Re: backup user

2002-07-22 Thread Sam Vilain
Boris Daix [EMAIL PROTECTED] wrote:

> - Can I safely give an SSH key to my backup user without any
>   passphrase so that it could be automated via cron ?

You can use `ssh-keygen -f single_action_key' to create a key for remote 
execution of scripts.

On the remote end, add this key to the `.ssh/authorized_keys' file.  You should 
add a forced command so that only one command may be executed with that key.

For rsync(1), you need to capture the exact switches of the rsync server
command.  To do this, you can use this script on the destination server:

#!/usr/bin/perl
# Record the arguments rsync passes to its server side.
open CAPTURE, ">$ENV{HOME}/capture.log" or die "capture.log: $!";
print CAPTURE "@ARGV\n";
close CAPTURE;

Then add --rsync-path=/path/to/script to your rsync command line.  This
will leave something similar to the following in the destination
~/capture.log:

--server -vlgtpr --partial . yourhost

So, you would use an authorized_keys entry like this (all one line):

command="rsync --server -vlogDtpr --partial . yourhost",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty 1024 35 23...2334 Server backup key

For more complete security, you could add a `chroot' jail to the above
command.

> - Is amanda appropriate for this task and would it be more secure
>   to use it instead ?
> - If it is unsecure, how would I do such backups without having to
>   enter passphrase/passwd ?

System backups are always an easy entry point; very often they contain
things like secret keys to encryption, etc. that will allow a malicious
user to pretend to be the machine that they have access to the backups of.
Protect your backups carefully!
--
   Sam Vilain, [EMAIL PROTECTED] WWW: http://sam.vilain.net/
7D74 2A09 B2D3 C30F F78E  GPG: http://sam.vilain.net/sam.asc
278A A425 30A9 05B5 2F13

Real Programmers don't write in Fortran.  Fortran is for wimp   
engineers who wear white socks.  They get excited over finite state
analysis and nuclear reactor simulation.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
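
An added example (not part of the original message and not code from OpenSSH): a small Python audit that parses `authorized_keys` lines and reports keys that lack the forced command or the `no-*` restrictions used in the entry above. The function names, the sample keys and the `/usr/local/bin/backup` path are constructed for illustration; the `restrict` check assumes a newer OpenSSH server and does not come from the message.

```python
import re
# Restrictions set next to command="..." in the entry from the message.
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}
# A line without options starts with an SSH2 key type or an SSH1 bit count.
KEY_START = re.compile(r"(ssh-|ecdsa-|sk-)|\d+$")
# One option: name, optional =value; quoted values may hold spaces and commas.
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)"|=([^,\s"]*))?(,|\s+|$)')

def parse_entry(line):
    """Return (options dict, key fields) for one authorized_keys line."""
    line = line.strip()
    opts, pos = {}, 0
    if KEY_START.match(line.split()[0]):
        return opts, line.split()
    while True:
        m = OPT.match(line, pos)
        if not m:
            raise ValueError(f"malformed options at column {pos}")
        name, quoted, bare, term = m.groups()
        opts[name.lower()] = next((v for v in (quoted, bare) if v is not None), True)
        pos = m.end()
        if term != ",":          # unquoted whitespace ends the options field
            return opts, line[pos:].split()

def audit(text):
    """Map line number -> findings for entries that are not locked down."""
    report = {}
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            opts, _key = parse_entry(line)
        except ValueError as exc:
            report[no] = [str(exc)]
            continue
        findings = []
        if "restrict" not in opts:   # OpenSSH option, not used in the message
            findings = sorted(f"missing {r}" for r in REQUIRED - set(opts))
        if not opts.get("command"):
            findings.append("no forced command")
        if findings:
            report[no] = findings
    return report

# Constructed sample file; key material is placeholder text, not real keys.
SAMPLE = """command="rsync --server -vlogDtpr --partial . yourhost",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty 1024 35 1234567890 Server backup key
ssh-ed25519 AAAAC3constructed cron@client
command="/usr/local/bin/backup",no-pty ssh-rsa AAAAB3constructed other
"""
```

Calling `audit(SAMPLE)` leaves the first entry out of the report and lists what the other two lack.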



Re: Recent fun on Debian-Security

2002-07-22 Thread Fabien Penso

Sat, 20 Jul 2002 09:38:44 +0200, you said:

> On Friday 19 July 2002 at 13:08:07 -0400, Phillip Hofmeister wrote:

> [...]

> Such a system of real-time blacklist maintained by email already exists for
> French users, see http://perso.linuxfr.org/nospam/spam.html. A robot is
> listening on an email address; it receives GPG-signed emails with copies of
> spam mail and a command to add an email or a domain to the blacklist.
> Anyone can listen to the list and reproduce the robot's actions on their own
> MTA access files or regularly download the files directly from
> http://perso.linuxfr.org/nospam/user.txt and
> http://perso.linuxfr.org/nospam/domain.txt.

> Maybe this robot could be reused, see with [EMAIL PROTECTED]

Hi.

I can give away the sources of the Perl robot which does that. Simple:
you add the name which appears in the GPG key, then people sign the
message with a command to add / remove an entry.

Mail me if you are interested.

-- 
Fabien Penso [EMAIL PROTECTED] | LinuxFr always needs:
http://perso.LinuxFr.org/penso/  | http://linuxFr.org/dons/




OTP telnet

2002-07-22 Thread Artur R. Czechowski
Dear All
I write to you instead of submitting a bug/wish because this is related
to more than one package. This letter is related to the packages login
and telnetd and has security issues.

I would like to configure telnet to log in only using One Time Passwords.
It looks simple: install the opie packages (server, client and pam modules),
disable password login and add OTP login to /etc/pam.d/login. But there is one
problem: it also changes the behavior of login from the console. *getty spawns
the same /bin/login as telnetd and wants an OTP password from the user, not a
unix password.

A temporary solution is:
auth   sufficient pam_unix.so
auth   sufficient pam_opie.so
auth   required   pam_deny.so
(as described in libpam-opie)
but it still allows users to log in via telnet using a unix password.

I have an idea for discussion: is it possible to create two /bin/login
instances (i.e. /bin/login and /bin/login-telnet) which differ only
by the PAM entry used? There could also be one /bin/login symlinked
as /bin/login-sth.
If called as /bin/login, the login entry in PAM is checked. If called as
/bin/login-sth, the sth entry is checked.

It would also require changes in the telnetd code. The new name/path of the
login program must be hardcoded. Also there should be an option to set this
name/path from the command line.

If you think this idea is ok notify me, please. I will try to write a patch for
it.

Regards
Artur Czechowski

Disclaimer: 
Feel free to cite/forward this email if you find it useful.
-- 
Artur Czechowski
JMC Sp. z o.o.
e-mail: [EMAIL PROTECTED]
Tel.: (0 22) 825 23 24, tel./fax.: (0 22) 825 95 58








SMTP RCPT TO overflow

2002-07-22 Thread Dale Amon
Does anyone know what causes the snort warning about

SMTP RCPT TO overflow

I presume it is not an actual attack because I've seen
it happening between almost all of my mail systems, even
isolated ones. I use exim of course. I would presume 
this is a false positive, but what tweaks it and is 
there a way to untweak it?









Re: SMTP RCPT TO overflow

2002-07-22 Thread jh
On Mon, Jul 22, 2002 at 18:11:48 +0100, Dale Amon [EMAIL PROTECTED] wrote:
> Does anyone know what causes the snort warning about
>
>   SMTP RCPT TO overflow

There has been recent talk about this signature on snort-signatures
mailing list, actually.

> I presume it is not an actual attack because I've seen
> it happening between almost all of my mail systems, even
> isolated ones. I use exim of course. I would presume
> this is a false positive, but what tweaks it and is
> there a way to untweak it?

Take a look at:
http://marc.theaimsgroup.com/?w=2&r=1&s=SMTP+RCPT+TO+overflow&q=t

or more specifically:
http://marc.theaimsgroup.com/?l=snort-sigs&m=102704170806018&w=2

-- 
It's God.  No, not Richard Stallman, or Linus Torvalds, but God.
(By Matt Welsh)





Re: SMTP RCPT TO overflow

2002-07-22 Thread Dale Amon
On Mon, Jul 22, 2002 at 03:48:36PM -0500, jh wrote:
> There has been recent talk about this signature on snort-signatures
> mailing list, actually.
> Take a look at:
> http://marc.theaimsgroup.com/?w=2&r=1&s=SMTP+RCPT+TO+overflow&q=t
> or more specifically:
> http://marc.theaimsgroup.com/?l=snort-sigs&m=102704170806018&w=2

Thanks. Read them and the gist of it was pretty much as I thought,
a bad rule that gets triggered by normal operations. 

I'll be dropping it from my config.



