openSUSE Security July 2001

security@lists.opensuse.org

141 participants
150 discussions

SSH Authentication
by Joao Reis 18 Nov '02

18 Nov '02

Hi! I implemented a ssh conection from the outside to my intranet. This ssh requires a username and a password. In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the authorized public key lists (in this case there is no need for username and password)? In the second case there is no need of authentication and only the users wich have the public keys in the list are allowed to enter in my intranet. This second solution is a good solution or that brings other security problems ? Thanks. -- Farewell. "Keep your friends close, but your enemies closer." "Do or do not. There is no try" - Yoda João Reis -------------------------------------------------------

2 1

automatic backups over ssh/scp
by Lukas Feiler 19 Sep '01

19 Sep '01

I want to do the following: backup all my sensitive date from my main server, pack it into one file and then get it transfered to my backup server. That's fine but my problem is that those two machines aren't in the same local network. So if I do not encrypt my data it would be (more or less) visible to everybody on the net (who has some hacking knowledge). But as I said this data is sensible (passwords, creditcards, ...)! So I thought of ssh or scp BUT how to automate this process of backing up? I would have to specify user AND password in my backup-script. How do specify a password for ssh / scp in a script?? Plese Help! Luke

14 30

Administrativa: auto-replies
by Roman Drahtmueller 09 Aug '01

09 Aug '01

> To: draht(a)suse.de > Date: 31 Jul 01 11:35:18 GMT > Subject: RE: Re: [suse-security] ip_conntrack_ftp > > I will be on vacation until August 16, 2001. > Just a brief note: I'm unsubscribing people who set up autoreplies that send mails even if the owner of the mail account is not listed in the To: or Cc: lines. If it doesn't get too much, I'll send some brief note to the subscriber that he's been nuked. For explanation: If you send a mail to suse-security(a)suse.de, the mail is being received by a few thousand subscribers of the list. None of these show up in the header: The recipient address is listed in the envelope of the mail and is not visible while the mail is being transferred in SMTP layer. So if you set up an autoreply that you are on vacation and drinking Caipirinha on the beach, make sure that you only reply if your email address appears in the To: or Cc: lines. Thanks, Roman. -- - - | Roman Drahtmüller <draht(a)suse.de> "Caution: Cape does not | SuSE GmbH - Security enable user to fly." | Nürnberg, Germany (Batman Costume warning label) | - -

4 3

RE: [suse-security] automatic backups over ssh/scp
by James Wilkus 01 Aug '01

01 Aug '01

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Use public key authentication as opposed to hard coding the username and password. HTH - -----Original Message----- From: Lukas Feiler [mailto:lukas.feiler@endlos.at] Sent: Tuesday, July 31, 2001 8:35 AM To: suse-security(a)suse.com Subject: [suse-security] automatic backups over ssh/scp I want to do the following: backup all my sensitive date from my main server, pack it into one file and then get it transfered to my backup server. That's fine but my problem is that those two machines aren't in the same local network. So if I do not encrypt my data it would be (more or less) visible to everybody on the net (who has some hacking knowledge). But as I said this data is sensible (passwords, creditcards, ...)! So I thought of ssh or scp BUT how to automate this process of backing up? I would have to specify user AND password in my backup-script. How do specify a password for ssh / scp in a script?? Plese Help! Luke - -- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBO2ank/fthvTDkNu3EQKWWgCggExK9y2TjSrQkN1d0RKN3NoTVucAnRAb BzjzlOPPbqo/JdMqZixzVCTI =waJ0 -----END PGP SIGNATURE-----

4 4

AW: [suse-security] DNS: BIND vs djbdns
by Schoenwaelder Oliver 31 Jul '01

31 Jul '01

Hi, I had some reliability problems, too. I installed bind8-8.2.3-REL at our SuSE 7.0 from the original sources and bind crashed at least once a day. I never got a reason for this. But after installing the SuSE update rpm for 8.2.3 it never crashed again. I don't know what the differences are and I don't care... So I you are running a SuSE system try to install their package. Hth, Oliver -----Ursprüngliche Nachricht----- Von: Oyku Gencay [mailto:oykug@sbt.com.tr] Gesendet: Dienstag, 31. Juli 2001 19:48 An: Schelstraete Bart Cc: SuSE Security Betreff: Re: [suse-security] DNS: BIND vs djbdns Sorry for the error :) I intended to write "crashes" not "crashed". Both BIND8 and 9 frequently (at least once in two days) crashes. BIND 4 was unsecure, but not so unstable. ----- Original Message ----- From: Schelstraete Bart <bschelst(a)bru-hub.dhl.com> To: Oyku Gencay <oykug(a)sbt.com.tr> Cc: SuSE Security <suse-security(a)suse.de> Sent: Tuesday, July 31, 2001 12:41 AM Subject: Re: [suse-security] DNS: BIND vs djbdns > Oyku Gencay wrote: > > >Hi, > > > >I'm wondering, does anyone of you are using djbdns > >(http://cr.yp.to/djbdns.html) instead of BIND? What are your thoughts. Apart > >from being vulnerable, BIND frequently crashed. > > > BIND crashed? That's strange.........I never had any problems with > running BIND. > I think BIND is the most complete - stablest - nameserver. > > (If you don't mind the security issues ) > > Bart > > > > > -- > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > For additional commands, e-mail: suse-security-help(a)suse.com -- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com

3 2

Re: [suse-security] kernel 2.4: ipchains and ip_masq_ftp
by Sergi Puso Gallart 31 Jul '01

31 Jul '01

maf king wrote: > One thing to bear in mind with this approach : AFAIK the stock SuSE 7.2 > 2.4.4 kernel hasn't been patched to close the serious security hole in > ip_conntrack_ftp, so if security is of any importance at all, and you have > to allow FTP, 2.2.19 is probably better. I thought that problem only affected kernels <= 2.4.3. Looking at my SuSE 7.2 system with a 2.4.4-4GB kernel (default), i see the following in lines 352-355 of my /usr/src/linux-2.4.4.SuSE/net/ipv4/netfilter/ip_conntrack_ftp.c: ---- /* Thanks to Cristiano Lincoln Mattos <lincoln(a)cesar.org.br> for reporting this potential problem (DMZ machines opening holes to internal networks, or the packet filter itself). */ if (!loose) goto out; ---- So I would say that this problem has been taken care of... Could someone from SuSE please confirm this? Thanks, Sergi

1 0

Finally Squid and iptables Kern 2.4.0
by Dirk Ertl 31 Jul '01

31 Jul '01

Helo Stefan, helo folks, Stefan, probably you remember my problem about proxy squid - iptables on kernel 2.4.0 in June. Yesterday I find in /usr/share/doc/packages/iptables/Kown_bugs these:" Connection tracking doesn`t wait very log for reply FIN, meaning that half-closed pipes can time out early ( seen frequendly squid ). I use to download Kernel 2.4.4 and updated my System. Well, it`s works how it have to work. So I wasn`t wrong but the kernel ore iptables in release. lol best regards -- Dirk Ertl networktechnican fon : +49 179/492 63 59 mailto : dirk(a)ertl-bln.de -------------------------------------------

1 0

DNS: BIND vs djbdns
by Oyku Gencay 31 Jul '01

31 Jul '01

Hi, I'm wondering, does anyone of you are using djbdns (http://cr.yp.to/djbdns.html) instead of BIND? What are your thoughts. Apart from being vulnerable, BIND frequently crashed. Regards, Oyku

7 7

Re: [suse-security] kernel 2.4: ipchains and ip_masq_ftp
by Stefan_Walther＠gehag-dsk.de 31 Jul '01

31 Jul '01

Hi, I meant some features of the 2.2.x -kernels. I tried to set up a firewall with ipchains and the firewall-introduction from www2.little-idiot.de/firewall. A recognized, that a RedHat kernel have more features enabled that were necessary for building up a firewall with ipchains. That's what I mean. MfG. Stefan Walther stefan_walther(a)gehag-dsk.de dienst.: +4930/89786448 Funk: +49172/3943961 Hi, On Tue, Jul 31, Stefan_Walther(a)gehag-dsk.de wrote: > thats right. But I use a 2.4.7 from kernel.org on my SuSE system. I think > the patch is applied to this version. I take this kernel, because I > recognized that some featurs I need are not implemented in the SuSE > kernels. What is missing in the SuSE kernels that exists in stock kernels? We never remove any functionality from Linus' kernels, so I'm very curious what you're referring to. > MfG. > > Stefan Walther Hubert Mantel -- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com

1 0

Re: [suse-security] kernel 2.4: ipchains and ip_masq_ftp
by Stefan_Walther＠gehag-dsk.de 31 Jul '01

31 Jul '01

Hi, thats right. But I use a 2.4.7 from kernel.org on my SuSE system. I think the patch is applied to this version. I take this kernel, because I recognized that some featurs I need are not implemented in the SuSE kernels. MfG. Stefan Walther stefan_walther(a)gehag-dsk.de dienst.: +4930/89786448 Funk: +49172/3943961 One thing to bear in mind with this approach : AFAIK the stock SuSE 7.2 2.4.4 kernel hasn't been patched to close the serious security hole in ip_conntrack_ftp, so if security is of any importance at all, and you have to allow FTP, 2.2.19 is probably better. just my 2 cents. Maf. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Maf. King Standby Exhibition Services ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "It is easier to do a job right than to explain why you didn't." - Martin Van Buren ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3 2

Jump to page:

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security July 2001