August 2000 - openSUSE Security - openSUSE Mailing Lists

SSH Authentication
by Joao Reis 18 Nov '02

18 Nov '02

Hi! I implemented a ssh conection from the outside to my intranet. This ssh requires a username and a password. In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the authorized public key lists (in this case there is no need for username and password)? In the second case there is no need of authentication and only the users wich have the public keys in the list are allowed to enter in my intranet. This second solution is a good solution or that brings other security problems ? Thanks. -- Farewell. "Keep your friends close, but your enemies closer." "Do or do not. There is no try" - Yoda João Reis -------------------------------------------------------

2 1

Re: is SuSE going to implement libsafe?
by marc＠suse.de 18 Feb '01

18 Feb '01

Hi, >I have just read an Bell Labs anouncement, that they are going to release >libsafe under GNU licence, and that some major Linux distros are going to >be using it. SuSE was not amongst them, why is that? I think that libsafe would >be a good echnacement against buffer overflow. > >Anouncement is on: >http://www.bell-labs.com/news/2000/april/20/1.html just because something new pops up please be careful with questions like "when will you implement it?" ;-) There are several questions to ask: a) is it STABLE and does it NOT affect the stability of other programs? b) does it bring additional security problems into the system? c) is the security protection effective? Well, of course the SuSE Security Team already reviewed libsafe. Here are the answers: a) unsure. it would have to be tested very intensive. this was not done yet. b) the code might have vulnerabilities, however the protection gained is higher even if a vulnerability would be present c) okay, now the tough part: libsafe is a dynamic library which is set in the environment which checks several dangerous functions, which can be a security problem. Because it is a dynamic library, it is NO protection against local attackers, just against remote attackers on network services. (if an attacker wants to attack a local suid file, he would just reset his library path environment). Next thing: it does not check for all known vulnerabilites. It even doesn't protect against all buffer overflows, It just protects against *some* overflows. those which happen because of insecure use of strcat/strcpy etc. summary: I can not remember a vulnerability in a network service for the last year which this tool would have prevented. Therefore: as long as this tool is not enhanced to also protect open/fopen calls against symlink/hardlink/pipe attacks, several more buffer overflow types, system/exec* function protection etc. it is not useful to use this tool. I would rather propose to use the secumod module which comes with SuSE Linux since 6.3 and maybe the secure-linux kernel patch from www.openwall.com - these two tools enhance your security. (and btw, install seccheck, hardensuse and firewals and use them - then your security is very high) Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc(a)suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C

5 4

telnet as a root on a suse 6.3 suse server
by Francesco Masiello 02 Jan '01

02 Jan '01

I must be able to telnet from a terminal (not a console) as a root without using su. In solaris i could do that editing /etc/default/login file,but i can't find it on this Operating System. How can i do ? Thanks

8 7

Netscape update RPM and axp
by Stefan Suurmeijer 13 Sep '00

13 Sep '00

Hi SuSE I need to update a few servers running SuSE 6.3 for AXP. I wanted to update the old netscape version, but noticed there is no rpm available under the AXP directory (for any version). Is there an RPM available for Alpha, or do I need to update all servers manually? Stefan ========================================== Stefan Suurmeijer Network Specialist University of Groningen tel: (+31) 50 363 3423 fax: (+31) 50 363 7272 E-mail (business): s.m.suurmeijer(a)let.rug.nl E-mail (private): stefan(a)symbolica.nl ========================================== Quis custodiet ipsos custodes? (Who'll watch the watchmen?) - Unknown

2 3

sparc
by semat＠wawa.eahd.or.ug 05 Sep '00

05 Sep '00

Hello everyone, Please I realise this is off topic so please address your answers to me off list. Is there suse linux for sparc platform? I have a sparc box and suse is really my preferred distro so if it supports it I will be very happy to get it. Otherwise I have to use redhat.

4 7

AW: [suse-security] Popper verbosity
by Klug, Boris 04 Sep '00

04 Sep '00

Hi! this does NOT work. You have to uncomment the output lines in the popper code and recompile it. -- i.A. Dipl.-Inf. Boris Klug, boris.klug(a)ibs-ag.de, http://www.ibs-ag.de/ IBS AG engineering consulting software, The Quality Company Rathausstraße 56, 56203 Höhr-Grenzhausen, Fon: 02624/9180-0, Fax: -200 > -----Ursprüngliche Nachricht----- > Von: Roman Drahtmueller [mailto:draht@suse.de] > Gesendet: Montag, 21. August 2000 14:30 > An: Jürgen Bloß > Cc: suse-security(a)suse.com > Betreff: Re: [suse-security] Popper verbosity > > > > Hi. > > > > How can I stop the popper from logging every user access, > even when the > > user did only check to see if there were any new mails. This seems > > hardly the kind of information that needs to be logged every time... > > > > Bye, > > > > Jürgen > > According to the manpage, just remove the "-s" from the line in > /etc/inetd.conf and restart/hangup inetd. > > Roman. > -- > - > - > | Roman Drahtmüller <draht(a)suse.de> // > "Caution: Cape does | > SuSE GmbH - Security Phone: // not enable > user to fly." > | Nürnberg, Germany +49-911-740530 // (Batman Costume > warning label) | > - > - > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > For additional commands, e-mail: suse-security-help(a)suse.com >

4 5

Total system update
by RoMaN SoFt / LLFB !! 04 Sep '00

04 Sep '00

Hi SuSE: I have recently installed 6.4 version and I want to secure my machine. Is there any way for *auto*-updating *all* (installed) RPM's via SuSE web? Which URL should I use to get the more recent Updates for my distro? I think this is a FAQ, I have RTFM... but I want no silly mistakes, so I prefer asking here and get always updated info :-) Thanks folks! =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman(a)madrid.com http://bart.us.es/~roman ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

5 5

Book wanted: Linux security
by Roman Blöth 04 Sep '00

04 Sep '00

Dear reader, I'm looking for a _good_ book on linux system security (something like one of these "hacker guides"). If you could recommend a book your answer would greatly be appreciated. Best regards, Roman Blöth. -- gosub communications GbR | Fredersdorferstr. 10 | 10243 Berlin | Germany phone: [+49] (-30) 29 66 88 81 | fax: [+49] (-30) 29 66 88 84 | http://www.gosub.de

4 3

SuSE distro bundled crypto
by Corvin Russell 31 Aug '00

31 Aug '00

No feedback from feedback(a)suse.de... so here goes. Will SuSE be shipping the full sec series, as bundled in the German/UK versions, with the US version? Aside from the fact that AFAIK it was never illegal to import crypto, patent considerations aside (and September is nigh...), into the US, and that therefore SuSE should have been able to bundle the same sec series all along, the US has recently relaxed crypto regulations. Meanwhile we here in Canada have never had them, nor do US laws apply to crypto exported to Canada, but still we had to get the crippled US distribution (yes, to answer a previous question, there is a US distribution), thus defeating the purpose of getting the software on relatively secure, easily rebooted pristine media, and forcing us to spend unnecessary time searching and downloading stuff. After I grumbled, SuSE GMBH kindly shipped me a free UK version on a one-time only basis, but they won't do that again, for me or anyone, I am sure. So, will SuSE 7.0 US edition ship with security or not? If not, please say so on the package and the website. And BTW, FreeBSD 4.0 shipped with all the crypto packages bundled. There is some lame question about whether you live in the US/Canada or not, but otherwise they are all there and as far as I can tell there is nothing to stop you from lying, and no one at FreeBSD seems to have gotten in trouble. Best, Corvin

1 0

migrating user database from SuSE 6.4 to 7.0
by jan meyer 31 Aug '00

31 Aug '00

Hi, I would like to migrate the user database (50 users) from my SuSE 6.4 Server to SuSE 7.0. I'm using the default SuSE password mechanism. Does anybody know some hints, tips, links or tools on how to do this ? Thanks jan.meyer

3 2