Re: fswcert

2002-04-08 Thread Noah L. Meyerhans
On Fri, Apr 05, 2002 at 12:13:41PM +0200, Victor Vuillard wrote:
> the "fswcert" tool, which is used to extract the private key from a
> certificate, was previously in the freeswan package. I was not able to find it in
> version 1.95 of freeswan. Does anyone know why it has been removed?

Because it's no longer needed.  The Debian freeswan packages can use
certs directly.  Some stuff in /usr/share/doc/freeswan will help you
figure out how to use them.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 


pgpDkfHDDn6lh.pgp
Description: PGP signature


Re: fswcert

2002-04-08 Thread Lupe Christoph

On Tuesday, 2002-04-09 at 00:03:20 -0400, Noah L. Meyerhans wrote:
> On Fri, Apr 05, 2002 at 12:13:41PM +0200, Victor Vuillard wrote:
> > the "fswcert" tool, which is used to extract the private key from a
> > certificate, was previously in the freeswan package. I was not able to find it in
> > version 1.95 of freeswan. Does anyone know why it has been removed?
> 
> Because it's no longer needed.  The Debian freeswan packages can use
> certs directly.  Some stuff in /usr/share/doc/freeswan will help you
> figure out how to use them.
> 

Here is an example:

conn %default
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
left=%defaultroute
leftsubnet=192.168.2.0/24
leftid="C=DE, ST=Bavaria, O=Octogon Gesellschaft fuer Computer-Dienstleistungen mbH, OU=Lupe's Home Office, [EMAIL PROTECTED]"

The ID is in the certificate. Extract it like:
openssl x509 -in certificate.pem -noout -text | sed -n -e 's/.*Subject: //p'

Mail me directly if you need help setting this up.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|
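Worked example (added here; not Lupe's code and not part of FreeS/WAN): a small Python helper that takes the Subject as printed by `openssl x509 -noout -subject` or by the `-text` dump, in the three shapes OpenSSL has used over the years, renders it in the `leftid="C=DE, ST=Bavaria, ..."` form, and checks that an existing leftid names the certificate subject exactly. The function names and sample subjects are constructed; the samples leave out the email attribute because its short name differs between OpenSSL versions.

```python
"""Normalise an X.509 subject into a FreeS/WAN leftid/rightid string.

Added example (not from the original post). It accepts the Subject as
printed by `openssl x509 -noout -subject` or by the `-text` dump and
turns it into the "C=DE, ST=Bavaria, ..." form used in ipsec.conf, then
checks whether an existing leftid really names the certificate subject.
All sample subjects below are constructed.
"""
import re

# Shapes OpenSSL has printed over the years (constructed samples):
TEXT_DUMP = '        Subject: C=DE, ST=Bavaria, O=Example GmbH, OU=Home Office'
OLD_SUBJECT = 'subject= /C=DE/ST=Bavaria/O=Example GmbH/OU=Home Office'
NEW_SUBJECT = 'subject=C = DE, ST = Bavaria, O = Example GmbH, OU = Home Office'

PREFIX_RE = re.compile(r'^[Ss]ubject\s*[:=]\s*')


def parse_subject(line):
    """Return the subject as an ordered list of (attribute, value) pairs.

    Values containing an unescaped '/' or ',' would be split wrongly;
    that limitation is deliberate to keep the parser short."""
    text = PREFIX_RE.sub('', line.strip().strip('"'))
    parts = text[1:].split('/') if text.startswith('/') else text.split(',')
    rdns = []
    for part in parts:
        if '=' not in part:
            raise ValueError('malformed RDN component: %r' % part)
        attr, value = part.split('=', 1)
        rdns.append((attr.strip(), value.strip()))
    return rdns


def to_freeswan_id(rdns):
    """Render the pairs as FreeS/WAN expects them inside leftid="..."."""
    return ', '.join('%s=%s' % (attr, value) for attr, value in rdns)


def id_matches_cert(ipsec_id, subject_line):
    """True when an ipsec.conf id (possibly wrapped or re-spaced) names
    exactly the subject OpenSSL printed. A DN is an ordered sequence of
    RDNs, so attribute order matters."""
    return parse_subject(ipsec_id) == parse_subject(subject_line)


if __name__ == '__main__':
    for sample in (TEXT_DUMP, OLD_SUBJECT, NEW_SUBJECT):
        print('leftid="%s"' % to_freeswan_id(parse_subject(sample)))
    wrapped = '"C=DE, ST=Bavaria,\n  O=Example GmbH, OU=Home Office"'
    print('wrapped id matches:', id_matches_cert(wrapped, TEXT_DUMP))
```

The comparison is on the parsed RDN list rather than the raw string, so differences in spacing or mail wrapping do not matter, while a changed value or a reordered attribute does.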


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: iptables not logging or dhcp-client lying?

2002-04-08 Thread Olaf Meeuwissen
Gabor Kovacs <[EMAIL PROTECTED]> writes:

> Olaf Meeuwissen wrote:
> 
> > Basically, I'd like to keep the setup as closed as possible so I make
> > a hole in /etc/dhclient-enter-hooks during the PREINIT stage to let
> > the DHCPDISCOVER broadcast out (and a reply back in eventually, taking
> > this one step at a time ;-).  At least, that's what I thought I should
> > do, but I noticed that packets are not logged!
> 
> I think (but not sure) DHCP client is using (so called) raw sockets
> which are below the layer where iptables is in the kernel. That's why
> iptables is unable to see the packets.

Looks like you are right.  I set all built-in chains to LOG and a DROP
policy (no other rules) and my interface configures fine.  Once it is
up there's an incessant stream of logged packets (mainly win-DoS hosts
letting everyone know who and where they are by shouting all over the
subnet and, occasionally, beyond).

Oh well, I guess I can forget about making and plugging holes for the
DHCPDISCOVER (and probably DHCPREQUEST) requests and their replies.
That makes my job easier, but I guess the docs then need a fix ;-)

Thanks,
-- 
Olaf MeeuwissenEpson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2   -- I hack, therefore I am -- BOFH
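To see what Olaf's LOG-plus-DROP experiment actually records, here is an added example (mine, not from the thread) that parses iptables LOG lines out of syslog and groups them by traffic class and by source. The log lines are constructed; the hostname, interface and addresses are placeholders. The `dhcp` class covers other hosts' broadcasts that arrive through INPUT; as the thread concludes, the local dhclient's own DHCPDISCOVER goes through a packet socket below the netfilter hooks and never shows up here.

```python
"""Summarise what an iptables LOG + DROP policy actually records.

Added example, not from the thread. It parses kernel LOG lines of the
kind a default-DROP firewall writes to syslog and groups them by traffic
class and source, which is how to tell the NetBIOS broadcast chatter the
thread describes from anything that deserves attention. The log lines
below are constructed.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Apr  8 09:12:01 gw kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:aa:bb:01:08:00 SRC=192.168.2.17 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4011 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr  8 09:12:01 gw kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:aa:bb:01:08:00 SRC=192.168.2.17 DST=192.168.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=4012 PROTO=UDP SPT=138 DPT=138 LEN=209
Apr  8 09:12:03 gw kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:aa:bb:02:08:00 SRC=192.168.2.23 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=7 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr  8 09:12:05 gw kernel: IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:03:08:00 SRC=10.0.0.5 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  8 09:12:06 gw kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:aa:bb:04:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr  8 09:12:07 gw sshd[812]: Accepted publickey for olaf from 192.168.2.9 port 40222 ssh2
"""

FIELD_RE = re.compile(r'([A-Z]+)=(\S*)')


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None for
    lines that are not netfilter logs. Bare flags (DF, SYN) are dropped;
    the second LEN= (UDP payload) overwrites the IP one, which is fine
    for classification."""
    if 'kernel:' not in line or 'PROTO=' not in line:
        return None
    return dict(FIELD_RE.findall(line.split('kernel:', 1)[1]))


def classify(fields):
    """Name the traffic class a dropped packet belongs to."""
    proto, dpt = fields.get('PROTO'), fields.get('DPT')
    dst = fields.get('DST', '')
    if proto == 'UDP' and dpt in ('137', '138'):
        # NetBIOS name/datagram service: Windows hosts announcing themselves
        return 'netbios-broadcast' if dst.endswith('.255') else 'netbios'
    if proto == 'UDP' and dpt in ('67', '68'):
        # DHCP from other hosts; the local dhclient's own packets bypass netfilter
        return 'dhcp'
    if proto == 'TCP':
        return 'tcp-dpt-%s' % dpt
    return 'other'


def summarise(log_text):
    """Count dropped packets per class and per source address."""
    by_class, by_src = Counter(), Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        by_class[classify(fields)] += 1
        by_src[fields.get('SRC', '?')] += 1
    return by_class, by_src


if __name__ == '__main__':
    classes, sources = summarise(SAMPLE_LOG)
    for name, n in classes.most_common():
        print('%-20s %d' % (name, n))
    for src, n in sources.most_common():
        print('%-20s %d' % (src, n))
```

Run against a real syslog the broadcast class dominates, which is the "incessant stream" Olaf mentions; the per-source table is what separates one chatty Windows box from an outside host knocking on port 22.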






unsubscribe

2002-04-08 Thread Bartłomiej Świercz


-- 
Regards,
Bartek.

  ###
  # Keep It Simple Stupid!  #
  #   http://sknauk.wpk.p.lodz.pl   #
  ###


-- Forwarded message --
Date: Mon, 8 Apr 2002 23:45:44 +0200 (CEST)
From: Bartłomiej Świercz <[EMAIL PROTECTED]>
To: debian-security@lists.debian.org
Subject: unsubscribe



-- 
Regards,
Bartek.

  ###
  # Keep It Simple Stupid!  #
  #   http://sknauk.wpk.p.lodz.pl   #
  ###







About umask for paranoids

2002-04-08 Thread Julián Muñoz
Hello,

I have been using potato for 6 months now, and well, I like it very much, but
something is shocking me very much:

some log files, some configuration files, and some "other things I didn't
expect" are world readable.

So, I know, I could change it by hand. But it seems to be generic behaviour
of Debian, due to the default umask.

Do you know if it is possible to change the default Debian umask?
What would then be the effect on the installed packages?

Is it possible to set this default "paranoid" umask at the installation stage
of Debian?

But then, would a lot of things be broken? To what extent do Debian
packages rely on the default umask?


I have been searching for this on the lists, Google, etc., and don't
find any mention. So now in fact I am asking myself whether my conception of
umask security is right.



Some related questions:

By default, is /root world readable? (I think I fixed this, but not sure)

What umask does apache or apache-ssl "see"? (I had to change some
permissions of the logs...)


In fact, I think that what is happening is normal: with the current
default umask, you always have some "surprises"...


Thank you !!  :-)



-- 
Greetings from Julián
EA4ACL
-.-
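An added example (not from the original post) that shows the arithmetic behind the question: the umask only clears permission bits from the mode a program asks for, so a 022 umask leaves new files 644 and new directories 755, while 027 or 077 take away group or world access entirely. The second function walks a directory and lists what is readable by others, which is the check to run on /var/log and /etc after changing the umask; the tree it audits is constructed in a temporary location and the file names are placeholders.

```python
"""Show what a umask does to newly created files and find world-readable
leftovers. Added example, not from the original post; the directory tree
it audits is constructed in a temporary directory.
"""
import os
import stat
import tempfile


def effective_modes(umask):
    """Create a file and a directory under the given umask and return
    (file_mode, dir_mode) as the kernel actually applied them.
    open() asks for 0666 and mkdir() for 0777; the umask clears bits."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as top:
            fpath, dpath = os.path.join(top, 'f'), os.path.join(top, 'd')
            os.close(os.open(fpath, os.O_CREAT | os.O_WRONLY, 0o666))
            os.mkdir(dpath, 0o777)
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(previous)


def world_readable(root):
    """Relative paths under root that any local user may read (o+r).
    Symlinks are skipped so the walk stays inside the tree."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if os.stat(path).st_mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def audit_sample_tree():
    """Build a small constructed tree with explicit modes and audit it.
    A file inside a non-world-readable directory is still reported,
    because its own mode is what a tighter umask would have fixed."""
    with tempfile.TemporaryDirectory() as top:
        spec = {'public.log': 0o644, 'private.log': 0o600,
                'sub': 0o750, 'sub/inner.conf': 0o644}
        for rel, mode in spec.items():
            path = os.path.join(top, rel)
            if rel == 'sub':
                os.mkdir(path)
            else:
                open(path, 'w').close()
            os.chmod(path, mode)
        return world_readable(top)


if __name__ == '__main__':
    for mask in (0o022, 0o027, 0o077):
        fmode, dmode = effective_modes(mask)
        print('umask %04o -> file %04o dir %04o' % (mask, fmode, dmode))
    print('world-readable in sample tree:', audit_sample_tree())
```

Note that a umask only affects files created after it is set; anything a package's maintainer script or a daemon wrote before the change keeps its mode, which is why the audit pass is needed in addition to the new default.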







Re: new www vulnerability

2002-04-08 Thread shiftee
The access request for "/..À¯../..À¯../cmd1.exe" indicates that this
is some kind of Microsoft bug (no surprises there).  I receive plenty
of probes like this a day; it's probably just some hacker running an
automated script to check for vulnerable sites.  Nothing to worry
about unless you're running IIS ;-)

On Mon, Apr 08, 2002 at 10:31:43PM +0200, James Nord wrote:
> Hi,
> 
> Is anyone aware of a vulnerability that is characterised by the following 
> against a www server?
> or is the ^E etc. just a way of trying to hide the various attempts below?
> 
> [Sat Apr  6 02:44:07 2002] [error] [client 24.101.140.253] Invalid 
> method in request ^E^A
> [Sat Apr  6 02:44:07 2002] [error] [client 24.101.140.253] Invalid 
> method in request ^E^A^B
> [Sat Apr  6 02:44:08 2002] [error] [client 24.101.140.253] Invalid 
> method in request ^A
> [Sat Apr  6 02:44:09 2002] [error] [client 24.101.140.253] Invalid 
> method in request ^Z
> [Sat Apr  6 02:44:12 2002] [error] [client 24.101.140.253] File does not 
> exist: /mnt/bigone/www/html/www.teilo.net/invalidfilename.htm
> [Sat Apr  6 02:44:12 2002] [error] [client 24.101.140.253] Options 
> ExecCGI is off in this directory: 
> /mnt/bigone/www/html/www.teilo.net/invalidfilename.cgi
> [Sat Apr  6 02:44:13 2002] [error] [client 24.101.140.253] Invalid URI 
> in request GET /../invalidfilename.htm HTTP/1.0
> [Sat Apr  6 02:44:13 2002] [error] [client 24.101.140.253] File does not 
> exist: /mnt/bigone/www/html/www.teilo.net/invalidfilename.htm
> [Sat Apr  6 02:44:14 2002] [error] [client 24.101.140.253] Options 
> ExecCGI is off in this directory: 
> /mnt/bigone/www/html/www.teilo.net/invalidfilename.cgi
> [Sat Apr  6 02:44:14 2002] [error] [client 24.101.140.253] Invalid URI 
> in request GET /../invalidfilename.htm HTTP/1.0
> [Sat Apr  6 02:44:15 2002] [error] [client 24.101.140.253] File does not 
> exist: /mnt/bigone/www/html/www.teilo.net/..À¯../..À¯../sensepost.exe
> [Sat Apr  6 02:44:15 2002] [error] [client 24.101.140.253] File does not 
> exist: /mnt/bigone/www/html/www.teilo.net/..À¯../..À¯../sensepost.exe
> [Sat Apr  6 02:44:16 2002] [error] [client 24.101.140.253] File does not 
> exist: /mnt/bigone/www/html/www.teilo.net/..À¯../..À¯../cmd1.exe
> 
> 
> Regards,
> 
> /James
> 
> 

-- 
shiftee <[EMAIL PROTECTED]>
PGP Key: [EMAIL PROTECTED]
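Classifying James's lines as an added example (not from either poster): the script parses Apache 1.3 error_log entries, tags each message with what it reveals, and summarises per client, which is the routine way to confirm shiftee's reading instead of eyeballing the log. The `À¯` pair in the mail is bytes C0 AF, the overlong two-byte UTF-8 encoding of `/`; an IIS decoder that accepted overlong forms after its traversal check is what let such requests reach Windows executables, while Apache rejects or cannot find them, which is exactly what the log shows. The log lines are the thread's own with mail wrapping removed; the regular expressions, tag names and verdict strings are mine.

```python
r"""Classify the probe lines from the thread's Apache error log.

Added example, not from the original post. The sample below reproduces
the thread's log entries (mail wrapping removed); '\xc0\xaf' is the byte
pair the mail renders as "À¯", the overlong two-byte UTF-8 encoding of
'/'. Apache serves none of it, so the value of the classifier is
attribution of the scan, not defence.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
[Sat Apr  6 02:44:07 2002] [error] [client 24.101.140.253] Invalid method in request ^E^A
[Sat Apr  6 02:44:07 2002] [error] [client 24.101.140.253] Invalid method in request ^E^A^B
[Sat Apr  6 02:44:08 2002] [error] [client 24.101.140.253] Invalid method in request ^A
[Sat Apr  6 02:44:09 2002] [error] [client 24.101.140.253] Invalid method in request ^Z
[Sat Apr  6 02:44:12 2002] [error] [client 24.101.140.253] File does not exist: /mnt/bigone/www/html/www.teilo.net/invalidfilename.htm
[Sat Apr  6 02:44:12 2002] [error] [client 24.101.140.253] Options ExecCGI is off in this directory: /mnt/bigone/www/html/www.teilo.net/invalidfilename.cgi
[Sat Apr  6 02:44:13 2002] [error] [client 24.101.140.253] Invalid URI in request GET /../invalidfilename.htm HTTP/1.0
[Sat Apr  6 02:44:13 2002] [error] [client 24.101.140.253] File does not exist: /mnt/bigone/www/html/www.teilo.net/invalidfilename.htm
[Sat Apr  6 02:44:14 2002] [error] [client 24.101.140.253] Options ExecCGI is off in this directory: /mnt/bigone/www/html/www.teilo.net/invalidfilename.cgi
[Sat Apr  6 02:44:14 2002] [error] [client 24.101.140.253] Invalid URI in request GET /../invalidfilename.htm HTTP/1.0
[Sat Apr  6 02:44:15 2002] [error] [client 24.101.140.253] File does not exist: /mnt/bigone/www/html/www.teilo.net/..\xc0\xaf../..\xc0\xaf../sensepost.exe
[Sat Apr  6 02:44:15 2002] [error] [client 24.101.140.253] File does not exist: /mnt/bigone/www/html/www.teilo.net/..\xc0\xaf../..\xc0\xaf../sensepost.exe
[Sat Apr  6 02:44:16 2002] [error] [client 24.101.140.253] File does not exist: /mnt/bigone/www/html/www.teilo.net/..\xc0\xaf../..\xc0\xaf../cmd1.exe
"""

# Apache 1.3 error_log: [date] [level] [client IPv4] message
LINE_RE = re.compile(r'^\[([^\]]+)\] \[(\w+)\] \[client ([\d.]+)\] (.*)$')
# overlong two-byte UTF-8 (lead bytes C0/C1 are never valid), raw or %-encoded
OVERLONG_RAW = re.compile(rb'[\xc0\xc1][\x80-\xbf]')
OVERLONG_PCT = re.compile(r'%c[01]%[89ab][0-9a-f]', re.I)
# control bytes, or the caret notation a terminal or mailer shows for them
CONTROL_RE = re.compile(r'[\x00-\x1f\x7f]|\^[@A-Z\[\\\]^_]')
METHOD_PREFIX = 'Invalid method in request '


def classify(message):
    """Tags describing what a single error-log message reveals."""
    tags = []
    if message.startswith(METHOD_PREFIX) and CONTROL_RE.search(message[len(METHOD_PREFIX):]):
        tags.append('binary-probe')       # non-HTTP bytes on the HTTP port
    raw = message.encode('latin-1', 'replace')
    if OVERLONG_RAW.search(raw) or OVERLONG_PCT.search(message):
        tags.append('overlong-utf8')      # IIS-style encoded traversal
    if '/../' in message:
        tags.append('dot-dot')            # plain traversal attempt
    if re.search(r'\.exe\b', message, re.I):
        tags.append('win-exe')            # asks for a Windows executable
    return tags


def summarise(log_text):
    """Per-client counts of lines and of each tag."""
    per_client = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _when, _level, client, message = m.groups()
        counts = per_client.setdefault(client, Counter())
        counts['lines'] += 1
        for tag in classify(message):
            counts[tag] += 1
    return per_client


def verdict(counts):
    """One-line reading of a client's counter, most specific first."""
    if counts['overlong-utf8'] or counts['win-exe']:
        return 'automated IIS traversal scan (no effect on Apache; note the source)'
    if counts['dot-dot']:
        return 'generic directory traversal probe'
    if counts['binary-probe']:
        return 'non-HTTP data on the HTTP port (service fingerprinting)'
    return 'nothing suspicious'


if __name__ == '__main__':
    for client, counts in summarise(SAMPLE_LOG).items():
        print(client, dict(counts))
        print('  ->', verdict(counts))
```

The percent-encoded pattern is there for access_log lines, where the request URI is logged before Apache decodes it; in error_log the bytes have already been decoded, which is why the raw C0 AF form is what James saw.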





new www vulnerability

2002-04-08 Thread James Nord

Hi,

Is anyone aware of a vulnerability that is characterised by the following 
against a www server?

or is the ^E etc. just a way of trying to hide the various attempts below?

[Sat Apr  6 02:44:07 2002] [error] [client 24.101.140.253] Invalid 
method in request ^E^A
[Sat Apr  6 02:44:07 2002] [error] [client 24.101.140.253] Invalid 
method in request ^E^A^B
[Sat Apr  6 02:44:08 2002] [error] [client 24.101.140.253] Invalid 
method in request ^A
[Sat Apr  6 02:44:09 2002] [error] [client 24.101.140.253] Invalid 
method in request ^Z
[Sat Apr  6 02:44:12 2002] [error] [client 24.101.140.253] File does not 
exist: /mnt/bigone/www/html/www.teilo.net/invalidfilename.htm
[Sat Apr  6 02:44:12 2002] [error] [client 24.101.140.253] Options 
ExecCGI is off in this directory: 
/mnt/bigone/www/html/www.teilo.net/invalidfilename.cgi
[Sat Apr  6 02:44:13 2002] [error] [client 24.101.140.253] Invalid URI 
in request GET /../invalidfilename.htm HTTP/1.0
[Sat Apr  6 02:44:13 2002] [error] [client 24.101.140.253] File does not 
exist: /mnt/bigone/www/html/www.teilo.net/invalidfilename.htm
[Sat Apr  6 02:44:14 2002] [error] [client 24.101.140.253] Options 
ExecCGI is off in this directory: 
/mnt/bigone/www/html/www.teilo.net/invalidfilename.cgi
[Sat Apr  6 02:44:14 2002] [error] [client 24.101.140.253] Invalid URI 
in request GET /../invalidfilename.htm HTTP/1.0
[Sat Apr  6 02:44:15 2002] [error] [client 24.101.140.253] File does not 
exist: /mnt/bigone/www/html/www.teilo.net/..À¯../..À¯../sensepost.exe
[Sat Apr  6 02:44:15 2002] [error] [client 24.101.140.253] File does not 
exist: /mnt/bigone/www/html/www.teilo.net/..À¯../..À¯../sensepost.exe
[Sat Apr  6 02:44:16 2002] [error] [client 24.101.140.253] File does not 
exist: /mnt/bigone/www/html/www.teilo.net/..À¯../..À¯../cmd1.exe



Regards,

   /James







Re: NEOMAIL - as big kev in OZ would say, IM EXCITED !

2002-04-08 Thread Blars Blarson
In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
>On Mon, Apr 08, 2002 at 08:51:50AM +0800, Marcel Welschbillig wrote:
>> Just wanted to make it clear that the email I sent about Neomail was
>> purely to let other people know about a program that I thought was worth
>> mentioning; it had nothing to do with Ernie Miller and was not intended
>> to be SPAM.
>Don't take my warning the wrong way. By all means, feel free to spread
>the word on good open-source software. Please just keep it to
>appropriate places and times (e.g. debian-user) or in the course of an
>on-topic discussion. I would have treated it as just another off-topic
>message were it not for the fact that your message had already
>previously been reported to razor.sourceforge.net as spam (which
>probably means that debian-security was not the only mailing list you
>posted it to).

Since I did report the copy I got on debian-security with
"spamassassin -r", in this case it is quite possible that the message
was only sent to one list.  If this had been sent to several lists, the
razor tagging would have helped me sort it out into my "probable spam"
area.

I agree with netsnipe about keeping messages on topic.








Re: NEOMAIL - as big kev in OZ would say, IM EXCITED !

2002-04-08 Thread Carel Fellinger
On Mon, Apr 08, 2002 at 08:51:50AM +0800, Marcel Welschbillig wrote:
> Hi,
> 
> Just wanted to make it clear that the email I sent about Neomail was 
> purely to let other people know about a program that I thought was worth 
> mentioning; it had nothing to do with Ernie Miller and was not intended 
> to be SPAM.
> 
> I'm sorry if I have caused you problems, Ernie; this is the last thing I 
> wanted to do.

I thought that the reaction you got was a bit harsh.
It's just that some of us get so much spam that we're likely to snap
when our beloved lists get such postings.

> In future I will keep my discoveries to myself!

Don't; just wait for an opportunity to vent your likings when asked
for, like when someone asks for comments on good (web-) email progies,
a recurring question on debian-user, so you don't have to wait that
long either.  Or slip it in when you post a solution to someone's mail
problem, especially if the problem would be a non-problem for Neomail.

-- 
greetings, carel







Re: NFS, password transparency, and security

2002-04-08 Thread Sami Haahtinen
On Sun, Apr 07, 2002 at 10:36:17PM -0700, Luca Filipozzi wrote:
> > this also allows crackers to access your userbase, unlike libpam-ldap,
> > where you are not forced to allow userpassword read access to the
> > database. The cracker just needs to hack this machine, read the password
> > from config and voila, ur nt3w0rk has been 0wn3d!
> 
> You don't need to put a binddn/bindpw into libnss-ldap if you make
> userPassword readable by all.  libnss-ldap can bind anonymously.  It's
> NIS-equivalent, however, so if the hashes are weak based on weak
> passwords, a dictionary attack is possible (just like NIS).

heh, in this case you would be screwed without root permissions, anyone
could make lookups to your ldap database and crack any of your boxes =)

anyways, it does not matter if it's a DN-bound or anonymous connection,
the password would be visible to the user and it would be possible to
break the password.

although, you are absolutely right, the anonymous bind is the equivalent
of NIS...

> Also, if you were to use a binddn/bindpw, you wouldn't use the
> rootdn/rootpw.

why not? the basic use for rootdn is to allow root to change any
password in the system. (or did you mean admin DN, and its password)

> Note for non-LDAP folk: userPassword is the hashed password, not the
> cleartext password.

ahh, good note... it's just too obvious for me, I forget that it's not
that obvious to others =)

anyways this discussion is going outside the scope of the thread, the
point being, use LDAP, it's re-usable... you can build bridges to NIS
from ldap, you can use it as your global addressbook. to put it simply,
LDAP+TLS is a good solution for the user distribution. =)

Sami

-- 
  -< Sami Haahtinen >-
  -[ Is it still a bug, if we have learned to live with it? ]-
-< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-


pgpM5YbegKQZJ.pgp
Description: PGP signature
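As an added illustration (mine, not from any poster) of the trade-off Luca and Sami are discussing, here are the two slapd.conf access-control settings side by side. The first is what an anonymously binding libnss-ldap needs in order to resolve password hashes, and it is the NIS-equivalent exposure described above: any client on the network can pull every hash and run a dictionary attack against it. The second lets libpam-ldap authenticate a user by binding as that user, while nobody can read the hash; the admin DN and the trailing catch-all ACL are placeholders assumed for the example.

```conf
# WEAK: hashes readable by everyone, which is what an anonymous-binding
# libnss-ldap requires. The directory is now a world-readable shadow file.
access to attrs=userPassword
        by anonymous read
        by * read

# CORRECTED: a user may change their own hash, any client may *use* it
# for a simple bind ("auth" allows comparison during bind but not read),
# an admin DN (placeholder) may set it, and nobody else can read it.
# libpam-ldap works with this; libnss-ldap still resolves names and uids
# through the other attributes, which remain readable below.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn="cn=admin,dc=example,dc=invalid" write
        by * none

access to *
        by * read
```

With the corrected ACL the client no longer needs a bindpw in /etc/libnss-ldap.conf either, which removes the second problem raised above: a readable bind credential on a compromised client that unlocks the whole directory.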


TV/Uydu Yayinlarina Artik Sifre Kisitlamasi Yok! -byqybqic

2002-04-08 Thread tamnpjph

Dear Internet User,

The "DECODER CD (v2.0)", holding code-cracking programs that decode all
encrypted TV channels in the world, starting with those broadcasting in
Turkey, and let you watch them on your computer with a simple TV card,
is now on sale (40 EURO + VAT).
(For all broadcasts in Digital, Analog, d2Mac and Nagra formats)

It is guaranteed and shipped cash on delivery.
Our electronic brochures will be sent to those requesting detailed information.

"Net-Pa" Internet Marketing Center Ltd. Sti.® 
A. Menderes Cad. Atagun Is Merkezi, Kat: 4 Sakarya, TR 
TEL: 0 (264) 281 38 85 (PBX)  ICQ: 572 98 144   
Abdullah Güçlü, GSM: 0 (532) 310 49 16 (09:00-17:00)   
Germany: 0049 (172) 682 01 69 - Belgium: 0032 (494) 25 02 30

CC. A: 1-830





Re: NEOMAIL - as big kev in OZ would say, IM EXCITED !

2002-04-08 Thread Andrew Lau
On Mon, Apr 08, 2002 at 08:51:50AM +0800, Marcel Welschbillig wrote:

> Just wanted to make it clear the the email i sent about Neomail was 
> purely to let other people know about a program that i thought was worth 
> mentioning, it had nothing to do with Ernie Miller and was not intended 
> to be SPAM.

Don't take my warning the wrong way. By all means, feel free to spread
the word on good open-source software. Please just keep it to
appropriate places and times (e.g. debian-user) or in the course of an
on-topic discussion. I would have treated it as just another off-topic
message were it not for the fact that your message had already
previously been reported to razor.sourceforge.net as spam (which
probably means that debian-security was not the only mailing list you
posted it to).

Yours sincerely,
Andrew "Netsnipe" Lau

---
* Andrew 'Netsnipe' Lau  DebianPlanet.org Editor & Comp.Sci, UNSW *
*   "apt-get into it" Debian GNU/Linux Maintainer *
* *
* GnuPG 1024D/2E8B68BD 0B77 73D0 4F3B F286 63F1  9F4A 9B24 C07D 2E8B 68BD *
---


pgpE2SYUu4NaC.pgp
Description: PGP signature


Re: NFS, password transparency, and security

2002-04-08 Thread Sami Haahtinen

On Sun, Apr 07, 2002 at 10:36:17PM -0700, Luca Filipozzi wrote:
> > this also allows crackers to access your userbase, unlike libpam-ldap,
> > where you are not forced to allow userpassword read access to the
> > database. The cracker just needs to hack this machine, read the password
> > from config and voila, ur nt3w0rk has been 0wn3d!
> 
> You don't need to put a binddn/bindpw into libnss-ldap if you make
> userPassword readable by all.  libnss-ldap can bind anonymously.  It's
> NIS-equivalent, however, so if the hashes are weak based on weak
> passwords, a dictionary attack is possible (just like NIS).

heh, in this case you would be screwed without root permissions, anyone
could make lookups to your ldap database and crack any of your boxes =)

anyways, it does not matter if it's a DN-binded or anonymous connection,
the password would be visible to the user and it would be possible to
break the password.

although, you are absolutely right, the anonymous bind is the equivalent
of NIS...

> Also, if you were to use a binddn/bindpw, you wouldn't use the
> rootdn/rootpw.

why not? the basic use for rootdn is to allow root to change any
password in the system. (or did you mean admin DN, and it's password)

> Note for non-LDAP folk: userPassword is the hashed password, not the
> cleartext password.

ahh, good note... it's just too obvious for me, i forget that it's not
that obvious to others =)

anyways this discussion is going outside the scope of the thread, the
point being, use LDAP, it's re-usable.. you can build bridges to NIS
from ldap, you can use it as your global addressbook. to put it simply,
LDAP+TLS a good solution for the user distribution. =)

Sami

-- 
  -< Sami Haahtinen >-
  -[ Is it still a bug, if we have learned to live with it? ]-
-< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-



msg06267/pgp0.pgp
Description: PGP signature


TV/Uydu Yayinlarina Artik Sifre Kisitlamasi Yok! -byqybqic

2002-04-08 Thread tamnpjph


Sayin Internet Kullanicisi,

Turkiye'de yayin yapanlar basta olmak uzere, Dunya'daki tum sifreli TV kanallarini 
cozen ve basit bir TV kartiyla bu yayinlari bilgisayarinizdan size izleme olanagi 
saglayan, sifre kirici programlarin kayitli oldugu,

DECODER CD (v2.0)" satisa sunulmustur (40 EURO + KDV).
(Digital, Analog, d2Mac ve Nagra formatindaki tum yayinlar icindir)

Garantilidir, odemeli olarak gonderilir. 
Detayli bilgi isteyenlere elektronik tanitim brosurlerimiz gonderilecektir 

"Net-Pa" Internet Marketing Center Ltd. Sti.® 
A. Menderes Cad. Atagun Is Merkezi, Kat: 4 Sakarya, TR 
TEL: 0 (264) 281 38 85 (PBX)  ICQ: 572 98 144   
Abdullah Güçlü, GSM: 0 (532) 310 49 16 (09:00-17:00)   
Germany: 0049 (172) 682 01 69 - Belgium: 0032 (494) 25 02 30

CC. A: 1-830


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: NEOMAIL - as big kev in OZ would say, IM EXCITED !

2002-04-08 Thread Andrew Lau

On Mon, Apr 08, 2002 at 08:51:50AM +0800, Marcel Welschbillig wrote:

> Just wanted to make it clear the the email i sent about Neomail was 
> purely to let other people know about a program that i thought was worth 
> mentioning, it had nothing to do with Ernie Miller and was not intended 
> to be SPAM.

Don't take my warning the wrong way. By all means, feel free to spread
the word on good open-source software. Please just keep it to
appropriate places and times (e.g. debian-user) or in the course of an
on-topic discussion. I would have treated it as just another off-topic
message were it not for the fact that your message had already
previously been reported to razor.sourceforge.net as spam (which
probably means that debian-security was not the only mailing list you
posted it to).

Yours sincerely,
Andrew "Netsnipe" Lau

---
* Andrew 'Netsnipe' Lau  DebianPlanet.org Editor & Comp.Sci, UNSW *
*   "apt-get into it" Debian GNU/Linux Maintainer *
* *
* GnuPG 1024D/2E8B68BD 0B77 73D0 4F3B F286 63F1  9F4A 9B24 C07D 2E8B 68BD *
---





subscribe

2002-04-08 Thread fh ML

--
  Florian Hinzmann private: [EMAIL PROTECTED]
Debian: [EMAIL PROTECTED]
PGP Key / ID: 1024D/B4071A65
Fingerprint : F9AB 00C1 3E3A 8125 DD3F  DF1C DF79 A374 B407 1A65





Re: NFS, password transparency, and security

2002-04-08 Thread Tarjei Huse
Hi,

Just thought I'd chip in some support for LDAP. Also a Kerberos
pointer:
www.bayour.com has a very good LDAP+Kerberos howto for Debian written by
Turbo Fredrikson.

Also you should check out Directory Administrator for administering your
directory. A simple LDAP client for administrating LDAP users.

Now, the last thing: Does anyone have a URL for the SFS fileserver
system?

Tarjei





Re: NFS, password transparency, and security

2002-04-08 Thread Luca Filipozzi
On Mon, Apr 08, 2002 at 08:23:17AM +0300, Sami Haahtinen wrote:
> On Sun, Apr 07, 2002 at 08:14:26PM -0700, Luca Filipozzi wrote:
> > Two choices (I like lists :) ):
> > 
> > (1) use libpam-ldap:
> 
> i recommend this.

I also recommend this.

> > (2) don't use libpam-ldap:
> > You don't have to use libpam-ldap.  You could just use
> > libnss-ldap and have the ldap server transfer the password
> > hashes to the workstations in the clear ... which is equivalent
> > to NIS.  You could also use libnss-ldap with SSL/TLS so that the
> > hashes are transferred more securely (equivalent to NIS+).
> 
> i don't recommend the above to anyone (do as i say, not as i do.. =) it
> will cause problems, you are forced to enter the database access
> password to the configuration, which you will then need to make readable
> to root, which in turn forces you to use nscd.

No, you don't.  You can set the ACLs in slapd.conf for userPassword to
'by * read'.  Sure, it's not a good choice.  That's why I said that it
is the equivalent of NIS.

> this also allows crackers to access your userbase, unlike libpam-ldap,
> where you are not forced to allow userpassword read access to the
> database. The cracker just needs to hack this machine, read the password
> from config and voila, ur nt3w0rk has been 0wn3d!

You don't need to put a binddn/bindpw into libnss-ldap if you make
userPassword readable by all.  libnss-ldap can bind anonymously.  It's
NIS-equivalent, however, so if the hashes are weak based on weak
passwords, a dictionary attack is possible (just like NIS).

Also, if you were to use a binddn/bindpw, you wouldn't use the
rootdn/rootpw.

Note for non-LDAP folk: userPassword is the hashed password, not the
cleartext password.

Luca

-- 
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D

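To make the two ACL choices Luca contrasts concrete, here is an added slapd.conf fragment (written for this page, not taken from the thread or from the Debian packages; OpenLDAP 2.1-era directive syntax is assumed) showing the NIS-equivalent `by * read` setting beside the one libpam-ldap lets you use:

```conf
# Added example, not from the thread. Only ONE of (A) or (B) should be
# active in a real slapd.conf: slapd applies the first matching
# "access to" clause, so a second userPassword clause is never reached.

# (A) NIS-equivalent, as described in the thread: every hash is
#     world-readable. libnss-ldap can bind anonymously and no bindpw
#     has to live on the workstations, but anyone who can reach port
#     389 can dump all hashes and run a dictionary attack offline.
access to attrs=userPassword
        by * read

# (B) What libpam-ldap makes possible: the hash is never handed out.
#     Users may change their own password, everyone else may only
#     authenticate against it (a simple bind compares, it does not
#     read), and nobody can search or read the attribute itself.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Account data (uid, uidNumber, gidNumber, homeDirectory, ...) stays
# readable so libnss-ldap lookups still work without credentials.
access to *
        by * read

# Luca's second point: never send the password in a simple bind over
# cleartext. Require a security strength factor (e.g. TLS) for simple
# binds; OpenLDAP 2.1+ directive, not available in 2.0.
security simple_bind=128
```

With (B) the workstation's /etc/libnss-ldap.conf needs no binddn/bindpw at all, and /etc/pam_ldap.conf only needs `ssl start_tls` so the user's own bind is protected.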




Re: NFS, password transparency, and security

2002-04-08 Thread Sami Haahtinen
On Sun, Apr 07, 2002 at 08:14:26PM -0700, Luca Filipozzi wrote:
> Two choices (I like lists :) ):
> 
> (1) use libpam-ldap:

I recommend this. Even though the current PAM system is a pain to
modify.. if you modify one file and it gets updated in the package it
will nag about it.. you can't tell if it's a needed change or not;
luckily I have heard rumours about a new design for the PAM system and I'm
eagerly waiting for it to arrive =)

> (2) don't use libpam-ldap:
> You don't have to use libpam-ldap.  You could just use
> libnss-ldap and have the ldap server transfer the password
> hashes to the workstations in the clear ... which is equivalent
> to NIS.  You could also use libnss-ldap with SSL/TLS so that the
> hashes are transferred more securely (equivalent to NIS+).

I don't recommend the above to anyone (do as I say, not as I do.. =) it
will cause problems, you are forced to enter the database access
password into the configuration, which you will then need to make readable
to root, which in turn forces you to use nscd.

There is nothing wrong with nscd, it's just plain stupid.. if you have a
small database, there is no problem, but if you have a big database (max
cached entries +1) you might start running into trouble. Apparently the
caching mechanism is quite stupid and it can't just expire an entry
because someone needs a new one.. =(

this also allows crackers to access your userbase, unlike libpam-ldap,
where you are not forced to allow userpassword read access to the
database. The cracker just needs to hack this machine, read the password
from config and voila, ur nt3w0rk has been 0wn3d!


Sami

-- 
  -< Sami Haahtinen >-
  -[ Is it still a bug, if we have learned to live with it? ]-
-< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-




Re: NFS, password transparency, and security

2002-04-08 Thread Luca Filipozzi
On Sun, Apr 07, 2002 at 09:22:12PM -0700, tony mancill wrote:
> What if you use FreeS/WAN (or really, any sort of IPsec)?  It can be set
> up in a mode that's called "opportunistic encryption" that will use IPsec
> for communication when it's available and allow other traffic to proceed
> as normal.  In this way, you won't care if things like LDAP (or even NIS)
> pass passwords around in cleartext, just as long as the workstation <->
> file-server or authentication server connections are encrypted.  Although
> I haven't done it, you should be able to run the server services bound to
> a specific IP that is only accessible via clients that have successfully
> IPsec-attached.

For the NFS traffic, opportunistic encryption seems like a very
interesting idea.

There's no way I would use libpam-ldap without knowing *for certain*
that it was going over a TLS/SSL connection, however.

Luca

-- 
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D

