I implemented an ssh connection from the outside to my intranet. This ssh requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password) or having the public key of each user that connects to our intranet in the
authorized public key list (in this case there is no need for a username and password)?
In the second case there is no need for authentication, and only the users who have their public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
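Added example (not from the original mail, and not SuSE's or OpenSSH's own code): a small POSIX shell audit that tells a password-login sshd_config from a key-only one; the three config samples are constructed. It also carries the caveat the second option needs: turning PasswordAuthentication off alone is not enough, because keyboard-interactive authentication through PAM can still prompt for the account password.

```shell
#!/bin/sh
# Classify an sshd_config as password-based or key-only (added example).
# Rules follow sshd_config(5): the FIRST uncommented occurrence of a keyword
# wins, keywords are case-insensitive, and everything after a "Match" line is
# conditional, so the global audit stops there.  Absent keywords fall back to
# the OpenSSH default passed as $3.

# Print the effective value of directive $2 in config text $1 (default $3).
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        tolower($1) == "match"                   { exit }
        tolower($1) == tolower(key) && val == "" { val = tolower($2) }
        END { print (val == "" ? def : val) }'
}

# Print "key-only", "password" or "mixed".  Key-only means no password can be
# sent over the wire at all: PasswordAuthentication off AND keyboard-interactive
# off (with UsePAM it still asks for the account password), with pubkey on.
# ChallengeResponseAuthentication is the legacy spelling of KbdInteractive.
login_mode() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    crs=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    kbd=$(sshd_effective "$1" KbdInteractiveAuthentication "$crs")
    pub=$(sshd_effective "$1" PubkeyAuthentication yes)
    if [ "$pub" = no ]; then
        echo password
    elif [ "$pw" = no ] && [ "$kbd" = no ]; then
        echo key-only
    else
        echo mixed
    fi
}

# Constructed sample 1: the setup described in the question (password login).
PASSWORD_CFG='PubkeyAuthentication no
PasswordAuthentication yes
PermitRootLogin yes'
# Constructed sample 2: the alternative (keys in authorized_keys only).
KEY_ONLY_CFG='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password'
# Constructed sample 3: a common half-measure; PAM can still prompt for the
# password through keyboard-interactive, so this is NOT key-only.
HALF_CFG='PasswordAuthentication no'

for cfg in "$PASSWORD_CFG" "$KEY_ONLY_CFG" "$HALF_CFG"; do
    echo "$(login_mode "$cfg") (root: $(sshd_effective "$cfg" PermitRootLogin prohibit-password))"
done
```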
>I have just read a Bell Labs announcement that they are going to release
>libsafe under the GNU licence, and that some major Linux distros are going to
>be using it. SuSE was not amongst them; why is that? I think that libsafe would
>be a good enhancement against buffer overflows.
>The announcement is at:
Just because something new pops up, please be careful with questions like
"when will you implement it?" ;-)
There are several questions to ask:
a) is it STABLE and does it NOT affect the stability of other programs?
b) does it bring additional security problems into the system?
c) is the security protection effective?
Well, of course the SuSE Security Team already reviewed libsafe.
Here are the answers:
a) unsure. It would have to be tested very intensively. This has not been done yet.
b) the code might have vulnerabilities; however, the protection gained is
higher even if a vulnerability were present.
c) okay, now the tough part:
libsafe is a dynamic library which is set in the environment and which checks
several dangerous functions that can be a security problem.
Because it is a dynamic library, it is NO protection against local
attackers, just against remote attackers on network services. (If an
attacker wants to attack a local suid file, he would just reset his library
path environment.) Next thing: it does not check for all known
vulnerabilities. It doesn't even protect against all buffer overflows; it
just protects against *some* overflows, those which happen because of
insecure use of strcat/strcpy etc.
I cannot remember a vulnerability in a network service in the last year
which this tool would have prevented. Therefore: as long as this tool is not
enhanced to also protect open/fopen calls against symlink/hardlink/pipe
attacks, several more buffer overflow types, system/exec* function
protection etc., it is not useful to use this tool.
I would rather propose to use the secumod module which comes with SuSE Linux
since 6.3 and maybe the secure-linux kernel patch from www.openwall.com -
these two tools enhance your security. (And btw, install seccheck,
hardensuse and firewals and use them - then your security is very high.)
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc(a)suse.de Function: Security Support & Auditing
I must be able to telnet from a terminal (not a console) as root without
In Solaris I could do that by editing the /etc/default/login file, but I can't find
it on this
How can I do this?
I need to update a few servers running SuSE 6.3 for AXP. I wanted to
update the old netscape version, but noticed there is no rpm available
under the AXP directory (for any version). Is there an RPM available for
Alpha, or do I need to update all servers manually?
University of Groningen
E-mail (business): s.m.suurmeijer(a)let.rug.nl
E-mail (private): stefan(a)symbolica.nl
Please, I realise this is off topic, so please address your answers to me
off list. Is there SuSE Linux for the sparc platform? I have a sparc box and
SuSE is really my preferred distro, so if it supports it I will be very
happy to get it. Otherwise I have to use RedHat.
This does NOT work. You have to uncomment the output lines in the popper
code and recompile it.
i.A. Dipl.-Inf. Boris Klug, boris.klug(a)ibs-ag.de, http://www.ibs-ag.de/
> -----Original Message-----
> From: Roman Drahtmueller [mailto:firstname.lastname@example.org]
> Sent: Monday, 21 August 2000 14:30
> To: Jürgen Bloß
> Cc: suse-security(a)suse.com
> Subject: Re: [suse-security] Popper verbosity
> > Hi.
> > How can I stop the popper from logging every user access, even when the
> > user only checked to see if there were any new mails? This seems
> > hardly the kind of information that needs to be logged every time...
> > Bye,
> > Jürgen
> According to the manpage, just remove the "-s" from the line in
> /etc/inetd.conf and restart/hangup inetd.
I have recently installed the 6.4 version and I want to secure my
machine. Is there any way of *auto*-updating *all* (installed) RPMs
via the SuSE web? Which URL should I use to get the most recent updates
for my distro? I think this is a FAQ, I have RTFM... but I want no
silly mistakes, so I prefer asking here and getting always-updated info.
** RoMaN SoFt / LLFB **
I'm looking for a _good_ book on Linux system security (something like
one of these "hacker guides"). If you could recommend a book, your answer
would be greatly appreciated.
No feedback from feedback(a)suse.de... so here goes.
Will SuSE be shipping the full sec series, as bundled in the German/UK
versions, with the US version? Aside from the fact that AFAIK it was never
illegal to import crypto, patent considerations aside (and September is
nigh...), into the US, and that therefore SuSE should have been able to
bundle the same sec series all along, the US has recently relaxed crypto
regulations. Meanwhile we here in Canada have never had them, nor do US
laws apply to crypto exported to Canada, but still we had to get the
crippled US distribution (yes, to answer a previous question, there is a US
distribution), thus defeating the purpose of getting the software on
relatively secure, easily rebooted pristine media, and forcing us to spend
unnecessary time searching and downloading stuff.
After I grumbled, SuSE GmbH kindly shipped me a free UK version on a
one-time-only basis, but they won't do that again, for me or anyone, I am sure.
So, will SuSE 7.0 US edition ship with security or not? If not, please say
so on the package and the website.
And BTW, FreeBSD 4.0 shipped with all the crypto packages bundled. There
is some lame question about whether you live in the US/Canada or not, but
otherwise they are all there and as far as I can tell there is nothing to
stop you from lying, and no one at FreeBSD seems to have gotten in trouble.
I would like to migrate the user database (50 users)
from my SuSE 6.4 server to SuSE 7.0.
I'm using the default SuSE password mechanism.
Does anybody know any hints, tips, links or tools
on how to do this?