I implemented an SSH connection from the outside to my intranet. This SSH requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the authorized public key list (in this case there is no need for a username and password)?
In the second case there is no need for authentication, and only the users which have the public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
>I have just read a Bell Labs announcement that they are going to release
>libsafe under GNU licence, and that some major Linux distros are going to
>be using it. SuSE was not amongst them, why is that? I think that libsafe would
>be a good enhancement against buffer overflow.
>Announcement is on:
just because something new pops up please be careful with questions like
"when will you implement it?" ;-)
There are several questions to ask:
a) is it STABLE and does it NOT affect the stability of other programs?
b) does it bring additional security problems into the system?
c) is the security protection effective?
Well, of course the SuSE Security Team already reviewed libsafe.
Here are the answers:
a) unsure. it would have to be tested very intensively. this was not done yet.
b) the code might have vulnerabilities, however the protection gained is
higher even if a vulnerability would be present
c) okay, now the tough part:
libsafe is a dynamic library which is set in the environment which checks
several dangerous functions, which can be a security problem.
Because it is a dynamic library, it is NO protection against local
attackers, just against remote attackers on network services. (if an
attacker wants to attack a local suid file, he would just reset his library
path environment). Next thing: it does not check for all known
vulnerabilities. It doesn't even protect against all buffer overflows, it
just protects against *some* overflows: those which happen because of
insecure use of strcat/strcpy etc.
I can not remember a vulnerability in a network service for the last year
which this tool would have prevented. Therefore: as long as this tool is not
enhanced to also protect open/fopen calls against symlink/hardlink/pipe
attacks, several more buffer overflow types, system/exec* function
protection etc. it is not useful to use this tool.
I would rather propose to use the secumod module which comes with SuSE Linux
since 6.3 and maybe the secure-linux kernel patch from www.openwall.com -
these two tools enhance your security. (and btw, install seccheck,
hardensuse and firewalls and use them - then your security is very high)
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc(a)suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
I must be able to telnet from a terminal (not a console) as a root without
In Solaris I could do that by editing the /etc/default/login file, but I can't find
it on this
How can I do this?
recently at the place where i work a colleague came up with an idea to use nfs
over vpn to sync our webservers. i have not done much work with either, and i
have two questions about it. first, is this a practical solution? and second,
i'm a bit stumped about resources on the subject (i do have nfs documentation,
but not much of vpn resources, and nothing on how to combine the two).
sorry if this question might seem trivial/stupid, any help/opinion is
greatly appreciated : )
just stepped on this option to type "linux init=/bin/sh" at
the boot prompt, which gives me a root shell. For me, that's
really a security problem: We have some computers here which
we cannot protect with boot-passwords because they have to
come up automatically after a power drop.
Can I somehow disable this possibility of passing an alternative
init-parameter for my SuSE 6.4?
Dipl.-Inform. Frank Steiner mailto:email@example.com
Lehrstuhl f. Programmiersprachen mailto:firstname.lastname@example.org
CAU Kiel, Olshausenstraße 40 Phone: +49 431 880-7265, Fax: -7613
D-24098 Kiel, Germany http://www.informatik.uni-kiel.de/~fst/
at the moment I have the following Setup:
Firewall(SuSE 6.2) -- Webserver(SuSE 6.3) -- Proxy (SuSE 6.3)
The firewall serves as a packet filter. The Web-/Mailserver and the Proxy
are each connected via a public IP. The clients from the internal network
are all masqueraded with the proxy IP, even if one of the clients does not use
Is it possible to have all public IPs connected to the firewall's ethernet
device, from which they are routed to the webserver and proxy (and the clients
on the internal network as well)? My approach is to have only the firewall
directly connected to the internet and to give even the web-/mailserver and
the proxy only internal IP addresses. I think this would be more secure?!
Sorry for my bad English and my (not) understanding of firewalls and
Thanks in advance
Is the SuSE FTP-Proxy used mainly for inbound connections, as it warns you
that if you do not specify a destination FTP-Server the FTP-Proxy service will
# Where to redirect incoming FTP traffic. This destination
# will be used if a client has not set its own target.
# WARNING: ftp-proxy will refuse to run if this directive
# is not set.
# DestinationAddress server.domain.tld
Are you able to set the "DestinationAddress" to an FTP server sitting on a
private network address? For example your DMZ was a private network i.e.
Is it possible to set up the FTP-Proxy for outbound connections only, or is
IP-Masquerade safe enough for outbound ftp connections?
Thanks in advance
Hi, I have a lot of mail servers trying to connect to my identd port (113)
when sending mail to me.
The problem comes about because the firewall silently drops the SYN packet.
The e-mail server is expecting an immediate SYN-ACK (identd supported) or
RST (identd not supported), but when the firewall drops the packet it keeps
trying until the connection times out.
How do you reconfigure the firewall to RST all those connections the
incoming smtp requests on the identd port (113)?
Thanks in advance
I downloaded kernel 2.2.16 from ftp.suse.com to upgrade the 2.2.14 that
came with my 6.4 however when I try to upgrade using rpm -Uvh I get a host
of errors about conflicts with existing files like /boot/vmlinuz config.h
and so on.
Even if I use the option --force it does not work.
For the source I had to use
rpm -Uvh --nodeps --force lx_suse.rpm in order for it to be installed at
all. When I try this with the k_eide.rpm I get a message about a bad file
descriptor. Can anyone help me with this?