May 2000 - openSUSE Security - openSUSE Mailing Lists

SSH Authentication
by Joao Reis 18 Nov '02

18 Nov '02

Hi! I implemented a ssh conection from the outside to my intranet. This ssh requires a username and a password. In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the authorized public key lists (in this case there is no need for username and password)? In the second case there is no need of authentication and only the users wich have the public keys in the list are allowed to enter in my intranet. This second solution is a good solution or that brings other security problems ? Thanks. -- Farewell. "Keep your friends close, but your enemies closer." "Do or do not. There is no try" - Yoda João Reis -------------------------------------------------------

2 1

Re: is SuSE going to implement libsafe?
by marc＠suse.de 18 Feb '01

18 Feb '01

Hi, >I have just read an Bell Labs anouncement, that they are going to release >libsafe under GNU licence, and that some major Linux distros are going to >be using it. SuSE was not amongst them, why is that? I think that libsafe would >be a good echnacement against buffer overflow. > >Anouncement is on: >http://www.bell-labs.com/news/2000/april/20/1.html just because something new pops up please be careful with questions like "when will you implement it?" ;-) There are several questions to ask: a) is it STABLE and does it NOT affect the stability of other programs? b) does it bring additional security problems into the system? c) is the security protection effective? Well, of course the SuSE Security Team already reviewed libsafe. Here are the answers: a) unsure. it would have to be tested very intensive. this was not done yet. b) the code might have vulnerabilities, however the protection gained is higher even if a vulnerability would be present c) okay, now the tough part: libsafe is a dynamic library which is set in the environment which checks several dangerous functions, which can be a security problem. Because it is a dynamic library, it is NO protection against local attackers, just against remote attackers on network services. (if an attacker wants to attack a local suid file, he would just reset his library path environment). Next thing: it does not check for all known vulnerabilites. It even doesn't protect against all buffer overflows, It just protects against *some* overflows. those which happen because of insecure use of strcat/strcpy etc. summary: I can not remember a vulnerability in a network service for the last year which this tool would have prevented. Therefore: as long as this tool is not enhanced to also protect open/fopen calls against symlink/hardlink/pipe attacks, several more buffer overflow types, system/exec* function protection etc. it is not useful to use this tool. I would rather propose to use the secumod module which comes with SuSE Linux since 6.3 and maybe the secure-linux kernel patch from www.openwall.com - these two tools enhance your security. (and btw, install seccheck, hardensuse and firewals and use them - then your security is very high) Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc(a)suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C

5 4

multi-services server securing
by Gediminas Grigas 16 Aug '00

16 Aug '00

Hello there, I feel erroneusly (?) secure after .host.denyed in.telnetd and in.sshd from everywhere except one pc, which is denying all exept keyboard. I belive that if i can keep hosts.deny and hosts.allow files safe, and from time to time patch most actual security holes i`ll be conditionaly safe. Em i wrong? Probably I do. I just cant imaginate how system can be cracked in lower stage, so that is my problem. I heard that inetd is very insecure, and some peoples using tcpd (or soundlike). I run harden_suse, but was forced to answer 8/10 to no, as my server should provide a lot of public services, and have world writible directories as well. And thats right - this script was developed not for systems like mine one. However i`ll run SuSE-firewall-3.0 script, to make my system even stronger. But thats all. I dont know what can i do else. I should keep folowing services open: httpd; smptd; pop3d; ftpd; snmpd; named; inetd; sshd; nscd. So if you know how to keep them at minimal risk, or know some holes at those, i would be very gratefull for any info and/or tips. I dont ask to do work for me - link to good manual would be nice too. By the way i have SuSE 6.3 (2.2.13). Thanks in advice. Sincerely Yours, Gediminas Grigas mailto:gedas@kryptis.lt

5 5

Qpopper 2.53 remote problem, user can gain gid=mail (fwd)
by Peter Münster 06 Jun '00

06 Jun '00

Instead of the file pop_msg.c, which should be patched as mentioned in the advisory, it seems to be rather pop_uidl.c Cheers, Peter -- Peter Münster http://gmv.spm.univ-rennes1.fr/~peter/ ---------- Forwarded message ---------- Date: Tue, 23 May 2000 09:43:33 -800 From: Prizm <prizm(a)RESENTMENT.ORG> To: BUGTRAQ(a)SECURITYFOCUS.COM Subject: Qpopper 2.53 remote problem, user can gain gid=mail I have attached to this message the advisory with full details + exploit on this problem. Prizm/b0f,

6 6

masquerading and a monolithic kernel
by Arjen Runsink 05 Jun '00

05 Jun '00

L.S. Experimenting with a firewall I compiled a monolithic kernel with masquerading and without loadable module support so as to make it impossible to subvert the kernel by a malicious module. But alas, the special masq modules for irc and ftp and so forth are only made and available as modules :( This is handy, especially a modified ftp module that snoops passwords would work for whatever-your-color-of-hat to do his thing. So this brings security but partially hast the functionality of a disconnected system.:) Is there a way to not make them a module but put them into my kernel? BB, Arjen -- Sell what you use, use what you sell.

4 5

[suse-security]: Netscape certificate
by Timo Schulz 02 Jun '00

02 Jun '00

Hi, is it possible to use OpenSSL/SSL to generate a certificate that can be use by Netscape as a digital user id for encryption? If yes, how? Thanks in advance. Timo -- Two-a-Day at joesixpack.net www.freenet.de/joesixpack keyid BF3DF9B4

2 1

Re: [suse-security] IPCHAINS again (because first mail was digital signed)
by Per R Laursen 02 Jun '00

02 Jun '00

It sounds like you have disablet icmp at your input or output chain. Kind regards Per R Laursen http://www.websecure.dk -----Original Message----- From: Gerling, Stephan <gerling(a)kub.de> To: 'suse-security(a)suse.com' <suse-security(a)suse.com> Date: 25. maj 2000 13:20 Subject: [suse-security] IPCHAINS again (because first mail was digital signed) >Hi list, >I'am trying to set up an firewall with IPCHAINS. >If the IPCHAINS-Script is not started, i kann do everything. (i use the same >script on an other >maschine and it works very fine and i want to change the maschines) >But now wenn i start the script, the rules are loaded, but i cannot ping to >the outside >here the error messages >ping wrote xxx.xxx.xxx.xxx 64 chars, ret=-1 >ping sendto :Operating is not permitted >ip-forwarding is enabled. >Has anyone an idea. I'm going sick about this >regards, Stephan Gerling > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com >For additional commands, e-mail: suse-security-help(a)suse.com > >

2 1

Apache mod_ssl problem
by Harald Scharf 01 Jun '00

01 Jun '00

Hello, to all. I have an interesting problem. I have installed Apache 1.3.12 with mod_ssl 2.6.3 php 3.0.16 , mysql and sybase support. The Configuration works well, but there is a strange phenomenon : If i try to connect with : http://192.168.100.1/mrtg, i do not get any connect. If i try to connect with : https://192.168.100.1/mrtg i get a connect, but i CAN connect with http://192.168.100.1/mrtg/ So, if i supply the last slash, the Browser establishes the Connection.... WHY ? I think this should work with both urls, because apache is configured with : listen 80 listen 443 Any Idea ? tia Harald Scharf

3 2

chroot manual
by Dirk.Nitka＠ages.de 31 May '00

31 May '00

Hi, does anybody know, where to find a description, how to direct a user to a chrooted shell upon login ? I couldn't find much info about chroot at all. Thanks Dirk

1 0

AW: [suse-security] IPChains
by Bauer, Juergen 30 May '00

30 May '00

hi folks, i just wanted to say that you should keep in mind that there are different implementations for ping/traceroute. windows clients are using icmp packets while linux is using udp packets on port 33434+ (afair). so just try to ping through your firewall from a windows client. it should work if you set up ipchains to masq icmp echo-request packets and accept incoming echo-replys. greets jb -----Ursprüngliche Nachricht----- Von: Gerling, Stephan [mailto:gerling@kub.de] Gesendet: Donnerstag, 25. Mai 2000 12:40 An: 'suse-security(a)suse.com' Betreff: [suse-security] IPChains Hi list, I'am trying to set up an firewall with IPCHAINS. If the IPCHAINS-Script is not started, i kann do everything. (i use the same script on an other maschine and it works very fine and i want to change the maschines) But now wenn i start the script, the rules are loaded, but i cannot ping to the outside here the error messages ping wrote xxx.xxx.xxx.xxx 64 chars, ret=-1 ping sendto :Operating is not permitted ip-forwarding is enabled. Has anyone an idea. I'm going sick about this regards, Stephan Gerling

8 16