From owner-freebsd-security@FreeBSD.ORG Tue Sep 23 07:48:49 2003
Date: Tue, 23 Sep 2003 07:48:45 -0700
From: Michael Sierchio
To: security@freebsd.org
Subject: OpenSSH: multiple vulnerabilities in the new PAM code
Message-ID: <3F705D4D.4070404@tenebras.com>

This affects only 3.7p1 and 3.7.1p1. The advice to leave PAM disabled is far from heartening, nor is the semi-lame blaming of the PAM spec for implementation bugs.

I happen to like OPIE for remote access.

Subject: Portable OpenSSH Security Advisory: sshpam.adv

This document can be found at: http://www.openssh.com/txt/sshpam.adv

1. Versions affected:

Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled).

The OpenBSD releases of OpenSSH do not contain this code and are not vulnerable. Older versions of portable OpenSSH are not vulnerable.

2. Solution:

Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no" in sshd_config).

Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites only using public key or simple password authentication usually have little need to enable PAM.

From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 11:18:22 2003
Date: Fri, 19 Sep 2003 19:19:24 +0100
From: Mark Murray
To: Michael Sierchio
cc: freebsd-security@freebsd.org
Subject: Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh]
Message-Id: <200309191819.h8JIJOfq013739@grimreaper.grondar.org>
In-Reply-To: Your message of "Fri, 19 Sep 2003 07:57:20 PDT." <3F6B1950.8090304@tenebras.com>
X-Mailman-Approved-At: Tue, 23 Sep 2003 09:29:43 -0700

Michael Sierchio writes:
> > In FreeBSD-5-* there is no separate /dev/urandom, and /dev/random is
> > driven by Yarrow (http://www.counterpane.com/yarrow/). This is a
> > PRNG+entropy-harvester, and it is _very_ conservative. As long as
> > _some_ entropy is being harvested, it is unlikely that either generator
> > will produce a repeating sequence _ever_.
>
> Oh? I believe that, for any finite binary string, the probability
> of it appearing again approaches 1 as time goes on. Don't you?

For a pure PRNG, I believe that. For such a PRNG, such a string will appear with a predictable period, and for a particular string, the period is the same length as the string. Thus, there is no entropy in a pure PRNG.

If the PRNG is perturbed with entropy, then the cyclic behaviour is broken, and the predictability is compromised. With good technique, it can be made Very Hard(tm) to predict the sequence.

> Question, since I haven't looked at the code -- does it honor the
> /dev/crypto interface? Since, if a HW RBG is included in a crypto
> device, it should be used to help stir the pot.

Yes. Internally. And more is coming.

M
--
Mark Murray
iumop ap!sdn w,I idlaH

From owner-freebsd-security@FreeBSD.ORG Tue Sep 23 13:52:59 2003
Date: Tue, 23 Sep 2003 16:53:18 -0400
From: Haesu
To: Michael Sierchio, security@freebsd.org
Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code
Message-ID: <20030923205318.GB3346@scylla.towardex.com>
In-Reply-To: <3F705D4D.4070404@tenebras.com>

Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD 4.8/4.9 are not affected :)

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174
Fax: (978)263-0033 | POC: HAESU-ARIN

On Tue, Sep 23, 2003 at 07:48:45AM -0700, Michael Sierchio wrote:
> This affects only 3.7p1 and 3.7.1p1. The advice to leave
> PAM disabled is far from heartening, nor is the semi-lame
> blaming of the PAM spec for implementation bugs.
>
> I happen to like OPIE for remote access.
>
> [...]

From owner-freebsd-security@FreeBSD.ORG Tue Sep 23 14:08:17 2003
Date: Tue, 23 Sep 2003 17:10:36 -0400
To: security@freebsd.org
From: Mike Tancsa
Subject: NTP common code base ?
Message-Id: <6.0.0.22.0.20030923170736.06cad540@209.112.4.2>

Cisco released an advisory about their ntp client and server having a bug

http://www.cisco.com/warp/public/707/NTP-pub.shtml

Is there a common code base at all that would have relevance to the code in FreeBSD? I noticed in the COPYRIGHT file cisco has made some contributions.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Tue Sep 23 17:14:00 2003
Date: Wed, 24 Sep 2003 01:13:58 +0100
From: Jez Hancock
To: FreeBSD Security List, FreeBSD ISP List
Subject: [da@securityfocus.com: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability (fwd)]
Message-ID: <20030924001358.GB901@users.munk.nu>

Recent proftpd security vulnerability release FYI. Ports has latest patched proftpd distribution.

--
Jez
http://www.munk.nu/

[attached message]
Date: Tue, 23 Sep 2003 10:25:54 -0600 (MDT)
From: Dave Ahmad
To: bugtraq@securityfocus.com
Subject: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability (fwd)

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Brief
September 23, 2003

ProFTPD ASCII File Remote Compromise Vulnerability

Synopsis:

ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server. ProFTPD is a highly configurable FTP (File Transfer Protocol) server for Unix that allows for per-directory access restrictions, easy configuration of virtual FTP servers, and support for multiple authentication mechanisms. A flaw exists in the ProFTPD component that handles incoming ASCII file transfers.

Impact:

An attacker capable of uploading files to the vulnerable system can trigger a buffer overflow and execute arbitrary code to gain complete control of the system. Attackers may use this vulnerability to destroy, steal, or manipulate data on vulnerable FTP sites.

Affected Versions:

ProFTPD 1.2.7
ProFTPD 1.2.8
ProFTPD 1.2.8rc1
ProFTPD 1.2.8rc2
ProFTPD 1.2.9rc1
ProFTPD 1.2.9rc2

Note: Versions previous to version 1.2.7 may also be vulnerable.

For the complete ISS X-Force Security Advisory, please visit:
http://xforce.iss.net/xforce/alerts/id/154

______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved worldwide.

Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email xforce@iss.net for permission.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBP3BeFTRfJiV99eG9AQG2ngP/XopPpEYCbR6HSYhObaK+c2D32kwfiQEP
CJqXmoljU661kBKvL2RclLF8tutegL3T44/5utBuVgzCWALSRrJiJgZMWafRtE7m
lnl7V5Rzo7aEBxhmiaOqdLoNgzNd8NTtSkPrcFQZxjrQe9FvpIgsyiuY6ADNoDfH
mXStpCwCFWg=
=TZR3
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Sep 23 17:18:13 2003
Date: Wed, 24 Sep 2003 01:18:12 +0100
From: Jez Hancock
To: FreeBSD Security List
Subject: Re: [da@securityfocus.com: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability (fwd)]
Message-ID: <20030924001812.GC901@users.munk.nu>
In-Reply-To: <20030924001358.GB901@users.munk.nu>

Apologies for double post!

From owner-freebsd-security@FreeBSD.ORG Tue Sep 23 19:04:32 2003
Date: Tue, 23 Sep 2003 18:46:53 -0700
From: Koroush Saraf
To: FreeBSD Security List
Subject: Problem with Changing Pipe and Queue Configurations repeatedly
Message-id: <01fc01c3823d$bb1cf940$04f4c581@BSDWIN2KKOROUSH>

Hi All,

I would like to change the weight of queues without losing data that might already be queued. So I initially create a queue by typing

    ipfw queue 103 config weight 10 queue 4000KBytes pipe 100

and data flows through the associated queue and pipe just fine. I again type the command

    ipfw queue 103 config weight 20 queue 4000KBytes pipe 100

to change the weight to 20 but nothing happens. The weight remains at the original value of 10. I thought I had already tested this before and saw it working. Can someone tell me why I might be having this problem now and if it's fixable? I'm using FreeBSD 4.6.

thanks,
~koroush

From owner-freebsd-security@FreeBSD.ORG Tue Sep 23 23:19:56 2003
Date: Wed, 24 Sep 2003 02:20:14 -0400
From: Haesu
To: freebsd-security@freebsd.org
Subject: Re: [da@securityfocus.com: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability (fwd)]
Message-ID: <20030924062014.GA36641@scylla.towardex.com>
In-Reply-To: <20030924001358.GB901@users.munk.nu>

I just want to clarify...

    # $FreeBSD: ports/ftp/proftpd/Makefile,v 1.56 2003/09/23 18:42:43 mharo Exp $
    #

    PORTNAME=       proftpd
    PORTVERSION=    1.2.8
    PORTREVISION=   1

Is that the updated port that fixes the vulnerability? It's 1.2.8 still, but I think this is the patched version, since the rcsID shows 9/23 which is yesterday.

Thanks,
-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174
Fax: (978)263-0033 | POC: HAESU-ARIN

On Wed, Sep 24, 2003 at 01:13:58AM +0100, Jez Hancock wrote:
> Recent proftpd security vulnerability release FYI. Ports has latest
> patched proftpd distribution.
> --
> Jez
>
> http://www.munk.nu/
>
> [...]

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 00:28:46 2003
Date: Wed, 24 Sep 2003 10:28:40 +0300
From: Peter Pentchev
To: Haesu
cc: freebsd-security@freebsd.org
Subject: Re: [da@securityfocus.com: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability (fwd)]
Message-ID: <20030924072840.GD396@straylight.oblivion.bg>
In-Reply-To: <20030924062014.GA36641@scylla.towardex.com>

On Wed, Sep 24, 2003 at 02:20:14AM -0400, Haesu wrote:
> I just want to clarify...
>
> # $FreeBSD: ports/ftp/proftpd/Makefile,v 1.56 2003/09/23 18:42:43 mharo Exp $
> #
>
> PORTNAME=       proftpd
> PORTVERSION=    1.2.8
> PORTREVISION=   1
>
> Is that the updated port that fixes the vulnerability? It's 1.2.8 still, but I think
> this is the patched version, since the rcsID shows 9/23 which is yesterday.

Yes, this is the fixed version. Although the port version is still at 1.2.8, the port revision was bumped to 1 yesterday (it was not defined previously, which would be equivalent to a revision of 0), so that the FreeBSD port version is now actually 1.2.8_1.

G'luck,
Peter

--
Peter Pentchev    roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD4DBQE/cUeo7Ri2jRYZRVMRAkptAKCcVyIVcxUEYABPdqWEJkOnGXdCSACY3E3H
cB/A1tVgty+KeQhNjKew8Q==
=hHq5
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 02:16:12 2003
Date: Wed, 24 Sep 2003 11:16:03 +0200
From: Sheldon Hearn
To: Haesu
cc: security@freebsd.org
Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code
Message-ID: <20030924091603.GC22622@starjuice.net>
In-Reply-To: <20030923205318.GB3346@scylla.towardex.com>

On (2003/09/23 16:53), Haesu wrote:
> Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD
> 4.8/4.9 are not affected :)

Since -CURRENT's using a modified OpenSSH_3.6.1p1, I don't think this issue affects FreeBSD at all.

Ciao,
Sheldon.

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 07:20:19 2003
Date: Wed, 24 Sep 2003 09:20:15 -0500
From: "Jacques A. Vidrine"
To: Sheldon Hearn
cc: security@freebsd.org
cc: Haesu
Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code
Message-ID: <20030924142015.GC57288@madman.celabo.org>
In-Reply-To: <20030924091603.GC22622@starjuice.net>

On Wed, Sep 24, 2003 at 11:16:03AM +0200, Sheldon Hearn wrote:
> On (2003/09/23 16:53), Haesu wrote:
>
> > Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD
> > 4.8/4.9 are not affected :)
>
> Since -CURRENT's using a modified OpenSSH_3.6.1p1, I don't think this
> issue affects FreeBSD at all.

Unfortunately, it _does_ affect us. The PAM code in OpenSSH 3.7x was
taken from FreeBSD's PAM code. des@ is working the issue now.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 07:27:30 2003
Date: Wed, 24 Sep 2003 09:27:17 -0500
From: D J Hawkey Jr
To: "Jacques A. Vidrine"
cc: security@freebsd.org
Reply-To: hawkeyd@visi.com
Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code
Message-ID: <20030924142717.GA9026@sheol.localdomain>
In-Reply-To: <20030924142015.GC57288@madman.celabo.org>

On Sep 24, at 09:20 AM, Jacques A. Vidrine wrote:
>
> On Wed, Sep 24, 2003 at 11:16:03AM +0200, Sheldon Hearn wrote:
> > On (2003/09/23 16:53), Haesu wrote:
> >
> > > Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD
> > > 4.8/4.9 are not affected :)
> >
> > Since -CURRENT's using a modified OpenSSH_3.6.1p1, I don't think this
> > issue affects FreeBSD at all.
>
> Unfortunately, it _does_ affect us. The PAM code in OpenSSH 3.7x was
> taken from FreeBSD's PAM code. des@ is working the issue now.

But just "portable", right? Or are any "core" OpenSSHes across various
FreeBSD releases also vulnerable?

Thanks,
Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 07:29:56 2003
Date: Wed, 24 Sep 2003 07:29:53 -0700 (PDT)
Message-Id: <200309241429.h8OETrhk097904@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-03:14.arp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:14.arp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          denial of service due to ARP resource starvation

Category:       core
Module:         sys
Announced:      2003-09-23
Credits:        Apple Product Security
Affects:        All releases of FreeBSD
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
                2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
                2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
                2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
                2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
                2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
                2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
                2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
                2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39)
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The Address Resolution Protocol (ARP) is fundamental to the operation
of IP with a variety of network technologies, such as Ethernet and
WLAN. It is used to map IP addresses to MAC addresses, which enables
hosts on a local network segment to communicate with each other
directly. These mappings are stored in the system's ARP cache.

FreeBSD's ARP cache is implemented within the kernel routing table as
a set of routes for the address family in use that have the LLINFO
flag set. This is most commonly AF_INET (for IPv4).

Normally, when a FreeBSD system receives an ARP request for a network
address configured on one of its interfaces from a system on a local
network, it adds a reciprocal ARP entry to the cache for the system
from where the request originated. Expiry timers are used to purge
unused entries from the ARP cache. A reference count is maintained
for each ARP entry. If the reciprocal ARP entry is not in use by an
upper layer protocol, the reference count will be zero.

II.  Problem Description

Under certain circumstances, it is possible for an attacker to flood a
FreeBSD system with spoofed ARP requests, causing resource starvation
which eventually results in a system panic. (The critical condition is
that a route exists for the apparent source of the ARP request. This
is always the case if the system has a default route configured for
that protocol family.)

If a large number of ARP requests with different network protocol
addresses are sent in a small space of time, resource starvation can
result, as the arplookup() function does not delete unnecessary ARP
entries cached as the result of responding to an ARP request.

NOTE WELL: Other BSD-derived systems may also be affected, as the
affected code dates well back to the CSRG branches.

III. Impact

An attacker on the local network may be able to cause the system to
hang or crash. The attacker must have physical access to the shared
network medium. In the case of a wireless network obtaining this
access may be trivial.

Networks where proxy ARP is used to direct traffic between LANs may be
particularly vulnerable to the attack, as the spoofed ARP requests
could be bounced through to the target via routers implementing proxy
ARP.

Because the attack operates at Layer 2, the use of strong encryption
technologies such as IPsec cannot protect a system against the attack.

IV.  Workaround

There is no known workaround at this time.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_1,
RELENG_5_0, RELENG_4_8, or RELENG_4_7 security branch dated after the
correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5-CURRENT,
4.9-PRERELEASE, and 4.8 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:14/arp.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:14/arp.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Rebuild your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch / Path                                                    Revision
- -------------------------------------------------------------------------
RELENG_4
  src/sys/netinet/if_ether.c                                    1.64.2.25
RELENG_5_1
  src/UPDATING                                                  1.251.2.8
  src/sys/conf/newvers.sh                                        1.50.2.8
  src/sys/netinet/if_ether.c                                    1.104.2.1
RELENG_5_0
  src/UPDATING                                                 1.229.2.21
  src/sys/conf/newvers.sh                                       1.48.2.16
  src/sys/netinet/if_ether.c                                     1.96.2.1
RELENG_4_8
  src/UPDATING                                              1.73.2.80.2.10
  src/sys/conf/newvers.sh                                    1.44.2.29.2.9
  src/sys/netinet/if_ether.c                                1.64.2.22.2.1
RELENG_4_7
  src/UPDATING                                              1.73.2.74.2.21
  src/sys/conf/newvers.sh                                   1.44.2.26.2.20
  src/sys/netinet/if_ether.c                                1.64.2.19.2.1
RELENG_4_6
  src/UPDATING                                              1.73.2.68.2.50
  src/sys/conf/newvers.sh                                   1.44.2.23.2.38
  src/sys/netinet/if_ether.c                                1.64.2.18.2.1
RELENG_4_5
  src/UPDATING                                              1.73.2.50.2.50
  src/sys/conf/newvers.sh                                   1.44.2.20.2.34
  src/sys/netinet/if_ether.c                                1.64.2.15.2.1
RELENG_4_4
  src/UPDATING                                              1.73.2.43.2.51
  src/sys/conf/newvers.sh                                   1.44.2.17.2.42
  src/sys/netinet/if_ether.c                                1.64.2.11.2.1
RELENG_4_3
  src/UPDATING                                              1.73.2.28.2.38
  src/sys/conf/newvers.sh                                   1.44.2.14.2.28
  src/sys/netinet/if_ether.c                                1.64.2.10.2.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/caZOFdaIBMps37IRApJAAJoDBwhwQXQli7PKuVigYwgTSaDaqwCfUoFD
5CupjAoAR1irbq9TSn3Id+4=
=G144
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 07:38:40 2003
Date: Wed, 24 Sep 2003 07:38:32 -0700
Message-ID: <3F71AC68.2020607@tenebras.com>
From: Michael Sierchio
To: security@freebsd.org
Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code
In-Reply-To: <20030924142015.GC57288@madman.celabo.org>

Jacques A. Vidrine wrote:

> Unfortunately, it _does_ affect us. The PAM code in OpenSSH 3.7x was
> taken from FreeBSD's PAM code. des@ is working the issue now.

Jacques, Dag-Erling -

The effort is much appreciated. There are a couple of PAMs I'm working
on at the moment, and would love to be able to trust the AAA chain.

Regards,
MS

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 07:44:27 2003
Date: Wed, 24 Sep 2003 07:44:26 -0700
Message-ID: <3F71ADCA.7090408@tenebras.com>
From: Michael Sierchio
To: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp
In-Reply-To: <200309241429.h8OETrhk097904@freefall.freebsd.org>

FreeBSD Security Advisories wrote:

> IV. Workaround
>
> There is no known workaround at this time.

Using static ARP entries and turning off ARP on the interface
should be a workaround. Whether this is remotely feasible
depends on your situation.

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 08:31:03 2003
From: Jesse Guardiani
Date: Wed, 24 Sep 2003 10:27:37 -0400
Organization: WingNET
To: freebsd-security@freebsd.org
Reply-To: jesse@wingnet.net
Subject: unified authentication

Howdy list,

Sorry if this is a frequently discussed topic, or an off-topic question,
but I couldn't find much info about my question by performing quick
searches in the archives, and my question is pretty tightly related to
security...

Background:
===========

I have a number of FreeBSD machines. Most are 4.x, but a few are 5.x
(mainly the testing/devel machines). I also have a single Red Hat Linux
machine (mostly a former employee's play toy), a legacy BSDi 4.1 machine,
and a single Windows 2000 Server. And, of course, I have a number of
Cisco routers of all shapes, sizes, and capacities.

I have recently been plagued by the security audit woes, as employees
have left the company and new employees have come in. The former Sys
Admin didn't keep a list of places where passwords are stored, and the
company really has very little in the way of a security policy, so I'm
having to audit and document as I go.

The motivation behind this email is simply that I am seeking to end my
security woes. I'd like to be able to quickly (10-30 minutes) set up and
remove employees from the various servers/routers and have the knowledge
that I haven't missed anything.

I've been thinking about it, and it seems like it would be beneficial to
define "security clearances" and possibly different passwords for each
employee at each security clearance level. That way, if one password was
somehow sniffed or stolen, the security breach might stand a better
chance of being contained.

Software:
=========

Here is a quick summary of the software we use:

Mail Server:
------------
qmail-1.03
MySQL (for vpopmail authentication)
vpopmail
qmailadmin
sqwebmail
Apache 1.3.28 (PHP4, mod_perl)

Web Server:
-----------
Apache 1.3.28 (PHP4, mod_perl)
MySQL

The mail server already has a robust, tightly integrated, and very fast
authentication system with vpopmail + MySQL. And we are currently working
on integrating this authentication system into our billing system. These
facts lead me to believe that I would like our mail server's auth system
to be totally separate from the "corporate" auth system. If we want an
employee to have an email account, we will either set up an internal mail
server, add the employee to the billing system with a free rate code, or
develop some sort of automation system that takes the corporate auth
database and merges it with the billing system.

The web server, on the other hand, is a different matter altogether. I
would like to see some meshing of the "corporate" auth system and the web
server. This way, I could define a certain website or web page to be
within a certain security clearance for read access and/or write access,
and the employee would automatically have the appropriate access based on
security clearance.

Questions:
==========

Anyway, I'm seeking more of a discussion than a single definitive answer
at this point. I'm ashamed to admit it, but I'm really not aware of what
my options are, or what the strengths and weaknesses of each option might
be. Listed below are the buzz words I've heard which I think might be
possible options:

1.) Kerberos
2.) PAM (Seems to be more of a library than a complete solution.)
3.) LDAP
4.) RADIUS
5.) NIS/NIS+

We already use RADIUS to authenticate our dialup pool, and I wouldn't
mind using it to authenticate employees, but I'm not sure if I can use
RADIUS to authenticate FreeBSD system logins and such.

The rest of the above items are relatively foreign to me. At first, I
thought Kerberos sounded like the best solution, but the more I read
about it, the more I start to think it may be an aging solution and that
I might be better served to go with something else. Then again, I think
I've seen kerberos authentication options in my Cisco routers... so maybe
it's a good choice after all...

In conclusion, I'd love to hear how other people have defined and
implemented their organization's security model. Any personal stories,
website links, or advice would be welcome.

Thanks!

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 08:32:07 2003
Date: Wed, 24 Sep 2003 10:32:04 -0500
From: "Jacques A. Vidrine"
To: D J Hawkey Jr
cc: security@freebsd.org
Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code
Message-ID: <20030924153204.GE57702@madman.celabo.org>
In-Reply-To: <20030924142717.GA9026@sheol.localdomain>

On Wed, Sep 24, 2003 at 09:27:17AM -0500, D J Hawkey Jr wrote:
> On Sep 24, at 09:20 AM, Jacques A. Vidrine wrote:
> >
> > On Wed, Sep 24, 2003 at 11:16:03AM +0200, Sheldon Hearn wrote:
> > > On (2003/09/23 16:53), Haesu wrote:
> > >
> > > > Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD
> > > > 4.8/4.9 are not affected :)
> > >
> > > Since -CURRENT's using a modified OpenSSH_3.6.1p1, I don't think this
> > > issue affects FreeBSD at all.
> >
> > Unfortunately, it _does_ affect us. The PAM code in OpenSSH 3.7x was
> > taken from FreeBSD's PAM code. des@ is working the issue now.
>
> But just "portable", right?

No, not just OpenSSH-portable.

> Or are any "core" OpenSSHes across various
> FreeBSD releases also vulnerable?

I'm only talking about the base system OpenSSH above (which is based on
OpenSSH-portable), but both `openssh' and `openssh-portable' in the
Ports Collection are likely affected, as they contain the same code
(brought in by the port maintainer).

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 08:56:14 2003
Date: Wed, 24 Sep 2003 08:56:13 -0700
Message-ID: <3F71BE9D.7000401@tenebras.com>
From: Michael Sierchio
To: security@freebsd.org
Subject: Possible (or possibly painful) workaround for FreeBSD-SA-03:14.arp

Of course you should patch/upgrade, etc. A stopgap measure could be to
use static ARP for a segment. I have done this for a long time with
wireless hosts, since I'm in an urban environment with many visible
nodes, some in autos, and ARP cache poisoning is a well-known DoS
against wireless.

You may find it extremely painful and less-than-useful to have static
IP addrs, etc. for hosts.

Here's a snippet of /usr/local/etc/rc.d/20-statarp.sh from my FreeBSD
host (192.168.1.1) serving as a wireless router:

#! /bin/sh

PATH=/usr/sbin:/sbin

# Turn ARP off on the wireless interface, then flush every learned
# entry so that only the static ones loaded below remain.
# Redirect order matters: stdout goes to /dev/null first, then stderr
# is pointed at the same place; the other way round leaves stderr on
# the terminal.
ifconfig wi0 -arp
arp -d -a > /dev/null 2>&1

# wireless NICs
arp -s 192.168.1.1   00:02:2d:0e:00:40 > /dev/null 2>&1
arp -s 192.168.1.129 00:30:ab:14:11:46 > /dev/null 2>&1
arp -s 192.168.1.130 00:30:ab:14:11:f6 > /dev/null 2>&1
# ... many entries deleted ...
arp -s 192.168.1.195 00:30:ab:14:0f:89 > /dev/null 2>&1
# end

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 09:21:27 2003
Date: Wed, 24 Sep 2003 19:21:11 +0300
From: Ruslan Ermilov
To: Michael Sierchio
cc: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp
Message-ID: <20030924162111.GA23542@sunbay.com>
In-Reply-To: <3F71ADCA.7090408@tenebras.com>

On Wed, Sep 24, 2003 at 07:44:26AM -0700, Michael Sierchio wrote:
> FreeBSD Security Advisories wrote:
>
> >IV. Workaround
> >
> >There is no known workaround at this time.
>
> Using static ARP entries and turning off ARP on the interface
> should be a workaround. Whether this is remotely feasible
> depends on your situation.
>
I still have not committed the code that supports static ARP
on an interface -- there's currently no way to do static ARP
only, if you disable ARP on an interface it will be disabled
in its whole.

Cheers,
--
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software Ltd,
ru@FreeBSD.org		FreeBSD committer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE/ccR3Ukv4P6juNwoRAl+qAJ4j6MOzbCr00yFDQe/IGGRlhp4UkgCeIkwK
Rcax+v2rY9PAIq/JNpJx2B0=
=UNJd
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 09:27:14 2003
Date: Wed, 24 Sep 2003 09:27:11 -0700
Message-ID: <3F71C5DF.5030506@tenebras.com>
From: Michael Sierchio
To: Ruslan Ermilov
cc: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp
In-Reply-To: <20030924162111.GA23542@sunbay.com>

Ruslan Ermilov wrote:

> On Wed, Sep 24, 2003 at 07:44:26AM -0700, Michael Sierchio wrote:
>
>> FreeBSD Security Advisories wrote:
>>
>>> IV. Workaround
>>>
>>> There is no known workaround at this time.
>>
>> Using static ARP entries and turning off ARP on the interface
>> should be a workaround. Whether this is remotely feasible
>> depends on your situation.
>
> I still have not committed the code that supports static ARP
> on an interface -- there's currently no way to do static ARP
> only, if you disable ARP on an interface it will be disabled
> in its whole.

I'm puzzled by this -- you mean when I see

  wi0: flags=88c3 mtu 1366

it's just *kidding* about the NOARP flag? IOW the NOARP flag changes
the output of ifconfig, and that's it?
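The advisory quoted earlier in this thread (FreeBSD-SA-03:14.arp, section II) describes the condition a defender can actually watch for: many ARP requests, each with a different sender protocol address, arriving in a short interval, with senders that are not on the segment at all (the "route exists for the apparent source" case). The script below is an added example for this thread, not code from the advisory or from any list post. It parses ARP request lines and raises an alert when the number of distinct senders inside a sliding one-second window crosses a threshold, and lists the off-link senders. The input format it assumes, `HH:MM:SS.usec arp who-has <target> tell <sender>` as printed by `tcpdump -n arp`, and the capture it runs on are both constructed here.

```python
"""Flag ARP-request bursts of the kind described in FreeBSD-SA-03:14.arp.

Constructed example for this thread, not code from the advisory or from
any list post.  The input format assumed (an assumption, not taken from
the thread) is that of `tcpdump -n arp`:

    HH:MM:SS.usec arp who-has <target-ip> tell <sender-ip>

ARP replies and anything else are ignored.
"""
import ipaddress
import re
from collections import deque

ARP_REQUEST_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) arp who-has (?P<target>\S+) tell (?P<sender>\S+)$"
)


def parse_request(line):
    """Return (seconds since midnight, target, sender) for an ARP request line,
    or None for any other line (replies, non-ARP traffic, garbage)."""
    m = ARP_REQUEST_RE.match(line.strip())
    if m is None:
        return None
    hh, mm, ss = m.group("ts").split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss), m.group("target"), m.group("sender")


def detect_flood(lines, window=1.0, max_distinct=50, local_net="192.168.1.0/24"):
    """Sliding-window count of distinct ARP request senders.

    Returns (alerts, off_link):
      alerts   - list of (timestamp, distinct_senders), one entry each time
                 the number of distinct senders seen within `window` seconds
                 first exceeds `max_distinct` (no repeats while it stays above)
      off_link - sorted sender addresses outside `local_net`; a legitimate
                 ARP request sender is always on the local segment, so these
                 are the addresses that would each cost the target a cached
                 reciprocal entry
    """
    net = ipaddress.ip_network(local_net)
    recent = deque()      # (timestamp, sender) pairs inside the window
    per_sender = {}       # sender -> number of requests inside the window
    alerts, off_link, above = [], set(), False
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        ts, _target, sender = parsed
        if ipaddress.ip_address(sender) not in net:
            off_link.add(sender)
        recent.append((ts, sender))
        per_sender[sender] = per_sender.get(sender, 0) + 1
        # Expire entries older than the window; the window slides with ts.
        while ts - recent[0][0] > window:
            _old_ts, old_sender = recent.popleft()
            per_sender[old_sender] -= 1
            if per_sender[old_sender] == 0:
                del per_sender[old_sender]
        distinct = len(per_sender)
        if distinct > max_distinct and not above:
            alerts.append((ts, distinct))
            above = True
        elif distinct <= max_distinct:
            above = False
    return alerts, sorted(off_link, key=ipaddress.ip_address)


def sample_capture():
    """Constructed capture: ordinary requests from the 192.168.1.0/24 segment,
    then 60 requests in 0.3 s, each with a different off-link sender."""
    lines = [
        "09:27:10.000100 arp who-has 192.168.1.1 tell 192.168.1.129",
        "09:27:10.000400 arp reply 192.168.1.1 is-at 00:02:2d:0e:00:40",
        "09:27:12.500000 arp who-has 192.168.1.1 tell 192.168.1.130",
    ]
    for i in range(60):
        lines.append("09:27:18.%06d arp who-has 192.168.1.1 tell 10.77.3.%d" % (i * 5000, i + 1))
    lines.append("09:27:25.000000 arp who-has 192.168.1.1 tell 192.168.1.195")
    return lines


if __name__ == "__main__":
    found, spoofed = detect_flood(sample_capture())
    for ts, n in found:
        print("burst: %d distinct ARP request senders within 1 s at t=%.3f" % (n, ts))
    print("off-link senders: %d (first %s, last %s)" % (len(spoofed), spoofed[0], spoofed[-1]))
```

The threshold is deliberately a parameter: on a busy segment a few dozen distinct requesters per second is normal, so tune `max_distinct` to the segment rather than to this sample. The off-link list is the more reliable signal, since nothing legitimate on the segment should be asking with a sender address from another network.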
From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 09:32:53 2003
Date: Wed, 24 Sep 2003 09:32:51 -0700
Message-ID: <3F71C733.6070708@tenebras.com>
From: Michael Sierchio
To: Ruslan Ermilov
cc: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp
In-Reply-To: <20030924162111.GA23542@sunbay.com>

Ruslan Ermilov wrote:

> I still have not committed the code that supports static ARP
> on an interface -- there's currently no way to do static ARP
> only, if you disable ARP on an interface it will be disabled
> in its whole.

It's clear to me that turning ARP off on wi0 on my machine means no
gratuitous arp will be xmitted, and no arp messages will be responded
to. It's also clear that the static arp entries for the wireless LAN
get entered into the table, and that ARP continues to work on the wired
section. Are you saying I'm hallucinating?
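The exchange above turns on whether the static-ARP workaround is really in effect on the interface: the entries are loaded, they are marked permanent, nothing else has crept into the table, and the interface carries NOARP. The script below is an added example for this thread, not code from any list post. It compares the table an administrator loaded with `arp -s` (as in the rc.d snippet posted earlier) against `arp -an` and `ifconfig` output and reports every discrepancy. The `arp -an` and `ifconfig` line formats, and the sample output it runs on, are constructed here on the assumption that FreeBSD prints `? (ip) at mac on ifname permanent [ethernet]` and `ifname: flags=hex<...> mtu N`; IFF_NOARP being bit 0x80 of the flags word comes from FreeBSD's <net/if.h>.

```python
"""Check that a static-ARP workaround is actually in place on one interface.

Constructed example for the static ARP discussion in this thread; it is not
code from any list post.  The `arp -an` and `ifconfig` line formats are
assumed to be FreeBSD's (an assumption, not something the thread shows):

    ? (192.168.1.129) at 00:30:ab:14:11:46 on wi0 permanent [ethernet]
    wi0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1366
"""
import re

ARP_ENTRY_RE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}|\(incomplete\)) "
    r"on (?P<ifname>\S+)(?P<rest>.*)$"
)
IFF_NOARP = 0x80  # bit value of IFF_NOARP in FreeBSD's <net/if.h>


def _ipkey(ip):
    return tuple(int(octet) for octet in ip.split("."))


def parse_arp_table(arp_output):
    """Parse `arp -an` output into dicts with ip, mac, ifname and permanent."""
    entries = []
    for line in arp_output.splitlines():
        m = ARP_ENTRY_RE.match(line.strip())
        if m is None:
            continue
        entries.append({
            "ip": m.group("ip"),
            "mac": m.group("mac").lower(),
            "ifname": m.group("ifname"),
            "permanent": " permanent" in m.group("rest"),
        })
    return entries


def interface_has_noarp(ifconfig_output, ifname):
    """True when the flags word ifconfig prints for ifname has IFF_NOARP set."""
    m = re.search(r"^%s: flags=([0-9a-fA-F]+)" % re.escape(ifname), ifconfig_output, re.M)
    return m is not None and bool(int(m.group(1), 16) & IFF_NOARP)


def check_static_arp(arp_output, ifconfig_output, ifname, expected):
    """Compare the live table for `ifname` with `expected` ({ip: mac}).

    Returns a dict of findings keyed by problem type; an empty dict means the
    static-ARP workaround is fully in place on that interface.
    """
    live = {e["ip"]: e for e in parse_arp_table(arp_output) if e["ifname"] == ifname}
    findings = {}
    missing = sorted((ip for ip in expected if ip not in live), key=_ipkey)
    unexpected = sorted((ip for ip in live if ip not in expected), key=_ipkey)
    mac_mismatch = sorted((ip for ip, mac in expected.items()
                           if ip in live and live[ip]["mac"] != mac.lower()), key=_ipkey)
    not_permanent = sorted((ip for ip in expected
                            if ip in live and not live[ip]["permanent"]), key=_ipkey)
    for name, ips in (("missing", missing), ("unexpected", unexpected),
                      ("mac_mismatch", mac_mismatch), ("not_permanent", not_permanent)):
        if ips:
            findings[name] = ips
    if not interface_has_noarp(ifconfig_output, ifname):
        findings["arp_enabled"] = ifname
    return findings


# Constructed samples.  The wi0 MACs for .1, .129 and .130 are the ones in
# the rc.d snippet posted earlier; .195's MAC is deliberately altered, .200
# is absent from the table, and .77 is a dynamic entry nobody configured.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:02:2d:0e:00:40 on wi0 permanent [ethernet]
? (192.168.1.129) at 00:30:ab:14:11:46 on wi0 permanent [ethernet]
? (192.168.1.130) at 00:30:ab:14:11:f6 on wi0 [ethernet]
? (192.168.1.195) at 00:30:ab:14:0f:90 on wi0 permanent [ethernet]
? (192.168.1.77) at 00:0c:29:12:34:56 on wi0 [ethernet]
? (10.0.0.1) at 00:50:56:c0:00:08 on fxp0 permanent [ethernet]
? (10.0.0.9) at (incomplete) on fxp0 [ethernet]
"""
SAMPLE_IFCONFIG = """\
wi0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1366
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
"""
EXPECTED_WI0 = {
    "192.168.1.1": "00:02:2d:0e:00:40",
    "192.168.1.129": "00:30:ab:14:11:46",
    "192.168.1.130": "00:30:ab:14:11:f6",
    "192.168.1.195": "00:30:ab:14:0f:89",
    "192.168.1.200": "00:30:ab:14:20:00",
}

if __name__ == "__main__":
    report = check_static_arp(SAMPLE_ARP, SAMPLE_IFCONFIG, "wi0", EXPECTED_WI0)
    for problem, detail in sorted(report.items()):
        print("%-14s %s" % (problem, detail))
```

Run against real output, feed it the text of `arp -an` and `ifconfig <ifname>` and the same IP-to-MAC table the rc.d script loads; a `mac_mismatch` finding on a NOARP interface means the table was changed by something other than the script, and `not_permanent` or `unexpected` findings mean the flush-and-load step did not leave the table in the state the script intends.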
From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 09:35:04 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CB6B616A4C0 for ; Wed, 24 Sep 2003 09:35:04 -0700 (PDT) Received: from tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id 40B1B43FE0 for ; Wed, 24 Sep 2003 09:35:04 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 98694 invoked from network); 24 Sep 2003 16:35:02 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 24 Sep 2003 16:35:02 -0000 Message-ID: <3F71C7B5.5080509@tenebras.com> Date: Wed, 24 Sep 2003 09:35:01 -0700 
From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: jesse@wingnet.net References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: unified authentication X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 16:35:04 -0000 Jesse Guardiani wrote: If you'd like to help me work on my Active Directory Connector PAM module, I'd welcome it. ;-) From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 10:04:59 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5E69216A4C0 for ; Wed, 24 Sep 2003 10:04:59 -0700 (PDT) Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5F6504400D for ; Wed, 24 Sep 2003 10:04:53 -0700 (PDT) (envelope-from ru@sunbay.com) Received: from whale.sunbay.crimea.ua (ru@localhost [127.0.0.1]) h8OH4grX030640 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 24 Sep 2003 20:04:43 +0300 (EEST) (envelope-from ru@sunbay.com) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.12.9/8.12.8/Submit) id h8OH4gXA030639; Wed, 24 Sep 2003 20:04:42 +0300 (EEST) (envelope-from ru) Date: Wed, 24 Sep 2003 20:04:42 +0300 
From: Ruslan Ermilov To: Michael Sierchio Message-ID: <20030924170442.GC23542@sunbay.com> References: <200309241429.h8OETrhk097904@freefall.freebsd.org> <3F71ADCA.7090408@tenebras.com> <20030924162111.GA23542@sunbay.com> <3F71C733.6070708@tenebras.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="mSxgbZZZvrAyzONB" Content-Disposition: inline In-Reply-To: <3F71C733.6070708@tenebras.com> User-Agent: Mutt/1.5.4i cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 17:04:59 -0000 --mSxgbZZZvrAyzONB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Sep 24, 2003 at 09:32:51AM -0700, Michael Sierchio wrote: > Ruslan Ermilov wrote: > > >I still have not committed the code that supports static ARP > >on an interface -- there's currently no way to do static ARP > >only, if you disable ARP on an interface it will be disabled > >in its whole. > > It's clear to me that turning ARP off on wi0 on my machine > means no gratuitous arp will be xmitted, and no arp messages > will be responded to. It's also clear that the static arp > entries for the wireless LAN get entered into the table, and > that ARP continues to work on the wired section. > > Are you saying I'm hallucinating? > Right. But static ARP means something different. It means that the ARP table is frozen, but the system will still reply to ARP requests for its addresses, which is not done if IFF_NOARP flag is set on an interface.
Cheers, --=20 Ruslan Ermilov Sysadmin and DBA, ru@sunbay.com Sunbay Software Ltd, ru@FreeBSD.org FreeBSD committer --mSxgbZZZvrAyzONB Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE/cc6qUkv4P6juNwoRAumLAJ4jP4Oj/bQUZLiJf9tCB3spJoSakACcC83Y X+IUB//ksiSCgvDHC4rDDN0= =/kQg -----END PGP SIGNATURE----- --mSxgbZZZvrAyzONB-- From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 10:10:34 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CDF0616A4B3 for ; Wed, 24 Sep 2003 10:10:34 -0700 (PDT) Received: from tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id E492F4401A for ; Wed, 24 Sep 2003 10:10:31 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 99220 invoked from network); 24 Sep 2003 17:10:31 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 24 Sep 2003 17:10:31 -0000 Message-ID: <3F71D007.3040406@tenebras.com> Date: Wed, 24 Sep 2003 10:10:31 -0700 
From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: Ruslan Ermilov References: <200309241429.h8OETrhk097904@freefall.freebsd.org> <3F71ADCA.7090408@tenebras.com> <20030924162111.GA23542@sunbay.com> <3F71C733.6070708@tenebras.com> <20030924170442.GC23542@sunbay.com> In-Reply-To: <20030924170442.GC23542@sunbay.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 17:10:34 -0000 Ruslan Ermilov wrote: > Right. But static ARP means something different. It means > that the ARP table is frozen, but the system will still reply > to ARP requests for its addresses, which is not done if > IFF_NOARP flag is set on an interface. Okay, I may have been misusing the term. I meant *permanent* and *manual* entries in the ARP table, via the arp command, and disabling ARP on the interface. That seems to work. What does your lexicon say for "static arp?"
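The difference Ruslan draws above between turning ARP off and freezing the table, modelled as an added example (Python, not FreeBSD's kernel code). The model has three policies: normal ARP, static ARP in Ruslan's sense (answer requests for our own addresses, never create or change entries from received packets), and `-arp`/IFF_NOARP (answer nothing, learn nothing). The learning rules mirror in_arpinput(): an entry is created only for a packet addressed to us, a changed MAC on a dynamic entry is logged as "moved", and a permanent (`arp -s`) entry is never overwritten. Hosts, MACs and frames are invented.

```python
"""Model of the three ARP policies the thread distinguishes.  Added example,
not FreeBSD code: normal ARP, static ARP in Ruslan's sense (answer requests
for our own addresses, never create or change entries from received
packets), and -arp / IFF_NOARP (answer nothing, learn nothing).  The
learning rules mirror in_arpinput(): an entry is created only for packets
addressed to us, a changed MAC on a dynamic entry is logged as "moved", and
a permanent (arp -s) entry is never overwritten.  Hosts, MACs and frames
below are invented.
"""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"      # hrd, pro, hln, pln, op, sha, spa, tha, tpa
DYNAMIC, STATIC, NOARP = "arp", "staticarp", "-arp"   # the ifconfig keywords


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(op, sha, spa, tha, tpa):
    """Build the 28-byte Ethernet/IPv4 ARP body (no Ethernet header)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


class ArpHost:
    def __init__(self, my_ip, my_mac, mode):
        self.my_ip, self.my_mac, self.mode = ip(my_ip), mac(my_mac), mode
        self.table = {}         # ip bytes -> [mac bytes, permanent]
        self.log = []
        self.replies = 0

    def arp_s(self, host, hwaddr):
        """Install a permanent entry, as `arp -s host hwaddr` does."""
        self.table[ip(host)] = [mac(hwaddr), True]

    def lookup(self, host):
        entry = self.table.get(ip(host))
        return entry[0] if entry else None

    def _learn(self, spa, sha, create):
        entry = self.table.get(spa)
        if entry is None:
            if create:                  # only for packets aimed at us
                self.table[spa] = [sha, False]
            return
        if entry[0] != sha:
            if entry[1]:
                self.log.append("attempt to modify permanent entry")
                return                  # kernel refuses and goes to reply
            self.log.append("moved")
        entry[0] = sha

    def input(self, frame):
        """Process one received ARP body; return the reply body or None."""
        if self.mode == NOARP:
            return None                 # dropped before ARP input runs
        hrd, pro, hln, pln, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame)
        if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
            return None
        if spa == self.my_ip:
            self.log.append("duplicate address")
            tpa = self.my_ip            # kernel answers so the clash shows up
        elif self.mode == DYNAMIC:
            self._learn(spa, sha, create=(tpa == self.my_ip))
        # STATIC: the learning step is skipped, the patch's `goto reply`
        if op != ARP_REQUEST or tpa != self.my_ip:
            return None
        self.replies += 1
        return build_arp(ARP_REPLY, self.my_mac, self.my_ip, sha, spa)


ME, ME_MAC = "10.9.8.2", "00:0a:0b:0c:0d:02"
GW, GW_MAC = "10.9.8.1", "00:0a:0b:0c:0d:01"
ATTACKER_MAC = "00:30:65:aa:bb:cc"


def run_scenario(mode, permanent_gateway):
    """The gateway asks for us, then an attacker claims the gateway's IP with
    a request and with a gratuitous reply.  Returns (MAC we would now send
    gateway traffic to, replies sent, log)."""
    host = ArpHost(ME, ME_MAC, mode)
    if permanent_gateway:
        host.arp_s(GW, GW_MAC)
    nobody = b"\0" * 6
    for frame in (
        build_arp(ARP_REQUEST, mac(GW_MAC), ip(GW), nobody, ip(ME)),        # genuine
        build_arp(ARP_REQUEST, mac(ATTACKER_MAC), ip(GW), nobody, ip(ME)),  # spoofed
        build_arp(ARP_REPLY, mac(ATTACKER_MAC), ip(GW), mac(ME_MAC), ip(ME)),
    ):
        host.input(frame)
    learned = host.lookup(GW)
    return (learned.hex(":") if learned else None, host.replies, host.log)


if __name__ == "__main__":
    for mode in (DYNAMIC, STATIC, NOARP):
        for permanent in (False, True):
            print("%-9s arp -s:%-5s -> %s" % (mode, permanent, run_scenario(mode, permanent)))
```

What the six runs show: with plain ARP and no manual entry the spoofed request rewrites the gateway's MAC; a permanent entry survives even under plain ARP, but only for the addresses it covers; `staticarp` freezes everything while still answering, so it needs the `arp -s` entries to be useful at all; and `-arp` answers nothing, so a peer without its own manual entry for this host cannot reach it, which is why Michael's setup needs entries on both ends.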
From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 10:12:26 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3A4C516A4B3 for ; Wed, 24 Sep 2003 10:12:26 -0700 (PDT) Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 30E3C43FB1 for ; Wed, 24 Sep 2003 10:12:17 -0700 (PDT) (envelope-from ru@sunbay.com) Received: from whale.sunbay.crimea.ua (ru@localhost [127.0.0.1]) h8OHC8rX032213 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 24 Sep 2003 20:12:08 +0300 (EEST) (envelope-from ru@sunbay.com) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.12.9/8.12.8/Submit) id h8OHC8AG032212; Wed, 24 Sep 2003 20:12:08 +0300 (EEST) (envelope-from ru) Date: Wed, 24 Sep 2003 20:12:08 +0300 
From: Ruslan Ermilov To: Michael Sierchio Message-ID: <20030924171208.GA31618@sunbay.com> References: <200309241429.h8OETrhk097904@freefall.freebsd.org> <3F71ADCA.7090408@tenebras.com> <20030924162111.GA23542@sunbay.com> <3F71C733.6070708@tenebras.com> <20030924170442.GC23542@sunbay.com> <3F71D007.3040406@tenebras.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="WIyZ46R2i8wDzkSu" Content-Disposition: inline In-Reply-To: <3F71D007.3040406@tenebras.com> User-Agent: Mutt/1.5.4i cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 17:12:26 -0000 --WIyZ46R2i8wDzkSu Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Sep 24, 2003 at 10:10:31AM -0700, Michael Sierchio wrote: > Ruslan Ermilov wrote: > > >Right. But static ARP means something different. It means > >that the ARP table is frozen, but the system will still reply > >to ARP requests for its addresses, which is not done if > >IFF_NOARP flag is set on an interface. > > Okay, I may have been misusing the term. I meant *permanent* and > *manual* entries in the ARP table, via the arp command, and > disabling ARP on the interface. > > That seems to work. What does your lexicon say for "static arp?" > Read what I have said -- static ARP means that ARP is functional, but no updates are allowed based on information from the network.
Cheers, --=20 Ruslan Ermilov Sysadmin and DBA, ru@sunbay.com Sunbay Software Ltd, ru@FreeBSD.org FreeBSD committer --WIyZ46R2i8wDzkSu Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE/cdBoUkv4P6juNwoRAk9fAJ9zf2GhmpfDsWPYCeLsGAYdseri/ACfVFHq OiBuBnF6dBLA4J4pBR7XtW0= =b5iE -----END PGP SIGNATURE----- --WIyZ46R2i8wDzkSu-- From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 10:20:42 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A011916A4B3; Wed, 24 Sep 2003 10:20:42 -0700 (PDT) Received: from grosbein.pp.ru (D00015.dialonly.kemerovo.su [213.184.66.105]) by mx1.FreeBSD.org (Postfix) with ESMTP id 00BC443FBF; Wed, 24 Sep 2003 10:20:40 -0700 (PDT) (envelope-from eugen@grosbein.pp.ru) Received: from grosbein.pp.ru (eugen@localhost [127.0.0.1]) by grosbein.pp.ru (8.12.9p1/8.12.9) with ESMTP id h8OHKXY8000675; Thu, 25 Sep 2003 01:20:33 +0800 (KRAST) (envelope-from eugen@grosbein.pp.ru) Received: (from eugen@localhost) by grosbein.pp.ru (8.12.9p1/8.12.9/Submit) id h8OHKXnd000674; Thu, 25 Sep 2003 01:20:33 +0800 (KRAST) (envelope-from eugen) Date: Thu, 25 Sep 2003 01:20:33 +0800 
From: Eugene Grosbein To: Ruslan Ermilov Message-ID: <20030925012033.A567@grosbein.pp.ru> References: <200309241429.h8OETrhk097904@freefall.freebsd.org> <3F71ADCA.7090408@tenebras.com> <20030924162111.GA23542@sunbay.com> <3F71C733.6070708@tenebras.com> <20030924170442.GC23542@sunbay.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20030924170442.GC23542@sunbay.com>; from ru@freebsd.org on Wed, Sep 24, 2003 at 08:04:42PM +0300 cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 17:20:42 -0000 On Wed, Sep 24, 2003 at 08:04:42PM +0300, Ruslan Ermilov wrote: > Right. But static ARP means something different. It means > that the ARP table is frozen, but the system will still reply > to ARP requests for its addresses, which is not done if > IFF_NOARP flag is set on an interface. Realization: http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/40763 In production for years. Of course, it is better to apply the patch from the SA.
Eugene Grosbein From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 10:35:26 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1A35416A4D8; Wed, 24 Sep 2003 10:35:26 -0700 (PDT) Received: from avscan2.sentex.ca (avscan2.sentex.ca [199.212.134.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1F6A943FBD; Wed, 24 Sep 2003 10:35:25 -0700 (PDT) (envelope-from mike@sentex.net) Received: from localhost (localhost [127.0.0.1]) by avscan2.sentex.ca (Postfix) with ESMTP id 8FEF359DF3; Wed, 24 Sep 2003 13:35:24 -0400 (EDT) Received: from avscan2.sentex.ca ([127.0.0.1]) by localhost (avscan2.sentex.ca [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 92713-03; Wed, 24 Sep 2003 13:35:24 -0400 (EDT) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by avscan2.sentex.ca (Postfix) with ESMTP id 6014659DED; Wed, 24 Sep 2003 13:35:24 -0400 (EDT) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.9p1/8.12.9) with ESMTP id h8OHZNdK056420; Wed, 24 Sep 2003 13:35:23 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.0.22.0.20030924133736.088d4450@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Wed, 24 Sep 2003 13:38:32 -0400 To: Eugene Grosbein , Ruslan Ermilov 
From: Mike Tancsa In-Reply-To: <20030925012033.A567@grosbein.pp.ru> References: <200309241429.h8OETrhk097904@freefall.freebsd.org> <3F71ADCA.7090408@tenebras.com> <20030924162111.GA23542@sunbay.com> <3F71C733.6070708@tenebras.com> <20030924170442.GC23542@sunbay.com> <20030925012033.A567@grosbein.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by Sentex Communications (avscan2/20030314p2) cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 17:35:26 -0000 At 01:20 PM 24/09/2003, Eugene Grosbein wrote: >In production for years. Of course, it is better to apply patch from SA. Although it seems to have broken a few boxes for people. Have a look at the threads in stable. 
---Mike From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 10:39:10 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C160916A4B3; Wed, 24 Sep 2003 10:39:10 -0700 (PDT) Received: from arginine.spc.org (arginine.spc.org [195.206.69.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id A243143FA3; Wed, 24 Sep 2003 10:39:08 -0700 (PDT) (envelope-from bms@spc.org) Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id E1A0D65444; Wed, 24 Sep 2003 18:39:07 +0100 (BST) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 93925-01-12; Wed, 24 Sep 2003 18:39:07 +0100 (BST) Received: from saboteur.dek.spc.org (lardystuffer.demon.co.uk [212.228.40.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by arginine.spc.org (Postfix) with ESMTP id 2EF9765410; Wed, 24 Sep 2003 18:39:06 +0100 (BST) Received: by saboteur.dek.spc.org (Postfix, from userid 1001) id 0079C31; Wed, 24 Sep 2003 18:39:00 +0100 (BST) Date: Wed, 24 Sep 2003 18:39:00 +0100 
From: Bruce M Simpson To: Ruslan Ermilov Message-ID: <20030924173900.GK650@saboteur.dek.spc.org> References: <200309241429.h8OETrhk097904@freefall.freebsd.org> <3F71ADCA.7090408@tenebras.com> <20030924162111.GA23542@sunbay.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030924162111.GA23542@sunbay.com> cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 17:39:10 -0000 On Wed, Sep 24, 2003 at 07:21:11PM +0300, Ruslan Ermilov wrote: > On Wed, Sep 24, 2003 at 07:44:26AM -0700, Michael Sierchio wrote: > > Using static ARP entries and turning off ARP on the interface > > should be a workaround. Whether this is remotely feasible > > depends on your situation. > > > I still have not committed the code that supports static ARP > on an interface -- there's currently no way to do static ARP > only, if you disable ARP on an interface it will be disabled > in its whole. I'd like to review and potentially test this patch before it goes in, as it sounds interesting and useful to us. Thanks! 
BMS From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 10:42:28 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A4BA016A4B3; Wed, 24 Sep 2003 10:42:28 -0700 (PDT) Received: from arginine.spc.org (arginine.spc.org [195.206.69.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id AF1FA43FFB; Wed, 24 Sep 2003 10:42:27 -0700 (PDT) (envelope-from bms@spc.org) Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id E895465444; Wed, 24 Sep 2003 18:42:26 +0100 (BST) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 93708-04; Wed, 24 Sep 2003 18:42:26 +0100 (BST) Received: from saboteur.dek.spc.org (lardystuffer.demon.co.uk [212.228.40.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by arginine.spc.org (Postfix) with ESMTP id BA8A665410; Wed, 24 Sep 2003 18:42:21 +0100 (BST) Received: by saboteur.dek.spc.org (Postfix, from userid 1001) id 7146731; Wed, 24 Sep 2003 18:42:16 +0100 (BST) Date: Wed, 24 Sep 2003 18:42:16 +0100 
From: Bruce M Simpson To: Eugene Grosbein Message-ID: <20030924174216.GL650@saboteur.dek.spc.org> References: <200309241429.h8OETrhk097904@freefall.freebsd.org> <3F71ADCA.7090408@tenebras.com> <20030924162111.GA23542@sunbay.com> <3F71C733.6070708@tenebras.com> <20030924170442.GC23542@sunbay.com> <20030925012033.A567@grosbein.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030925012033.A567@grosbein.pp.ru> cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 17:42:28 -0000 On Thu, Sep 25, 2003 at 01:20:33AM +0800, Eugene Grosbein wrote: > On Wed, Sep 24, 2003 at 08:04:42PM +0300, Ruslan Ermilov wrote: > > > Right. But static ARP means something different. It means > > that the ARP table is frozen, but the system will still reply > > to ARP requests for its addresses, which is not done if > > IFF_NOARP flag is set on an interface. > > Realization: http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/40763 > > In production for years. Of course, it is better to apply the patch from the SA. Thanks for your PR. I'll review this along with ru's patch once I get it.
BMS From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 10:46:59 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 925FA16A4B3 for ; Wed, 24 Sep 2003 10:46:59 -0700 (PDT) Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id E6C2E43FBD for ; Wed, 24 Sep 2003 10:46:46 -0700 (PDT) (envelope-from ru@sunbay.com) Received: from whale.sunbay.crimea.ua (ru@localhost [127.0.0.1]) h8OHkfrX036777 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 24 Sep 2003 20:46:41 +0300 (EEST) (envelope-from ru@sunbay.com) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.12.9/8.12.8/Submit) id h8OHkWNt036771; Wed, 24 Sep 2003 20:46:32 +0300 (EEST) (envelope-from ru) Date: Wed, 24 Sep 2003 20:46:32 +0300 
From: Ruslan Ermilov To: Bruce M Simpson Message-ID: <20030924174632.GB31618@sunbay.com> References: <200309241429.h8OETrhk097904@freefall.freebsd.org> <3F71ADCA.7090408@tenebras.com> <20030924162111.GA23542@sunbay.com> <20030924173900.GK650@saboteur.dek.spc.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="jousvV0MzM2p6OtC" Content-Disposition: inline In-Reply-To: <20030924173900.GK650@saboteur.dek.spc.org> User-Agent: Mutt/1.5.4i cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 17:46:59 -0000 --jousvV0MzM2p6OtC Content-Type: multipart/mixed; boundary="rJwd6BRFiFCcLxzm" Content-Disposition: inline --rJwd6BRFiFCcLxzm Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Sep 24, 2003 at 06:39:00PM +0100, Bruce M Simpson wrote: > On Wed, Sep 24, 2003 at 07:21:11PM +0300, Ruslan Ermilov wrote: > > On Wed, Sep 24, 2003 at 07:44:26AM -0700, Michael Sierchio wrote: > > > Using static ARP entries and turning off ARP on the interface > > > should be a workaround. Whether this is remotely feasible > > > depends on your situation. > > > > > I still have not committed the code that supports static ARP > > on an interface -- there's currently no way to do static ARP > > only, if you disable ARP on an interface it will be disabled > > in its whole. > > I'd like to review and potentially test this patch before it goes in, as it > sounds interesting and useful to us. > Attached.
Cheers, --=20 Ruslan Ermilov Sysadmin and DBA, ru@sunbay.com Sunbay Software Ltd, ru@FreeBSD.org FreeBSD committer --rJwd6BRFiFCcLxzm Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p Content-Transfer-Encoding: quoted-printable Index: sys/net/if.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/net/if.h,v retrieving revision 1.81 diff -u -p -u -r1.81 if.h --- sys/net/if.h 14 Nov 2002 23:16:18 -0000 1.81 +++ sys/net/if.h 26 Dec 2002 15:46:31 -0000 @@ -150,6 +150,7 @@ struct if_data { #define IFF_POLLING 0x10000 /* Interface is in polling mode. */ #define IFF_PPROMISC 0x20000 /* user-requested promisc mode */ #define IFF_MONITOR 0x40000 /* user-requested monitor mode */ +#define IFF_STATICARP 0x80000 /* static ARP */ =20 /* flags set internally only: */ #define IFF_CANTCHANGE \ Index: sys/netinet/if_ether.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netinet/if_ether.c,v retrieving revision 1.105 diff -u -p -u -r1.105 if_ether.c --- sys/netinet/if_ether.c 23 Sep 2003 16:39:31 -0000 1.105 +++ sys/netinet/if_ether.c 24 Sep 2003 00:10:06 -0000 @@ -454,12 +454,12 @@ arpresolve(ifp, rt, m, dst, desten, rt0) return 1; } /* - * If ARP is disabled on this interface, stop. + * If ARP is disabled or static on this interface, stop. * XXX * Probably should not allocate empty llinfo struct if we are * not going to be sending out an arp request. */ - if (ifp->if_flags & IFF_NOARP) { + if (ifp->if_flags & (IFF_NOARP | IFF_STATICARP)) { m_freem(m); return (0); } 
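Review bot: the `/* static ARP */` comment on the new `IFF_STATICARP 0x80000` line in if.h says nothing about what the flag does, and if.h is where the rest of the tree will look it up; spell out the semantics there, e.g. `/* static ARP: reply only, never update the table */`. The value is the next free bit after `IFF_MONITOR 0x40000` and it agrees with the `\024STATICARP` slot added to IFFBITS in the ifconfig.c hunk further down (%b numbers bits from 1, so \024 = bit 20 = 1<<19 = 0x80000); the two hunks have to move together if the flag is ever renumbered.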
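Review bot: in the arpresolve() hunk a packet for a destination without a permanent entry on an IFF_STATICARP interface is freed and dropped silently (`m_freem(m); return (0);`), exactly as for IFF_NOARP. That is the intended behaviour, but unlike -arp an operator who sets staticarp expects traffic to flow, and the only symptom of a missing `arp -s` entry will be an unexplained blackhole; count the drop (if_oerrors or a dedicated statistic) or add a rate-limited log before returning. The XXX remark just above the check ("Probably should not allocate empty llinfo struct if we are not going to be sending out an arp request") now applies to the static case as well, since arplookup() with create set has already installed an empty entry for an address this interface will never resolve, and the comment should say so.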
@@ -650,6 +650,8 @@ match: itaddr =3D myaddr; goto reply; } + if (ifp->if_flags & IFF_STATICARP) + goto reply; la =3D arplookup(isaddr.s_addr, itaddr.s_addr =3D=3D myaddr.s_addr, 0); if (la && (rt =3D la->la_rt) && (sdl =3D SDL(rt->rt_gateway))) { /* the following is not an error when doing bridging */ Index: sbin/ifconfig/ifconfig.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sbin/ifconfig/ifconfig.8,v retrieving revision 1.71 diff -u -p -u -r1.71 ifconfig.8 --- sbin/ifconfig/ifconfig.8 14 May 2003 16:22:16 -0000 1.71 +++ sbin/ifconfig/ifconfig.8 15 May 2003 00:08:09 -0000 @@ -227,6 +227,18 @@ addresses and .It Fl arp Disable the use of the Address Resolution Protocol .Pq Xr arp 4 . +.It Cm staticarp +If the Address Resolution Protocol is enabled, +the host will only reply to requests for its addresses, +and will never send any requests. +.It Fl staticarp +If the Address Resolution Protocol is enabled, +the host will perform normally, +sending out requests, +listening for replies, +and allowing gratuitous requests to update the +.Tn ARP +table. .It Cm broadcast (Inet only.) Specify the address to use to represent broadcasts to the Index: sbin/ifconfig/ifconfig.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sbin/ifconfig/ifconfig.c,v retrieving revision 1.90 diff -u -p -u -r1.90 ifconfig.c --- sbin/ifconfig/ifconfig.c 28 Apr 2003 16:37:38 -0000 1.90 +++ sbin/ifconfig/ifconfig.c 30 Apr 2003 07:02:20 -0000 
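Review bot: the new `if (ifp->if_flags & IFF_STATICARP) goto reply;` in in_arpinput() sits after the "is using my IP address" check, so duplicate-address detection still logs, but it jumps over `arplookup()` and everything below it, including the "moved from" log line; an operator who turns on staticarp precisely because ARP spoofing is a concern loses the one line in the log that would show a spoof being attempted. Consider comparing the sender hardware address with an existing permanent entry for isaddr and logging a mismatch before the jump. Worth a sentence in the commit message: replying without a cache entry is fine because the reply is built from the packet's own sender address, and packets with op != ARPOP_REQUEST are still dropped at reply:, so a gratuitous reply from an attacker changes nothing on a staticarp interface.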
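Review bot: the `.It Cm staticarp` paragraph in ifconfig.8 describes what the host sends but not the property the flag exists for: the ARP table is never created or changed from received packets, so only entries installed with arp(8) (`arp -s`, `arp -f`) are usable and traffic to any other address on the interface is dropped. Say that, add `.Xr arp 8`, and state how the flag combines with `-arp` (with ARP disabled the host answers nothing, as noted earlier in this thread, so staticarp then has no visible effect). The `.It Fl staticarp` text can be cut to "Restore normal ARP behaviour"; its current mention of gratuitous requests updating the table belongs in the `staticarp` paragraph, as the reason one would set the flag.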
@@ -234,6 +234,8 @@ struct cmd { { "-link2", -IFF_LINK2, setifflags }, { "monitor", IFF_MONITOR, setifflags }, { "-monitor", -IFF_MONITOR, setifflags }, + { "staticarp", IFF_STATICARP, setifflags }, + { "-staticarp", -IFF_STATICARP, setifflags }, #ifdef USE_IF_MEDIA { "media", NEXTARG, setmedia }, { "mode", NEXTARG, setmediamode }, 
@@ -1037,7 +1039,7 @@ setifmtu(const char *val, int dummy __un #define IFFBITS \ "\020\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6SMART\7RUNNING" \ "\10NOARP\11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX\15LINK0\16LINK1\17LINK2= " \ -"\20MULTICAST\023MONITOR" +"\20MULTICAST\023MONITOR\024STATICARP" =20 #define IFCAPBITS \ "\003\1RXCSUM\2TXCSUM\3NETCONS\4VLAN_MTU\5VLAN_HWTAGGING\6JUMBO_MTU" --rJwd6BRFiFCcLxzm-- --jousvV0MzM2p6OtC Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE/cdh4Ukv4P6juNwoRAviOAJ4h8KSEganpveJ8S9O36Ihej+EcOgCeJZki WvoCBGReN5KsakdZ0oXOBFA= =CZpH -----END PGP SIGNATURE----- --jousvV0MzM2p6OtC-- From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 12:00:19 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9BB4B16A4B3 for ; Wed, 24 Sep 2003 12:00:19 -0700 (PDT) Received: from mail.broadpark.no (mail.broadpark.no [217.13.4.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9EA2843FE1 for ; Wed, 24 Sep 2003 12:00:18 -0700 (PDT) (envelope-from des@des.no) Received: from smtp.des.no (37.80-203-228.nextgentel.com [80.203.228.37]) by mail.broadpark.no (Postfix) with ESMTP id C849B79369; Wed, 24 Sep 2003 21:00:16 +0200 (MEST) Received: by smtp.des.no (Pony Express, from userid 666) id 95D4896121; Wed, 24 Sep 2003 21:00:16 +0200 (CEST) Received: from dwp.des.no (dwp.des.no [10.0.0.4]) by smtp.des.no (Pony Express) with ESMTP id ACC8A959E8; Wed, 24 Sep 2003 21:00:12 +0200 (CEST) Received: by dwp.des.no (Postfix, from userid 2602) id 77B48B84A; Wed, 24 Sep 2003 21:00:12 +0200 (CEST) To: Michael Sierchio References: <3F705D4D.4070404@tenebras.com> 
From: des@des.no (Dag-Erling Smørgrav) Date: Wed, 24 Sep 2003 21:00:12 +0200 In-Reply-To: <3F705D4D.4070404@tenebras.com> (Michael Sierchio's message of "Tue, 23 Sep 2003 07:48:45 -0700") Message-ID: User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, hits=-2.5 required=8.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,REFERENCES,REPLY_WITH_QUOTES, USER_AGENT_GNUS_UA version=2.55 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) cc: security@freebsd.org Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 19:00:19 -0000 Michael Sierchio writes: > This affects only 3.7p1 and 3.7.1p1. The advice to leave > PAM disabled is far from heartening, nor is the semi-lame > blaming the PAM spec for implementation bugs. They have their axe to grind. The PAM spec is not to be blamed; although the spec is remarkably unclear on some points related to the offending code, the fault for the bug is entirely mine. In the meantime, it is important to point out that privilege separation (which is on by default in FreeBSD) prevents exploitation of the first bug, and that there is no known way to exploit the second bug. It is also important to point out that the second bug is not directly PAM-related. The bug is in a common portion of the ssh1 kbdint code; it just so happens that the PAM code is the only kbdint device which triggers it.
And it just so happens that I wrote those few lines as well :( DES -- Dag-Erling Smørgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 12:55:59 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 11CA216A4B3 for ; Wed, 24 Sep 2003 12:55:59 -0700 (PDT) Received: from chortos.wingnet.net (chortos.wingnet.net [206.30.57.3]) by mx1.FreeBSD.org (Postfix) with SMTP id 9798043FF7 for ; Wed, 24 Sep 2003 12:55:56 -0700 (PDT) (envelope-from jesse@wingnet.net) Received: (qmail 59501 invoked from network); 24 Sep 2003 19:55:44 -0000 Received: from makrothumia.wingnet.net (HELO 192.168.1.47) (206.30.215.5) by chortos.wingnet.net with SMTP; 24 Sep 2003 19:55:38 -0000
From: Jesse Guardiani Organization: WingNET To: Matthew George Date: Wed, 24 Sep 2003 15:55:30 -0400 User-Agent: KMail/1.5.2 References: <20030924122724.V31322@localhost> In-Reply-To: <20030924122724.V31322@localhost> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200309241555.30825.jesse@wingnet.net> cc: freebsd-security@freebsd.org Subject: Re: unified authentication X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 19:55:59 -0000 On Wednesday 24 September 2003 12:54, Matthew George wrote: > On Wed, 24 Sep 2003, Jesse Guardiani wrote: > > 1.) Kerberos > > krb is nice, but the problem with it is that all of your applications need > to be kerberized in order to support ticket validation from the krb > server. There is an interesting description (albeit slightly dated) of > how the system works at: > > http://web.mit.edu/kerberos/www/dialogue.html Yes, I found that after I posted to the list. Very informative. I understand what you're saying when you say that all applications need to be kerberized in order to work, but isn't that true of any auth mechanism? Perhaps kerberization just isn't as widespread as something like LDAP? > > > 2.) PAM (Seems to be more of a library than a complete > > solution.) > > Indeed. PAM is a vehicle used to employ various authentication > mechanisms and not actually an authentication service by itself. For > example, you could specify that for login services to a machine, a user > must first attempt to authenticate via tacacs, but should that fail, > authentication against the system password file is sufficient.
> > The following PAM support is available in FreeBSD (I'm running 5.1): > > mdg@mdg:/etc/pam.d> ls /usr/lib/pam*so > /usr/lib/pam_chroot.so /usr/lib/pam_opieaccess.so > /usr/lib/pam_deny.so /usr/lib/pam_passwdqc.so > /usr/lib/pam_echo.so /usr/lib/pam_permit.so > /usr/lib/pam_exec.so /usr/lib/pam_radius.so > /usr/lib/pam_ftp.so /usr/lib/pam_rhosts.so > /usr/lib/pam_ftpusers.so /usr/lib/pam_rootok.so > /usr/lib/pam_group.so /usr/lib/pam_securetty.so > /usr/lib/pam_krb5.so /usr/lib/pam_self.so > /usr/lib/pam_ksu.so /usr/lib/pam_ssh.so > /usr/lib/pam_lastlog.so /usr/lib/pam_tacplus.so > /usr/lib/pam_login_access.so /usr/lib/pam_unix.so > /usr/lib/pam_nologin.so /usr/lib/pam_wheel.so > /usr/lib/pam_opie.so > mdg@mdg:/etc/pam.d> ls -d /usr/ports/security/pam* > /usr/ports/security/pam-mysql /usr/ports/security/pam_ldap > /usr/ports/security/pam-pgsql /usr/ports/security/pam_pop3 > /usr/ports/security/pam_alreadyloggedin /usr/ports/security/pam_pwdfile > /usr/ports/security/pam_krb5 /usr/ports/security/pam_smb > > > 3.) LDAP > > LDAP is good because of the centralized directory services it provides. > You can store much more information about users other than their username > and password (such as addresses, job title, department, phone numbers, > location, public key, etc). I've seen documentation online (although the > specific location escapes me at the moment) about how to integrate UNIX > and Windows (active directory) authentication via LDAP (I believe the ADS > controllers become authoritative in this scheme ... not sure if openldap > can be used instead). This isn't something I'm familiar with first-hand, > but it's currently on my list of things to research. > > > 4.) RADIUS > > RADIUS is designed specifically for centralized user administration and > authentication. Support is available for a wide variety of devices (cisco > is included, but I'm pretty sure Windows isn't). pam_radius is included > in the FreeBSD base system and just needs to be enabled via PAM. 
> > > 5.) NIS/NIS+ > > My personal favorite, NIS can be used to provide many services to UNIX > hosts. NIS is at a bit of a disadvantage due to the unencrypted transport > of information. Although MD5 hashes in the passwd databases make > passwords harder to crack, usernames and group memberships may still be > retrieved with little difficulty if you have access to a network where NIS > is running. I definitely would not recommend running it on networks where > unknown / not-trusted users have access, but it has served me quite well > for access administration on internal servers / corporate networks. I'm > not familiar with a UNIX variant that does not support it, but you may > have problems with other network devices and Windows integration. > > > If you are running a Windows network with NT domain controllers, you may > want to look at pam_smb. > > Since you have cisco devices, you may want to look at pam_tacplus. > > Another alternative is OPIE (an S/Key derivative). This implements > one-time passwords, but will require much more support for users if they > aren't familiar with how it's supposed to work. > > I'm sure I'm forgetting something ... Well, I'm currently trying to decide between these then: Kerberos RADIUS LDAP (OpenLDAP only. I don't have a proprietary LDAP solution.) TACACS pam_smb, possibly. I'm ruling out NIS/NIS+ because: -------------------------------- 1.) I'd like something with decent cyptography built in. That's why I conceptually like Kerberos. 2.) AFAIK, no Cisco support. Now, I suppose the question is this: ------------------------------------ Will any of the above do ALL of the following? (The below is a prioritized list of the things I'd like to see in an authentication system:) 1.) Authenticate for ssh 2.) Authenticate for Cisco equipment 3.) Authenticate for Apache htaccess files 4.) Allow some way to easily set root passwords and su 5.) Do the above from a centralized location 6.) Do so with reasonable security/encryption 7.) 
Authenticate for Windows boxes And honestly, I could live with ditching the Windows Auth if a given solution works a lot better on *NIX. For example, I've heard that OpenLDAP is a real pain in the rear to install and configure. If that is true, and something like RADIUS or Kerberos would provide a better solution, then that's where I'd likely go. The other question I find myself asking is this: ------------------------------------------------ Once I get authentication working, how do I handle the creation of home directories and basic user files across multiple machines? Do I need to start running NFS, or is there a more elegant solution? Thus far, I've gotten a lot of great feedback from list members. Thanks! -- Jesse Guardiani, Systems Administrator WingNET Internet Services, P.O. Box 2605 // Cleveland, TN 37320-2605 423-559-LINK (v) 423-559-5145 (f) http://www.wingnet.net From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 13:00:07 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0251B16A4BF for ; Wed, 24 Sep 2003 13:00:07 -0700 (PDT) Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3547644001 for ; Wed, 24 Sep 2003 13:00:03 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.12.9/8.12.9) with ESMTP id h8OJxjgL071009; Wed, 24 Sep 2003 15:59:45 -0400 (EDT) (envelope-from robert@fledge.watson.org) Received: from localhost (robert@localhost)h8OJxjZG071006; Wed, 24 Sep 2003 15:59:45 -0400 (EDT) Date: Wed, 24 Sep 2003 15:59:44 -0400 (EDT) 
From: Robert Watson
To: Jesse Guardiani
cc: Matthew George
cc: freebsd-security@freebsd.org
Date: Wed, 24 Sep 2003 15:59:44 -0400 (EDT)
Subject: Re: unified authentication
In-Reply-To: <200309241555.30825.jesse@wingnet.net>

On Wed, 24 Sep 2003, Jesse Guardiani wrote:

> On Wednesday 24 September 2003 12:54, Matthew George wrote:
> > On Wed, 24 Sep 2003, Jesse Guardiani wrote:
> > > 1.) Kerberos
> >
> > krb is nice, but the problem with it is that all of your applications need
> > to be kerberized in order to support ticket validation from the krb
> > server. There is an interesting description (albeit slightly dated) of
> > how the system works at:
> >
> > http://web.mit.edu/kerberos/www/dialogue.html
>
> Yes, I found that after I posted to the list. Very informative.
>
> I understand what you're saying when you say that all applications need
> to be kerberized in order to work, but isn't that true of any auth
> mechanism?
>
> Perhaps kerberization just isn't as widespread as something like LDAP?

My current preference in new installs is to use Kerberos5 for
authentication and LDAP for account information. If you're willing to
throw SSL into the mix, a lack of "kerberization" isn't such a problem --
you basically end up using Kerberos5 as a distributed password mechanism
for non-Kerberized clients. I.e., using IMAP over SSL, SMTP over SSL, etc.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 13:14:13 2003
From: Jesse Guardiani
Organization: WingNET
To: freebsd-security@freebsd.org
Reply-To: jesse@wingnet.net
Date: Wed, 24 Sep 2003 16:14:04 -0400
Subject: Re: unified authentication
References: <200309241555.30825.jesse@wingnet.net>

Robert Watson wrote:

> On Wed, 24 Sep 2003, Jesse Guardiani wrote:
>
>> On Wednesday 24 September 2003 12:54, Matthew George wrote:
>> > On Wed, 24 Sep 2003, Jesse Guardiani wrote:
>> > > 1.) Kerberos
>> >
>> > krb is nice, but the problem with it is that all of your applications
>> > need to be kerberized in order to support ticket validation from the
>> > krb server. There is an interesting description (albeit slightly dated)
>> > of how the system works at:
>> >
>> > http://web.mit.edu/kerberos/www/dialogue.html
>>
>> Yes, I found that after I posted to the list. Very informative.
>>
>> I understand what you're saying when you say that all applications need
>> to be kerberized in order to work, but isn't that true of any auth
>> mechanism?
>>
>> Perhaps kerberization just isn't as widespread as something like LDAP?
>
> My current preference in new installs is to use Kerberos5 for
> authentication and LDAP for account information. If you're willing to
> throw SSL into the mix, a lack of "kerberization" isn't such a problem --
> you basically end up using Kerberos5 as a distributed password mechanism
> for non-Kerberized clients. I.e., using IMAP over SSL, SMTP over SSL,
> etc.

And that's more or less what I was thinking of doing here, except it
wouldn't be IMAP and SMTP (because that is already handled by my mail
server's MySQL database), but Kerberos as a distributed password mechanism
for SSH, Apache .htaccess, Cisco routers, etc...

Does that work well with FreeBSD 4.8? Or would I need to use 5.x to deploy
Kerberos5 in that manner?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 13:46:40 2003
From: Stijn Hoop
To: Michael Sierchio
cc: freebsd-security@freebsd.org
cc: jesse@wingnet.net
Date: Wed, 24 Sep 2003 22:47:12 +0200
Subject: Re: unified authentication
Message-ID: <20030924204712.GH95116@pcwin002.win.tue.nl>
In-Reply-To: <3F71C7B5.5080509@tenebras.com>

On Wed, Sep 24, 2003 at 09:35:01AM -0700, Michael Sierchio wrote:
> If you'd like to help me work on my Active Directory Connector
> PAM module, I'd welcome it. ;-)

Now that would rock (and be a major selling point for FreeBSD over here).
How far along are you?

--Stijn

-- 
Q: Why is Batman better than Bill Gates?
A: Batman was able to beat the Penguin.

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 13:50:31 2003
From: Tillman Hodgson
To: freebsd-security@freebsd.org
Date: Wed, 24 Sep 2003 14:50:29 -0600
Subject: Re: unified authentication
Message-ID: <20030924145029.V18252@seekingfire.com>
In-Reply-To: <200309241555.30825.jesse@wingnet.net>

On Wed, Sep 24, 2003 at 03:55:30PM -0400, Jesse Guardiani wrote:
> Well, I'm currently trying to decide between these then:
>
> Kerberos
> RADIUS
> LDAP (OpenLDAP only. I don't have a proprietary LDAP solution.)
> TACACS
> pam_smb, possibly.

These aren't necessarily mutually exclusive.

> I'm ruling out NIS/NIS+ because:
> --------------------------------
> 1.) I'd like something with decent cryptography built in. That's why I
> conceptually like Kerberos.
> 2.) AFAIK, no Cisco support.

NIS (for authorization info) with Kerberos 5 (for authentication)
provides decent cryptography and wide platform support. Cisco supports
Kerberos.

> Once I get authentication working, how do I handle
> the creation of home directories and basic user
> files across multiple machines?
>
> Do I need to start running NFS, or is there a more
> elegant solution?

OpenAFS, very elegant solution. Unfortunately, it doesn't work on
FreeBSD yet (or anymore as a client).

-T

-- 
The beauty of the democratic systems of thought control, as contrasted
with their clumsy totalitarian counterparts, is that they operate by
subtly establishing on a voluntary basis - aided by the force of
nationalism and media control by substantial interests - presuppositions
that set the limits of debate, rather than by imposing beliefs with a
bludgeon.
    - Noam Chomsky, _After the Cataclysm_

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 13:54:28 2003
From: Mitch Collinsworth
To: Jesse Guardiani
cc: freebsd-security@freebsd.org
Date: Wed, 24 Sep 2003 16:54:21 -0400 (EDT)
Subject: Re: unified authentication
In-Reply-To: <200309241555.30825.jesse@wingnet.net>

On Wed, 24 Sep 2003, Jesse Guardiani wrote:

> The other question I find myself asking is this:
> ------------------------------------------------
> Once I get authentication working, how do I handle
> the creation of home directories and basic user
> files across multiple machines?
>
> Do I need to start running NFS, or is there a more
> elegant solution?

www.openafs.org

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 14:03:30 2003
From: Mitch Collinsworth
To: Tillman Hodgson
cc: freebsd-security@freebsd.org
Date: Wed, 24 Sep 2003 17:03:28 -0400 (EDT)
Subject: Re: unified authentication
In-Reply-To: <20030924145029.V18252@seekingfire.com>

On Wed, 24 Sep 2003, Tillman Hodgson wrote:

> OpenAFS, very elegant solution. Unfortunately, it doesn't work on
> FreeBSD yet (or anymore as a client).

The arla client works.

-Mitch

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 14:17:08 2003
From: Tillman Hodgson
To: freebsd-security@freebsd.org
Date: Wed, 24 Sep 2003 15:17:06 -0600
Subject: Re: unified authentication
Message-ID: <20030924151706.X18252@seekingfire.com>

On Wed, Sep 24, 2003 at 05:03:28PM -0400, Mitch Collinsworth wrote:
>
> On Wed, 24 Sep 2003, Tillman Hodgson wrote:
>
> > OpenAFS, very elegant solution. Unfortunately, it doesn't work on
> > FreeBSD yet (or anymore as a client).
>
> The arla client works.

That's great news - I last looked at it in May (May 7/8, according to the
archives) and it was still broken then.

I've tried snapshots of the OpenAFS server code recently - doesn't work on
i386 -STABLE, doesn't work on sparc64 -CURRENT.

-T

-- 
In Googlis non est, ergo non est.
From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 14:26:06 2003
From: Jesse Guardiani
Organization: WingNET
To: freebsd-security@freebsd.org
Reply-To: jesse@wingnet.net
Date: Wed, 24 Sep 2003 17:25:59 -0400
Subject: Re: unified authentication
References: <20030924122724.V31322@localhost> <200309241555.30825.jesse@wingnet.net> <20030924145029.V18252@seekingfire.com>

Tillman Hodgson wrote:

> On Wed, Sep 24, 2003 at 03:55:30PM -0400, Jesse Guardiani wrote:
>> Well, I'm currently trying to decide between these then:
>>
>> Kerberos
>> RADIUS
>> LDAP (OpenLDAP only. I don't have a proprietary LDAP solution.)
>> TACACS
>> pam_smb, possibly.
>
> These aren't necessarily mutually exclusive.
>
>> I'm ruling out NIS/NIS+ because:
>> --------------------------------
>> 1.) I'd like something with decent cryptography built in. That's why I
>> conceptually like Kerberos.
>> 2.) AFAIK, no Cisco support.
>
> NIS (for authorization info) with Kerberos 5 (for authentication)

What's the difference between authorization and authentication?
I thought Kerberos handled authorization by itself.

> provides decent cryptography and wide platform support. Cisco supports
> Kerberos.

Although not very solidly according to other posts on this topic.

>> Once I get authentication working, how do I handle
>> the creation of home directories and basic user
>> files across multiple machines?
>>
>> Do I need to start running NFS, or is there a more
>> elegant solution?
>
> OpenAFS, very elegant solution.

Could you explain why OpenAFS is a more elegant solution than NFS?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 15:31:29 2003
From: Tillman Hodgson
To: freebsd-security@freebsd.org
Date: Wed, 24 Sep 2003 16:31:27 -0600
Subject: Re: unified authentication
Message-ID: <20030924163127.A18252@seekingfire.com>

On Wed, Sep 24, 2003 at 05:25:59PM -0400, Jesse Guardiani wrote:
> Tillman Hodgson wrote:
> > NIS (for authorization info) with Kerberos 5 (for authentication)
>
> What's the difference between authorization and authentication?
> I thought Kerberos handled authorization by itself

Kerberos handles authentication ("Prove that you are who you say you
are"). It does not handle authorization ("What are you allowed to do") or
auditing ("what have you done").

Authorization is also concerned with meta-data, like a user's home
directory, preferred shell, etc. /etc/passwd, NIS, LDAP, and others are
typically used for authorization. For example, sshd won't let you log in
unless you have a valid entry in /etc/passwd (or whatever scheme you're
using). As an example of "other", ftpd checks /etc/ftpusers to see who is
not allowed to log in. Having a valid Kerberos ticket doesn't circumvent
these authorization mechanisms.

As far as auditing goes, most daemons write a log of who did what. Just be
aware that Kerberos doesn't magically centralize this into a master audit
log.

> > provides decent cryptography and wide platform support. Cisco supports
> > Kerberos.
>
> Although not very solidly according to other posts on this topic.

I missed the beginning of the thread so I can't speak to that.

> >> Once I get authentication working, how do I handle
> >> the creation of home directories and basic user
> >> files across multiple machines?
> >>
> >> Do I need to start running NFS, or is there a more
> >> elegant solution?
> >
> > OpenAFS, very elegant solution.
>
> Could you explain why OpenAFS is a more elegant solution than
> NFS?

See the thread in the archives entitled "AFS Server and Client" from May
6-8 of this year on freebsd-questions@.

-T

-- 
Belief gets in the way of learning.
    - Robert Heinlein

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 15:56:58 2003
From: Jason Stone
To: freebsd-security@freebsd.org
Date: Wed, 24 Sep 2003 15:56:56 -0700 (PDT)
Subject: Re: unified authentication
Message-ID: <20030924153355.T55021@walter>
In-Reply-To: <200309241555.30825.jesse@wingnet.net>

> > > 1.) Kerberos
> >
> > krb is nice, but the problem with it is that all of your applications need
> > to be kerberized
>
> but isn't that true of any auth mechanism?

Other auth methods use more generic interfaces that already exist.

Many/most unix systems/applications are pam aware nowadays, which means
that any auth system which already has pam modules can be dropped in
without modifying the apps. And nis is integrated into the libc, so that
traditional manual authentication (eg, using getpwnam(3) and friends) will
use nis transparently.

Also, while kerberos is used for authentication, as far as I understand
it, kerberos provides no means for distributing a username-to-uid map, so
you would still have to use nis or something for that. (Someone correct
me if I'm way off here....)

> > > 5.) NIS/NIS+
> >
> > NIS is at a bit of a disadvantage due to the unencrypted transport
> > of information. Although MD5 hashes in the passwd databases make
> > passwords harder to crack, usernames and group memberships may still be
> > retrieved with little difficulty

Well, it's worse than that - since the packets are not authenticated in
any way, an active attacker doesn't need to crack passwords - he can just
inject his own packets which can have crypted passwords that he knows.

If you use ipsec and a well-known nis server (as opposed to the easy way
of just using broadcast), then maybe nis isn't so weak. And all os's and
network gear support ipsec by now, right?

> > Since you have cisco devices, you may want to look at pam_tacplus.

I like tacacs better than radius, but be aware that different devices may
have differing notions of what the tacacs privilege levels mean. For
example, I used to have cisco and foundry gear, both of which spoke
tacacs, but on one, the numeric privilege levels went from low to high
with increased privileges, and on the other, it went from high to low.
foundry has since changed their stuff to be compatible with cisco, so
maybe this isn't an issue any more, but be aware that it might be.

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the
suspicion that he was insufficiently fondled when he was an infant.
    -- Ashley Montagu

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 18:18:09 2003
From: Tillman Hodgson To: freebsd-security@freebsd.org Message-ID: <20030924191807.D18252@seekingfire.com> References: <20030924122724.V31322@localhost> <200309241555.30825.jesse@wingnet.net> <20030924153355.T55021@walter> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20030924153355.T55021@walter>; from freebsd-security@dfmm.org on Wed, Sep 24, 2003 at 03:56:56PM -0700 X-Urban-Legend: There is lots of hidden information in headers Subject: Re: unified authentication X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Sep 2003 01:18:09 -0000 On Wed, Sep 24, 2003 at 03:56:56PM -0700, Jason Stone wrote: > > > > 1.) Kerberos > > > > > > krb is nice, but the problem with it is that all of your applications need > > > to be kerberized > > > > but isn't that true of any auth mechanism? > > Other auth methods use more generic interfaces that already exist. > > Many/most unix systems/applications are pam aware nowadays, which means > that any auth system which already has pam modules can be dropped in > without modifying the apps. And nis is integrated into the libc, so that > traditional manual authentication (eg, using getpwnam(3) and friends) will > use nis transparently. You can use PAM with Kerberos, though it's by no means necessary. > Also, while kerberos is used for authentication, as far as I understand > it, kerberos provide no means for distributing a username-to-uid map, so > you would still have to use nis or something for that. (Someone correct > me if I'm way off here....) That's correct. It does authentication, not authorization. It's a feature - I can use NIS on my server, you can use LDAP on your server, Bob can use /etc/passwd with disabled passwords on his server. 
Flexible mapping schemes allow neat tricks like cross-realm trusts with Active Directory and secondary user databases ("if not in NIS fall back to corporate LDAP", etc). > > > > 5.) NIS/NIS+ > > > > > > NIS is at a bit of a disadvantage due to the unencrypted transport > > > of information. Although MD5 hashes in the passwd databases make > > > passwords harder to crack, usernames and group memberships may still be > > > retrieved with little difficulty > > Well, it's worse than that - since the packets are not authenticated in > any way, an active attacker doesn't need to crack passwords - he can just > inject his own packets which can have crypted passwords that he knows. > > If you use ipsec and a well-known nis server (as opposed to the easy way > of just using broadcast), then maybe nis isn't so weak. And all os's and > network gear support ipsec by now, right? Which is why I use NIS with Kerberos - the passwords aren't in the NIS maps and injected fake users won't be authenticated by Kerberos. -T -- The phrase "we (I) (you) simply must..." designates something that need not be done. "That goes without saying," is a red warning. "Of course..."means you had best check it yourself. And if "everybody knows" such-and-such, then it ain't so, by at least ten thousand to one. 
- Robert Heinlein From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 23:10:56 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DBAB116A4B3 for ; Wed, 24 Sep 2003 23:10:56 -0700 (PDT) Received: from dfmm.org (walter.dfmm.org [209.151.233.240]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3844B44013 for ; Wed, 24 Sep 2003 23:10:56 -0700 (PDT) (envelope-from freebsd-security@dfmm.org) Received: (qmail 84564 invoked by uid 1000); 25 Sep 2003 06:10:56 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 Sep 2003 06:10:56 -0000 Date: Wed, 24 Sep 2003 23:10:55 -0700 (PDT) 
From: Jason Stone X-X-Sender: jason@walter To: freebsd-security@freebsd.org In-Reply-To: <20030924191807.D18252@seekingfire.com> Message-ID: <20030924230228.K55021@walter> References: <20030924122724.V31322@localhost> <200309241555.30825.jesse@wingnet.net> <20030924153355.T55021@walter> <20030924191807.D18252@seekingfire.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: unified authentication X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Sep 2003 06:10:57 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > Well, it's worse than that - since the packets are not authenticated in > > any way, an active attacker doesn't need to crack passwords - he can just > > inject his own packets which can have crypted passwords that he knows. > > Which is why I use NIS with Kerberos - the passwords aren't in the NIS > maps and injected fake users won't be authenticated by Kerberos. Okay, but I can still set jason's uid the same as tillman's and then use his dot-files to alias his ssh to a trojan. Or set jason's uid to zero.... -Jason -------------------------------------------------------------------------- Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant. 
-- Ashley Montagu -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE/cobvswXMWWtptckRAjboAJ9Tce8Ut/0Wl8PFYdGF3bn5LAe+8wCdH/Y5 Ml4lVzqto18/4OKPZUIAhZU= =IxMK -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 13:13:34 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EA53E16A4C0 for ; Wed, 24 Sep 2003 13:13:34 -0700 (PDT) Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id E90C243FEA for ; Wed, 24 Sep 2003 13:13:32 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: from khavrinen.lcs.mit.edu (localhost.nic.fr [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.9/8.12.9) with ESMTP id h8OKDVgk067909 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK CN=khavrinen.lcs.mit.edu issuer=SSL+20Client+20CA); Wed, 24 Sep 2003 16:13:31 -0400 (EDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.9/8.12.9/Submit) id h8OKDU8U067906; Wed, 24 Sep 2003 16:13:30 -0400 (EDT) (envelope-from wollman) Date: Wed, 24 Sep 2003 16:13:30 -0400 (EDT) 
From: Garrett Wollman Message-Id: <200309242013.h8OKDU8U067906@khavrinen.lcs.mit.edu> To: Jesse Guardiani In-Reply-To: <200309241555.30825.jesse@wingnet.net> References: <20030924122724.V31322@localhost> <200309241555.30825.jesse@wingnet.net> X-Spam-Score: -9.9 () IN_REP_TO,REFERENCES X-Scanned-By: MIMEDefang 2.37 X-Mailman-Approved-At: Thu, 25 Sep 2003 03:43:36 -0700 cc: freebsd-security@freebsd.org Subject: Re: unified authentication X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 20:13:35 -0000 < said: > Will any of the above do ALL of the following? > (The below is a prioritized list of the things > I'd like to see in an authentication system:) Kerberos: > 1.) Authenticate for ssh Yes (with openssh-gssapi). We use this all the time. > 2.) Authenticate for Cisco equipment For certain values of ``authenticate'', ``Cisco'', ``equipment'', and ``Kerberos''. > 3.) Authenticate for Apache htaccess files I strongly advise against using Kerberos for this. We use mod_auth_kerb on exactly one machine: the one that runs the certificate authority. > 4.) Allow some way to easily set root passwords and su The Kerberized `su' utility allows individual root instances for every user. (And any other kind of instance you like; it's almost free-form text.) > 5.) Do the above from a centralized location That's what Kerberos is about: trusted-third-party authentication based on a modified Needham & Schroeder protocol. > 6.) Do so with reasonable security/encryption The Kerberos v4 protocol is cryptographically weak and should not be used in new installations. The Kerberos v5 protocol is currently considered cryptographically sound, provided that keys of appropriate strength are used. 
It is possible to configure Kerberos v5 to use 56-bit DES keys for symmetric crypto and an insecure checksum method as pseudo-MAC. Don't do that. (This is one of the key problems with Cisco and Windows interoperability.)

> 7.) Authenticate for Windows boxes

How well this works and in which directions depends on how your Windows infrastructure is set up. It is relatively trivial to set up Windows (>= 2000) systems to use Kerberos for login authentication in conjunction with standalone (non-domain/AD) local accounts. It requires a significant amount of effort to integrate other sorts of Windows configurations, but can be done and is documented by Microsoft and others.

-GAWollman

From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 14:18:00 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6726616A4B3 for ; Wed, 24 Sep 2003 14:18:00 -0700 (PDT)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3BFF543FF5 for ; Wed, 24 Sep 2003 14:17:58 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: from khavrinen.lcs.mit.edu (localhost.nic.fr [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.9/8.12.9) with ESMTP id h8OLHugk068614 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK CN=khavrinen.lcs.mit.edu issuer=SSL+20Client+20CA); Wed, 24 Sep 2003 17:17:57 -0400 (EDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.9/8.12.9/Submit) id h8OLHsK2068611; Wed, 24 Sep 2003 17:17:54 -0400 (EDT) (envelope-from wollman)
Date: Wed, 24 Sep 2003 17:17:54 -0400 (EDT)
From: Garrett Wollman Message-Id: <200309242117.h8OLHsK2068611@khavrinen.lcs.mit.edu> To: Tillman Hodgson In-Reply-To: <20030924145029.V18252@seekingfire.com> References: <20030924122724.V31322@localhost> <200309241555.30825.jesse@wingnet.net> <20030924145029.V18252@seekingfire.com> X-Spam-Score: -19.8 () IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,REPLY_WITH_QUOTES X-Scanned-By: MIMEDefang 2.37 X-Mailman-Approved-At: Thu, 25 Sep 2003 03:43:36 -0700 cc: freebsd-security@freebsd.org Subject: Re: unified authentication X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Sep 2003 21:18:00 -0000 < said: > OpenAFS, very elegant solution. Unfortunately, it doesn't work on > FreeBSD yet (or anymore as a client). The OpenAFS client is evil, vile, disgusting, awful code. I'm trying, slowly, to get a handle on it in my Copious Free Time, as we want to roll out AFS here. -GAWollman From owner-freebsd-security@FreeBSD.ORG Wed Sep 24 20:01:13 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 81A9F16A4B3 for ; Wed, 24 Sep 2003 20:01:13 -0700 (PDT) Received: from malasada.lava.net (malasada.lava.net [64.65.64.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id BB02243FD7 for ; Wed, 24 Sep 2003 20:01:12 -0700 (PDT) (envelope-from cliftonr@lava.net) Received: by malasada.lava.net (Postfix, from userid 102) id 33561153F27; Wed, 24 Sep 2003 17:01:07 -1000 (HST) Date: Wed, 24 Sep 2003 17:01:05 -1000 
From: Clifton Royston To: Jesse Guardiani Message-ID: <20030924170103.A3892@tikitechnologies.com> Mail-Followup-To: Jesse Guardiani , freebsd-security@freebsd.org References: <20030924190048.D69EA16A53C@hub.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20030924190048.D69EA16A53C@hub.freebsd.org>; 12:00:48PM -0700 X-Mailman-Approved-At: Thu, 25 Sep 2003 03:43:36 -0700 cc: freebsd-security@freebsd.org Subject: Re: unified authentication X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Sep 2003 03:01:13 -0000 On Wed, Sep 24, 2003 at 12:00:48PM -0700, freebsd-security-request@freebsd.org wrote: > Date: Wed, 24 Sep 2003 10:27:37 -0400 
> From: Jesse Guardiani
> Subject: unified authentication
> To: freebsd-security@freebsd.org
> Message-ID:
> Content-Type: text/plain; charset=us-ascii
>
> Howdy list,
>
> Sorry if this is a frequently discussed topic,
> or an off-topic question, but I couldn't find much
> info about my question by performing quick searches
> in the archives, and my question is pretty tightly
> related to security...
>
> Background:
> ===========
> I have a number of FreeBSD machines. Most are 4.x,
> but a few are 5.x (mainly the testing/devel machines).
>
> I also have a single Red Hat Linux machine (mostly
> a former employee's play toy), a legacy BSDi 4.1
> machine, and a single Windows 2000 Server.
>
> And, of course, I have a number of Cisco routers of
> all shapes, sizes, and capacities.
>
> I have recently been plagued by the security audit
> woes, as employees have left the company and new
> employees have come in. The former Sys Admin didn't
> keep a list of places where passwords are stored,
> and the company really has very little in the way
> of a security policy, so I'm having to audit and
> document as I go.
>
> The motivation behind this email is simply that I am
> seeking to end my security woes. I'd like to be able
> to quickly (10-30 minutes) set up and remove employees
> from the various servers/routers and have the knowledge
> that I haven't missed anything.

One approach to quickly get you off the ground from your current situation (where everything is a mess and you don't know who has access to what.)

1) Establish classes of servers (e.g. production, test, development, play) and other equipment (e.g. production routers, learning routers, terminal servers, switches.)

2) Each *class* of server or device gets a different root password (or enable password for Ciscos) and every server/device in each class of server or device gets the same password.
** At this point you can do a first sweep through and change all the root/enable passwords, and have a bit less worry about ex-employees.

3) Give users logins only on the systems they reasonably need access to. (E.g. only developers and the top sysadmins have logins on development machines, only sysadmins have logins on routers.) You may need to remove people's access to some machines they were used to doing stuff on; be kind but firm.

4) Give admins logins only on the routers they need access to; you can configure the Cisco routers to access a RADIUS server with a db file of authorized admins as a fairly quick and easy authentication setup. (If you decide you have multiple classes of Ciscos, you can point them to separate Radius instances running off of separate admin db files.)

5) Require ssh-only access for all network devices which support it, and of course for all servers. That reduces sniffing impact.

6) Put sudo onto all servers, and require your staff (including sysadmins) to use sudo in place of su on those servers. Configure sudo to provide "sudo power" access to only limited commands for non-sysadmins, via using their own passwords, and full access to senior sysadmins but only via the root password for that server. (That last doesn't improve security per se, but gives you some logging.)

** Now you should be able to cut down on the number of employees who need root access, to just the more seasoned sysadmins.

> I've been thinking about it, and it seems like it
> would be beneficial to define "security clearances"
> and possibly different passwords for each employee
> at each security clearance level. That way, if one
> password was somehow sniffed or stolen, the security
> breach might stand a better chance of being contained.

The separate login/sudo passwords above help cover that, plus the separate passwords for separate classes of machines.

I think classes of machines, and then groups of users who should have access to each class, is an easier way to think about it.

7) When a user leaves, you need to change only the root passwords which affect the classes of machines they had access to; this only has a big impact when your top sysadmins leave, not whenever every employee leaves.

Now you can start worrying about setting up central authentication systems so that you can pop users in and out more readily, and you should have an easier time deploying one because you'll know what classes systems fall into, who should be in each class, etc. This is just basic getting-organized stuff; it will help you to clear it away first.

All IMHO,
-- Clifton

--
Clifton Royston -- cliftonr@tikitechnologies.com
Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed? Did you ever walk with ten cats on your head?
Did you ever milk this kind of cow? Well we can do it. We know how.
If you never did, you should. These things are fun, and fun is good.
-- Dr. Seuss

From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 06:05:33 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9930916A4B3 for ; Thu, 25 Sep 2003 06:05:33 -0700 (PDT)
Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 88E3D44058 for ; Thu, 25 Sep 2003 06:05:30 -0700 (PDT) (envelope-from nectar@celabo.org)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 1C51D54840; Thu, 25 Sep 2003 08:05:30 -0500 (CDT)
Received: by madman.celabo.org (Postfix, from userid 1001) id ABFBF6D454; Thu, 25 Sep 2003 08:05:29 -0500 (CDT)
Date: Thu, 25 Sep 2003 08:05:29 -0500
From: "Jacques A. Vidrine" To: Mike Tancsa Message-ID: <20030925130529.GF64188@madman.celabo.org> References: <6.0.0.22.0.20030923170736.06cad540@209.112.4.2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6.0.0.22.0.20030923170736.06cad540@209.112.4.2> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: security@freebsd.org Subject: Re: NTP common code base ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Sep 2003 13:05:33 -0000 On Tue, Sep 23, 2003 at 05:10:36PM -0400, Mike Tancsa wrote: > > Cisco released an advisory about their ntp client and server having a bug > http://www.cisco.com/warp/public/707/NTP-pub.shtml > > Is there a common code base at all that would have relevance to the code in > FreeBSD ? I noticed in the COPYRIGHT file cisco has made some contributions. Yes, there is shared code. It seems likely that this is an old NTP bug, probably the one covered in FreeBSD-SA-01:31.ntpd. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . 
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 07:07:45 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 64D2116A4B3; Thu, 25 Sep 2003 07:07:45 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 95BA944017; Thu, 25 Sep 2003 07:07:41 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (nectar@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h8PE7fFY007715; Thu, 25 Sep 2003 07:07:41 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Received: (from nectar@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h8PE7fqh007714; Thu, 25 Sep 2003 07:07:41 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Date: Thu, 25 Sep 2003 07:07:41 -0700 (PDT) Message-Id: <200309251407.h8PE7fqh007714@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f 
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Precedence: bulk
Subject: FreeBSD Security Advisory FreeBSD-SA-03:14.arp [REVISED]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Reply-To: security-advisories@freebsd.org
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 25 Sep 2003 14:07:45 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:14.arp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          denial of service due to ARP resource starvation

Category:       core
Module:         sys
Announced:      2003-09-25
Credits:        Apple Product Security
Affects:        All releases of FreeBSD
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2003-09-24 21:48:00 UTC (RELENG_4, 4.9-PRERELEASE)
                2003-09-25 13:33:01 UTC (RELENG_5_1, 5.1-RELEASE-p8)
                2003-09-25 13:33:29 UTC (RELENG_5_0, 5.0-RELEASE-p16)
                2003-09-25 13:34:14 UTC (RELENG_4_8, 4.8-RELEASE-p10)
                2003-09-25 13:34:31 UTC (RELENG_4_7, 4.7-RELEASE-p20)
                2003-09-25 13:34:52 UTC (RELENG_4_6, 4.6-RELEASE-p23)
                2003-09-25 13:35:18 UTC (RELENG_4_5, 4.5-RELEASE-p34)
                2003-09-25 13:35:33 UTC (RELENG_4_4, 4.4-RELEASE-p44)
                2003-09-25 13:35:48 UTC (RELENG_4_3, 4.3-RELEASE-p40)
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

0. Revision History

v1.0  2003-09-23  Initial release.
v1.1  2003-09-25  Initial patch was incorrect.

I. Background

The Address Resolution Protocol (ARP) is fundamental to the operation of IP with a variety of network technologies, such as Ethernet and WLAN. It is used to map IP addresses to MAC addresses, which enables hosts on a local network segment to communicate with each other directly. These mappings are stored in the system's ARP cache.
FreeBSD's ARP cache is implemented within the kernel routing table as a set of routes for the address family in use that have the LLINFO flag set. This is most commonly AF_INET (for IPv4).

Normally, when a FreeBSD system receives an ARP request for a network address configured on one of its interfaces from a system on a local network, it adds a reciprocal ARP entry to the cache for the system from where the request originated. Expiry timers are used to purge unused entries from the ARP cache. A reference count is maintained for each ARP entry. If the reciprocal ARP entry is not in use by an upper layer protocol, the reference count will be zero.

II. Problem Description

Under certain circumstances, it is possible for an attacker to flood a FreeBSD system with spoofed ARP requests, causing resource starvation which eventually results in a system panic. (The critical condition is that a route exists for the apparent source of the ARP request. This is always the case if the system has a default route configured for that protocol family.)

If a large number of ARP requests with different network protocol addresses are sent in a small space of time, resource starvation can result, as the arplookup() function does not delete unnecessary ARP entries cached as the result of responding to an ARP request.

NOTE WELL: Other BSD-derived systems may also be affected, as the affected code dates well back to the CSRG branches.

III. Impact

An attacker on the local network may be able to cause the system to hang or crash. The attacker must have physical access to the shared network medium. In the case of a wireless network obtaining this access may be trivial.

Networks where proxy ARP is used to direct traffic between LANs may be particularly vulnerable to the attack, as the spoofed ARP requests could be bounced through to the target via routers implementing proxy ARP.
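Since the advisory offers no workaround, the practical mitigation until a patched kernel is installed is to notice the flood early. The following detector is an added example, not part of the advisory or of FreeBSD: it looks for exactly the traffic pattern section II describes (many ARP requests, each with a different sender protocol address, arriving on one segment in a short time) over lines in the shape `tcpdump -e -n` prints for ARP requests. The line format, the MAC and IP addresses, the sample capture and the threshold of ten distinct senders per second are all constructed or assumed for the example.

```python
import re
from collections import defaultdict, deque
from typing import Iterable, List, NamedTuple

# Added example: detects the ARP request pattern from FreeBSD-SA-03:14.arp.
# Not code from the advisory or the FreeBSD kernel.


class ArpRequest(NamedTuple):
    ts: float        # seconds since midnight, from the tcpdump timestamp
    src_mac: str     # Ethernet source address of the frame
    sender_ip: str   # "tell" address: the sender protocol address
    target_ip: str   # "who-has" address


# Assumed shape of one `tcpdump -e -n` ARP request line, e.g.
# 12:00:01.000000 00:0c:29:de:ad:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806),
#   length 42: Request who-has 192.0.2.1 tell 198.51.100.1, length 28
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<smac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) > [0-9a-f:]{17}, "
    r"ethertype ARP \(0x0806\), length \d+: "
    r"Request who-has (?P<target>\d+\.\d+\.\d+\.\d+) "
    r"tell (?P<sender>\d+\.\d+\.\d+\.\d+), length \d+$"
)


def _ts_to_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_arp_requests(lines: Iterable[str]) -> List[ArpRequest]:
    """Keep only ARP requests; replies and non-ARP lines are ignored."""
    out = []
    for line in lines:
        m = ARP_REQUEST.match(line.strip())
        if m:
            out.append(ArpRequest(_ts_to_seconds(m["ts"]), m["smac"],
                                  m["sender"], m["target"]))
    return out


def detect_arp_flood(lines, window=1.0, max_distinct=10, per_mac=True):
    """Sliding-window count of distinct sender protocol addresses.

    per_mac=True keys the window on the frame's source MAC (one spoofing
    host); per_mac=False keys on the whole segment, which also catches an
    attacker who randomises the source MAC per frame. Returns one alert
    (key, distinct_count, ts) per key, the first time it exceeds
    max_distinct distinct senders inside `window` seconds.
    """
    recent = defaultdict(deque)   # key -> deque of (ts, sender_ip)
    alerted = set()
    alerts = []
    for req in parse_arp_requests(lines):
        key = req.src_mac if per_mac else "segment"
        q = recent[key]
        q.append((req.ts, req.sender_ip))
        while q and req.ts - q[0][0] > window:
            q.popleft()
        distinct = len({ip for _, ip in q})
        if distinct > max_distinct and key not in alerted:
            alerted.add(key)
            alerts.append((key, distinct, req.ts))
    return alerts


def build_sample() -> List[str]:
    """Constructed capture (not real traffic): two benign exchanges around a
    burst of 20 requests from one MAC, each claiming a new sender address."""
    fmt = ("{ts} {smac} > {dmac}, ethertype ARP (0x0806), length 42: "
           "{body}, length 28")
    lines = [
        fmt.format(ts="12:00:00.100000", smac="00:0c:29:aa:bb:01",
                   dmac="ff:ff:ff:ff:ff:ff",
                   body="Request who-has 192.0.2.1 tell 192.0.2.10"),
        fmt.format(ts="12:00:00.120000", smac="00:0c:29:aa:bb:02",
                   dmac="00:0c:29:aa:bb:01",
                   body="Reply 192.0.2.1 is-at 00:0c:29:aa:bb:02"),
    ]
    for i in range(20):
        lines.append(fmt.format(
            ts="12:00:01.{:06d}".format(i * 10000),
            smac="00:0c:29:de:ad:01", dmac="ff:ff:ff:ff:ff:ff",
            body="Request who-has 192.0.2.1 tell 198.51.100.{}".format(i + 1)))
    lines.append(fmt.format(ts="12:00:05.000000", smac="00:0c:29:aa:bb:03",
                            dmac="ff:ff:ff:ff:ff:ff",
                            body="Request who-has 192.0.2.1 tell 192.0.2.11"))
    return lines


if __name__ == "__main__":
    for key, n, ts in detect_arp_flood(build_sample()):
        print("ARP flood: %s claimed %d distinct sender IPs within 1s (t=%.2f)"
              % (key, n, ts))
```

Keying on the source MAC is the cheap first cut; an attacker who also randomises the source MAC defeats it, so run the segment-wide count (per_mac=False) as well on any segment where, as the advisory notes for wireless, joining is trivial. Tune the threshold against a baseline of the segment's normal request rate before alerting on it.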
Because the attack operates at Layer 2, the use of strong encryption technologies such as IPsec cannot protect a system against the attack.

IV. Workaround

There is no known workaround at this time.

V. Solution

Do one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_1, RELENG_5_0, RELENG_4_8, or RELENG_4_7 security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5-CURRENT, 4.9-PRERELEASE, and 4.8 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:14/arp.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:14/arp.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Rebuild your kernel as described in and reboot the system.

VI. Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/netinet/if_ether.c                                     1.64.2.26
RELENG_5_1
  src/UPDATING                                                  1.251.2.10
  src/sys/conf/newvers.sh                                        1.50.2.10
  src/sys/netinet/if_ether.c                                     1.104.2.2
RELENG_5_0
  src/UPDATING                                                  1.229.2.22
  src/sys/conf/newvers.sh                                        1.48.2.17
  src/sys/netinet/if_ether.c                                      1.96.2.2
RELENG_4_8
  src/UPDATING                                              1.73.2.80.2.12
  src/sys/conf/newvers.sh                                   1.44.2.29.2.11
  src/sys/netinet/if_ether.c                                 1.64.2.22.2.2
RELENG_4_7
  src/UPDATING                                              1.73.2.74.2.23
  src/sys/conf/newvers.sh                                   1.44.2.26.2.22
  src/sys/netinet/if_ether.c                                 1.64.2.19.2.2
RELENG_4_6
  src/UPDATING                                              1.73.2.68.2.52
  src/sys/conf/newvers.sh                                   1.44.2.23.2.40
  src/sys/netinet/if_ether.c                                 1.64.2.18.2.2
RELENG_4_5
  src/UPDATING                                              1.73.2.50.2.51
  src/sys/conf/newvers.sh                                   1.44.2.20.2.35
  src/sys/netinet/if_ether.c                                 1.64.2.15.2.2
RELENG_4_4
  src/UPDATING                                              1.73.2.43.2.52
  src/sys/conf/newvers.sh                                   1.44.2.17.2.43
  src/sys/netinet/if_ether.c                                 1.64.2.11.2.2
RELENG_4_3
  src/UPDATING                                              1.73.2.28.2.39
  src/sys/conf/newvers.sh                                   1.44.2.14.2.29
  src/sys/netinet/if_ether.c                                 1.64.2.10.2.2
- -------------------------------------------------------------------------

VII.
References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/cvNNFdaIBMps37IRAlIsAJ9Kj0u+ZUEOUcpqjl6hISvrALwGQgCfaG5m jpFBTK86xjFNz4t43ZQtcOU= =cfvr -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 07:32:53 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 597EC16A4B3 for ; Thu, 25 Sep 2003 07:32:53 -0700 (PDT) Received: from mail.seekingfire.com (coyote.seekingfire.com [24.72.10.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id 74FA143FA3 for ; Thu, 25 Sep 2003 07:32:51 -0700 (PDT) (envelope-from tillman@seekingfire.com) Received: from blues.seekingfire.prv (blues.seekingfire.prv [192.168.23.211]) by mail.seekingfire.com (Postfix) with ESMTP id 981A5123 for ; Thu, 25 Sep 2003 08:32:50 -0600 (CST) Received: (from tillman@localhost) by blues.seekingfire.prv (8.11.6/8.11.6) id h8PEWoJ25191 for freebsd-security@freebsd.org; Thu, 25 Sep 2003 08:32:50 -0600 Date: Thu, 25 Sep 2003 08:32:50 -0600 
From: Tillman Hodgson To: freebsd-security@freebsd.org Message-ID: <20030925083250.H18252@seekingfire.com> References: <20030924122724.V31322@localhost> <200309241555.30825.jesse@wingnet.net> <20030924153355.T55021@walter> <20030924191807.D18252@seekingfire.com> <20030924230228.K55021@walter> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20030924230228.K55021@walter>; from freebsd-security@dfmm.org on Wed, Sep 24, 2003 at 11:10:55PM -0700 X-Urban-Legend: There is lots of hidden information in headers Subject: Re: unified authentication X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Sep 2003 14:32:53 -0000 On Wed, Sep 24, 2003 at 11:10:55PM -0700, Jason Stone wrote: > > > Well, it's worse than that - since the packets are not authenticated in > > > any way, an active attacker doesn't need to crack passwords - he can just > > > inject his own packets which can have crypted passwords that he knows. > > > > Which is why I use NIS with Kerberos - the passwords aren't in the NIS > > maps and injected fake users won't be authenticated by Kerberos. > > Okay, but I can still set jason's uid the same as tillman's and then use > his dot-files to alias his ssh to a trojan. Or set jason's uid to zero.... How is this attacker injecting packets onto the network? They must have obtained root on the local machine. If they have root on the local machine they can trojan files /anyway/. They can change UIDs around all they want. This situation is dangerous no matter what network authorization system is in use. Running NIS over IPsec would be better, of course, just as running /anything/ over IPsec is generally better. But I don't think that it's trivial to compromise Kerberos+NIS as a regular user. 
-T -- All beings are Buddha. All beings are the truth, just as they are. Robert Aitken From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 08:55:17 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C7A9916A4B3 for ; Thu, 25 Sep 2003 08:55:17 -0700 (PDT) Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id D88CD43FF9 for ; Thu, 25 Sep 2003 08:55:16 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.12.9/8.12.9) with ESMTP id h8PFsugL050585; Thu, 25 Sep 2003 11:54:56 -0400 (EDT) (envelope-from robert@fledge.watson.org) Received: from localhost (robert@localhost)h8PFsuHb050582; Thu, 25 Sep 2003 11:54:56 -0400 (EDT) Date: Thu, 25 Sep 2003 11:54:55 -0400 (EDT) 
From: Robert Watson X-Sender: robert@fledge.watson.org To: Jesse Guardiani In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: unified authentication X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Sep 2003 15:55:17 -0000 On Wed, 24 Sep 2003, Jesse Guardiani wrote: > > My current preference in new installs is to use Kerberos5 for > > authentication and LDAP for account information. If you're willing to > > throw SSL into the mix, a lack of "kerberization" isn't such a problem -- > > you basically end up using Kerberos5 as a distributed password mechanism > > for non-Kerberized clients. I.e., using IMAP over SSL, SMTP over SSL, > > etc. > > And that's more or less what I was thinking of doing here, except it > wouldn't be IMAP and SMTP (because that is already handled by my mail > server's MySQL database), but Kerberos as a distributed password > mechanism for SSH, Apache .htaccess, Cisco routers, etc... > > Does that work well with FreeBSD 4.8? Or would I need to use 5.x to > deploy Kerberos5 in that manner? Kerberos5 should work fine; direct support for LDAP is a problem for 4.x due to a lack of complete NSS support--to do this directly, you'd need to run 5.x. My understanding is that some sites dump their LDAP databases to NIS databases and share them on the FreeBSD side using NIS, which is also a reasonable (if less secure) solution. If you just want to use Kerberos5 for password sharing, 4.x should be no problem at all. 
Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 08:56:26 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 102E716A4B3 for ; Thu, 25 Sep 2003 08:56:25 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id CDE7D43FF7 for ; Thu, 25 Sep 2003 08:56:24 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.12.9/8.12.9) with ESMTP id h8PFu4gL050597; Thu, 25 Sep 2003 11:56:04 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Received: from localhost (robert@localhost)h8PFu41q050594; Thu, 25 Sep 2003 11:56:04 -0400 (EDT)
Date: Thu, 25 Sep 2003 11:56:04 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Tillman Hodgson
In-Reply-To: <20030924145029.V18252@seekingfire.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: unified authentication
X-List-Received-Date: Thu, 25 Sep 2003 15:56:26 -0000

On Wed, 24 Sep 2003, Tillman Hodgson wrote:

> > Once I get authentication working, how do I handle
> > the creation of home directories and basic user
> > files across multiple machines?
> >
> > Do I need to start running NFS, or is there a more
> > elegant solution?
>
> OpenAFS, very elegant solution. Unfortunately, it doesn't work on
> FreeBSD yet (or anymore as a client).

The Arla client used to work quite well, and probably still works quite
well on 4.x. I'm not sure of the status of Arla on 5.x. It sounded like
Tom Maher had the OpenAFS server code up and running on FreeBSD, so you
should at least have access to a pair of AFS client/server that work.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 09:01:09 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 89E8316A4B3 for ; Thu, 25 Sep 2003 09:01:09 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id A162343FCB for ; Thu, 25 Sep 2003 09:01:08 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.12.9/8.12.9) with ESMTP id h8PG0mgL050686; Thu, 25 Sep 2003 12:00:48 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Received: from localhost (robert@localhost)h8PG0m1Z050683; Thu, 25 Sep 2003 12:00:48 -0400 (EDT)
Date: Thu, 25 Sep 2003 12:00:48 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Jesse Guardiani
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: unified authentication
X-List-Received-Date: Thu, 25 Sep 2003 16:01:09 -0000

On Thu, 25 Sep 2003, Robert Watson wrote:

> Kerberos5 should work fine; direct support for LDAP is a problem for 4.x
> due to a lack of complete NSS support--to do this directly, you'd need
> to run 5.x. My understanding is that some sites dump their LDAP
> databases to NIS databases and share them on the FreeBSD side using NIS,
> which is also a reasonable (if less secure) solution. If you just want
> to use Kerberos5 for password sharing, 4.x should be no problem at all.

Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
access) between a set of trusted hosts, with no modifications to the
privileged port set, should be fairly safe against unprivileged users
logged into the machines. The same goes for NFS. If you break any of
these assumptions, then the security properties go out the window.

Another popular solution, if your password files/etc don't change all
that frequently, is to push/pull them over cryptographically protected
protocols. I.e., to poll using https, or push using ssh. By distributing
(in a manner of speaking) the passwords themselves using Kerberos5, most
sites have a pretty slow rate of change for password files.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 09:06:51 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A091416A4B3; Thu, 25 Sep 2003 09:06:51 -0700 (PDT)
Received: from bas.flux.utah.edu (bas.flux.utah.edu [155.98.60.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 69FBF44008; Thu, 25 Sep 2003 09:06:50 -0700 (PDT) (envelope-from danderse@flux.utah.edu)
Received: from bas.flux.utah.edu (localhost [127.0.0.1]) by bas.flux.utah.edu (8.12.9/8.12.5) with ESMTP id h8PG6oLj084352; Thu, 25 Sep 2003 10:06:50 -0600 (MDT) (envelope-from danderse@bas.flux.utah.edu)
Received: (from danderse@localhost) by bas.flux.utah.edu (8.12.9/8.12.5/Submit) id h8PG6ogI084351; Thu, 25 Sep 2003 10:06:50 -0600 (MDT)
Date: Thu, 25 Sep 2003 10:06:50 -0600
From: "David G. Andersen"
To: Robert Watson
Message-ID: <20030925100650.B80664@cs.utah.edu>
References: <20030924145029.V18252@seekingfire.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: ; from rwatson@freebsd.org on Thu, Sep 25, 2003 at 11:56:04AM -0400
cc: freebsd-security@freebsd.org
Subject: Re: unified authentication
X-List-Received-Date: Thu, 25 Sep 2003 16:06:51 -0000

Robert Watson just mooed:
>
> On Wed, 24 Sep 2003, Tillman Hodgson wrote:
>
> > > Once I get authentication working, how do I handle
> > > the creation of home directories and basic user
> > > files across multiple machines?
> > >
> > > Do I need to start running NFS, or is there a more
> > > elegant solution?
> >
> > OpenAFS, very elegant solution. Unfortunately, it doesn't work on
> > FreeBSD yet (or anymore as a client).
>
> The Arla client used to work quite well, and probably still works quite
> well on 4.x. I'm not sure of the status of Arla on 5.x. It sounded like
> Tom Maher had the OpenAFS server code up and running on FreeBSD, so you
> should at least have access to a pair of AFS client/server that work.

If the client machines are semi-trusted, SFS is a good solution. I don't
know that its authentication is integrated with kerberos, but the security
model is at least stronger than NFS: Root on a client machine could gain
access to users' accounts if they accessed them from that machine, but not
to accounts that merely were OK to export to that machine.

http://www.fs.net/

-Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.
From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 09:15:04 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BCC4516A4B3 for ; Thu, 25 Sep 2003 09:15:04 -0700 (PDT)
Received: from mail.seekingfire.com (coyote.seekingfire.com [24.72.10.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8D2264400D for ; Thu, 25 Sep 2003 09:15:03 -0700 (PDT) (envelope-from tillman@seekingfire.com)
Received: from blues.seekingfire.prv (blues.seekingfire.prv [192.168.23.211]) by mail.seekingfire.com (Postfix) with ESMTP id E4B60123 for ; Thu, 25 Sep 2003 10:15:02 -0600 (CST)
Received: (from tillman@localhost) by blues.seekingfire.prv (8.11.6/8.11.6) id h8PGF2p25451 for freebsd-security@freebsd.org; Thu, 25 Sep 2003 10:15:02 -0600
Date: Thu, 25 Sep 2003 10:15:02 -0600
From: Tillman Hodgson
To: freebsd-security@freebsd.org
Message-ID: <20030925101502.M18252@seekingfire.com>
References: <20030924145029.V18252@seekingfire.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: ; from rwatson@freebsd.org on Thu, Sep 25, 2003 at 11:56:04AM -0400
X-Urban-Legend: There is lots of hidden information in headers
Subject: Re: unified authentication
X-List-Received-Date: Thu, 25 Sep 2003 16:15:04 -0000

On Thu, Sep 25, 2003 at 11:56:04AM -0400, Robert Watson wrote:
>
> On Wed, 24 Sep 2003, Tillman Hodgson wrote:
>
> > > Once I get authentication working, how do I handle
> > > the creation of home directories and basic user
> > > files across multiple machines?
> > >
> > > Do I need to start running NFS, or is there a more
> > > elegant solution?
> >
> > OpenAFS, very elegant solution. Unfortunately, it doesn't work on
> > FreeBSD yet (or anymore as a client).
>
> The Arla client used to work quite well, and probably still works quite
> well on 4.x. I'm not sure of the status of Arla on 5.x. It sounded like
> Tom Maher had the OpenAFS server code up and running on FreeBSD, so you
> should at least have access to a pair of AFS client/server that work.

I'd love to use AFS, so I'm encouraged when I hear that. But Arla has been
marked as broken since May 17, 2002. And while I haven't tried it in a few
months, I've been unable to get the OpenAFS server building on -STABLE
(i386) or -CURRENT (sparc64). I suspect that it might work on -CURRENT
(i386) but I don't have a test box for that handy.

If somebody has it working reliably enough to make a port ... :-)

-T

--
Say something about a thing and already you're off the mark.
Nan-Yueh Huai-Jang

From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 09:37:37 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2118016A4B3 for ; Thu, 25 Sep 2003 09:37:37 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2DDF844001 for ; Thu, 25 Sep 2003 09:37:36 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.12.9/8.12.9) with ESMTP id h8PGbEgL051052; Thu, 25 Sep 2003 12:37:14 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Received: from localhost (robert@localhost)h8PGbDfb051049; Thu, 25 Sep 2003 12:37:14 -0400 (EDT)
Date: Thu, 25 Sep 2003 12:37:13 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: "David G. Andersen"
In-Reply-To: <20030925100650.B80664@cs.utah.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: unified authentication
X-List-Received-Date: Thu, 25 Sep 2003 16:37:37 -0000

On Thu, 25 Sep 2003, David G. Andersen wrote:

> > The Arla client used to work quite well, and probably still works quite
> > well on 4.x. I'm not sure of the status of Arla on 5.x. It sounded like
> > Tom Maher had the OpenAFS server code up and running on FreeBSD, so you
> > should at least have access to a pair of AFS client/server that work.
>
> If the client machines are semi-trusted, SFS is a good solution.
> I don't know that its authentication is integrated with kerberos,
> but the security model is at least stronger than NFS: Root on a
> client machine could gain access to users accounts if they accessed
> them from that machine, but not to accounts that merely were OK
> to export to that machine.
>
> http://www.fs.net/

And one of the very nice things about the SFS implementation is that it
plugs into loop-back NFS on the client, so you don't need special kernel
changes, which is what has made the OpenAFS and Arla stuff so difficult.
On the other hand, there's presumably the expected observable performance
difference...
Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 09:50:17 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 851C416A4B3; Thu, 25 Sep 2003 09:50:17 -0700 (PDT)
Received: from bas.flux.utah.edu (bas.flux.utah.edu [155.98.60.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD43943FFD; Thu, 25 Sep 2003 09:50:16 -0700 (PDT) (envelope-from danderse@flux.utah.edu)
Received: from bas.flux.utah.edu (localhost [127.0.0.1]) by bas.flux.utah.edu (8.12.9/8.12.5) with ESMTP id h8PGoGLj085791; Thu, 25 Sep 2003 10:50:16 -0600 (MDT) (envelope-from danderse@bas.flux.utah.edu)
Received: (from danderse@localhost) by bas.flux.utah.edu (8.12.9/8.12.5/Submit) id h8PGoGXP085790; Thu, 25 Sep 2003 10:50:16 -0600 (MDT)
Date: Thu, 25 Sep 2003 10:50:16 -0600
From: "David G. Andersen"
To: Robert Watson
Message-ID: <20030925105016.C80664@cs.utah.edu>
References: <20030925100650.B80664@cs.utah.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: ; from rwatson@freebsd.org on Thu, Sep 25, 2003 at 12:37:13PM -0400
cc: freebsd-security@freebsd.org
Subject: Re: unified authentication
X-List-Received-Date: Thu, 25 Sep 2003 16:50:17 -0000

Robert Watson just mooed:
> >
> > http://www.fs.net/
>
> And one of the very nice things about the SFS implementation is that it
> plugs into loop-back NFS on the client, so you don't need special kernel
> changes, which is what has made the OpenAFS and Arla stuff so difficult.
> On the other hand, there's presumably the expected observable performance
> difference...

It's surprisingly not bad. The network and crypto are usually the
limiting factors. From two machines in the same building going through
one router:

SFS> /usr/bin/time dd if=/dev/zero of=foo bs=8k count=1k
8388608 bytes transferred in 1.677283 secs (5001308 bytes/sec)
        1.87 real         0.00 user         0.10 sys

From a Linux NFS client, same dd, same lan, no interposed router, 1.14
elapsed, 0.01 user, 0.02 system.

DM's eval suggests that their performance for things like FreeBSD kernel
compiles is usually better than NFS over TCP, barely worse than NFS over
UDP, and 25%ish slower than the local filesystem. In other words, it's
within the realm of the OK. I don't like compiling with my object trees
over any remote filesystem, but I find keeping my source tree on SFS to
be about the same as keeping it on NFS.

The 'rex' authentication system they've built is pretty slick, but has
the downside that my fingers think "ssh" when I want to login...
-Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.

From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 09:58:51 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 37D7716A4B3 for ; Thu, 25 Sep 2003 09:58:51 -0700 (PDT)
Received: from mail.secureworks.net (mail.secureworks.net [209.101.212.155]) by mx1.FreeBSD.org (Postfix) with SMTP id 0DE5744001 for ; Thu, 25 Sep 2003 09:58:49 -0700 (PDT) (envelope-from mdg@secureworks.net)
Received: (qmail 89236 invoked from network); 25 Sep 2003 16:56:17 -0000
Received: from unknown (HELO HOST-192-168-17-31.internal.secureworks.net) (63.239.86.253) by mail.secureworks.net with SMTP; 25 Sep 2003 16:56:17 -0000
Date: Thu, 25 Sep 2003 12:58:25 -0400 (EDT)
From: Matthew George
X-X-Sender: mdg@localhost
To: Robert Watson
In-Reply-To:
Message-ID: <20030925124655.C31322@localhost>
References:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
cc: Jesse Guardiani
Subject: Re: unified authentication
X-List-Received-Date: Thu, 25 Sep 2003 16:58:51 -0000

On Thu, 25 Sep 2003, Robert Watson wrote:

> Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> access) between a set of trusted hosts, with no modifications to the
> privileged port set, should be fairly safe against unprivileged users
> logged into the machines. The same goes for NFS. If you break any of
> these assumptions, then the security properties go out the window.

It should probably also be noted that when using NIS in a multi-platform
environment, UNSECURE="True" must be set in /var/yp/Makefile. When using
FreeBSD machines only, the passwd maps are generated without password
fields, the master.passwd maps are generated with them, and only requests
from privileged ports (superuser requests) will be given the master.passwd
maps (hence the comment above about modifying the privileged port set).
Other operating systems' NIS implementations require the password fields
to be in the passwd maps, which are available to unprivileged users.
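The map-serving policy described above (passwd maps stripped of hashes, master.passwd maps served only to privileged source ports, UNSECURE="True" putting the hashes back into the world-readable passwd maps) is easier to reason about as code. The model below is an added example, not FreeBSD's ypserv or anything from /var/yp/Makefile, and not part of Matthew George's post; the "*" placeholder in the stripped password field, the sample accounts and their hash strings are constructed for the example.

```python
"""Toy model of how a FreeBSD NIS server hands out password maps.

Added example, not FreeBSD's ypserv or /var/yp/Makefile code. It assumes,
as the thread describes, that with UNSECURE unset the passwd.* maps carry
no password hashes and that master.passwd.* maps are returned only to
clients whose request comes from a privileged (< 1024) source port.
The "*" written into the stripped field is an assumption of this model.
"""
from dataclasses import dataclass

PRIVILEGED_PORT_MAX = 1023  # ports 0-1023 can only be bound by the superuser


@dataclass(frozen=True)
class Account:
    name: str
    pw_hash: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


# Constructed sample accounts; the hashes are placeholders, not crypt() output.
SAMPLE_ACCOUNTS = [
    Account("alice", "$1$PLACEHOLDERHASH1", 1001, 1001, "Alice", "/home/alice", "/bin/sh"),
    Account("bob", "$1$PLACEHOLDERHASH2", 1002, 1002, "Bob", "/home/bob", "/bin/csh"),
]


def passwd_map(accounts, unsecure=False):
    """passwd.byname: 7-field entries; the hash is present only with UNSECURE="True"."""
    return {
        a.name: ":".join([a.name, a.pw_hash if unsecure else "*",
                          str(a.uid), str(a.gid), a.gecos, a.home, a.shell])
        for a in accounts
    }


def master_passwd_map(accounts):
    """master.passwd.byname: 10-field entries (class/change/expire added), hash always present."""
    return {
        a.name: ":".join([a.name, a.pw_hash, str(a.uid), str(a.gid),
                          "", "0", "0", a.gecos, a.home, a.shell])
        for a in accounts
    }


def serve(map_name, key, client_port, accounts=SAMPLE_ACCOUNTS, unsecure=False):
    """Answer a match request for `key` in `map_name` under the policy above.

    Returns the map entry, or None when the map is refused or the key is absent.
    """
    if map_name.startswith("master.passwd."):
        if client_port > PRIVILEGED_PORT_MAX:
            return None  # unprivileged client: refuse the hash-bearing map
        return master_passwd_map(accounts).get(key)
    if map_name.startswith("passwd."):
        return passwd_map(accounts, unsecure).get(key)
    return None  # other maps are outside this model


def hash_exposed(map_name, key, client_port, unsecure=False):
    """True when this request would hand the caller the account's real password hash."""
    entry = serve(map_name, key, client_port, unsecure=unsecure)
    if entry is None:
        return False
    return entry.split(":")[1] != "*"


if __name__ == "__main__":
    for port in (1022, 40000):  # privileged vs. unprivileged client
        for unsecure in (False, True):
            print(f"port={port:5d} unsecure={unsecure!s:5} passwd.byname hash exposed:",
                  hash_exposed("passwd.byname", "alice", port, unsecure),
                  "| master.passwd.byname served:",
                  serve("master.passwd.byname", "alice", port) is not None)
```

The `hash_exposed` check is the one worth keeping in mind: on a FreeBSD-only network the hashes are reachable only through master.passwd.* from a privileged port, so only root on a trusted host sees them; setting UNSECURE="True" for non-FreeBSD clients moves the hashes into passwd.*, which any user on the network can fetch, and the privileged-port rule no longer protects anything.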
--
Matthew George
SecureWorks Technical Operations

From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 12:01:50 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2910616A4B3 for ; Thu, 25 Sep 2003 12:01:50 -0700 (PDT)
Received: from avocet.mail.pas.earthlink.net (avocet.mail.pas.earthlink.net [207.217.120.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3BC4743FBF for ; Thu, 25 Sep 2003 12:01:49 -0700 (PDT) (envelope-from vjones62@earthlink.net)
Received: from huey.psp.pas.earthlink.net ([207.217.78.220]) by avocet.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 1A2bN6-0003Ga-00 for freebsd-security@freebsd.org; Thu, 25 Sep 2003 12:01:48 -0700
Message-ID: <30098393.1064516508386.JavaMail.root@huey.psp.pas.earthlink.net>
Date: Thu, 25 Sep 2003 15:01:47 -0400 (GMT-04:00)
From: "V. Jones"
To: freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Earthlink Zoo Mail 1.0
Subject: FreeBSD Patch question
Reply-To: "V. Jones"
X-List-Received-Date: Thu, 25 Sep 2003 19:01:50 -0000

I administer a remote server and want to apply some of the security
patches. (I assume this is the best way to go since I can't go into
single-user mode to use CVsup). I have a couple of questions.

First, I have installed one of the pgp ports to verify the patches. When
I run it, I get this message:

> File 'buffer46.patch.asc' has signature, but with no text.
> Text is assumed to be in file 'buffer46.patch'.
> signature not checked.
> Signature made 2003/09/17 18:02 GMT
> key does not meet validity threshold.
> WARNING: Because this public key is not certified with a trusted
> signature, it is not known with high confidence that this public key
> actually belongs to: "(KeyID: 0xCA6CDFB2)".

I guess that I need to do some additional set up to get pgp to validate
this file. Can anyone tell me where to find a howto on this subject or
tell me what to do?

Second, do I have to apply each patch, then run make after each patch, or
can I apply all the patches and just run make once?

Any other advice or suggestions on updating a remote system would be
appreciated.
From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 12:04:02 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 97E7916A4B3 for ; Thu, 25 Sep 2003 12:04:02 -0700 (PDT)
Received: from mail.seekingfire.com (coyote.seekingfire.com [24.72.10.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2339943FE1 for ; Thu, 25 Sep 2003 12:04:01 -0700 (PDT) (envelope-from tillman@seekingfire.com)
Received: from blues.seekingfire.prv (blues.seekingfire.prv [192.168.23.211]) by mail.seekingfire.com (Postfix) with ESMTP id 343EB2D for ; Thu, 25 Sep 2003 13:03:57 -0600 (CST)
Received: (from tillman@localhost) by blues.seekingfire.prv (8.11.6/8.11.6) id h8PJ3vE25816 for freebsd-security@freebsd.org; Thu, 25 Sep 2003 13:03:57 -0600
Date: Thu, 25 Sep 2003 13:03:56 -0600
From: Tillman Hodgson
To: freebsd-security@freebsd.org
Message-ID: <20030925130356.S18252@seekingfire.com>
References: <20030925124655.C31322@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20030925124655.C31322@localhost>; from mdg@secureworks.net on Thu, Sep 25, 2003 at 12:58:25PM -0400
X-Urban-Legend: There is lots of hidden information in headers
Subject: Re: unified authentication
X-List-Received-Date: Thu, 25 Sep 2003 19:04:02 -0000

On Thu, Sep 25, 2003 at 12:58:25PM -0400, Matthew George wrote:
> On Thu, 25 Sep 2003, Robert Watson wrote:
>
> > Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> > access) between a set of trusted hosts, with no modifications to the
> > privileged port set, should be fairly safe against unprivileged users
> > logged into the machines. The same goes for NFS. If you break any of
> > these assumptions, then the security properties go out the window.
>
> It should probably also be noted that when using NIS in a multi-platform
> environment, UNSECURE="True" must be set in /var/yp/Makefile. When using
> FreeBSD machines only, the passwd maps are generated without password
> fields, the master.passwd maps are generated with them, and only requests
> from privileged ports (superuser requests) will be given the master.passwd
> maps (hence the comment above about modifying the privileged port set).
> Other operating systems' NIS implementations require the password fields
> to be in the passwd maps, which are available to unprivileged users.

Or one could put something like "*" or "krb5" in the password field and
use Kerberos with NIS to obtain extra security in a cross-platform
environment.
-T

--
In the beginner's mind there are many possibilities. In the expert's
mind there are few.
- Suzuki-roshi

From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 12:17:07 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 30B6016A4B3 for ; Thu, 25 Sep 2003 12:17:07 -0700 (PDT)
Received: from expresso.netweaver.net (expresso.netweaver.net [217.151.99.17]) by mx1.FreeBSD.org (Postfix) with SMTP id 7E00543FE5 for ; Thu, 25 Sep 2003 12:17:03 -0700 (PDT) (envelope-from lists@chrishowells.co.uk)
Received: (qmail 11757 invoked from network); 25 Sep 2003 19:13:33 -0000
Received: from unknown (HELO ) (chris@chrishowells.co.uk@213.78.102.90) by 0 with SMTP; 25 Sep 2003 19:13:33 -0000
From: Chris Howells
Organization: http://chrishowells.co.uk
To: freebsd-security@freebsd.org
Date: Thu, 25 Sep 2003 20:16:53 +0100
User-Agent: KMail/1.5.9
References: <30098393.1064516508386.JavaMail.root@huey.psp.pas.earthlink.net>
In-Reply-To: <30098393.1064516508386.JavaMail.root@huey.psp.pas.earthlink.net>
X-GPG-Fingerprint: 5863 DF82 C34D 7291 CC63 CA1B 17C2 2ED7 3379 5A2C
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200309252016.58398.lists@chrishowells.co.uk>
Subject: Re: FreeBSD Patch question
X-List-Received-Date: Thu, 25 Sep 2003 19:17:07 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On Thursday 25 September 2003 20:01, V. Jones wrote:
> I administer a remote server and want to apply some of the security
> patches. (I assume this is the best way to go since I can't go into
> single-user mode to use CVsup).

Why do you want to go into single user mode to use cvsup anyway? I cvsup as
normal, use screen(1) to do a compile (the box is headless so I check on the
compile periodically using ssh), and then only go into single user when I do
the 'make installworld'.

- --
Cheers, Chris Howells -- chris@chrishowells.co.uk, howells@kde.org
Web: http://chrishowells.co.uk, PGP ID: 0x33795A2C
KDE/Qt/C++/PHP Developer: http://www.kde.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE/cz8qF8Iu1zN5WiwRAh2xAJ46jWX6gqlUEipe2O0ngOL0ZdypFQCePW6m
+o00iiNf/B2OdVSZLfCw0Eg=
=WmI/
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 12:53:58 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C93216A4B3 for ; Thu, 25 Sep 2003 12:53:58 -0700 (PDT)
Received: from amsfep11-int.chello.nl (amsfep11-int.chello.nl [213.46.243.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id E324543FF7 for ; Thu, 25 Sep 2003 12:53:56 -0700 (PDT) (envelope-from dodell@sitetronics.com)
Received: from sitetronics.com ([213.46.142.207]) by amsfep11-int.chello.nl (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with ESMTP id <20030925195354.BTBE4585.amsfep11-int.chello.nl@sitetronics.com>; Thu, 25 Sep 2003 21:53:54 +0200
Message-ID: <3F734780.7060506@sitetronics.com>
Date: Thu, 25 Sep 2003 21:52:32 +0200
From: "Devon H. O'Dell"
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030820
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "V. Jones"
References: <30098393.1064516508386.JavaMail.root@huey.psp.pas.earthlink.net>
In-Reply-To: <30098393.1064516508386.JavaMail.root@huey.psp.pas.earthlink.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Patch question
X-List-Received-Date: Thu, 25 Sep 2003 19:53:58 -0000

V. Jones wrote:

> I administer a remote server and want to apply some of the security
> patches. (I assume this is the best way to go since I can't go into
> single-user mode to use CVsup).

First: you can update your system without booting into single-user mode.
I hope I don't get chewed out for suggesting this, but if there's nobody
physically *at* your server to do the update for you, you're going to
have to do it yourself (see below).

> I have a couple of questions. First, I have installed one of the pgp
> ports to verify the patches. When I run it, I get this message:
>
> > File 'buffer46.patch.asc' has signature, but with no text.
> > Text is assumed to be in file 'buffer46.patch'.
> > signature not checked.
> > Signature made 2003/09/17 18:02 GMT
> > key does not meet validity threshold.
> >
> > WARNING: Because this public key is not certified with a trusted
> > signature, it is not known with high confidence that this public key
> > actually belongs to: "(KeyID: 0xCA6CDFB2)".
>
> I guess that I need to do some additional set up to get pgp to validate
> this file. Can anyone tell me where to find a howto on this subject or
> tell me what to do?

Sure.

IIRC, this just means that you've not marked the person's (KeyID:
0xCA6CDFB2) signature as trusted. You'll need to connect to a keyserver
and download the information about the person with KeyID: 0xCA6CDFB2. If
you trust that you've the right data, you can mark said person as
trusted.

> Second, Do I have apply each patch, then run make after each patch, or
> can I apply all the patches and just run make once?
>
> Any other advice or suggestions on updating a remote system would be
> appreciated.

You can apply all the patches and run make one time. If you're not
interested in rebuilding the entire userland (and you're not installing
newer versions of userland utilities that rely on an updated kernel), you
can just run cvsup, download the source, and run make from within the
desired directories.

The handbook recommends that one drop into single user mode to build the
world. While this is certainly best practice, it is by no means
absolutely necessary. I administer several servers in up to nine time
zones away from me and, whenever there's a security advisory, I either
a) rebuild the entire userland and kernel if I've found enough things I
need to change/tune at kernel level, or b) rebuild and install the
affected patches (which may actually cause option a -- rebuilding the
world -- to be a necessity).

Again, building the world under single-user mode is a highly suggested
best practice. It is by no means absolutely necessary and I've been doing
it for a good while with no problems (never had a problem with it).

I'd be glad to help you out with it privately, if you so wish.
--Devon From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 13:13:56 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C44816A4B3 for ; Thu, 25 Sep 2003 13:13:56 -0700 (PDT) Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 59DF144001 for ; Thu, 25 Sep 2003 13:13:53 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.12.9/8.12.9) with ESMTP id h8PKDUgL053291; Thu, 25 Sep 2003 16:13:30 -0400 (EDT) (envelope-from robert@fledge.watson.org) Received: from localhost (robert@localhost)h8PKDU8D053288; Thu, 25 Sep 2003 16:13:30 -0400 (EDT) Date: Thu, 25 Sep 2003 16:13:30 -0400 (EDT) 
From: Robert Watson X-Sender: robert@fledge.watson.org To: "V. Jones" In-Reply-To: <30098393.1064516508386.JavaMail.root@huey.psp.pas.earthlink.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Patch question X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Sep 2003 20:13:56 -0000 On Thu, 25 Sep 2003, V. Jones wrote: > I administer a remote server and want to apply some of the security > patches. (I assume this is the best way to go since I can't go into > single-user mode to use CVsup). I generally follow the following practice: cvsup in multiuser buildworld in multiuser buildkernel in multiuser These stages, other than impact on cpu, memory, disk i/o speed, and storage space, shouldn't interact with the running environment and so shouldn't be a problem. Then comes the slightly more tricky bit: I decide whether I'm willing to update while running multiuser. If I am: installkernel reboot installworld mergemaster reboot If I'm not, the procedure is much the same except that I boot only to single-user after the first reboot, mount -a, swapon, and proceed. Note that there are a number of risks and complications associated with the installworld and mergemaster steps, both in multiuser and singleuser mode. multiuser is typically more risky: for example, if mergemaster notices a change to MAKEDEV, it will prompt to recreate devices. DO NOT DO THIS ON A LIVE MULTIUSER SYSTEM. :-) If you do run it, it will reset all the permissions in /dev, leaving in-use ttys world readable and writable. This will permit unprivileged users to potentially sniff the I/O for more privileged users, send output to their display, etc. So it's fine in single-user, but not multi-user. 
Typically, that sort of change doesn't occur on the security/release branches, but will happen with moderate frequency as you track -STABLE.

> I have a couple of questions. First, I have installed one of the pgp
> ports to verify the patches. When I run it, I get this message:
>
> > File 'buffer46.patch.asc' has signature, but with no text.
> > Text is assumed to be in file 'buffer46.patch'.
> > signature not checked.
> > Signature made 2003/09/17 18:02 GMT
> > key does not meet validity threshold.
> >
> > WARNING: Because this public key is not certified with a trusted
> > signature, it is not known with high confidence that this public key
> > actually belongs to: "(KeyID: 0xCA6CDFB2)".
>
> I guess that I need to do some additional set up to get pgp to validate
> this file. Can anyone tell me where to find a howto on this subject or
> tell me what to do?

PGP relies on a "web of trust". Users sign each other's identities to bind them to keys. Your local PGP keyring will hold any keys and signatures you've stuffed in there. PGP determines "trust" by building a path of signatures and validations between you and the target key. There are various parameters to determine the degree of transitivity to trust, etc. There's fairly extensive documentation of the PGP trust model on various web pages, but you can read the above warning as simply "There is no path of signatures between your trusted keys and the key used to sign this message/file". For the highest level of confidence, attend a USENIX or BSDCon key signing, and sign the security-officer key yourself once you've seen the fingerprint, etc. For lower levels of confidence, go to a key-signing event with someone who has signed the security-officer key, etc, etc.

> Second, do I have to apply each patch, then run make after each patch, or
> can I apply all the patches and just run make once?

It depends a bit on the patches and the branch.
If you're tracking a release/patch branch, you can cvsup forward to the head of the branch, then rebuild the identified components. Sometimes, patches and update activities coalesce well (unrelated change to unrelated binaries). Sometimes, less well -- you might have to make sure to build libraries before binaries, for example, or apply a series of sendmail or ssh patches in order. Cvsuping forward and rebuilding world and kernel is a reasonable answer for most people, and means you don't have to worry about the ordering.

FYI, regarding your general interest in advice: the single best piece of advice for remotely administered systems is to get a serial console. That way if something gets messed up, you have a decent chance of being able to fix it. It means you have full access to single-user mode, you can select which kernel to run at boot, even have multiple root file systems (production, backup) and swap between them. It takes a lot of the risk out of upgrades by providing a good escape route if networking fails to come up properly, for example. With the recent ARP fix, there was a functional regression in the first version of the patch, which caused routing to fail under some circumstances. If you had access to a serial console for a remote box, you were fine because you could revert to the previous kernel once you noticed the problem. Otherwise, you might be out of luck...
Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 05:57:49 2003
Date: Fri, 26 Sep 2003 7:40:18 +0400
From: "Gaspar Chilingarov"
To: freebsd-security@freebsd.org
Message-Id: <20030926125154.6A6A443FAF@mx1.FreeBSD.org>
Subject: Re: FreeBSD Patch question

Probably this should be included in the FAQ; very good and detailed answer...

--------- Original Message --------
From: Robert Watson
To: V. Jones
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Patch question
Date: 26/09/03 00:15

> [Robert Watson's reply of Thu, 25 Sep 2003, shown in full above, was quoted here in its entirety]
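Robert Watson's explanation of the web of trust, as quoted in the message above, worked through as an added example (this is not code from the list thread, nor from PGP or GnuPG): a small model of a keyring that decides whether the key that signed a patch has a path of signatures back to keys you trust, and so reproduces both the "key does not meet validity threshold" warning V. Jones saw and the two ways Robert describes of clearing it. Key ID 0xCA6CDFB2 is the security-officer key from the pgp output; every other key ID, the `Keyring` class and the `scenario_*` functions are constructed for illustration, and the "one fully trusted signer or three marginally trusted signers" thresholds are assumed to mirror GnuPG's defaults.

```python
# Added example: a simplified model of PGP's web-of-trust validity check.
# Not code from the list thread or from PGP/GnuPG.  0xCA6CDFB2 is the
# security-officer key ID from the pgp output; all other key IDs, the
# class and the scenario functions are constructed for illustration.

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"

# Thresholds assumed to mirror GnuPG's defaults (completes-needed=1,
# marginals-needed=3): one fully trusted certifier, or three marginally
# trusted ones, is enough to make a key valid.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3

SO_KEY = "0xCA6CDFB2"   # FreeBSD security-officer key (from the pgp output)
MY_KEY = "0xAAAA0001"   # constructed: your own key
FRIEND = "0xBBBB0002"   # constructed: someone whose key you have signed


class Keyring:
    """Keys, the owner-trust you assigned to each, and who certified whom."""

    def __init__(self):
        self.owner_trust = {}   # keyid -> how far you trust its owner as a certifier
        self.certifiers = {}    # keyid -> set of keyids whose signatures it carries

    def add_key(self, keyid, owner_trust=UNKNOWN):
        self.owner_trust[keyid] = owner_trust
        self.certifiers.setdefault(keyid, set())

    def sign(self, signer, subject):
        """Record that `signer` certified `subject` (e.g. after a key signing)."""
        self.certifiers.setdefault(subject, set()).add(signer)

    def valid_keys(self):
        """Keys reachable from your ultimately trusted keys through enough
        signatures from keys that are themselves valid *and* trusted."""
        valid = {k for k, t in self.owner_trust.items() if t == ULTIMATE}
        changed = True
        while changed:              # propagate until no new key becomes valid
            changed = False
            for key in self.owner_trust:
                if key in valid:
                    continue
                signers = self.certifiers.get(key, set()) & valid
                completes = sum(self.owner_trust[s] in (ULTIMATE, FULL) for s in signers)
                marginals = sum(self.owner_trust[s] == MARGINAL for s in signers)
                if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                    valid.add(key)
                    changed = True
        return valid

    def check_signature(self, signing_key):
        """Verdict a verifier should give for a signature made by `signing_key`."""
        if signing_key not in self.owner_trust:
            return "public key not found"
        if signing_key in self.valid_keys():
            return "good signature, key has a trust path"
        return "key does not meet validity threshold"


def fresh_keyring():
    """Your key plus the security-officer key as just fetched: no signatures on it."""
    kr = Keyring()
    kr.add_key(MY_KEY, ULTIMATE)   # your own key: trusted completely
    kr.add_key(SO_KEY)             # imported, but nobody you trust has signed it
    return kr


def scenario_unsigned():
    """The situation behind the warning V. Jones saw."""
    return fresh_keyring().check_signature(SO_KEY)


def scenario_signed_yourself():
    """Highest confidence: you checked the fingerprint in person and signed."""
    kr = fresh_keyring()
    kr.sign(MY_KEY, SO_KEY)
    return kr.check_signature(SO_KEY)


def scenario_via_friend(friend_trust):
    """Lower confidence: a key you signed has signed the SO key.  Whether that
    counts depends on the owner-trust you assigned to the friend: a valid key
    is not automatically a trusted certifier."""
    kr = fresh_keyring()
    kr.add_key(FRIEND, friend_trust)
    kr.sign(MY_KEY, FRIEND)         # friend's key is valid because you signed it
    kr.sign(FRIEND, SO_KEY)         # friend vouches for the security-officer key
    return kr.check_signature(SO_KEY)


def scenario_marginals(n):
    """n marginally trusted, valid keys have each signed the SO key."""
    kr = fresh_keyring()
    for i in range(n):
        k = "0xCCCC%04X" % i        # constructed key IDs
        kr.add_key(k, MARGINAL)
        kr.sign(MY_KEY, k)
        kr.sign(k, SO_KEY)
    return kr.check_signature(SO_KEY)


if __name__ == "__main__":
    print("unsigned:       ", scenario_unsigned())
    print("signed yourself:", scenario_signed_yourself())
    print("friend, full:   ", scenario_via_friend(FULL))
    print("friend, unknown:", scenario_via_friend(UNKNOWN))
    print("2 marginals:    ", scenario_marginals(2))
    print("3 marginals:    ", scenario_marginals(3))
```

The `scenario_via_friend(UNKNOWN)` case is the one worth remembering: signing a friend's key makes that key valid, but unless you also assign owner-trust to the friend, their signature on the security-officer key contributes nothing, which is why importing a key and a pile of third-party signatures from a keyserver does not by itself silence the warning.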
From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 06:06:42 2003
Message-Id: <5.2.1.1.2.20030926080527.011d9f48@www.computinginnovations.com>
Date: Fri, 26 Sep 2003 08:06:32 -0500
To: freebsd-security@freebsd.org
From: Derek Ragona
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp [REVISED]

I have two servers, one is:
5.1-RELEASE-p6
the other is:
5.1-RELEASE-p7

cvsup'd them both, neither will complete a buildworld, they both error trying to compile.

Anyone got this to work on RELENG_5_1?

-Derek

At 07:07 AM 9/25/2003 -0700, FreeBSD Security Advisories wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>=============================================================================
>FreeBSD-SA-03:14.arp                                        Security Advisory
>                                                          The FreeBSD Project
>
>Topic:          denial of service due to ARP resource starvation
>
>Category:       core
>Module:         sys
>Announced:      2003-09-25
>Credits:        Apple Product Security
>Affects:        All releases of FreeBSD
>                FreeBSD 4-STABLE prior to the correction date
>Corrected:      2003-09-24 21:48:00 UTC (RELENG_4, 4.9-PRERELEASE)
>                2003-09-25 13:33:01 UTC (RELENG_5_1, 5.1-RELEASE-p8)
>                2003-09-25 13:33:29 UTC (RELENG_5_0, 5.0-RELEASE-p16)
>                2003-09-25 13:34:14 UTC (RELENG_4_8, 4.8-RELEASE-p10)
>                2003-09-25 13:34:31 UTC (RELENG_4_7, 4.7-RELEASE-p20)
>                2003-09-25 13:34:52 UTC (RELENG_4_6, 4.6-RELEASE-p23)
>                2003-09-25 13:35:18 UTC (RELENG_4_5, 4.5-RELEASE-p34)
>                2003-09-25 13:35:33 UTC (RELENG_4_4, 4.4-RELEASE-p44)
>                2003-09-25 13:35:48 UTC (RELENG_4_3, 4.3-RELEASE-p40)
>FreeBSD only:   NO
>
>For general information regarding FreeBSD Security Advisories,
>including descriptions of the fields above, security branches, and the
>following sections, please visit
>.
>
>0. Revision History
>
>v1.0  2003-09-23  Initial release.
>v1.1  2003-09-25  Initial patch was incorrect.
>
>I.
>Background
>
>The Address Resolution Protocol (ARP) is fundamental to the operation
>of IP with a variety of network technologies, such as Ethernet and
>WLAN. It is used to map IP addresses to MAC addresses, which enables
>hosts on a local network segment to communicate with each other
>directly. These mappings are stored in the system's ARP cache.
>
>FreeBSD's ARP cache is implemented within the kernel routing table as
>a set of routes for the address family in use that have the LLINFO
>flag set. This is most commonly often AF_INET (for IPv4). Normally,
>when a FreeBSD system receives an ARP request for a network address
>configured on one of its interfaces from a system on a local network,
>it adds a reciprocal ARP entry to the cache for the system from where
>the request originated. Expiry timers are used to purge unused
>entries from the ARP cache. A reference count is maintained for each
>ARP entry. If the reciprocal ARP entry is not in use by an upper
>layer protocol, the reference count will be zero.
>
>II. Problem Description
>
>Under certain circumstances, it is possible for an attacker to flood a
>FreeBSD system with spoofed ARP requests, causing resource starvation
>which eventually results in a system panic. (The critical condition
>is that a route exists for the apparent source of the ARP request.
>This is always the case if the system has a default route configured
>for that protocol family.)
>
>If a large number of ARP requests with different network protocol
>addresses are sent in a small space of time, resource starvation can
>result, as the arplookup() function does not delete unnecessary ARP
>entries cached as the result of responding to an ARP request.
>
>NOTE WELL: Other BSD-derived systems may also be affected, as the
>affected code dates well back to the CSRG branches.
>
>III. Impact
>
>An attacker on the local network may be able to cause the system to
>hang or crash. The attacker must have physical access to the shared
>network medium.
>In the case of a wireless network obtaining this
>access may be trivial. Networks where proxy ARP is used to direct
>traffic between LANs may be particularly vulnerable to the attack,
>as the spoofed ARP requests could be bounced through to the target
>via routers implementing proxy ARP.
>
>Because the attack operates at Layer 2, the use of strong encryption
>technologies such as IPsec cannot protect a system against the attack.
>
>IV. Workaround
>
>There is no known workaround at this time.
>
>V. Solution
>
>Do one of the following:
>
>1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_1,
>RELENG_5_0, RELENG_4_8, or RELENG_4_7 security branch dated after the
>correction date.
>
>2) To patch your present system:
>
>The following patch has been verified to apply to FreeBSD 5-CURRENT,
>4.9-PRERELEASE, and 4.8 systems.
>
>a) Download the relevant patch from the location below, and verify the
>detached PGP signature using your PGP utility.
>
>ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:14/arp.patch
>ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:14/arp.patch.asc
>
>b) Execute the following commands as root:
>
># cd /usr/src
># patch < /path/to/patch
>
>c) Rebuild your kernel as described in
>
>and reboot the system.
>
>VI. Correction details
>
>The following list contains the revision numbers of each file that was
>corrected in FreeBSD.
>
>Branch                                                           Revision
>  Path
>- -------------------------------------------------------------------------
>RELENG_4
>  src/sys/netinet/if_ether.c                                     1.64.2.26
>RELENG_5_1
>  src/UPDATING                                                  1.251.2.10
>  src/sys/conf/newvers.sh                                        1.50.2.10
>  src/sys/netinet/if_ether.c                                     1.104.2.2
>RELENG_5_0
>  src/UPDATING                                                  1.229.2.22
>  src/sys/conf/newvers.sh                                        1.48.2.17
>  src/sys/netinet/if_ether.c                                      1.96.2.2
>RELENG_4_8
>  src/UPDATING                                              1.73.2.80.2.12
>  src/sys/conf/newvers.sh                                   1.44.2.29.2.11
>  src/sys/netinet/if_ether.c                                 1.64.2.22.2.2
>RELENG_4_7
>  src/UPDATING                                              1.73.2.74.2.23
>  src/sys/conf/newvers.sh                                   1.44.2.26.2.22
>  src/sys/netinet/if_ether.c                                 1.64.2.19.2.2
>RELENG_4_6
>  src/UPDATING                                              1.73.2.68.2.52
>  src/sys/conf/newvers.sh                                   1.44.2.23.2.40
>  src/sys/netinet/if_ether.c                                 1.64.2.18.2.2
>RELENG_4_5
>  src/UPDATING                                              1.73.2.50.2.51
>  src/sys/conf/newvers.sh                                   1.44.2.20.2.35
>  src/sys/netinet/if_ether.c                                 1.64.2.15.2.2
>RELENG_4_4
>  src/UPDATING                                              1.73.2.43.2.52
>  src/sys/conf/newvers.sh                                   1.44.2.17.2.43
>  src/sys/netinet/if_ether.c                                 1.64.2.11.2.2
>RELENG_4_3
>  src/UPDATING                                              1.73.2.28.2.39
>  src/sys/conf/newvers.sh                                   1.44.2.14.2.29
>  src/sys/netinet/if_ether.c                                 1.64.2.10.2.2
>- -------------------------------------------------------------------------
>
>VII.
>References
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.3 (FreeBSD)
>
>iD8DBQE/cvNNFdaIBMps37IRAlIsAJ9Kj0u+ZUEOUcpqjl6hISvrALwGQgCfaG5m
>jpFBTK86xjFNz4t43ZQtcOU=
>=cfvr
>-----END PGP SIGNATURE-----
>_______________________________________________
>freebsd-security-notifications@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
>To unsubscribe, send any mail to
>"freebsd-security-notifications-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 06:26:16 2003
Date: Fri, 26 Sep 2003 14:26:12 +0100
From: Bruce M Simpson
To: Derek Ragona
cc: freebsd-security@freebsd.org
Message-ID: <20030926132612.GD662@saboteur.dek.spc.org>
In-Reply-To: <5.2.1.1.2.20030926080527.011d9f48@www.computinginnovations.com>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:14.arp [REVISED]

Hi,

On Fri, Sep 26, 2003 at 08:06:32AM -0500, Derek Ragona wrote:
> cvsup'd them both, neither will complete a buildworld, they both error
> trying to compile.
> Anyone got this to work on RELENG_5_1?

Please post full details of the problem you encountered. Responses to the effect of 'it doesn't work' are of no use to anybody.

BMS

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 06:34:55 2003
Date: Fri, 26 Sep 2003 15:34:54 +0200
From: Michal Kapalka
To: freebsd-security@freebsd.org
Message-ID: <1672625889.20030926153454@mfn.sk>
Subject: FreeBSD 5.1-p7

DR> I have two servers one is:
DR> 5.1-RELEASE-p6
DR> the other is:
DR> 5.1-RELEASE-p7
DR> cvsup'd them both, neither will complete a buildworld, they both error
DR> trying to compile.
DR> Anyone got this to work on RELENG_5_1?
DR> -Derek

hi

On my test machine 5.1-RELEASE-p7 works:

FreeBSD-5_1# uname -a
FreeBSD FreeBSD-5_1.mfn.sk 5.1-RELEASE-p7 FreeBSD 5.1-RELEASE-p7 #0: Fri Sep 26 16:12:25 CEST 2003     root@FreeBSD-5_1.mfn.sk:/usr/obj/usr/src/sys/test  i386

---
work:
Michal Kapalka
Referent IT
Martinska fakultna Nemocnica
Kollarova 2
036 59
tel.: 043 / 4 203 166
http://www.mfn.sk
michal.kapalka@mfn.sk, admin@mfn.sk
ICQ : 345363722
IRC : fofo or fofo_

private:
http://michal.kapalka.sk
fofo@hysteria.sk, fofo@zilina.net

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 07:37:29 2003
Date: Fri, 26 Sep 2003 16:39:35 +0200
From: Pawel Jakub Dawidek
To: Robert Watson
cc: freebsd-security@freebsd.org
cc: "V. Jones"
Message-ID: <20030926143935.GZ3179@garage.freebsd.pl>
Subject: Re: FreeBSD Patch question

On Thu, Sep 25, 2003 at 04:13:30PM -0400, Robert Watson wrote:
+> > I administer a remote server and want to apply some of the security
+> > patches. (I assume this is the best way to go since I can't go into
+> > single-user mode to use CVsup).
+>
+> I generally follow the following practice:
+>
+> cvsup in multiuser
+> buildworld in multiuser
+> buildkernel in multiuser

IMHO installkernel in multiuser is safe too, as long as you don't need to load any kernel modules after this step.

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!
http://cerber.sourceforge.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBP3RPpz/PhmMH/Mf1AQHIcwP+LwfPEjGjKhR/AxM3tD1IVM8/++9B0fRS
EFgE4wdkI/MRkExAYaV/S+i4ctXvlhm+bIQdT17oOKvb3fy8soScwXJvV0bKFDws
WA2Q2UFoMKglMyV/xQzf8FOkmRdtlwZC+RljUDbkuXBUGH9uN1YYao/gjbXTAO8j
viTPmD6/Yy0=
=qOvc
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 08:36:11 2003
Message-Id: <6.0.0.22.0.20030926113652.07ffbe88@209.112.4.2>
Date: Fri, 26 Sep 2003 11:38:54 -0400
To: security@freebsd.org
From: Mike Tancsa
In-Reply-To: <20030924153204.GE57702@madman.celabo.org>
Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code

Hi,
Are there plans for an updated advisory? In the meantime, I take it the same build instructions apply?

---Mike

At 11:32 AM 24/09/2003, Jacques A. Vidrine wrote:
>On Wed, Sep 24, 2003 at 09:27:17AM -0500, D J Hawkey Jr wrote:
> > On Sep 24, at 09:20 AM, Jacques A. Vidrine wrote:
> > >
> > > On Wed, Sep 24, 2003 at 11:16:03AM +0200, Sheldon Hearn wrote:
> > > > On (2003/09/23 16:53), Haesu wrote:
> > > >
> > > > > Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD
> > > > > 4.8/4.9 are not effected :)
> > > >
> > > > Since -CURRENT's using a modified OpenSSH_3.6.1p1, I don't think this
> > > > issue affects FreeBSD at all.
> > >
> > > Unfortunately, it _does_ affect us. The PAM code in OpenSSH 3.7x was
> > > taken from FreeBSD's PAM code. des@ is working the issue now.
> >
> > But just "portable", right?
>
>No, not just OpenSSH-portable.
>
> > Or are any "core" OpenSSHes across various
> > FreeBSD releases also vulnerable?
>
>I'm only talking about the base system OpenSSH above (which is based
>on OpenSSH-portable), but both `openssh' and `openssh-portable' in the
>Ports Collection are likely affected, as they contain the same code
>(brought in by the port maintainer).
>
>Cheers,
>--
>Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
>nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 08:39:48 2003
Date: Fri, 26 Sep 2003 10:39:44 -0500
From: "Jacques A. Vidrine"
To: Mike Tancsa
cc: security@freebsd.org
Message-ID: <20030926153944.GA42409@madman.celabo.org>
In-Reply-To: <6.0.0.22.0.20030926113652.07ffbe88@209.112.4.2>
Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code

On Fri, Sep 26, 2003 at 11:38:54AM -0400, Mike Tancsa wrote:
> Hi,
> Are there plans for an updated advisory ?

There will be a separate advisory, sorry for the delay.

> In the mean time, I take
> it the same build instructions apply ?

Yep!

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 08:44:57 2003
Message-Id: <5.0.2.1.1.20030926084025.02c962c8@popserver.sfu.ca>
Date: Fri, 26 Sep 2003 08:44:44 -0700
To: Mike Tancsa, security@freebsd.org
From: Colin Percival In-Reply-To: <6.0.0.22.0.20030926113652.07ffbe88@209.112.4.2> References: <20030924153204.GE57702@madman.celabo.org> <3F705D4D.4070404@tenebras.com> <20030923205318.GB3346@scylla.towardex.com> <20030924091603.GC22622@starjuice.net> <20030924142015.GC57288@madman.celabo.org> <20030924142717.GA9026@sheol.localdomain> <20030924153204.GE57702@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Sep 2003 15:44:57 -0000 At 11:38 26/09/2003 -0400, Mike Tancsa wrote: >Are there plans for an updated advisory ? Judging by UPDATING, this is going to be addressed in a new advisory (FreeBSD-SA-03:15.openssh). >In the mean time, I take it the same build instructions apply ? Almost. des bumped the version numbers in the config files, so you might want to mergemaster. (Or not; it seems rather pointless to me.) 
Colin Percival From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 09:01:56 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 88A0716A4B3 for ; Fri, 26 Sep 2003 09:01:56 -0700 (PDT) Received: from avscan2.sentex.ca (avscan2.sentex.ca [199.212.134.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 55E3343FF5 for ; Fri, 26 Sep 2003 09:01:55 -0700 (PDT) (envelope-from mike@sentex.net) Received: from localhost (localhost [127.0.0.1]) by avscan2.sentex.ca (Postfix) with ESMTP id DFBE959C8E; Fri, 26 Sep 2003 12:01:54 -0400 (EDT) Received: from avscan2.sentex.ca ([127.0.0.1]) by localhost (avscan2.sentex.ca [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 28235-14; Fri, 26 Sep 2003 12:01:54 -0400 (EDT) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by avscan2.sentex.ca (Postfix) with ESMTP id C7DD859C87; Fri, 26 Sep 2003 12:01:54 -0400 (EDT) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.9p1/8.12.9) with ESMTP id h8QG1rdK063063; Fri, 26 Sep 2003 12:01:53 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.0.22.0.20030926120335.060a90f8@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Fri, 26 Sep 2003 12:04:30 -0400 To: Colin Percival , security@freebsd.org 
From: Mike Tancsa In-Reply-To: <5.0.2.1.1.20030926084025.02c962c8@popserver.sfu.ca> References: <20030924153204.GE57702@madman.celabo.org> <3F705D4D.4070404@tenebras.com> <20030923205318.GB3346@scylla.towardex.com> <20030924091603.GC22622@starjuice.net> <20030924142015.GC57288@madman.celabo.org> <20030924142717.GA9026@sheol.localdomain> <20030924153204.GE57702@madman.celabo.org> <5.0.2.1.1.20030926084025.02c962c8@popserver.sfu.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by Sentex Communications (avscan2/20030616p5) Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Sep 2003 16:01:56 -0000 At 11:44 AM 26/09/2003, Colin Percival wrote: >At 11:38 26/09/2003 -0400, Mike Tancsa wrote: >>In the mean time, I take it the same build instructions apply ? > > Almost. des bumped the version numbers in the config files, so you > might want to mergemaster. (Or not; it seems rather pointless to me.) Thanks, I figured that since the only diff was an added comment in sshd_config I would not bother to do so. ---Mike From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 12:41:19 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 15A8916A4B3 for ; Fri, 26 Sep 2003 12:41:19 -0700 (PDT) Received: from admin.samurai.com (admin.samurai.com [205.207.28.80]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9AAC543FBF for ; Fri, 26 Sep 2003 12:41:18 -0700 (PDT) (envelope-from bjf@admin.samurai.com) Received: by admin.samurai.com (Postfix, from userid 1000) id 24E013E3C; Fri, 26 Sep 2003 15:41:18 -0400 (EDT) Date: Fri, 26 Sep 2003 15:41:18 -0400 
From: Bryan Fullerton
To: security@freebsd.org
Message-ID: <20030926194117.GF36931@bryanfullerton.com>
Subject: PAM problem after openssh-portable 3.6.1p2_5 update?

Anyone else seeing this? Seems OK on 5.1-p2, but I'm getting the below errors on 4.8-p3.

Sep 26 15:31:10 admin sshd[29166]: pam_set_item: NULL pam handle passed
Sep 26 15:31:10 admin /kernel: pid 29166 (sshd), uid 0: exited on signal 11

I sent a PR, but as I can no longer ssh into the box (unless I switch back to the OS-supplied sshd) I'd like to get it fixed ASAP. :)

Thanks,
Bryan

From owner-freebsd-security@FreeBSD.ORG Fri Sep 26 13:31:42 2003
From: Bill Vermillion
To: freebsd-security@freebsd.org
Reply-To: bv@wjv.com
Date: Fri, 26 Sep 2003 16:31:37 -0400
Message-ID: <20030926203137.GA87408@wjv.com>
In-Reply-To: <20030926190215.3525416A4C3@hub.freebsd.org>
Organization: W.J.Vermillion / Orlando - Winter Park
Subject: Re: FreeBSD patch question

In the last exciting episode of the freebsd-security-request@freebsd.org saga on Fri, Sep 26, 2003 at 12:02, freebsd-security-request@freebsd.org was heard to say:

> ------------------------------
> Message: 3
> Date: Thu, 25 Sep 2003 21:52:32 +0200
> From: "Devon H. O'Dell"
> Subject: Re: FreeBSD Patch question

[Much deleted - wjv]

> The handbook recommends that one drop into single user mode to
> build the world. While this is certainly best practice, it is
> by no means absolutely necessary.

Can you point this out - I've just looked at the handbook and I do NOT find anything like that in there. I see installworld in single, but not buildworld.

This is from the handbook - note that it >recommends< installworld in single - though on my remote machines I've not had that luxury.

========================================
Beginning with version 2.2.5 of FreeBSD (actually, it was first created on the FreeBSD-CURRENT branch, and then retrofitted to FreeBSD-STABLE midway between 2.2.2 and 2.2.5) the world target has been split in two: buildworld and installworld.

As the names imply, buildworld builds a complete new tree under /usr/obj, and installworld installs this tree on the current machine.

This is very useful for 2 reasons. First, it allows you to do the build safe in the knowledge that no components of your running system will be affected. The build is "self hosted". Because of this, you can safely run buildworld on a machine running in multi-user mode with no fear of ill-effects. It is still recommended that you run the installworld part in single user mode, though.

Secondly, it allows you to use NFS mounts to upgrade multiple machines on your network. If you have three machines, A, B and C that you want to upgrade, run make buildworld and make installworld on A. B and C should then NFS mount /usr/src and /usr/obj from A, and you can then run make installworld to install the results of the build on B and C.

Although the world target still exists, you are strongly encouraged not to use it.
========================================

> End of freebsd-security Digest, Vol 27, Issue 4

Bill
--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security@FreeBSD.ORG Sat Sep 27 12:40:38 2003
From: "V. Jones"
To: freebsd-security@freebsd.org
Date: Sat, 27 Sep 2003 15:40:35 -0400 (GMT-04:00)
Message-ID: <11778415.1064691636010.JavaMail.root@skeeter.psp.pas.earthlink.net>
Subject: Re: FreeBSD Patch question

Thanks to everyone who responded - my question really had more to do with applying patches as they are presented in the various security advisories. It sounds like most of you don't do it that way; it sounds like you track freebsd-stable using cvsup. However, section 21.2.2.2 of the handbook seems to advise against doing this when all you want to do is apply security fixes:

"While it is true that security fixes also go into the FreeBSD-STABLE branch, you do not need to track FreeBSD-STABLE to do this. Every security advisory for FreeBSD explains how to fix the problem for the releases it affects [1], and tracking an entire development branch just for security reasons is likely to bring in a lot of unwanted changes as well."

My intention is to apply the patches as instructed in the advisories. I'll resolve my issues with pgp so that I can validate the files first, then apply them one at a time.

From owner-freebsd-security@FreeBSD.ORG Sat Sep 27 14:18:43 2003
From: "Devon H. O'Dell"
To: "V. Jones"
cc: freebsd-security@freebsd.org
Date: Sat, 27 Sep 2003 22:54:26 +0200
Message-ID: <3F75F902.9040102@sitetronics.com>
In-Reply-To: <11778415.1064691636010.JavaMail.root@skeeter.psp.pas.earthlink.net>
Subject: Re: FreeBSD Patch question

V. Jones wrote:
> Thanks to everyone who responded - my question really had more to do with applying patches as they are presented in the various security advisories. It sounds like most of you don't do it that way; it sounds like you track freebsd-stable using cvsup. However, section 21.2.2.2 of the handbook seems to advise against doing this when all you want to do is apply security fixes:
>
> "While it is true that security fixes also go into the FreeBSD-STABLE branch, you do not need to track FreeBSD-STABLE to do this. Every security advisory for FreeBSD explains how to fix the problem for the releases it affects [1], and tracking an entire development branch just for security reasons is likely to bring in a lot of unwanted changes as well."
>
> My intention is to apply the patches as instructed in the advisories. I'll resolve my issues with pgp so that I can validate the files first, then apply them one at a time.

I do not track FreeBSD-STABLE (on my production boxes) and don't really advise people running production servers to run the -STABLE branch. FreeBSD-STABLE is another development branch; the stabilization branch, as it were.

The handbook advises against it because it's a development branch and isn't meant for production servers. The most stable FreeBSD you can get is a -RELEASE snapshot. All security advisories are tracked for the -RELEASE snapshot. If you're tracking 4.8-RELEASE, you'd simply have RELENG_4_8 in your supfile. This is, as far as I've been able to tell in my past 5 years of experience with FreeBSD, the recommended way of doing things.

Then again, I don't blame you for wanting to validate every patch :)

--Devon

From owner-freebsd-security@FreeBSD.ORG Sat Sep 27 15:50:01 2003
From: Bruce M Simpson
To: "V. Jones"
cc: freebsd-security@freebsd.org
Date: Sat, 27 Sep 2003 23:49:49 +0100
Message-ID: <20030927224949.GB11185@saboteur.dek.spc.org>
In-Reply-To: <11778415.1064691636010.JavaMail.root@skeeter.psp.pas.earthlink.net>
Subject: Re: FreeBSD Patch question

On Sat, Sep 27, 2003 at 03:40:35PM -0400, V. Jones wrote:
> Thanks to everyone who responded - my question really had more to do with applying patches as they are presented in the various security advisories. It sounds like most of you don't do it that way; it sounds like you track freebsd-stable using cvsup. However, section 21.2.2.2 of the handbook seems to advise against doing this when all you want to do is apply security fixes:
>
> "While it is true that security fixes also go into the FreeBSD-STABLE branch, you do not need to track FreeBSD-STABLE to do this. Every security advisory for FreeBSD explains how to fix the problem for the releases it affects [1], and tracking an entire development branch just for security reasons is likely to bring in a lot of unwanted changes as well."

You can track a RELEASE branch instead; this is one reason for their existence. Only security-officer@ has the power to mandate that a patch be committed to a release branch after it has been released. This is what I do for my production machines.

BMS
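Bryan Fullerton's two syslog lines earlier in this thread (sshd complaining about a NULL PAM handle, then the kernel reporting the same pid dying on signal 11) are the kind of pair a log monitor should catch after an sshd upgrade. The following is an added example, not code from the thread or from FreeBSD: it correlates the two events by pid over a constructed log sample modelled on those lines; the regexes, sample lines and function names are my own.

```python
"""Correlate sshd PAM errors with sshd crashes in BSD syslog output."""
import re

# Constructed sample syslog, modelled on the two lines quoted in the thread;
# the extra lines (other pids, an unrelated httpd crash) are made up for contrast.
SAMPLE_LOG = """\
Sep 26 15:31:10 admin sshd[29166]: pam_set_item: NULL pam handle passed
Sep 26 15:31:10 admin /kernel: pid 29166 (sshd), uid 0: exited on signal 11
Sep 26 15:32:41 admin sshd[29201]: Accepted publickey for bryan from 192.0.2.10 port 40212 ssh2
Sep 26 15:33:05 admin /kernel: pid 29250 (httpd), uid 80: exited on signal 11
Sep 26 15:34:12 admin sshd[29310]: pam_set_item: NULL pam handle passed
Sep 26 15:35:47 admin /kernel: pid 29400 (sshd), uid 0: exited on signal 6
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
# sshd itself logging a complaint from the PAM library (message starts with pam_*).
PAM_RE = re.compile(TS + r" (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>pam_\w+: .*)$")
# The kernel reporting a process that exited on a signal.
CRASH_RE = re.compile(
    TS + r" (?P<host>\S+) /kernel: pid (?P<pid>\d+) \((?P<proc>[^)]+)\),"
    r" uid (?P<uid>\d+): exited on signal (?P<sig>\d+)$"
)


def correlate(lines):
    """Return one finding per sshd process the kernel reports as killed by a
    signal, annotated with the last PAM error that same pid logged (or None)."""
    last_pam_error = {}  # pid -> (timestamp, message)
    findings = []
    for line in lines:
        m = PAM_RE.match(line)
        if m:
            last_pam_error[m["pid"]] = (m["ts"], m["msg"])
            continue
        m = CRASH_RE.match(line)
        if m and m["proc"] == "sshd":
            pam = last_pam_error.pop(m["pid"], None)
            findings.append({
                "ts": m["ts"],
                "host": m["host"],
                "pid": int(m["pid"]),
                "uid": int(m["uid"]),
                "signal": int(m["sig"]),
                "pam_error": pam[1] if pam else None,
            })
    return findings


def pam_related(findings):
    """Keep only crashes preceded by a PAM error from the same pid: the pattern
    in the thread (SIGSEGV right after 'NULL pam handle passed')."""
    return [f for f in findings if f["pam_error"] is not None]


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        flag = "PAM-related" if f["pam_error"] else "no PAM error seen"
        print(f"{f['ts']} {f['host']} sshd[{f['pid']}] died on signal {f['signal']} ({flag})")
```

Running it against the sample reports the pid 29166 crash as PAM-related and the pid 29400 crash as unexplained; the httpd crash and the PAM error from a pid that never died are left out.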