From owner-freebsd-security@freebsd.org Wed Sep 14 19:21:59 2016
Date: Wed, 14 Sep 2016 15:21:46 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: freebsd-security@freebsd.org
Cc: freebsd-current@freebsd.org
Subject: Heimdal in base (was Re: OpenSSH HPN)
In-Reply-To: <86egfu9z0j.fsf@desk.des.no>

[See https://lists.freebsd.org/pipermail/freebsd-security/2015-November/008747.html
for the bits that Dag-Erling skipped]

On Fri, 13 Nov 2015, Dag-Erling Smørgrav wrote:

> Benjamin Kaduk writes:
> > Things seem to have slowed down a lot since the lead Heimdal developer
> > got hired for Apple. [...] MIT employs developers whose job
> > descriptions include being the krb5 release manager [...] Heimdal has
> > changed plans to a 1.7 release [...] and since the developers in
> > question are being paid to work on other things, there is no real
> > timeline for the release.
>
> Given this state of affairs, it might not be unreasonable to consider
> switching back for 11. There should be enough time, provided our
> Kerberos maintainers have some spare cycles.

Well, it's definitely too late for 11, now. But, Debian is preparing to
remove their heimdal package entirely, imminently:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728

I also can't find an archive of heimdal-discuss@sics.se that still works
(now that gmane is gone), so I'll quote the relevant message from there,
below.

Maybe we should consider dropping heimdal for 12.

-Ben

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Date: Wed, 14 Sep 2016 14:58:27 -0400
From: Andrew Bartlett
To: heimdal-discuss@sics.se
Subject: Heimdal to be removed from Debian shortly

FYI:

I'm sorry to say that per:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834654
and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728

Heimdal will shortly be removed from Debian.

It is the view of those of us involved that inclusion of sensitive
security software in the next stable release of Debian needs the normal
pattern of maintained upstream releases, not just a git tree to take
snapshots from.

It is also being eased out of Samba, we will make further decisions once
we get a build against MIT krb5 working.
Sorry,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

From owner-freebsd-security@freebsd.org Wed Sep 14 19:49:14 2016
Date: Wed, 14 Sep 2016 15:46:01 -0400
From: "Garance A Drosehn" <drosih@rpi.edu>
To: "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd leaks info which might be useful to an attacker
Message-ID: <3B1B7AA4-5342-4682-ADB6-16C40F3A97E1@rpi.edu>
In-Reply-To: <68595.1473800829@segfault.tristatelogic.com>

On 13 Sep 2016, at 17:07, Ronald F. Guilmette wrote:

> One set of such decisions has to do with the following files:
>
> ~ftp/etc/group
> ~ftp/etc/pwd.db
>
> Thinking about how the contents of these files affects the behavior of
> the ftp DIR command caused me to realize that I actually would prefer
> it if there were some option available for ftpd which would cause
> it to display only something like ---- where it currently attempts to
> print either a user ID name or number or a group ID name or number.

Those files are completely under the control of the sysadmin (aka "you"),
so you can put whatever you want in those files. In my case, I think I
wrote a script which generates those two files from the real system files,
but it changes the userid and group names.

In my case I went with fake userids which were the first-and-last letters
of the real userid, followed by the UID. That way there's some helpful
information there for the people who *do* have access to the passwd info
for that machine, but there isn't much info for others.

--
Garance Alistair Drosehn                =   drosih@rpi.edu
Senior Systems Programmer               or  gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
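Garance's generator script is not in the thread. The following is an added example (not Garance's script and not FreeBSD's own code) of one way to build the two files the way he describes: it assumes FreeBSD's master.passwd(5) ten-field layout and group(5) four-field layout, uses the naming scheme he gives (first letter + last letter of the real name, then the numeric ID), blanks the password hash, GECOS, home and shell fields, and drops group member lists, since each of those would leak real login names into the anonymous-ftp chroot. The install function, its use of pwd_mkdb(8) -d to build pwd.db inside the ftp root, and the ftproot path are assumptions for the example; the sample input in the comments is constructed.

```shell
#!/bin/sh
# Added example: regenerate ~ftp/etc/pwd.db and ~ftp/etc/group from the live
# system files with fake names, so ftpd's directory listings show e.g.
# "dh1001" instead of the real login "drosih". Numeric UIDs/GIDs are kept so
# the fake name still maps to the file owner the chroot'ed ftpd looks up.
# Assumes FreeBSD master.passwd(5) (10 fields) and group(5) (4 fields).

# Read master.passwd(5) lines on stdin, write sanitized lines on stdout.
# Fake name = first letter + last letter of the login + UID; hash -> "*",
# class/change/expire/GECOS emptied or zeroed, home and shell neutralised.
# Constructed input:  drosih:$6$hash:1001:1001::0:0:Garance:/home/drosih:/bin/sh
# Output:             dh1001:*:1001:1001::0:0::/nonexistent:/usr/sbin/nologin
sanitize_passwd() {
    awk -F: -v OFS=: '
        NF >= 4 && $1 !~ /^#/ {
            name = $1
            fake = substr(name, 1, 1) substr(name, length(name), 1) $3
            print fake, "*", $3, $4, "", "0", "0", "", "/nonexistent", "/usr/sbin/nologin"
        }'
}

# Same for group(5): name:passwd:gid:members. The member list is dropped
# entirely, because it is a list of real login names.
# Constructed input:  wheel:*:0:root,drosih   ->   wl0:*:0:
sanitize_group() {
    awk -F: -v OFS=: '
        NF >= 3 && $1 !~ /^#/ {
            name = $1
            fake = substr(name, 1, 1) substr(name, length(name), 1) $3
            print fake, "*", $3, ""
        }'
}

# Assumed install step: run as root on the FreeBSD host after account
# changes (or from cron). $1 is the anonymous-ftp home (~ftp).
# pwd_mkdb(8) -d builds pwd.db/spwd.db in that directory and renames the
# input file to master.passwd there, so the temp file lives in the same
# directory to keep the rename on one filesystem.
install_ftp_etc() {
    ftproot=$1
    [ -d "$ftproot/etc" ] || return 1
    tmp="$ftproot/etc/master.passwd.tmp"
    sanitize_passwd < /etc/master.passwd > "$tmp" || { rm -f "$tmp"; return 1; }
    pwd_mkdb -d "$ftproot/etc" "$tmp" || { rm -f "$tmp"; return 1; }
    # Only pwd.db is consulted for name lookups inside the chroot; the
    # hashes are all "*" anyway, but there is no reason to leave the rest.
    rm -f "$ftproot/etc/spwd.db" "$ftproot/etc/master.passwd"
    sanitize_group < /etc/group > "$ftproot/etc/group.tmp" || return 1
    mv "$ftproot/etc/group.tmp" "$ftproot/etc/group"
    chmod 444 "$ftproot/etc/pwd.db" "$ftproot/etc/group"
}
```

Invoke it as `install_ftp_etc /var/ftp` (or whatever the ftp account's home directory is; the path is an assumption here). Note that the real login lookups for non-anonymous users happen before ftpd chroots, so these files only ever feed the owner/group columns of LIST output; that is exactly the channel the original post is worried about, and it is the sysadmin's to fill.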