:56PM +0200, Erik Paulsen Skålerud wrote:
> > I'm forwarding this to security@, as I'm getting no replies on ipfw@.
> >
> > Hope it's relevant enough for you :(
> >
> > Sorry for asking this, it's probably been asked before, but I've
> > searched google for a while now with no results :( I'm wondering if
> > it's possible to restrict ipfw to -only- log to /var/log/ipfw.log?
> > Seems like the only way to remove ipfw-logging from the console output
> > (dmesg) is to disable the security messages to the console.. Is there
> > really no other way?
>
> It says right in the manpage for ipfw(8):
>
>      When a packet matches a rule with the log keyword, a message will
>      be logged to syslogd(8) with a LOG_SECURITY facility.
>
> So, unless you modify ipfw itself, you get to tune your
> syslogd.conf file.

Yeah, I've gotten that far. But, how can I explicitly -only- filter out ipfw
messages from the default console output? Looks like the only way is to
remove kern.debug :(

Erik.

> --
> Brian 'you Bastard' Reichert
> 37 Crystal Ave. #303            Daytime number: (603) 434-6842
> Derry NH 03038-1713 USA         BSD admin/developer at large
>

From owner-freebsd-security@FreeBSD.ORG Wed May 28 11:36:26 2003
Date: Wed, 28 May 2003 20:36:24 +0200
From: "Simon L. Nielsen"
To: Erik Paulsen Skålerud
cc: security@freebsd.org
Subject: Re: FW: Question about logging.
Message-ID: <20030528183624.GC1981@nitro.dk>
In-Reply-To: <007d01c32543$94c3c3c0$0a00000a@yes.no>

On 2003.05.28 20:04:28 +0200, Erik Paulsen Skålerud wrote:
> Yeah, I've gotten that far. But, how can I explicitly -only- filter out ipfw
> messages from the default console output? Looks like the only way is to
> remove kern.debug :(

I think you can use something like this in syslog.conf (untested) :

!-ipfw
*.err;kern.debug;auth.notice;mail.crit          /dev/console

Or something along those lines...  Try looking at syslog.conf(5), it does
explain a lot.

--
Simon L. Nielsen

From owner-freebsd-security@FreeBSD.ORG Wed May 28 12:01:26 2003
From: "Erik Paulsen Skålerud"
To: "'Simon L. Nielsen'"
cc: security@freebsd.org
Subject: RE: FW: Question about logging.
Date: Wed, 28 May 2003 21:01:22 +0200
Message-ID: <009c01c3254b$88163ec0$0a00000a@yes.no>
In-Reply-To: <20030528183624.GC1981@nitro.dk>

> -----Original Message-----
> From: Simon L. Nielsen [mailto:simon@nitro.dk]
> Sent: Wednesday, May 28, 2003 8:36 PM
> To: Erik Paulsen Skålerud
>
> On 2003.05.28 20:04:28 +0200, Erik Paulsen Skålerud wrote:
>
> > Yeah, I've gotten that far. But, how can I explicitly -only- filter out
> > ipfw messages from the default console output? Looks like the only way
> > is to remove kern.debug :(
>
> I think you can use something like this in syslog.conf (untested) :
>
> !-ipfw
> *.err;kern.debug;auth.notice;mail.crit          /dev/console

This didn't work :(

> Or something along those lines...

:)

> Try looking at syslog.conf(5), it does explain a lot.

I'll try, but I haven't found a solution there yet (I checked before I
mailed the mailinglists).

Thanks for the help,

Erik

> --
> Simon L. Nielsen
>

From owner-freebsd-security@FreeBSD.ORG Wed May 28 13:01:35 2003
Date: Wed, 28 May 2003 23:04:32 +0300
From: Peter Pentchev
To: "Simon L. Nielsen"
cc: security@freebsd.org
Subject: Re: FW: Question about logging.
Message-ID: <20030528200431.GA1676@straylight.oblivion.bg>
In-Reply-To: <20030528183624.GC1981@nitro.dk>

On Wed, May 28, 2003 at 08:36:24PM +0200, Simon L. Nielsen wrote:
> On 2003.05.28 20:04:28 +0200, Erik Paulsen Skålerud wrote:
>
> > Yeah, I've gotten that far. But, how can I explicitly -only- filter out ipfw
> > messages from the default console output? Looks like the only way is to
> > remove kern.debug :(
>
> I think you can use something like this in syslog.conf (untested) :
>
> !-ipfw
> *.err;kern.debug;auth.notice;mail.crit          /dev/console

This would match log entries generated by a userland application named
'ipfw'.  The ipfw log lines are, however, generated by the *kernel*, and
they would never match this rule.

> Or something along those lines...

Logging kern.security to a separate file should be enough, I think?
Never tried it, though.

> Try looking at syslog.conf(5), it does explain a lot.

Yep, that too :)

G'luck,
Peter

--
Peter Pentchev    roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This would easier understand fewer had omitted.

From owner-freebsd-security@FreeBSD.ORG Wed May 28 13:14:21 2003
Date: Wed, 28 May 2003 22:14:19 +0200
From: "Simon L. Nielsen"
To: Erik Paulsen Skålerud, security@freebsd.org
Subject: Re: FW: Question about logging.
Message-ID: <20030528201417.GA3741@nitro.dk>
In-Reply-To: <20030528200431.GA1676@straylight.oblivion.bg>

On 2003.05.28 23:04:32 +0300, Peter Pentchev wrote:
> On Wed, May 28, 2003 at 08:36:24PM +0200, Simon L. Nielsen wrote:
> > On 2003.05.28 20:04:28 +0200, Erik Paulsen Skålerud wrote:
> >
> > > Yeah, I've gotten that far. But, how can I explicitly -only- filter out ipfw
> > > messages from the default console output? Looks like the only way is to
> > > remove kern.debug :(
> >
> > I think you can use something like this in syslog.conf (untested) :
> >
> > !-ipfw
> > *.err;kern.debug;auth.notice;mail.crit          /dev/console
>
> This would match log entries generated by a userland application named
> 'ipfw'.  The ipfw log lines are, however, generated by the *kernel*, and
> they would never match this rule.

Ehh, I have the following in my syslog.conf, and it works just fine :

!ipfw
*.*                                             /var/log/ipfw.log

I only get lines like :
May 20 02:16:28 arthur /kernel: ipfw: 65300 Deny UDP 192.168.3.2:53 192.168.2.3:49239 in via xl0
in var/log/ipfw.log

I guess it shouldn't work, but it does :-)

--
Simon L. Nielsen

From owner-freebsd-security@FreeBSD.ORG Wed May 28 13:40:05 2003
Date: Wed, 28 May 2003 23:39:54 +0300 (EEST)
From: "Taras Y. NIZHNIK"
To: "Simon L. Nielsen"
cc: security@freebsd.org
Subject: Re: FW: Question about logging.
Message-ID: <20030528233144.R52694-100000@doppelganger.el.ntu-kpi.kiev.ua>
In-Reply-To: <20030528201417.GA3741@nitro.dk>

On Wed, 28 May 2003, Simon L. Nielsen wrote:

> > > I think you can use something like this in syslog.conf (untested) :
> > >
> > > !-ipfw
> > > *.err;kern.debug;auth.notice;mail.crit          /dev/console
> > This would match log entries generated by a userland application named
> > 'ipfw'.  The ipfw log lines are, however, generated by the *kernel*, and
> > they would never match this rule.
> Ehh, I have the following in my syslog.conf, and it works just fine :
>
> !ipfw
> *.*                                             /var/log/ipfw.log
>
> I only get lines like :
> May 20 02:16:28 arthur /kernel: ipfw: 65300 Deny UDP 192.168.3.2:53 192.168.2.3:49239 in via xl0
> in var/log/ipfw.log
>
> I guess it shouldn't work, but it does :-)

Why do you think it should not? "man 5 syslog.conf" says that it *should*
work:

     A program specification for `foo' will also match any message logged by
     the kernel with the prefix `foo: '.

So, if you have no running program named "ipfw" which logs to syslogd, the
only messages logged to /var/log/ipfw.log will be messages from
"/kernel: ipfw:".

--
Taras Y. NIZHNIK, AKA Taren, XN7211-XTF, TYN-UANIC, TYN1-RIPE

From owner-freebsd-security@FreeBSD.ORG Wed May 28 13:44:17 2003
Date: Wed, 28 May 2003 16:44:14 -0400 (EDT)
From: Alwyn Goodloe To: freebsd-security@FreeBSD.ORG Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: IP SEC filtering issue X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 May 2003 20:44:17 -0000

First thing to note is that I am using FreeBSD 4.8.

We would like to send only the syn packet of a tcp connection through certain ipsec tunnels and the rest of the packets in a connection through a simple transport mode setup. Yeah, I know it's strange but what can I say -- we do a lot of strange things. From the best I can tell, the setkey/spdadd filtering capability isn't sophisticated enough to detect syn packets. Since ipfw does do this sort of thing we can use this to filter out the syn packet and, using divert sockets (we have a lot of experience at writing divert sockets), we can put a wrapper around it so that it goes to a particular port. Since ip sec can filter on ports, we can just filter that out. The process should look something like:

syn ---> diverted and wrapped to head for port X ----> ipsec filters on port X sends it into tunnel .........
........... ipsec does its thing ---> divert socket unwraps ---> sends the packet on its way (not passing through ip sec again).

The divert socket solution seems to work fine on the sending side, but there seem to be problems on the receiving side. I suspect that ipfw is looking at the packet before ipsec or some such thing. I know that there were postings about the interaction of ipfw and ipsec and that some of these were going to be fixed in 4.8.

If any of you know of a way to get ipsec to filter on syn packets let me know. If you have ever tried to get divert sockets and ip sec working at the same time let me know the secret.
I suspect I'm just going to have to hack the ipsec filter to get it to filter on syn packets. Any ideas as to how hard this will be?

Alwyn Goodloe
agoodloe@saul.cis.upenn.edu

From owner-freebsd-security@FreeBSD.ORG Wed May 28 14:10:42 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 39ED637B401 for ; Wed, 28 May 2003 14:10:42 -0700 (PDT) Received: from arthur.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 95DBA43F3F for ; Wed, 28 May 2003 14:10:41 -0700 (PDT) (envelope-from simon@arthur.nitro.dk) Received: by arthur.nitro.dk (Postfix, from userid 1000) id 0A07910BF89; Wed, 28 May 2003 23:10:40 +0200 (CEST) Date: Wed, 28 May 2003 23:10:39 +0200
From: "Simon L. Nielsen" To: "Taras Y. NIZHNIK" Message-ID: <20030528211038.GB3741@nitro.dk> References: <20030528201417.GA3741@nitro.dk> <20030528233144.R52694-100000@doppelganger.el.ntu-kpi.kiev.ua> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="s2ZSL+KKDSLx8OML" Content-Disposition: inline In-Reply-To: <20030528233144.R52694-100000@doppelganger.el.ntu-kpi.kiev.ua> User-Agent: Mutt/1.5.4i cc: security@freebsd.org Subject: Re: FW: Question about logging. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 May 2003 21:10:42 -0000 --s2ZSL+KKDSLx8OML Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On 2003.05.28 23:39:54 +0300, Taras Y. NIZHNIK wrote:
> On Wed, 28 May 2003, Simon L. Nielsen wrote:
> > > This would match log entries generated by a userland application named 'ipfw'. The ipfw log lines are, however, generated by the *kernel*, and they would never match this rule.
> > Ehh, I have the following in my syslog.conf, and it works just fine :
> >
> > !ipfw
> > *.* /var/log/ipfw.log
> >
> > I only get lines like :
> > May 20 02:16:28 arthur /kernel: ipfw: 65300 Deny UDP 192.168.3.2:53 192.168.2.3:49239 in via xl0
> > in var/log/ipfw.log
> >
> > I guess it shouldn't work, but it does :-)
> Why do you think it should not?

Actually only because Peter Pentchev said it shouldn't, and I didn't read the manual page carefully enough before posting.

Thanks for correcting me.

-- Simon L.
Nielsen --s2ZSL+KKDSLx8OML Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE+1SXO8kocFXgPTRwRAvg5AJ4q63RL7epCHmiLxoT9Nnc7zkbYhACglzEx fIGgywOgplHdmbTNEXDcC/Y= =qMz+ -----END PGP SIGNATURE----- --s2ZSL+KKDSLx8OML-- From owner-freebsd-security@FreeBSD.ORG Wed May 28 23:37:26 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E109837B401 for ; Wed, 28 May 2003 23:37:26 -0700 (PDT) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id B87B243F93 for ; Wed, 28 May 2003 23:37:22 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 23928 invoked from network); 29 May 2003 06:30:49 -0000 Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 29 May 2003 06:30:47 -0000 Received: (qmail 22338 invoked by uid 1000); 29 May 2003 06:40:23 -0000 Date: Thu, 29 May 2003 09:40:23 +0300 
From: Peter Pentchev To: "Simon L. Nielsen" Message-ID: <20030529064023.GB1676@straylight.oblivion.bg> Mail-Followup-To: "Simon L. Nielsen" , "Taras Y. NIZHNIK" , security@freebsd.org References: <20030528201417.GA3741@nitro.dk> <20030528233144.R52694-100000@doppelganger.el.ntu-kpi.kiev.ua> <20030528211038.GB3741@nitro.dk> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="0eh6TmSyL6TZE2Uz" Content-Disposition: inline In-Reply-To: <20030528211038.GB3741@nitro.dk> User-Agent: Mutt/1.5.4i cc: security@freebsd.org Subject: Re: FW: Question about logging. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 May 2003 06:37:27 -0000 --0eh6TmSyL6TZE2Uz Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Wed, May 28, 2003 at 11:10:39PM +0200, Simon L. Nielsen wrote:
> On 2003.05.28 23:39:54 +0300, Taras Y. NIZHNIK wrote:
> > On Wed, 28 May 2003, Simon L. Nielsen wrote:
> > > > This would match log entries generated by a userland application named 'ipfw'. The ipfw log lines are, however, generated by the *kernel*, and they would never match this rule.
> > > Ehh, I have the following in my syslog.conf, and it works just fine :
> > >
> > > !ipfw
> > > *.* /var/log/ipfw.log
> > >
> > > I only get lines like :
> > > May 20 02:16:28 arthur /kernel: ipfw: 65300 Deny UDP 192.168.3.2:53 192.168.2.3:49239 in via xl0
> > > in var/log/ipfw.log
> > >
> > > I guess it shouldn't work, but it does :-)
> > Why do you think it should not?
>
> Actually only because Peter Pentchev said it shouldn't, and I didn't read the manual page carefully enough before posting.
>
> Thanks for correcting me.

Erm.. well..
what can I say :) It's great that there are still people who actually read the manpages, and not just those like me who go with vague memories :) Sorry for the confusion.

G'luck,
Peter

-- Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 If I were you, who would be reading this sentence? --0eh6TmSyL6TZE2Uz Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE+1atX7Ri2jRYZRVMRAgESAJwJVBzktjo1rQ1D3AZM2TB+x0Ft3ACePt/A yJMVXH35F6DpkYg89U4gxfA= =9zNN -----END PGP SIGNATURE----- --0eh6TmSyL6TZE2Uz--

From owner-freebsd-security@FreeBSD.ORG Fri May 30 12:53:21 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B076C37B401 for ; Fri, 30 May 2003 12:53:21 -0700 (PDT) Received: from mail.npubs.com (mail.npubs.com [209.66.100.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3E95B43FB1 for ; Fri, 30 May 2003 12:53:19 -0700 (PDT) (envelope-from nielsen@memberwebs.com) Resent-Message-Id:
From: "Nielsen" To: "Alwyn Goodloe" , References: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20030530195629.2282B3FF312@mail.npubs.com> Resent-Date: Fri, 30 May 2003 19:56:30 +0000 (GMT) Resent-From: nielsen@memberwebs.com (Postfix Filters) Subject: Re: IP SEC filtering issue X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Fri, 30 May 2003 19:53:22 -0000 X-List-Received-Date: Fri, 30 May 2003 19:53:22 -0000

From experience I've found you have to break these things up on different machines. I don't have an intimate knowledge of how and when the IPSEC processing gets done in the kernel, and maybe if someone did they could figure out how and if you could do all of this on a single machine. But in our case, we break down the tasks between machines (traffic splitter, ipsec processing, etc...) and it works like a charm. It's also *much* easier to figure out what's wrong, heh. The machines don't have to be powerful.

Nate

----- Original Message -----
From: "Alwyn Goodloe" To: Sent: Wednesday, May 28, 2003 14:44 Subject: IP SEC filtering issue

> First thing to note is that I am using FreeBSD 4.8 .
>
> We would like to send only the syn packet of a tcp connection through certain ipsec tunnels and the rest of the packets in a connection through a simple transport mode setup. Yeah, I know it's strange but what can I say -- we do a lot of strange things. From the best I can tell, the setkey/spdadd filtering capability isn't sophisticated enough to detect syn packets. Since ipfw does do this sort of thing we can use this to filter out the syn packet and using divert sockets (we have a lot of experience at writing divert sockets) we can put a wrapper around it so that it goes to a particular port. Since ip sec can filter on ports, we can just filter that out. The process should look something like:
>
> syn ---> diverted and wrapped to head for port X ----> ipsec filters on port X sends it into tunnel .........
> ........... ipsec does its thing ---> divert socket unwraps ---> sends the packet on its way (not passing through ip sec again).
>
> The divert socket solution seems to work fine on the sending side, but there seem to be problems on the receiving side. I suspect that ipfw is looking at the packet before ipsec or some such thing. I know that there were postings about the interaction of ipfw and ipsec and that some of these were going to be fixed in 4.8.
>
> If any of you know of a way to get ipsec to filter on syn packets let me know. If you have ever tried to get divert sockets and ip sec working at the same time let me know the secret. I suspect I'm just going to have to hack the ipsec filter to get it to filter on syn packets.
> Any ideas as to how hard this will be?
>
> Alwyn Goodloe
> agoodloe@saul.cis.upenn.edu
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Fri May 30 15:22:56 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 65DA637B401 for ; Fri, 30 May 2003 15:22:56 -0700 (PDT) Received: from mail.silverwraith.com (66-214-182-79.la-cbi.charterpipeline.net [66.214.182.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id ABCA443F3F for ; Fri, 30 May 2003 15:22:55 -0700 (PDT) (envelope-from avleen@silverwraith.com) Received: from avleen by mail.silverwraith.com with local (Exim 4.14) id 19LsH1-0006v5-B9 for security@freebsd.org; Fri, 30 May 2003 15:22:55 -0700 Date: Fri, 30 May 2003 15:22:55 -0700
From: Avleen Vig To: security@freebsd.org Message-ID: <20030530222255.GZ294@silverwraith.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.4i Sender: Avleen Vig Subject: IPFW logging brokeness? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 May 2003 22:22:56 -0000

I don't think I'm trying to do anything amazing, but IPFW's logging features are giving me a real headache. I can't find much in the archives either, but I find it hard to believe others haven't found this too.

My rule:
add 100 allow log tcp from any to limit src-addr 2

I want connecting parties to be able to form no more than 2 connections. This works perfectly, just as I'd expect it to. Except for 'log'.

This rule matches every packet that comes in to the given IP and ports, and as a result, one line is added to the security log per packet. There are a lot of packets. I tried adding an "add 50 check-state", but that rule doesn't match (the log just carries on logging packets because they match 100), which is very odd.

All I want is to have the first packet of a connection match, like IPF's "log first" capability.

Or, better yet, is there a way to format a rule or set of rules, to say "deny if established connections is greater than 2". Logging every one of these packets would be fine.

Any suggestions?

-- Avleen Vig "Say no to cheese-eating surrender-monkeys" Systems Admin "Fast, Good, Cheap. Pick any two." www.silverwraith.com "Move BSD. For great justice!"
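An added example, not code from any message in this thread: a small Python parser for the kernel ipfw log lines that the syslog.conf thread above and this post both deal with. It implements the syslog.conf(5) program-specification rule Taras quotes (a `!ipfw` block matches a userland program named ipfw and also kernel messages prefixed `ipfw: `), then parses each matched line into fields and counts logged packets per rule number and per source address, which is how a rule that logs every packet of a flow rather than only its first shows up. The sample lines are constructed for the example (the first is the line Simon posted); the field layout assumed is the FreeBSD 4.x ipfw(4) format `ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>`, with `:port` suffixes on TCP/UDP endpoints only.

```python
"""Parse FreeBSD ipfw(4) kernel log lines as syslogd writes them.

Added example, not code from this thread.  The sample lines below are
constructed (the first is the line posted in the thread); the assumed
field layout is the FreeBSD 4.x format
    ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>
where TCP/UDP endpoints carry a :port suffix and other protocols do not.
"""
import re
from collections import Counter

# syslogd(8) line: timestamp, host, program[pid]: message.  Kernel messages
# arrive with the program field "/kernel" (4.x) or "kernel" (later releases).
_SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\s\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# ipfw log body, e.g.
#   ipfw: 65300 Deny UDP 192.168.3.2:53 192.168.2.3:49239 in via xl0
#   ipfw: 65300 Deny ICMP:8.0 10.9.9.9 192.168.2.3 in via xl0
_IPFW_RE = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample input: one flow hitting rule 100 three times (one line
# per packet), two denies on 65300, a userland program that happens to be
# called ipfw, and an unrelated sshd line.
SAMPLE_LOG = [
    "May 20 02:16:28 arthur /kernel: ipfw: 65300 Deny UDP 192.168.3.2:53 192.168.2.3:49239 in via xl0",
    "May 20 02:16:29 arthur /kernel: ipfw: 100 Accept TCP 10.1.1.5:40001 192.168.2.3:22 in via xl0",
    "May 20 02:16:29 arthur /kernel: ipfw: 100 Accept TCP 10.1.1.5:40001 192.168.2.3:22 in via xl0",
    "May 20 02:16:30 arthur /kernel: ipfw: 100 Accept TCP 10.1.1.5:40001 192.168.2.3:22 in via xl0",
    "May 20 02:16:31 arthur /kernel: ipfw: 65300 Deny ICMP:8.0 10.9.9.9 192.168.2.3 in via xl0",
    "May 20 02:16:32 arthur ipfw[1234]: userland program also named ipfw",
    "May 20 02:16:33 arthur sshd[555]: Accepted publickey for root",
]


def program_matches(line, program):
    """syslog.conf(5) '!program' semantics: the program field equals
    `program`, or the line is a kernel message whose body starts with
    'program: '.  Both kinds of line land in the same log file."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return False
    prog, msg = m.group("prog"), m.group("msg")
    if prog == program:
        return True
    return prog in ("/kernel", "kernel") and msg.startswith(program + ": ")


def _split_endpoint(ep):
    # TCP/UDP endpoints are addr:port; other protocols carry a bare address.
    addr, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return addr, int(port)
    return ep, None


def parse_ipfw_line(line):
    """Return a dict of the ipfw fields, or None when the line is not a
    kernel ipfw log entry (a userland 'ipfw' program's output is skipped)."""
    m = _SYSLOG_RE.match(line)
    if not m or not program_matches(line, "ipfw"):
        return None
    body = _IPFW_RE.match(m.group("msg"))
    if not body:
        return None
    src, sport = _split_endpoint(body.group("src"))
    dst, dport = _split_endpoint(body.group("dst"))
    return {
        "host": m.group("host"),
        "rule": int(body.group("rule")),
        "action": body.group("action"),
        "proto": body.group("proto"),
        "src": src, "sport": sport,
        "dst": dst, "dport": dport,
        "dir": body.group("dir"),
        "iface": body.group("iface"),
    }


def summarize(lines):
    """Count logged packets per rule and per source address.  A rule that
    logs every packet of a connection shows up as a high count for one
    source address under a single rule number."""
    per_rule, per_src = Counter(), Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None:
            continue
        per_rule[rec["rule"]] += 1
        per_src[rec["src"]] += 1
    return per_rule, per_src


if __name__ == "__main__":
    by_rule, by_src = summarize(SAMPLE_LOG)
    for rule, n in by_rule.most_common():
        print("rule %5d: %d logged packets" % (rule, n))
    for src, n in by_src.most_common():
        print("src %-15s %d logged packets" % (src, n))
```

Feed it the contents of the `/var/log/ipfw.log` file that the `!ipfw` block produces; lines from a userland program called ipfw pass `program_matches` (as syslog.conf(5) says they should) but are rejected by `parse_ipfw_line`, so only kernel ipfw entries are counted.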
From owner-freebsd-security@FreeBSD.ORG Fri May 30 16:20:28 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B39DC37B401 for ; Fri, 30 May 2003 16:20:28 -0700 (PDT) Received: from bp6.bresler.org (pool-138-88-130-56.esr.east.verizon.net [138.88.130.56]) by mx1.FreeBSD.org (Postfix) with ESMTP id C217E43F93 for ; Fri, 30 May 2003 16:20:27 -0700 (PDT) (envelope-from jmb@bresler.org) Received: by bp6.bresler.org (Postfix, from userid 1000) id B347180; Fri, 30 May 2003 19:20:26 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by bp6.bresler.org (Postfix) with ESMTP id B0A1D9901; Fri, 30 May 2003 19:20:26 -0400 (EDT) Date: Fri, 30 May 2003 19:20:26 -0400 (EDT) 
From: "Jonathan M. Bresler" To: Avleen Vig In-Reply-To: <20030530222255.GZ294@silverwraith.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: security@freebsd.org Subject: Re: IPFW logging brokeness? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 May 2003 23:20:29 -0000

You need to add "keep-state" to rule 100. This will populate the state table so that the "check-state" rule will have a populated table to check against. Try:

add 100 allow log tcp from any to keep-state limit src-addr 2

jmb

On Fri, 30 May 2003, Avleen Vig wrote:
> I don't think I'm trying to do anything amazing, but IPFW's logging features are giving me a real headache. I can't find much in the archives either, but I find it hard to believe others haven't found this too.
>
> My rule:
> add 100 allow log tcp from any to limit src-addr 2
>
> I want connecting parties to be able to form no more than 2 connections. This works perfectly, just as I'd expect it to. Except for 'log'.
>
> This rule matches every packet that comes in to the given IP and ports, and as a result, one line is added to the security log per packet. There are a lot of packets. I tried adding an "add 50 check-state", but that rule doesn't match (the log just carries on logging packets because they match 100), which is very odd.
>
> All I want is to have the first packet of a connection match, like IPF's "log first" capability.
>
> Or, better yet, is there a way to format a rule or set of rules, to say "deny if established connections is greater than 2". Logging every one of these packets would be fine.
>
> Any suggestions?
>
> --
> Avleen Vig "Say no to cheese-eating surrender-monkeys"
> Systems Admin "Fast, Good, Cheap. Pick any two."
> www.silverwraith.com "Move BSD.
For great justice!" > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Sat May 31 02:21:49 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 67A8F37B404 for ; Sat, 31 May 2003 02:21:49 -0700 (PDT) Received: from irpen.kiev.ua (irpen.kiev.ua [195.178.133.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 02BEC43F3F for ; Sat, 31 May 2003 02:21:47 -0700 (PDT) (envelope-from duke@irpen.kiev.ua) Received: from irpen.kiev.ua (localhost.irpen.kiev.ua [127.0.0.1]) by irpen.kiev.ua (8.12.8p1/8.12.8) with ESMTP id h4V9KTrt019098 for ; Sat, 31 May 2003 12:21:42 +0300 (EEST) (envelope-from duke@irpen.kiev.ua) Received: (from duke@localhost) by irpen.kiev.ua (8.12.8p1/8.12.8/Submit) id h4V9KSAw019097 for freebsd-security@freebsd.org; Sat, 31 May 2003 12:20:28 +0300 (EEST) (envelope-from duke) Date: Sat, 31 May 2003 12:20:28 +0300 
From: Vandyuk Eugene To: freebsd-security@freebsd.org Message-ID: <20030531122028.A16361@irpen.kiev.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Subject: Packet flow through IPFW+IPF+IPNAT ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 May 2003 09:21:49 -0000

Hi.

On my FreeBSD 4.8 I have configured IPFW2+IPF+IPNAT and I use them all:
- IPFW - traffic accounting, shaping, balancing and filtering;
- IPFilter - policy routing;
- IPNAT - masquerading.

I want to know how IP packets flow through all of these components. What's the path?

incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ?
outgoing: IPFW Layer2 -> IPFW&Dummynet -> IPFilter -> IPNAT ?

Is this correct? Or does IPNAT run on incoming packets before IPFW L3:

incoming: IPFW Layer2 -> IPNAT -> IPFW&Dummynet -> IPFilter ?

I think this path is more preferable, because then IPFW would always see the un-masqueraded IP headers.

Any help appreciated.
From owner-freebsd-security@FreeBSD.ORG Sat May 31 02:40:58 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EB6A537B401 for ; Sat, 31 May 2003 02:40:58 -0700 (PDT) Received: from mta01-svc.ntlworld.com (mta01-svc.ntlworld.com [62.253.162.41]) by mx1.FreeBSD.org (Postfix) with ESMTP id CBD1343F93 for ; Sat, 31 May 2003 02:40:57 -0700 (PDT) (envelope-from colin.percival@wadham.ox.ac.uk) Received: from piii600.wadham.ox.ac.uk ([81.103.196.4]) by mta01-svc.ntlworld.comESMTP <20030531094056.ZAUV2283.mta01-svc.ntlworld.com@piii600.wadham.ox.ac.uk> for ; Sat, 31 May 2003 10:40:56 +0100 Message-Id: <5.0.2.1.1.20030531095329.047965e0@popserver.sfu.ca> X-Sender: cperciva@popserver.sfu.ca X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Sat, 31 May 2003 10:39:43 +0100 To: freebsd-security@freebsd.org 
From: Colin Percival Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: Advisory: security/freebsd-update port X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 May 2003 09:40:59 -0000

Topic: Potential failure to update vulnerable files

Synopsis: FreeBSD Update is a system for tracking FreeBSD release (aka security) branches via signed binary updates. At present, updates are being built for FreeBSD 4.7-RELEASE and 4.8-RELEASE. As a result of differences between the ISO image and FTP distributions of 4.7-RELEASE, FreeBSD Update may have failed to recognize certain files as needing replacement. Based on server logs, I believe up to 20 people may have been affected by this.

Impact: Some security patches might not have been applied, potentially leaving a system open to attack.

Fix: Run FreeBSD Update again; it will fetch the latest update index, which corrects this issue.

Colin Percival