> > Now the problem: I have only a cross-over cable from the router to
> > the firewall, so I cannot connect the backup firewall. Using
> > a switch is pointless: the switch may die too.
Switches are relatively easy to set up in failover configuration ( most
cisco gear supports it ) (well, the pro
On Tue, Nov 02, 2004 at 10:14:37AM -0200, Henrique de Moraes Holschuh wrote:
> (and if you are as paranoid as you
> should, you're using an agent that ASKS before doing any work).
Do you have such a thing? I would absolutely love an ssh agent that
only asks for pass-phrases as needed, times them
On Tue, Nov 02, 2004 at 08:55:24PM +0100, Raffaele D'Elia wrote:
(...)
I fail to see how this is a Debian-specific security issue, but I'll bite.
> Now the problem: I have only a cross-over cable from the router to the
> firewall, so I cannot connect the backup firewall.
> Using a switch is poi
also sprach Raffaele D'Elia <[EMAIL PROTECTED]> [2004.11.02.2055 +0100]:
> Now the problem: I have only a cross-over cable from the router to
> the firewall, so I cannot connect the backup firewall. Using
> a switch is pointless: the switch may die too.
The router may die.
Setting up a failover c
Hi all,
I have a firewall with 3 NICs (LAN,DMZ,ROUTER); this is a single point of
failure, of course! I've decided to build a backup firewall, with similar
hardware (just in case) and the same config.
Now the problem: I have only a cross-over cable from the router to the
firewall, so I cannot conn
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2004.11.02.1314 +0100]:
> It should not be possible to retrieve key material from the agent,
> ever. And the whole setup should not be vulnerable to replay
> attacks when using protocol 2 either.
>
> Are you *completely* sure of what you
also sprach Dariush Pietrzak <[EMAIL PROTECTED]> [2004.11.02.1053 +0100]:
> hmm, but in /tmp/ssh* there's just a socket... so when agent is gone, what
> good is that file?
Fine, so the other hosts are only accessible while you are logged
in. Should be enough to hijack them...
--
Please do not s
Regards,
Robert Vangel <[EMAIL PROTECTED]> - Tue, Nov 02, 2004:
> Can people please be more careful when creating new messages, not to hit
> reply to a message then removing everything & starting again.
Because it breaks the natural flow of conversation.
Why is top-posting so bad?
--
Loïc
On Tue, 02 Nov 2004, martin f krafft wrote:
> If you forward your agent (-A, or ForwardAgent yes), then the
> attacker now probably has access to all machines where the SSH key
> you used has access.
This goes against what I know about the agent. The attacker could *try* to
access the agent when i
- Original Message -
From: "Marcus Williams" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 02, 2004 1:05 PM
Subject: Re: Recommended firewall package?
>
>
> On 01/11/2004, Daniel Pittman wrote:
> > My recommendation is the 'firehol' package, found in testing/unstab
On 01/11/2004, Daniel Pittman wrote:
> My recommendation is the 'firehol' package, found in testing/unstable,
> and trivial to backport[1] to stable.
I'd second this - firehol is fantastic. Someone recommended it a while
ago in a lug mail list I was on and I thought I'd give it a once over.
Never
Can people please be more careful when creating new messages, not to hit
reply to a message then removing everything & starting again.
This does play up with clients that follow standards and do threading
through headers passed on by other compliant clients, rather than just
threading as-per subjec
-Original Message-
From: Vincent Tantardini <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Tue, 2 Nov 2004 08:03:43 +0100
Subject: ssh chroot on debian documentation
> Hello,
> I just wrote a little documentation about how I created a chrooted
> environment
> for ssh, you can find the d
> Nope. It is true. Copy the appropriate /tmp/ssh* directory, chown
> it, set SSH_AUTH_SOCKET appropriately, and ssh away.
hmm, but in /tmp/ssh* there's just a socket... so when agent is gone, what
good is that file?
--
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4
also sprach Dariush Pietrzak <[EMAIL PROTECTED]> [2004.11.02.0947 +0100]:
> > If you forward your agent (-A, or ForwardAgent yes), then the
> > attacker now probably has access to all machines where the SSH key
> > you used has access.
> Is this indeed true? I was under an impression that ForwardAg
> Meanwhile, the only thing I have is looking at some offline backups and
> working remotely in the (compromised) environment. Right now I'm looking at
> the lsof output there, a curious entry from Apache shown by lsof:
>
> apache 3170 root memDEL0,5 0 /SYSV00
> If you forward your agent (-A, or ForwardAgent yes), then the
> attacker now probably has access to all machines where the SSH key
> you used has access.
Is this indeed true? I was under an impression that ForwardAgent works more
in challenge-response fashion?
And as far as X-forwarding goes -
> You could force the SSH client to *not* forward X11 with -x
> (the low-caps x char) regardless other client/server-side
> specifications. If you do not specify any other special
> forwarding (-L or -R) then there will be no forwarding.
Good, that was what I was hoping for. (Obviously, my
defaul
Greetings!
On Tue, 2 Nov 2004 08:59:07 +0200 (IST) Vassilii Khachaturov
<[EMAIL PROTECTED]> wrote:
> I have been doing ssh into the box. The client is set up not to
> request the X forwarding by the default. When I try "ssh -v" now, I
> observe no X forwarding being established, whereas "ssh -X -v
also sprach Vassilii Khachaturov <[EMAIL PROTECTED]> [2004.11.02.0759 +0100]:
> I have been doing ssh into the box. The client is set up not to
> request the X forwarding by the default. When I try "ssh -v" now,
> I observe no X forwarding being established, whereas "ssh -X -v"
> does establish X.