Re: File transfer using ssh
----- Original Message -----
From: Jason Thomas [EMAIL PROTECTED]
To: Curt Howland [EMAIL PROTECTED]
Cc: 'FEJF' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, August 23, 2001 7:54 AM
Subject: Re: File transfer using ssh

> # copy file to remote machine and connect as current user
> scp afile.txt machine.domain:
>
> # copy file to remote machine and connect as specified user
> scp afile.txt [EMAIL PROTECTED]:
>
> # copy file from remote machine and connect as current user
> scp machine.domain:afile.txt .
>
> # copy file from remote machine and connect as specified user
> scp [EMAIL PROTECTED]:afile.txt .

root? root?!?!??? ROOT!

Humz.. bad idea, don't ya think?

Jaan
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 09:02:35AM +0200, Jaan Sarv wrote:
> root? root?!?!??? ROOT!

first of all, example!!
secondly, secure shell protocol, secure!
third, sometimes when you're lazy you just have to!

> Humz.. bad idea, don't ya think?
>
> Jaan

--
Jason Thomas
System Administrator - UID 0
tSA Consulting Group Pty. Ltd.
RE: File transfer using ssh
One point: All the Windows scp clients I've tried so far are password based, and my server allows only RSA key access, so they don't work.

As soon as I got ssh working reliably, I turned off passwords, and de-un-selected telnet and ftp servers entirely. So ssh -l root is just as safe as any other way to get into the machine.

The sshd_config file, however, has root account disabled. I guess I'm not entirely a sheep, ne?

Curt-

-----Original Message-----
From: Sam Couter [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 23, 2001 17:13
To: [EMAIL PROTECTED]
Subject: Re: File transfer using ssh

Philipp Schulte [EMAIL PROTECTED] wrote:
> You should never be too lazy to log in as a user and su to root.

su to root: 8 character password.
ssh directly as root: 1024 bit RSA key.

Which one is easiest to crack?

I don't allow telnet logins as root, but I'm quite happy to allow RSA authenticated root logins with SSH.

Plus, su doesn't forward X connections.

--
Sam Couter | Internet Engineer | tSA Consulting
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 05:14:19PM +0900, Olaf Meeuwissen wrote:
> Philipp Schulte [EMAIL PROTECTED] writes:
> > You should never be too lazy to log in as a user and su to root.
>
> Better yet, stick `PermitRootLogin no' in /etc/ssh/sshd_config.

Sure, I always set up sshd like this.

Phil
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 06:13:04PM +1000, Sam Couter wrote:
> Philipp Schulte [EMAIL PROTECTED] wrote:
> > You should never be too lazy to log in as a user and su to root.
>
> su to root: 8 character password.
> ssh directly as root: 1024 bit RSA key.
>
> Which one is easiest to crack?

I login as a user by RSA-authentication and then su to root.

> I don't allow telnet logins as root, but I'm quite happy to allow RSA
> authenticated root logins with SSH.

Great, and if somebody compromises the machine where the private key for root is stored...

Phil
Re: File transfer using ssh - poking fun...
hi ya

On 23 Aug 2001, Olaf Meeuwissen wrote:
> Sam Couter [EMAIL PROTECTED] writes:
> > Philipp Schulte [EMAIL PROTECTED] wrote:
> > Plus, su doesn't forward X connections.
>
> Real sysadmins don't need X to admin! (duck)

and certainly don't need webmin either...or any other gui...
==
== it's fun to watch them say ... yeah but webmin can do this and that
== and they find out it did it wrong and did it slowly and insecurely...
== point to command line interface ..
== no point for mouse clicks
==
and if they have to ask for root passwds...they don't need it...

c ya
alvin
Re: ssh problem
I've got the opposite problem after jumping up to Testing this week. I found ssh broke when I tried to connect to my masq server, which worked flawlessly when both boxes were Potato.

Now, if I try to ssh to the Potato machine from the Woody machine using the hostname, it just sits there. If I use the IP address the connect goes through, and then afterward I can connect using the hostname.

So I wonder if the Woody package (or my original guess is the nsswitch is broken) in some way. Of course, Woody isn't ready for primetime yet!

- Nate
Re: Ssh + chroot
On Thu, 23 Aug 2001 13:26:45 +0200 Michael Wood [EMAIL PROTECTED] wrote:
> I haven't been following the thread. Do you get the message as soon
> as you run sshd or just when someone tries to log in?

I get the message when I try to do an scp from local to the chrooted host (as it must run scp in the chroot). But no problem with ssh or sftp.

> If you get the error when trying to start sshd, you can try
> something like this:
>
> strace sshd
> or
> strace -eopen sshd
> or
> strace sshd 2>&1 | less
> etc.
>
> That might give you more of an idea of what sshd can't find.

Thanks!!! It works, strace told me that I need to put /lib/libnss_files.so.2 and /lib/libnss_compat.so.2

Thanks to you Michael and Nick and ... strace.

So now here is the content of my chroot to make ssh, scp, sftp and some other stuff work. If someone sees something he thinks is a very bad idea to have in a chroot, please let me know.

Manu.

./bin
./bin/bash
./bin/cat
./bin/chmod
./bin/cp
./bin/date
./bin/df
./bin/echo
./bin/grep
./bin/gunzip
./bin/gzip
./bin/hostname
./bin/ln
./bin/ls
./bin/mkdir
./bin/mv
./bin/rm
./bin/rmdir
./bin/tar
./bin/touch
./bin/uncompress
./bin/gdb
./lib
./lib/libncurses.so.5
./lib/libdl.so.2
./lib/libc.so.6
./lib/ld-linux.so.2
./lib/libpam.so.0
./lib/libwrap.so.0
./lib/libnsl.so.1
./lib/libutil.so.1
./lib/libcrypt.so.1
./lib/libncurses.so.4
./lib/libm.so.6
./lib/libnss_files.so.2
./lib/libnss_compat.so.2
./usr
./usr/bin
./usr/bin/bzip2
./usr/bin/emacs
./usr/bin/zip
./usr/bin/unzip
./usr/bin/zile
./usr/bin/scp
./usr/bin/psql
./usr/lib
./usr/lib/libbz2.so.0
./usr/lib/sftp-server
./usr/lib/libz.so.1
./usr/lib/libcrypto.so.0.9.5
./usr/lib/menu
./usr/lib/menu/zile
./usr/lib/postgresql
./usr/lib/postgresql/bin
./usr/lib/postgresql/bin/psql
./usr/lib/libpq.so.2
./usr/lib/libpq.so.2.0
./usr/lib/libpq.so.2.1
./usr/share
./usr/share/zile
./usr/share/zile/HELP
./usr/share/zile/FAQ
./usr/share/zile/LATEST_VERSION
./usr/share/zile/HELPWIN
./usr/share/zile/TUTORIAL
./usr/share/zile/AUTODOC
./etc
./etc/nsswitch.conf
./etc/terminfo
./etc/terminfo/a
./etc/terminfo/a/ansi
./etc/terminfo/d
./etc/terminfo/d/dumb
./etc/terminfo/l
./etc/terminfo/l/linux
./etc/terminfo/r
./etc/terminfo/r/rxvt-m
./etc/terminfo/r/rxvt
./etc/terminfo/s
./etc/terminfo/s/screen
./etc/terminfo/s/screen-w
./etc/terminfo/s/sun
./etc/terminfo/v
./etc/terminfo/v/vt100
./etc/terminfo/v/vt102
./etc/terminfo/v/vt220
./etc/terminfo/v/vt52
./etc/terminfo/x
./etc/terminfo/x/xterm
./etc/terminfo/x/xterm-xfree86
./etc/terminfo/x/xterm-debian
./etc/terminfo/x/xterm-basic
./etc/terminfo/x/xterm-mono
./etc/terminfo/x/xterm-r5
./etc/terminfo/x/xterm-color
./etc/terminfo/x/xterm-r6
./etc/terminfo/x/xterm-vt220
./etc/terminfo/m
./etc/terminfo/m/mach-bold
./etc/terminfo/m/mach
./etc/terminfo/m/mach-color
./etc/terminfo/p
./etc/terminfo/p/pcansi
./etc/passwd

--
Easter-eggs - Spécialiste GNU/Linux
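
Added example, not part of the original message: the two libraries strace revealed are glibc NSS modules, which are loaded at run time and so do not appear in ldd output. This sketch derives the module names from a chroot's nsswitch.conf and reports the ones missing; the sample file is constructed, and the search is limited to the lib and usr/lib directories used in the listing above (an assumption).

```sh
#!/bin/sh
# glibc loads libnss_<service>.so.2 with dlopen() when a name lookup happens,
# which is why scp failed inside the chroot although ldd showed nothing missing.

# nss_modules: read nsswitch.conf text on stdin, print the module file names.
# Comments and [STATUS=action] items are dropped before the services are split.
nss_modules() {
    sed -e 's/#.*//' -e 's/\[[^]]*\]//g' |
    awk -F: 'NF >= 2 {
        n = split($2, svc, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (svc[i] != "") print "libnss_" svc[i] ".so.2"
    }' | sort -u
}

# missing_nss_modules ROOT: print every module named by ROOT/etc/nsswitch.conf
# that exists neither in ROOT/lib nor in ROOT/usr/lib.
missing_nss_modules() {
    nss_root=$1
    nss_modules < "$nss_root/etc/nsswitch.conf" | while read -r mod; do
        [ -e "$nss_root/lib/$mod" ] || [ -e "$nss_root/usr/lib/$mod" ] || echo "$mod"
    done
}

# Constructed sample input, not taken from the poster's system.
sample_nsswitch() {
    cat <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
services:       db [NOTFOUND=return] files
EOF
}

# Demo: list the modules the sample configuration would make glibc load.
sample_nsswitch | nss_modules
```

Run `missing_nss_modules /path/to/chroot` after changing nsswitch.conf inside the chroot; trimming that file to the services actually needed also shortens the list of libraries that must be copied in.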
Running root commands by http
Hi,

I want to get some opinions on doing this:

Making someone to be able to create unix users by an http method (from an http browser).

Making someone to be able to restart a daemon under the identity of root from http.

I think about some methods:

Running a cgi or system() under php +

- use super to run the program
- making the programs needed setuid root (bhh)
- Sending a mail to the root containing special headers. A cron will inspect the root mailbox and execute commands as root, or a procmailrc?
- Another idea more secure??

Thanks.

Manu.

--
Easter-eggs - Spécialiste GNU/Linux
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 06:13:04PM +1000, Sam Couter wrote:
> Philipp Schulte [EMAIL PROTECTED] wrote:
> > You should never be too lazy to log in as a user and su to root.
>
> su to root: 8 character password.
> ssh directly as root: 1024 bit RSA key.
>
> Which one is easiest to crack?

ssh

try sshmitm in dsniff package ... :-))

key exchange is not done in a secure manner

it's always better ssh and then su ( even if it's broken when your session is being logged with man in the middle attack ) because you can see in your logs which one became root

ciao
Samuele

--
Samuele Tonon [EMAIL PROTECTED]
Undergraduate Student of Computer Science at University of Bologna, Italy
System administrator at Computer Science Lab's, University of Bologna, Italy
Re: Running root commands by http
Hi,

U could use sudo ?

Excerpt from http://www.courtesan.com/sudo/
---
Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments.
---

and run it with a cgi or php or whatever.

Hth

On Thu, Aug 23, 2001 at 02:58:23PM +0200, Emmanuel Lacour wrote:
> Hi,
>
> I want to get some opinions on doing this:
>
> Making someone to be able to create unix users by an http method (from
> an http browser).
>
> Making someone to be able to restart a daemon under the identity of
> root from http.
>
> I think about some methods:
>
> Running a cgi or system() under php +
>
> - use super to run the program
> - making the programs needed setuid root (bhh)
> - Sending a mail to the root containing special headers. A cron will
>   inspect the root mailbox and execute commands as root, or a procmailrc?
> - Another idea more secure??
>
> Thanks.
>
> Manu.

--
Jean Baptiste Lallement
ZENI Corporation http://zeni.fr
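
Added example, not part of the original message: one way to apply the sudo suggestion to the tasks described in this thread (create and delete accounts, switch between two postfix configs) is to let the web user run a single root-owned helper that accepts only a fixed set of actions and strictly validated arguments. The helper path, the www-data web user, the main.cf.normal and main.cf.fallback file names, the /bin/false shell and the uid 1000 threshold are all assumptions.

```sh
#!/bin/sh
# Hypothetical helper, installed root-owned and not writable by the web user,
# e.g. /usr/local/sbin/relay-admin. The CGI runs it as:
#   sudo -n /usr/local/sbin/relay-admin ACTION ARG
# sudoers entry (edit with visudo) allowing this one program and nothing else:
#   www-data ALL = (root) NOPASSWD: /usr/local/sbin/relay-admin
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lower case only

# Accept only names that start with a lower-case letter and contain nothing a
# shell or useradd could read as an option, separator or path.
valid_username() {
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# With DRY_RUN set, print the command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Fixed dispatch table: the request never supplies a command, only a choice.
relay_admin() {
    [ "$#" -eq 2 ] || { echo "usage: relay-admin ACTION ARG" >&2; return 2; }
    case $1 in
        adduser)
            valid_username "$2" || return 1
            run /usr/sbin/useradd -m -s /bin/false "$2" ;;
        deluser)
            valid_username "$2" || return 1
            # Refuse system accounts: only uids from 1000 up may be removed.
            uid=$(id -u "$2" 2>/dev/null) || return 1
            [ "$uid" -ge 1000 ] || return 1
            run /usr/sbin/userdel "$2" ;;
        postfix-config)
            case $2 in normal|fallback) ;; *) return 1 ;; esac
            run /bin/cp "/etc/postfix/main.cf.$2" /etc/postfix/main.cf &&
            run /usr/sbin/postfix reload ;;
        *) return 1 ;;
    esac
}

# Entry point when installed as a script; does nothing when no arguments are given.
[ "$#" -eq 0 ] || relay_admin "$@"
```

sudo logs each invocation with its arguments, which gives the audit trail the excerpt mentions; the CGI itself should pass the two arguments as separate argv entries rather than through a shell string.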
Re: Running root commands by http
Do u know webmin?

http://webadmin.sourceforge.net/webmin/

Eric

On Thu, 23 Aug 2001, Jean Baptiste Lallement wrote:
> Hi,
>
> U could use sudo ?
>
> Excerpt from http://www.courtesan.com/sudo/
> ---
> Sudo (superuser do) allows a system administrator to give certain users
> (or groups of users) the ability to run some (or all) commands as root
> or another user while logging the commands and arguments.
> ---
>
> and run it with a cgi or php or whatever.
>
> Hth
>
> On Thu, Aug 23, 2001 at 02:58:23PM +0200, Emmanuel Lacour wrote:
> > Hi,
> >
> > I want to get some opinions on doing this:
> >
> > Making someone to be able to create unix users by an http method (from
> > an http browser).
> >
> > Making someone to be able to restart a daemon under the identity of
> > root from http.
> >
> > I think about some methods:
> >
> > Running a cgi or system() under php +
> >
> > - use super to run the program
> > - making the programs needed setuid root (bhh)
> > - Sending a mail to the root containing special headers. A cron will
> >   inspect the root mailbox and execute commands as root, or a procmailrc?
> > - Another idea more secure??
> >
> > Thanks.
> >
> > Manu.
>
> --
> Jean Baptiste Lallement
> ZENI Corporation http://zeni.fr
Re: Running root commands by http
On Thu, 23 Aug 2001 15:21:32 +0200 Jean Baptiste Lallement [EMAIL PROTECTED] wrote:
> Hi,
>
> U could use sudo ?
>
> Excerpt from http://www.courtesan.com/sudo/
> ---
> Sudo (superuser do) allows a system administrator to give certain users
> (or groups of users) the ability to run some (or all) commands as root
> or another user while logging the commands and arguments.

Thanks, and what about sudo vs. super??

--
Easter-eggs - Spécialiste GNU/Linux
Re: Running root commands by http
On Thu, Aug 23, 2001 at 02:58:23PM +0200, Emmanuel Lacour wrote:
> Hi,
>
> I want to get some opinions on doing this:
>
> Making someone to be able to create unix users by an http method (from
> an http browser).
>
> Making someone to be able to restart a daemon under the identity of
> root from http.
>
> I think about some methods:
>
> Running a cgi or system() under php +
>
> - use super to run the program
> - making the programs needed setuid root (bhh)
> - Sending a mail to the root containing special headers. A cron will
>   inspect the root mailbox and execute commands as root, or a procmailrc?
> - Another idea more secure??

Sounds like you're getting into doing normal remote admin of a box. But why over HTTP ? If you have network connectivity to it, ssh should do the job (ssh in as yourself and su/sudo to root?).

If you can get to via HTTP (e.g. you're behind some company firewall?), then httptunnel might help. YMMV. But if you can get SSH over HTTP running, you should be able to use all the existing tools. Better than writing new tools from scratch...

Failing everything else, you *could* use the email method. I guess that some (big?) procmail recipe should be able to call a script that:

- de-crypts the mail and verifies that it is *your* signature (you weren't going to do things in plaintext, were you?)
- executes any command
- sends stdout/stderr back (encrypted again of course).

But doing this for interactive commands would be difficult...

<tangent>TCP/IP over email anyone?</tangent>

--
Karl E. Jørgensen
Re: Running root commands by http
On Thu, Aug 23, 2001 at 03:21:23PM +0100, Karl E. Jorgensen wrote:
> Sounds like you're getting into doing normal remote admin of a box. But
> why over HTTP ? If you have network connectivity to it, ssh should do
> the job (ssh in as yourself and su/sudo to root?).
>
> If you can get to via HTTP (e.g. you're behind some company firewall?),
> then httptunnel might help. YMMV. But if you can get SSH over HTTP
> running, you should be able to use all the existing tools. Better than
> writing new tools from scratch...

Another possibility would be to install the Mindterm java applet. It will let you ssh into a host from any web browser. Once they're logged in, you can let them do admin stuff with setuid programs, or sudo, or something of that nature.

--
Steven Barker
Re: Running root commands by http
Emmanuel Lacour ([EMAIL PROTECTED]) said:
> To be more explicit, it's on a mail relay in a dmz which needs to
> become, if there's a very big problem on the internal mail server, THE
> smtp/pop server for this domain, for a few mail accounts.
>
> So the admin needs to be able to create some accounts, delete them, and
> switch between two configs of postfix. That's all

The reason the web based solution to this is not forthcoming is that this is not a web problem. The real solution is to hire trustworthy admins capable of learning the right way to admin their systems.

I'm not trying to be a bastard, but since you asked this question on a security list I'm giving you the solution to this problem that is the most professional and secure. Take the time you would have invested in programming this tool and simply document how to do these tasks with the tools already provided. Take the money you will save in doing this and buy some O'Reilly books for your team.

Smart admins with an understanding of how systems really work will always be more valuable than untrusted admins with idiot proof tools.

Just my $.02.

/paul
Re: Package: ssh 1:1.2.3-9.3 (stable)
Simon Boulet [EMAIL PROTECTED] writes:
> Hi,
>
> I had some problems today with sshd. Here is what was reported in my
> log files:
>
> Aug 23 00:23:24 host01 kernel: VM: killing process sshd
> Aug 23 00:23:24 host01 kernel: swap_free: swap-space map bad (entry f000)
> Aug 23 00:24:23 host01 kernel: VM: killing process sshd
> Aug 23 00:24:23 host01 kernel: swap_free: swap-space map bad (entry f000)
> Aug 23 00:27:51 host01 kernel: VM: killing process sshd
> Aug 23 00:27:51 host01 kernel: swap_free: swap-space map bad (entry f000)
> Aug 23 00:28:11 host01 kernel: VM: killing process sshd
> Aug 23 00:28:11 host01 kernel: swap_free: swap-space map bad (entry f000)

Looks more like a problem with swap space than with ssh to me. Just happened to hit sshd.

> I was just wondering if ssh 1.2.3 was not quite old enough to release
> the ssh 1:2.5.2p2-3 (testing) package?
>
> Anyone can help or has any ideas of what went wrong tonight? Should I
> upgrade to sshd 2.5.2?
>
> Hopefully I have telnet still open and I was able to /etc/init.d/ssh
> restart and now it seems to work as normal.

Having telnet around kind of defeats the purpose of ssh, not? You su to root on your telnet connection and your root password flies over the wire for all to snoop. Eek!

--
Olaf Meeuwissen
Epson Kowa Corporation, Research and Development
Re: File transfer using ssh
Philipp Schulte [EMAIL PROTECTED] writes:
> On Thu, Aug 23, 2001 at 05:08:48PM +1000, Jason Thomas wrote:
> > On Thu, Aug 23, 2001 at 09:02:35AM +0200, Jaan Sarv wrote:
> > > root? root?!?!??? ROOT!
> >
> > first of all, example!!
> > secondly, secure shell protocol, secure!
>
> That's supposed to be a joke, right? Just because something can be
> used in a secure manner doesn't mean you can't use it in a more
> insecure manner.
>
> > third, sometimes when you're lazy you just have to!
>
> You should never be too lazy to log in as a user and su to root.

Better yet, stick `PermitRootLogin no' in /etc/ssh/sshd_config.

--
Olaf Meeuwissen
Epson Kowa Corporation, Research and Development
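
Added example, not part of the original message: a check for the two sshd_config settings this thread argues about, root logins and password authentication. It follows the sshd_config rule that the first value obtained for a keyword is the one used, reads only the global section (anything after a Match line is ignored), and treats an unset keyword as a warning because the default differs between sshd versions; the sample config is constructed.

```sh
#!/bin/sh
# sshd_first_value KEYWORD: read sshd_config text on stdin and print, in lower
# case, the value sshd would use for KEYWORD from the global section.
# Keywords are case-insensitive and the first occurrence wins.
sshd_first_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                     # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }           # accept the Keyword=value form
        tolower($1) == "match" { exit }         # conditional blocks start here
        tolower($1) == want { print tolower($2); exit }
    '
}

# audit_sshd: read sshd_config text on stdin, print one finding per setting,
# and return non-zero if either setting needs attention.
audit_sshd() {
    conf=$(cat)
    rootlogin=$(printf '%s\n' "$conf" | sshd_first_value PermitRootLogin)
    passauth=$(printf '%s\n' "$conf" | sshd_first_value PasswordAuthentication)
    rc=0
    case ${rootlogin:-unset} in
        no)
            echo "ok   PermitRootLogin no: admins log in as themselves, then su" ;;
        without-password|prohibit-password|forced-commands-only)
            echo "note PermitRootLogin $rootlogin: root by key only, no per-admin su record" ;;
        unset)
            echo "WARN PermitRootLogin not set: the default depends on the sshd version"; rc=1 ;;
        *)
            echo "WARN PermitRootLogin $rootlogin: root may log in by any enabled method"; rc=1 ;;
    esac
    case ${passauth:-unset} in
        no)
            echo "ok   PasswordAuthentication no: key-based logins only" ;;
        unset)
            echo "WARN PasswordAuthentication not set: the default depends on the sshd version"; rc=1 ;;
        *)
            echo "WARN PasswordAuthentication $passauth: password guessing is possible"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the later PermitRootLogin line is ignored by sshd.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample, not a real host
PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes
EOF
}

sample_sshd_config | audit_sshd || true
```

Pipe a host's real file through it with `audit_sshd < /etc/ssh/sshd_config`.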
Re: File transfer using ssh
Sam Couter [EMAIL PROTECTED] writes:
> Philipp Schulte [EMAIL PROTECTED] wrote:
> > You should never be too lazy to log in as a user and su to root.
>
> su to root: 8 character password.
> ssh directly as root: 1024 bit RSA key.

Eh, ssh in as user and su to root is what Phil is talking about ...

> Which one is easiest to crack?
>
> I don't allow telnet logins as root, but I'm quite happy to allow RSA
> authenticated root logins with SSH.

su to root after ssh'ing and you will have a log entry telling you who su'd to root (assuming you're not tossing authpriv which you shouldn't to begin with)

> Plus, su doesn't forward X connections.

Real sysadmins don't need X to admin! (duck)

--
Olaf Meeuwissen
Epson Kowa Corporation, Research and Development
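
Added example, not part of the original message: the audit-trail difference between su and direct root logins, shown on constructed authpriv lines. The log wording is modelled on common sshd and pam_unix output and varies between versions, so the patterns are assumptions to adapt to the local format.

```sh
#!/bin/sh
# root_sessions: read auth log lines on stdin and print one line per root
# session: "su USER" when a named user became root through su, or
# "direct METHOD SOURCE" when sshd accepted a login as root.
root_sessions() {
    awk '
        / su(\[[0-9]+\])?: / && /session opened for user root[ (]/ {
            who = "unknown"               # su records may lack a login name
            if (match($0, / by [^ (]+/))
                who = substr($0, RSTART + 4, RLENGTH - 4)
            print "su " who
            next
        }
        / sshd(\[[0-9]+\])?: Accepted / && / for root from / {
            method = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "from") src = $(i + 1)
            }
            print "direct " method " " src
        }
    '
}

# Constructed sample lines (documentation addresses, invented users).
sample_auth_log() {
    cat <<'EOF'
Aug 23 09:01:12 host01 sshd[1402]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
Aug 23 09:01:40 host01 su[1420]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Aug 23 09:30:05 host01 sshd[1533]: Accepted publickey for root from 192.0.2.10 port 40377 ssh2
Aug 23 09:45:00 host01 su[1600]: pam_unix(su:session): session opened for user postgres by bob(uid=1001)
Aug 23 10:02:11 host01 su[1711]: pam_unix(su:session): session opened for user root by (uid=0)
EOF
}

sample_auth_log | root_sessions
```

The su record names the account that became root, while the direct login record carries only the method and source address, which is the distinction the replies above turn on.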
Re: File transfer using ssh
Yeah.. try using scp. It should come along with ssh.

At 02:13 PM 8/23/2001 +0900, Curt Howland wrote:
> I've just made the change from a windows to Debian user machine, I've
> been running a Debian server for years.
>
> One of the features of the windows software that I liked was zmodem
> file transfer over the ssh link. Since changing over to ssh (1.2.3-9.3)
> from stable for both server and now client, it does not seem to be able
> to receive or send files through the link.
>
> Is there a file transfer method for utilizing ssh? I'm sure ftp could
> be tunneled, but for security reasons ftp is turned off. Until now,
> with zmodem, I didn't need it.
>
> Thank you for any suggestions,
>
> Curt-

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 08:18:58AM -1000, Joseph Dane wrote:
> Alexander == Alexander List [EMAIL PROTECTED] writes:
>
> Alexander You might also consider the tip posted before to use rsync
> Alexander (rsync -e ssh) to transfer entire directory structures,
>
> or, since ssh will read from stdin, you can alter the old tar|tar
> trick to copy a directory tree:
>
> here$ cd srcdir
> here$ tar cf - . | ssh there 'cd dstdir; tar xf -'

or even

here$ tar cf - . | ssh there tar xCf dstdir -

--
Nathan Norman - Staff Engineer
Micromuse Ltd.
UP2DATE
Hello people,

I have a little question, I saw many Debian users get their system up2date using apt-get. But their versions of the applications are _the_ latest one, when I look at my system I seem to have, up2date, but older versions.

Could anyone tell me what I can change to get the latest versions ?

And what do I need to change in /etc/apt/sources.list in the security line.

Thanks in advance,

A. de Slager.
Re: UP2DATE
--=[ ..:: Vírù§ ::.. ]=-- [EMAIL PROTECTED] writes:

Hmm, can't say I'm overly fond of your email address, but ...

> I saw many Debian users get their system up2date using apt-get. But
> their versions of the applications are _the_ latest one, when I look
> at my system I seem to have, up2date, but older versions.

Those folks are running unstable/testing. If you don't know how to get that in your sources.list, it's probably not for you.

> Could anyone tell me what I can change to get the latest versions ?

For a purist setup:

deb http://security.debian.org stable/updates main
deb http://<your debian mirror here>/debian stable main
deb http://<your debian-non-US mirror here>/debian-non-US stable non-US/main
#deb http://<your debian mirror here>/debian testing main
#deb http://<your debian-non-US mirror here>/debian-non-US testing non-US/main
#deb http://<your debian mirror here>/debian unstable main
#deb http://<your debian-non-US mirror here>/debian-non-US unstable non-US/main

Where I've commented out testing and unstable so you don't shoot yourself in the foot unless you uncomment them. Feel free to add contrib, non-free, non-US/contrib and/or non-US/non-free as you see fit.

> And what do I need to change in /etc/apt/sources.list in the security
> line.

See above, first line of sources.list, covers non-US/main too.

--
Olaf Meeuwissen
Epson Kowa Corporation, Research and Development
Re: Locking down a guest account - need help.
On Fri, Aug 03, 2001 at 12:46:10PM -0500, David Ehle wrote:
> Howdy all,
>
> Not debian specific, but this is the best batch of security minds I
> have access to so I figured I'd see if this interests anyone.
>
> I need to set up some Xterminal replacements - linux boxes that will
> mostly only be running netscape and ssh. They are going to be used for
> visiting staff/students/etc. so they need a guest account with a bad
> password.

Or, use kdm (instead of xdm). It lets you specify which users will be allowed to log in without typing their password. Thus, you leave the guest account with a strong password and don't tell it to anybody, but allow logins as guest from the console via kdm. (BTW, KDM is a decent replacement for XDM. It can launch whatever you want, not just kde.)

This makes securing FTP, SSH, etc. a lot less worrisome. (you still might want to block the guest account out of a lot of stuff...)

--
Peter Cordes
Package: ssh 1:1.2.3-9.3 (stable)
Hi,

I had some problems today with sshd. Here is what was reported in my log files:

Aug 23 00:23:24 host01 kernel: VM: killing process sshd
Aug 23 00:23:24 host01 kernel: swap_free: swap-space map bad (entry f000)
Aug 23 00:24:23 host01 kernel: VM: killing process sshd
Aug 23 00:24:23 host01 kernel: swap_free: swap-space map bad (entry f000)
Aug 23 00:27:51 host01 kernel: VM: killing process sshd
Aug 23 00:27:51 host01 kernel: swap_free: swap-space map bad (entry f000)
Aug 23 00:28:11 host01 kernel: VM: killing process sshd
Aug 23 00:28:11 host01 kernel: swap_free: swap-space map bad (entry f000)

I was just wondering if ssh 1.2.3 was not quite old enough to release the ssh 1:2.5.2p2-3 (testing) package?

Anyone can help or has any ideas of what went wrong tonight? Should I upgrade to sshd 2.5.2?

Hopefully I have telnet still open and I was able to /etc/init.d/ssh restart and now it seems to work as normal.

Thanks a lot,

Simon Boulet, [EMAIL PROTECTED]
File transfer using ssh
I've just made the change from a windows to Debian user machine, I've been running a Debian server for years.

One of the features of the windows software that I liked was zmodem file transfer over the ssh link. Since changing over to ssh (1.2.3-9.3) from stable for both server and now client, it does not seem to be able to receive or send files through the link.

Is there a file transfer method for utilizing ssh? I'm sure ftp could be tunneled, but for security reasons ftp is turned off. Until now, with zmodem, I didn't need it.

Thank you for any suggestions,

Curt-
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 02:13:47PM +0900, Curt Howland wrote:
> Is there a file transfer method for utilizing ssh? I'm sure ftp could
> be tunneled, but for security reasons ftp is turned off. Until now,
> with zmodem, I didn't need it.

Try scp or sftp. They transfer files over ssh using the interfaces of rcp and ftp respectively. Neither require anything other than sshd to be running on the server.

--
Steven Barker
Re: File transfer using ssh
Hi Curt,

It sounds like you want sftp, which comes with SSHv2 and is a passable FTP clone for SSH ( not quite as advanced as say ncftp, but decent ).

Also, you can send individual files to an SSH server with the scp command.

One last note : keep in mind that if you decide to tunnel FTP over SSH for some reason ( as some do ), FTP uses two TCP ports, not one : one for control ( commands ) and the other for data.

HTH,
Rob Helmer
Namodn

On Thu, Aug 23, 2001 at 02:13:47PM +0900, Curt Howland wrote:
> I've just made the change from a windows to Debian user machine, I've
> been running a Debian server for years.
>
> One of the features of the windows software that I liked was zmodem
> file transfer over the ssh link. Since changing over to ssh (1.2.3-9.3)
> from stable for both server and now client, it does not seem to be able
> to receive or send files through the link.
>
> Is there a file transfer method for utilizing ssh? I'm sure ftp could
> be tunneled, but for security reasons ftp is turned off. Until now,
> with zmodem, I didn't need it.
>
> Thank you for any suggestions,
>
> Curt-
Re: File transfer using ssh
scp

On Thu, Aug 23, 2001 at 02:13:47PM +0900, Curt Howland wrote:
> I've just made the change from a windows to Debian user machine, I've
> been running a Debian server for years.
>
> One of the features of the windows software that I liked was zmodem
> file transfer over the ssh link. Since changing over to ssh (1.2.3-9.3)
> from stable for both server and now client, it does not seem to be able
> to receive or send files through the link.
>
> Is there a file transfer method for utilizing ssh? I'm sure ftp could
> be tunneled, but for security reasons ftp is turned off. Until now,
> with zmodem, I didn't need it.
>
> Thank you for any suggestions,
>
> Curt-

--
Jason Thomas
System Administrator - UID 0
tSA Consulting Group Pty. Ltd.
Re: File transfer using ssh
Curt Howland wrote:
> Is there a file transfer method for utilizing ssh?

It's called 'scp' -- secure cp. You don't even need an ssh session up to use it:

scp file [EMAIL PROTECTED]:/path

will copy a file to /path on the machine site, using the specified user account. You will be prompted for a password if necessary (if, for instance, you don't have RSA credentials set up).

Craig
Re: File transfer using ssh
Jason Thomas, on Thursday, 23 August 2001 07:29 wrote:
> scp

short answer ;) - but as everybody suggests scp there is one thing i miss: tell Curt Howland where to get a windoze version of scp... ;)

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

fejf

> On Thu, Aug 23, 2001 at 02:13:47PM +0900, Curt Howland wrote:
> > I've just made the change from a windows to Debian user machine, I've
> > been running a Debian server for years.
> >
> > One of the features of the windows software that I liked was zmodem
> > file transfer over the ssh link. Since changing over to ssh (1.2.3-9.3)
> > from stable for both server and now client, it does not seem to be able
> > to receive or send files through the link.
> >
> > Is there a file transfer method for utilizing ssh? I'm sure ftp could
> > be tunneled, but for security reasons ftp is turned off. Until now,
> > with zmodem, I didn't need it.
> >
> > Thank you for any suggestions,
> >
> > Curt-
RE: File transfer using ssh
Actually, the problem was from Debian to Debian, rather than windows anything. :^) The real one thing I miss would have been one or two real world command line examples, so I could make sense of the man page. Thanks very much to everyone for replying, now all I have to do is get sound working, and Starcraft installed, and I'll be happy. :^) Curt- -Original Message- From: FEJF [mailto:[EMAIL PROTECTED] Sent: Thursday, August 23, 2001 14:38 To: Jason Thomas; Curt Howland Cc: 'debian-security@lists.debian.org' Subject: Re: File transfer using ssh Jason Thomas, on Thursday, 23 August 2001 07:29 wrote: scp short answer ;) - but as everybody suggests scp there is one thing i miss: tell Curt Howland where to get a windoze version of scp... ;) http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html fejf On Thu, Aug 23, 2001 at 02:13:47PM +0900, Curt Howland wrote: I've just made the change from a windows to Debian user machine, I've been running a Debian server for years. One of the features of the windows software that I liked was zmodem file transfer over the ssh link. Since changing over to ssh (1.2.3-9.3) from stable for both server and now client, it does not seem to be able to receive or send files through the link. Is there a file transfer method for utilizing ssh? I'm sure ftp could be tunneled, but for security reasons ftp is turned off. Until now, with zmodem, I didn't need it. Thank you for any suggestions, Curt- -- Backups are useful. Most often when you don't have one ;)
Re: File transfer using ssh
hi ya and if you wanna try 'um all out... ( the windoze versions ) http://www.Linux-Consulting.com/Security/ssh.windows.txt ( teraterm and putty works nice and they're free ) c ya alvin On Thu, 23 Aug 2001, FEJF wrote: Jason Thomas, on Thursday, 23 August 2001 07:29 wrote: scp short answer ;) - but as everybody suggests scp there is one thing i miss: tell Curt Howland where to get a windoze version of scp... ;) http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html fejf On Thu, Aug 23, 2001 at 02:13:47PM +0900, Curt Howland wrote: I've just made the change from a windows to Debian user machine, I've been running a Debian server for years. One of the features of the windows software that I liked was zmodem file transfer over the ssh link. Since changing over to ssh (1.2.3-9.3) from stable for both server and now client, it does not seem to be able to receive or send files through the link. Is there a file transfer method for utilizing ssh? I'm sure ftp could be tunneled, but for security reasons ftp is turned off. Until now, with zmodem, I didn't need it. Thank you for any suggestions, Curt- -- Backups are useful. Most often when you don't have one ;)
RE: File transfer using ssh
And it works, too. Thank you very much, everyone. See you later, Curt- -Original Message- From: Craig Dickson [mailto:[EMAIL PROTECTED] Sent: Thursday, August 23, 2001 14:30 To: 'debian-security@lists.debian.org' Subject: Re: File transfer using ssh Curt Howland wrote: Is there a file transfer method for utilizing ssh? It's called 'scp' -- secure cp. You don't even need an ssh session up to use it: scp file [EMAIL PROTECTED]:/path will copy a file to /path on the machine site, using the specified user account. You will be prompted for a password if necessary (if, for instance, you don't have RSA credentials set up). Craig
Re: File transfer using ssh
# copy file to remote machine and connect as current user
scp afile.txt machine.domain:
# copy file to remote machine and connect as specified user
scp afile.txt [EMAIL PROTECTED]:
# copy file from remote machine and connect as current user
scp machine.domain:afile.txt .
# copy file from remote machine and connect as specified user
scp [EMAIL PROTECTED]:afile.txt .

On Thu, Aug 23, 2001 at 02:41:28PM +0900, Curt Howland wrote: Actually, the problem was from Debian to Debian, rather than windows anything. :^) The real one thing I miss would have been one or two real world command line examples, so I could make sense of the man page. Thanks very much to everyone for replying, now all I have to do is get sound working, and Starcraft installed, and I'll be happy. :^) Curt- -Original Message- From: FEJF [mailto:[EMAIL PROTECTED] Sent: Thursday, August 23, 2001 14:38 To: Jason Thomas; Curt Howland Cc: 'debian-security@lists.debian.org' Subject: Re: File transfer using ssh Jason Thomas, on Thursday, 23 August 2001 07:29 wrote: scp short answer ;) - but as everybody suggests scp there is one thing i miss: tell Curt Howland where to get a windoze version of scp... ;) http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html fejf On Thu, Aug 23, 2001 at 02:13:47PM +0900, Curt Howland wrote: I've just made the change from a windows to Debian user machine, I've been running a Debian server for years. One of the features of the windows software that I liked was zmodem file transfer over the ssh link. Since changing over to ssh (1.2.3-9.3) from stable for both server and now client, it does not seem to be able to receive or send files through the link. Is there a file transfer method for utilizing ssh? I'm sure ftp could be tunneled, but for security reasons ftp is turned off. Until now, with zmodem, I didn't need it. Thank you for any suggestions, Curt- -- Backups are useful. Most often when you don't have one ;)

-- Jason Thomas Phone: +61 2 6257 7111 System Administrator - UID 0 Fax:+61 2 6257 7311 tSA Consulting Group Pty. Ltd. Mobile: 0418 29 66 81 1 Hall Street Lyneham ACT 2602 http://www.topic.com.au/
Re: File transfer using ssh
Rob == Rob Helmer [EMAIL PROTECTED] writes:

Rob> Hi Curt, It sounds like you want sftp, which comes with SSHv2 and is a passable FTP clone for SSH ( not quite as advanced as say ncftp, but decent ).

Or in OpenSSH version 2.5 (or thereabouts - I don't remember exactly) and later. The ssh in sid (2.9p2) has it, and I would guess that woody's version should have it too. If you must use potato, though, potato has an sftp package, but this is different from the sftp protocol used by ssh, and you may run into problems when you upgrade your ssh package (and indeed, sid's ssh conflicts with sftp, although sid has an hsftp package which seems to give the same functionality as sftp did).

Rob> Also, you can send individual files to an SSH server with the scp command.

A fourth alternative is to use rsync through an ssh link. A fifth alternative, if you use emacs, is to get the TRAMP package, which is like ange-ftp on steroids. There's a tramp package in sid (and maybe woody), or you can download the source from http://ls6-www.informatik.uni-dortmund.de/~grossjoh/emacs/tramp.html

Rob> One last note : keep in mind that if you decide to tunnel FTP over SSH for some reason ( as some do ), FTP uses two TCP ports, not one : one for control ( commands ) and the other for data.

Unless you use passive mode.

-- Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/ PGP/GnuPG key: 1024D/651854DF71FDA37F Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.
Re: File transfer using ssh
On 22 Aug 2001, Hubert Chan wrote: Rob SSH for some reason ( as some do ), FTP uses two TCP ports, not one Rob : one for control ( commands ) and the other for data. Unless you use passive mode. of course ftp uses two channels in passive mode as well -- [-]
Re: File transfer using ssh
scp will also work for entire directory structures with the -r flag. But please read the manpage and try to understand it before bothering the security list. The SYNOPSIS section should be enough for your most urgent needs ;-) You might also consider the tip posted before to use rsync (rsync -e ssh) to transfer entire directory structures, especially if you want to do regular mirroring of stuff that's 90% identical. Rsync uses a quite sophisticated algorithm to only transfer the stuff that has actually changed. regards Alex -- Every new insight must overcome two hurdles: the prejudice of the experts, and the persistence of ingrained systems of thought. Herophilus
Re: Package: ssh 1:1.2.3-9.3 (stable)
Simon Boulet [EMAIL PROTECTED] writes: Hi, I had some problems today with sshd. Here is what was reported in my log files:

Aug 23 00:23:24 host01 kernel: VM: killing process sshd
Aug 23 00:23:24 host01 kernel: swap_free: swap-space map bad (entry f000)
Aug 23 00:24:23 host01 kernel: VM: killing process sshd
Aug 23 00:24:23 host01 kernel: swap_free: swap-space map bad (entry f000)
Aug 23 00:27:51 host01 kernel: VM: killing process sshd
Aug 23 00:27:51 host01 kernel: swap_free: swap-space map bad (entry f000)
Aug 23 00:28:11 host01 kernel: VM: killing process sshd
Aug 23 00:28:11 host01 kernel: swap_free: swap-space map bad (entry f000)

Looks more like a problem with swap space than with ssh to me. Just happened to hit sshd.

I was just wondering if ssh 1.2.3 was not quite old enough to release the ssh 1:2.5.2p2-3 (testing) package? Anyone can help or has any ideas of what went wrong tonight? Should I upgrade to sshd 2.5.2? Hopefully I have telnet still open and I was able to /etc/init.d/ssh restart and now it seems to work as normal.

Having telnet around kind of defeats the purpose of ssh, not? You su to root on your telnet connection and your root password flies over the wire for all the snoop. Eek!

-- Olaf Meeuwissen Epson Kowa Corporation, Research and Development
Re: File transfer using ssh
- Original Message - From: Jason Thomas [EMAIL PROTECTED] To: Curt Howland [EMAIL PROTECTED] Cc: 'FEJF' [EMAIL PROTECTED]; debian-security@lists.debian.org Sent: Thursday, August 23, 2001 7:54 AM Subject: Re: File transfer using ssh

# copy file to remote machine and connect as current user
scp afile.txt machine.domain:
# copy file to remote machine and connect as specified user
scp afile.txt [EMAIL PROTECTED]:
# copy file from remote machine and connect as current user
scp machine.domain:afile.txt .
# copy file from remote machine and connect as specified user
scp [EMAIL PROTECTED]:afile.txt .

root? root?!?!??? ROOT! Humz.. bad idea, don't ya think? Jaan
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 09:02:35AM +0200, Jaan Sarv wrote: root? root?!?!??? ROOT! first of all, example!! secondly, secure shell protocol, secure! third, sometimes when you're lazy you just have to! Humz.. bad idea, don't ya think? Jaan -- Jason Thomas Phone: +61 2 6257 7111 System Administrator - UID 0 Fax:+61 2 6257 7311 tSA Consulting Group Pty. Ltd. Mobile: 0418 29 66 81 1 Hall Street Lyneham ACT 2602 http://www.topic.com.au/
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 05:08:48PM +1000, Jason Thomas wrote: On Thu, Aug 23, 2001 at 09:02:35AM +0200, Jaan Sarv wrote: root? root?!?!??? ROOT! first of all, example!! secondly, secure shell protocol, secure! That's supposed to be a joke, right? Just because something can be used in a secure manner doesn't mean you can't use it in a more insecure manner. third, sometimes when you're lazy you just have to! You should never be too lazy to log in as a user and su to root. Phil
Re: File transfer using ssh
Philipp Schulte [EMAIL PROTECTED] wrote: You should never be too lazy to log in as a user and su to root. su to root: 8 character password. ssh directly as root: 1024 bit RSA key. Which one is easiest to crack? I don't allow telnet logins as root, but I'm quite happy to allow RSA authenticated root logins with SSH. Plus, su doesn't forward X connections. -- Sam Couter | Internet Engineer | http://www.topic.com.au/ [EMAIL PROTECTED]| tSA Consulting | OpenPGP key ID: DE89C75C, available on key servers OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Re: File transfer using ssh
Philipp Schulte [EMAIL PROTECTED] writes: On Thu, Aug 23, 2001 at 05:08:48PM +1000, Jason Thomas wrote: On Thu, Aug 23, 2001 at 09:02:35AM +0200, Jaan Sarv wrote: root? root?!?!??? ROOT! first of all, example!! secondly, secure shell protocol, secure! That's supposed to be a joke, right? Just because something can be used in a secure manner doesn't mean you can't use it in a more insecure manner. third, sometimes when you're lazy you just have to! You should never be too lazy to log in as a user and su to root. Better yet, stick `PermitRootLogin no' in /etc/ssh/sshd_config. -- Olaf Meeuwissen Epson Kowa Corporation, Research and Development
RE: File transfer using ssh
One point: All the Windows scp clients I've tried so far are password based, and my server allows only RSA key access, so they don't work. As soon as I got ssh working reliably, I turned off passwords, and de-un-selected telnet and ftp servers entirely. So ssh -l root is just as safe as any other way to get into the machine. The sshd_config file, however, has root account disabled. I guess I'm not entirely a sheep, ne? Curt- -Original Message- From: Sam Couter [mailto:[EMAIL PROTECTED] Sent: Thursday, August 23, 2001 17:13 To: debian-security@lists.debian.org Subject: Re: File transfer using ssh Philipp Schulte [EMAIL PROTECTED] wrote: You should never be too lazy to log in as a user and su to root. su to root: 8 character password. ssh directly as root: 1024 bit RSA key. Which one is easiest to crack? I don't allow telnet logins as root, but I'm quite happy to allow RSA authenticated root logins with SSH. Plus, su doesn't forward X connections. -- Sam Couter | Internet Engineer | http://www.topic.com.au/ [EMAIL PROTECTED]| tSA Consulting | OpenPGP key ID: DE89C75C, available on key servers OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Re: File transfer using ssh
Sam Couter [EMAIL PROTECTED] writes: Philipp Schulte [EMAIL PROTECTED] wrote: You should never be too lazy to log in as a user and su to root. su to root: 8 character password. ssh directly as root: 1024 bit RSA key. Eh, ssh in as user and su to root is what Phil is talking about ... Which one is easiest to crack? I don't allow telnet logins as root, but I'm quite happy to allow RSA authenticated root logins with SSH. su to root after ssh'ing and you will have a log entry telling you who su'd to root (assuming you're not tossing authpriv which you shouldn't to begin with) Plus, su doesn't forward X connections. Real sysadmins don't need X to admin! (duck) -- Olaf Meeuwissen Epson Kowa Corporation, Research and Development
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 05:14:19PM +0900, Olaf Meeuwissen wrote: Philipp Schulte [EMAIL PROTECTED] writes: You should never be too lazy to log in as a user and su to root. Better yet, stick `PermitRootLogin no' in /etc/ssh/sshd_config. Sure, I always setup sshd like this. Phil
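Olaf's `PermitRootLogin no` and Curt's keys-only server only hold if the value sshd actually reads says so. The script below is an added example, not code from the thread: it assumes a single sshd_config file without Include directives, and the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Audit the global section of an sshd_config for the two settings argued
# about in this thread. sshd keywords are case-insensitive and the FIRST
# value found for a keyword wins, so a later "PermitRootLogin yes" is inert
# while an earlier one silently overrides a later "no".

# sshd_setting FILE KEYWORD -> prints the effective (lowercased) value, or
# nothing if the keyword is not set before the first Match block.
sshd_setting() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        {
            if (!match($0, /[ \t=]+/)) next
            key = tolower(substr($0, 1, RSTART - 1))
            val = substr($0, RSTART + RLENGTH)
            if (key == "match") exit          # conditional overrides start here
            if (key == want) { print tolower(val); exit }
        }' "$1"
}

# audit_sshd FILE -> one line per keyword; returns 1 if root login or
# password authentication is not explicitly switched off.
audit_sshd() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_setting "$1" "$kw")
        case "$val" in
            no) echo "ok    $kw no" ;;
            "") echo "FAIL  $kw unset (compiled-in default is not 'no')"; rc=1 ;;
            *)  echo "FAIL  $kw $val"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: root login is off, passwords were left on.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sample, not a real host's configuration
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
audit_sshd "$cfg" || echo "policy violations found"
rm -f "$cfg"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check.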
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 06:13:04PM +1000, Sam Couter wrote: Philipp Schulte [EMAIL PROTECTED] wrote: You should never be too lazy to log in as a user and su to root. su to root: 8 character password. ssh directly as root: 1024 bit RSA key. Which one is easiest to crack? I login as a user by RSA authentication and then su to root. I don't allow telnet logins as root, but I'm quite happy to allow RSA authenticated root logins with SSH. Great, and if somebody compromises the machine where the private key for root is stored... Phil
Re: File transfer using ssh
* Curt Howland ([EMAIL PROTECTED]) wrote: One point: All the Windows scp clients I've tried so far are password based, and my server allows only RSA key access, so they don't work. One remark: the cygwin tools include ssh, and do support RSA key access. Also the newer versions of putty include RSA access, and even have a key-gen and agent available. Just my cent. --manu.
Re: File transfer using ssh - poking fun...
hi ya

On 23 Aug 2001, Olaf Meeuwissen wrote: Sam Couter [EMAIL PROTECTED] writes: Philipp Schulte [EMAIL PROTECTED] wrote: Plus, su doesn't forward X connections. Real sysadmins don't need X to admin! (duck)

and certainly don't need webmin either...or any other gui...
==
== its fun to watch them say ... yeah but webmin can do this and that
== and they find out it did it wrong and did it slowly and insecurely...
== point to command line interface ..
== no point for mouse clicks
== and if they have to ask for root passwds...they don't need it...

c ya alvin -- -- http://www.Linux10.org Linux 10th Anniversary Picnic/BBQ --
Re: Ssh + chroot
Anyone having an Idea? Can't see that you got a response to this... you probably need the PAM stuff in the chroot (most likely just /etc/pam.d/ssh, but maybe /etc/pam.conf or other stuff in pam.d). Cheers, Nick -- Nick Phillips -- [EMAIL PROTECTED] You will wish you hadn't.
Re: Ssh + chroot
On Thu, 23 Aug 2001 11:19:58 +0100 Nick Phillips [EMAIL PROTECTED] wrote: Anyone having an Idea? Can't see that you got a response to this... you probably need the PAM stuff in the chroot (most likely just /etc/pam.d/ssh, but maybe /etc/pam.conf or other stuff in pam.d). Cheers, Thanks for this first response... I tried it (cp -r /etc/pam* /home/manu/etc/) but nothing happens, same error: unknown user 1012. Maybe do I need to put some programs corresponding to pam (I'm not very closed to pam use...). Of course it's a pam problem. -- Easter-eggsSpécialiste GNU/Linux 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76 mailto:[EMAIL PROTECTED] -http://www.easter-eggs.com
Re: ssh problem
I've got the opposite problem after jumping up to Testing this week. I found ssh broke when I tried to connect to my masq server, which worked flawlessly when both boxes were Potato. Now, if I try to ssh to the Potato machine from the Woody machine using the hostname, it just sits there. If I use the IP address the connect goes through, and then afterward I can connect using the hostname. So I wonder if the Woody package (or my original guess is the nsswitch is broken) in some way. Of course, Woody isn't ready for primetime yet! - Nate -- Wireless | Amateur Radio Station N0NB | None can love freedom Internet | [EMAIL PROTECTED] | heartily, but good Location | Bremen, Kansas USA EM19ov | men; the rest love not Wichita area exams; ham radio; Linux info @ | freedom, but license. http://www.qsl.net/n0nb/ | -- John Milton
Re: Ssh + chroot
On Thu, 23 Aug 2001 13:26:45 +0200 Michael Wood [EMAIL PROTECTED] wrote: I haven't been following the thread. Do you get the message as soon as you run sshd or just when someone tries to log in?

I get the message when I try to do an scp from local to the chrooted host(as it must run scp in the chroot). But no problem with ssh or sftp.

If you get the error when trying to start sshd, you can try something like this: strace sshd or strace -eopen sshd or strace sshd 2>&1 | less etc. That might give you more of an idea of what sshd can't find.

Thanks!!! It works, strace said me that I need to put /lib/libnss_files.so.2 and /lib/libnss_compat.so.2 Thanks to you Mickael and Nick and ... strace. So now here is the content of my chroot to make ssh,scp,sftp and some other stuff to work. If someone shows something he thinks it's a very bad idea to have it in a chroot, please let me know it. Manu.

./bin ./bin/bash ./bin/cat ./bin/chmod ./bin/cp ./bin/date ./bin/df ./bin/echo ./bin/grep ./bin/gunzip ./bin/gzip ./bin/hostname ./bin/ln ./bin/ls ./bin/mkdir ./bin/mv ./bin/rm ./bin/rmdir ./bin/tar ./bin/touch ./bin/uncompress ./bin/gdb
./lib ./lib/libncurses.so.5 ./lib/libdl.so.2 ./lib/libc.so.6 ./lib/ld-linux.so.2 ./lib/libpam.so.0 ./lib/libwrap.so.0 ./lib/libnsl.so.1 ./lib/libutil.so.1 ./lib/libcrypt.so.1 ./lib/libncurses.so.4 ./lib/libm.so.6 ./lib/libnss_files.so.2 ./lib/libnss_compat.so.2
./usr ./usr/bin ./usr/bin/bzip2 ./usr/bin/emacs ./usr/bin/zip ./usr/bin/unzip ./usr/bin/zile ./usr/bin/scp ./usr/bin/psql
./usr/lib ./usr/lib/libbz2.so.0 ./usr/lib/sftp-server ./usr/lib/libz.so.1 ./usr/lib/libcrypto.so.0.9.5 ./usr/lib/menu ./usr/lib/menu/zile ./usr/lib/postgresql ./usr/lib/postgresql/bin ./usr/lib/postgresql/bin/psql ./usr/lib/libpq.so.2 ./usr/lib/libpq.so.2.0 ./usr/lib/libpq.so.2.1
./usr/share ./usr/share/zile ./usr/share/zile/HELP ./usr/share/zile/FAQ ./usr/share/zile/LATEST_VERSION ./usr/share/zile/HELPWIN ./usr/share/zile/TUTORIAL ./usr/share/zile/AUTODOC
./etc ./etc/nsswitch.conf ./etc/terminfo ./etc/terminfo/a ./etc/terminfo/a/ansi ./etc/terminfo/d ./etc/terminfo/d/dumb ./etc/terminfo/l ./etc/terminfo/l/linux ./etc/terminfo/r ./etc/terminfo/r/rxvt-m ./etc/terminfo/r/rxvt ./etc/terminfo/s ./etc/terminfo/s/screen ./etc/terminfo/s/screen-w ./etc/terminfo/s/sun ./etc/terminfo/v ./etc/terminfo/v/vt100 ./etc/terminfo/v/vt102 ./etc/terminfo/v/vt220 ./etc/terminfo/v/vt52 ./etc/terminfo/x ./etc/terminfo/x/xterm ./etc/terminfo/x/xterm-xfree86 ./etc/terminfo/x/xterm-debian ./etc/terminfo/x/xterm-basic ./etc/terminfo/x/xterm-mono ./etc/terminfo/x/xterm-r5 ./etc/terminfo/x/xterm-color ./etc/terminfo/x/xterm-r6 ./etc/terminfo/x/xterm-vt220 ./etc/terminfo/m ./etc/terminfo/m/mach-bold ./etc/terminfo/m/mach ./etc/terminfo/m/mach-color ./etc/terminfo/p ./etc/terminfo/p/pcansi ./etc/passwd

-- Easter-eggsSpécialiste GNU/Linux 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76 mailto:[EMAIL PROTECTED] -http://www.easter-eggs.com
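The "unknown user 1012" failure above needed strace because glibc loads its name-service modules with dlopen() at run time, so ldd on scp or bash never lists them. The following is an added example, not code from the thread: a pre-flight check that reads the chroot's own etc/nsswitch.conf and reports missing libnss_*.so.2 modules and unresolvable UIDs. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for an ssh/scp chroot: which NSS modules does the chroot's
# nsswitch.conf ask for, and are they present under the chroot?

# nss_services CHROOT DB -> prints the services nsswitch.conf lists for DB
# (e.g. "compat files"), skipping action items such as [NOTFOUND=return].
nss_services() {
    conf="$1/etc/nsswitch.conf"
    [ -r "$conf" ] || return 1
    sed -e 's/#.*//' "$conf" | awk -v db="$2:" '
        $1 == db {
            for (i = 2; i <= NF; i++)
                if ($i !~ /^\[/) printf "%s ", $i
            print ""
        }'
}

# missing_nss_modules CHROOT -> one missing path per line for the passwd and
# group databases; prints nothing when the chroot is complete.
missing_nss_modules() {
    root="$1"
    if [ ! -r "$root/etc/nsswitch.conf" ]; then
        echo "etc/nsswitch.conf"
        return 0
    fi
    for db in passwd group; do
        for svc in $(nss_services "$root" "$db"); do
            found=no
            for dir in lib lib64 usr/lib; do
                if [ -e "$root/$dir/libnss_$svc.so.2" ]; then found=yes; fi
            done
            [ "$found" = yes ] || echo "lib/libnss_$svc.so.2"
        done
    done | sort -u
}

# uid_resolvable CHROOT UID -> success if the chroot's own etc/passwd has an
# entry for UID (the host's /etc/passwd is not visible after chroot()).
uid_resolvable() {
    [ -r "$1/etc/passwd" ] || return 1
    awk -F: -v uid="$2" '$3 == uid { ok = 1 } END { exit ok ? 0 : 1 }' "$1/etc/passwd"
}

# Constructed sample tree reproducing the thread's situation: the files
# module is present, the compat module and the user's passwd entry are not.
build_sample_chroot() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/lib"
    printf 'passwd: compat\ngroup:  compat files  # constructed\nhosts:  files dns\n' \
        > "$d/etc/nsswitch.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/etc/passwd"
    : > "$d/lib/libnss_files.so.2"
    echo "$d"
}

sample=$(build_sample_chroot)
echo "missing NSS modules:"
missing_nss_modules "$sample"
if uid_resolvable "$sample" 1012; then
    echo "uid 1012 resolves inside the chroot"
else
    echo "uid 1012 has no entry in the chroot's etc/passwd"
fi
rm -rf "$sample"
```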
Running root commands by http
Hi, I want to get some opinions on doing this:

Making someone to be able to create unix users by an http method (from an http browser). Making someone to be able to restart a daemon under the identity of root from http.

I think about some methods: Running a cgi or system() under php +
-use super to run the program
-making the programs needed setuid root (bhh)
-Sending a mail to the root containing specials header. A cron will inspect the root mailbox and execute commands as root, or a procmailrc?
-Another idea more secure??

Thanks. Manu. -- Easter-eggsSpécialiste GNU/Linux 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76 mailto:[EMAIL PROTECTED] -http://www.easter-eggs.com
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 06:13:04PM +1000, Sam Couter wrote: Philipp Schulte [EMAIL PROTECTED] wrote: You should never be too lazy to log in as a user and su to root. su to root: 8 character password. ssh directly as root: 1024 bit RSA key. Which one is easiest to crack? ssh try sshmitm in dsniff package ... :-)) key exchanging is not make it in a secure manner it's always better ssh and then su ( even if it's broken when your session is being logged with man in the middle attack ) because you can see in your logs which one became root ciao Samuele -- Samuele Tonon [EMAIL PROTECTED] Undergraduate Student of Computer Science at University of Bologna, Italy System administrator at Computer Science Lab's, University of Bologna, Italy Founder Member of A.A.H.T. UIN 3155609 Acid -- better living through chemistry. Timothy Leary
Re: Running root commands by http
Hi, U could use sudo ? Excerpt from http://www.courtesan.com/sudo/ --- Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments. --- and run it with a cgi or php or whatever. Hth On Thu, Aug 23, 2001 at 02:58:23PM +0200, Emmanuel Lacour wrote: Hi, I wan't to get some opinions on doing this: Making someone to be able to create unix users by an http method (from an http browser). Making someone to be able to restart a daemon under the identity of root from http. I think about some methods: Running a cgi or system() under php + -use super to run the program -making the programs needed setuid root (bhh) -Sending a mail to the root containing specials header. A cron will inspect the root mailbox and execute commands as root, or a procmailrc? -Another idea more secure?? Thanks. Manu. -- Easter-eggsSpécialiste GNU/Linux 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76 mailto:[EMAIL PROTECTED] -http://www.easter-eggs.com -- |_ | Jean Baptiste Lallement / / ZENI Corporationhttp://zeni.fr |___| Tel: 0 803 003 111
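A sketch of the sudo approach suggested above, added here as an example and not taken from the thread: the web server user may run exactly one root-owned helper, and the helper maps a small allowlist of requests onto fixed command lines, so the CGI never hands free-form text to root. The helper path, the sudoers line and the useradd options are assumptions.

```shell
#!/bin/sh
# Hypothetical root-owned helper, e.g. /usr/local/sbin/webadmin-helper,
# mode 0755, not writable by the web server user.
#
# Assumed sudoers entry (edit with visudo):
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/webadmin-helper
# The CGI then runs:  sudo -n /usr/local/sbin/webadmin-helper ACTION ARG
# sudo logs the command and its arguments; the helper decides what they may be.

LC_ALL=C; export LC_ALL      # make [a-z] mean ASCII lowercase only

# valid_username NAME -> success for a lowercase letter followed by
# lowercase letters, digits, '_' or '-', at most 32 characters in total.
valid_username() {
    case "$1" in
        ""|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# run CMD ARGS... -> execute the fixed argv, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# handle_request ACTION ARG -> 0 on success, 1 if refused, 2 on bad usage.
# Commands are given by absolute path and never passed through a shell.
handle_request() {
    [ "$#" -eq 2 ] || return 2
    case "$1" in
        adduser)
            valid_username "$2" || return 1
            run /usr/sbin/useradd -m -s /bin/false -- "$2" ;;
        restart)
            case "$2" in
                postfix) run /etc/init.d/postfix restart ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Demo over constructed requests in dry-run mode. A deployed helper would
# end with:  handle_request "$@"
DRY_RUN=1
for req in "adduser alice" "adduser Alice" "adduser alice;id" \
           "restart postfix" "restart sshd" "shell now"; do
    set -- $req              # word-split the constructed sample only
    if out=$(handle_request "$@"); then
        echo "accept: $out"
    else
        echo "reject: $req"
    fi
done
```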
Re: Running root commands by http
Do u know webmin? http://webadmin.sourceforge.net/webmin/ Eric On Thu, 23 Aug 2001, Jean Baptiste Lallement wrote: Hi, U could use sudo ? Excerpt from http://www.courtesan.com/sudo/ --- Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments. --- and run it with a cgi or php or whatever. Hth On Thu, Aug 23, 2001 at 02:58:23PM +0200, Emmanuel Lacour wrote: Hi, I want to get some opinions on doing this: Making someone to be able to create unix users by an http method (from an http browser). Making someone to be able to restart a daemon under the identity of root from http. I think about some methods: Running a cgi or system() under php + -use super to run the program -making the programs needed setuid root (bhh) -Sending a mail to the root containing specials header. A cron will inspect the root mailbox and execute commands as root, or a procmailrc? -Another idea more secure?? Thanks. Manu. -- Easter-eggsSpécialiste GNU/Linux 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76 mailto:[EMAIL PROTECTED] -http://www.easter-eggs.com -- |_ | Jean Baptiste Lallement / / ZENI Corporationhttp://zeni.fr |___| Tel: 0 803 003 111
Re: Running root commands by http
On Thu, 23 Aug 2001 09:46:52 -0400 (EDT) Eric LeBlanc [EMAIL PROTECTED] wrote: Do u know webmin? http://webadmin.sourceforge.net/webmin/ Of course, but I think it's not necessary to use an as big program for this purpose. -- Easter-eggsSpécialiste GNU/Linux 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76 mailto:[EMAIL PROTECTED] -http://www.easter-eggs.com
Re: Running root commands by http
On Thu, 23 Aug 2001 15:21:32 +0200 Jean Baptiste Lallement [EMAIL PROTECTED] wrote: Hi, U could use sudo ? Excerpt from http://www.courtesan.com/sudo/ --- Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments. Thanks, and what about sudo vs. super?? -- Easter-eggsSpécialiste GNU/Linux 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76 mailto:[EMAIL PROTECTED] -http://www.easter-eggs.com
Re: Running root commands by http
On Thu, Aug 23, 2001 at 02:58:23PM +0200, Emmanuel Lacour wrote: Hi, I want to get some opinions on doing this: Making someone to be able to create unix users by an http method (from an http browser). Making someone to be able to restart a daemon under the identity of root from http. I think about some methods: Running a cgi or system() under php + -use super to run the program -making the programs needed setuid root (bhh) -Sending a mail to the root containing specials header. A cron will inspect the root mailbox and execute commands as root, or a procmailrc? -Another idea more secure??

Sounds like you're getting into doing normal remote admin of a box. But why over HTTP ? If you have network connectivity to it, ssh should do the job (ssh in as yourself and su/sudo to root?). If you can get to via HTTP (e.g. you're behind some company firewall?), then httptunnel might help. YMMV. But if you can get SSH over HTTP running, you should be able to use all the existing tools. Better than writing new tools from scratch...

Failing everything else, you *could* use the email method. I guess that some (big?) procmail recipe should be able to call a script that:
- de-crypts the mail and verifies that it is *your* signature (you weren't going to do things in plaintext, were you?)
- executes any command
- sends stdout/stderr back (encrypted again of course).
But doing this for interactive commands would be difficult...

<tangent>TCP/IP over email anyone?</tangent>

-- Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot Henrique Holschuh
Re: Running root commands by http
On Thu, Aug 23, 2001 at 04:08:09PM +0200, Emmanuel Lacour wrote: Thanks, and what about sudo vs. super?? Super is different from sudo in that super's configuration file lists commands then the users that can run them while sudo's lists users then the commands that they can do -- |_ | Jean Baptiste Lallement / / ZENI Corporationhttp://zeni.fr |___| Tel: 0 803 003 111
Re: Running root commands by http
On Thu, 23 Aug 2001 15:21:23 +0100 Karl E. Jorgensen [EMAIL PROTECTED] wrote: Sounds like you're getting into doing normal remote admin of a box. But why over HTTP ? If you have network connectivity to it, ssh should do the job (ssh in as yourself and su/sudo to root?). If you can get to via HTTP (e.g. you're behind some company firewall?), then httptunnel might help. YMMV. But if you can get SSH over HTTP running, you should be able to use all the existing tools. Better than writing new tools from scratch... Of course I prefer ssh!!! But that's not for me... Failing everything else, you *could* use the email method. I guess that some (big?) procmail recipe should be able to call a script that: - de-crypts the mail and verifies that it is *your* signature (you weren't going to do things in plaintext, were you?) - executes any command - sends stdout/stderr back (encrypted again of course). But doing this for interactive commands would be difficult... <tangent>TCP/IP over email anyone?</tangent> Yes, that's not easy, but as it's on the same machine, maybe is it not really necessary to encrypt as theoretically there's no people connecting to this computer. To be more explicit, it's on a mail relay in a dmz which need to become if there's a very big problem on the internal mail server, THE smtp/pop server for this domain, for a few mails accounts. So the admin need to be able to create some accounts, delete them, and switch between two configs of postfix. That's all -- Easter-eggsSpécialiste GNU/Linux 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76 mailto:[EMAIL PROTECTED] -http://www.easter-eggs.com
Re: Running root commands by http
On Thu, Aug 23, 2001 at 03:21:23PM +0100, Karl E. Jorgensen wrote:
> Sounds like you're getting into doing normal remote admin of a box. But why over HTTP ? If you have network connectivity to it, ssh should do the job (ssh in as yourself and su/sudo to root?). If you can get to via HTTP (e.g. you're behind some company firewall?), then httptunnel might help. YMMV. But if you can get SSH over HTTP running, you should be able to use all the existing tools. Better than writing new tools from scratch...

Another possibility would be to install the Mindterm java applet. It will let you ssh into a host from any web browser. Once they're logged in, you can let them do admin stuff with setuid programs, or sudo, or something of that nature.

--
Steven Barker [EMAIL PROTECTED]
When you're dining out and you suspect something's wrong, you're probably right.
PGP Key Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Get it at http://www.students.uiuc.edu~/scbarker/pubkey.asc
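Added example, not part of Steven's message or any project's code: one way to keep the sudo route mentioned above narrow for the tasks described in this thread (create accounts, delete them, switch between two postfix configs). The wrapper path, the mailadmin user, the profile names and the main.cf symlink layout are all assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper /usr/local/sbin/mailrelay-admin, meant to be the only
# command a sudoers rule grants, e.g. (assumed user name and path):
#   mailadmin ALL = (root) /usr/local/sbin/mailrelay-admin
# A sudoers entry that lists no arguments lets the caller pass any arguments,
# so the wrapper itself is where they have to be validated.
LC_ALL=C; export LC_ALL            # make [a-z] mean ASCII letters only

# Account names: lower-case letter first, then [a-z0-9_-], at most 32 chars.
# This also rejects option-like values ("-o") and shell metacharacters.
valid_account() {
    [ "${#1}" -le 32 ] || return 1
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
}

# RUNNER is empty in normal use; set RUNNER=echo for a dry run that only
# prints the commands. Exit status 64 means "bad usage".
admin_dispatch() {
    case $1 in
        add)    valid_account "$2" || return 64
                $RUNNER useradd -m -s /bin/false "$2" ;;
        del)    valid_account "$2" || return 64
                $RUNNER userdel -r "$2" ;;
        switch) case $2 in
                    relay|standalone) ;;   # assumed profile names
                    *) return 64 ;;
                esac
                # assumed layout: main.cf is a symlink to main.cf.<profile>
                $RUNNER ln -sfn "main.cf.$2" /etc/postfix/main.cf &&
                $RUNNER postfix reload ;;
        *)      return 64 ;;
    esac
}

# Only act when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then admin_dispatch "$@"; fi
```

Anything outside the three subcommands, or any argument that fails validation, is refused before a privileged command is built.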
Re: Running root commands by http
Emmanuel Lacour ([EMAIL PROTECTED]) said:
> To be more explicit, it's on a mail relay in a DMZ which needs to become, if there's a very big problem on the internal mail server, THE smtp/pop server for this domain, for a few mail accounts. So the admin needs to be able to create some accounts, delete them, and switch between two configs of postfix. That's all

The reason the web based solution to this is not forthcoming is that this is not a web problem. The real solution is to hire trustworthy admins capable of learning the right way to admin their systems.

I'm not trying to be a bastard, but since you asked this question on a security list I'm giving you the solution to this problem that is the most professional and secure. Take the time you would have invested in programming this tool and simply document how to do these tasks with the tools already provided. Take the money you will save in doing this and buy some O'Reilly books for your team.

Smart admins with an understanding of how systems really work will always be more valuable than untrusted admins with idiot proof tools.

Just my $.02.

/paul
Re: File transfer using ssh
Yeah.. try using scp. It should come along with ssh.

At 02:13 PM 8/23/2001 +0900, Curt Howland wrote:
> I've just made the change from a windows to Debian user machine, I've been running a Debian server for years.
>
> One of the features of the windows software that I liked was zmodem file transfer over the ssh link. Since changing over to ssh (1.2.3-9.3) from stable for both server and now client, it does not seem to be able to receive or send files through the link.
>
> Is there a file transfer method for utilizing ssh? I'm sure ftp could be tunneled, but for security reasons ftp is turned off. Until now, with zmodem, I didn't need it.
>
> Thank you for any suggestions,
>
> Curt-

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
Re: File transfer using ssh
>>>>> "Alexander" == Alexander List [EMAIL PROTECTED] writes:

Alexander> You might also consider the tip posted before to use rsync
Alexander> (rsync -e ssh) to transfer entire directory structures,

or, since ssh will read from stdin, you can alter the old tar|tar trick to copy a directory tree:

here$ cd srcdir
here$ tar cf - . | ssh there 'cd dstdir; tar xf -'

--
joe
Re: File transfer using ssh
On Thu, Aug 23, 2001 at 08:18:58AM -1000, Joseph Dane wrote:
> >>>>> "Alexander" == Alexander List [EMAIL PROTECTED] writes:
>
> Alexander> You might also consider the tip posted before to use rsync
> Alexander> (rsync -e ssh) to transfer entire directory structures,
>
> or, since ssh will read from stdin, you can alter the old tar|tar trick to copy a directory tree:
>
> here$ cd srcdir
> here$ tar cf - . | ssh there 'cd dstdir; tar xf -'

or even

here$ tar cf - . | ssh there tar xCf dstdir -

--
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd.                 | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]       | -- Patton
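Added example, not part of any message in this thread: the pipelines posted above behave differently when dstdir does not exist on the receiving side. So that it runs offline, a local "sh -c" started in a scratch directory stands in for "ssh there" (an assumption), and all paths and file names are constructed.

```shell
#!/bin/sh
# remote_sh CMD: stand-in for "ssh there CMD" (assumption). Like a remote
# login, it runs CMD through a shell that starts in a "home" directory.
remote_sh() { ( cd "$REMOTE_HOME" && sh -c "$1" ); }

# Pack the tree under $1 onto stdout, as in the thread.
pack() { ( cd "$1" && tar cf - . ); }

# Variant 1, as posted: with ';' tar still runs when cd fails.
copy_semicolon() { pack "$1" | remote_sh "cd '$2'; tar xf -"; }
# Variant 2: with '&&' tar runs only after a successful cd.
copy_and()       { pack "$1" | remote_sh "cd '$2' && tar xf -"; }
# Variant 3, as posted: tar changes directory itself (C option).
copy_tar_c()     { pack "$1" | remote_sh "tar xCf '$2' -"; }

# Run one variant against a destination that does not exist and report
# whether the payload ended up in the home directory instead.
try_variant() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src" "$work/home"
    echo payload > "$work/src/file.txt"          # constructed sample file
    REMOTE_HOME=$work/home
    "$1" "$work/src" no-such-dir 2>/dev/null || :
    if [ -e "$work/home/file.txt" ]; then result=spilled; else result=clean; fi
    rm -rf "$work"
    echo "$result"
}

for v in copy_semicolon copy_and copy_tar_c; do
    printf '%-15s %s\n' "$v" "$(try_variant "$v")"
done
```

With ';' the archive is unpacked into the login directory when cd fails, overwriting same-named files there; '&&' and tar's own C option (GNU tar treats a failed directory change as fatal) leave it untouched.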
UP2DATE
Hello people,

I have a little question, I saw many Debian users get their system up2date using apt-get. But their versions of the applications are _the_ latest one, when I look at my system I seem to have, up2date, but older versions.

Could anyone tell me what I can change to get the latest versions ? And what do I need to change in /etc/apt/sources.list in the security line.

Thanks in advance,

A. de Slager.
Re: UP2DATE
=?x-user-defined?Q?--=3D=5B_..::_V=EDr=F9=A7_::.._=5D=3D--?= [EMAIL PROTECTED] writes:

Hmm, can't say I'm overly fond of your email address, but ...

> I saw many Debian users get their system up2date using apt-get. But their versions of the applications are _the_ latest one, when I look at my system I seem to have, up2date, but older versions.

Those folks are running unstable/testing. If you don't know how to get that in your sources.list, it's probably not for you.

> Could anyone tell me what I can change to get the latest versions ?

For a purist setup:

deb http://security.debian.org stable/updates main
deb http://<your debian mirror here>/debian stable main
deb http://<your debian-non-US mirror here>/debian-non-US stable non-US/main
#deb http://<your debian mirror here>/debian testing main
#deb http://<your debian-non-US mirror here>/debian-non-US testing non-US/main
#deb http://<your debian mirror here>/debian unstable main
#deb http://<your debian-non-US mirror here>/debian-non-US unstable non-US/main

Where I've commented out testing and unstable so you don't shoot yourself in the foot unless you uncomment them. Feel free to add contrib, non-free, non-US/contrib and/or non-US/non-free as you see fit.

> And what do I need to change in /etc/apt/sources.list in the security line.

See above, first line of sources.list, covers non-US/main too.

--
Olaf Meeuwissen
Epson Kowa Corporation, Research and Development
Re: Logcheck+PortSentry
Stefan Srdic wrote:
> I've just installed PortSentry (from unstable for kernel 2.4 support) and Logcheck (from testing) onto my Woody box. I have PortSentry configured to use the Netfilter logging and limit options to properly log port scan attempts from hostile hosts.
>
> Do any of you know how I can configure LogCheck to e-mail port scan attempts logged by PortSentry and Netfilter to a trusted user?

Edit /etc/logcheck/logcheck.logfiles .

--
Oohara Yuuma [EMAIL PROTECTED]
Graduate-school of Science, Kyoto University
PGP Key http://www.interq.or.jp/libra/oohara/pub-key.txt
Key fingerprint = 6142 8D07 9C5B 159B C170 1F4A 40D6 F42E F464 A695

I always put away what I take.
--- Ryuji Akai, Star a way