[SECURITY] [DSA-341-1] New liece packages fix insecure temporary file creation

2003-07-07 Thread Matt Zimmerman

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 341-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
July 7th, 2003  http://www.debian.org/security/faq
- --

Package: liece
Vulnerability  : insecure temporary file
Problem-Type   : local
Debian-specific: no

liece, an IRC client for Emacs, does not take appropriate security
precautions when creating temporary files.  This bug could potentially
be exploited to overwrite arbitrary files with the privileges of the
user running Emacs and liece, potentially with contents supplied
by the attacker.

For the stable distribution (woody) this problem has been fixed in
version 2.0+0.20020217cvs-2.1.

For the unstable distribution (sid) this problem has been fixed in
version 2.0+0.20030527cvs-1.

We recommend that you update your liece package.

Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/l/liece/liece_2.0+0.20020217cvs-2.1.dsc
  Size/MD5 checksum:  651 5365a2832255484825d91a074a9002d5

http://security.debian.org/pool/updates/main/l/liece/liece_2.0+0.20020217cvs-2.1.diff.gz
  Size/MD5 checksum:    23656 ae6f387c235a5d96095451b4af191f35

http://security.debian.org/pool/updates/main/l/liece/liece_2.0+0.20020217cvs.orig.tar.gz
  Size/MD5 checksum:   177906 e65904378f316bf91ff03778616cc1f2

  Architecture independent components:


http://security.debian.org/pool/updates/main/l/liece/liece_2.0+0.20020217cvs-2.1_all.deb
  Size/MD5 checksum:   172444 f8bbd4ad57ce0312d800bc2560317fc8

  Alpha architecture:


http://security.debian.org/pool/updates/main/l/liece/liece-dcc_2.0+0.20020217cvs-2.1_alpha.deb
  Size/MD5 checksum:    13586 0e4f1b0f79f18e7e945ed00ca11d7de7

  ARM architecture:


http://security.debian.org/pool/updates/main/l/liece/liece-dcc_2.0+0.20020217cvs-2.1_arm.deb
  Size/MD5 checksum:    12268 2db13830327fb7a57bd4a817b9355b87

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/l/liece/liece-dcc_2.0+0.20020217cvs-2.1_i386.deb
  Size/MD5 checksum:    12146 607efa3d30637343f27fa8f80878ea51

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/l/liece/liece-dcc_2.0+0.20020217cvs-2.1_ia64.deb
  Size/MD5 checksum:    15352 e9daa6803be3ce7b2347ee82aca66b4f

  HP Precision architecture:


http://security.debian.org/pool/updates/main/l/liece/liece-dcc_2.0+0.20020217cvs-2.1_hppa.deb
  Size/MD5 checksum:    13294 d8ccec5776c8609395427df536895408

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/l/liece/liece-dcc_2.0+0.20020217cvs-2.1_m68k.deb
  Size/MD5 checksum:    11858 a9f45efebe7d434d2734372b1560f4ae

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/l/liece/liece-dcc_2.0+0.20020217cvs-2.1_mips.deb
  Size/MD5 checksum:    12426 e2aa7cbc34c648dbee47a09790adc04b

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/l/liece/liece-dcc_2.0+0.20020217cvs-2.1_mipsel.deb
  Size/MD5 checksum:    12602 c37e26ff0c9c531c7973410f32ff1bcb

  PowerPC architecture:


http://security.debian.org/pool/updates/main/l/liece/liece-dcc_2.0+0.20020217cvs-2.1_powerpc.deb
  Size/MD5 checksum:    12044 f56a5757cdb1dcf6b7d16e9bf9c86878

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/l/liece/liece-dcc_2.0+0.20020217cvs-2.1_s390.deb
  Size/MD5 checksum:    12576 ec2bd8df278c3f8540bd2076fd03

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/l/liece/liece-dcc_2.0+0.20020217cvs-2.1_sparc.deb
  Size/MD5 checksum:    15046 6562f9c2ec923bf7f1ceec9b0204d2e3

  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)


[SECURITY] [DSA-342-1] New mozart packages fix unsafe mailcap configuration

2003-07-07 Thread Matt Zimmerman

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 342-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
July 7th, 2003  http://www.debian.org/security/faq
- --

Package: mozart
Vulnerability  : unsafe mailcap configuration
Problem-Type   : remote
Debian-specific: yes

mozart, a development platform based on the Oz language, includes MIME
configuration data which specifies that Oz applications should be
passed to the Oz interpreter for execution.  This means that file
managers, web browsers, and other programs which honor the mailcap
file could automatically execute Oz programs downloaded from untrusted
sources.  Thus, a malicious Oz program could execute arbitrary code
under the uid of a user running a MIME-aware client program if the
user selected a file (for example, choosing a link in a web browser).

For the stable distribution (woody) this problem has been fixed in
version 1.2.3.20011204-3woody1.

For the unstable distribution (sid) this problem has been fixed in
version 1.2.5.20030212-2.

We recommend that you update your mozart package.

Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1.dsc
  Size/MD5 checksum:  737 db77a39aa2f010ec8834a711401f362b

http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1.diff.gz
  Size/MD5 checksum:    13985 dca9c9a8e6d7df6e8c8629f7a6c593c7

http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204.orig.tar.gz
  Size/MD5 checksum: 11750595 6dd46e253d42fb3b28f92fbe679f0cca

  Architecture independent components:


http://security.debian.org/pool/updates/main/m/mozart/mozart-doc-html_1.2.3.20011204-3woody1_all.deb
  Size/MD5 checksum:  3715030 a9560d20cf60681d7e886ed67fafc39c

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1_i386.deb
  Size/MD5 checksum:  2603488 bf5ee9d14f658391b5b52635490b5f9b

http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_i386.deb
  Size/MD5 checksum:   453818 38da640e3bc647ea2118caea3be5383a

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1_m68k.deb
  Size/MD5 checksum:  2693506 773a378bf0d495ff06377fa6447a5bdd

http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_m68k.deb
  Size/MD5 checksum:   455708 cd8bbdea2e3cb0c78a3fb536349457f3

  PowerPC architecture:


http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1_powerpc.deb
  Size/MD5 checksum:  2713842 a2fe0fbe15568cced1ab30ca3afbb5f5

http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_powerpc.deb
  Size/MD5 checksum:   461030 d0fb02a21bed8c59c23d1f2c4ba225e3

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/m/mozart/mozart_1.2.3.20011204-3woody1_sparc.deb
  Size/MD5 checksum:  2616888 adf887815d1f6a8544ef89cce8967bb6

http://security.debian.org/pool/updates/main/m/mozart/mozart-contrib_1.2.3.20011204-3woody1_sparc.deb
  Size/MD5 checksum:   452178 8767035f4d1e4df343b5b38c8b2a91e0

  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/Cbf2ArxCt0PiXR4RArAIAJ49KsUNtlgceucdYee0r51L0XkpaACgqiOC
Oks9PX/6unM1/+0cEUmEfrw=
=Srm7
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
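DSA-342 above is a configuration problem rather than a code bug: a mailcap entry that hands a downloaded part straight to an interpreter. The script below is an added example, not Debian's or Mozart's own code. It parses mailcap(5) syntax (`#` comments, backslash line continuation, backslash-escaped semicolons) and flags entries whose view command runs `%s` through a program in an interpreter list. The sample mailcap and the INTERPRETERS set are constructed for the demo; the command name `ozengine` in the sample is an assumption used for illustration, not a line taken from the advisory or the package.

```python
"""Audit a mailcap file for handlers that execute the downloaded part.

Illustrates the DSA-342 problem class: a mailcap entry whose view command
feeds the message part (%s) to an interpreter turns "open this file" in a
MIME-aware client into "run this program". The parser follows mailcap(5)
syntax: '#' comments, backslash line continuation, backslash-escaped
semicolons. INTERPRETERS and SAMPLE_MAILCAP are constructed for the demo.
"""
import os
import shlex

# Constructed list of programs that treat their file argument as code to run.
INTERPRETERS = {"sh", "bash", "perl", "python", "ozengine"}

# Constructed sample; not the mailcap shipped by any Debian package.
SAMPLE_MAILCAP = r"""
# viewers: the part is displayed, not executed
image/png; display %s; test=test -n "$DISPLAY"
text/html; lynx -dump %s; copiousoutput; \
    description=render HTML as text
text/plain; less %s; needsterminal
# handlers that execute the part
application/x-oz-application; ozengine %s
application/x-sh; sh %s; needsterminal; description=shell script\; dangerous
"""


def _logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            buf += " " + line
        elif not line or line.startswith("#"):
            continue
        else:
            buf = line
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def _split_fields(entry):
    """Split on unescaped ';', unescaping '\\;' (and other '\\x') inside fields."""
    fields, cur, i = [], "", 0
    while i < len(entry):
        ch = entry[i]
        if ch == "\\" and i + 1 < len(entry):
            cur += entry[i + 1]
            i += 2
            continue
        if ch == ";":
            fields.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur.strip())
    return fields


def parse_mailcap(text):
    """Return [(mimetype, view_command, {field: value_or_True})] per entry."""
    entries = []
    for logical in _logical_lines(text):
        fields = _split_fields(logical)
        if len(fields) < 2 or not fields[0]:
            continue
        flags = {}
        for field in fields[2:]:
            if field:
                name, sep, value = field.partition("=")
                flags[name.strip().lower()] = value.strip() if sep else True
        entries.append((fields[0].lower(), fields[1], flags))
    return entries


def executes_part(command):
    """True if the program is an interpreter and %s is handed to it as an argument."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return False
    if not argv:
        return False
    return os.path.basename(argv[0]) in INTERPRETERS and any("%s" in a for a in argv[1:])


def audit(text):
    """List (mimetype, program) for entries that run the part as code."""
    findings = []
    for mimetype, command, _flags in parse_mailcap(text):
        if executes_part(command):
            findings.append((mimetype, os.path.basename(shlex.split(command)[0])))
    return findings


if __name__ == "__main__":
    for mimetype, program in audit(SAMPLE_MAILCAP):
        print(f"{mimetype}: executed by {program}")
```

Run against a real `/etc/mailcap` or `~/.mailcap` by passing the file's contents to `audit()`; the interpreter list is a heuristic, so treat a hit as a prompt to read the entry, and treat an empty result as no guarantee.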



configure ssh-access

2003-07-07 Thread klaus
Hi!

I want to make ssh-access possible only from a restricted
number of hosts - those that are named in /etc/hosts.allow.
Users who want to login have a DynDNS host-name that shall
be listed in hosts.allow to make it possible for users with
a dial-up internet connection, too.

BUT:
The problem is that I can only login to the ssh-machine
when I enter the IP-address into the hosts.allow file.
Specifying the host's DNS-name does not work!

AND:
I'd prefer to specify the rules for logging into the machine
in the sshd_config-file, not in hosts.allow/deny.
But the AllowHosts/DenyHosts-options that could be used in
/etc/sshd_config earlier seem to be no longer
available in the SSH-version I'm using.
It's: openssh-3.4p1-80 on a SuSE 8.1

Has anybody ideas on these 2 problems?

thx in advance,
Klaus



-- 
Klaus Siegesleitner - [EMAIL PROTECTED] 
SysAdmin at CAME (Center of Applied Molecular Engineering) 
University of Salzburg, Jakob-Haringerstrasse 5, A-5020 Salzburg





Re: configure ssh-access

2003-07-07 Thread Alan James
On Mon, 7 Jul 2003 11:08:38 +0200, [EMAIL PROTECTED] wrote:

> The problem is that I can only login to the ssh-machine
> when I enter the IP-address into the hosts.allow file.
> Specifying the host's DNS-name does not work!

That's probably because it does a reverse lookup on the connecting IP to see
if it matches. It would need to look up every hostname in hosts.allow on
each incoming connection to match a dynamic DNS name. If you see what I
mean.

> Has anybody ideas on these 2 problems?

You could do what I do, allow anyone to connect but allow only public key
authentication (and protocol 2).

Alan.






Re: configure ssh-access

2003-07-07 Thread Adam ENDRODI
On Mon, Jul 07, 2003 at 11:08:38AM +0200, [EMAIL PROTECTED] wrote:
 
> I'd prefer to specify the rules for logging into the machine
> in the sshd_config-file, not in hosts.allow/deny.
> But the AllowHosts/DenyHosts-options that could be used in
> /etc/sshd_config earlier seem to be no longer
> available in the SSH-version I'm using.
> It's: openssh-3.4p1-80 on a SuSE 8.1

It's there, except that this option has been generalized a bit.
Try ``AllowUsers USER@HOST''
The man says: If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular users from
particular hosts.

I think it'll solve your problem.

bit,
adam

-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989  
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net | And out of mind
Sleep forever





Re: configure ssh-access

2003-07-07 Thread Anne Carasik
Why not just limit the access through SSH public key?
It sounds like that would accomplish what you're trying
to do.

-Anne

[EMAIL PROTECTED] grabbed a keyboard and typed...
> Hi!
>
> I want to make ssh-access possible only from a restricted
> number of hosts - those that are named in /etc/hosts.allow.
> Users who want to login have a DynDNS host-name that shall
> be listed in hosts.allow to make it possible for users with
> a dial-up internet connection, too.
>
> BUT:
> The problem is that I can only login to the ssh-machine
> when I enter the IP-address into the hosts.allow file.
> Specifying the host's DNS-name does not work!
>
> AND:
> I'd prefer to specify the rules for logging into the machine
> in the sshd_config-file, not in hosts.allow/deny.
> But the AllowHosts/DenyHosts-options that could be used in
> /etc/sshd_config earlier seem to be no longer
> available in the SSH-version I'm using.
> It's: openssh-3.4p1-80 on a SuSE 8.1
>
> Has anybody ideas on these 2 problems?
>
> thx in advance,
> Klaus
>
>
>
> --
> Klaus Siegesleitner - [EMAIL PROTECTED]
> SysAdmin at CAME (Center of Applied Molecular Engineering)
> University of Salzburg, Jakob-Haringerstrasse 5, A-5020 Salzburg

-- 
  .-.__.``.   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -==.',  Center for Advanced Computing Research
~`~~





[mdz@debian.org: [SECURITY] [DSA-340-1] New x-face-el packages fix insecure temporary file creation]

2003-07-07 Thread Tom Goulet (UID0)

The signature is bad at my end, and my end usually works so it looks
like something mangled your message.

-- 
Tom Goulet             mail: [EMAIL PROTECTED]
UID0 Unix Consulting   web:  em.ca/uid0/
---BeginMessage---
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 340-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
July 6th, 2003  http://www.debian.org/security/faq
- --

Package: x-face-el
Vulnerability  : insecure temporary file
Problem-Type   : local
Debian-specific: no

NOTE: due to a combination of administrative problems, this advisory
was erroneously released with the identifier DSA-338-1.  DSA-338-1
correctly refers to an earlier advisory regarding proftpd.

x-face-el, a decoder for images included inline in X-Face email
headers, does not take appropriate security precautions when creating
temporary files.  This bug could potentially be exploited to overwrite
arbitrary files with the privileges of the user running Emacs and
x-face-el, potentially with contents supplied by the attacker.

For the stable distribution (woody) this problem has been fixed in
version 1.3.6.19-1woody1.

For the unstable distribution (sid) this problem has been fixed in
version 1.3.6.23-1.

We recommend that you update your x-face-el package.

Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/x/x-face-el/x-face-el_1.3.6.19-1woody1.dsc
  Size/MD5 checksum:  591 f431ba4034b534290d29103076464020

http://security.debian.org/pool/updates/main/x/x-face-el/x-face-el_1.3.6.19-1woody1.diff.gz
  Size/MD5 checksum:    21268 ba3e6ed17c8c03e8fab969909bcd8572

http://security.debian.org/pool/updates/main/x/x-face-el/x-face-el_1.3.6.19.orig.tar.gz
  Size/MD5 checksum:    80666 b541ab8e216e9df76f45b8b26241debd

  Architecture independent components:


http://security.debian.org/pool/updates/main/x/x-face-el/x-face-el_1.3.6.19-1woody1_all.deb
  Size/MD5 checksum:   101882 9773535a2bb5e0ce12c34bb0bd5b351a

  These files will probably be moved into the stable distribution on
  its next revision.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/CMR3ArxCt0PiXR4RApBzAJ0V+HXIVD7szxL3SdR05vsKk9WUIACfaXcu
TFGwqzteQRUVJxN7znDXbYQ=
=bZS3
-END PGP SIGNATURE-





---End Message---
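The same bug class underlies this forwarded advisory (DSA-340, x-face-el) and DSA-341 (liece) at the top of the page: a temporary file created under a predictable name, with a plain create-or-truncate open, in a directory other users can write to. The Python script below is an added illustration, not code from either package or from Debian. It builds a private scratch directory, plants a symlink at a constructed predictable name, and shows that an unguarded open() writes through the link, while an exclusive create (O_CREAT|O_EXCL, plus O_NOFOLLOW where the platform has it) and tempfile.mkstemp() both refuse to reuse the path. The file names and contents, including `liece.tmp`, are constructed for the demo; it assumes a POSIX system.

```python
"""Insecure vs. exclusive temporary-file creation (constructed demo).

Bug class of DSA-340/DSA-341: a program writes to a predictable name in a
shared directory with a plain create-or-truncate open(), so a symlink
planted at that name redirects the write to whatever the link points at.
Everything here happens inside a private scratch directory created below.
"""
import errno
import os
import stat
import tempfile


def unsafe_write(path, data):
    """The vulnerable pattern: O_WRONLY|O_CREAT|O_TRUNC, no O_EXCL, follows symlinks."""
    with open(path, "w") as fh:
        fh.write(data)


def safe_create(path, mode=0o600):
    """Exclusive create: fails with EEXIST if anything (file or symlink)
    already exists at path; O_NOFOLLOW, where available, additionally refuses
    a symlink as the final component. Returns an open file descriptor."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, mode)


def safe_tempfile(directory):
    """Preferred fix: unpredictable name plus exclusive create, mode 0600."""
    return tempfile.mkstemp(prefix="tmp-", dir=directory)


def demo():
    """Run all three variants in a private sandbox and report what happened."""
    sandbox = tempfile.mkdtemp(prefix="tmpfile-demo-")
    target = os.path.join(sandbox, "target")        # stands in for a victim file
    with open(target, "w") as fh:
        fh.write("original\n")

    # Constructed precondition: a symlink already waiting at the predictable name.
    predictable = os.path.join(sandbox, "liece.tmp")
    os.symlink(target, predictable)

    # 1. Vulnerable open: the data lands in `target`, not in a new temp file.
    unsafe_write(predictable, "contents chosen by whoever planted the link\n")
    with open(target) as fh:
        clobbered = fh.read() != "original\n"

    # 2. Exclusive create on the same name: refused because the path exists.
    try:
        os.close(safe_create(predictable))
        refused = False
    except OSError as exc:
        refused = exc.errno in (errno.EEXIST, errno.ELOOP)

    # 3. mkstemp: fresh random name, created exclusively, mode 0600.
    fd, name = safe_tempfile(sandbox)
    os.close(fd)
    mode = stat.S_IMODE(os.stat(name).st_mode)

    # Clean up the scratch directory.
    for p in (name, predictable, target):
        os.unlink(p)
    os.rmdir(sandbox)
    return {"unsafe_clobbered_target": clobbered,
            "safe_create_refused": refused,
            "mkstemp_mode": mode}


if __name__ == "__main__":
    print(demo())
```

The principle is language-independent: whatever creates the file (Emacs Lisp in these two packages, C, a shell script) must use an unpredictable name and an exclusive create, and must never reopen a fixed name under /tmp that someone else could have placed there first.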




Re: Strongest linux - kernel patches

2003-07-07 Thread Michelle Konzack
At 02:55 2003-07-03 +0200 Luis Gomez - InfoEmergencias wrote:

> On Wednesday, 2 July 2003 15:05, Preben Randhol wrote:
> > What about: http://www.nsa.gov/selinux/ ?
>
> For the sake of God, how in hell can we associate nsa.gov with secure?
>
> Excuse me if I'm bullshitting, but I understand that those people who refuse
> to export strong cryptography unless it contains backdoors, cannot be
> trusted at all. I may be wrong, but what the hell is their interest in
> providing the whole world with a secure system?
>
> I'd appreciate any comments or explanations on this. Thanks

Does:

deb http://www.nsa.gov/selinux/ woody main contrib non-free non-US

work ??? ;-))
Then it will be a real joke !!!

Michelle





RE: configure ssh-access

2003-07-07 Thread Mario Ohnewald
Hello!

-Original Message-
From: Anne Carasik [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 5:05 PM
To: [EMAIL PROTECTED]
Cc: debian-security@lists.debian.org
Subject: Re: configure ssh-access

> Why not just limit the access through SSH public key?
> It sounds like that would accomplish what you're trying
> to do.

I think this problem should not be solved with configuring sshd.
I solved it with an iptables script which resolves my dynamic host every 5 mins,
and then reloads the firewall if needed.

An ssh solution has the disadvantage that if it is buggy, an sshd config
change might not save your box from unallowed access. That is why I block my
ssh daemon, because the possibility is there that there might be an ssh exploit
soon ;)

In my eyes a combination of an sshd config solution and an iptables rule would
properly do its job quite safely.


Yours, Mario


> -Anne
>
> [EMAIL PROTECTED] grabbed a keyboard and typed...
> > Hi!
> >
> > I want to make ssh-access possible only from a restricted
> > number of hosts - those that are named in /etc/hosts.allow.
> > Users who want to login have a DynDNS host-name that shall
> > be listed in hosts.allow to make it possible for users with
> > a dial-up internet connection, too.
> >
> > BUT:
> > The problem is that I can only login to the ssh-machine
> > when I enter the IP-address into the hosts.allow file.
> > Specifying the host's DNS-name does not work!
> >
> > AND:
> > I'd prefer to specify the rules for logging into the machine
> > in the sshd_config-file, not in hosts.allow/deny.
> > But the AllowHosts/DenyHosts-options that could be used in
> > /etc/sshd_config earlier seem to be no longer
> > available in the SSH-version I'm using.
> > It's: openssh-3.4p1-80 on a SuSE 8.1
> >
> > Has anybody ideas on these 2 problems?
> >
> > thx in advance,
> > Klaus
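Three mechanisms are on the table in this thread: tcp_wrappers' hosts.allow (Klaus's question and Alan's explanation of why a DynDNS name does not match), sshd's AllowUsers USER@HOST (Adam's tip; sshd compares the HOST part the same way, against the client's reverse-resolved name or its address), and Mario's timer-driven refresh of an address list for the firewall. The Python model below is an added example, not any poster's script or the real implementations. It reproduces the matching logic against a constructed DNS table that uses documentation address ranges (198.51.100.0/24, 203.0.113.0/24) and invented names, and it also shows the stale-address window François raises: after the dial-up reconnects, the old address stays allowed until the next refresh.

```python
"""How hosts.allow, sshd AllowUsers and a refreshed address list decide on a
connecting client (constructed model, not the real implementations).

Both tcpd and sshd start from the client's address, reverse-resolve it and
compare the result with the configured entries. Entries are never
forward-resolved, so a DynDNS name matches only if the client's PTR record
happens to be that name, which a dial-up address never has.
"""
import fnmatch
import ipaddress

# Constructed DNS data: documentation address ranges, invented names.
DNS = {
    "A": {
        "klaus.dyndns.example": "198.51.100.7",  # DynDNS name of the dial-up host
        "pc-7.isp.example": "198.51.100.7",      # the ISP's own name for that address
        "office.uni.example": "203.0.113.5",
    },
    "PTR": {
        "198.51.100.7": "pc-7.isp.example",
        "203.0.113.5": "office.uni.example",
    },
}


def reverse_name(ip, dns):
    """Reverse lookup with forward confirmation (tcpd's PARANOID check, sshd's
    VerifyReverseMapping); None if the PTR is missing or does not map back."""
    name = dns["PTR"].get(ip)
    if name is None or dns["A"].get(name) != ip:
        return None
    return name


def hosts_allow_match(client_ip, entries, dns):
    """tcp_wrappers-style match of the client's address or reverse name against
    entries of the forms: name, .domain, address, net. (prefix) and net/mask."""
    name = (reverse_name(client_ip, dns) or "").lower()
    addr = ipaddress.ip_address(client_ip)
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if name.endswith(entry):
                return True
        elif "/" in entry:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif entry.endswith("."):
            if client_ip.startswith(entry):
                return True
        elif entry == client_ip or (name and entry == name):
            return True
    return False


def allow_users_match(user, client_ip, patterns, dns):
    """sshd AllowUsers model: USER@HOST checks USER and HOST separately; HOST is
    a shell-style pattern tried against the reverse name, then the address."""
    name = (reverse_name(client_ip, dns) or "").lower()
    for pat in patterns:
        upat, _, hpat = pat.lower().partition("@")
        if not fnmatch.fnmatchcase(user.lower(), upat):
            continue
        if not hpat or fnmatch.fnmatchcase(name, hpat) or fnmatch.fnmatchcase(client_ip, hpat):
            return True
    return False


def refresh_ip_allowlist(names, dns, previous):
    """Timer-driven approach: forward-resolve the DynDNS names and rebuild the
    address list for the firewall; `changed` tells the caller whether to reload."""
    current = sorted({dns["A"][n] for n in names if n in dns["A"]})
    return current, current != previous


def scenario():
    """Walk the thread's cases for klaus dialling in from 198.51.100.7."""
    dns = {"A": dict(DNS["A"]), "PTR": dict(DNS["PTR"])}
    client, out = "198.51.100.7", {}
    # hosts.allow: the DynDNS name never matches; the address or ISP domain does.
    out["hosts_allow_by_name"] = hosts_allow_match(client, ["klaus.dyndns.example"], dns)
    out["hosts_allow_by_ip"] = hosts_allow_match(client, ["198.51.100.7"], dns)
    out["hosts_allow_by_isp_domain"] = hosts_allow_match(client, [".isp.example"], dns)
    # AllowUsers USER@HOST behaves the same way for the HOST part.
    out["allowusers_by_name"] = allow_users_match("klaus", client, ["klaus@klaus.dyndns.example"], dns)
    out["allowusers_by_net"] = allow_users_match("klaus", client, ["klaus@198.51.100.*"], dns)
    # Periodic refresh: the first run builds the list from the DynDNS name.
    allow, changed = refresh_ip_allowlist(["klaus.dyndns.example"], dns, [])
    out["refresh_first"] = (allow, changed)
    # Dial-up reconnects and the name moves; until the next run the old address
    # is still allowed and the new one is not (the window François points out).
    dns["A"]["klaus.dyndns.example"] = "198.51.100.42"
    out["stale_until_refresh"] = "198.51.100.7" in allow and "198.51.100.42" not in allow
    allow, changed = refresh_ip_allowlist(["klaus.dyndns.example"], dns, allow)
    out["refresh_second"] = (allow, changed)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model shows why the two answers in the thread converge: an address-based filter is a coarse pre-filter with a refresh lag in both directions, so the access decision itself still has to rest on something tied to the user, which is what public-key-only authentication gives.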








Re: configure ssh-access

2003-07-07 Thread François TOURDE
On the 12240th day after Epoch,
Mario Ohnewald wrote:

> Hello!
>
> -Original Message-
> From: Anne Carasik [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 07, 2003 5:05 PM
> To: [EMAIL PROTECTED]
> Cc: debian-security@lists.debian.org
> Subject: Re: configure ssh-access
>
>
> Why not just limit the access through SSH public key?
> It sounds like that would accomplish what you're trying
> to do.
>
> I think this problem should not be solved with configuring sshd.

Wrong... You can configure sshd to accept only logins from recognized keys,
and leave the firewall open.

> I solved it with an iptables script which resolves my dynamic host every 5 mins,
> and then reloads the firewall if needed.

So, in some cases, you must wait 5 mins to connect?

> An ssh solution has the disadvantage that if it is buggy, an sshd config
> change might not save your box from unallowed access. That is why I block my
> ssh daemon, because the possibility is there that there might be an ssh exploit
> soon ;)

And what if the dynamic host is not correctly set? Somebody getting your previous IP
has 5 mins to accomplish some weird job. And that's 4.9 mins more than needed :)


-- 
DOS: n., A small annoying boot virus that causes random spontaneous system
 crashes, usually just before saving a massive project.  Easily cured by
 UNIX.  See also MS-DOS, IBM-DOS, DR-DOS.
(from David Vicker's .plan)
-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tel: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/





Re: configure ssh-access

2003-07-07 Thread Kenneth Macdonald Karlsen
[EMAIL PROTECTED] wrote:

> Hi!
>
> I want to make ssh-access possible only from a restricted
> number of hosts - those that are named in /etc/hosts.allow.
> Users who want to login have a DynDNS host-name that shall
> be listed in hosts.allow to make it possible for users with
> a dial-up internet connection, too.
> BUT:
> The problem is that I can only login to the ssh-machine
> when I enter the IP-address into the hosts.allow file.
> Specifying the host's DNS-name does not work!
> AND:
> I'd prefer to specify the rules for logging into the machine
> in the sshd_config-file, not in hosts.allow/deny.
> But the AllowHosts/DenyHosts-options that could be used in
> /etc/sshd_config earlier seem to be no longer
> available in the SSH-version I'm using.
> It's: openssh-3.4p1-80 on a SuSE 8.1
>
> Has anybody ideas on these 2 problems?
>
> thx in advance,
> Klaus

Hi.
I use this line:
auth   required   /lib/security/pam_listfile.so   item=user sense=deny file=/etc/ssh.deny.login onerr=succeed
in /etc/pam.d/ssh
I then restrict users from logging in which I define in ssh.deny.login
Maybe you can tweak it a bit and have a script getting updated IP addresses
for your hosts? I don't know if PAM can make use of it, just a suggestion.
Kenneth




