Re: How can I help ?
Lennie,

Can you give me any more details than just that Linux I/O performance is inferior to *BSD?

Regards,
Alex.

---
PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9

On Wed, 14 Jun 2000, L. Besselink wrote:

> On Tue, 13 Jun 2000, Thomas Guettler wrote:
>
>> I am in the same position. I have got some time left which I could spend in an open source project. Nearly all things I dream of are already working. So that I don't know where to join. And Mozilla is too big.
>>
>> And like Florian I am interested in security. If someone knows where to start, please give us a hint. I know some C, C++, Perl, Shell, Java, XML.
>
> If you ask me personally what things in Linux and/or Debian are most needed? Those are two things:
>
> - I/O performance. Linux just doesn't have as good an I/O performance as the BSD family.
>
> and
>
> - Proactive security source code reading/fixing, like what the OpenBSD people do.
>
> As you can see, only one is security related :/
>
> I know it may sound a bit boring and I know Debian is probably the best Linux distribution in that field (well, they fix very fast anyway ;), but it is even more important than adding new things if you ask me. This is just my personal opinion.
>
>> One thing I am interested in, which is AFAIK not implemented yet: Cross-platform user authentication (win+unix), via LDAP.
>
> But of course I have no problem with anyone adding new and great features. ;)
>
> snip
>
> Hope this made sense and not just noise,
> Lennie.
>
> - New things are always on the horizon.
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: How can I help ?
On Wed, 14 Jun 2000, Alexander Hvostov wrote:

> Lennie,
>
> Can you give me any more details than just that Linux I/O performance is inferior to *BSD?

not much :/

All I can show is from my own experience. Some time ago, I 'replaced' my home firewall 486 Debian installation with OpenBSD (just to try it out a bit) and it improved my network performance dramatically (no I don't have hard facts at hand).

I think it has/had something to do with MTU discovery or something, because I'm connected with an @home cable modem and to be honest their systems have had problems in the past and still do, and with OpenBSD I think it's been doing a lot better job, somehow.

I think it's MTU discovery because sometimes if the cable is down, I get back cut-down pings to the gateway. So some of it gets through but not all somehow, it's really strange.

Also this new OS seems more speedy than the previous, although I can not back this with facts either (I forgot to run something like bonnie to find out).

Also I keep reading on the Linux kernel mailing list that they are not too happy about current performance yet. ;) So maybe this also says something as I'm sure they have a good view on things.

Did this help?

> Regards,
> Alex.

snip

Same to ya,
Lennie.

- New things are always on the horizon.

Re: How can I help ?
Lennie,

There's all sorts of interesting tweaks you can do to Linux to fine-tune its network behavior via /proc. I suggest you look into it.

Regards,
Alex.

On Wed, 14 Jun 2000, L. Besselink wrote:

> On Wed, 14 Jun 2000, Alexander Hvostov wrote:
>
>> Lennie,
>>
>> Can you give me any more details than just that Linux I/O performance is inferior to *BSD?
>
> not much :/
>
> All I can show is from my own experience. Some time ago, I 'replaced' my home firewall 486 Debian installation with OpenBSD (just to try it out a bit) and it improved my network performance dramatically (no I don't have hard facts at hand).
>
> I think it has/had something to do with MTU discovery or something, because I'm connected with an @home cable modem and to be honest their systems have had problems in the past and still do, and with OpenBSD I think it's been doing a lot better job, somehow.
>
> I think it's MTU discovery because sometimes if the cable is down, I get back cut-down pings to the gateway. So some of it gets through but not all somehow, it's really strange.
>
> Also this new OS seems more speedy than the previous, although I can not back this with facts either (I forgot to run something like bonnie to find out).
>
> Also I keep reading on the Linux kernel mailing list that they are not too happy about current performance yet. ;) So maybe this also says something as I'm sure they have a good view on things.
>
> Did this help?
>
>> Regards,
>> Alex.
>
> snip
>
> Same to ya,
> Lennie.
>
> - New things are always on the horizon.

Re: How can I help ?
On Wed, Jun 14, 2000 at 09:23:54AM +0200, L. Besselink wrote:

> On Tue, 13 Jun 2000, Thomas Guettler wrote:
>
> If you ask me personally what things in Linux and/or Debian are most needed? Those are two things:
>
> - I/O performance. Linux just doesn't have as good an I/O performance as the BSD family.

You might be interested in the discussion going on over streaming I/O performance on [EMAIL PROTECTED]

> and
>
> - Proactive security source code reading/fixing, like what the OpenBSD people do.

I wanted to start a project like that a while back. I examined the OpenBSD patches to try to figure out exactly what they looked for. Unfortunately, between school and jobs, I haven't had the time to really delve into the subject or apply their techniques to Linux.

> As you can see, only one is security related :/
>
> I know it may sound a bit boring and I know Debian is probably the best Linux distribution in that field (well, they fix very fast anyway ;), but it is even more important than adding new things if you ask me. This is just my personal opinion.
>
>> One thing I am interested in, which is AFAIK not implemented yet: Cross-platform user authentication (win+unix), via LDAP.

One thing you might take a look at while you're at it is adding LDAP support to Netatalk. I know at least one SysAdmin who was trying to get his whole network using LDAP, and Samba already has support (according to a previous email I saw on this list), but he needed a solution for his Macs as well. I don't have his email here (he contacted me at work).

Nathan Paul Simons
http://www.nmt.edu/~npsimons/

Re: How can I help ?
>> and
>>
>> - Proactive security source code reading/fixing, like what the OpenBSD people do.
>
> I wanted to start a project like that a while back. I examined the OpenBSD patches to try to figure out exactly what they looked for. Unfortunately, between school and jobs, I haven't had the time to really delve into the subject or apply their techniques to Linux.

Take a look at the attached e-mail (dare I post this with OE ;) about a new linux security auditing project.

--
Jon / [EMAIL PROTECTED]

---BeginMessage---

This is a mission statement for a project under way and ready to get going.

The Linux Kernel Auditing Project (LKAP).

The purpose of this project is self-explanatory. It's an attempt to audit the Linux kernel for any security vulnerabilities and/or holes and/or possible vulnerabilities and/or possible holes, and of course without adding more bugs or drawbacks to the existing kernels. The suggested kernels to be audited are 2.0.x kernel series, 2.2.x kernel series, and the 2.3.x/2.4.x kernel series.

The group and its work shall be dealt and worked with via a mailing list.

How to subscribe:
echo subscribe kernel-audit | mail [EMAIL PROTECTED]

I feel that this project should have been done a long time ago, not to imply that the Linux kernel is insecure, but a case in which this project would've helped would be the setuid() hole found on June 7 which affected all 2.2.x kernels. This bug was patched in a matter of hours (isn't open source great!). But here's the point, the flaw/function/hole should _NOT_ have existed in the first place. Which is where this project comes into place.

There's a few things that differ from this project compared to a few others that are similar.

1) To audit the kernel source code without affecting/breaking/disrupting any other part of the kernel. These will not be additional patches you can download (add-ons). This auditing is dealing with the current code in the source, not adding or implementing new functions.

2) To educate kernel developers/hackers on how to securely write code. It is my hope that kernel developers/hackers new and old will subscribe and post to this mailing list with questions and share information, and to simply get help with their code (e.g.: Could this function() cause a possible security hole or lead to an exploit?), this is the true power of open source and GNU/Linux

3) To be ahead of the game... A perfect example of this are certain proprietary Operating System developers who sit around and wait for a security bug to come to them and not go to find the bug themselves. Of course this needs no explanation as to why this never works. I feel that kernel developers/hackers are down to earth and pretty logical people and realize that Linux is _NOT_ perfect, that a lot of the code they write, submit, and gets plugged into the kernel is not flawless and more than likely could be improved for security reasons.

4) To provide an operating system to the public. I want to see a Linux where the sysadmin doesn't have to watch his back all the time in fear of say some new knfsd exploit or a way to fork()bomb his/her router via a simple mistake in buffer.c

5) To provide a safe Linux to the end-user. Linux is slowly but surely becoming a choice for the desktop user. Most of these users are walking into Linux with no knowledge of what potential dangers lie at their fingertips and in their hard drive. Linux has proven to be one of the most secure operating systems, but I feel as Linux becomes more popular with the general public this will change, that more kernel security holes and exploits will arise from nowhere and give us a very unpleasant reality check.

And at last, this will be no easy project, security auditing never is. It takes man power, skill, and just plain aching time. But I believe if the community gets together on this one, nothing will stop us and Linux will go on to become the #1 security-wise operating system to this date.

Sincerely
Bryan Paxton

How to subscribe:
echo subscribe kernel-audit | mail [EMAIL PROTECTED]

-
To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/

---End Message---

Re: How can I help ?
On Tue, Jun 13, 2000 at 03:46:12PM -0700, Ryan White wrote:

> As I recall after windows 95 the passwords are sent over the line encrypted. The encryption might be weak but they are not clear text anymore. There is a switch in SMB to allow encrypted passwords. This is ON by default in debian (I believe)

But using this option prevents you from using the global /etc/shadow file, which is problematic in some cases.

- Sebastian

Re: How can I help ?
Previously Thomas Guettler wrote:

> I am in the same position. I have got some time left which I could spend in an open source project. Nearly all things I dream of are already working.

A good free reimplementation of portsentry is something I would really like to see. Right now portsentry works reasonably, but it could really use a bunch of extra features.

> Cross-platform user authentication (win+unix), via LDAP.

Some people on the samba team are working on this already.

Wichert.

--
 / Generally uninteresting signature - ignore at your convenience \
| [EMAIL PROTECTED]    http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |

Re: How can I help ?
Previously Alexander Hvostov wrote:

> I have a better idea: an integrated 'user' command, which uses plugins to access the actual database server (like PAM, but for writing to the database rather than reading from it), and performs any of several functions.

PNIAM might already do this, I haven't looked at it closely yet.

Wichert.

SMB passwords etc (was How can I help ?)
On Wed, 14 Jun 2000, Sebastian Rittau wrote:

[stuff about encrypted SMB passwords]

> But using this option prevents you from using the global /etc/shadow file, which is problematic in some cases.

True. Samba has a password sync option to enable SMB password changes to automatically update the unix password file too (though it can be troublesome to get this working smoothly...)

I'm no PAM or SMB expert, but I would imagine (if it hasn't been done) it would be feasible to make a stacked password module to do the reverse, i.e. to update the SMB password (including optionally creating the entry in the smbpasswd file if it doesn't exist) when the passwd command is used to change the unix password. A mechanism would obviously be required to prevent a loop situation when both options are used simultaneously.

If Samba carried out the actual SMB password update via PAM, then this should allow for the required flexibility, with either one or both of the unix/SMB password setting modules used by passwd and smbd as desired. This would hopefully eliminate the need for the password sync option with its dependence on the precise prompt string produced by the passwd command.

--
Zak Kipling, E114 Wolfson Court, Clarkson Road, Cambridge, CB3 0EH.
Tel. (01223) 509524; pager 04325 361627; ICQ# 62661452; Ask for PGP key
Internet chat: telnet to zk201.girton.cam.ac.uk and log in as talk.

As long as the superstition that people should obey unjust laws exists, so long will slavery exist. -- M. K. Gandhi

Re: How can I help ?
On Wed, Jun 14, 2000 at 02:43:07PM +0200, Wichert Akkerman wrote:

> Previously Thomas Guettler wrote:
>
>> I am in the same position. I have got some time left which I could spend in an open source project. Nearly all things I dream of are already working.
>
> A good free reimplementation of portsentry is something I would really like to see. Right now portsentry works reasonably, but it could really use a bunch of extra features.

According to upstream we can't hope that he will put portsentry under a license which debian considers as free in the near future, so a free reimplementation would be great. Portsentry is a nice piece of software but it's missing some crucial features such as a pid file or more flexible syntax in the hosts.ignore file (such as ignore host:port1,port2).

--
GPG-Public Key: http://honk.physik.uni-konstanz.de/~agx/guenther.gpg.asc

Re: SMB passwords etc (was How can I help ?)
At 22:40 14/06/2000, Zak Kipling wrote:

> On Wed, 14 Jun 2000, Sebastian Rittau wrote:
>
> [stuff about encrypted SMB passwords]
>
>> But using this option prevents you from using the global /etc/shadow file, which is problematic in some cases.
>
> True. Samba has a password sync option to enable SMB password changes to automatically update the unix password file too (though it can be troublesome to get this working smoothly...)
>
> I'm no PAM or SMB expert, but I would imagine (if it hasn't been done) it would be feasible to make a stacked password module to do the reverse, i.e. to update the SMB password (including optionally creating the entry in the smbpasswd file if it doesn't exist) when the passwd command is used to change the unix password. A mechanism would obviously be required to prevent a loop situation when both options are used simultaneously.
>
> If Samba carried out the actual SMB password update via PAM, then this should allow for the required flexibility, with either one or both of the unix/SMB password setting modules used by passwd and smbd as desired. This would hopefully eliminate the need for the password sync option with its dependence on the precise prompt string produced by the passwd command.

This was posted to samba-technical within the last few days:

begin quote

From: Peter Samuelson [EMAIL PROTECTED]
To: Multiple recipients of list SAMBA-TECHNICAL [EMAIL PROTECTED]
Subject: ANNOUNCE: pam_pwexport, Unix-SMB password changes
Date: Tue, 13 Jun 2000 22:08:43 +1000

[[posted to samba-ntdom and samba-technical]]

More than one user has recently asked about Unix-Samba password sync. You can go the *other* direction with those chat options in smb.conf, and Samba even has an option `update encrypted' for using cleartext passwords and populating the smbpasswd file when people change them. But when a user executes `passwd' or `yppasswd' on the Unix system, Samba has no way of knowing, so your NT password gets out of sync.

Until now. For all you out there who use PAM-enabled Unix systems (that means most flavors of Linux and Solaris, and recently HP-UX, and possibly others I don't know about), you may wish to give this a shot:

http://peter.cadcamlab.org/misc/pam_pwexport-0.0.tar.gz

It sits and snoops whenever a user enters or changes a password through PAM, and sends the passwords off to be processed by an arbitrary PAM-unaware executable. That means:

* For all logins (ftp, ssh, telnet, pop3, etc) you can grab the password and use it to populate your local smbpasswd file. This is akin to the smb.conf `update encrypted' option, useful for migration from a Unix environment to a mixed Unix/NT environment.

* For Unix password changes, you get both the old and new password, so you can either do the above, or update an NT domain controller (or remote Samba domain controller). Assuming your NIS domain controller is PAM-aware, this should work for `yppasswd' as well. (Untested.)

* Although I wrote it with Samba in mind, it is by no means specific to smbpasswd; other similar password migration scenarios should work just as well.

Like most PAM modules, it's not very hard to set up. Included is an example glue script for making it work with smbpasswd.

BUT: It's a 0.0 release and has only been tested on Linux-PAM. It may work on the other Unices, but I don't have Solaris and I haven't gotten a chance to test on HP-UX yet. It's also missing some error checking and other polish. (I'll gladly take patches.)

ALSO: pam_pwexport won't work properly without a small patch, included, to fix a bug in Linux-PAM 0.72.

Enjoy. I did. (PAM modules are much easier to write than you think.)

Peter

end quote

Looks like what you're after :)

Freddie

Re: How can I help ?
Wichert,

Where might I find this?

Regards,
Alex.

On Wed, 14 Jun 2000, Wichert Akkerman wrote:

> Previously Alexander Hvostov wrote:
>
>> I have a better idea: an integrated 'user' command, which uses plugins to access the actual database server (like PAM, but for writing to the database rather than reading from it), and performs any of several functions.
>
> PNIAM might already do this, I haven't looked at it closely yet.
>
> Wichert.