Re: Crypto File System-Problems Creating One
On 6/9/05, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > losetup -e aes-256 /dev/loop0 /dev/hda10
>
> What do you have defined in modules?
>
> alias cipher-16 rijndael
>
> You also need the cryptoloop module in order to name ciphers by name. Try -E
> 16 instead.

You need to do something like this:

sudo cryptsetup -c aes -y create SomeUniqueName /dev/hda10
sudo mount /dev/mapper/SomeUniqueName /mountpoint

--
Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178    |   ,''`.  |
Unix / Linux Open-Source and Internet Consultant @ Snow.nl |  : :' :  |
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl                |  `. `'   |
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet |    `-    |
Re: ptrace vulnerability?
gt;task_dumpable = 0; + task_unlock(task); + + ret = arch_kernel_thread(fn, arg, flags); + + /* never reached in child process, only in parent */ + current->task_dumpable = old_task_dumpable; + + return ret; +} + /* * Ok, this is the main fork-routine. It copies the system process * information (task[nr]) and sets up the necessary registers. It also diff -purN linux.orig/kernel/ptrace.c linux/kernel/ptrace.c --- linux.orig/kernel/ptrace.c Thu Mar 13 12:01:46 2003 +++ linux/kernel/ptrace.c Thu Mar 13 13:47:16 2003 @@ -21,6 +21,10 @@ */ int ptrace_check_attach(struct task_struct *child, int kill) { + mb(); + if (!is_dumpable(child)) + return -EPERM; + if (!(child->ptrace & PT_PTRACED)) return -ESRCH; @@ -57,7 +61,7 @@ int ptrace_attach(struct task_struct *ta (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE)) goto bad; rmb(); - if (!task->mm->dumpable && !capable(CAP_SYS_PTRACE)) + if (!is_dumpable(task) && !capable(CAP_SYS_PTRACE)) goto bad; /* the same process cannot be attached many times */ if (task->ptrace & PT_PTRACED) @@ -123,6 +127,8 @@ int access_process_vm(struct task_struct /* Worry about races with exit() */ task_lock(tsk); mm = tsk->mm; + if (!is_dumpable(tsk) || (&init_mm == mm)) + mm = NULL; if (mm) atomic_inc(&mm->mm_users); task_unlock(tsk); diff -purN linux.orig/kernel/sys.c linux/kernel/sys.c --- linux.orig/kernel/sys.c Thu Mar 13 12:01:57 2003 +++ linux/kernel/sys.c Thu Mar 13 13:41:25 2003 @@ -1286,7 +1286,7 @@ asmlinkage long sys_prctl(int option, un error = put_user(current->pdeath_signal, (int *)arg2); break; case PR_GET_DUMPABLE: - if (current->mm->dumpable) + if (is_dumpable(current)) error = 1; break; case PR_SET_DUMPABLE: 
@@ -1294,7 +1294,8 @@ asmlinkage long sys_prctl(int option, un error = -EINVAL; break; } - current->mm->dumpable = arg2; + if (is_dumpable(current)) + current->mm->dumpable = arg2; break; case PR_SET_UNALIGN: #ifdef SET_UNALIGN_CTL -- Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178 Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
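Review bot: in the ptrace_check_attach hunk, `if (!is_dumpable(child)) return -EPERM;` carries no CAP_SYS_PTRACE exemption, whereas the ptrace_attach hunk in the same file keeps `if (!is_dumpable(task) && !capable(CAP_SYS_PTRACE))`; a tracer that was allowed to attach under the second rule can then be refused by the first on every later request, so either mirror the capability check here or add a comment stating that non-dumpable tasks are meant to be untraceable even with the capability. The bare `mb();` above that test also needs a one-line comment naming the store it orders against (the task_dumpable writes in the kernel_thread hunk), or the next cleanup pass will drop it.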
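Review bot: in the PR_SET_DUMPABLE hunk, `if (is_dumpable(current)) current->mm->dumpable = arg2;` turns a refused request into a silent no-op: the non-dumpable branch leaves error untouched and falls through to `break;`, so the caller is told the flag was set when nothing changed. Return -EPERM in that branch, or document at the prctl call site that dumpable can no longer be changed once is_dumpable() is false.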
Re: security.debian.org down?
On Mon, 2003-03-10 at 21:41, Jeremy Drake wrote:
> I can ping security.debian.org, but cannot use http or ftp. It just
> hangs. non-us.debian.org is the same box, and having the same troubles.
> Is this just me?

Yeah... I've noticed this too... hopefully someone can check into it :)

I use it as one of my main debian mirrors, since it's only 5 hops away from me :)

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: question about SSH / IPTABLES
On Thu, 2003-01-23 at 12:24, Iñaki Martínez wrote:
> I have a server in internet and I want several clients to access to it via
> SSH but I DON'T want them to be able to use SSH from that server.
> So a client can access the server via SSH, but s/he CAN NOT ssh to other
> servers from my server...

I'm sure it's possible to (try and) do this using some ip-tables magic or by
just removing the ssh binary from the system. This will however not prevent
them from doing this, since they can place their own ssh client on the system
and connect to other systems over ports you do not expect (like sshd's running
on port 80, 443 or random port numbers)

Why do you want to disallow people to ssh out of your system, while allowing
them to ssh into it ???

You can never block anyone who _wants_ to do something

--
Mark Janssen <[EMAIL PROTECTED]>
Saiko Internet Technologies
Re: ssh "banner"
On Fri, 2002-10-18 at 14:58, [EMAIL PROTECTED] wrote:
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
>
> How can I disable the message ?

You can limit it somewhat (by editing source), but the protocol needs the
version string, so you can't change it without breaking compatibility.

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: Automatic Debian security updates, an Implementation
On Fri, 2002-10-18 at 14:24, R. Bradley Tilley wrote:
> I don't understand the need for this.
>
> Can someone explain why 'apt-get update && apt-get dist-upgrade' is not
> sufficient to keep a debian system secure and updated?

It'll get to you when you have 200+ debian systems spread across the internet
in different cities, timezones and administrative domains :)

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: Business Proposal (Urgent)
On Tue, 2002-09-24 at 09:07, Brad Corsello wrote:
>
> I propose that we accept Dr. Adams's proposal and use the windfall to fund
> Debian development. Who wants to put up the money for his "fees?"
>
> >From: "Dr. Kola Adams" <[EMAIL PROTECTED]>
> >Reply-To: "Dr. Kola Adams" <[EMAIL PROTECTED]>
> >To:
> >Subject: Business Proposal (Urgent)
> >Date: Tue, 24 Sep 2002 05:55:21 -0700

I suggest you first read:

http://home.rica.net/alphae/419coal/

Which clearly describes the working of this scam...

Just ignore it, or send it on to the relevant government agency...

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
OpenSSH 3.4 released... should FIX problems
Head over to OpenSSH.com

They have just released version 3.4, which should fix some overflow problems
and adds lots of new checks against dubious input.

Advisories and updates on the various pages there.

Mark Janssen
Syconos IT Consultancy

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
[Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]
From what I understand, the advisory below is for the security issue we've
been buggering over for the last 2-3 days.

As I understand it, there is no need to upgrade to openssh 3.3 and use
priv-sep code, when we turn off the various challenge-response systems
discussed below (BSD-AUTH and SKEY). AFAIK many people don't need these
(What does BSD-Auth do on debian) so we should be safe with the old
3.0.2/3.1 SSH packages and these options removed from the default install ???

Can anyone shed any light on this...

-----Forwarded Message-----

From: X-Force <[EMAIL PROTECTED]>
To: bugtraq@securityfocus.com
Subject: ISS Advisory: OpenSSH Remote Challenge Vulnerability
Date: 26 Jun 2002 09:56:07 -0400

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
June 26, 2002

OpenSSH Remote Challenge Vulnerability

Synopsis:

ISS X-Force has discovered a serious vulnerability in the default
installation of OpenSSH on the OpenBSD operating system. OpenSSH is a free
version of the SSH (Secure Shell) communications suite and is used as a
secure replacement for protocols such as Telnet, Rlogin, Rsh, and Ftp.
OpenSSH employs end-to-end encryption (including all passwords) and is
resistant to network monitoring, eavesdropping, and connection hijacking
attacks. X-Force is aware of active exploit development for this
vulnerability.

Impact:

OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be
vulnerable to a remote, superuser compromise.

Affected Versions:

OpenBSD 3.0
OpenBSD 3.1
FreeBSD-Current
OpenSSH 3.0-3.2.3

OpenSSH version 3.3 implements "privilege separation" which mitigates the
risk of a superuser compromise. Prior to the release of this advisory, ISS
and OpenBSD encouraged all OpenSSH users to upgrade to version 3.3.

Versions of FreeBSD-Current built between March 18, 2002 and June 23, 2002
are vulnerable to remote superuser compromise. Privilege separation was
implemented in FreeBSD-Current on June 23, 2002.

Note: OpenSSH is included in many operating system distributions, networking
equipment, and security appliances. Refer to the following address for
information about vendors that implement OpenSSH:
http://www.openssh.com/users.html

Description:

A vulnerability exists within the "challenge-response" authentication
mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2
protocol, verifies a user's identity by generating a challenge and forcing
the user to supply a number of responses. It is possible for a remote
attacker to send a specially-crafted reply that triggers an overflow. This
can result in a remote denial of service attack on the OpenSSH daemon or a
complete remote compromise. The OpenSSH daemon runs with superuser
privilege, so remote attackers can gain superuser access by exploiting this
vulnerability.

OpenSSH supports the SKEY and BSD_AUTH authentication options. These are
compile-time options. At least one of these options must be enabled before
the OpenSSH binaries are compiled for the vulnerable condition to be
present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled. The
SKEY and BSD_AUTH options are not enabled by default in many distributions.
However, if these options are explicitly enabled, that build of OpenSSH may
be vulnerable.

Recommendations:

Internet Scanner X-Press Update 6.13 includes a check, OpenSshRunning, to
detect potentially vulnerable installations of OpenSSH. XPU 6.13 is
available from the ISS Download Center at: http://www.iss.net/download. For
questions about downloading and installing this XPU, email
[EMAIL PROTECTED]

ISS X-Force recommends that system administrators disable unused OpenSSH
authentication mechanisms. Administrators can remove this vulnerability by
disabling the Challenge-Response authentication parameter within the
OpenSSH daemon configuration file. This filename and path is typically:
/etc/ssh/sshd_config.

To disable this parameter, locate the corresponding line and change it to
the line below:

ChallengeResponseAuthentication no

The "sshd" process must be restarted for this change to take effect. This
workaround will permanently remove the vulnerability.

X-Force recommends that administrators upgrade to OpenSSH version 3.4
immediately. This version implements privilege separation, contains a patch
to block this vulnerability, and contains many additional pro-active
security fixes. Privilege separation was designed to limit exposure to
known and unknown vulnerabilities. Visit http://www.openssh.com for more
information.

Additional Information:

ISS X-Force and Black Hat consulting will host a presentation titled,
"Professional Source Code Auditing" at Black Hat Briefings USA 2002. The
presentation will explore advanced source code auditing techniques as well
as secure development best-practices. Please refer to
http://www.blackhat.com and
http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Dowd for
more information.

Credits:

The vulnerability described in this a
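Added example (not from the list posts or the ISS advisory): a parser for the SSH identification string discussed in the "ssh banner" thread above, combined with a check of the advisory's workaround, so an administrator can tell from a banner plus an sshd_config whether a host sits in the affected 3.0-3.2.3 range and whether ChallengeResponseAuthentication is really off. The version strings and config text are constructed samples; whether a build has SKEY or BSD_AUTH compiled in cannot be read from the banner, so "vulnerable" here means "in range and workaround not applied".

```python
import re

# Affected range from the advisory: OpenSSH 3.0 through 3.2.3. 3.3 added privilege
# separation, 3.4 carries the actual fix.
AFFECTED_LOW = (3, 0)
AFFECTED_HIGH = (3, 2, 3)


def parse_banner(line):
    """Split an identification string of the form
    'SSH-protoversion-softwareversion [SP comments]' (RFC 4253, section 4.2)."""
    line = line.rstrip("\r\n")
    m = re.match(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$", line)
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    proto, software, comments = m.groups()
    return {"proto": proto, "software": software, "comments": comments or ""}


def openssh_version(software):
    """Numeric version from e.g. 'OpenSSH_3.0.2p1', or None for other software.
    The portable 'pN' suffix is dropped: it is a packaging revision of the same code."""
    m = re.match(r"^OpenSSH_(\d+(?:\.\d+)*)(?:p\d+)?$", software)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1).split("."))


def in_affected_range(version):
    """Tuple comparison handles mixed-length versions: (3, 0) <= (3, 0, 2) <= (3, 2, 3)."""
    return AFFECTED_LOW <= version <= AFFECTED_HIGH


def challenge_response_enabled(config_text):
    """Effective value of ChallengeResponseAuthentication in an sshd_config:
    keywords are case-insensitive, 'Keyword value' and 'Keyword=value' are both
    accepted, the first occurrence wins, lines starting with '#' are comments,
    and the option defaults to yes when absent (which is why the advisory's
    workaround is to set it explicitly). Match blocks are not handled."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts
        if keyword.lower() == "challengeresponseauthentication":
            return value.strip().lower() == "yes"
    return True


def assess(banner, config_text):
    """'not-openssh', 'not-affected', 'mitigated' or 'vulnerable'. The last means
    'version in range and workaround absent'; whether SKEY/BSD_AUTH were compiled
    in, which the advisory says is required, cannot be read from the banner."""
    version = openssh_version(parse_banner(banner)["software"])
    if version is None:
        return "not-openssh"
    if not in_affected_range(version):
        return "not-affected"
    return "vulnerable" if challenge_response_enabled(config_text) else "mitigated"


if __name__ == "__main__":
    # First banner is the one quoted in the "ssh banner" thread; the second is constructed.
    for banner in ("SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1", "SSH-1.99-OpenSSH_3.0.2p1"):
        print(banner, "->", assess(banner, "ChallengeResponseAuthentication no\n"))
```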
Re: [SECURITY] [DSA-134-2] Unknown OpenSSH remote vulnerability
On Tue, 2002-06-25 at 18:27, Tycho Fruru wrote:
> In the "recommended" config it would be something like "/var/empty", not
> writable by the sshd user. I don't have a system handy to verify
> whether the package does the right thing here though.

The debian package chroots to the empty and root:root owned dir /var/run/sshd

I myself changed this to root:sys, but that shouldn't really matter.

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: DSA-134-1
On Tue, 2002-06-25 at 18:11, Phillip Hofmeister wrote:
> *TECHNICALLY* every login is root. Getty runs as root and then gives up root
> to the authenticated user once PAM gives the okay... Does this mean the user
> can break back into root? If they exit their shell (Ctrl + D, or pick your
> choice of logout method...) then Getty immediately respawns

No... getty exec's a shell (or a login actually) and when this exits the
inetd restarts the getty. :)

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: [SECURITY] [DSA-134-2] Unknown OpenSSH remote vulnerability
On Tue, 2002-06-25 at 15:57, Kruskal wrote:
> Has anyone applied this update yet? I did so on a potato box, enabled
> priv separation in the sshd config file and restarted sshd. I saw
> that a user called sshd was created. However, when I ssh'ed in, I
> didn't see any processes owned by sshd. In fact, the ssh daemon
> process was still owned by root.

I noticed this as well... and decided to roll my own version, and include a
patch for setproctitle support, this to aid debugging.

It in fact does work, but the 'sshd' process from the 'sshd' user only exists
before login. If you connect to the ssh daemon it will fork off this process;
if you do a ps-listing at this stage you will see it. As soon as you log in,
this process will be replaced by a process running as your user account.

You can also see that the 'priv' process (running as root) will be chrooted
in /var/run/sshd

This was/is all in woody, but I suspect potato to act the same :)

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: ssh and password authentication
On Tue, 2002-06-25 at 15:35, Florent Rougon wrote:
> But the default sshd_config in the openssh-3.0.2p1 package has a comment
> indicating the contrary:
>
> ,
> | # To disable tunneled clear text passwords, change to no here!
> | PasswordAuthentication yes
> `
>
> and according to that comment, the default setting would be insecure...

Nope... it's just the way you read it...

It's a tunnelled clear-text password, meaning the 'clear-text' password is
transmitted through the tunnel. The tunnel is encrypted.

It just means that the password will be visible to roots on both ends of the
tunnel, but not to anyone in between. So it's quite safe ;)

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: SSH2 Encryption
On Mon, 2002-06-10 at 19:13, Jeff Bonner wrote:
> Questions:
>
> 1) Are all those ciphers actually available in my SSH package?

Run the ssh daemon with debugging on (2 levels or more) and check the output:

sshd -d -d -d -p
ssh -v -p 127.0.0.1

Look at all the pretty output...

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0

> 2) The SHA1-96 hash should be better than MD5-96, correct?

I'll make no statements about that...

> 3) Any reason you *wouldn't* want to use compression in SSH?

If you are using it over fast networks or slow systems... as opposed to using
it over modems and fast systems... It all depends on your requirements.

Also, if using ssh for file-transfer or already compressed files, compressing
them again will only cost cpu cycles...
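Added example, not part of Mark's post: a parser that maps the ordered `debug2: kex_parse_kexinit:` lines to the KEXINIT name-lists of RFC 4253 and flags the algorithms a current reviewer would treat as legacy, plus the negotiation rule that decides which one is actually used. The debug output below is constructed from the lists in the post, and the legacy set is this example's own classification.

```python
import re

# Field order of SSH_MSG_KEXINIT (RFC 4253, section 7.1). sshd -d and ssh -v print
# the name-lists in exactly this order, followed by first_kex_follows and reserved.
KEXINIT_FIELDS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_client_to_server",
    "encryption_server_to_client",
    "mac_client_to_server",
    "mac_server_to_client",
    "compression_client_to_server",
    "compression_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]

# This example's own classification, reflecting current practice rather than 2002:
# 64-bit-block or RC4 ciphers, MD5 and truncated MACs, the 1024-bit group1 exchange,
# and DSA host keys.
LEGACY = {
    "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour",
    "hmac-md5", "hmac-md5-96", "hmac-sha1-96",
    "diffie-hellman-group1-sha1", "ssh-dss",
}

PREFIX = "debug2: kex_parse_kexinit:"

# Constructed sample: one KEXINIT dump as sshd -d -d -d prints it, with one unrelated
# debug line mixed in. The vendor-suffixed names the post shows are left out.
SAMPLE_DEBUG_OUTPUT = """\
debug1: SSH2_MSG_KEXINIT sent
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
"""


def parse_kexinits(debug_lines):
    """Return one dict per KEXINIT dump found in the debug output. A verbose run
    prints two dumps (the local proposal and the peer's); each ends with a
    'reserved' line, after which the next dump starts from the first field."""
    dumps, current, names = [], {}, iter(KEXINIT_FIELDS)
    for line in debug_lines:
        if not line.startswith(PREFIX):
            continue  # unrelated debug output
        payload = line[len(PREFIX):].strip()
        if payload.startswith("first_kex_follows"):
            current["first_kex_follows"] = payload.split()[1] == "1"
        elif payload.startswith("reserved"):
            current["reserved"] = int(payload.split()[1])
            missing = [n for n in KEXINIT_FIELDS if n not in current]
            if missing:
                raise ValueError("incomplete KEXINIT, missing " + ", ".join(missing))
            dumps.append(current)
            current, names = {}, iter(KEXINIT_FIELDS)
        else:
            name = next(names, None)
            if name is None:
                raise ValueError("more than ten name-lists before first_kex_follows")
            # An empty payload is a legitimately empty name-list (the language fields).
            current[name] = [a for a in payload.split(",") if a]
    if current:
        raise ValueError("truncated KEXINIT dump")
    return dumps


def legacy_algorithms(kexinit):
    """Map each negotiable field to the legacy names it offers, in offered order."""
    return {f: [a for a in kexinit[f] if a in LEGACY] for f in KEXINIT_FIELDS[:6]}


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the first algorithm in the client's list that the server
    also supports is chosen, so the client's order, not the server's, decides."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


if __name__ == "__main__":
    for dump in parse_kexinits(SAMPLE_DEBUG_OUTPUT.splitlines()):
        for field, weak in legacy_algorithms(dump).items():
            print("%-32s legacy: %s" % (field, ", ".join(weak) or "-"))
```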
Re: Generating Mail passwords
On Fri, 2002-05-24 at 15:04, Lars Roland Kristiansen wrote:
> Hi, I have configured postfix, pop-before-smtp and ipop3 (ssl) on a debian
> mail server. I have 200 users and want some new more secure passwords
> (not too long though). Is there a simple way to generate
> secure passwords so I can use them with adduser

pwgen or one of the other password generation tools with the right options. :)

apt-cache show pwgen

Description: Automatic Password generation
 pwgen generates random, meaningless but pronounceable passwords. Depending
 on how the program was installed, these words contain either only lowercase
 letters, or upper and lower case mixed, or digits thrown in. Uppercase
 letters and digits are placed in a way that eases remembering their position
 when memorizing only the word.

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl
Re: how to unsubscribe.
On Fri, 2002-04-26 at 09:58, Trancom wrote:
> how to unsubscribe.
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Look here    Or Here
\/ \/ \/ \/  \/ \/ \/ \/ \/ \/ \/ \/
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: OpenSSH 3.1
On Sun, 2002-04-07 at 14:34, Peter Lieven wrote:
> Is there any reason why there is no OpenSSH 3.1 package for debian available
> yet?
> is the "OpenSSH_3.0.2p1" version available in the testing/unstable tree
> already patched
> against the "March 7, 2002: Off-by-one error in the channel code" security
> hole?

Yes, it was fixed in debian package Openssh_3.0.2p1-8 (maybe already in 7,
but that had other problems)

Debian usually patches the (security) bug, without going straight to the new
upstream release, but only upgrading the package number

--
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
Re: scp and sftp
On Mon, 2002-04-01 at 18:41, Jon McCain wrote:
> Chris Reeves wrote:
> >
> > Why not change the users' shell to /usr/bin/menu?
> >
>
> Because they need to be able to transfer files to their home
> directories. If you do this, then ftp,pscp,etc won't work. My original
> goal was to allow them transfer files to/from home directory with
> something besides ftp (since they are going over the internet) but not
> allow them to change to directories above the home. Proftp allowed me
> to chroot them to the home but scp/sftp does not.

Like I said in a previous post. SSH/SFTP/SCP will allow the same kind of
chroot-ing proftp does, using the chroot-patch for openssh. You'll have to
compile sshd yourself, and place some bins/libs in the user's homedirs (maybe
hardlinks to some generic skeleton dir)

Here is my ssh/chroot setup:

. == chrooted users homedir:

./bin:
total 660
drwxr-xr-x    2 root     root         4096 Mar 18 13:36 .
drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..
-r-xr-xr-x    1 root     root       531160 Feb  6 22:36 bash
-r-xr-xr-x    1 root     root        43916 Nov 29 13:19 ls
-r-xr-xr-x    1 root     root        16684 Nov 29 13:19 mkdir
-rwxr-xr-x    1 root     root        23960 Mar 18 13:36 more
-r-xr-xr-x    1 root     root         9916 Jul 26  2001 pwd
-r-xr-xr-x    1 root     root        24780 Nov 29 13:19 rm
lrwxrwxrwx    1 root     root            4 Mar 30 16:29 sh -> bash

./etc:
total 24
drwxr-xr-x    2 root     root         4096 Mar 15 16:13 .
drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..
-rw-r--r--    1 root     root           54 Mar 15 13:23 group
-rw-r--r--    1 root     root          428 Mar 15 15:56 hosts
-rw-r--r--    1 root     root           44 Mar 15 15:53 passwd
-rw-r--r--    1 root     root           52 Mar 15 13:23 shells

./lib:
total 1848
drwxr-xr-x    2 root     root         4096 Mar 18 13:37 .
drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..
-rwxr-xr-x    1 root     root        92511 Mar 15 12:49 ld-linux.so.2
-rwxr-xr-x    1 root     root      1170812 Mar 15 12:49 libc.so.6
-rw-r--r--    1 root     root        20900 Mar 15 13:01 libcrypt.so.1
-rw-r--r--    1 root     root         9436 Mar 15 12:49 libdl.so.2
-rw-r--r--    1 root     root       248132 Mar 15 12:48 libncurses.so.5
-rw-r--r--    1 root     root        71332 Mar 15 13:00 libnsl.so.1
-rw-r--r--    1 root     root        34144 Mar 15 16:10 libnss_files.so.2
-rw-r--r--    1 root     root        29420 Mar 15 12:57 libpam.so.0
-rw-r--r--    1 root     root       105498 Mar 15 12:51 libpthread.so.0
-rw-r--r--    1 root     root        25596 Mar 15 12:51 librt.so.1
-rw-r--r--    1 root     root         7760 Mar 15 12:59 libutil.so.1
-rw-r--r--    1 root     root        24328 Mar 15 12:57 libwrap.so.0

./usr:
total 16
drwxr-xr-x    4 root     root         4096 Mar 15 13:00 .
drwxr-xr-x    8 guest    guest        4096 Mar 15 16:53 ..
drwxr-xr-x    2 root     root         4096 Mar 15 15:55 bin
drwxr-xr-x    2 root     root         4096 Mar 15 15:37 lib

./usr/bin:
total 340
drwxr-xr-x    2 root     root         4096 Mar 15 15:55 .
drwxr-xr-x    4 root     root         4096 Mar 15 13:00 ..
-rwxr-xr-x    1 root     root        10332 Mar 15 15:55 env
-rwxr-xr-x    1 root     root        13052 Mar 15 13:13 id
-r-xr-xr-x    1 root     root        25432 Mar 15 12:40 scp
-rwxr-xr-x    1 root     root        43768 Mar 15 15:15 sftp
-r-sr-xr-x    1 root     root       218456 Mar 15 12:40 ssh
-rwxr-xr-x    1 root     root         9692 Mar 15 13:17 tty

./usr/lib:
total 852
drwxr-xr-x    2 root     root         4096 Mar 15 15:37 .
drwxr-xr-x    4 root     root         4096 Mar 15 13:00 ..
-rw-r--r--    1 root     root       771088 Mar 15 13:01 libcrypto.so.0.9.6
-rw-r--r--    1 root     root        54548 Mar 15 13:00 libz.so.1
-rwxr-xr-x    1 root     root        23096 Mar 15 15:37 sftp-server

Some of these can probably be removed in your case, (I also allow some local
commands, not only sftp/scp)

Just make sure all these files are owned by root (or some other user) and not
writable by the chrooted user.

> I can use vpn to let them safely use ftp over the internet. That's only
> way they can use ftp since the firewall blocks ftp from the internet.
> But that still leaves the scp "hole".

Fixed :)

The chroot-patch is at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=139047&repeatmerged=yes

or:

http://www.cag.lcs.mit.edu/~raoul/

--
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
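Added example (not part of the original post): a small audit of a chroot tree like the one listed above, checking the closing caveat that everything inside must be root-owned and not writable by the chrooted account; it also reports setuid binaries and a chroot root owned by the user, since write access to the top directory lets the user rename or replace the root-owned bin/ and lib/ beneath it. The tree is constructed in a temporary directory, and because the example cannot chown without root it passes an assumed foreign uid/gid to stand in for the guest account.

```python
import os
import stat
import tempfile


def audit_chroot(root, chroot_uid, chroot_gid):
    """Walk a chroot tree and return (relative path, problem) pairs for every entry
    the chrooted account could modify, plus setuid/setgid binaries for review.
    'Modify' covers: owned by that uid, world-writable, or group-writable for its gid."""
    findings = []

    def check(path, rel):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return  # permission bits on a symlink are ignored; its target is checked on its own
        if st.st_uid == chroot_uid:
            findings.append((rel, "owned by chrooted user"))
        elif st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        elif st.st_gid == chroot_gid and st.st_mode & stat.S_IWGRP:
            findings.append((rel, "group-writable by chrooted user's group"))
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((rel, "setuid/setgid binary inside chroot"))

    # The top directory matters as much as its contents: write access to it lets the
    # user rename or replace bin/, lib/ and etc/ even though those are root-owned.
    check(root, ".")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            check(path, os.path.relpath(path, root))
    return findings


def build_sample_tree(base):
    """Constructed stand-in for the post's layout (owned by whoever runs this):
    read-only bin/, lib/, etc/ plus one deliberately world-writable scratch dir."""
    for d, mode in (("bin", 0o755), ("lib", 0o755), ("etc", 0o755), ("tmp", 0o1777)):
        p = os.path.join(base, d)
        os.mkdir(p)
        os.chmod(p, mode)  # chmod after mkdir so the umask cannot change the mode
    for f, mode in (("bin/ls", 0o555), ("lib/libc.so.6", 0o644), ("etc/passwd", 0o644)):
        p = os.path.join(base, f)
        with open(p, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(p, mode)
    os.symlink("bash", os.path.join(base, "bin", "sh"))  # dangling, like 'sh -> bash' without bash


def run_demo():
    """Audit the sample tree twice: once treating an assumed foreign uid/gid as the
    chrooted account (so our own files play the root-owned role), once treating the
    running user as the chrooted account, which should flag everything."""
    base = tempfile.mkdtemp(prefix="chroot-audit-")
    build_sample_tree(base)
    me, my_gid = os.getuid(), os.getgid()
    return {
        "foreign_account": audit_chroot(base, me + 1, my_gid + 1),  # assumption: ids not in use
        "owning_account": audit_chroot(base, me, my_gid),
    }


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label)
        for rel, problem in findings:
            print("  %-20s %s" % (rel, problem))
```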
Re: scp and sftp
On Mon, 2002-04-01 at 18:41, Jon McCain wrote:
> Chris Reeves wrote:
> >
> > Why not change the users' shell to /usr/bin/menu?
> >
> Because they need to be able to transfer files to their home
> directories. If you do this, then ftp, pscp, etc. won't work. My original
> goal was to allow them to transfer files to/from their home directory with
> something besides ftp (since they are going over the internet) but not
> allow them to change to directories above the home. Proftp allowed me
> to chroot them to the home but scp/sftp does not.

Like I said in a previous post, SSH/SFTP/SCP will allow the same kind of
chroot-ing proftp does, using the chroot-patch for openssh. You'll have to
compile sshd yourself, and place some bins/libs in the user's homedirs
(maybe hardlinks to some generic skeleton dir).

Here is my ssh/chroot setup (. == the chrooted user's homedir):

./bin:
total 660
drwxr-xr-x  2 root  root    4096 Mar 18 13:36 .
drwxr-xr-x  8 guest guest   4096 Mar 15 16:53 ..
-r-xr-xr-x  1 root  root  531160 Feb  6 22:36 bash
-r-xr-xr-x  1 root  root   43916 Nov 29 13:19 ls
-r-xr-xr-x  1 root  root   16684 Nov 29 13:19 mkdir
-rwxr-xr-x  1 root  root   23960 Mar 18 13:36 more
-r-xr-xr-x  1 root  root    9916 Jul 26  2001 pwd
-r-xr-xr-x  1 root  root   24780 Nov 29 13:19 rm
lrwxrwxrwx  1 root  root       4 Mar 30 16:29 sh -> bash

./etc:
total 24
drwxr-xr-x  2 root  root    4096 Mar 15 16:13 .
drwxr-xr-x  8 guest guest   4096 Mar 15 16:53 ..
-rw-r--r--  1 root  root      54 Mar 15 13:23 group
-rw-r--r--  1 root  root     428 Mar 15 15:56 hosts
-rw-r--r--  1 root  root      44 Mar 15 15:53 passwd
-rw-r--r--  1 root  root      52 Mar 15 13:23 shells

./lib:
total 1848
drwxr-xr-x  2 root  root    4096 Mar 18 13:37 .
drwxr-xr-x  8 guest guest   4096 Mar 15 16:53 ..
-rwxr-xr-x  1 root  root   92511 Mar 15 12:49 ld-linux.so.2
-rwxr-xr-x  1 root  root 1170812 Mar 15 12:49 libc.so.6
-rw-r--r--  1 root  root   20900 Mar 15 13:01 libcrypt.so.1
-rw-r--r--  1 root  root    9436 Mar 15 12:49 libdl.so.2
-rw-r--r--  1 root  root  248132 Mar 15 12:48 libncurses.so.5
-rw-r--r--  1 root  root   71332 Mar 15 13:00 libnsl.so.1
-rw-r--r--  1 root  root   34144 Mar 15 16:10 libnss_files.so.2
-rw-r--r--  1 root  root   29420 Mar 15 12:57 libpam.so.0
-rw-r--r--  1 root  root  105498 Mar 15 12:51 libpthread.so.0
-rw-r--r--  1 root  root   25596 Mar 15 12:51 librt.so.1
-rw-r--r--  1 root  root    7760 Mar 15 12:59 libutil.so.1
-rw-r--r--  1 root  root   24328 Mar 15 12:57 libwrap.so.0

./usr:
total 16
drwxr-xr-x  4 root  root    4096 Mar 15 13:00 .
drwxr-xr-x  8 guest guest   4096 Mar 15 16:53 ..
drwxr-xr-x  2 root  root    4096 Mar 15 15:55 bin
drwxr-xr-x  2 root  root    4096 Mar 15 15:37 lib

./usr/bin:
total 340
drwxr-xr-x  2 root  root    4096 Mar 15 15:55 .
drwxr-xr-x  4 root  root    4096 Mar 15 13:00 ..
-rwxr-xr-x  1 root  root   10332 Mar 15 15:55 env
-rwxr-xr-x  1 root  root   13052 Mar 15 13:13 id
-r-xr-xr-x  1 root  root   25432 Mar 15 12:40 scp
-rwxr-xr-x  1 root  root   43768 Mar 15 15:15 sftp
-r-sr-xr-x  1 root  root  218456 Mar 15 12:40 ssh
-rwxr-xr-x  1 root  root    9692 Mar 15 13:17 tty

./usr/lib:
total 852
drwxr-xr-x  2 root  root    4096 Mar 15 15:37 .
drwxr-xr-x  4 root  root    4096 Mar 15 13:00 ..
-rw-r--r--  1 root  root  771088 Mar 15 13:01 libcrypto.so.0.9.6
-rw-r--r--  1 root  root   54548 Mar 15 13:00 libz.so.1
-rwxr-xr-x  1 root  root   23096 Mar 15 15:37 sftp-server

Some of these can probably be removed in your case (I also allow some local
commands, not only sftp/scp). Just make sure all these files are owned by root
(or some other user) and not writable by the chrooted user.

> I can use vpn to let them safely use ftp over the internet. That's the only
> way they can use ftp since the firewall blocks ftp from the internet.
> But that still leaves the scp "hole".
Fixed :)

The chroot-patch is at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=139047&repeatmerged=yes
or:
http://www.cag.lcs.mit.edu/~raoul/

-- 
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl
GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
Re: scp and sftp
On Sun, 2002-03-31 at 05:24, Jon McCain wrote:
> I've been playing around with the scp and sftp components of putty and
> noticed what I consider a security hole. Winscp does the same thing.
> The user can change to directories above their home. Is there a way to
> chroot them like you can in an ftp config file? I don't see anything in
> the sshd config files. If you can't, how can I disable the scp
> functionality? I'm not talking about scp from the linux box. The users
> don't have shell access so that's not a problem. I'm referring to
> remote people using a scp client to access my linux machine. You can
> disable sftp ability by removing the sftp-server program but the scp
> server part seems to be part of sshd.

There is a chroot patch for SSH. You can find it in the Bug tracking system
(I added it there a few weeks ago).

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=139047&repeatmerged=yes

If you apply that patch to your SSHd and modify the /etc/passwd file by using
the special token '/./' in the user's homedir, he will be chrooted at the token.

Example:

joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash

Now joeuser will be chrooted to /home/joe. This works for SSH and SCP / SFTP
etc. of course.

Mark Janssen

> I did not see anything about this issue on the openssh web site.
> Anybody got any suggestions?
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

-- 
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl
GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
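An added script (not code from the thread or from the chroot patch) that parses a passwd entry with the '/./' token the way the reply above describes, and then audits the jail's bin, etc, lib and usr directories, as in the listing posted earlier in this thread, for anything the chrooted user could alter; the jail it checks is constructed in a temporary directory with one library deliberately left world-writable.

```python
"""Chroot-at-token passwd entries plus a jail ownership/permission audit.

Added example, not code from the thread or the chroot patch. It assumes the
'/./' token semantics described above: the path before the token is the
directory sshd chroots into, the path after it is the home inside the jail.
"""
import os
import stat
import tempfile
from typing import NamedTuple, Optional

CHROOT_TOKEN = "/./"
# Jail directories holding binaries, libraries and config (as in the listing
# earlier in the thread); these must be root-owned and unwritable by the user.
SYSTEM_DIRS = ("bin", "etc", "lib", "usr")


class ChrootEntry(NamedTuple):
    user: str
    uid: int
    gid: int
    chroot_dir: str   # directory sshd chroot()s into
    inner_home: str   # home directory as seen from inside the jail
    shell: str


def parse_passwd_line(line: str) -> Optional[ChrootEntry]:
    """Parse one passwd line; return None when the home has no '/./' token."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    user, _pw, uid, gid, _gecos, home, shell = fields
    if CHROOT_TOKEN not in home:
        return None
    root, _, rest = home.partition(CHROOT_TOKEN)
    # "/home/joe/./" -> chroot /home/joe, home "/" inside the jail;
    # "/home/joe/./incoming" -> chroot /home/joe, home "/incoming".
    return ChrootEntry(user, int(uid), int(gid), root or "/",
                       "/" + rest.strip("/"), shell)


def audit_jail(chroot_dir, jail_uid, jail_gid, trusted_uids=frozenset({0}),
               system_dirs=SYSTEM_DIRS):
    """Return [(relative path, [problems])] for jail files the user could alter.

    Reported: owner is the jailed user or not a trusted uid (root by default),
    or the path is writable by the jail group or by everyone. Symlinks are
    checked for ownership only, since their mode bits are not enforced.
    """
    findings = []
    for top in system_dirs:
        top_path = os.path.join(chroot_dir, top)
        if not os.path.isdir(top_path):
            continue
        entries = [top_path] + [os.path.join(d, n)
                                for d, ds, fs in os.walk(top_path)
                                for n in ds + fs]
        for path in entries:
            st = os.lstat(path)
            problems = []
            if st.st_uid == jail_uid or st.st_uid not in trusted_uids:
                problems.append(f"owned by uid {st.st_uid}")
            if not stat.S_ISLNK(st.st_mode):
                if st.st_mode & stat.S_IWOTH:
                    problems.append("world-writable")
                if st.st_gid == jail_gid and st.st_mode & stat.S_IWGRP:
                    problems.append("writable by jail group")
            if problems:
                findings.append((os.path.relpath(path, chroot_dir), problems))
    return findings


def build_sample_jail() -> str:
    """Constructed jail modelled on the thread's listing, in a temp dir.
    lib/libc.so.6 is deliberately left world-writable so the audit reports it."""
    root = tempfile.mkdtemp(prefix="jail-")
    files = {"bin/bash": 0o555, "bin/ls": 0o555, "etc/passwd": 0o644,
             "lib/libc.so.6": 0o666,          # constructed defect
             "usr/bin/scp": 0o555, "usr/lib/sftp-server": 0o755}
    for d in ("bin", "etc", "lib", "usr", "usr/bin", "usr/lib"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
        os.chmod(os.path.join(root, d), 0o755)
    for rel, mode in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
        os.chmod(os.path.join(root, rel), mode)
    os.symlink("bash", os.path.join(root, "bin", "sh"))
    return root


def demo():
    """Parse the thread's example entry, then audit a constructed jail.
    Files created here belong to whoever runs the script, so that uid stands
    in for root as the trusted owner."""
    entry = parse_passwd_line(
        "joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash")
    me = os.getuid()
    jail_uid = entry.uid if entry.uid != me else me + 1
    findings = audit_jail(build_sample_jail(), jail_uid, entry.gid,
                          trusted_uids={me})
    return entry, findings
```

Against a real jail, run audit_jail with the defaults so that only root counts as a trusted owner.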
Re: apache-ssl/woody cannot handle password protected keys?
On Mon, 2002-02-25 at 15:30, Thomas Gebhardt wrote:
> Hi,
>
> having just upgraded a host from potato to woody, I observed that
> my apache-ssl failed to work.

Here comes the trick... it does work...

> # /usr/sbin/apache-sslctl start
> Reading key for server :443
> Enter PEM pass phrase:

You are supposed to type in the passphrase at this point... within the 5-10
seconds that are provided to you in the script. It's supposed to be getting
the passphrase from somewhere... and YOU need to type it here. :)

> Launching... /usr/lib/apache-ssl/gcache
> pid=22730
> /usr/sbin/apache-sslctl start: httpsd started
>

-- 
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl
GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
Re: I want to test my firewall from the outside
On Thu, 2002-02-14 at 16:20, Cristian Ionescu-Idbohrn wrote:
> Greetings,
>
> Yes, I would like to do that. Any good tools you folks would recommend?

Nmap from a dial-up connection... or log in to some unix host and nmap from
there...

Maniac

(Or... just throw your IP into the internet... and let the rest of the world
probe your ports)
Re: How to modify SSH2 prompt message?
On Thu, Feb 07, 2002 at 09:46:41AM +0800, wrote:
> Hello,
>
> Running Woody (2.4.17-1) and ssh (3.0.2p1-6).
> When I telnet to the box, it prompts me:
> SSH-2.0-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-6. Protocol mismatch..

Are you telnetting to the SSH port (or running SSH on the telnet port)?

You can't get rid of this message (unless you also use a modified client).
The message is part of the protocol, and it is required that SSH servers
specify their version.

You could modify the string... (removing or altering the OpenSSH part). But
the SSH-2.0- part is mandatory!!

-- 
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl
GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
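As an added illustration of the point above (not code from the thread or from OpenSSH), the parser below splits an identification string into the fixed "SSH-2.0-" part, the software version and the comment, builds a replacement banner that keeps the mandatory prefix, and shows why a telnet client is answered with "Protocol mismatch."; the format assumed is the one RFC 4253 section 4.2 defines for the identification string.

```python
"""Parse, build and check the SSH protocol identification string.

Added example for this thread, not OpenSSH code. The format assumed is the
one the SSH transport protocol (RFC 4253, section 4.2) defines:
"SSH-protoversion-softwareversion SP comments CR LF". Only the software
version and the comments are the operator's to change; "SSH-2.0-" is fixed.
"""
import re
from typing import NamedTuple, Optional

MAX_IDENT_LEN = 255          # including the terminating CR LF
# protoversion/softwareversion: printable US-ASCII without space or '-';
# comments: any printable US-ASCII (a '-' is fine there).
_SOFTWARE = r"[\x21-\x2c\x2e-\x7e]+"
_COMMENTS = r"[\x20-\x7e]*"
_IDENT_RE = re.compile(
    rf"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>{_SOFTWARE})"
    rf"(?: (?P<comments>{_COMMENTS}))?\r?\n?\Z"
)


class SshIdent(NamedTuple):
    proto: str
    software: str
    comments: Optional[str]


def parse_ident(line: str) -> SshIdent:
    """Parse an identification string; raise ValueError if it is not one."""
    if len(line) > MAX_IDENT_LEN:
        raise ValueError("identification string longer than 255 bytes")
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshIdent(m["proto"], m["software"], m["comments"])


def speaks_ssh2(ident: SshIdent) -> bool:
    """True for a 2.0 peer, or a "1.99" peer (servers that also did SSH 1)."""
    return ident.proto in ("2.0", "1.99")


def build_ident(software: str, comments: Optional[str] = None) -> str:
    """Build a server banner; only the software and comment parts are free."""
    if not re.fullmatch(_SOFTWARE, software):
        raise ValueError("software version: printable ASCII, no space or '-'")
    if comments is not None and not re.fullmatch(_COMMENTS, comments):
        raise ValueError("comments must be printable ASCII")
    line = f"SSH-2.0-{software}" + (f" {comments}" if comments else "") + "\r\n"
    if len(line) > MAX_IDENT_LEN:
        raise ValueError("identification string longer than 255 bytes")
    return line


def classify_client_line(line: str) -> str:
    """What a 2.0-only server can do with the first line a client sends.

    'protocol-mismatch' is the case from the thread: telnet sends no SSH
    identification string at all, so sshd replies "Protocol mismatch." and
    drops the connection. 'version-unsupported' is a well-formed peer that
    only offers an older protocol version.
    """
    try:
        ident = parse_ident(line)
    except ValueError:
        return "protocol-mismatch"
    return "ok" if speaks_ssh2(ident) else "version-unsupported"
```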
Re: portscans and sniffing
On Mon, Jan 21, 2002 at 10:36:18AM +0100, [EMAIL PROTECTED] wrote:
> Hi all.
>
> I have startet a Security Company in Germany an now i have e few questions.

First try learning how to write :)

> Are ftp anonymous scans illegal?

That depends on what country the system is located in, but generally it is
considered illegal to portscan or attempt to access systems you are not
authorized to access. However there is hardly any enforcement of these rules.

> if it is, can i get an license to do penetrations test?

I suggest you only scan systems you are authorized to scan by their respective
owners (your clients) and keep well away from other people's boxes.

Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl
GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
Re: MTAs
On Wed, Nov 21, 2001 at 12:56:53PM +0200, Juha Jäykkä wrote:
> >> On the other hand, if exim is run from inetd (as I do), does it
> >> still need to be suid root? Since inetd runs root anyway, there should
> bit from exim. Now my original question was: does it (exim) still need
> to be suid root? And the question still remains and depends (solely?)
> on whether it still can communicate with inetd. Inetd runs exim with

I would assume no setuid-root exim is needed for it to communicate with inetd.

> mail's privileges so giving mail access to any necessary directories
> is enough for exim to function - unless there are issues with the
> permissions of /var/spool/mail/.
> Now another question: are there?

As long as /var/spool/mail/* is writable/owned by the 'mail' user I do not
see a problem here. Also check /var/spool/mqueue... if also using outgoing
e-mail.

-- 
Mark Janssen
Unix Consultant @ SyConOS IT
E-mail: [EMAIL PROTECTED]
GnuPG Key Id: 357D2178
http: maniac.nl, unix-god.[net|org], markjanssen.[com|net|org|nl]
Re: OpenSSH 3, DEBIAN 2.2 and PAM authentication
On Mon, Nov 12, 2001 at 02:21:11PM +0100, Carsten Nottebohm wrote:
> Looks fine to me.
> I think OpenSSH uses /etc/pam.d/sshd (Note the "d" in the end). Try renaming
> your pam config file.

To be exact, SSH uses whatever the binary is named. So if you name it opensshd
it'll use /etc/pam.d/opensshd. If you name it sshd it will use /etc/pam.d/sshd
etc :)

That's what I read last week in some docs on the OpenSSH site :)

Mark Janssen
Unix Consultant @ SyConOS IT
E-mail: [EMAIL PROTECTED]
GnuPG Key Id: 357D2178
http: maniac.nl, unix-god.[net|org], markjanssen.[com|net|org|nl]
Re: FTP and security
On Thu, Nov 08, 2001 at 04:57:22PM -0500, Adam Spickler wrote:
> Is there a decent Windows FTP application that supports sftp? Unfortunately,
> I have to use Windows at work. :/

cygwin includes openssh... and the sftp it has supports everything you need.

-- 
Mark Janssen
Unix Consultant @ SyConOS IT
E-mail: [EMAIL PROTECTED]
GnuPG Key Id: 357D2178
http: maniac.nl, unix-god.[net|org], markjanssen.[com|net|org|nl]
Re: shared root account
On Fri, Jul 06, 2001 at 12:15:43PM +0300, Juha Jäykkä wrote:
> I have a bit of a situation: I have a handful of linux machines
> (almost all with different distributions and kernels and software - ..
> time (we all know keeping up security is a fulltime job). Obviously to
> install patches etc I, also, need root privileges.
> This poses a problem if I am not to remember all those different
> root passwords and without making all the passwords the same! How can
> that _safely_ be accomplished? There are versions of su, sudo etc) that
> do not ask passwords, there are suid binaries but which is _THE_ way

You could also use SSH to accomplish this. Set it up so you log in with
RSA/DSA keys (and no passwords) and authenticate with your key's passphrase.

You will become root on the machine, and you'll be able to use your own
passphrase, as will the other 'root's on the machine, each with his own
keypair and passphrase.

(Put the public key in the .authorized_keys file for the root user.)
Turn on RSA/DSA authentication and 'allow root login'.

Mark Janssen
Unix Consultant @ SyConOS IT
E-mail: [EMAIL PROTECTED]
GnuPG Key Id: 357D2178
http: maniac.nl, unix-god.[net|org], markjanssen.[com|net|org|nl]
Re: SSH and RSA
On Mon, Feb 19, 2001 at 10:14:18AM -0800, Duane Powers wrote:
> Hi all,
>
> Recently I was made administrator over a dozen Solaris boxen
> The prior admin was offsite and used ssh with rsa keys to access the boxes.
> He allowed root login, and used the RSA key functionality to keep the root
> password safe.
> I am not as mature as he was regarding ssh and have only used
> ssh as a plug in replacement to telnet, p/w during
> ssh-keygen> and simply access the boxes as follows: ssh -l
> then I login using the normal p/w that is local to the box. I have found
> that he did
> not need to transmit the local password over the tunnel, but rather used
> RSA to
> verify his identity, but I can't find documentation on how to do it.
> Security> does anyone have any information on how I can implement the
> same safeguards? Or where I can at least find some documentation on
> practical ssh implementation.

Ok... check your /etc/ssh/sshd_options file. You need to enable some options
with RSA in their name; they are all there, only commented out by default.

Next you need to go to your user's .ssh directory (the user/system you want
to ssh to... so root on your solaris boxes) and create a file called
authorized_keys (check the local sshd manual page for the exact name, it will
differ between implementations) and append your public key to it, so:

cat my-public-key >> ~/.ssh/authorized_keys

Then you should be able to login with your key and key passphrase, and not
the local account password.

I just tried it on my local system and it works great (using teraterm ssh on
windows to my debian linux box).

Here's the line from the sshd_options file:

RSAAuthentication yes

More info can be found in the sshd_options file and the manual page for sshd
(not ssh) ;)

Have fun...

> As always, You guys are great, thanks in advance for the help,
>
> ~duane
>

-- 
Mark Janssen
Unix Consultant @ SyConOS IT
E-mail: [EMAIL PROTECTED]
GnuPG Key Id: 357D2178
http: markjanssen.homeip.net and markjanssen.[com|net|org|nl]
Fax/VoiceMail: +31 20 8757555
Finger for GPG and GeekCode
Re: Configuring ssh
On Mon, 6 Nov 2000, Karsten Mueller wrote:
> > The latest version of CygWin toolkit contains OpenSSH 2.0pl1...
> > along with all the other unix tools for win32... so you can just
> > run ssh (including tunnels and other advanced features most term-emulators
> > with ssh don't have) from your bash shell.
>
> Nice to hear. I found nothing about it on http://sources.redhat.com/cygwin/.
> Please tell me where I can download the stuff.

Just get the installer; it'll find the mirrors and download it from there.

The installer can be found here:
ftp://sunsite.org.uk/Mirrors/sourceware.cygnus.com/pub/cygwin/setup.exe

Or on other sites... just search with google...

Mark Janssen
Unix Consultant
Unix Support Nederland / PSInet Netherlands
E-mail: [EMAIL PROTECTED]
GnuPG Key Id: 357D2178
http: markjanssen.homeip.net www.markjanssen.nl www.maniac.nl
Fax/VoiceMail: +31 20 8757555
Finger for GPG and GeekCode
Re: Configuring ssh
> > Login with an ssh client with RSA support, like mindterm.
>
> SecureCRT is a good client although it is commercial.

The latest version of CygWin toolkit contains OpenSSH 2.0pl1... along with
all the other unix tools for win32... so you can just run ssh (including
tunnels and other advanced features most term-emulators with ssh don't have)
from your bash shell.

Mark Janssen
Unix Consultant
Unix Support Nederland / PSInet Netherlands
E-mail: [EMAIL PROTECTED]
GnuPG Key Id: 357D2178
http: markjanssen.homeip.net www.markjanssen.nl www.maniac.nl
Fax/VoiceMail: +31 20 8757555
Finger for GPG and GeekCode
Re: SECURITY PROBLEM: autofs [all versions]
On Sat, 1 Jul 2000, Thor wrote:
> huh ? and you call this an xploit ?
>
> if you have physical access to the console and floppy drive you can always
> start with a boot + root floppy, mount the hard disk and modify the
> mounted /etc/passwd file ... this is an old trick, useful when you
> lose the root password ;-)

Yes, that's correct, but there's a huge difference between an exploit that
needs a reboot (boot+root floppy) to work and one that works without setting
off any simple monitoring tools. A vi'd password file isn't checked for every
other minute... a reboot doesn't go unnoticed...

Mark Janssen
Unix Consultant
Unix Support Nederland / PSInet Netherlands
E-mail: [EMAIL PROTECTED]
GnuPG Key Id: 357D2178
http: markjanssen.homeip.net www.markjanssen.nl www.maniac.nl
Fax/VoiceMail: +31 20 8757555