I implemented an SSH connection from the outside to my intranet. This SSH requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password) or having the public key of each user that connects to our intranet in the
authorized public key list (in this case there is no need for a username and password)?
In the second case there is no need for authentication and only the users which have the public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
Ok, Microsoft Frontpages has several security flaws, but that does not
automatically mean that every request for _vti_<whatever> is done by a
hacker or a script-kiddy.
Have a look at the browser the client is using, if it's "MSFrontPage/X.Y"
then please don't worry. But do worry if it's the only request for a link
containing _vti* or if there is only one client (if it's not a proxy)
requesting this url.
Watch your system, but don't worry too much.
From: Soeren Todt [mailto:email@example.com]
Sent: Thursday, 31 May 2001 15:30
To: suse-security(a)suse.com; Thorsten Marquardt
Subject: Re: [suse-security] Strange apache log entry
----- Original Message -----
From: "Thorsten Marquardt" <thom(a)kaupp.chemie.uni-oldenburg.de>
Sent: Thursday, May 31, 2001 1:45 PM
Subject: [suse-security] Strange apache log entry
> my logfiles reports 404 requests to /_vti_bin/shtml.exe/_vti_rpc and
> Is this a kind of hacker attack?
Maybe you find it out by yourself using a search engine:
then you get results like this:
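Added example (not part of any message in this thread): one reading of the reply's advice, applied to an Apache combined-format access log. It groups _vti_ requests per client, treats a User-Agent starting with MSFrontPage/ as the benign case, and marks for review any client whose only requests are _vti_ probes from another agent; the verdict names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample log lines (documentation-range addresses, not real data).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [31/May/2001:13:40:01 +0200] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
192.0.2.10 - - [31/May/2001:13:40:05 +0200] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 287 "-" "MSFrontPage/4.0"
198.51.100.7 - - [31/May/2001:13:41:12 +0200] "GET /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 287 "-" "-"
198.51.100.7 - - [31/May/2001:13:41:13 +0200] "GET /_vti_inf.html HTTP/1.0" 404 280 "-" "-"
203.0.113.5 - - [31/May/2001:13:42:00 +0200] "GET /docs/ HTTP/1.0" 200 512 "-" "Mozilla/4.76 [en] (X11; U; Linux 2.4.0 i686)"
EOF
}

# triage_vti: combined log on stdin, one line per client that asked for _vti_:
#   "<verdict> <client> <vti requests>/<all requests>"
triage_vti() {
  awk -F'"' '
    {
      split($1, a, " "); ip = a[1]          # client address is the first field
      total[ip]++
      if ($2 ~ /\/_vti_/) {                 # $2 is the request line
        vti[ip]++
        if ($6 !~ /^MSFrontPage\//) other[ip]++   # $6 is the User-Agent
      }
    }
    END {
      for (ip in vti) {
        if (other[ip] == 0)            v = "frontpage-client"  # FrontPage agent only
        else if (vti[ip] == total[ip]) v = "review"            # nothing but _vti_ probes
        else                           v = "mixed"             # probes among other traffic
        printf "%s %s %d/%d\n", v, ip, vti[ip], total[ip]
      }
    }' | sort
}

sample_log | triage_vti
```

The User-Agent header is supplied by the client, so the frontpage-client verdict lowers priority rather than proving anything; the field split assumes no escaped quotes inside the request line.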
SuSEfirewall 4.3-3 on SuSE 7.1
Zebra 0.91a opens ports for virtual terminals.
`netstat -anp` shows these ports as (is it IPv6 notation?):
tcp 0 0 :::2604 :::* LISTEN
tcp 0 0 :::2601 :::* LISTEN
I guess SuSEfirewall doesn't discover these ports as listening and doesn't
close it, although
Also `SuSEfirewall -check` doesn't show these ports as unprotected.
We're using squid 2.2.stable5 as proxy on a SuSE 7.0 box and I would like ALL users to go through the proxy... I know we have some users that play with internet and disable their proxy parameters.... how can I ban "direct internet access" so only proxy
connections pass through (whatever is configured on users' win stations)?
While trying to use cipe with 7.1 I ran into the following troubles:
The kernel module in the rpm of cipe is built for kernel version 2.4.0
but the 2.4-kernel on the distro is 2.4.0-4GB, so the module cannot be loaded.
Next I tried to build cipe from the corresponding spm and hoped the module
would be built for 2.4.0-4GB but it was copied to 2.4.0/misc and
insmod/modprobe still says: You are using kernel 2.4.0-4GB, this module is
for kernel 2.4.0, which is completely different :-(
Is it possible just to rename the kernel (and if yes, how to do this exactly)
or am I missing something while building cipe from the sources? (I used the
command rpm -bi cipe.spec)
Trying to use freeS/WAN I ran into similar problems (module is for 2.2.18, I
used kernel-update 2.2.19). Mostly I want to use cipe with Kernel 2.2.19.
BTW. In the last week I posted 2 or 3 other questions about VPN but didn't
get many answers. Are my questions too trivial or does nobody on this list
use VPNs with Linux?
Hoping for some hints
SRC GmbH, SysAd
my logfiles reports 404 requests to /_vti_bin/shtml.exe/_vti_rpc and similar.
Is this a kind of hacker attack?
bye bye (c) by Thom | Thorsten Marquardt
| EMail: THOM(a)kaupp.chemie.uni-oldenburg.de
| Member of the pzt project.
> Subject: [suse-security] Strange apache log entry
> my logfiles reports 404 requests to /_vti_bin/shtml.exe/_vti_rpc and
> Is this a kind of hacker attack?
NO, THIS IS NOT A KIND OF HACKER ATTACK.
Just somebody requesting a file that does not exist on your server.
Such files are ms frontpage files that exist in ms frontpage webs on
Dr. Bernhard Mueller
University of Berne
On Tuesday 29 May 2001 15:17, Pupeno wrote:
> Yes, I'll use an iptables simple script or not so simple, it doesn't
> matter, where should I place it and where should I call you (I'm an RH and
> Mdk experienced user and suse it's a bit different, and partially lost, that's
> why I'm asking this).
There is a file /etc/rc.d/skeleton which can be used as a template for your firewall script.
You can copy it to /etc/rc.d/firewall and edit it to let it call your actual firewall script.
In the easiest form you just need the "start" command to work to start your firewall when
the system goes up and then leave it on forever. Then you can put "SXXfirewall" symlinks
into the various runlevels (depends on your SuSE Version, normally 2 + 3 or 3 + 5) which
point to your file. I would suggest to place several links, depending on your firewall script:
The first one before the network goes up to have protection from the start. (This will eventually
produce errors if you refer to certain interfaces in your script but it will set the policies at least)
The last call to your firewall script should be made when all interfaces are up.
If you have some interfaces that come up later (ppp,ippp) or if some IP addresses change later
(dynamic address while dialing in) you have to call your firewall script again. (e.g. from within
/etc/ppp/ip-up). But that depends on your actual script, if it deals with those interfaces at all.
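Added example (not from the thread): a firewall script written so that it can be called the way the reply above describes, once before the network is up, again when all interfaces are up, and again from /etc/ppp/ip-up. The interface name ppp0, the SSH rule, the IPT dry-run variable and the /sys/class/net check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Safe to call more than once:
# early in boot, again when all interfaces are up, and from /etc/ppp/ip-up.
IPT="${IPT:-iptables}"      # IPT=echo gives a dry run that prints the rules
EXT_IF="${EXT_IF:-ppp0}"    # assumed name of the dial-up interface

# Assumption: a kernel that exposes interfaces under /sys/class/net.
iface_exists() { [ -d "/sys/class/net/$1" ]; }

fw_start() {
  # 1. Policies first: they name no interface, so they apply even
  #    when this runs before the network is configured.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  # 2. Flush, so a repeated call rebuilds the rules instead of duplicating them.
  $IPT -F INPUT
  $IPT -F FORWARD
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 3. Interface-specific rules only once the interface is there.
  if iface_exists "$EXT_IF"; then
    # Example policy (assumption): allow inbound SSH on the external link.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT
  else
    echo "firewall: $EXT_IF not present, default-deny policies only" >&2
  fi
}

fw_stop() {
  $IPT -F INPUT
  $IPT -F FORWARD
  $IPT -P INPUT ACCEPT
  $IPT -P FORWARD ACCEPT
}

case "${1:-}" in
  start|restart|reload) fw_start ;;
  stop)                 fw_stop ;;
esac
```

Because the default-deny policies are set before anything else, a call made before the external interface exists still leaves the host closed, and the later call only adds the rules for that interface.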
Anyone else have problems upgrading to man-2.3.10d69s-194.i386.rpm
on my 6.4 system:
# rpm -Uvh man-2.3.10d69s-191.i386.rpm
man ############unpacking of archive failed on file
/usr/bin/man: cpio: chown failed - Bad file descriptor
--and now i have no /usr/bin/man, how can i get it back? downgrade?
on my 7.0 system:
# rpm -Uvh man-2.3.10d69s-194.i386.rpm
man ############warning: can't chown /usr/bin/man
(Operation not permitted)
###############################warning: can't chown /var/cache/man
(Operation not permitted)
warning: can't chown /var/cache/man/X11R6 (Operation not permitted)
warning: can't chown /var/cache/man/X11R6/cat1 (Operation not permitted)
warning: can't chown /var/cache/man/X11R6/cat2 (Operation not permitted)
warning: can't chown /var/cache/man/X11R6/cat3 (Operation not permitted)
warning: can't chown /var/cache/man/X11R6/cat4 (Operation not permitted)
warning: can't chown /var/cache/man/X11R6/cat5 (Operation not permitted)
warning: can't chown /var/cache/man/X11R6/cat6 (Operation not permitted)
etc for every file in /var/cache/man
From: Roman Drahtmueller [mailto:firstname.lastname@example.org]
Sent: Tuesday, May 29, 2001 11:53 AM
Subject: SuSE Security Announcement: man (SuSE-SA:2001:019)
SuSE Security Announcement
Date: Tuesday, May 29th 2001 20:30 MEST
Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0, 7.1
Vulnerability Type: local privilege escalation
Severity (1-10): 4
SuSE default package: yes
Other affected systems: most linux systems shipping the mandb
Content of this advisory:
1) security vulnerability resolved: man
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade information
Two vulnerabilities have been found in the man package that is installed
by default in all SuSE Linux distributions. The first error is a format
string bug in the error handling routine of the man command that can
allow a local attacker to gain the privileges of the user "man" on SuSE
Linux systems (the man command in /usr/bin is installed setuid man).
After getting write access to the /usr/bin/man binary, an attacker can
place a cuckoo's egg into the executable, waiting for root to view
The second problem is a segmentation fault that can be caused by the
options "-S ::: foo" to the man command. On other Linux distributions,
this problem has been found exploitable. On SuSE and Debian systems, the
code responsible for the bug is different from the one found in other
distributions and is not exploitable. We consider the existence of this
bug a beauty flaw that will be fixed in future releases of the SuSE
distribution, but the fix was not included in the man packages that can
be found on our ftp server.
Since the error() format string bug was discovered earlier than we
announced that the SuSE Linux distributions 6.0, 6.1 and 6.2 will be
discontinued, we also provide fixed packages for the said distributions
for the i386 Intel architecture. We strongly encourage our usership to
upgrade their systems to a newer distribution.
Both bugs are fixed in the upcoming release of SuSE Linux 7.2.
A temporary workaround (as discussed in earlier SuSE security
announcements) is to remove the setuid-bit of the /usr/bin/man file.
This will cause errors to be printed when viewing a manpage, because
the formatted manpages can't be saved to the /var/cache/man directories
any longer. The side effects of this workaround are of mostly cosmetic
nature on fast hardware.
If you changed the file modes of the man command binary using the
chmod 755 /usr/bin/man
, then please also change the occurrences of the same path in the files
/etc/permissions*, provided you have set the variable CHECK_PERMISSIONS
to "set" in /etc/rc.config.
Download the update package from locations described below and check the
authenticity of the rpm package file using a method as described in
section 3) of this security announcement.
Use the command `rpm -Uhv file.rpm' to apply the update.
In some rare cases, the older man package contains files that conflict
with the new version. This should not be considered a problem in this
particular case of the man package; use the options "--nodeps --force"
i386 Intel Platform:
AXP Alpha Platform:
PPC Power PC Platform:
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
Netscape before Version 4.77 contains a bug that allows a remote
contained in a viewed page. This code can be executed.
Update packages for the SuSE Linux distributions 6.3, 6.4, 7.0 and 7.1
can be found on our ftp server at
The packages are gpg-signed. See the section above about downloading
and verifying rpm packages.
The complexity of the netscape browser suggests by nature that more
security related problems will be found, we will not issue a dedicated
security announcement for the netscape package any more. Security-
inclined users may please see the future security announcements in
section 2) for information about security related problems with the
The gpg update package that can be found on our ftp server upgrades your
installation of gpg to the version 1.0.5. We have experienced stability
problems when the Turkish locale was used.
We recommend our users to wait for the official SuSE Security
Announcement about gpg/gnupg before performing the upgrade since we
expect more changes to the package.
Most of the supported distributions have pine update packages in the
update area of the ftp server that update the pine package to version
4.33. Many vulnerabilities have been found in versions before 4.33,
and it is recommended to perform the upgrade.
Please note that not all packages have been built yet. See the update
directory for your distribution (like i386/update/7.0/n1) for pine-4.33
dex(a)raza-mexicana.org has found an exploitable buffer overflow bug in
the dsh program from the dqs package on SuSE Linux distributions.
To workaround the problem, do "chmod -s /usr/bin/dsh" and change the
files /etc/permissions* to reflect the change. If you do not need the
dqs package, then deinstall it (rpm -e dqs). We are working on update
packages that fix the problem.
Insecure temporary file handling is the cause for a new samba version
2.0.9 that can be found as rpm packages in the n1/ directory of your
distribution. It is recommended to install the update package if your
users have local shell access to your samba server (this bug is not
We are currently investigating some oddity in the behaviour of the
samba package and will send a security announcement as soon as we
have clarified the problems. The problems were present in earlier
releases/versions of the samba package as well. By consequence, the
installation of the update package is of low risk for the functionality
of your system.
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security(a)suse.de),
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
a) gpg is installed
b) The package is signed using a certain key. The public part of the
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build(a)suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SuSE runs two security mailing lists to which any interested party may
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
- SuSE's announce-only mailing list.
Only SuSE's security announcements are sent to this list.
To subscribe, send an email to
For general information or the frequently asked questions (faq)
send mail to:
SuSE's security contact is <security(a)suse.com>.
The <security(a)suse.com> public key is listed below.
Roman Drahtmueller <draht(a)suse.de>.
| Roman Drahtmüller <draht(a)suse.de> // "The best way to pay for a |
SuSE GmbH - Security Phone: // lovely moment is to enjoy it."
| Nürnberg, Germany +49-911-740530 // - Richard Bach |
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security(a)suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build(a)suse.de>
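Added example, not part of the advisory: a check for the caveat in section 1 that a chmod of /usr/bin/man must also be reflected in /etc/permissions*, otherwise the old mode can be restored. It reports every permissions file that still lists a different mode for the path; the entry layout "<path> <owner>.<group> <mode>" and the function name perm_conflicts are assumptions, and stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example. Assumed entry layout in each permissions file:
#   <path> <owner>.<group> <octal mode>
# Usage: perm_conflicts /usr/bin/man /etc/permissions*

# perm_conflicts PATH FILE...
#   prints one line per FILE whose entry for PATH differs from the mode on disk
#   returns 0 if no file disagrees, 1 if at least one does, 2 if PATH is unreadable
perm_conflicts() {
  target=$1; shift
  actual=$(stat -c '%a' "$target") || return 2     # e.g. 755 or 4755
  status=0
  for f in "$@"; do
    [ -r "$f" ] || continue
    # the last entry for the path is taken as the effective one
    listed=$(awk -v p="$target" '$1 == p { print $3 }' "$f" | tail -n 1)
    [ -n "$listed" ] || continue
    # compare as octal numbers so that 0755 and 755 count as equal
    if [ $((0$listed)) -ne $((0$actual)) ]; then
      echo "$f: lists $listed for $target, on disk $actual"
      status=1
    fi
  done
  return $status
}
```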