configuration problem with interaction of krb5 and kde screensaver

2002-09-19 Thread Dietrich Schroff


Greetings,

our institute network uses afs and krb5 for home directories and 
user authentication.
I got everything working, like logging in as user (net) or root (local)
with wdm or ssh or on the console, getting AFS tokens automatically (for
the net user, not for root).

Here is my problem:
If I log in as a user in KDE and then use the screensaver, I cannot
unlock my screen. As root this is possible. 
I think the configuration file is /etc/pam.d/kde. It looks like this:

auth  required /lib/security/pam_nologin.so
auth  sufficient   /lib/security/pam_unix.so shadow md5 nullok likeauth
auth  required /lib/security/pam_krb5.so use_first_pass


Can anybody tell me the right configuration to cure this last problem,
so that every computer on our institute can be upgraded to AFS and
Kerberos ?

Any pointers to documentation or suggestions on how to troubleshoot will
be much appreciated.

Please CC me as I am not subscribed.

Many thanks,
-- 
 \|/
(o o)
oOO**(_)**OOo---
Dietrich Schroff
  Institut fuer Physik
   Universitaet Mainz

Tel.:  +496131 3924075
Tel.:  +496135 934917 (priv)
WWW:   www.uni-mainz.de/~dschroff
Mail:  [EMAIL PROTECTED]




-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Kernel image 2.4.18-bf2.4

2002-09-19 Thread Douglas Wheet

Greetings,

I may have missed something on the lists, but I was doing my usual 
nightly reading and saw there are some vulnerabilities in kernel 2.4.18 on 
Security Focus. I was wondering if there are or will be patches for these 
vulnerabilities? 


http://online.securityfocus.com/bid/5539 

http://online.securityfocus.com/bid/5178 

http://online.securityfocus.com/bid/4259 

Thanks. 

 -doug






Re: slapper countermeasures

2002-09-19 Thread Emil Pedersen


[...]

 Indeed. A similar case to this is the Good Samaritan Act was abolished, or
 at least changed in Australia to the point that if some one was mown down by
 a bus and you pulled them off the road and they still died, you could be
 sued by the family for killing them. It's a load of crud, but it happens.

Damn, I was hoping Australia could be a nice place to live in (when I
get rich:-) _without_ the (imo) far too common
 lets-take-all-the-bad-things-from-usa-and-implement-it-here attitude.

Hmm, why do I even bother...  I've probably read too many mails about
DMCA, Macrovision, ... in too short a time, sorry.

Sincerely,
Emil






Re: SSL update.. still giving me a Vulnerable status

2002-09-19 Thread Florian Weimer

Jeroen de Leeuw den Bouter [EMAIL PROTECTED] writes:

 No, it checks a large and a small overflow. Jeroen, have you restarted
 the httpd? If not, it is still running with the old library.

 I shut the whole apache down (both http and http-ssl).

Oh, in this case, I am really interested in the data Lupe suggested to
collect.  There might be a false positive here.  However, a clean
woody installation results in the expected answer (even if Apache-SSL
is used), so this is really worth close inspection.

So far I've seen two other reports of such an inconsistency.  The
first one could be tracked down to a self-compiled Apache running on
the machine, the second one is still open.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  fax +49-711-685-5898






Re: configuration problem with interaction of krb5 and kde screensaver

2002-09-19 Thread Will Aoki

On Thu, Sep 19, 2002 at 08:44:18AM +0200, Dietrich Schroff wrote:

 Here my problem:
 If i log in as user in KDE and then use the screensaver, i can not
 unlock my screen. As root this is possible. 
 I think the configuration file is /etc/pam.d/kde. It looks like this:
 
 auth  required /lib/security/pam_nologin.so
 auth  sufficient   /lib/security/pam_unix.so shadow md5 nullok likeauth
 auth  required /lib/security/pam_krb5.so use_first_pass

Try this instead:

auth  required /lib/security/pam_nologin.so
auth  sufficient   /lib/security/pam_krb5.so
auth  required /lib/security/pam_unix.so shadow md5 nullok likeauth use_first_pass

 Can anybody tell me the right configuration to cure this last problem,
 so that every computer on our institute can be upgraded to AFS and
 Kerberos ?
 
 Any pointers to documentation or suggestions on how to troubleshoot will
 be much appreciated.
 
 Please CC me as I am not subscribed.

-- 
William Aoki [EMAIL PROTECTED]   /\  ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B  - key change\ /  No HTML in mail or news!
99AF A093 29AE 0AE1 9734   prev. expiredX
   / \



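To see what each of the two stacks actually does for a given account, the following added example (not code from the posts) walks a pam.d auth stack with Linux-PAM's control-flag rules: a required module's failure is recorded but the stack continues, sufficient returns success at once if nothing required has failed yet, and use_first_pass reuses the password an earlier module collected and fails if none has been collected. The accounts, passwords, KDC state and the variant of Will's stack without nullok are constructed for the demonstration; the simulator models the stack only, not the screensaver's actual process environment.

```python
"""Walk a pam.d 'auth' stack with Linux-PAM control-flag semantics.

Added example for the thread above, not code from the posts.  ORIGINAL and
PROPOSED are the two stacks quoted in the thread; the accounts, passwords,
KDC state and the nullok-free variant are constructed for the demonstration."""

from dataclasses import dataclass
from typing import Optional

SUCCESS, FAIL = "success", "fail"

ORIGINAL = """
auth  required     /lib/security/pam_nologin.so
auth  sufficient   /lib/security/pam_unix.so shadow md5 nullok likeauth
auth  required     /lib/security/pam_krb5.so use_first_pass
"""
PROPOSED = """
auth  required     /lib/security/pam_nologin.so
auth  sufficient   /lib/security/pam_krb5.so
auth  required     /lib/security/pam_unix.so shadow md5 nullok likeauth use_first_pass
"""
PROPOSED_NO_NULLOK = PROPOSED.replace(" nullok", "")   # constructed variant


@dataclass
class Module:
    control: str      # required | requisite | sufficient | optional
    name: str         # pam_nologin, pam_unix, pam_krb5
    options: tuple


@dataclass
class Account:
    local_password: Optional[str]   # None: no usable hash ('*'/'!'); "": empty field
    krb_password: Optional[str]     # None: no Kerberos principal


def parse_stack(text):
    """Turn the 'auth' lines of a pam.d file into Module records."""
    modules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "auth":
            continue
        control, path, *options = fields[1:]
        name = path.rsplit("/", 1)[-1]
        modules.append(Module(control, name[:-3] if name.endswith(".so") else name, tuple(options)))
    return modules


def module_result(mod, account, token, kdc_up):
    """Outcome of one module for one account, given the password it sees."""
    if mod.name == "pam_nologin":
        return SUCCESS                                  # scenario: no /etc/nologin
    if mod.name == "pam_unix":
        stored = account.local_password
        if stored is None:
            return FAIL
        if stored == "":                                # only nullok accepts an empty field
            return SUCCESS if "nullok" in mod.options and token == "" else FAIL
        return SUCCESS if token == stored else FAIL
    if mod.name == "pam_krb5":
        ok = kdc_up and account.krb_password is not None and token == account.krb_password
        return SUCCESS if ok else FAIL
    raise ValueError(f"unmodelled module {mod.name}")


def authenticate(stack_text, account, typed, kdc_up=True):
    """Return (result, prompts, trace); trace lists (module, result) for every
    module that actually ran, so short-circuits and skipped modules are visible."""
    token = None                # PAM_AUTHTOK, shared down the stack
    prompts = 0
    recorded_failure = None     # first failure of a 'required' module
    trace = []
    for mod in parse_stack(stack_text):
        if mod.name == "pam_nologin":
            result = module_result(mod, account, None, kdc_up)
        elif "use_first_pass" in mod.options:
            # Reuse the password an earlier module collected; fail if there is none.
            result = FAIL if token is None else module_result(mod, account, token, kdc_up)
        else:
            token, prompts = typed, prompts + 1         # this module prompts the user
            result = module_result(mod, account, token, kdc_up)
        trace.append((mod.name, result))
        if mod.control == "requisite" and result == FAIL:
            return FAIL, prompts, trace                 # stop immediately
        if mod.control == "required" and result == FAIL and recorded_failure is None:
            recorded_failure = FAIL                     # remember, but keep walking
        if mod.control == "sufficient" and result == SUCCESS and recorded_failure is None:
            return SUCCESS, prompts, trace              # enough: the rest is skipped
    return recorded_failure or SUCCESS, prompts, trace


# Constructed accounts: Kerberos-only institute user, local-only root, and a
# local entry with an empty password field.
NET_USER = Account(local_password=None, krb_password="s3cret")
ROOT = Account(local_password="rootpw", krb_password=None)
EMPTY_LOCAL = Account(local_password="", krb_password="k3rb")

if __name__ == "__main__":
    for label, stack in (("original", ORIGINAL), ("proposed", PROPOSED)):
        for who, acct, pw in (("net user", NET_USER, "s3cret"), ("root", ROOT, "rootpw")):
            print(label, who, authenticate(stack, acct, pw))
    print("original, empty local field:", authenticate(ORIGINAL, EMPTY_LOCAL, ""))
    print("proposed without nullok:   ", authenticate(PROPOSED_NO_NULLOK, EMPTY_LOCAL, ""))
```

With Will's ordering root gets a single prompt (pam_krb5 collects the password, fails for an account with no principal, and pam_unix reuses it via use_first_pass), the net user never reaches pam_unix because sufficient returns early, and a wrong password or an unreachable KDC fails the whole stack. A module with use_first_pass placed first in the stack fails outright, since nothing has collected a password yet. The nullok case is worth watching in either stack: an account whose local password field is empty authenticates on an empty password whatever Kerberos says; dropping nullok closes that.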



a.out apache exploit known?

2002-09-19 Thread Michael Renzmann

Hi.

Is there any known issue with an HTTP request for a file named a.out? I 
was just wondering, because I had such a request today from a box which 
was in a .mil domain... he/she downloaded the source of slapper there, 
watched the index file (which is quite boring so far :)) and then tried 
to access a file a.out in the root of the webserver. Accident? Or 
anything that one should know of?

Bye, Mike






Re: slapper countermeasures

2002-09-19 Thread thing
Geoff Crompton wrote:

   (I've been trying to think of a reason that the owner of an infected
   box would not appreciate efforts to sanitize the box).

simple

gross stupidity

I mean they didn't patch it in the first place...

Mind you if you did fix it for them they would probably never notice.

I have built machines for companies who refuse to pay me a small monthly
retainer to patch (in one case a two year old box), as they see it I'm just
trying to make money on them.

Conclusion: they get what they deserve.

Add that some moron like a public prosecutor would see you as easy
meat/vigilante and do you for all the crimes under the Sun he/she could think
of.

What happens if your patching breaks the box? Or someone hijacks your code and
inserts a nasty payload?

Conclusion: I often think sensible people are in a minority and getting smaller.

regards

Thing




Re: slapper countermeasures

2002-09-19 Thread Jason Clarke
- Original Message -
From: thing [EMAIL PROTECTED]
Subject: Re: slapper countermeasures


 Geoff Crompton wrote:

(I've been trying to think of a reason that the owner of an infected
box would not appreciate efforts to sanitize the box).


 Mind you if you did fix it for them they would probably never notice.

Granted.

 I have built machines for companies who refuse to pay me a small monthly
 retainer to patch (in one case a two year old box), as they see it I'm just
 trying to make money on them.

I've had that happen to me a lot, but since Nimda / Code Red etc, most have
changed their minds.

 Add that some moron like a public prosecutor would see you as easy
 meat/vigilante and do you for all the crimes under the Sun he/she could
 think of.

Indeed. A similar case to this is the Good Samaritan Act was abolished, or
at least changed in Australia to the point that if some one was mown down by
a bus and you pulled them off the road and they still died, you could be
sued by the family for killing them. It's a load of crud, but it happens.


 Conclusion: I often think sensible people are in a minority and getting
 smaller.


It's a matter of survival of the fittest. Touching another user's machine
without the authority or permission to do so, while it might be a good thing
(tm), is still too open to dangerous consequences. You've got to look after
number 1, so just keep yourself patched, keep in contact with [EMAIL PROTECTED]
and just keep plodding on :-)



Re: slapper countermeasures

2002-09-19 Thread Alan Shutko
Geoff Crompton [EMAIL PROTECTED] writes:

   (I've been trying to think of a reason that the owner of an infected
   box would not appreciate efforts to sanitize the box).

The big problem is that it's possible your efforts actually damage
important services or data that the virus didn't.

Machines which are vulnerable to viruses are likely also set up in
rather interesting ways.  Unless you had detailed knowledge of how it
was set up, you might break things while disabling the virus.

-- 
Alan Shutko [EMAIL PROTECTED] - In a variety of flavors!
Dedicated to better living through computers.



Re: slapper countermeasures

2002-09-19 Thread thing
someone needs to fix their anti-spam filter

regards

Thing

Jaroslaw Tabor wrote:

 Your mail has been rejected by anti-spam filter



Re: SSL update.. still giving me a Vulnerable status

2002-09-19 Thread Jeroen de Leeuw den Bouter
  No, it checks a large and a small overflow. Jeroen, have you restarted
  the httpd? If not, it is still running with the old library.

  I shut the whole apache down (both http and http-ssl).

 Oh, in this case, I am really interested in the data Lupe suggested to
 collect.  There might be a false positive here.  However, a clean
 woody installation results in the expected answer (even if Apache-SSL
 is used), so this is really worth close inspection.

 So far I've seen two other reports of such an inconsistency.  The
 first one could be tracked down to a self-compiled Apache running on
 the machine, the second one is still open.
The following was happening:

1) the packages were the right version (dpkg reported them correctly
installed).
2) but the libs of the ssl packages were from the wrong version.
3) I did an apt-get dist-upgrade (again, even though I had already done that).
4) And there it went, catching the same ssl packages that it had already
installed.
5) I restarted apache / ssl just to be sure.
6) When checking the libs they were the correct version; when running the
test program he gave the correct answer.

So, to analyse what could have been wrong: dpkg might have thought
everything went OK for installation, but it didn't.

But it is working correctly, so I am a happy man !!

Thanks for all the help,

Jeroen de Leeuw den Bouter
the world downunder.. but still on top.

Net Ventures... the major league for internet broadcasts.
www.netventures.com.au
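Florian's question earlier in this thread (has the httpd been restarted, or is it still running with the old library) and Jeroen's finding that the libraries on disk did not match what dpkg recorded both come down to checking what a running process actually has mapped. A shared library that is replaced on disk while a process still maps it shows up in that process's /proc/PID/maps with a "(deleted)" suffix until the process is restarted. The following is an added example, not code from the thread; SAMPLE_MAPS is a constructed maps excerpt, and the scan over /proc needs root to see other users' processes.

```python
"""Find processes that still map a shared library replaced on disk.

Added example, not from the thread.  The kernel appends " (deleted)" to a
mapping whose file was unlinked or replaced; a daemon showing that against
libssl is still executing the pre-upgrade code.  SAMPLE_MAPS is constructed."""

import os
import re

# Constructed /proc/PID/maps excerpt: libssl replaced by an upgrade while
# the (still running) apache-ssl had it mapped; libcrypto untouched.
SAMPLE_MAPS = """\
08048000-08070000 r-xp 00000000 03:01 9999       /usr/sbin/apache-ssl
b7e1c000-b7f5a000 r-xp 00000000 03:01 12345      /usr/lib/libssl.so.0.9.6 (deleted)
b7f5a000-b7f60000 rw-p 0013e000 03:01 12345      /usr/lib/libssl.so.0.9.6 (deleted)
b7f60000-b7f8a000 r-xp 00000000 03:01 54321      /usr/lib/libcrypto.so.0.9.6
b7f8a000-b7f8b000 rw-p 00000000 00:00 0
bffe0000-c0000000 rw-p 00000000 00:00 0          [stack]
"""

# address perms offset dev inode [pathname]; pathname may be empty.
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s*(.*)$")
DELETED = " (deleted)"


def stale_libraries(maps_text):
    """Return the sorted shared-library paths in one maps listing that are
    marked deleted, i.e. mapped from a file that no longer exists on disk."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group(1).rstrip()
        if not path.endswith(DELETED):
            continue
        path = path[: -len(DELETED)]
        if ".so" in os.path.basename(path):       # libraries only, not binaries
            stale.add(path)
    return sorted(stale)


def scan_processes(proc="/proc"):
    """Yield (pid, comm, path) for every live process holding a stale library."""
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc}/{pid}/maps") as f:
                maps = f.read()
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:          # process exited, or not ours and not root
            continue
        for path in stale_libraries(maps):
            yield int(pid), comm, path


if __name__ == "__main__":
    print("constructed sample:", stale_libraries(SAMPLE_MAPS))
    for pid, comm, path in scan_processes():
        print(f"{pid}\t{comm}\t{path}")
```

Any hit against libssl means that service still executes the old code whatever dpkg -l reports; restart it and re-run the check. The other half of Jeroen's problem, installed files not matching the package, is what debsums is for: it compares the files on disk against the md5sums shipped in the package (in woody, the libssl0.9.6 package).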