SuSE security reputation, etc..

Len Rose

2 Aug 2000 2 Aug '00

17:07

It would be really great if SuSE could gain a reputation as being the most secure Linux implementation that exists today. Something like OpenBSD's reputation would be excellent, and from what I've seen SuSE could achieve this if they tried. I saw this on the mysql mailing list, and I'm sure others will see it there first, but just in case: http://www.abcnews.go.com/sections/tech/FredMoody/moody.html It really sucks that SuSE wasn't even mentioned. Len

Show replies by date

Martin Leweling

2 Aug 2 Aug

18:19

New subject: [suse-security] SuSE security reputation, etc..

Hello, On Wed, 02 Aug 2000, Len Rose wrote:

...

It would be really great if SuSE could gain a reputation as being the most secure Linux implementation that exists today. Something like OpenBSD's reputation would be excellent, and from what I've seen SuSE could achieve this if they tried.

I saw this on the mysql mailing list, and I'm sure others will see it there first, but just in case:

http://www.abcnews.go.com/sections/tech/FredMoody/moody.html

It really sucks that SuSE wasn't even mentioned.

Len

The bugtraq vulnerability report can be found on http://www.securityfocus.com/vdb/stats.html Please read the above report, and come to the following conclusions: 1. The abcnews article you mentioned really is a stupid rant which is absolutely not worth discussing. Packed with lies, with some numbers completely made up, and counting linux vulnerabilities multiple times to make Linux look bad compared to Microsoft. Besides, the author is a well-known, if not infamous, Microsoft addict. I really hope this article does not spawn a thread in this mailing list ... 2. SuSE does fairly well when compared to the other two distros which are mentioned in the report (Debian and Red Hat), even if you consider that SuSE is shipping a lot more packages (and, besides, is also shipping a lot more than OpenBSD). That said, I like your suggestion of making SuSE the most secure Linux distro, so let's go on discussing real security issues ... ;-) Regards, Martin -- Martin Leweling Institut fuer Planetologie, WWU Muenster Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany E-Mail (work): lewelin@uni-muenster.de

ksemat＠wawa.eahd.or.ug

19:12

New subject: [suse-security] SuSE security reputation, etc..

...

That said, I like your suggestion of making SuSE the most secure Linux distro, so let's go on discussing real security issues ... ;-) That said and done I have a problem. Someone broke into my system and acquired root rights. I heard him say that it was a problem with the suse shell. Any ideas? At the time I was still running 6.1 though now I run 6.4. A check in his home directory shows only crack and I know that my root password does not fit the criteria looked at by crack since it contains a mixture of numbers letters and ascii characters. more over it is not based on any word at all and therefore makes no sense. I would also love to know how I can find any trojan horses he may have installed since I know that he had a number of root kits and such.

Regards, Martin -- Martin Leweling Institut fuer Planetologie, WWU Muenster Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany E-Mail (work): lewelin@uni-muenster.de

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Noah ksemat@eahd.or.ug

Roman Drahtmueller

3 Aug 3 Aug

09:32

New subject: [suse-security] SuSE security reputation, etc..

[...]

...

...
That said, I like your suggestion of making SuSE the most secure Linux distro, so let's go on discussing real security issues ... ;-) That said and done I have a problem. Someone broke into my system and acquired root rights. I heard him say that it was a problem with the suse shell. Any ideas? At the time I was still running 6.1 though now I run 6.4. A check in his home directory shows only crack and I know that my root password does not fit the criteria looked at by crack since it contains a mixture of numbers letters and ascii characters. more over it is not based on any word at all and therefore makes no sense. I would also love to know how I can find any trojan horses he may have installed since I know that he had a number of root kits and such. [...] Noah ksemat@eahd.or.ug

Difficult to tell... more information is necessary to even guess what was going on. Vendors provide newer versions of their software (regardless if GNU/Linux or commercial) because bugs get fixed (and reincorporated, yes...) and features get added. A vanilla 6.1 without any updates is open to several vulnerabilities. If connected to a network, your host needs attention every now and then. Thanks, Roman. -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

Frank Hart

2 Aug 2 Aug

18:31

New subject: [suse-security] SuSE security reputation, etc..

Len Rose wrote:

...

http://www.abcnews.go.com/sections/tech/FredMoody/moody.html It really sucks that SuSE wasn't even mentioned.

What really sucked was that this article is a total piece of crap. Based on the number of vulnerability's mr. Moody qualified a total OS. Also he adds the vulnerabilities of every linux distro but that is nonsence, cause there's a big chance a vulnerablility found in eg RedHat also affects SuSE. -- SuSE Linux 6.4 -o) | Like the ski resort of girls looking for Kernel 2.2.16 /\ | husbands and husbands looking for girls, the on a i686 _\_v | situation is not as symmetrical as it might mailto:frhart@home.nl | seem. -- Alan McKay

ksemat＠wawa.eahd.or.ug

18:49

New subject: [suse-security] SuSE security reputation, etc..

This article is really biased a careful read through it and one will definitely notice that he has a definite bias towards microsoft products. I think one should remind him that on top of the usual security fixes one should count the regular viruses all microsoft users have to guard against. Plus the fact that at least to do he exploits in linux one has to be good and know exactly what you're doing unlike windows where any knowledge free person can use the discovered exploits. On Wed, 2 Aug 2000, Frank Hart wrote:

...

Date: Wed, 02 Aug 2000 20:31:50 +0200 From: Frank Hart Cc: suse-security@suse.com Subject: Re: [suse-security] SuSE security reputation, etc..

Len Rose wrote:

...
http://www.abcnews.go.com/sections/tech/FredMoody/moody.html It really sucks that SuSE wasn't even mentioned.

What really sucked was that this article is a total piece of crap. Based on the number of vulnerability's mr. Moody qualified a total OS. Also he adds the vulnerabilities of every linux distro but that is nonsence, cause there's a big chance a vulnerablility found in eg RedHat also affects SuSE.

-- SuSE Linux 6.4 -o) | Like the ski resort of girls looking for Kernel 2.2.16 /\ | husbands and husbands looking for girls, the on a i686 _\_v | situation is not as symmetrical as it might mailto:frhart@home.nl | seem. -- Alan McKay

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Noah ksemat@eahd.or.ug

Thilo Bangert

21:45

New subject: [suse-security] SuSE security reputation, etc..

First of all it seems, that moody is a little visually impaired. (This has been said) Second, one needs to mention all the bugs Microsoft fixes without the public being aware of such. Just today there has been a post on bugtraq proclaiming a w*n2k bug. It took microsoft *4* minutes to post a message, saying that a patch for excactly this vulnerability was available. Looks like they announce things as they get public. Besides I don't want to know how many bugs win2ksp1 fixes (its 87 megs big!) greetz thilo

Kurt Seifried

21:45

New subject: [suse-security] SuSE security reputation, etc..

In response to that abc article on linux security Might note I just did a similar article, and I specifically made it a point that you CANNOT use the bugtraq "stats" as a reliable way of gauging vendor security performance. Kurt Seifried SecurityPortal, your focal point for security on the net http://www.securityportal.com/

Gerhard Sittig

3 Aug 3 Aug

18:42

New subject: [suse-security] SuSE security reputation, etc..

On Wed, Aug 02, 2000 at 23:45 +0200, Thilo Bangert wrote:

...

Second, one needs to mention all the bugs Microsoft fixes without the public being aware of such. Just today there has been a post on bugtraq proclaiming a w*n2k bug. It took microsoft *4* minutes to post a message, saying that a patch for excactly this vulnerability was available.

Not that I'm sure how this one went, but it's usual (I hope so) and good habit to talk to an author before blaming him in public when finding security related bugs. So the problem report *and* a work around or real fix update come together with still due credit to whoever had which part in this. Everything else will leave the _users_ behind with a vulnerable system and no cure, while kiddies and other idiots know where to go to and burgle in. It's about thinking before taking wild action. :)

...

Besides I don't want to know how many bugs win2ksp1 fixes (its 87 megs big!)

This could be mostly due to the delivery being done in binary form. The source diff might be tiny, but when it's in the base and almost every executable is involved, ... Not that I'm a Windows fan (the ones knowing me know better:), but there might be valid reasons. virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you.

Eduardo Carriles

9 Aug 9 Aug

13:08

New subject: [suse-security] SuSE security reputation, etc.. [Thread STATS]

Hi Friends, [FYI] I did just to inform you, and as a small exercise, some manual processing on posts to this _thread_ and those where the [STATS] found as of today.

...

...
Now i understand Zack Brown from "Kernel Traffic" (kt@linuxcare.com)<< Great job Zack!!

[STATS] (Counts only): ___________________________________________________ Thread name = ** [suse-security] SuSE security reputation, etc.. Thread broken 2 times by: OKDesign oHG Security Webmaster security@okdesign.de (Followers obey) as new names = ** AW: [suse-security] SuSE security reputation, etc.. ** AW: AW: [suse-security] SuSE security reputation, etc.. ___________________________________________________ On Wed, 2 Aug 2000 13:07:34 -0400 - Thread started by: Len Rose On Mon, 7 Aug 2000 18:10:02 -0400 Thread closed by: dproc@dol.net On Wed, 9 Aug 2000 15:05:00 +0200 Thread [STATS]. ___________________________________________________ [COUNTERS] Posts - Name / eMail ___________________________________________________ 5 - ksemat@wawa.eahd.or.ug 5 - Roman Drahtmueller 4 - Kurt Seifried 4 - rhoerbe@netpromote.co.at 3 - dproc@dol.net 2 - David T-G 2 - Eduardo Carriles 2 - Gerhard Sittig 2 - Lenz Grimmer 2 - OKDesign oHG Security Webmaster 1 - Artemios G. Voyiatzis 1 - Avi Schwartz 1 - Benjamin Janson 1 - devel@master.kparker.org 1 - Frank Hart 1 - Gerd Bitzer 1 - Herman Knief 1 - Len Rose 1 - Markus Gaugusch 1 - Martin Leweling 1 - nix@cotse.com 1 - Petri Sirkkala 1 - Simon 1 - Simone Grabstein 1 - Thilo Bangert 1 - Thomas Forbriger 1 - Volker Kuhlmann ___________________________________________________ 48 Total Posts ___________ Enjoy!! =`8) -- Best regards, Eduardo Carriles [-- Better a smile than a flame --] (Long time SuSE-Linux [preferred distro] user). [-- Se me nota mucho? -- Notices me much?] [-- Have a lot of fun...]

Roman Drahtmueller

14:08

New subject: RFC: - moderation -

...

From: Eduardo Carriles To: SuSE Security Mail List Date: Wed, 09 Aug 2000 15:08:48 +0200 Subject: Re: [suse-security] SuSE security reputation, etc.. [Thread STATS] Reply-To: sofronia@teleline.es

Hi Friends,

[FYI] I did just to inform you, and as a small exercise, some manual processing on posts to this _thread_ and those where the [STATS] found as of today.

Hi Eduardo, We certainly appreciate your eagerness wrt to the statistics you posted, as it is quite interesting to look at. However, this is a rather administrative subject, and it doesn't belong here, as much as questions about SuSE's support for packages where the license has changed or things that are actually subject to reading an FAQ. Subscribers might have noticed the increasing amount of non-security related material in the list, as well as increasing volume every day or the other. This brings up the question if the list should go moderated or not. Taking the risk that the follow-ups will cause a considerable amount of noise on the list, this question needs an answer. I'd like to hear your thoughts about the idea as well as the list policy. It is designed to be very open and targets the list to become more valuable as an information source and discussion platform, with a small noise ratio and an acceptable volume. Please feel free to answer personally to me if you don't wish your name to be published with your opinion. --------------------------------------- * Spam gets blackholed. * Postings that are not related to security will not pass. Exception: Sometimes threads evolve and provide valuable information around an issue that is not closely related to security. * Postings with commercial nature such as announcements of new versions of commercial software in the security field will pass but will be marked as such with an addition in the Subject: line in the header. * Postings with critical content, regardless of the critizism's target, be it SuSE, another Linux vendor or even hardware manufacturers, _will_ be posted. It is needless to say that the claim of being independent requires this allegation. * As usual, postings will _not_ be modified, authors are responsible for the content. If you post something, be aware that something that has been written and published can't be redrawn easily. Polite style almost always provides the basis for productive critizism, harsh accusations make people angry. *** * I want to point out that moderation does _not_ equal to censorship! In some (hopefully) rare (f.ex. when a thread becomes too far off-topic or a flamewar blazes) cases it might be neccessary to kill a thread, or to collect the last responses for a thread and post them in a single mail. *** * Meta-postings (concerning the list) will always be answered but might not pass. If the posting addresses the list policy, it _must_ pass. Postings would be chained into the list in the same sequence as they arrive. Roman. -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

Yuri Robbers

14:43

New subject: one-time passwords

Hi, I want to implement one-time passwords for newly created or updated accounts, so that, when I, as sys-admin, set a password on a user account, the user has to change it immediately upon logging in for teh first time, after which the newly chosen password obeys teh regular aging rules as set up in YaST. Could someone tell me how to do this, or point me to some relevant info? Thanks a lot! Yuri. -------------------------------------------------------------------------- drs. Yuri Robbers phone : +31-71-527-4966 Leiden University fax : +31-71-527-4900 Institute for Theoretical Biology email : robbers@rulsfb.leidenuniv.nl Kaiserstraat 63 2311 GP Leiden PGP 5.0 public key available: the Netherlands Check your favourite hkp server. --------------------------------------------------------------------------

OKDesign oHG Security Webmaster

17:03

New subject: AW: [suse-security] one-time passwords

Sorry, butthis is a typical case to answer with RTFM ! :-)) man usermod is your friend ! --- -------------------------------------------- Stephan M. Ott // OKDesign oHG Internet-Providing und Netzwerkmanagement smo@okdesign.de ..... http://www.okdesign.de fon. +49 961 3814139 .. fax. +49 961 3814140 mobil 0171-8351130 ... oder ... 0171-7858064 --------------------------------------------

...

-----Ursprungliche Nachricht----- Von: Yuri Robbers [mailto:yuri@rulbii.leidenuniv.nl] Gesendet: Mittwoch, 9. August 2000 16:44 An: suse-security@suse.de Betreff: [suse-security] one-time passwords

Hi,

I want to implement one-time passwords for newly created or updated accounts, so that, when I, as sys-admin, set a password on a user account, the user has to change it immediately upon logging in for teh first time, after which the newly chosen password obeys teh regular aging rules as set up in YaST. Could someone tell me how to do this, or point me to some relevant info?

Thanks a lot!

Yuri.

-------------------------------------------------------------------------- drs. Yuri Robbers phone : +31-71-527-4966 Leiden University fax : +31-71-527-4900 Institute for Theoretical Biology email : robbers@rulsfb.leidenuniv.nl Kaiserstraat 63 2311 GP Leiden PGP 5.0 public key available: the Netherlands Check your favourite hkp server. --------------------------------------------------------------------------

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Yuri Robbers

19:05

New subject: AW: [suse-security] one-time passwords

Hi, On Wed, 9 Aug 2000, OKDesign oHG Security Webmaster wrote:

...

Sorry, butthis is a typical case to answer with RTFM ! :-))

man usermod is your friend !

Thanks for your reply. But as a matter of fact I have Read a whole bunch of FM's, including "man usermod". Unfortunately usermod does something completely different from what I want to implement: the only limit it can set on a password is an expiry date. What I need is a password that can be used only for the _first_ ever login of a user. After logging in the user would be presented with a query for a new password, which is henceforth used in the normal way (the expiries and stuff for this are already in place and working). I hope my question is clearer now :o) Kind regards, Yuri.

...

...
Hi,

I want to implement one-time passwords for newly created or updated accounts, so that, when I, as sys-admin, set a password on a user account, the user has to change it immediately upon logging in for teh first time, after which the newly chosen password obeys teh regular aging rules as set up in YaST. Could someone tell me how to do this, or point me to some relevant info?

Thanks a lot!

Yuri.

-------------------------------------------------------------------------- drs. Yuri Robbers phone : +31-71-527-4966 Leiden University fax : +31-71-527-4900 Institute for Theoretical Biology email : robbers@rulsfb.leidenuniv.nl Kaiserstraat 63 2311 GP Leiden PGP 5.0 public key available: the Netherlands Check your favourite hkp server. --------------------------------------------------------------------------

OKDesign oHG Security Webmaster

19:30

New subject: AW: AW: [suse-security] one-time passwords

...

Thanks for your reply. But as a matter of fact I have Read a whole bunch of FM's, including "man usermod".

Unfortunately usermod does something completely different from what I want to implement: the only limit it can set on a password is an expiry date.

What I need is a password that can be used only for the _first_ ever login of a user. After logging in the user would be presented with a query for a new password, which is henceforth used in the normal way (the expiries and stuff for this are already in place and working).

I hope my question is clearer now :o)

Hi, okay, it seems as if I misunderstood. Well, the only way to do this that comes to my mind is to define the shell of this user to automatically run a script when he logs in. This script should ask for a new password, install this, and then change the shell back to the normal shell, so this script isn't started again at the next login. Maybe there is a different way, maybe even easier, but this is how I would try the trick... Hope that helps... --- -------------------------------------------- Stephan M. Ott // OKDesign oHG Internet-Providing und Netzwerkmanagement smo@okdesign.de ..... http://www.okdesign.de fon. +49 961 3814139 .. fax. +49 961 3814140 mobil 0171-8351130 ... oder ... 0171-7858064 --------------------------------------------

Yuri Robbers

19:41

New subject: AW: AW: [suse-security] one-time passwords

Hi! On Wed, 9 Aug 2000, OKDesign oHG Security Webmaster wrote:

...

okay, it seems as if I misunderstood. Well, the only way to do this that comes to my mind is to define the shell of this user to automatically run a script when he logs in. This script should ask for a new password, install this, and then change the shell back to the normal shell, so this script isn't started again at the next login. Maybe there is a different way, maybe even easier, but this is how I would try the trick...

Hope that helps...

Thanks a lot. Even if there is a different and better way, this should do teh trick perfectly. I'll write such a script. Cheers! Yuri. -------------------------------------------------------------------------- drs. Yuri Robbers phone : +31-71-527-4966 Leiden University fax : +31-71-527-4900 Institute for Theoretical Biology email : robbers@rulsfb.leidenuniv.nl Kaiserstraat 63 2311 GP Leiden PGP 5.0 public key available: the Netherlands Check your favourite hkp server. --------------------------------------------------------------------------

Gerd Bitzer

10 Aug 10 Aug

06:19

New subject: AW: AW: [suse-security] one-time passwords

Hi, in HP/UX once several special characters were possible in the password field to enforce special behaviour. As far as I can remember "*" means disable the account, "?" means enforce the user to type in a new password when he logs in the next time. Maybe this is also possible with Linux. HtH Yuri Robbers wrote:

...

Hi!

On Wed, 9 Aug 2000, OKDesign oHG Security Webmaster wrote:

...
okay, it seems as if I misunderstood. Well, the only way to do this that comes to my mind is to define the shell of this user to automatically run a script when he logs in. This script should ask for a new password, install this, and then change the shell back to the normal shell, so this script isn't started again at the next login. Maybe there is a different way, maybe even easier, but this is how I would try the trick...

Hope that helps...

Thanks a lot. Even if there is a different and better way, this should do teh trick perfectly. I'll write such a script.

Cheers!

Yuri.

-------------------------------------------------------------------------- drs. Yuri Robbers phone : +31-71-527-4966 Leiden University fax : +31-71-527-4900 Institute for Theoretical Biology email : robbers@rulsfb.leidenuniv.nl Kaiserstraat 63 2311 GP Leiden PGP 5.0 public key available: the Netherlands Check your favourite hkp server. --------------------------------------------------------------------------

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

engelbert.gruber＠ssg.co.at

08:05

New subject: AW: AW: [suse-security] one-time passwords

would n´t man chage do ? -- --- Engelbert Gruber --- SSG Fintl,Gruber,Lassnig nic-hdl: EG2803-RIPE A6140 Telfs Untermarkt 9 Tel. ++43-5262-64727 ---

Andreas Kreuzinger

11 Aug 11 Aug

14:11

New subject: AW: AW: [suse-security] one-time passwords

Hi ! On Wed, 9 Aug 2000, Yuri Robbers wrote:

...

On Wed, 9 Aug 2000, OKDesign oHG Security Webmaster wrote: [ one-time passwords ] Thanks a lot. Even if there is a different and better way, this should do teh trick perfectly. I'll write such a script.

You can try logdaemon (written by Wietse Venema. If you know TCP-Wrapper, that's also his work.): Wietse's ftp area: ftp://ftp.porcupine.org/pub/security/index.html logdaemon README: ftp://ftp.porcupine.org/pub/security/logdaemon-5.8.README logdaemon: ftp://ftp.porcupine.org/pub/security/logdaemon-5.8.tar.gz BTW: Starting with version 4.0 FreeBSD includes this in his login program. It works fine. And it worked before 4.0, too. :) So it should make no trouble on other *nix platforms. There is a second one you can try: http://freshmeat.net/appindex/1999/07/29/933264854.html [...snip...] The S/KEY one-time password system provides authentication over networks that are subject to eavesdropping/replay attacks. This system has several advantages compared with other one-time or multi-use authentication systems. The user's secret password never crosses the network during login, or when executing other commands requiring authentication such as the UNIX passwd or su commands. No secret information is stored anywhere, including the host being protected, and the underlying algorithm may be (and it fact, is) public knowledge. The remote end of this system can run on any locally available computer. The host end could be integrated into any application requiring authentication. [...snip...] If you need more, try a search engine and type in logdaemon or "one time password" and you will get enough answer. ;) BTW: RFC 1760: The S/KEY One-Time Password System. N. Haller. February 1995. RFC 2289: A One-Time Password System. N. Haller, C. Metz, P. Nesser, M. Straw. February 1998. RFC 2444: The One-Time-Password SASL Mechanism. C. Newman. October 1998. If you need the RFCs, take a look at http://bambam.informatik.uni-oldenburg.de/RFC/main.html. mfg andy -- Informationen zum oesterreichischen Usenet http://www.usenet.at/ Verein fuer Internet-BEnutzer Oesterreichs (.AT) http://www.vibe.at/ I am from Austria - but I did not vote for Joerg Haider and the FPOE.

Jan.Trippler＠t-online.de

9 Aug 9 Aug

20:04

New subject: [suse-security] one-time passwords

On Mit, Aug 09, 2000 at 09:05:17 +0200, Yuri Robbers wrote:

...

What I need is a password that can be used only for the _first_ ever login of a user. After logging in the user would be presented with a query for a new password, which is henceforth used in the normal way (the expiries and stuff for this are already in place and working).

I hope my question is clearer now :o)

Yes, indeed :-) An idea (untested): Create the user with your one way password and change the third field in the /etc/shadow (days since Jan 1, 1970 that password was last changed) in a way, that the password is expired. Then the user is forced to change this password at his next login. I performed a little test: It works but you have to check the seventh field in /etc/shadow. The password must be expired but the account has to be valid. Jan I hope you understood my english ;-)

Yuri Robbers

20:17

New subject: [suse-security] one-time passwords

Hi! On Wed, 9 Aug 2000, Jan Trippler wrote:

...

On Mit, Aug 09, 2000 at 09:05:17 +0200, Yuri Robbers wrote:

...
What I need is a password that can be used only for the _first_ ever login of a user. After logging in the user would be presented with a query for a new password, which is henceforth used in the normal way (the expiries and stuff for this are already in place and working).

I hope my question is clearer now :o)

Yes, indeed :-)

An idea (untested): Create the user with your one way password and change the third field in the /etc/shadow (days since Jan 1, 1970 that password was last changed) in a way, that the password is expired. Then the user is forced to change this password at his next login.

I performed a little test: It works but you have to check the seventh field in /etc/shadow. The password must be expired but the account has to be valid.

Hmm... sounds good too.... I'll play around with it.

...

Jan

I hope you understood my english ;-)

no problem at all! Cheers! Yuri. -------------------------------------------------------------------------- drs. Yuri Robbers phone : +31-71-527-4966 Leiden University fax : +31-71-527-4900 Institute for Theoretical Biology email : robbers@rulsfb.leidenuniv.nl Kaiserstraat 63 2311 GP Leiden PGP 5.0 public key available: the Netherlands Check your favourite hkp server. --------------------------------------------------------------------------

OKDesign oHG Security Webmaster

17:13

New subject: AW: [suse-security] RFC: - moderation -

Hello, Roman about your idea with the moderated list: In some points I must agree to what you said, but IMHO we should try to keep this list open and not moderated. On the other side, if the postings about non-security-related topics and similar things keep on, I must also agree that moderation of the list is the only way to get these things away from the list. So, people, please try to focus on security-related topics when posting to this list and handle all other things in private email ! ... just my 2 cents ... --- -------------------------------------------- Stephan M. Ott // OKDesign oHG Internet-Providing und Netzwerkmanagement smo@okdesign.de ..... http://www.okdesign.de fon. +49 961 3814139 .. fax. +49 961 3814140 mobil 0171-8351130 ... oder ... 0171-7858064 --------------------------------------------

...

-----Ursprüngliche Nachricht----- Von: Roman Drahtmueller [mailto:draht@suse.de] Gesendet: Mittwoch, 9. August 2000 16:08 An: suse-security@suse.de Betreff: [suse-security] RFC: - moderation -

...
From: Eduardo Carriles To: SuSE Security Mail List Date: Wed, 09 Aug 2000 15:08:48 +0200 Subject: Re: [suse-security] SuSE security reputation, etc.. [Thread STATS] Reply-To: sofronia@teleline.es

Hi Friends,

[FYI] I did just to inform you, and as a small exercise, some manual processing on posts to this _thread_ and those where the [STATS] found as of today.

Hi Eduardo,

We certainly appreciate your eagerness wrt to the statistics you posted, as it is quite interesting to look at.

However, this is a rather administrative subject, and it doesn't belong here, as much as questions about SuSE's support for packages where the license has changed or things that are actually subject to reading an FAQ.

Subscribers might have noticed the increasing amount of non-security related material in the list, as well as increasing volume every day or the other. This brings up the question if the list should go moderated or not.

Taking the risk that the follow-ups will cause a considerable amount of noise on the list, this question needs an answer. I'd like to hear your thoughts about the idea as well as the list policy. It is designed to be very open and targets the list to become more valuable as an information source and discussion platform, with a small noise ratio and an acceptable volume.

Please feel free to answer personally to me if you don't wish your name to be published with your opinion.

--------------------------------------- * Spam gets blackholed.

* Postings that are not related to security will not pass. Exception: Sometimes threads evolve and provide valuable information around an issue that is not closely related to security.

* Postings with commercial nature such as announcements of new versions of commercial software in the security field will pass but will be marked as such with an addition in the Subject: line in the header.

* Postings with critical content, regardless of the critizism's target, be it SuSE, another Linux vendor or even hardware manufacturers, _will_ be posted. It is needless to say that the claim of being independent requires this allegation.

* As usual, postings will _not_ be modified, authors are responsible for the content. If you post something, be aware that something that has been written and published can't be redrawn easily. Polite style almost always provides the basis for productive critizism, harsh accusations make people angry.

*** * I want to point out that moderation does _not_ equal to censorship! In some (hopefully) rare (f.ex. when a thread becomes too far off-topic or a flamewar blazes) cases it might be neccessary to kill a thread, or to collect the last responses for a thread and post them in a single mail. ***

* Meta-postings (concerning the list) will always be answered but might not pass. If the posting addresses the list policy, it _must_ pass.

Postings would be chained into the list in the same sequence as they arrive.

Roman. -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Jan.Trippler＠t-online.de

18:56

New subject: [suse-security] RFC: - moderation -

On Mit, Aug 09, 2000 at 07:13:29 +0200, OKDesign oHG Security Webmaster wrote:

...

about your idea with the moderated list: [...]

So, people, please try to focus on security-related topics when posting to this list and handle all other things in private email !

I agree with a moderated list! Guess it would also prevent us from full quotings, broken threads ... and leave this list better readable. SCNR Jan

Kurt Seifried

19:18

New subject: [suse-security] RFC: - moderation -

Generally as mailing lists approach a certain size/popularity they must be moderated. Even if 99% of the people on the list follow etiquette perfectly, never post off topic, etc, etc that stills leaves %1 who will. If you list has over 1000 people this quickly leads to high degree of noise, which seems to usually follow a self amplifying pattern. As people post more off topic questions and get a response (people trying to be helpful and all) it encourages other to post off topic, as well there are more responses, some of which are not really needed (me too!). Like a lot of security professionals I receieve a lot of email in an average day (100-200), even if I only scan them and do not reply/etc that's still a lot of time. Moderation ensurses (to a much more certain degree) that the emails I receive from this list will be worth reading and useful. As SuSE pointed out this will not mean censorship (and I have yet to see a professional security mailing list where that was ever a complaint, and I'm on over 20 =), it simply means the wheat will be seperated from the chaff so we don't have to. Kurt

8660

Age (days ago)

8669

Last active (days ago)

List overview

Download

23 comments

15 participants

participants (15)

Andreas Kreuzinger
Eduardo Carriles
engelbert.gruber＠ssg.co.at
Frank Hart
Gerd Bitzer
Gerhard Sittig
Jan.Trippler＠t-online.de
ksemat＠wawa.eahd.or.ug
Kurt Seifried
Len Rose
Martin Leweling
OKDesign oHG Security Webmaster
Roman Drahtmueller
Thilo Bangert
Yuri Robbers