Re: [ OT ] local packages vs official packages
On 27-Aug-01, 17:25 (CDT), Samu [EMAIL PROTECTED] wrote:
> hi, this is just a curiosity, i think is not so security related,
> anyway...

So it should be on the debian-user list.

> if i made a package by my self, or from deb sources, of a package that
> already exist on to the debian db, and my local package is called as
> the official one, when i run then dselect or apt, they overwrite my
> local pkg for the official one. i have to explicitly hold the local
> package to not to have overwritten. why ? they aren't checked only for
> the version number ?

It shouldn't be upgrading if your version # (including the revision) is
higher than that in the archive. My guess is that a new revision is
showing up in the archive and thus being upgraded. The best way to
prevent this is to use 'epochs' -- set your version to something like
3:1,2-1 in the changelog.

Steve

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Crypto
John DOE [EMAIL PROTECTED] wrote:
> Hello everybody,
> I want to have some information about what kind of cryptological
> benefits does my linux server offer to me. I searched linuxdoc.org but
> could not find a howto about linux cryptology. Could you please guide
> me to a web site or to a documentation site where I can start from the
> novice level and go up to the guru level ?

Take a look at http://www.kerneli.org

HTH
Martin

P.S.: It would be kind of you if you educate your mail user agent to
start a new line after 72 characters.

-- 
[EMAIL PROTECTED]
innominate AG http://www.innominate.com
tel: +49.30.308806-0 fax: -77 gpg: http://innominate.org/gpg/mpe.gpg

Re: Crypto
John DOE [EMAIL PROTECTED] writes:
> Hello everybody,
> I want to have some information about what kind of cryptological
> benefits does my linux server offer to me. I searched linuxdoc.org but
> could not find a howto about linux cryptology. Could you please guide
> me to a web site or to a documentation site where I can start from the
> novice level and go up to the guru level ?

First, do you mean cryptography or cryptology? According to the handy
web dictionaries, cryptology is the study of cryptography or
cryptanalysis. So, as you implement cryptography on your machine, you
can study cryptology to really get a grasp of how it works and what the
limitations are. :)

Really, though there are all kinds of resources for cryptography on the
web. You might try searching Linux cryptography on the web. Also, I
believe there is a link to a non-US site on www.kernel.org that has
kernel specific cryptography information. And last, I recall that the
PGP documentation had a very good introduction to cryptography.

HTH,
Brian

Re: Linux LDAP problem
On Tue, Aug 28, 2001 at 09:23:47AM -0400, Sunny Dubey wrote:
> Hey,
>
> I've got a slight problem, at school we run two major networks, one
> half is Novell Netware based, and the other half is unix based. We
> basically one centralized system of authentication, so that user don't
> have to remember two different passwords to use either system.
>
> We been trying to get linux to use ldap to authenticate with the novell
> ldap server, and have had no luck. We know the novell ldap server is
> fine, however something seems fishy with the linux side.
>
> The problem is that when using the PAM_LDAP modules, is that when a
> user tries to login, they are asked for a password twice, once the
> normal password, and the second one being the ldap based password.
> However, even if you type in the correct passwords, LDAP says
> permission denied, or authentication failed. What makes it really odd
> is how at the same time the novell netware server states it has seen
> the authenticated user, and even gives it an OK to login.
>
> Anyone have any clue as to how to make it work? Are there any docs
> about getting Netware+linux+ldap to work?
>
> thanks for any info that you might pass along. have a nice day.

I think your problem is in your pam module configuration, I use
something like that for auth:

---
auth required   pam_nologin.so
auth sufficient pam_unix.so
auth required   pam_ldap.so use_first_pass
---

With this setup the user is only asked once; if 'pam_unix' succeeds the
user is authorized and if it fails 'pam_ldap' tries to authenticate
using the same password entered.

Hope this helps.

-- 
Sergio Talens-Oliag [EMAIL PROTECTED]
Key fingerprint = 29DF 544F 1BD9 548C 8F15 86EF 6770 052B B8C1 FA69

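Added example, not part of the original message: a simplified Python model of how Linux-PAM walks the auth stack quoted in the reply above, showing why `use_first_pass` gives a single prompt and what the `sufficient`/`required` flags decide. The user names, passwords and the `authenticate` helper are constructed for illustration; only the three stack lines come from the message.

```python
from dataclasses import dataclass

# The auth stack as posted in the reply (control flags and modules unchanged).
PAGE_STACK = """\
auth required   pam_nologin.so
auth sufficient pam_unix.so
auth required   pam_ldap.so use_first_pass
"""

# Constructed sample account databases (assumptions, not from the thread).
LOCAL_DB = {"root": "local-secret", "operator": "op-secret"}
LDAP_DB = {"student1": "directory-secret"}


@dataclass(frozen=True)
class Rule:
    control: str
    module: str
    args: tuple


def parse_auth_stack(text):
    """Parse 'auth <control> <module> [args...]' lines, skipping comments."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            rules.append(Rule(fields[1], fields[2], tuple(fields[3:])))
    return rules


def authenticate(rules, user, typed, local_db, ldap_db, nologin=False):
    """Model one PAM auth pass; returns (granted, number_of_password_prompts).

    `typed` lists the passwords the user would enter, in prompt order.
    `nologin` stands for the presence of /etc/nologin.
    """
    prompts, authtok = 0, None          # authtok: password cached by an earlier module
    required_failed = succeeded = False

    def prompt():
        nonlocal prompts
        prompts += 1
        return typed[prompts - 1] if prompts <= len(typed) else ""

    for rule in rules:
        if rule.module == "pam_nologin.so":
            ok = user == "root" or not nologin
        elif rule.module == "pam_unix.so":
            authtok = prompt()                      # first module always asks
            ok = local_db.get(user) == authtok
        elif rule.module == "pam_ldap.so":
            # use_first_pass: reuse the cached password and never prompt again.
            password = authtok if "use_first_pass" in rule.args else prompt()
            ok = password is not None and ldap_db.get(user) == password
        else:
            raise ValueError("module not modelled: " + rule.module)

        if rule.control == "sufficient":
            # Success ends the stack at once unless a 'required' module already failed;
            # failure of a 'sufficient' module is ignored.
            if ok and not required_failed:
                return True, prompts
        elif rule.control == "requisite":
            if not ok:
                return False, prompts
            succeeded = True
        elif rule.control == "required":
            # Failure is remembered but the rest of the stack still runs.
            if ok:
                succeeded = True
            else:
                required_failed = True
        elif rule.control != "optional":
            raise ValueError("unknown control flag: " + rule.control)

    return (succeeded and not required_failed), prompts


if __name__ == "__main__":
    stack = parse_auth_stack(PAGE_STACK)
    for who, pw in (("root", "local-secret"), ("student1", "directory-secret"),
                    ("student1", "wrong")):
        print(who, authenticate(stack, who, [pw], LOCAL_DB, LDAP_DB))
```

Dropping `use_first_pass` from the last line of the stack makes the model prompt twice for a directory user, which is the double prompt described in the question.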
Sniffing SSH and HTTPS
Hi all...

I have a small question. I found on SF a small tool, which may sniff
SSH and HTTPS (not tested).

The Url is : http://ettercap.sourceforge.net/

Is it possible? Are SSH and HTTPS connections unsecure and how do we
make it secure then?

Greetings
Jan

-- 
One time, you all will be emulated by linux!

Jan-Hendrik Palic
Url: http://www.billgotchy.de; E-Mail: [EMAIL PROTECTED]

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCS d- s: a-- C++ UL++ P+++ L+++ E W++ N+ o+ K- w--- O- M- V- PS++ PE Y+ PGP++ t--- 5- X+++ R-- tv- b++ DI-- D+++ G+++ e+++ h+ r++ z+
--END GEEK CODE BLOCK--

Re: Sniffing SSH and HTTPS
Jan-Hendrik Palic writes:
> http://ettercap.sourceforge.net/
> Is it possible? Are SSH and HTTPS connections unsecure and how do we
> make it secure then?

old ssh protocol v1.5 IS a security hole, you can sniff it. I don't know
any vulnerability for the last OpenSSH_2.9p2 or OpenSSH_2.5.2p2 (which
is last in debian security's updates) ... for the moment. Remember
there is no 100% secure software.

Don't know for https, but that's not a surprise then.

-- 
Davy Gigan
System  Network Administration
University Of Caen (France)

Secure Network Filesystem
Hi there folks

I'm planning a modification in the network of my department here. We
have a pretty standard lay-out with a DMZ and a screened subnet
firewalling schema (two firewalls, one from outside to our DMZ and
other from the DMZ to our Intranet). The point is: we are with new
requirements of sharing some filesystems across the network (Intranet
and DMZ).

I would like to know from you what is suggested in terms of use X
security. I really would not like to use NFS. Any clues? Coda?

Thanks in advance

-- 
:wq
-- 
Sellaro
Network Management Dept.
Lantech Mobile

Re: Sniffing SSH and HTTPS
Hi ..

On Tue, Aug 28, 2001 at 06:44:59PM +0200, Davy Gigan wrote:
> Jan-Hendrik Palic writes:
> > http://ettercap.sourceforge.net/
> > Is it possible? Are SSH and HTTPS connections unsecure and how do we
> > make it secure then?
>
> old ssh protocol v1.5 IS a security hole, you can sniff it. I don't
> know any vulnerability for the last OpenSSH_2.9p2 or OpenSSH_2.5.2p2
> (which is last in debian security's updates) ... for the moment.
> Remember there is no 100% secure software.

That's true.

> Don't know for https, but that's not a surprise then.

Why?

Greetings
Jan

-- 
One time, you all will be emulated by linux!

Jan-Hendrik Palic
Url: http://www.billgotchy.de; E-Mail: [EMAIL PROTECTED]

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCS d- s: a-- C++ UL++ P+++ L+++ E W++ N+ o+ K- w--- O- M- V- PS++ PE Y+ PGP++ t--- 5- X+++ R-- tv- b++ DI-- D+++ G+++ e+++ h+ r++ z+
--END GEEK CODE BLOCK--

Re: Secure Network Filesystem
(2001-08-28) Alisson Sellaro sed :
| Hi there folks
|
| I'm planning a modification in the network of my department
| here. We have a pretty standard lay-out with a DMZ and a
| screened subnet firewalling schema (two firewalls, one from
| outside to our DMZ and other from the DMZ to our Intranet). The
| point is: we are with new requirements of sharing some
| filesystems across the network (Intranet and DMZ).
|
| I would like to know from you what is suggested in terms of use
| X security. I really would not like to use NFS. Any clues? Coda?
|
| Thanks in advance

If you just want to just crypt the traffic, you can use tcfs, which is
client side oriented, and that you use over NFS.

Otherwise, you can do a VPN, with 2 or more box you buy, put between
the clients and the server. I don't have any name in minds, but I think
you can find things like this in blackbox...

Last but not the least, you can build a vpn using linux boxes and
ipsec, using freeS/WAN (http://www.freeswan.org). That works fine.

-- 
VALLIET Emmanuel ! http://www.webmotion.com
Webmotion Inc.   ! mailto:[EMAIL PROTECTED]
I like cats, but I don't think I could eat a whole one.

Re: Secure Network Filesystem
hi ya alisson

for secure NFS stuff..
( dont have any experience in its security/comfort level )

  http://www.Linux-Sec.net/services.gwif.html
  ( go to the bottom of the page )

have fun
alvin

On Tue, 28 Aug 2001, Alisson Sellaro wrote:
> Hi there folks
>
> I'm planning a modification in the network of my department here. We
> have a pretty standard lay-out with a DMZ and a screened subnet
> firewalling schema (two firewalls, one from outside to our DMZ and
> other from the DMZ to our Intranet). The point is: we are with new
> requirements of sharing some filesystems across the network (Intranet
> and DMZ).
>
> I would like to know from you what is suggested in terms of use X
> security. I really would not like to use NFS. Any clues? Coda?
>
> Thanks in advance

Re: Sniffing SSH and HTTPS
hi ya

and for the list of the rest of the sniffers to check out...

  http://www.Linux-Sec.net/Sniffer

one of the boxes i had over the past 3 years was sniffed ... probably
ssh-1.x series ... just didnt know how they did it 3 yrs ago - no
damage done ... but a good trick...

have fun
alvin

On Tue, 28 Aug 2001, Davy Gigan wrote:
> Jan-Hendrik Palic writes:
> > http://ettercap.sourceforge.net/
> > Is it possible? Are SSH and HTTPS connections unsecure and how do we
> > make it secure then?
>
> old ssh protocol v1.5 IS a security hole, you can sniff it. I don't
> know any vulnerability for the last OpenSSH_2.9p2 or OpenSSH_2.5.2p2
> (which is last in debian security's updates) ... for the moment.
> Remember there is no 100% secure software.
>
> Don't know for https, but that's not a surprise then.

RE: Secure Network Filesystem
> The point is: we are with new requirements of sharing some
> filesystems across the network (Intranet and DMZ).
>
> I would like to know from you what is suggested in terms of use X
> security. I really would not like to use NFS. Any clues? Coda?

How 'bout running a VPN between the networks then run NFS/whatever over
the VPN?

TTFN,
Ronny

Re: Secure Network Filesystem
On Tue, Aug 28, 2001 at 02:31:20PM -0300, Alisson Sellaro wrote:
> I would like to know from you what is suggested in terms of use X
> security. I really would not like to use NFS. Any clues? Coda?

SFS -- www.fs.net

It wasn't a speed demon by any stretch of the imagination during my
tests, but that may have been a local issue, and not related to SFS
itself. But it has the advantages of looking like NFS to the client and
server, but operating over the network in a cryptographically secure
method.

-- 
Mike Renfro / RD Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]

Re: Sniffing SSH and HTTPS
Richard == Richard [EMAIL PROTECTED] writes:

[...]

Richard> There is also an analysis of the ssh packetstream revealing the
Richard> number of chars in the passwd.

Small clarification: this may reveal the number of characters in any
password that you type _within_ the ssh session. This does not affect
the password that you use to initially log in, as the whole password is
sent in one packet. Of course, the attacker would need to know that you
are typing in a password at that time.

Richard> Attacks can still be done when the fingerprint is unknown
Richard> (e.g. first connect to the box)

Yes, and to answer the OP's second question (how to make ssh secure),
copy the server's public key over a known secure channel (e.g. if
you're at work, get the admin to stick it on a floppy for you), or get
the fingerprint over a known secure channel (e.g. phone the admin and
ask for the fingerprint).

Richard> or brute-force on fingerprint / rsa / dsa.

And if you manage to brute-force the fingerprint/rsa/dsa, we've got
problems.

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.

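Added example, not part of the original message: a Python sketch of the check described in the reply above, comparing the host key a server offers with a fingerprint obtained over a separate trusted channel before trusting a first connection. The key material, the `PINNED_SHA256` value and all function names are constructed for illustration; the fingerprint formats are the SHA256/base64 and MD5 colon-hex forms that `ssh-keygen -l` prints.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_sample_pubkey_line(raw_key: bytes, comment: str = "constructed-sample") -> str:
    """Build an 'ssh-ed25519 <base64 blob> <comment>' line from 32 constructed bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def parse_pubkey_line(line: str):
    """Return (key_type, blob); reject lines whose blob disagrees with the declared type."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint: unpadded base64 of the digest of the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint: colon-separated hex MD5 of the key blob."""
    hexd = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def verify_host_key(offered_line: str, trusted_fingerprint: str) -> bool:
    """True only if the offered key hashes to the fingerprint received out of band."""
    _, blob = parse_pubkey_line(offered_line)
    trusted = trusted_fingerprint.strip()
    if trusted.startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
    else:
        actual = fingerprint_md5(blob)
        trusted = trusted.lower().removeprefix("md5:")
    return hmac.compare_digest(actual.encode(), trusted.encode())


# Constructed sample data: the real server's key, and a different key such as an
# interposed host would have to present because it lacks the server's private key.
SERVER_KEY = make_sample_pubkey_line(bytes(range(32)))
OTHER_KEY = make_sample_pubkey_line(bytes(range(1, 33)), "constructed-other")
# Stands in for the fingerprint the admin reads out over the phone.
PINNED_SHA256 = fingerprint_sha256(parse_pubkey_line(SERVER_KEY)[1])

if __name__ == "__main__":
    for label, line in (("server", SERVER_KEY), ("other", OTHER_KEY)):
        verdict = "match" if verify_host_key(line, PINNED_SHA256) else "MISMATCH, do not connect"
        print(label, verdict)
```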
Re: Linux LDAP problem
On Tue, Aug 28, 2001 at 09:23:47AM -0400, Sunny Dubey wrote:
> Hey,
>
> I've got a slight problem, at school we run two major networks, one
> half is Novell Netware based, and the other half is unix based. We
> basically one centralized system of authentication, so that user don't
> have to remember two different passwords to use either system.
>
> We been trying to get linux to use ldap to authenticate with the novell
> ldap server, and have had no luck. We know the novell ldap server is
> fine, however something seems fishy with the linux side.
>
> The problem is that when using the PAM_LDAP modules, is that when a
> user tries to login, they are asked for a password twice, once the
> normal password, and the second one being the ldap based password.
> However, even if you type in the correct passwords, LDAP says
> permission denied, or authentication failed. What makes it really odd
> is how at the same time the novell netware server states it has seen
> the authenticated user, and even gives it an OK to login.
>
> Anyone have any clue as to how to make it work? Are there any docs
> about getting Netware+linux+ldap to work?
>
> thanks for any info that you might pass along. have a nice day.

You might want to try asking on the PAM list, which I have the address
for somewhere around here if you need it.

-- 
Share and Enjoy.

Linux LDAP problem
Hey,

I've got a slight problem, at school we run two major networks, one half
is Novell Netware based, and the other half is unix based. We basically
one centralized system of authentication, so that user don't have to
remember two different passwords to use either system.

We been trying to get linux to use ldap to authenticate with the novell
ldap server, and have had no luck. We know the novell ldap server is
fine, however something seems fishy with the linux side.

The problem is that when using the PAM_LDAP modules, is that when a user
tries to login, they are asked for a password twice, once the normal
password, and the second one being the ldap based password. However,
even if you type in the correct passwords, LDAP says permission denied,
or authentication failed. What makes it really odd is how at the same
time the novell netware server states it has seen the authenticated
user, and even gives it an OK to login.

Anyone have any clue as to how to make it work? Are there any docs about
getting Netware+linux+ldap to work?

thanks for any info that you might pass along. have a nice day.

Sunny Dubey

PS: We are fully aware that novell does create linux/bsd based PAM_LDAP
modules, the problem is that we are an education institution .. and
don't have the biggest wallet in the world, hehe :^).

Open SSL Certificate
Can anybody tell me how to create a Certificate Signature Request using
openssl ??

I have tried

/etc/ssl# openssl req openssl.cnf test

But get the following error

Using configuration from /usr/lib/ssl/openssl.cnf
unable to load X509 request
857:error:02001002:system library:fopen:system lib:bss_file.c:103:fopen('/root/.oid','r')
857:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:105:
857:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:610:

:o(

Marcel

Re: Open SSL Certificate
The OpenSSL web site (http://www.openssl.org) has some rather good
documentation on how to generate the certificates and setting up a
CA...

Jeremy

On Wed, Aug 29, 2001 at 12:09:20PM +0800, Marcel Welschbillig wrote:
> Can anybody tell me how to create a Certificate Signature Request
> using openssl ??
>
> I have tried
>
> /etc/ssl# openssl req openssl.cnf test
>
> But get the following error
>
> Using configuration from /usr/lib/ssl/openssl.cnf
> unable to load X509 request
> 857:error:02001002:system library:fopen:system lib:bss_file.c:103:fopen('/root/.oid','r')
> 857:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:105:
> 857:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:610:
>
> :o(
>
> Marcel

Re: Running root commands by http (END)
On Thu, 23 Aug 2001 11:09:59 -0500 Paul C. Nendick [EMAIL PROTECTED] wrote:
> The reason the web based solution to this is not forthcoming is that
> this is not a web problem. The real solution is to hire trustworthy
> admins capable of learning the right way to admin their systems. I'm
> not trying to be a bastard, but since you asked this question on a
> security list I'm giving you the solution to this problem that is the
> most professional and secure. Take the time you would have invested in
> programming this tool and simply document how to do these tasks with
> the tools already provided. Take the money you will save in doing this
> and buy some O'Reilly books for your team. Smart admins with an
> understanding of how systems really work will always be more valuable
> than untrusted admins with idiot proof tools.

Thanks, but if the sysadmin doesn't have much time to learn, I think
it's better for him to give him a user friendly frontend which allows
only what he needs. Like this, he can't do some errors by running some
unknown commands which can lose him in the files tree or in a big
stdout. Of course it takes me more time to do it, but he will save time
and as he paid me for doing this...

Well I think it's a very long discussion and with many issues ... and I
got some problems to say it in English...

So in this case I decided to make a php frontend (with auth and https)
which runs a few commands as exactly as possible, and put them into
sudoers with many controls... I expect it will be enough.

Thanks to all for contributions on this question.

Manu.

-- 
Easter-eggs                      GNU/Linux Specialist
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com

Crypto
Hello everybody,

I want to have some information about what kind of cryptological
benefits does my linux server offer to me. I searched linuxdoc.org but
could not find a howto about linux cryptology. Could you please guide me
to a web site or to a documentation site where I can start from the
novice level and go up to the guru level ?

Thanx

Re: Sniffing SSH and HTTPS
Jan-Hendrik Palic writes:
> > Don't know for https, but that's not a surprise then.
>
> Why?

Because of the sentence below : 'Remember there is no 100% secure
software.' ;-)

-- 
Davy Gigan
System  Network Administration
University Of Caen (France)

Re: Sniffing SSH and HTTPS
Jan-Hendrik Palic writes:
> > Don't know for https, but that's not a surprise then.
>
> Why?

https is based on ssl, so does ssh, if one can be sniffed, why wouldn't
it be same for the other ? I think (and i may (must) be wrong) that
https sniffing is based on weakness of ssl when used in https (or use
of 'magic' ?) ...

-- 
Davy Gigan
System  Network Administration
University Of Caen (France)

Re: Sniffing SSH and HTTPS
On Tue, 28 Aug 2001, Jan-Hendrik Palic wrote:
> Hi all...
>
> I have a small question. I found on SF a small tool, which may sniff
> SSH and HTTPS (not tested).
>
> The Url is : http://ettercap.sourceforge.net/
>
> Is it possible? Are SSH and HTTPS connections unsecure and how do we
> make it secure then?

This tool performs a man-in-the-middle attack (arp/dns poisoning etc),

ssh: A new ssh would loudly complain that the host-key fingerprint
changed. (since the private part of the key remains unknown to ettercap
preventing the use of this public key)
There is also an analysis of the ssh packetstream revealing the number
of chars in the passwd.

https: If the signed cert of a https server would also sign the pubkey,
a browser could also refuse to accept a connection when this key isn't
used in the session key exchange. But I don't believe https browsers
work this way.

Attacks can still be done when the fingerprint is unknown (e.g. first
connect to the box) or brute-force on fingerprint / rsa / dsa.

[RicV]

Re: Secure Network Filesystem
(2001-08-28) Alisson Sellaro sed : | Hi there folks | | I'm planning a modification in the network of my departament | here. We have a pretty standard lay-out with a DMZ and a | screened subnet firewalling schema (two firewalls, one from | outside to our DMZ and other from the DMZ to our Intranet). The | point is: we are with new requirements of sharing some | filesystems accross the network (Intranet and DMZ). | | I would like to know from you what is suggested in terms of use | X security. I really would not like to use NFS. Any clues? Coda? | | Thamnks in advance If you just want to just crypt the traffic, you can use tcfs, which is client side oriented, and that you use over NFS. Otherwise, you can do a VPN, with 2 or more box you buy, put between the cliens and the server. I don't have any name in minds, but I think you can find things like this in blackbox... Last but not the least, you can build a vpn using linux boxes and ipsec, using freeS/WAN (http://www.freeswan.org). That works fine. -- VALLIET Emmanuel ! http://www.webmotion.com Webmotion Inc. ! mailto:[EMAIL PROTECTED] I like cats, but I don't think I could eat a whole one.
Re: Sniffing SSH and HTTPS
hi ya and for the list of the rest of the sniffers to check out... http://www.Linux-Sec.net/Sniffer one of the boxes i had over the past 3 years was sniffed ... probably ssh-1.x series ... just didnt know how they did it 3 yrs ago - no damage done ... but a good trick... have fun alvin On Tue, 28 Aug 2001, Davy Gigan wrote: Jan-Hendrik Palic writes: http://ettercap.sourceforge.net/ Is it possible? Are SSH und HTTPS connections unsecure and how do we make is secure than? old ssh protocol v1.5 IS a security hole, you can snif it. I don't know any vulnerability for the last OpenSSH_2.9p2 or OpenSSH_2.5.2p2 (which is last in debian security's updates) ... for the moment. Remember there is no 100% secure software. Don't know for https, but that's not a surprise then.
Re: Linux LDAP problem
On Tue, Aug 28, 2001 at 09:23:47AM -0400, Sunny Dubey wrote:

> Hey, I've got a slight problem, at school we run two major networks, one half is Novell Netware based, and the other half is unix based. We basically one centralized system of authentication, so that users don't have to remember two different passwords to use either system. We've been trying to get linux to use ldap to authenticate with the novell ldap server, and have had no luck. We know the novell ldap server is fine, however something seems fishy with the linux side.
>
> The problem is that when using the PAM_LDAP modules, when a user tries to login, they are asked for a password twice, once the normal password, and the second one being the ldap based password. However, even if you type in the correct passwords, LDAP says permission denied, or authentication failed. What makes it really odd is how at the same time the novell netware server states it has seen the authenticated user, and even gives it an OK to login.
>
> Anyone have any clue as to how to make it work? Are there any docs about getting Netware+linux+ldap to work? thanks for any info that you might pass along. have a nice day.

You might want to try asking on the PAM list, which I have the address for somewhere around here if you need it.

--
Share and Enjoy.
RE: Secure Network Filesystem
> The point is: we are with new requirements of sharing some filesystems across the network (Intranet and DMZ). I would like to know from you what is suggested in terms of use X security. I really would not like to use NFS. Any clues? Coda?

How 'bout running a VPN between the networks then run NFS/whatever over the VPN?

TTFN,
Ronny
Re: Secure Network Filesystem
On Tue, Aug 28, 2001 at 02:31:20PM -0300, Alisson Sellaro wrote:

> I would like to know from you what is suggested in terms of use X security. I really would not like to use NFS. Any clues? Coda?

SFS -- www.fs.net

It wasn't a speed demon by any stretch of the imagination during my tests, but that may have been a local issue, and not related to SFS itself. But it has the advantages of looking like NFS to the client and server, but operating over the network in a cryptographically secure method.

--
Mike Renfro / RD Engineer, Center for Manufacturing Research, 931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]
Re: Secure Network Filesystem
Ronny Adsetts wrote:

> > The point is: we are with new requirements of sharing some filesystems across the network (Intranet and DMZ). I would like to know from you what is suggested in terms of use X security. I really would not like to use NFS. Any clues? Coda?
>
> How 'bout running a VPN between the networks then run NFS/whatever over the VPN?
>
> TTFN,
> Ronny

You could try coda or afs. I haven't used it but I'm planning to try it. or SNFS?

Karun
Re: Linux LDAP problem
On Tuesday, 2001-08-28 at 17:15:58 +0200, Sergio Talens-Oliag wrote:

> On Tue, Aug 28, 2001 at 09:23:47AM -0400, Sunny Dubey wrote:
> > Anyone have any clue as to how to make it work? Are there any docs about getting Netware+linux+ldap to work? thanks for any info that you might pass along. have a nice day.
>
> I think your problem is in your pam module configuration, I use something like that for auth:
>
> ---
> auth required   pam_nologin.so
> auth sufficient pam_unix.so
> auth required   pam_ldap.so use_first_pass
> ---
>
> With this setup the user is only asked once; if 'pam_unix' succeeds the user is authorized and if it fails 'pam_ldap' tries to authenticate using the same password entered.
>
> Hope this helps.

Probably not. The hard part is figuring out which attributes this queries. I helped set this up, but the NDS was already muddled by other applications, so it's not clear. But there's a way: RTFS! :-)

HTH,
Lupe Christoph

--
| [EMAIL PROTECTED] | http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a |
| Bat-Leth contest on the holodeck. They will not concern us again. |
| http://public.logica.com/~stepneys/joke/klingon.htm |
Re: Crypto
>>>>> "Martin" == Martin Peikert [EMAIL PROTECTED] writes:

Martin> John DOE [EMAIL PROTECTED] wrote:
Martin> > Hello everybody, I want to have some information about what kind of cryptological benefits does my linux server offer to me . I searched linuxdoc.org but could not find a howto about linux cryptology. Could you please guide me to a web site or to a documentation site where I can start from the novice level and go up to the guru level ?

Martin> Take a look at http://www.kerneli.org

The patches at kerneli have known problems (and haven't been updated for a while). There's been quite a lot of discussion about this on the linux-crypto list (archived at http://mail.nl.linux.org/linux-crypto/).

I would suggest using the LoopAES package by Jari Ruusu instead:

http://loop-aes.sourceforge.net/loop-AES-v1.3d.tar.bz2
http://loop-aes.sourceforge.net/loop-AES-v1.3d.tar.bz2.sign
http://loop-aes.sourceforge.net/PGP-public-key.asc

If you're brave, you can also try the CVS version of cryptoapi by Herbert Riedel: http://sourceforge.net/projects/cryptoapi/ (cryptoapi is based on the kerneli sources, but modified to reduce the amount of kernel patching needed. The current version suffers the same above-mentioned problems as kerneli, but Herbert's been working on fixing them in the CVS version.)

If you really want to use crypto under Linux, subscribe to the linux-crypto list. Aside from the usual flamewars and arrogant developers, it's quite informative.

--
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.
Re: [ OT ] local packages vs official packages
>>>>> "Samu" == Samu [EMAIL PROTECTED] writes:

Samu> hi, this is just a curiosity, i think is not so security related,
Samu> anyway... if i made a package by my self, or from deb sources, of
Samu> a package that already exist on to the debian db, and my local
Samu> package is called as the official one, when i run then dselect or
Samu> apt, they overwrite my local pkg for the official one. i have to
Samu> explicitly hold the local package to not to have overwritten.
Samu> why ? they aren't checked only for the version number ?

If your package is the same version number as the official one, but is different (I guess different MD5 sums and/or size is how apt checks it), then apt will try to reinstall.

Add an entry to the debian/changelog. For example, if the current release is 4.5-2 (just pulling a random number out of the air), then add an entry calling it 4.5-2.1 or something like that.

--
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.
Re: Sniffing SSH and HTTPS
On Tue, Aug 28, 2001 at 06:44:59PM +0200, Davy Gigan wrote:

> Jan-Hendrik Palic writes:
> > http://ettercap.sourceforge.net/
> > Is it possible? Are SSH and HTTPS connections insecure and how do we make it secure then?
>
> old ssh protocol v1.5 IS a security hole, you can sniff it. I don't know any vulnerability for the last OpenSSH_2.9p2 or OpenSSH_2.5.2p2 (which is last in debian security's updates)

wrong, the latest ssh in debian's security updates (thus for potato) is

Version: 1:1.2.3-9.3

the latest in unstable is 2.9p2, testing (woody) has 2.5.2p2, these are unreleased versions of debian though.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Sniffing SSH and HTTPS
>>>>> "Richard" == Richard [EMAIL PROTECTED] writes:

[...]

Richard> There is also an analysis of the ssh packetstream revealing the
Richard> number of chars in the passwd.

Small clarification: this may reveal the number of characters in any password that you type _within_ the ssh session. This does not affect the password that you use to initially log in, as the whole password is sent in one packet. Of course, the attacker would need to know that you are typing in a password at that time.

Richard> Attacks can still be done when the fingerprint is unknown
Richard> (e.g. first connect to the box)

Yes, and to answer the OP's second question (how to make ssh secure), copy the server's public key over a known secure channel (e.g. if you're at work, get the admin to stick it on a floppy for you), or get the fingerprint over a known secure channel (e.g. phone the admin and ask for the fingerprint).

Richard> or brute-force on fingerprint / rsa / dsa.

And if you manage to brute-force the fingerprint/rsa/dsa, we've got problems.

--
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.
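The out-of-band check suggested above, as an added example that is not part of the original post: it computes the fingerprint of a host public key in both the colon-separated MD5 form and the SHA256 form printed by current OpenSSH, and accepts a key only if it matches the fingerprint obtained over the trusted channel. The ed25519 sample keys are constructed from made-up bytes and the function names are this example's own.

```python
import base64
import hashlib
import struct

def fingerprints(pubkey_line):
    """Return (md5_hex, sha256_b64) for a 'type base64-blob [comment]' line."""
    fields = pubkey_line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line was damaged or altered.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha

def matches_trusted(pubkey_line, trusted_fp):
    """True only if the offered key hashes to the out-of-band fingerprint."""
    md5, sha = fingerprints(pubkey_line)
    fp = trusted_fp.strip()
    if fp.startswith("SHA256:"):
        return fp == sha                      # base64 is case-sensitive
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return fp.lower() == md5                  # old colon-separated hex form

def constructed_key(seed):
    """Constructed sample: a well-formed ssh-ed25519 line from made-up bytes."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"

SERVER_KEY = constructed_key(1)               # key the admin handed over
TRUSTED_FP = fingerprints(SERVER_KEY)[0]      # fingerprint read out by phone
OFFERED_BY_MITM = constructed_key(2)          # different key seen on the wire

if __name__ == "__main__":
    print("trusted fingerprint:", TRUSTED_FP)
    print("genuine key accepted:", matches_trusted(SERVER_KEY, TRUSTED_FP))
    print("substituted key accepted:", matches_trusted(OFFERED_BY_MITM, TRUSTED_FP))
```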