Re: [expert] how do I allow users to ftp in

1999-11-22 Thread John Aldrich

On Sun, 21 Nov 1999, you wrote:
> Chmouel Boudjnah wrote:
> 
> > what wuftp version you use ? i think i have fixed all these thing in
> > wu-ftpd-2.6-2mdk.
> 
> Where can I find it? I've looked on the mdk ftp site and some mirrors and
> can't find 2.6-2.
> 
Try rpmfind.net.
John



Re: [expert] how do I allow users to ftp in

1999-11-21 Thread Derek Simkowiak

> -What would that be? I've enabled the MD5+shadow and reset my password
> -but I still can't ftp in as myself.

> Is the ftpd package installed?  It is not installed by default.

After you try logging in with FTP (and it fails), an error
message should be written to the file /var/log/messages.

Type in

tail /var/log/messages

...right after you have a failed FTP login and see what it says.

--Derek



Re: [expert] how do I allow users to ftp in

1999-11-21 Thread Sheldon Lee Wen

Chmouel Boudjnah wrote:

> what wuftp version you use ? i think i have fixed all these thing in
> wu-ftpd-2.6-2mdk.

Where can I find it? I've looked on the mdk ftp site and some mirrors and
can't find 2.6-2.

-- 
==
Sheldon Lee Wen    http://members.xoom.com/Lycadican
"Superstition is a word the ignorant use to describe their ignorance."
  -- Sifu.
==



Re: [expert] how do I allow users to ftp in

1999-11-21 Thread Stephen Carville

Do you have ftpd commented out in /etc/inetd.conf?

Is the ftpd package installed?  It is not installed by default.

On Sun, 21 Nov 1999, you wrote:
-Steve,
-
-> Even IF you turn on MD5, you can still have legacy passwords in
-> /etc/passwd.  There's also a conversion utility to convert a legacy
-> passwd file to shadowed.
-
-What would that be? I've enabled the MD5+shadow and reset my password
-but I still can't ftp in as myself.

--
Stephen Carville

A well educated citizenry, being essential to the maintenance of a free
society, the right of the people, to keep and read books shall not be 
infringed.



Re: [expert] how do I allow users to ftp in

1999-11-21 Thread John Aldrich

On Sun, 21 Nov 1999, you wrote:
> > what wuftp version you use ? i think i have fixed all these thing in
> > wu-ftpd-2.6-2mdk.
> 
> Where can I get it? It's not on your ftp server or on a couple of the
> mirrors
> I checked.
> 
Have you tried looking in "cooker"??? Try going to www.rpmfind.net
and searching for wu-ftpd-2.6-2mdk :-)
John



Re: [expert] how do I allow users to ftp in

1999-11-21 Thread Sheldon Lee Wen

Chmouel Boudjnah wrote:
> 
> Sheldon Lee Wen <[EMAIL PROTECTED]> writes:
> 
> > Steve,
> >
> > > Even IF you turn on MD5, you can still have legacy passwords in
> > > /etc/passwd.  There's also a conversion utility to convert a legacy
> > > passwd file to shadowed.
> >
> > What would that be? I've enabled the MD5+shadow and reset my password
> > but I still can't ftp in as myself.
> 
> what wuftp version you use ? i think i have fixed all these thing in
> wu-ftpd-2.6-2mdk.

Where can I get it? It's not on your ftp server or on a couple of the
mirrors
I checked.

> 
>   --Chmouel

-- 
==
Sheldon Lee Wen    http://members.xoom.com/Lycadican
"Superstition is a word the ignorant use to describe their ignorance."
  -- Sifu.
==



Re: [expert] how do I allow users to ftp in

1999-11-21 Thread Sheldon Lee Wen

Steve,

> Even IF you turn on MD5, you can still have legacy passwords in
> /etc/passwd.  There's also a conversion utility to convert a legacy
> passwd file to shadowed.

What would that be? I've enabled the MD5+shadow and reset my password
but I still can't ftp in as myself.

Sheldon.
-- 
==
Sheldon Lee Wen    http://members.xoom.com/Lycadican
"Superstition is a word the ignorant use to describe their ignorance."
  -- Sifu.
==



Re: [expert] how do I allow users to ftp in

1999-11-17 Thread Derek Simkowiak

> - Further testing is necessary to identify the exact cause of this
> -bug.
> 
> It should be fixed of course but why would anyone want to not use MD5
> and shadow passwords?

If you have a passwd file maintenance system with dozens (or
hundreds) of users, you may not want to force everybody to re-create their
passwords when you can just copy the old passwd file.

--Derek



Re: [expert] how do I allow users to ftp in

1999-11-17 Thread Stephen Carville

On Wed, 17 Nov 1999, you wrote:
-> I thought 'normal users' are by default allowed to ftp to their home
-> directory.
-
-   They are.  It breaks if you turn off MD5 and/or Shadowed
-passwords.
-
-   Further testing is necessary to identify the exact cause of this
-bug.

It should be fixed of course but why would anyone want to not use MD5
and shadow passwords?

--
Stephen Carville

A well educated citizenry, being essential to the maintenance of a free
society, the right of the people, to keep and read books shall not be 
infringed.



Re: [expert] how do I allow users to ftp in

1999-11-17 Thread Derek Simkowiak

I REPEAT: This is broken if you did not enable MD5 and/or Shadow password
support when you installed Mandrake.

See prior messages for details.

--Derek

On Wed, 17 Nov 1999, Stephen Carville wrote:

> On Wed, 17 Nov 1999, you wrote:
> -does the anonftp  allow for more than anonymous ftp?  
> 
> No and you probably shouldn't use anonymous ftp for this.
> 
> -I have been trying
> -to allow a user ftp access to a web directory and haven't been
> -successful.
> 
> Check that he had a password (ftp will not allow a user with no
> password in), is not listed in /etc/ftpusers, and the user's shell is
> listed in /etc/shells.
> 
> --
> Stephen Carville
> 
> A well educated citizenry, being essential to the maintenance of a free
> society, the right of the people, to keep and read books shall not be 
> infringed.
> 



Re: [expert] how do I allow users to ftp in

1999-11-17 Thread Derek Simkowiak

> I thought 'normal users' are by default allowed to ftp to their home
> directory.

They are.  It breaks if you turn off MD5 and/or Shadowed
passwords.

Further testing is necessary to identify the exact cause of this
bug.

--Derek



Re: [expert] how do I allow users to ftp in

1999-11-17 Thread Derek Simkowiak

I just finished a thread dealing with this.

The problem probably has something to do with PAM config.

This happened to me when I disabled MD5 and Shadow Passwords.  To fix the
problem, run "setup" as root, then change your Auth Config to enable MD5
and shadow passwords.

--Derek

 On Wed, 17 Nov 1999, Timothy Litwiller wrote:

> does the anonftp  allow for more than anonymous ftp?  I have been trying
> to allow a user ftp access to a web directory and haven't been
> successful.
> 



Re: [expert] how do I allow users to ftp in

1999-11-17 Thread Stephen Carville

On Wed, 17 Nov 1999, you wrote:
-does the anonftp  allow for more than anonymous ftp?  

No and you probably shouldn't use anonymous ftp for this.

-I have been trying
-to allow a user ftp access to a web directory and haven't been
-successful.

Check that he had a password (ftp will not allow a user with no
password in), is not listed in /etc/ftpusers, and the user's shell is
listed in /etc/shells.

--
Stephen Carville

A well educated citizenry, being essential to the maintenance of a free
society, the right of the people, to keep and read books shall not be 
infringed.
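
Added example, not part of the original post: the three checks listed above (usable password, not in /etc/ftpusers, shell listed in /etc/shells) as one shell function. The function name, the sample accounts and the placeholder hash strings are constructed for illustration; treating a "!" or "*" prefix as "no usable password" is an assumption added here.

```sh
#!/bin/sh
# Added example: the three checks from the post above as one function.
# All sample files below are constructed; on a live host pass the /etc paths.

# ftp_login_check USER PASSWD SHADOW FTPUSERS SHELLS
# Prints "ok", or a space-separated list of the checks that failed.
ftp_login_check() {
    user=$1; passwd=$2; shadow=$3; ftpusers=$4; shells=$5
    problems=""
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
    if [ -z "$entry" ]; then echo "no-such-user"; return 0; fi
    hash=$(printf '%s\n' "$entry" | cut -d: -f2)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ -n "$shell" ] || shell=/bin/sh      # empty shell field means /bin/sh
    # "x" in the passwd field means the hash is kept in the shadow file
    if [ "$hash" = "x" ]; then
        hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow")
    fi
    # Empty field = no password; "!" or "*" prefix = locked (assumption added here)
    case $hash in
        ""|'!'*|'*'*) problems="$problems no-usable-password" ;;
    esac
    # ftpusers is a deny list, one account name per line
    if grep -qxF -- "$user" "$ftpusers"; then
        problems="$problems listed-in-ftpusers"
    fi
    if ! grep -qxF -- "$shell" "$shells"; then
        problems="$problems shell-not-in-shells"
    fi
    if [ -z "$problems" ]; then echo "ok"; else echo "${problems# }"; fi
}

# Constructed sample files (hash strings are placeholders, not real hashes)
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
alice:x:501:501::/home/alice:/bin/bash
bob:x:502:502::/home/bob:/bin/false
carol:x:503:503::/home/carol:/bin/bash
dave:x:504:504::/home/dave:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
alice:$1$constrct$PLACEHOLDERHASHVALUE00:10915:0:99999:7:::
bob:$1$constrct$PLACEHOLDERHASHVALUE01:10915:0:99999:7:::
carol::10915:0:99999:7:::
dave:$1$constrct$PLACEHOLDERHASHVALUE02:10915:0:99999:7:::
EOF
printf 'root\ndave\n' > "$SAMPLE_DIR/ftpusers"
printf '/bin/sh\n/bin/bash\n' > "$SAMPLE_DIR/shells"

for u in alice bob carol dave; do
    printf '%-6s %s\n' "$u" "$(ftp_login_check "$u" "$SAMPLE_DIR/passwd" \
        "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/ftpusers" "$SAMPLE_DIR/shells")"
done
```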



Re: [expert] how do I allow users to ftp in

1999-11-17 Thread Herman Van Keer (softouch)

Timothy Litwiller wrote:

> does the anonftp  allow for more than anonymous ftp?  I have been trying
> to allow a user ftp access to a web directory and haven't been
> successful.

I thought 'normal users' are by default allowed to ftp to their home
directory.
What is the problem:
Are they not able to login with their normal username or password?
Or can't they access the particular directory?

There is a file /etc/ftpusers - regulating the access for ftp - Have a look
at that too.

TTYL
Herman



Re: [expert] how do I allow users to ftp in

1999-01-16 Thread Stephen Carville

On Thu, 18 Nov 1999, you wrote:
-Stephen Carville wrote:
-
-> The MD5 hash is a much stronger method at least in the sense it is
-> more resistant to dictionary attacks.  In some recent tests I did
-> using a PII-450 running Mandrake 6.0 and john the ripper, the MD5 hash
-> took about 10 times as long to yield as DES
-
-Can you give some information (or pointers to sites) for this one?

http://www.openwall.com/john/

-As far as I understand, you are 'breaking in into your own system' to check 'how
-strong it is'??

The story is a little involved so pull up a chair and relax.

A few months back, some PHB's collectively known as the
"Authentication Committee" got the bright idea to have a single
username and password for all users.  Being mostly clueless and/or
winbigots, their idea was to use NT authentication as the basis for
all authentication in the company.

My boss came and asked me what I thought about the idea.  I told him
they were nuts but it didn't affect me much since I am just a lowly
network administrator and my job is routers, switches, DNS, DHCP, and
a bit of perimeter security.  Internal access is not on my job list
and I don't buck the fools in power, I just change jobs when they get
too insufferable.  However, when the boss told me Committee wanted to
let users pick their own dialup and VPN passwords he got my
attention. We were issuing randomly generated passwords and
authenticating off our own radius server precisely because I don't
trust the average user to pick good passwords.

The boss asked how I could prove that our users pick really weak
passwords.  Easy, I use this nifty new tool I discovered called John
the Ripper.

So -- with the boss's permission -- I snarfed the NIS password file
(ypcat passwd >passwd.txt).  Then I leveraged my non-privileged
account (but physical access) to get me into one of the NT BDC's. 
There I used pwdump to grab the entire worldwide NT password database
(only one domain!)

I proceeded to check the UNIX file for obvious passwords and then
against a fairly large dictionary.  Not too many hours later I had
about 65% of all the UNIX passwords. One really scary thing was that
over 400 employees had never changed their password from what they
were first issued!

Next I tried the same attack against the NT database.  The first
thing I noticed was that NT passwords dropped out much faster.  By a
factor of about a thousand.  Now I know why it was so easy but at the
time I could scarcely believe my eyes.  Out of curiosity I let the
program run in incremental mode (try every possible combination)  and
27 days 16 hours and some minutes later I had every NT password in the
company.

Then I tried it against the MD5 passwords on my Linux  the
dictionary search was 1/10 as fast as cracking the DES passwords. 
Made a believer out of me.

From my tests I estimate that incremental mode on DES passwords
would take about 2000 years to complete on my workstation.  On MD5 I
estimate about 25,000 years.  (of course if I had big Beowulf cluster
I could do it a lot faster :-)

Eventually, handing out a list of the passwords for every person on
the Authentication Committee convinced them they weren't as clever as
they thought they were and they let us continue to issue random
passwords.

All of the above was completely aboveboard.  I did not hide what I
was doing and I kept my boss informed of everything I did.  This was
to prove a point about users and security not break into my employers
systems. It was also a lot of fun...

-Any other methods to check the server.
-I have my (private) server online (+/- online all the time - through dialin
-:-(   ), and want to check the security of it.
-(There is an internal network behind it)
-
-I know nmap scans the ports.

http://www.linuxgazette.com/issue47/lukas.html
http://www.replay.com/redhat/locked.html

Get ssh
ftp://ftp.zedz.net/pub/crypto/redhat/SRPMS/

--
Stephen Carville

A well educated citizenry, being essential to the maintenance of a free
society, the right of the people, to keep and read books shall not be 
infringed.



Re: [expert] how do I allow users to ftp in

1999-01-16 Thread Steve Philp

Derek Simkowiak wrote:
> 
> > Even IF you turn on MD5, you can still have legacy passwords in
> > /etc/passwd.  There's also a conversion utility to convert a legacy
> > passwd file to shadowed.
> 
> Can you tell me where to find this utility?  What is it called?

I believe it's called pwconv.  There should also be one called grpconv. 
Check the shadow-utils package for details.

-- 
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]
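
Added example, not part of the original post: an audit for the situation discussed in this thread, where legacy hashes remain in /etc/passwd after MD5 and shadow support are enabled. It reports, per account, where the hash is stored and which scheme it uses. Function names, sample accounts and hash strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit where each account's hash lives and which scheme it uses.
# Sample files are constructed; the hash strings are placeholders.

# classify_hash FIELD -> empty | shadowed | locked | md5 | des | other
classify_hash() {
    case $1 in
        "")        echo empty ;;
        x)         echo shadowed ;;      # pointer to the shadow file
        '!'*|'*'*) echo locked ;;
        '$1$'*)    echo md5 ;;           # MD5-based crypt carries a $1$ prefix
        '$'*)      echo other ;;
        *)         # traditional DES crypt: 2-char salt + 11 chars = 13
                   if [ ${#1} -eq 13 ]; then echo des; else echo other; fi ;;
    esac
}

# audit_passwd PASSWD SHADOW -> one "user location scheme" line per account
audit_passwd() {
    while IFS=: read -r user hash rest; do
        where=passwd
        if [ "$hash" = "x" ]; then
            where=shadow
            hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$2")
        fi
        echo "$user $where $(classify_hash "$hash")"
    done < "$1"
}

# needs_pwconv PASSWD SHADOW -> accounts whose hash is still readable in passwd
needs_pwconv() {
    audit_passwd "$1" "$2" |
        awk '$2 == "passwd" && ($3 == "des" || $3 == "md5") { print $1 }'
}

# Constructed sample: one legacy account copied in, two shadowed accounts
AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT
cat > "$AUDIT_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
olduser:abCONSTRUCTED:501:501::/home/olduser:/bin/bash
newuser:x:502:502::/home/newuser:/bin/bash
ftp:*:14:50:FTP User:/home/ftp:
EOF
cat > "$AUDIT_DIR/shadow" <<'EOF'
root:$1$constrct$PLACEHOLDERHASHVALUE00:10915:0:99999:7:::
newuser:xyCONSTRUCTED:10915:0:99999:7:::
EOF

audit_passwd "$AUDIT_DIR/passwd" "$AUDIT_DIR/shadow"
echo "still in passwd: $(needs_pwconv "$AUDIT_DIR/passwd" "$AUDIT_DIR/shadow")"
```

Moving a hash into the shadow file does not change its scheme: an account reported as "shadow des" keeps its DES hash until the password is set again with MD5 enabled.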



Re: [expert] how do I allow users to ftp in

1999-01-16 Thread Axalon Bloodstone



On Thu, 18 Nov 1999, Derek Simkowiak wrote:

> > Even IF you turn on MD5, you can still have legacy passwords in
> > /etc/passwd.  There's also a conversion utility to convert a legacy
> > passwd file to shadowed.
> 
>   Can you tell me where to find this utility?  What is it called?

pwconv ? is what you seek
 
> Thank You,
> Derek Simkowiak
> [EMAIL PROTECTED]
> 
> 



Re: [expert] how do I allow users to ftp in

1999-01-16 Thread Derek Simkowiak

> Even IF you turn on MD5, you can still have legacy passwords in
> /etc/passwd.  There's also a conversion utility to convert a legacy
> passwd file to shadowed.

Can you tell me where to find this utility?  What is it called?

Thank You,
Derek Simkowiak
[EMAIL PROTECTED]




Re: [expert] how do I allow users to ftp in

1999-01-16 Thread Herman Van Keer (softouch)

Stephen Carville wrote:

> The MD5 hash is a much stronger method at least in the sense it is
> more resistant to dictionary attacks.  In some recent tests I did
> using a PII-450 running Mandrake 6.0 and john the ripper, the MD5 hash
> took about 10 times as long to yield as DES

Can you give some information (or pointers to sites) for this one?
As far as I understand, you are 'breaking in into your own system' to check 'how
strong it is'??
Any other methods to check the server.
I have my (private) server online (+/- online all the time - through dialin
:-(   ), and want to check the security of it.
(There is an internal network behind it)

I know nmap scans the ports.

Thanks,
Herman

>

>
>
> --
> Stephen Carville
> 
> A well educated citizenry, being essential to the maintenance of a free
> society, the right of the people, to keep and read books shall not be
> infringed.



Re: [expert] how do I allow users to ftp in

1999-01-16 Thread Eric Dexter

At 11:11 AM 11/18/1999 +0100, you wrote:
>:~>> It should be fixed of course but why would anyone want to not use MD5
>:~>> and shadow passwords?
>:~>
>:~>If you have a passwd file maintenance system with dozens (or
>:~>hundreds) of users, you may not want to force everybody to re-create their
>:~>passwords when you can just copy the old passwd file.
>
>What is a problem with copying the passwd+shadow? By the way, could
>someone explain me what are the MD5 passwords?  

MD5 is simply an encryption algorithm. Keeps you from having PLAIN TEXT
passwords in your /etc/passwd and /etc/shadow files.  AFAIK, it's just a
second layer of security.




-BEGIN GEEK CODE BLOCK-
Version: 3.12 - Decode at http://www.ebb.org/ungeek/
GCS/O d(-) s-: a- C+++ UL$ P+ L+++ E--- W++ N+++ o+ K- w
O- M-- V- PS+ PE Y+ PGP++ t- 5 X+ R- tv b- DI++ D++
G+ e h--- r+++ y+++
--END GEEK CODE BLOCK--



Re: [expert] how do I allow users to ftp in

1999-01-16 Thread Singer XJ Wang



On Thu, 18 Nov 1999, Denis Havlik wrote:

> :~>> It should be fixed of course but why would anyone want to not use MD5
> :~>> and shadow passwords?
> :~>
> :~>   If you have a passwd file maintenance system with dozens (or
> :~>hundreds) of users, you may not want to force everybody to re-create their
> :~>passwords when you can just copy the old passwd file.
> 
> What is a problem with copying the passwd+shadow? By the way, could
> someone explain me what are the MD5 passwords?  
> 

MD5 is a different crypto system. The original password system invented by
the humble Thompson/Ritchie encodes 00 25 times with DES. It
uses your password as the DES key and then adds one of 4096 Random Salts.
However, DES is rather err, outdated. It was secure in the 60's and 70's
but now easily cracked. MD5 is a different crypto and it has a key length
of 128bits. [DES has 64bit keys]




Re: [expert] how do I allow users to ftp in

1999-01-16 Thread Singer XJ Wang



On Wed, 17 Nov 1999, Derek Simkowiak wrote:

> > -   Further testing is necessary to identify the exact cause of this
> > -bug.
> > 
> > It should be fixed of course but why would anyone want to not use MD5
> > and shadow passwords?
> 
>   If you have a passwd file maintenance system with dozens (or
> hundreds) of users, you may not want to force everybody to re-create their
> passwords when you can just copy the old passwd file.
> 
> --Derek
> 
> 
isn't it then that NIS passwords NIS into use?

Singer




Re: [expert] how do I allow users to ftp in

1999-01-16 Thread Stephen Carville

On Thu, 18 Nov 1999, you wrote:
-:~>> It should be fixed of course but why would anyone want to not use MD5
-:~>> and shadow passwords?
-:~>
-:~>If you have a passwd file maintenance system with dozens (or
-:~>hundreds) of users, you may not want to force everybody to re-create their
-:~>passwords when you can just copy the old passwd file.
-
-What is a problem with copying the passwd+shadow? By the way, could
-someone explain me what are the MD5 passwords?  

MD5 is a method for creating a cryptographic hash of an input value.
"Normal" UNIX passwords are encrypted using DES and a randomly
generated 2 byte salt value.  See man crypt for a brief discussion of
the process.

The MD5 hash is a much stronger method at least in the sense it is
more resistant to dictionary attacks.  In some recent tests I did
using a PII-450 running Mandrake 6.0 and john the ripper, the MD5 hash
took about 10 times as long to yield as DES.

--
Stephen Carville

A well educated citizenry, being essential to the maintenance of a free
society, the right of the people, to keep and read books shall not be 
infringed.



Re: [expert] how do I allow users to ftp in

1999-01-16 Thread Steve Philp

Derek Simkowiak wrote:
> 
> > - Further testing is necessary to identify the exact cause of this
> > -bug.
> >
> > It should be fixed of course but why would anyone want to not use MD5
> > and shadow passwords?
> 
> If you have a passwd file maintenance system with dozens (or
> hundreds) of users, you may not want to force everybody to re-create their
> passwords when you can just copy the old passwd file.

Even IF you turn on MD5, you can still have legacy passwords in
/etc/passwd.  There's also a conversion utility to convert a legacy
passwd file to shadowed.

-- 
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]



Re: [expert] how do I allow users to ftp in

1999-01-16 Thread Denis Havlik

:~>> It should be fixed of course but why would anyone want to not use MD5
:~>> and shadow passwords?
:~>
:~> If you have a passwd file maintenance system with dozens (or
:~>hundreds) of users, you may not want to force everybody to re-create their
:~>passwords when you can just copy the old passwd file.

What is a problem with copying the passwd+shadow? By the way, could
someone explain me what are the MD5 passwords?  

D.

-
Mag. Denis Havlik  
University of Vienna||| e-mail: [EMAIL PROTECTED]
Austria(@ @)   tel: (++431) 4277/51179 
---oOO--(_)--OOo-