Hello All,

Sorry to annoy you, but POP3 doesn't recognize MD5 passwords. All other services are ok. POP3 works perfectly for the users whose passwords were not changed yet (i.e. were not converted to MD5).

Why should I want MD5 passwords? That's simple: we had a RedHat system using MD5 passwords and (i) we'd like to transfer all the users with their passwords to SuSE; (ii) the existing passwords are longer than 8 characters.

Looks like I need further reading on PAM, but maybe there's a proven approach?

Thanks,
--
Boris Kimel
Webmaster and Network Administrator
The Moscow Chemical Lyceum
4 Tamozhennyi Proezd
Moscow, Russia.
Phone: +7 095 1358941
Fax: +7 095 1355328
Email: kimel@1303.ru
Your pop should be PAM'ified, i.e. the pop daemon goes to PAM, which handles auth, rather than the pop daemon going direct to /etc/passwd. It's simple. Servers should support PAM, otherwise you will have fun-filled problems like this.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hi, Kurt.

Sure my pop is PAMified (that's the default). Only I don't know how to tell PAM to use MD5 for POP. There is /etc/pam.d/pop, but the docs say nothing about it needing to be changed somehow. They say to add the 'md5' parameter to all the protocols that can _change_ passwords, which is not the case for the POP service. I'm reading...

Thanks,
--
Boris Kimel
Webmaster and Network Administrator
The Moscow Chemical Lyceum
4 Tamozhennyi Proezd
Moscow, Russia.
Phone: +7 095 1358941
Fax: +7 095 1355328
Email: kimel@1303.ru
Please send contents of your /etc/pam.d/pop

On Thursday 24 January 2002 23:13, Boris Kimel wrote:
-- Alex Levit
Good day.

Make a copy of your /etc/pam.d/pop first, just in case :)
Then update your /etc/pam.d/pop, replacing all lines in that file with:

    #%PAM-1.0
    # auth: pam_unix checks the password; "sufficient" means success ends the stack,
    # and anything that falls through is refused by pam_deny.
    #   likeauth - pam_setcred returns the same result as the auth call
    #   nullok   - accept accounts whose password field is empty
    #   shadow   - look the hash up in /etc/shadow, not /etc/passwd
    #   md5      - pam_unix option selecting MD5 ("$1$") hashes for new passwords
    auth      sufficient  /lib/security/pam_unix.so likeauth nullok md5 shadow
    auth      required    /lib/security/pam_deny.so
    # account: expiry/aging checks from /etc/shadow, otherwise deny
    account   sufficient  /lib/security/pam_unix.so
    account   required    /lib/security/pam_deny.so
    # password: used only if the service ever changes a password;
    #   use_authtok - reuse the new password collected by an earlier stacked module
    password  sufficient  /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password  required    /lib/security/pam_deny.so
    # session: apply /etc/security/limits.conf, then pam_unix session logging
    session   required    /lib/security/pam_limits.so
    session   required    /lib/security/pam_unix.so

P.S.
Make sure that
    #%PAM-1.0
is on the first line.

You can also modify the current settings if they seem too relaxed to you. For example: you can take out nullok, but make sure everything works before you start playing with different settings.

Well, good luck. :)

On Saturday 26 January 2002 06:29, Alex Levit wrote:
--
Alex Levit
Excellent day to have a rotten day.
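As an added illustration (not code from the thread, and not how pam_unix itself is written): a pure-Python MD5-crypt ("$1$") implementation plus a small checker that reads /etc/shadow-style lines and picks the algorithm from the hash prefix, the way crypt(3)-style verifiers do. It shows the two things the thread turns on: an MD5 entry is recognized by its "$1$" prefix, and, unlike traditional DES crypt, MD5-crypt hashes the whole password, so Boris's longer-than-8-character passwords survive. The shadow lines, user names and the 13-character DES-style entry are constructed for the example; the DES branch is deliberately left unimplemented (it needs the DES cipher) and such entries are reported as unsupported rather than silently accepted.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: 6-bit groups, least significant group first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<hash>' (Poul-Henning Kamp's MD5-crypt).

    The whole password is hashed, so unlike traditional DES crypt nothing
    past the 8th character is discarded.
    """
    pw = password.encode()
    salt = salt.split("$", 1)[0][:8]        # salt stops at '$', max 8 chars
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)                     # 16 bytes of alt per 16 bytes of pw
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)                          # one byte per bit of len(pw): NUL or pw[0]
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                   # fixed-schedule stretching rounds
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$1${salt}${encoded}"


def new_md5_hash(password: str) -> str:
    """Hash a new password under a fresh random 8-character salt."""
    return md5_crypt(password, "".join(secrets.choice(ITOA64) for _ in range(8)))


def verify(password: str, stored: str) -> Optional[bool]:
    """Check a password against one shadow hash field.

    The algorithm is picked from the stored prefix, as crypt(3) does.
    True/False for formats we can check; None for a format we cannot
    (a 13-character DES hash needs the DES cipher, not implemented here).
    Locked entries ('!' or '*') never match.
    """
    if not stored or stored[0] in "!*":
        return False
    if stored.startswith("$1$"):
        salt = stored[3:].split("$", 1)[0]
        return hmac.compare_digest(md5_crypt(password, salt).encode(), stored.encode())
    return None


def shadow_hash(shadow_text: str, user: str) -> Optional[str]:
    """Return the hash field of `user` from /etc/shadow-style text."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None


# Constructed sample shadow file: the MD5 entry is produced by md5_crypt above;
# the 13-character DES-style entry is a made-up placeholder, not a real hash.
SAMPLE_SHADOW = "\n".join([
    "migrated:" + md5_crypt("lyceum-long-password", "Tamozhen") + ":11700:0:99999:7:::",
    "olduser:abJnggxhB/yWI:11700:0:99999:7:::",
    "locked:!:11700:0:99999:7:::",
])


def check_login(user: str, password: str, shadow_text: str = SAMPLE_SHADOW) -> str:
    """'ok', 'denied', or 'unsupported' (what a checker without MD5 support reports)."""
    stored = shadow_hash(shadow_text, user)
    if stored is None:
        return "denied"
    result = verify(password, stored)
    if result is None:
        return "unsupported"
    return "ok" if result else "denied"
```

The point of `verify` is the dispatch on the prefix: a daemon that reads the shadow file itself and only knows the 13-character DES format ends up in the "unsupported" branch for every migrated user, which is the symptom in the first message; routing through PAM (pam_unix) is what gets the "$1$" branch for free.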
Hi everybody,

I'm trying to improve security by making the minimal services run on a 7.2 server. Now, my question is how to make services run and stop on demand, like ssh or inetd. Is it possible to make, say, a web page under SSL launch and stop such services? Or maybe a majordomo mail with the appropriate password? The idea is to have ONLY apache and sendmail running all the time, nothing more, then run ftpd or ssh as needed, then stop it.

Thanks

__________________________________________________
Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com
On Saturday 26 January 2002 06:19 am, Leonel Rivas wrote:
> the idea is to have ONLY apache and sendmail running all the time, nothing more, then, run ftpd or ssh as needed, then stop it.

That's backwards. Folks are far more likely to crash your webserver than a properly updated sshd. Leave sshd up all the time and use it to manage the other services.
--
John Andersen / Juneau Alaska
Hi Leonel,

I did it the following way: I run a small Perl daemon w/ root rights listening to a TCP port on the loopback device. On my Apache-SSL are some PHP scripts you can access after authentication (also done from a PHP script on the HTTPS server). The PHP scripts start a small communication sequence to show the Perl daemon that they are allowed to access (a kind of protocol). After this, the PHP scripts are allowed to send commands to be executed w/ root rights from the daemon w/ a simple system() call.

The "features" of this solution are:
- The Perl daemon is only accessible via the loopback device
- You have to know the "protocol" of the daemon
- The WebServer can be a standard Apache w/ SSL, running as whichever user you want it to
- You don't have to play w/ suid, sudo etc. and need not toggle rights

The same can be done w/ a special alias for your mail transport program, piped to a script which checks and prepares the mail and writes the needed content to a file. Then a daemon running as root checks e.g. every minute if this file exists and executes the content.

Have fun,
Ralf

PS: I use it with an Apache listening to my internal network only (for administration), because I don't trust myself that this configuration is really secure, and I don't need to do things remotely w/o SSH.
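An added example of the root-side broker Ralf describes, written here to show the hardened shape rather than his Perl daemon (this is not his code, and the init-script paths, action names, socket path and shared secret are assumptions for the example). The differences from "PHP sends a command string, daemon calls system()" are the ones a reviewer would insist on: the daemon knows a fixed table of named actions, each an argv list so no request text is ever handed to a shell; every request carries a timestamp and an HMAC under a secret shared with the web side, checked in constant time; repeated MACs are refused; and the listener is a Unix socket whose file mode decides who may connect, instead of a loopback TCP port that any local user can reach.

```python
import hashlib
import hmac
import os
import socket
import subprocess
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

# Hypothetical action table: the ONLY commands the broker can run. Each is an
# argv list, never a shell string, so request text never reaches /bin/sh.
# The init-script paths are assumptions for the example.
ACTIONS: Dict[str, List[str]] = {
    "sshd-start": ["/etc/init.d/sshd", "start"],
    "sshd-stop": ["/etc/init.d/sshd", "stop"],
    "ftpd-start": ["/etc/init.d/ftpd", "start"],
    "ftpd-stop": ["/etc/init.d/ftpd", "stop"],
}
MAX_SKEW = 30  # seconds a signed request stays valid


def sign_request(secret: bytes, action: str, ts: Optional[int] = None) -> str:
    """Web-side helper: build 'ts|action|hex(HMAC-SHA256(secret, ts|action))'."""
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(secret, f"{ts}|{action}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}|{action}|{mac}"


def handle_request(
    secret: bytes,
    line: str,
    runner: Optional[Callable[[List[str]], int]] = None,
    now: Optional[int] = None,
    seen: Optional[Set[str]] = None,
) -> Tuple[str, str]:
    """Broker side: validate one request line and run its action.

    Returns (status, detail) with status 'ok', 'denied' or 'error'. Order of
    checks: shape, freshness, MAC (constant time), replay, then allowlist.
    `runner` defaults to subprocess.run and is injectable for testing.
    """
    now = int(time.time()) if now is None else now
    parts = line.strip().split("|")
    if len(parts) != 3:
        return ("denied", "malformed")
    ts_text, action, mac = parts
    if not ts_text.isdigit() or abs(now - int(ts_text)) > MAX_SKEW:
        return ("denied", "stale")
    expected = hmac.new(secret, f"{ts_text}|{action}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return ("denied", "bad mac")
    if seen is not None:               # a MAC is accepted once within the window
        if mac in seen:
            return ("denied", "replay")
        seen.add(mac)
    argv = ACTIONS.get(action)         # allowlist lookup; unknown names never run
    if argv is None:
        return ("denied", f"unknown action {action!r}")
    run = runner or (lambda a: subprocess.run(a, check=False).returncode)
    rc = run(argv)
    return ("ok" if rc == 0 else "error", f"{action} rc={rc}")


def serve(socket_path: str, secret: bytes) -> None:
    """Run the broker (as root) on a Unix socket; the file mode limits callers."""
    if os.path.exists(socket_path):
        os.unlink(socket_path)
    seen: Set[str] = set()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(socket_path)
        os.chmod(socket_path, 0o660)   # owner and group only, e.g. root:wwwrun
        srv.listen(1)
        while True:
            conn, _ = srv.accept()
            with conn:
                line = conn.recv(4096).decode(errors="replace")
                status, detail = handle_request(secret, line, seen=seen)
                conn.sendall(f"{status} {detail}\n".encode())
```

The web side only ever calls `sign_request` with one of the table's names; if the PHP layer is compromised, the worst an attacker can do is toggle the listed services, not run arbitrary commands as root. The `seen` set in `serve` grows for the life of the process; in a real deployment it should be pruned of entries older than `MAX_SKEW`.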
Hello Alex,

Many thanks. Still, I had no time to read about the details yet. And something tells me not to do the things I don't understand. After reading the PAM manual I should be able to read all the lines you sent me, and then, positively, thank you once more. Thank you!

Saturday, January 26, 2002, 5:58:49 PM, you wrote:

--
Best regards,
Boris
mailto:kimel@1303.ru
participants (6): Alex Levit, Boris Kimel, John Andersen, Kurt Seifried, Leonel Rivas, Ralf Koch