Re: 2.4.21 IPSEC problems

2003-08-31 Thread Herbert Xu
On Sun, Aug 31, 2003 at 09:42:35AM +0100, Dale Amon wrote:
> 
> Interesting. Could this be the reason why I've been thus far
> unsuccessful getting racoon to set up encryption on a 2.6.0t4
> kernel? Using setkey it's a no-brainer, but I've not been able

ipsec-tools 0.2.2-5 will definitely not work with 2.6.0-test4.
Even setkey only works to a certain extent.

See #203641.

Cheers,
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: 2.4.21 IPSEC problems

2003-08-31 Thread Dale Amon
On Sun, Aug 31, 2003 at 02:39:56PM +1000, Herbert Xu wrote:
> In user space, we have:
> 
> ipsec-tools: Needs a recompile to catch up with the kernel ABI.
> isakmpd: As above.
> freeswan: 2.01 needs my patch to work with the new stack.

Interesting. Could this be the reason why I've been thus far
unsuccessful getting racoon to set up encryption on a 2.6.0t4
kernel? Using setkey it's a no-brainer, but I've not been able
to get racoon to work as advertised. Quite literally, as I used
the example directly out of the Linux Advanced Routing HOWTO
and it didn't work.

If you're working on this I'd love some advice and I'd be
happy to give you feedback on any 2.6.0t4 problems with the
Debian ipsec-tools on it.





Re: KerberosV OpenLDAP and PAM

2003-08-31 Thread Matthijs Mohlmann
On Sun, 2003-08-31 at 00:57, Stephen Frost wrote:
> * Matthijs Mohlmann ([EMAIL PROTECTED]) wrote:
> > I use KerberosV for authentication. For all types of data I use OpenLDAP
> > and for logging in to a computer on a network I use PAM.
> [...]
> > Now I want this together. But I don't know how. I've read the
> > documentation from PAM but I don't get it.
> > 
> > What I want is the security of KerberosV and the flexibility of
> > OpenLDAP.
> 
> If you want the security of Kerberos you shouldn't be using pam_krb5
> ever or having userPassword in OpenLDAP at all.
> 
> > My configuration is now that in OpenLDAP there is an attribute userPassword and
> > this attribute points to the KerberosV database.
> 
> This means that the password is sent in cleartext from the client to the
> server, totally against the Kerberos security model which *never* allows
> the password across in cleartext.
> 
> What you need is to get Kerberized clients and servers and to remove
> pam_krb5 from everything.
> 
>   Stephen

Do you have another idea? I want to log in on my KerberosV server and
then I have to type my password. I have my libpam-krb5 module only in
/etc/pam.d/login and /etc/pam.d/gdm.

Is there something else you can advise me to take?

I also have another problem with gdm. When I make the change to
libnss-ldap.conf:
-host server.active2.homelinux.org
+uri ldaps://server.active2.homelinux.org/

Then gdm would not run. I've set the debug option in gdm.conf to true but
the logs don't say anything about the problem.





Re: loggin with iptables, syslog problem

2003-08-31 Thread Horst Pflugstaedt
On Sat, Aug 30, 2003 at 09:58:58PM +0200, Rudy Gevaert wrote:
> Hello,
> 
> But nothing gets logged to /var/log/iptabels...  It does show in
> dmesg...
> How can I correctly redirect logs with level "debug" to the
> /var/log/iptables file?

Perhaps it's not quite the answer you expected... I'm using syslog-ng
because I found it much more adjustable. You can set up rules with
regexps...
Simply logging messages with log-level 'debug' may give you more
entries in that special log file than you might want!


Gruss
Horst.


-- 
Have you noticed the way people's intelligence capabilities decline
sharply the minute they start waving guns around?
-- Dr. Who
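A syslog-ng configuration of the kind Horst describes, added here as an illustration and not taken from any poster in the thread; it assumes the iptables LOG rules were given `--log-prefix "IPTABLES "` and that syslog-ng reads kernel messages from /proc/kmsg, so firewall messages are selected by content rather than by the debug level that would also sweep in unrelated kernel output:

```conf
# Added example, not from the thread. Assumes every iptables LOG rule
# was written with --log-prefix "IPTABLES " so its kernel messages can
# be recognised by content instead of by priority.

# Kernel messages (where iptables LOG output appears, as seen in dmesg).
source s_kernel { file("/proc/kmsg" log_prefix("kernel: ")); };

# Select firewall messages by the log prefix, not by level "debug",
# so other kernel debug messages do not land in the firewall log.
filter f_iptables     { facility(kern) and match("IPTABLES "); };

# Everything else the kernel logs.
filter f_kernel_other { facility(kern) and not match("IPTABLES "); };

destination d_iptables { file("/var/log/iptables"); };
destination d_kern     { file("/var/log/kern.log"); };

# Firewall hits get their own file; the rest stays in kern.log.
log { source(s_kernel); filter(f_iptables);     destination(d_iptables); };
log { source(s_kernel); filter(f_kernel_other); destination(d_kern); };
```

The match() pattern is a regexp, so the same rule can be narrowed further, for example to hits from a particular chain by putting the chain name in the prefix.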


Re: 2.4.21 IPSEC problems

2003-08-31 Thread Herbert Xu
Henrique de Moraes Holschuh <[EMAIL PROTECTED]> wrote:
> 
> Herbert, it would be a Very Good Thing if Debian sarge shipped IPSEC ready
> to go out-of-the-box (provided one installed the correct packages and
> configured them, I suppose).
> 
> Are we at that stage yet?  What is needed to get IPSEC as included in your
> kernel images to work out-of-the-box (after configured), without the need
> for anything not packaged in Debian?

We're almost there.  The kernel side is ready as it is.

In user space, we have:

ipsec-tools: Needs a recompile to catch up with the kernel ABI.
isakmpd: As above.
freeswan: 2.01 needs my patch to work with the new stack.

Cheers,
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

