I implemented an SSH connection from the outside to my intranet. This SSH requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the
authorized public key list (in this case there is no need for username and password)?
In the second case there is no need for authentication, and only the users which have their public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
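As an added example (not part of the question above or of any reply on the list): a public key replaces the password, not the account name. The client still logs in to a named user, and the key must be listed in that user's authorized_keys, so the remaining risks are custody of the private keys and whether sshd really stops accepting passwords. That last point is a matter of configuration, which this script checks. It uses OpenSSH directive names (an assumption; the SSH 1.x daemons of the time spelled some of them differently), copies sshd's rule that the first occurrence of a directive wins, and runs against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the list post): check an sshd_config for key-only
# logins. Directive names are OpenSSH's (assumed). sshd honours the FIRST
# occurrence of a directive; the parser below does the same and stops at the
# first "Match" block, whose per-user overrides it does not evaluate.

# sshd_setting FILE KEY DEFAULT: print the effective value of KEY
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2            { next }   # comments, blank lines
        tolower($1) == "match"                { exit }   # conditional block: stop
        tolower($1) == tolower(key) && !found { val = $2; found = 1 }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd FILE: return 0 if passwords are refused and keys accepted, else 1
audit_sshd() {
    pw=$(sshd_setting "$1" PasswordAuthentication yes)           # OpenSSH default: yes
    cr=$(sshd_setting "$1" ChallengeResponseAuthentication yes)  # OpenSSH default: yes
    pk=$(sshd_setting "$1" PubkeyAuthentication yes)             # OpenSSH default: yes
    pe=$(sshd_setting "$1" PermitEmptyPasswords no)
    rc=0
    [ "$pw" = no ]  || { echo "FAIL PasswordAuthentication=$pw"; rc=1; }
    # keyboard-interactive via PAM can still prompt for a password
    [ "$cr" = no ]  || { echo "FAIL ChallengeResponseAuthentication=$cr"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL PubkeyAuthentication=$pk"; rc=1; }
    [ "$pe" = no ]  || { echo "FAIL PermitEmptyPasswords=$pe"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK key-only authentication"
    return "$rc"
}

# --- constructed sample configs ---
tmp=$(mktemp -d)
cat > "$tmp/weak" <<'EOF'
# still accepts passwords from outside
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
cat > "$tmp/hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
# a later duplicate does NOT override the first occurrence
PasswordAuthentication yes
EOF

audit_sshd "$tmp/weak"       # prints a FAIL line, returns 1
audit_sshd "$tmp/hardened"   # prints OK, returns 0
rm -rf "$tmp"
```

The script reads a file, so it can be pointed at the real /etc/ssh/sshd_config; the defaults passed as the third argument are what count when a directive is absent, which is where most "I thought passwords were off" surprises come from.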
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
>I have just read a Bell Labs announcement that they are going to release
>libsafe under the GNU licence, and that some major Linux distros are going to
>be using it. SuSE was not amongst them, why is that? I think that libsafe would
>be a good enhancement against buffer overflow.
>Announcement is on:
Just because something new pops up, please be careful with questions like
"when will you implement it?" ;-)
There are several questions to ask:
a) is it STABLE and does it NOT affect the stability of other programs?
b) does it bring additional security problems into the system?
c) is the security protection effective?
Well, of course the SuSE Security Team already reviewed libsafe.
Here are the answers:
a) unsure. It would have to be tested very intensively. This was not done yet.
b) the code might have vulnerabilities, however the protection gained is
higher even if a vulnerability were present
c) okay, now the tough part:
libsafe is a dynamic library which is set in the environment and which checks
several dangerous functions, which can be a security problem.
Because it is a dynamic library, it is NO protection against local
attackers, just against remote attackers on network services (if an
attacker wants to attack a local suid file, he would just reset his library
path environment). Next thing: it does not check for all known
vulnerabilities. It doesn't even protect against all buffer overflows, it
just protects against *some* overflows, those which happen because of
insecure use of strcat/strcpy etc.
I cannot remember a vulnerability in a network service for the last year
which this tool would have prevented. Therefore: as long as this tool is not
enhanced to also protect open/fopen calls against symlink/hardlink/pipe
attacks, several more buffer overflow types, system/exec* function
protection etc., it is not useful to use this tool.
I would rather propose to use the secumod module which comes with SuSE Linux
since 6.3 and maybe the secure-linux kernel patch from www.openwall.com -
these two tools enhance your security. (And btw, install seccheck,
hardensuse and firewalls and use them - then your security is very high.)
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc(a)suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
I feel erroneously (?) secure after having hosts.deny'd in.telnetd and
in.sshd from everywhere except one PC, which is denying all except
keyboard. I believe that if I can keep the hosts.deny and hosts.allow files
safe, and from time to time patch the most actual security holes, I'll be
conditionally safe. Am I wrong? Probably I am.
I just can't imagine how the system can be cracked at a lower stage, so
that is my problem. I heard that inetd is very insecure, and some
people are using tcpd (or something that sounds like it).
I run harden_suse, but was forced to answer 8/10 with no, as my server
should provide a lot of public services, and have world-writable
directories as well. And that's right: this script was not developed
for systems like mine. However, I'll run the SuSE-firewall-3.0 script
to make my system even stronger. But that's all. I don't know what else I can
do. I should keep the following services open:
httpd; smtpd; pop3d; ftpd; snmpd; named; inetd; sshd; nscd.
So if you know how to keep them at minimal risk, or know some holes in
those, I would be very grateful for any info and/or tips.
I don't ask you to do the work for me; a link to a good manual would be nice too.
By the way, I have SuSE 6.3 (2.2.13).
Thanks in advance.
Gediminas Grigas mailto:firstname.lastname@example.org
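An added example, not part of the post above or of any reply on the list, for the hosts.allow/hosts.deny setup it describes: a small replay of tcpd's decision (hosts.allow first, then hosts.deny, otherwise allow) so a rule set can be checked for a given daemon and client before it is relied on. It handles the plain "daemons : clients" form with ALL, exact names, "192.168.1." prefixes, ".example.org" suffixes and EXCEPT; netgroups, netmasks and KNOWN/UNKNOWN are not handled (assumption: POSIX sh, sample files constructed below). Bear in mind what the files do not cover: only services started through tcpd or linked against libwrap consult them, so httpd, named and the rest of the list above are untouched by whatever hosts.deny says.

```shell
#!/bin/sh
# Added example (not from the list post): evaluate tcpd's access rules for one
# daemon/client pair. Assumes POSIX sh; rule syntax is the basic subset only.

# match_list LIST VALUE: 0 if VALUE matches any comma/space separated pattern
match_list() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        case "$pat" in
            ALL) return 0 ;;
            *.)  case "$2" in "$pat"*) return 0 ;; esac ;;   # network prefix
            .*)  case "$2" in *"$pat") return 0 ;; esac ;;   # domain suffix
            *)   [ "$pat" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# match_clients CLIENTLIST HOST: like match_list, but honours "A EXCEPT B"
match_clients() {
    case "$1" in
        *" EXCEPT "*)
            match_list "${1%% EXCEPT *}" "$2" && ! match_list "${1#* EXCEPT }" "$2" ;;
        *)  match_list "$1" "$2" ;;
    esac
}

# file_matches FILE DAEMON HOST: print the first matching rule, return 0 if any
file_matches() {
    [ -f "$1" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac   # comments start in column 1
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                         # drop a trailing ": options"
        if match_list "$daemons" "$2" && match_clients "$clients" "$3"; then
            printf '%s\n' "$line"
            return 0
        fi
    done < "$1"
    return 1
}

# tcpd_decision ALLOWFILE DENYFILE DAEMON HOST: print the verdict, return 0/1
tcpd_decision() {
    if rule=$(file_matches "$1" "$3" "$4"); then
        echo "ALLOW $3 from $4  (hosts.allow: $rule)"; return 0
    elif rule=$(file_matches "$2" "$3" "$4"); then
        echo "DENY  $3 from $4  (hosts.deny: $rule)"; return 1
    fi
    echo "ALLOW $3 from $4  (no rule matched: tcpd default)"; return 0
}

# --- constructed sample rule set: one admin PC, anonymous ftp, deny the rest ---
tmp=$(mktemp -d)
cat > "$tmp/hosts.allow" <<'EOF'
# only the admin workstation may reach telnet and ssh
in.telnetd, in.sshd : 192.168.1.10
# ftp from anywhere except the lab network
in.ftpd : ALL EXCEPT 192.168.5.
EOF
cat > "$tmp/hosts.deny" <<'EOF'
ALL : ALL
EOF

tcpd_decision "$tmp/hosts.allow" "$tmp/hosts.deny" in.sshd 192.168.1.10   # ALLOW
tcpd_decision "$tmp/hosts.allow" "$tmp/hosts.deny" in.sshd 10.0.0.7       # DENY
tcpd_decision "$tmp/hosts.allow" "$tmp/hosts.deny" in.ftpd 192.168.5.4    # DENY
tcpd_decision "$tmp/hosts.allow" "$tmp/hosts.deny" in.ftpd 172.16.0.3     # ALLOW
rm -rf "$tmp"
```

The last branch of tcpd_decision is the one worth remembering: with no hosts.deny entry at all, tcpd lets everything through, which is why the "ALL : ALL" deny line is the usual starting point.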
Instead of the file pop_msg.c, which should be patched as mentioned in the
advisory, it seems to be rather pop_uidl.c
---------- Forwarded message ----------
Date: Tue, 23 May 2000 09:43:33 -800
From: Prizm <prizm(a)RESENTMENT.ORG>
Subject: Qpopper 2.53 remote problem, user can gain gid=mail
I have attached to this message the advisory with full details +
exploit on this problem.
Experimenting with a firewall I compiled a monolithic kernel with
masquerading and without loadable module support so as to make it
impossible to subvert the kernel by a malicious module.
But alas, the special masq modules for irc and ftp and so forth are only
made and available as modules :(
This is handy, especially a modified ftp module that snoops passwords
would work for whatever-your-color-of-hat to do his thing.
So this brings security but partially hast the functionality of a
Is there a way to not make them a module but put them into my kernel?
Sell what you use, use what you sell.
Is it possible to use OpenSSL/SSL to generate a certificate
that can be used by Netscape as a digital user ID for encryption?
If yes, how?
Thanks in advance.
Two-a-Day at joesixpack.net www.freenet.de/joesixpack keyid BF3DF9B4
It sounds like you have disabled ICMP at your input or output chain.
Per R Laursen
From: Gerling, Stephan <gerling(a)kub.de>
To: 'suse-security(a)suse.com' <suse-security(a)suse.com>
Date: 25 May 2000 13:20
Subject: [suse-security] IPCHAINS again (because first mail was digital
>I am trying to set up a firewall with IPCHAINS.
>If the IPCHAINS-Script is not started, I can do everything. (I use the
>script on another
>machine and it works very fine and I want to change the machines)
>But now when I start the script, the rules are loaded, but I cannot ping to
>here the error messages
>ping wrote xxx.xxx.xxx.xxx 64 chars, ret=-1
>ping sendto :Operating is not permitted
>IP forwarding is enabled.
>Has anyone an idea? I'm going sick about this.
>Regards, Stephan Gerling
Hello to all.
I have an interesting problem.
I have installed Apache 1.3.12 with mod_ssl 2.6.3, php 3.0.16, mysql and
The configuration works well, but there is a strange phenomenon:
If I try to connect with http://192.168.100.1/mrtg, I do not get any
If I try to connect with https://192.168.100.1/mrtg I get a connect, but I
connect with http://192.168.100.1/mrtg/
So, if I supply the last slash, the browser establishes the connection....
I think this should work with both URLs, because apache is configured with:
listen 80 listen 443
Any idea?
I just wanted to say that you should keep in mind that there are different
implementations for ping/traceroute.
Windows clients are using ICMP packets while Linux is using UDP packets on
port 33434+ (AFAIR).
So just try to ping through your firewall from a Windows client. It should
work if you set up
ipchains to masq ICMP echo-request packets and accept incoming echo-replies.
From: Gerling, Stephan [mailto:email@example.com]
Sent: Thursday, 25 May 2000 12:40
Subject: [suse-security] IPChains
I am trying to set up a firewall with IPCHAINS.
If the IPCHAINS-Script is not started, I can do everything. (I use the same
script on another
machine and it works very fine and I want to change the machines)
But now when I start the script, the rules are loaded, but I cannot ping to
here the error messages
ping wrote xxx.xxx.xxx.xxx 64 chars, ret=-1
ping sendto :Operating is not permitted
IP forwarding is enabled.
Has anyone an idea? I'm going sick about this.
Regards, Stephan Gerling
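An added example, not part of the reply above or of the quoted message, for the rule set the reply sketches: ipchains rules that let ICMP echo cross a masquerading firewall, plus the UDP range a Unix traceroute uses and the ICMP answers it expects back. Assumptions: the internal net is 192.168.100.0/24, the external interface is eth0, and the 2.2-kernel ipchains syntax in which an ICMP type name follows the -s address; DRY_RUN=1 (the default here) prints the commands instead of executing them, so the script can be read and tested without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the list thread): ipchains rules for ping and
# traceroute through a masquerading firewall. Network and interface names are
# assumptions; override them via the environment. DRY_RUN=1 only prints.

LAN=${LAN:-192.168.100.0/24}   # assumed internal network
EXT=${EXT:-eth0}               # assumed external interface
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# icmp_echo_rules: the firewall itself may send echo-requests (output chain),
# replies are accepted (input chain), and LAN hosts' echo-requests are
# masqueraded on the way out (forward chain; -i there is the outgoing interface)
icmp_echo_rules() {
    run ipchains -A output  -i "$EXT" -p icmp -s 0.0.0.0/0 echo-request -j ACCEPT
    run ipchains -A input   -i "$EXT" -p icmp -s 0.0.0.0/0 echo-reply   -j ACCEPT
    run ipchains -A forward -i "$EXT" -p icmp -s "$LAN"    echo-request -j MASQ
}

# traceroute_rules: Unix traceroute sends UDP to ports 33434 and up and
# expects ICMP time-exceeded from each hop and port-unreachable at the end
traceroute_rules() {
    run ipchains -A forward -i "$EXT" -p udp  -s "$LAN" -d 0.0.0.0/0 33434:33523 -j MASQ
    run ipchains -A input   -i "$EXT" -p icmp -s 0.0.0.0/0 time-exceeded           -j ACCEPT
    run ipchains -A input   -i "$EXT" -p icmp -s 0.0.0.0/0 destination-unreachable -j ACCEPT
}

icmp_echo_rules
traceroute_rules
```

The "ping sendto: Operation not permitted" message in the quoted post is what the local ping prints when its own outgoing packet is refused, which is why the output-chain rule is listed first; run the script with DRY_RUN=0 only after the printed rules have been read against the rest of the firewall script, since ipchains appends them to whatever is already loaded.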