September 1999 - openSUSE Security - openSUSE Mailing Lists

SSH Authentication
by Joao Reis 18 Nov '02

18 Nov '02

Hi! I implemented a ssh conection from the outside to my intranet. This ssh requires a username and a password. In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the authorized public key lists (in this case there is no need for username and password)? In the second case there is no need of authentication and only the users wich have the public keys in the list are allowed to enter in my intranet. This second solution is a good solution or that brings other security problems ? Thanks. -- Farewell. "Keep your friends close, but your enemies closer." "Do or do not. There is no try" - Yoda João Reis -------------------------------------------------------

2 1

multi-services server securing
by Gediminas Grigas 16 Aug '00

16 Aug '00

Hello there, I feel erroneusly (?) secure after .host.denyed in.telnetd and in.sshd from everywhere except one pc, which is denying all exept keyboard. I belive that if i can keep hosts.deny and hosts.allow files safe, and from time to time patch most actual security holes i`ll be conditionaly safe. Em i wrong? Probably I do. I just cant imaginate how system can be cracked in lower stage, so that is my problem. I heard that inetd is very insecure, and some peoples using tcpd (or soundlike). I run harden_suse, but was forced to answer 8/10 to no, as my server should provide a lot of public services, and have world writible directories as well. And thats right - this script was developed not for systems like mine one. However i`ll run SuSE-firewall-3.0 script, to make my system even stronger. But thats all. I dont know what can i do else. I should keep folowing services open: httpd; smptd; pop3d; ftpd; snmpd; named; inetd; sshd; nscd. So if you know how to keep them at minimal risk, or know some holes at those, i would be very gratefull for any info and/or tips. I dont ask to do work for me - link to good manual would be nice too. By the way i have SuSE 6.3 (2.2.13). Thanks in advice. Sincerely Yours, Gediminas Grigas mailto:gedas@kryptis.lt

5 5

ssh-authtication
by Security Webmaster OKDesign oHG 06 Dec '99

06 Dec '99

Hi folks, umm, I have a small problem. When setting up our server, I tried to get the best security as possible. Maybe I changed some config-file to fit our needs to allow ssh-logins only from specified users.(But I have no idea which file this was :-(( ) Now I want to allow another user to login using ssh. I made ssh-keygen for this user, entered the password, copied identity.pub to authorized_keys in the .ssh-directory. But when trying to login via ssh, servers sends permission denied. What else must be done ? TIA ---Stephan

3 2

PGP
by Scott McEachern 01 Dec '99

01 Dec '99

Does anyone know if PGP works with Netscape's Messenger? I was at the pgp site and it listed a lot of mail clients, no Netscape. -- mailto:scott.mceachern@sympatico.ca On the side of the software box, in the "System requirements section", it said "Requires Windows 95 or better." So I installed Linux.

3 2

Re: Port 113?
by Jochen Lillich 18 Oct '99

18 Oct '99

Gerhard Sittig <Gerhard.Sittig(a)gmx.net> writes: > This is usually referenced from the remote host back to you when > you relay mail there. Is there smtp traffic in company with these > events? You might want to log them for investigation. It happens when I open a ssh connection to the web server. Then, the server tries to connect back to my workstations port 113. But I guess it's not wise just to open external connects to port 113 of all workstations I do ssh from? Also, another thing: ssh worked not until I permitted connects from the servers ssh port to my workstations. First, I just permitted traffic from my workstations' ssh port to the server (as does the SuSE firewall script), but then it won't connect. Is this normal behaviour? Thanks, Jochen -- *** Linux BBS: Die deutsche Website fuer Linux-News und -Infos *** http://www.linuxbbs.org/

4 3

masquerading & firewalling
by l41484＠alfa.ist.utl.pt 05 Oct '99

05 Oct '99

Has anyone been able to use masquerading & firewalling scripts that appeared on suse 6.2 (6.1??). I've configure MSQ_* variables on yast and then issued /etc/rc.d/masquerade the script runs, but NO masquerading is active. (for example /etc/rc.d/masquerade status shows empty masquerading rules). I don't want start learning ipchains now, since it will be once again discontinueted (SP?) on kernel 2.4 :-) Thanks. -- Tiago Pascoal (l41484(a)alfa.ist.utl.pt) FAX : +351-1-7273394 Politicamente incorrecto, e membro (nao muito) proeminente da geracao rasca. Recem empossado (engajado) cidadao da republica das bananas. Stewart's Law of Retroaction: It is easier to get forgiveness than permission.

4 3

Routing table
by Gregory Conron 30 Sep '99

30 Sep '99

Scenario: I have set Port Sentry up to determine when I am being scanned (I find it more sensitive to some scans than scanlogd). In addition to logging the port scan, it is set up to drop the route between myself and the scanner via "/sbin/route add -host [IP address] reject". I have no problem with this, -except-, when I go to add the route again (as I had to do recently with my ISP when they scanned this IP block for open servers), I get a double entry in the routing table (see below). I re-add the address using route add -host [IP Address] eth0 and it is added back to the table and mark as being up and accessable. However, the original rejected route is still there. When I go to delete this, it deletes the address I just entered, and then give an error if I attempt to delete it again. This is not causing any problems, but I would like to remove the duplicate entries. Cheers, GC %route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface ch1.hfxcable.co * 255.255.255.255 UH 0 0 0 eth0 ch1.hfxcable.co - 255.255.255.255 !H 0 - 0 - u25n100.hfx.and * 255.255.255.255 UH 0 0 0 eth0 u25n100.hfx.and - 255.255.255.255 !H 0 - 0 - -- Gregory Conron gconron(a)hfx.andara.com - email (902) 443-4562 - voicemail

1 0

Suse firewall?
by David Kramer 30 Sep '99

30 Sep '99

I have a Red Hat 5.2 firewall between my Mediaone/Roadrunner cablemodem and my hme network hub. I would like to convert it to Suse. Does Suse 6.2 come with the proper packages/kernel for two nics, especially if they are the same model? Does it include ipfwadm or ipchains? If not, can I use regular RPM's from RPMFIND for that? Does it use dhcpcd or pump (heard there were some problems with Mediaone and pump)? Can anyone point me towards a good site on how to do this with Suse? I use http://rlz.ne.mediaone.net to set up Red hat, but some of the stuff may be different. For instance, are all the DHCP scripts in the same place and named the same thing? Thanks in advance. -- ------------------------------------------------------------------- DDDD David Kramer david(a)kramer.ne.mediaone.net DK KD http://kramer.ne.mediaone.net DKK D DK KD HYDROGEN: A colorless, odorless gas which, DDDD given enough time, turns into people.

2 1

ping broadcast again
by alex medvedev 29 Sep '99

29 Sep '99

Hi, i can not ping broadcast or network addresses: getting return code -1: permission denied. i thought it was me (my setup) but yesterday my coworker did a new install of 6.1 and he was not able to ping these addresses either. Moreover, there is another bad problem with "ping": sometimes (when i ping some real address including localhost) it pings only once then hangs indefinitely. When i ^C it reports that 1 packet was transmitted and 1 packet recieved 0% packet loss. other communications are quite well. kernel is 2.2.12 if it is relevant, but i started seeing it since 2.2.x help requested, -alexm

2 1

RE: [suse-security] Permissions for Mail-only Users
by Micha Borrmann 29 Sep '99

29 Sep '99

I use /bin/false as shell and /dev/null as home directory Micha Borrmann Systemadministrator, CCSE INTERACTIVE Online Services I.O.S. GmbH Kedenburgstrasse 44 - 22041 Hamburg - Germany Hamburg-Muenchen-Wiesbaden E-Mail: mailto:mb@interact.de RIPE-Handle : MB1 URL : http://www.interact.de/ INTERNIC-Handle: MB16858 phone : +49.40.65699045 fax : +49.40.65699040 Reinventing Today's Communication > -----Original Message----- > From: Uwe Pilz [SMTP:U.Pilz@HTW-Zittau.DE] > Sent: Wednesday, September 29, 1999 3:58 PM > Cc: suse-security(a)suse.com > Subject: Re: [suse-security] Permissions for Mail-only Users > > Holger Will schrieb: > > > Hello, > > > > I have set up a box which will act as our Mail-Server. > > > > How should I set up the permissions for user which only are allowed to > > use mail on this System. > > (Sending by SMTP getting via popper) > > > > Which shell should I give them? Which would be the best home-directory? > > > > -- > > Holger Will > > > > -- > > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > > For additional commands, e-mail: suse-security-help(a)suse.com > > I used /bin/passwd (or a script with /bin/passwd; sleep 5 inside) as > shell and no home dir. > > > -- > Uwe Pilz mailto:U.Pilz@HTW-Zittau.DE > Tel.(+49)3583 61 1375 > Hochschule Zittau/Goerlitz (FH), Hochschulrechenzentrum > Th.-Koerner-Allee 16, D 02763 Zittau > > > > -- > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > For additional commands, e-mail: suse-security-help(a)suse.com

1 0