Re: How can I help ?

2000-06-15 Thread Nate Duehr
On Wed, Jun 14, 2000 at 02:43:07PM +0200, Wichert Akkerman wrote:
> A good free reimplementation of portsentry is something I would really
> like to see. Right now portsentry works reasonably, but it could really
> use a bunch of extra features.

Can't snort do almost everything portsentry does if configured with the
right plug-ins?  If I remember correctly, portsentry also keeps a
database and can do correlation of scans over long periods of time, but
that's the only thing I can think of that snort wouldn't do?

(Or did I *really* miss something and snort's non-free?  I can tell I
have too much on my mind right now, and probably shouldn't be asking
this because it's probably a really dumb question.)

-- 
Nate Duehr <[EMAIL PROTECTED]>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.



Re: How can I help ?

2000-06-15 Thread Wichert Akkerman
Previously Guido Guenther wrote:
> According to upstream we can't hope that he will put portsentry under a
> license which debian considers as free in the near future so a free
> reimplementation would be great. Portsentry is a nice piece of software
> but it's missing some crucial features such as a pid file or more
> flexible syntax in the hosts.ignore file (such as ignore
> host:port1,port2).

Also features like much more flexible configuration of when something
should be blocked, how long something should be blocked, interfaces and/or
addresses to listen on, etc. Lots of good things can be added.

If you start with something like ippl as a base it shouldn't even be
extremely hard to do.

Wichert.

-- 
   
 / Generally uninteresting signature - ignore at your convenience  \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |




Re: How can I help ?

2000-06-15 Thread Wichert Akkerman
Previously Alexander Hvostov wrote:
> Where might I find this?

http://www.msu.ru/pniam/pniam.html
ftp://ftp.nc.orc.ru/pub/Linux/pniam/pniam-0.02.tgz

Wichert.


-- 
   
 / Generally uninteresting signature - ignore at your convenience  \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Re: How can I help ?

2000-06-14 Thread Alexander Hvostov
Wichert,

Where might I find this?

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Wed, 14 Jun 2000, Wichert Akkerman wrote:

> Previously Alexander Hvostov wrote:
> > I have a better idea: an integrated 'user' command, which uses plugins to
> > access the actual database server (like PAM, but for writing to the
> > database rather than reading from it), and performs any of several
> > functions.
> 
> PNIAM might already do this, I haven't looked at it closely yet.
> 
> Wichert.
> 
> -- 
>
>  / Generally uninteresting signature - ignore at your convenience  \
> | [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
> | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
> 



Re: SMB passwords etc (was "How can I help ?")

2000-06-14 Thread Sebastian Rittau
On Wed, Jun 14, 2000 at 02:10:09PM +0100, Zak Kipling wrote:

> I'm no PAM or SMB expert, but I would imagine (if it hasn't been done) it
> would be feasible to make a stacked "password" module to do the reverse,
> ie to update the SMB password (including optionally creating the entry in
> the smbpasswd file if it doesn't exist) when the "passwd" command is used
> to change the unix password.

Yes. That would help a lot. We have a setup, for example, where all
account data (including the encrypted password) is stored in a
PostgreSQL database. Therefore it is not possible to compare this
encrypted password to the encrypted SMB password. And we don't want
a duplication of the password field in the database either.

> A mechanism would obviously be required to prevent a loop situation when
> both options are used simultaneously. If Samba carried out the actual SMB
> password update via PAM, then this should allow for the required
> flexibility, with either one or both of the unix/SMB password setting
> modules used by passwd and smbd as desired. This would hopefully eliminate
> the need for the "password sync" option with its dependence on the precise
> prompt string produced by the "passwd" command.

This loop protection is not really necessary since every program/daemon
can be configured separately.

 - Sebastian



Re: SMB passwords etc (was "How can I help ?")

2000-06-14 Thread Freddie

At 22:40 14/06/2000, Zak Kipling wrote:
>On Wed, 14 Jun 2000, Sebastian Rittau wrote:
>
> >> [stuff about encrypted SMB passwords]
> >
> > But using this option prevents you from using the global /etc/shadow
> > file, which is problematic in some cases.
>
>True. Samba has a "password sync" option to enable SMB password changes to
>automatically update the unix password file too (though it can be
>troublesome to get this working smoothly...)
>
>I'm no PAM or SMB expert, but I would imagine (if it hasn't been done) it
>would be feasible to make a stacked "password" module to do the reverse,
>ie to update the SMB password (including optionally creating the entry in
>the smbpasswd file if it doesn't exist) when the "passwd" command is used
>to change the unix password.
>
>A mechanism would obviously be required to prevent a loop situation when
>both options are used simultaneously. If Samba carried out the actual SMB
>password update via PAM, then this should allow for the required
>flexibility, with either one or both of the unix/SMB password setting
>modules used by passwd and smbd as desired. This would hopefully eliminate
>the need for the "password sync" option with its dependence on the precise
>prompt string produced by the "passwd" command.
>
>--
>Zak Kipling, E114 Wolfson Court, Clarkson Road, Cambridge, CB3 0EH.
>Tel. (01223) 509524; pager 04325 361627; ICQ# 62661452; Ask for PGP key
>Internet chat: telnet to zk201.girton.cam.ac.uk and log in as "talk".
>
>"As long as the superstition that people should obey unjust laws exists,
>so long will slavery exist." -- M. K. Gandhi
>
>
>

This was posted to samba-technical within the last few days:


From: Peter Samuelson <[EMAIL PROTECTED]>
To: Multiple recipients of list SAMBA-TECHNICAL
 <[EMAIL PROTECTED]>
Subject: ANNOUNCE: pam_pwexport, Unix->SMB password changes
Date:   Tue, 13 Jun 2000 22:08:43 +1000


[[posted to samba-ntdom and samba-technical]]

More than one user has recently asked about Unix->Samba password sync.

You can go the *other* direction with those chat options in smb.conf,
and Samba even has an option `update encrypted' for using cleartext
passwords and populating the smbpasswd file when people change them.

But when a user executes `passwd' or `yppasswd' on the Unix system,
Samba has no way of knowing, so your NT password gets out of sync.

Until now.

For all you out there who use PAM-enabled Unix systems (that means most
flavors of Linux and Solaris, and recently HP-UX, and possibly others I
don't know about), you may wish to give this a shot:

   http://peter.cadcamlab.org/misc/pam_pwexport-0.0.tar.gz

It sits and snoops whenever a user enters or changes a password through
PAM, and sends the passwords off to be processed by an arbitrary
PAM-unaware executable.  That means:

* For all logins (ftp, ssh, telnet, pop3, etc) you can grab the
   password and use it to populate your local smbpasswd file.  This is
   akin to the smb.conf `update encrypted' option, useful for migration
   from a Unix environment to a mixed Unix/NT environment.

* For Unix password changes, you get both the old and new password, so
   you can either do the above, or update an NT domain controller (or
   remote Samba domain controller).  Assuming your NIS domain controller
   is PAM-aware, this should work for `yppasswd' as well.  (Untested.)

* Although I wrote it with Samba in mind, it is by no means specific to
   smbpasswd; other similar "password migration" scenarios should work
   just as well.

Like most PAM modules, it's not very hard to set up.  Included is an
example glue script for making it work with smbpasswd.

BUT: It's a 0.0 release and has only been tested on Linux-PAM.  It may
work on the other Unices, but I don't have Solaris and I haven't gotten
a chance to test on HP-UX yet.  It's also missing some error checking
and other polish.  (I'll gladly take patches.)

ALSO: pam_pwexport won't work properly without a small patch, included,
to fix a bug in Linux-PAM 0.72.

Enjoy.  I did.  (PAM modules are much easier to write than you think.)

Peter


Looks like what you're after :)

Freddie






Re: How can I help ?

2000-06-14 Thread Guido Guenther
On Wed, Jun 14, 2000 at 02:43:07PM +0200, Wichert Akkerman wrote:
> Previously Thomas Guettler wrote:
> > I am in the same position. I have got some time left which
> > I could spend in an opensource project. Nearly all 
> > things I dream of are already working.
> 
> A good free reimplementation of portsentry is something I would really
> like to see. Right now portsentry works reasonably, but it could really
> use a bunch of extra features.

According to upstream we can't hope that he will put portsentry under a
license which debian considers as free in the near future so a free
reimplementation would be great. Portsentry is a nice piece of software
but it's missing some crucial features such as a pid file or more
flexible syntax in the hosts.ignore file (such as ignore
host:port1,port2).


-- 
GPG-Public Key: http://honk.physik.uni-konstanz.de/~agx/guenther.gpg.asc
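
The `host:port1,port2` ignore syntax suggested in the message above, sketched as an added example (not portsentry code and not written by anyone in this thread). It assumes IPv4 literals only, an optional CIDR prefix, and `#` comments; all names and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample ignore file using the syntax proposed in the thread.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_IGNORE = """\
# host only: ignore on every port
127.0.0.1
# host:port1,port2 : ignore only on the listed ports
192.0.2.10:22,113
# CIDR prefix is an assumption of this sketch
198.51.100.0/24:53
"""


class IgnoreRule:
    """One ignore entry: a source network and an optional set of ports."""

    def __init__(self, network, ports):
        self.network = network  # ipaddress.IPv4Network
        self.ports = ports      # frozenset of ints, or None for "all ports"

    def matches(self, src_ip, dst_port):
        if ipaddress.IPv4Address(src_ip) not in self.network:
            return False
        return self.ports is None or dst_port in self.ports


def parse_rule(line):
    """Parse 'host' or 'host:port1,port2'; return None for blank/comment lines.

    Raises ValueError on anything malformed, so a typo can never silently
    turn a port-limited entry into an ignore-everything entry.
    """
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    host, sep, port_list = text.partition(":")
    network = ipaddress.IPv4Network(host.strip(), strict=False)
    if not sep:
        return IgnoreRule(network, None)
    ports = set()
    for item in port_list.split(","):
        item = item.strip()
        if not (item.isascii() and item.isdigit()) or not 1 <= int(item) <= 65535:
            raise ValueError(f"bad port {item!r} in {text!r}")
        ports.add(int(item))
    return IgnoreRule(network, frozenset(ports))


def load_rules(text):
    """Parse a whole file; report the line number of the first bad entry."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
        if rule is not None:
            rules.append(rule)
    return rules


def should_ignore(rules, src_ip, dst_port):
    """True if a connection from src_ip to dst_port is exempt from blocking."""
    return any(rule.matches(src_ip, dst_port) for rule in rules)


if __name__ == "__main__":
    rules = load_rules(SAMPLE_IGNORE)
    for src, port in [("192.0.2.10", 113), ("192.0.2.10", 23), ("203.0.113.5", 22)]:
        verdict = "ignore" if should_ignore(rules, src, port) else "evaluate"
        print(f"{src} -> port {port}: {verdict}")
```

An entry such as `192.0.2.10:` with an empty port list is rejected rather than read as "all ports", which keeps a malformed line from widening the exemption.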



SMB passwords etc (was "How can I help ?")

2000-06-14 Thread Zak Kipling
On Wed, 14 Jun 2000, Sebastian Rittau wrote:

>> [stuff about encrypted SMB passwords]
>
> But using this option prevents you from using the global /etc/shadow
> file, which is problematic in some cases.

True. Samba has a "password sync" option to enable SMB password changes to
automatically update the unix password file too (though it can be
troublesome to get this working smoothly...)

I'm no PAM or SMB expert, but I would imagine (if it hasn't been done) it
would be feasible to make a stacked "password" module to do the reverse,
ie to update the SMB password (including optionally creating the entry in
the smbpasswd file if it doesn't exist) when the "passwd" command is used
to change the unix password.

A mechanism would obviously be required to prevent a loop situation when
both options are used simultaneously. If Samba carried out the actual SMB
password update via PAM, then this should allow for the required
flexibility, with either one or both of the unix/SMB password setting
modules used by passwd and smbd as desired. This would hopefully eliminate
the need for the "password sync" option with its dependence on the precise
prompt string produced by the "passwd" command.

-- 
Zak Kipling, E114 Wolfson Court, Clarkson Road, Cambridge, CB3 0EH.
Tel. (01223) 509524; pager 04325 361627; ICQ# 62661452; Ask for PGP key
Internet chat: telnet to zk201.girton.cam.ac.uk and log in as "talk". 

"As long as the superstition that people should obey unjust laws exists,
so long will slavery exist." -- M. K. Gandhi




Re: How can I help ?

2000-06-14 Thread Wichert Akkerman
Previously Alexander Hvostov wrote:
> I have a better idea: an integrated 'user' command, which uses plugins to
> access the actual database server (like PAM, but for writing to the
> database rather than reading from it), and performs any of several
> functions.

PNIAM might already do this, I haven't looked at it closely yet.

Wichert.

-- 
   
 / Generally uninteresting signature - ignore at your convenience  \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |




Re: How can I help ?

2000-06-14 Thread Wichert Akkerman
Previously Thomas Guettler wrote:
> I am in the same position. I have got some time left which
> I could spend in an opensource project. Nearly all 
> things I dream of are already working.

A good free reimplementation of portsentry is something I would really
like to see. Right now portsentry works reasonably, but it could really
use a bunch of extra features.

> Cross-platform user authentication (win+unix),
> via LDAP.

Some people on the samba team are working on this already.

Wichert.

-- 
   
 / Generally uninteresting signature - ignore at your convenience  \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Re: How can I help ?

2000-06-14 Thread Sebastian Rittau
On Tue, Jun 13, 2000 at 03:46:12PM -0700, Ryan White wrote:

> As I recall after windows 95 the passwords are sent over the line
> encrypted. The encryption might be weak but they are not clear text
> anymore. 

> There is a switch in SMB to allow encrypted passwords. This is ON by
> default in debian (I believe)

But using this option prevents you from using the global /etc/shadow
file, which is problematic in some cases.

 - Sebastian



Re: How can I help ?

2000-06-14 Thread Jonathan Miles
> > and
> > - Pro active security sourcecode reading/fixing, like what the OpenBSD
> > people do.
>
> I wanted to start a project like that a while back.  I examined
> the OpenBSD patches to try to figure out exactly what they looked for.
> Unfortunately, between school and jobs, I haven't had the time to
> really delve into the subject or apply their techniques to Linux.

Take a look at the attached e-mail (dare I post this with OE ;) about a new
linux security auditing project.

--
Jon / [EMAIL PROTECTED]
--- Begin Message ---
This is a mission statement for a project under way and ready to get going.
The Linux Kernel Auditing Project (LKAP). 

The purpose of this project is self-explanatory. It's an attempt to audit the
Linux kernel for any security vulnerabilities and/or holes and/or possible 
vulnerabilities and/or possible holes, and of course without adding more bugs or
drawbacks to the existing kernels. The suggested kernels to be audited are 
2.0.x kernel series, 2.2.x kernel series, and the 2.3.x/2.4.x kernel series.
The group and its work shall be dealt and worked with via a mailing list.

How to subscribe:

echo subscribe kernel-audit | mail [EMAIL PROTECTED]

I feel that this project should have been done a long time ago, not to imply
that the Linux kernel is insecure, but a case in which this project would've
helped would be the setuid() hole found on June 7 which affected all 2.2.x
kernels. This bug was patched in a matter of hours (isn't open source great!).
But here's the point, the flaw/function/hole should _NOT_ have existed in the
first place. Which is where this project comes into place.

There's a few things that differ from this project compared to a few others
that are similar.

1) To audit the kernel source code without affecting/breaking/disrupting any
other part of the kernel. These will not be additional patches you can download
(add-ons). This auditing is dealing with the current code in the source, not
adding or implementing new functions.

2) To educate kernel developers/hackers on how to securely write code. It is
my hope that kernel developers/hackers new and old will subscribe and post to
this mailing list with questions and share information, and to simply get help
with their code (e.g.: "Could this function() cause a possible security hole or
lead to an exploit?"), this is the true power of open source and GNU/Linux

3) To be ahead of the game... A perfect example of this are certain proprietary
Operating System developers who sit around and wait for a security bug to come
to them and not go to find the bug themselves. Of course this needs no
explanation as to why this never works. I feel that kernel developers/hackers
are down to earth and pretty logical people and realize that Linux is _NOT_
perfect, that a lot of the code they write, submit, and gets plugged into the
kernel is not flawless and more than likely could be improved for security
reasons.

4) To provide an operating system to the public. I want to see a Linux where
the sysadmin doesn't have to watch his back all the time in fear of say some
new knfsd exploit or a way to fork()bomb his/her router via a simple mistake
in buffer.c 

5) To provide a safe Linux to the end-user.. Linux is slowly but surely becoming
a choice for the desktop user. Most of these users are walking into Linux with
no knowledge of what potential dangers lie at their finger tips and in their 
hard drive. Linux has proven to be one of the most secure operating systems, but
I feel as Linux becomes more popular with the general public this will change, 
that more kernel security holes and exploits will arise from nowhere and give 
us a very unpleasant reality check. 

And at last, this will be no easy project, security auditing never is. 
It takes man power, skill, and just plain aching time. But I believe if the
community gets together on this one, nothing will stop us and Linux will 
go on to become the #1 security-wise operating system to this date.

Sincerely 
Bryan Paxton

How to subscribe:

echo subscribe kernel-audit | mail [EMAIL PROTECTED]



--- End Message ---


Re: How can I help ?

2000-06-14 Thread Nathan Paul Simons
On Wed, Jun 14, 2000 at 09:23:54AM +0200, L. Besselink wrote:
> On Tue, 13 Jun 2000, Thomas Guettler wrote:
> If you ask me personally what things in Linux and/or Debian are most
> needed ? Those are two things:
> 
> - I/O performance. Linux just doesn't have as good an I/O performance as
> the BSD family.

You might be interested in the discussion going on over streaming
I/O performance on [EMAIL PROTECTED]

> and
> - Proactive security source code reading/fixing, like what the OpenBSD
> people do.

I wanted to start a project like that a while back.  I examined
the OpenBSD patches to try to figure out exactly what they looked for.
Unfortunately, between school and jobs, I haven't had the time to
really delve into the subject or apply their techniques to Linux.

> As you can see, only one is security related :/ I know it may sound a bit
> boring and I know Debian is probably the best Linux distribution in that
> field (well, they fix very fast anyway ;), but it is even more important
> than adding new things if you ask me.
> 
> This is just my personal opinion.
> 
> > 
> > One thing I am interested in, which is AFAIK not
> > implemented yet:
> > Cross-platform user authentication (win+unix),
> > via LDAP.
> > 

One thing you might take a look at while you're at it is adding
LDAP support to Netatalk.  I know at least one SysAdmin who was 
trying to get his whole network using LDAP, and Samba already has
support (according to a previous email I saw on this list), but he
needed a solution for his Macs as well.  I don't have his email 
here (he contacted me at work).

Nathan Paul Simons
http://www.nmt.edu/~npsimons/



Re: How can I help ?

2000-06-14 Thread Alexander Hvostov
Lennie,

There's all sorts of interesting tweaks you can do to Linux to fine-tune
its network behavior via /proc. I suggest you look into it.

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Wed, 14 Jun 2000, L. Besselink wrote:

> On Wed, 14 Jun 2000, Alexander Hvostov wrote:
> 
> > Lennie,
> > 
> > Can you give me any more details than just that Linux I/O performance is
> > inferior to *BSD?
> 
> not much :/
> 
> All I can show is from my own experience.
> 
> Some time ago, I 'replaced' my home firewall 486 Debian installation with
> OpenBSD (just to try it out a bit) and it improved my network performance
> dramatically (no I don't have hard facts at hand). I think it has/had
> something to do with mtu discovery or something, because I'm connected
> with an @home cable modem and to be honest their systems have had problems
> in the past and still do and with OpenBSD I think it's been doing a lot
> better job, somehow. I think it's mtu discovery because sometimes if the
> cable is down, I get back cutdown pings to the gateway. So some of it
> gets through but not all somehow, it's really strange. Also this new OS
> seems more speedy than the previous, although I can not back this with
> facts either (I forgot to run something like bonnie to find out).
> 
> Also I keep reading on the Linux kernel mailing list that they are not too
> happy about current performance yet. ;) So maybe this also says something
> as I'm sure they have a good view on things.
> 
> Did this help ?
> 
> > 
> > Regards,
> > 
> > Alex.
> > 
> 
> Same to ya,
>   Lennie.
> 
> -
> New things are always on the horizon.
> 



Re: How can I help ?

2000-06-14 Thread L. Besselink
On Wed, 14 Jun 2000, Alexander Hvostov wrote:

> Lennie,
> 
> Can you give me any more details than just that Linux I/O performance is
> inferior to *BSD?

not much :/

All I can show is from my own experience.

Some time ago, I 'replaced' my home firewall 486 Debian installation with
OpenBSD (just to try it out a bit) and it improved my network performance
dramatically (no I don't have hard facts at hand). I think it has/had
something to do with mtu discovery or something, because I'm connected
with an @home cable modem and to be honest their systems have had problems
in the past and still do and with OpenBSD I think it's been doing a lot
better job, somehow. I think it's mtu discovery because sometimes if the
cable is down, I get back cutdown pings to the gateway. So some of it
gets through but not all somehow, it's really strange. Also this new OS
seems more speedy than the previous, although I can not back this with
facts either (I forgot to run something like bonnie to find out).

Also I keep reading on the Linux kernel mailing list that they are not too
happy about current performance yet. ;) So maybe this also says something
as I'm sure they have a good view on things.

Did this help ?

> 
> Regards,
> 
> Alex.
> 

Same to ya,
Lennie.

-
New things are always on the horizon.



Re: How can I help ?

2000-06-14 Thread Alexander Hvostov
Lennie,

Can you give me any more details than just that Linux I/O performance is
inferior to *BSD?

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Wed, 14 Jun 2000, L. Besselink wrote:

> On Tue, 13 Jun 2000, Thomas Guettler wrote:
> 
> > I am in the same position. I have got some time left which
> > I could spend in an opensource project. Nearly all
> > things I dream of are already working.
> > So that I don't know where to join.
> > And Mozilla is too big.
> > And like Florian I am interested in security.
> > 
> > If someone knows where to start, please give
> > us a hint.
> > I know some C, C++, Perl, Shell, Java, XML.
> 
> If you ask me personally what things in Linux and/or Debian are most
> needed ? Those are two things:
> 
> - I/O performance. Linux just doesn't have as good an I/O performance as
> the BSD family.
> and
> - Proactive security source code reading/fixing, like what the OpenBSD
> people do.
> 
> As you can see, only one is security related :/ I know it may sound a bit
> boring and I know Debian is probably the best Linux distribution in that
> field (well, they fix very fast anyway ;), but it is even more important
> than adding new things if you ask me.
> 
> This is just my personal opinion.
> 
> > 
> > One thing I am interested in, which is AFAIK not
> > implemented yet:
> > Cross-platform user authentication (win+unix),
> > via LDAP.
> > 
> 
> But of course I have no problem with anyone adding new and great features.
> ;)
> 
> 
> 
> Hope this made sense and not just noise,
>   Lennie.
> 
> -
> New things are always on the horizon.
> 
> 
> 
> 
> 



Re: How can I help ?

2000-06-14 Thread L. Besselink
On Tue, 13 Jun 2000, Thomas Guettler wrote:

> I am in the same position. I have got some time left which
> I could spend in an opensource project. Nearly all
> things I dream of are already working.
> So that I don't know where to join.
> And Mozilla is too big.
> And like Florian I am interested in security.
> 
> If someone knows where to start, please give
> us a hint.
> I know some C, C++, Perl, Shell, Java, XML.

If you ask me personally what things in Linux and/or Debian are most
needed ? Those are two things:

- I/O performance. Linux just doesn't have as good an I/O performance as
the BSD family.
and
- Proactive security source code reading/fixing, like what the OpenBSD
people do.

As you can see, only one is security related :/ I know it may sound a bit
boring and I know Debian is probably the best Linux distribution in that
field (well, they fix very fast anyway ;), but it is even more important
than adding new things if you ask me.

This is just my personal opinion.

> 
> One thing I am interested in, which is AFAIK not
> implemented yet:
> Cross-platform user authentication (win+unix),
> via LDAP.
> 

But of course I have no problem with anyone adding new and great features.
;)



Hope this made sense and not just noise,
Lennie.

-
New things are always on the horizon.





Re: How can I help ?

2000-06-13 Thread Alexander Hvostov
Michael,

I have a better idea: an integrated 'user' command, which uses plugins to
access the actual database server (like PAM, but for writing to the
database rather than reading from it), and performs any of several
functions. Some examples:

# user add joe
Enter password:
Repeat password:
User joe added.
# user delete joe
Really delete user joe? [y/n] y
Delete home directory? [y/n] y
User joe deleted.
# group --database=ldap create lusers
Group lusers created.
# user --database=ldap add joe
Enter password:
Repeat password:
User joe added.
# group --database=ldap add joe lusers
User joe added to group lusers.
# group --database=ldap delete lusers
Really delete group lusers? [y/n] y
Group lusers deleted.
# user --database=ldap list
root:0:...
...
# group --database=ldap list
wheel:0:...
...
# user --help
Usage: user [options] command [parameters]

Options:
  --database=db  Specify a database to use. See user(8) for more.
  --uid=n        Specify a UID number to use when creating a user.
  --system       Adds a system user, rather than a normal user.
  --no-passwd    Does not ask to set a password when creating a user.
  --home=dir     Specify the new user's home directory.
  --help         This help screen.

Commands:
  add            Adds a new user.
  delete         Deletes a user.
  list           Lists existing users.
# group --help
Usage: group [options] command [parameters]

Options:
  --database=db  Specify a database to use. See group(8) for more.
  --passwd       Specify the new group's password, so users can gain access
                 to the group by entering the password.
  --gid=n        Specify a GID number to use when creating a group.

Commands:
  create         Creates a new group.
  delete         Deletes a group.
  add            Adds an existing user to an existing group.
  list           Lists existing groups.
#

You guys get the idea?

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Wed, 14 Jun 2000, Michael Vogt wrote:

> On Tue, Jun 13, 2000 at 03:54:25PM +0200, Thomas Guettler wrote:
> > I am in the same position. I have got some time left which
> > I could spend in an opensource project. Nearly all
> > things I dream of are already working.
> > So that I don't know where to join.
> > And Mozilla is too big.
> > And like Florian I am interested in security.
> > 
> > If someone knows where to start, please give
> > us a hint.
> > I know some C, C++, Perl, Shell, Java, XML.
> > 
> > One thing I am interested in, which is AFAIK not
> > implemented yet:
> > Cross-platform user authentication (win+unix),
> > via LDAP.
> For the unix side, please have a look at libpam-ldap and libnss-ldap. I made
> some patches against the stock debian package to support debconf for these
> modules. I think better LDAP support for debian would be a very good
> thing(tm).
> (If someone is interested in the patches, please have a look at
>  http://master.debian.org/~mvo/ldap. I am very interested in feedback).
> 
> What I really miss is an LDAP-enabled user-manager. If someone would be working
> on that... :)
> 
> 
> bye
>  Michael
> 
> -- 
> GPG Fingerprint = EA71 B296 4597 4D8B 343E  821E 9624 83E1 5662 C734
>  /"\ o
>  \ / ASCII RIBBON CAMPAIGN  /|\
>   X  AGAINST HTML MAIL >>
>  / \ o
> 
> 
> 



RE: How can I help ?

2000-06-13 Thread Alexander Hvostov
Ryan,

It may be encrypted, but it isn't public-key encrypted or anything like
that. Anyone with a packet analyzer (ngrep will do it) can just send the
encrypted password to the server, so it's just as good as having the
cleartext password.

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Tue, 13 Jun 2000, Ryan White wrote:

> 
> As I recall after windows 95 the passwords are sent over the line
> encrypted. The encryption might be weak but they are not clear text
> anymore. 
> 
> There is a switch in SMB to allow encrypted passwords. This is ON by
> default in debian (I believe)
> 
> -Ryan
> 
> On Tue, 13 Jun 2000, Alexander Hvostov wrote:
> 
> > Ronny and all,
> > 
> > If you want to use LDAP, I suggest you do LDAP over SSL/TLS. The current
> > OpenLDAP doesn't support it natively, but I believe there's a patch, and
> > of course there's always wrappers like stunnel.
> > 
> > Of course, if you want to use user authentication from Windows, using PAM
> > is more or less out of the question. LDAP, of course, is not, and neither
> > is SSL/TLS.
> > 
> > By the way, Samba already is able to use LDAP for authentication, though
> > it's not too great, last I checked. Maybe you fellows could work on
> > it?
> > 
> > Finally, if any of you have any knowledge of programming Windows drivers,
> > I suggest you write a replacement and/or hack for the "Client for
> > Microsoft Networks" driver, so that it can talk to Samba over SSL/TLS,
> > which would be a very nice thing to have. (I hate the idea of sending my
> > password in the clear over a SMB connection...)
> > 
> > Regards,
> > 
> > Alex.
> > 
> > ---
> > PGP/GPG Fingerprint:
> >   EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9
> > 
> > -BEGIN GEEK CODE BLOCK-
> > Version: 3.12
> > GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
> > O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
> > G e-- h++ r--- y
> > --END GEEK CODE BLOCK--
> > 
> > On Tue, 13 Jun 2000, Ronny Adsetts wrote:
> > 
> > > 
> > > 
> > > > One thing I am interested in, which is AFAIK not
> > > > implemented yet:
> > > > Cross-platform user authentication (win+unix),
> > > > via LDAP.
> > > 
> > > This is a great idea. I am willing to help if pointed in the right
> > > direction. I guess using PAM and Samba together with LDAP might be a
> > > place to start.
> > > 
> > > Have perl, shell (bash) and some c skills, but always willing to
> > > learn.
> > > 
> > > Ronny Adsetts
> > > 
> > 
> 
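
The replay concern raised in the message above, as a toy model added here (not code from the thread, and not SMB's actual wire protocol): scheme A sends the same transformed password on every login, while scheme B mixes a single-use server nonce into each proof. The class names, the SHA-256/HMAC choice and the sample password are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse battery"  # constructed sample credential


def transform(password: str) -> bytes:
    """Stand-in for the client's one-way password transform (SHA-256 here)."""
    return hashlib.sha256(password.encode()).digest()


class StaticServer:
    """Scheme A: the transformed password itself is what crosses the wire."""

    def __init__(self, password: str) -> None:
        self._stored = transform(password)

    def login(self, wire_value: bytes) -> bool:
        # The server cannot tell a fresh login from a recorded one:
        # both present exactly the same bytes.
        return hmac.compare_digest(wire_value, self._stored)


class ChallengeServer:
    """Scheme B: a fresh single-use nonce is mixed into every proof.

    The stored key is still password-equivalent, so it needs the same
    protection on disk as the password itself.
    """

    def __init__(self, password: str) -> None:
        self._key = transform(password)
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already-used nonce
        self._outstanding.discard(nonce)  # each nonce is valid once
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def client_response(password: str, nonce: bytes) -> bytes:
    """Client side of scheme B: prove knowledge of the password for this nonce."""
    return hmac.new(transform(password), nonce, hashlib.sha256).digest()


def static_scheme_results() -> dict:
    server = StaticServer(PASSWORD)
    on_the_wire = transform(PASSWORD)  # what a passive observer records
    return {
        "legitimate": server.login(on_the_wire),
        # Same bytes presented again by someone who never knew the password.
        "replayed": server.login(on_the_wire),
    }


def challenge_scheme_results() -> dict:
    server = ChallengeServer(PASSWORD)
    nonce = server.challenge()
    recorded = client_response(PASSWORD, nonce)  # observed during a real login
    legitimate = server.login(nonce, recorded)
    replayed_same_nonce = server.login(nonce, recorded)  # nonce already spent
    fresh = server.challenge()
    replayed_fresh_nonce = server.login(fresh, recorded)  # proof bound to old nonce
    return {
        "legitimate": legitimate,
        "replayed_same_nonce": replayed_same_nonce,
        "replayed_fresh_nonce": replayed_fresh_nonce,
    }


if __name__ == "__main__":
    print("static:   ", static_scheme_results())
    print("challenge:", challenge_scheme_results())
```

Neither scheme protects the rest of the session, which is why the thread's suggestion of wrapping the connection in SSL/TLS addresses more than the login step.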



Re: How can I help ?

2000-06-13 Thread Alexander Hvostov

Michael,

I have a better idea: an integrated 'user' command, which uses plugins to
access the actual database server (like PAM, but for writing to the
database rather than reading from it), and performs any of several
functions. Some examples:

# user add joe
Enter password:
Repeat password:
User joe added.
# user delete joe
Really delete user joe? [y/n] y
Delete home directory? [y/n] y
User joe deleted.
# group --database=ldap create lusers
Group lusers created.
# user --database=ldap add joe
Enter password:
Repeat password:
User joe added.
# group --database=ldap add joe lusers
User joe added to group lusers.
# group --database=ldap delete lusers
Really delete group lusers? [y/n] y
Group lusers deleted.
# user --database=ldap list
root:0:...
...
# group --database=ldap list
wheel:0:...
...
# user --help
Usage: user [options] command [parameters]

Options:
  --database=db Specify a database to use. See user(8) for more.
  --uid=n   Specify a UID number to use when creating a user.
  --system  Adds a system user, rather than a normal user.
  --no-passwd   Does not ask to set a password when creating a user.
  --home=dirSpecify the new user's home directory.
  --helpThis help screen.

Commands:
  add   Adds a new user.
  deleteDeletes a user.
  list  Lists existing users.
# group --help
Usage: group [options] command [parameters]

Options:
  --database=db Specify a database to use. See group(8) for more.
  --passwd  Specify the new group's password, so users can gain access
to the group by entering the password.
  --gid=n   Specify a GID number to use when creating a group.

Commands:
  createCreates a new group.
  deleteDeletes a group.
  add   Adds an existing user to an existing group.
  list  Lists existing groups.
#

You guys get the idea?

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Wed, 14 Jun 2000, Michael Vogt wrote:

> On Tue, Jun 13, 2000 at 03:54:25PM +0200, Thomas Guettler wrote:
> > I am in the same position. I have got some time left which
> > I could spent in an opensource project. Nearly all 
> > things I dream of are already working.
> > So that I don't know where to join.
> > And Mozilla ist too big.
> > And like Florian I am interested in security.
> > 
> > If someone knows where to start, please give
> > us a hint.
> > I know some C, C++, Perl, Shell, Java, XML.
> > 
> > One thing I am interested is, which ist AFAIK no
> > implemented yet:
> > Crossplattform userauthentication (win+unix),
> > via LDAP.
> For the unix side, please have a look at libpam-ldap and libnss-ldap. I made
> some patches against the stock debian package to support debconf for these
> modules. I think better LDAP support for debian would be a very good thing(tm).
> (If someone is interessed in the patches, please have a look at 
>  http://master.debian.org/~mvo/ldap. I am very interessed in feedback).
> 
> What I really miss is a LDAP enabled user-manager. If someone would working
> on that... :)
> 
> 
> bye
>  Michael
> 
> -- 
> GPG Fingerprint = EA71 B296 4597 4D8B 343E  821E 9624 83E1 5662 C734
>  /"\                             o
>  \ /   ASCII RIBBON CAMPAIGN    /|\
>   X      AGAINST HTML MAIL      >>
>  / \                             o




Re: How can I help ?

2000-06-13 Thread Michael Vogt
On Tue, Jun 13, 2000 at 03:54:25PM +0200, Thomas Guettler wrote:
> I am in the same position. I have got some time left which
> I could spend in an opensource project. Nearly all 
> things I dream of are already working.
> So that I don't know where to join.
> And Mozilla is too big.
> And like Florian I am interested in security.
> 
> If someone knows where to start, please give
> us a hint.
> I know some C, C++, Perl, Shell, Java, XML.
> 
> One thing I am interested in, which is AFAIK not
> implemented yet:
> Cross-platform user authentication (win+unix),
> via LDAP.
For the unix side, please have a look at libpam-ldap and libnss-ldap. I made
some patches against the stock debian package to support debconf for these
modules. I think better LDAP support for debian would be a very good thing(tm).
(If someone is interested in the patches, please have a look at 
 http://master.debian.org/~mvo/ldap. I am very interested in feedback).

What I really miss is an LDAP enabled user-manager. If someone would be working
on that... :)


bye
 Michael

-- 
GPG Fingerprint = EA71 B296 4597 4D8B 343E  821E 9624 83E1 5662 C734
 /"\                             o
 \ /   ASCII RIBBON CAMPAIGN    /|\
  X      AGAINST HTML MAIL      >>
 / \                             o



RE: How can I help ?

2000-06-13 Thread Alexander Hvostov

Ryan,

It may be encrypted, but it isn't public-key encrypted or anything like
that. Anyone with a packet analyzer (ngrep will do it) can just send the
encrypted password to the server, so it's just as good as having the
cleartext password.

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Tue, 13 Jun 2000, Ryan White wrote:

> 
> As I recall after windows 95 the passwords are sent over the line
> encrypted. The encryption might be weak but they are not clear text
> anymore. 
> 
> There is a switch in SMB to allow encrypted passwords. This is ON by
> default in debian (I believe)
> 
> -Ryan
> 
> On Tue, 13 Jun 2000, Alexander Hvostov wrote:
> 
> > Ronny and all,
> > 
> > If you want to use LDAP, I suggest you do LDAP over SSL/TLS. The current
> > OpenLDAP doesn't support it natively, but I believe there's a patch, and
> > of course there's always wrappers like stunnel.
> > 
> > Of course, if you want to use user authentication from Windows, using PAM
> > is more or less out of the question. LDAP, of course, is not, and neither
> > is SSL/TLS.
> > 
> > By the way, Samba already is able to use LDAP for authentication, though
> > it's not too great, last I checked. Maybe you fellows could work on
> > it?
> > 
> > Finally, if any of you have any knowledge of programming Windows drivers,
> > I suggest you write a replacement and/or hack for the "Client for
> > Microsoft Networks" driver, so that it can talk to Samba over SSL/TLS,
> > which would be a very nice thing to have. (I hate the idea of sending my
> > password in the clear over a SMB connection...)
> > 
> > Regards,
> > 
> > Alex.
> > 
> > ---
> > PGP/GPG Fingerprint:
> >   EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9
> > 
> > -BEGIN GEEK CODE BLOCK-
> > Version: 3.12
> > GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
> > O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
> > G e-- h++ r--- y
> > --END GEEK CODE BLOCK--
> > 
> > On Tue, 13 Jun 2000, Ronny Adsetts wrote:
> > 
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA1
> > > 
> > > 
> > > > One thing I am interested in, which is AFAIK not
> > > > implemented yet:
> > > > Cross-platform user authentication (win+unix),
> > > > via LDAP.
> > > 
> > > This is a great idea. I am willing to help if pointed in the right
> > > direction. I guess using PAM and Samba together with LDAP might be a
> > > place to start.
> > > 
> > > Have perl, shell (bash) and some c skills, but always willing to
> > > learn.
> > > 
> > > Ronny Adsetts
> > > 
> > > -BEGIN PGP SIGNATURE-
> > > Version: PGP 6.5.1i for non-commercial use 
> > > 
> > > iQA/AwUBOUawvP4+LjEVAJSfEQJMUQCcDdBLxD1S7fkYhM9sniPedA1G3+cAoO57
> > > hMtR+4P+qMsMXS5sNEc5Tyvq
> > > =jQaV
> > > -END PGP SIGNATURE-
> 
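
Added example, not part of the original message: a toy model of the replay problem raised in the reply above, comparing a server that accepts a fixed password-derived value with one that demands a response to a fresh per-login challenge. It does not reproduce SMB's actual protocol; the class names, function names and the account are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os


def derive_key(password: str) -> bytes:
    """Password-derived secret held by the server (toy: real systems use a slow, salted KDF)."""
    return hashlib.sha256(password.encode()).digest()


class StaticServer:
    """Hypothetical server that accepts the derived value itself as proof."""

    def __init__(self, users):
        self.keys = {u: derive_key(p) for u, p in users.items()}

    def login(self, user, token: bytes) -> bool:
        key = self.keys.get(user)
        return key is not None and hmac.compare_digest(key, token)


class ChallengeServer:
    """Hypothetical server that issues a fresh random challenge per attempt."""

    def __init__(self, users):
        self.keys = {u: derive_key(p) for u, p in users.items()}
        self.pending = {}

    def challenge(self, user) -> bytes:
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # each challenge is single-use
        key = self.keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(password: str, nonce: bytes) -> bytes:
    """Client side of the challenge-response exchange."""
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def demo():
    users = {"alice": "correct horse"}  # constructed account
    static = StaticServer(users)
    on_wire = derive_key("correct horse")  # bytes an observer of the link would record
    result = {"static_legit": static.login("alice", on_wire),
              "static_replay": static.login("alice", on_wire)}  # same bytes, sent again

    cr = ChallengeServer(users)
    recorded = respond("correct horse", cr.challenge("alice"))
    result["cr_legit"] = cr.login("alice", recorded)
    cr.challenge("alice")  # later session: the server picks a new nonce
    result["cr_replay"] = cr.login("alice", recorded)  # stale response is rejected
    return result


if __name__ == "__main__":
    print(demo())
```

The challenge only stops replay of recorded traffic: the stored key is still password-equivalent if it leaks from the server, so wrapping the connection in SSL/TLS as suggested in the thread remains worthwhile.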






RE: How can I help ?

2000-06-13 Thread Ryan White

As I recall after windows 95 the passwords are sent over the line
encrypted. The encryption might be weak but they are not clear text
anymore. 

There is a switch in SMB to allow encrypted passwords. This is ON by
default in debian (I believe)

-Ryan

On Tue, 13 Jun 2000, Alexander Hvostov wrote:

> Ronny and all,
> 
> If you want to use LDAP, I suggest you do LDAP over SSL/TLS. The current
> OpenLDAP doesn't support it natively, but I believe there's a patch, and
> of course there's always wrappers like stunnel.
> 
> Of course, if you want to use user authentication from Windows, using PAM
> is more or less out of the question. LDAP, of course, is not, and neither
> is SSL/TLS.
> 
> By the way, Samba already is able to use LDAP for authentication, though
> it's not too great, last I checked. Maybe you fellows could work on
> it?
> 
> Finally, if any of you have any knowledge of programming Windows drivers,
> I suggest you write a replacement and/or hack for the "Client for
> Microsoft Networks" driver, so that it can talk to Samba over SSL/TLS,
> which would be a very nice thing to have. (I hate the idea of sending my
> password in the clear over a SMB connection...)
> 
> Regards,
> 
> Alex.
> 
> ---
> PGP/GPG Fingerprint:
>   EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9
> 
> -BEGIN GEEK CODE BLOCK-
> Version: 3.12
> GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
> O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
> G e-- h++ r--- y
> --END GEEK CODE BLOCK--
> 
> On Tue, 13 Jun 2000, Ronny Adsetts wrote:
> 
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> > 
> > 
> > > One thing I am interested in, which is AFAIK not
> > > implemented yet:
> > > Cross-platform user authentication (win+unix),
> > > via LDAP.
> > 
> > This is a great idea. I am willing to help if pointed in the right
> > direction. I guess using PAM and Samba together with LDAP might be a
> > place to start.
> > 
> > Have perl, shell (bash) and some c skills, but always willing to
> > learn.
> > 
> > Ronny Adsetts
> > 
> > -BEGIN PGP SIGNATURE-
> > Version: PGP 6.5.1i for non-commercial use 
> > 
> > iQA/AwUBOUawvP4+LjEVAJSfEQJMUQCcDdBLxD1S7fkYhM9sniPedA1G3+cAoO57
> > hMtR+4P+qMsMXS5sNEc5Tyvq
> > =jQaV
> > -END PGP SIGNATURE-




RE: How can I help ?

2000-06-13 Thread Alexander Hvostov
Ronny and all,

If you want to use LDAP, I suggest you do LDAP over SSL/TLS. The current
OpenLDAP doesn't support it natively, but I believe there's a patch, and
of course there's always wrappers like stunnel.

Of course, if you want to use user authentication from Windows, using PAM
is more or less out of the question. LDAP, of course, is not, and neither
is SSL/TLS.

By the way, Samba already is able to use LDAP for authentication, though
it's not too great, last I checked. Maybe you fellows could work on
it?

Finally, if any of you have any knowledge of programming Windows drivers,
I suggest you write a replacement and/or hack for the "Client for
Microsoft Networks" driver, so that it can talk to Samba over SSL/TLS,
which would be a very nice thing to have. (I hate the idea of sending my
password in the clear over a SMB connection...)

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCM d- s:+ a--- C UL P L+++ E W++ N o-- K- w
O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+
G e-- h++ r--- y
--END GEEK CODE BLOCK--

On Tue, 13 Jun 2000, Ronny Adsetts wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> 
> > One thing I am interested in, which is AFAIK not
> > implemented yet:
> > Cross-platform user authentication (win+unix),
> > via LDAP.
> 
> This is a great idea. I am willing to help if pointed in the right
> direction. I guess using PAM and Samba together with LDAP might be a
> place to start.
> 
> Have perl, shell (bash) and some c skills, but always willing to
> learn.
> 
> Ronny Adsetts
> 
> -BEGIN PGP SIGNATURE-
> Version: PGP 6.5.1i for non-commercial use 
> 
> iQA/AwUBOUawvP4+LjEVAJSfEQJMUQCcDdBLxD1S7fkYhM9sniPedA1G3+cAoO57
> hMtR+4P+qMsMXS5sNEc5Tyvq
> =jQaV
> -END PGP SIGNATURE-



RE: How can I help ?

2000-06-13 Thread Ronny Adsetts
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


> One thing I am interested in, which is AFAIK not
> implemented yet:
> Cross-platform user authentication (win+unix),
> via LDAP.

This is a great idea. I am willing to help if pointed in the right
direction. I guess using PAM and Samba together with LDAP might be a
place to start.

Have perl, shell (bash) and some c skills, but always willing to
learn.

Ronny Adsetts

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.1i for non-commercial use 

iQA/AwUBOUawvP4+LjEVAJSfEQJMUQCcDdBLxD1S7fkYhM9sniPedA1G3+cAoO57
hMtR+4P+qMsMXS5sNEc5Tyvq
=jQaV
-END PGP SIGNATURE-



Re: How can I help ?

2000-06-13 Thread Thomas Guettler
I am in the same position. I have got some time left which
I could spend in an opensource project. Nearly all 
things I dream of are already working.
So that I don't know where to join.
And Mozilla is too big.
And like Florian I am interested in security.

If someone knows where to start, please give
us a hint.
I know some C, C++, Perl, Shell, Java, XML.

One thing I am interested in, which is AFAIK not
implemented yet:
Cross-platform user authentication (win+unix),
via LDAP.

Florian Blaser wrote:
> 
> Greetings everybody !
> 
> I've read in the news from the debian site that the security team was kind of
> short of resources and that some more people were needed. I would like to
> help, but I'm not actually a good security-specialist. I'm eager to learn, and
> would like to know what I can do or read to be helpful to you. Is there
> anybody out there wishing to be my "mentor" ?
> 
> Thanks a lot for your answers !
> 
> Florian

-- 
Thomas Guettler <[EMAIL PROTECTED]>
http://www.interface-business.de



How can I help ?

2000-06-10 Thread Florian Blaser
Greetings everybody !

I've read in the news from the debian site that the security team was kind of
short of resources and that some more people were needed. I would like to
help, but I'm not actually a good security-specialist. I'm eager to learn, and
would like to know what I can do or read to be helpful to you. Is there
anybody out there wishing to be my "mentor" ?

Thanks a lot for your answers !

Florian


