Hi!
I implemented an ssh connection from the outside to my intranet. This ssh requires a username and a password.
In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the
authorized public key lists (in this case there is no need for username and password)?
In the second case there is no need for authentication and only the users which have their public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
Thanks.
--
Farewell.
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
João Reis
-------------------------------------------------------
I want to do the following:
back up all my sensitive data from my main server, pack it into one file
and then get it transferred to my backup server.
That's fine but my problem is that those two machines aren't in the same
local network. So if I do not encrypt my data it would be (more or less)
visible to everybody on the net (who has some hacking knowledge). But as I
said this data is sensitive (passwords, credit cards, ...)! So I thought of ssh
or scp BUT how to automate this process of backing up? I would have to specify
user AND password in my backup-script. How do I specify a password for
ssh / scp in a script??
Please help!
Luke
> To: draht(a)suse.de
> Date: 31 Jul 01 11:35:18 GMT
> Subject: RE: Re: [suse-security] ip_conntrack_ftp
>
> I will be on vacation until August 16, 2001.
>
Just a brief note: I'm unsubscribing people who set up autoreplies that
send mails even if the owner of the mail account is not listed in the To:
or Cc: lines. If it doesn't get too much, I'll send some brief note to the
subscriber that he's been nuked.
For explanation: If you send a mail to suse-security(a)suse.de, the mail is
being received by a few thousand subscribers of the list. None of these
show up in the header: The recipient address is listed in the envelope of
the mail and is not visible while the mail is being transferred in SMTP
layer. So if you set up an autoreply that you are on vacation and drinking
Caipirinha on the beach, make sure that you only reply if your email
address appears in the To: or Cc: lines.
Thanks,
Roman.
--
Roman Drahtmüller <draht(a)suse.de>
SuSE GmbH - Security
Nürnberg, Germany
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
Use public key authentication as opposed to hard coding the username
and password.
HTH
- -----Original Message-----
From: Lukas Feiler [mailto:lukas.feiler@endlos.at]
Sent: Tuesday, July 31, 2001 8:35 AM
To: suse-security(a)suse.com
Subject: [suse-security] automatic backups over ssh/scp
I want to do the following:
back up all my sensitive data from my main server, pack it into one file
and then get it transferred to my backup server.
That's fine but my problem is that those two machines aren't in the same
local network. So if I do not encrypt my data it would be (more or less)
visible to everybody on the net (who has some hacking knowledge). But as I
said this data is sensitive (passwords, credit cards, ...)! So I thought of ssh
or scp BUT how to automate this process of backing up? I would have to specify
user AND password in my backup-script. How do I specify a password for
ssh / scp in a script??
Please help!
Luke
- --
To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com
For additional commands, e-mail: suse-security-help(a)suse.com
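The key-based setup recommended in the reply above, sketched as an added example that is not part of the thread: a dedicated backup key, restricted on the backup server to one forced command, and a non-interactive transfer that needs no password in the script. The host, account, paths and forced command are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Host, account, paths and the forced
# command are hypothetical.
#
# One-time setup on the main server: a dedicated key with no passphrase, so
# cron can use it unattended:
#   ssh-keygen -t ed25519 -N '' -f /root/.ssh/backup_key
# Because that key is unprotected on disk, the backup server restricts it.

# Print the authorized_keys line to install for the backup account on the
# backup server. The key can then only feed the forced command: no shell,
# no terminal, no forwarding.
# $1 = public key file, $2 = forced command (must not contain double quotes)
restricted_key_entry() {
    [ -r "$1" ] || { echo "cannot read public key: $1" >&2; return 1; }
    printf 'command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$2" "$(cat "$1")"
}

# Pack a directory into one archive and send it to the backup server.
# $1 = directory, $2 = private key file, $3 = user@host
push_backup() {
    archive=$(mktemp) || return 1        # mktemp creates the file with mode 0600
    # BatchMode=yes: fail instead of prompting for a password.
    # IdentitiesOnly=yes: offer only the key given with -i.
    # -T: no terminal. The server's forced command receives the archive on stdin.
    if tar -cf "$archive" -C "$1" . &&
       ssh -T -i "$2" -o BatchMode=yes -o IdentitiesOnly=yes "$3" < "$archive"
    then rc=0
    else rc=1
    fi
    rm -f "$archive"
    return "$rc"
}

# Example use (hypothetical names):
#   restricted_key_entry /root/.ssh/backup_key.pub 'cat > /srv/backup/main.tar'
#   push_backup /srv/sensitive /root/.ssh/backup_key backup@backup.example.org
```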
Hi,
I had some reliability problems, too. I installed bind8-8.2.3-REL at our
SuSE 7.0 from the original sources and bind crashed at least once a day.
I never got a reason for this. But after installing the SuSE update rpm for
8.2.3 it never crashed again.
I don't know what the differences are and I don't care...
So if you are running a SuSE system try to install their package.
Hth,
Oliver
-----Original Message-----
From: Oyku Gencay [mailto:oykug@sbt.com.tr]
Sent: Tuesday, 31 July 2001 19:48
To: Schelstraete Bart
Cc: SuSE Security
Subject: Re: [suse-security] DNS: BIND vs djbdns
Sorry for the error :) I intended to write "crashes" not "crashed". Both
BIND8 and 9 frequently (at least once in two days) crash. BIND 4 was
insecure, but not so unstable.
----- Original Message -----
From: Schelstraete Bart <bschelst(a)bru-hub.dhl.com>
To: Oyku Gencay <oykug(a)sbt.com.tr>
Cc: SuSE Security <suse-security(a)suse.de>
Sent: Tuesday, July 31, 2001 12:41 AM
Subject: Re: [suse-security] DNS: BIND vs djbdns
> Oyku Gencay wrote:
>
> >Hi,
> >
> >I'm wondering, are any of you using djbdns
> >(http://cr.yp.to/djbdns.html) instead of BIND? What are your thoughts. Apart
> >from being vulnerable, BIND frequently crashed.
> >
> BIND crashed? That's strange.........I never had any problems with
> running BIND.
> I think BIND is the most complete - stablest - nameserver.
>
> (If you don't mind the security issues )
>
> Bart
maf king wrote:
> One thing to bear in mind with this approach : AFAIK the stock SuSE 7.2
> 2.4.4 kernel hasn't been patched to close the serious security hole in
> ip_conntrack_ftp, so if security is of any importance at all, and you have
> to allow FTP, 2.2.19 is probably better.
I thought that problem only affected kernels <= 2.4.3. Looking at my
SuSE 7.2 system with a 2.4.4-4GB kernel (default), I see the following
in lines 352-355 of my
/usr/src/linux-2.4.4.SuSE/net/ipv4/netfilter/ip_conntrack_ftp.c:
----
/* Thanks to Cristiano Lincoln Mattos
<lincoln(a)cesar.org.br> for reporting this potential
problem (DMZ machines opening holes to internal
networks, or the packet filter itself). */
if (!loose) goto out;
----
So I would say that this problem has been taken care of... Could someone
from SuSE please confirm this?
Thanks,
Sergi
Hello Stefan, hello folks,
Stefan, you probably remember my problem with proxy squid - iptables on
kernel 2.4.0 in June.
Yesterday I found this in /usr/share/doc/packages/iptables/Kown_bugs:
"Connection tracking doesn't wait very long for reply FIN, meaning that
half-closed pipes can time out early (seen frequently squid)."
I downloaded kernel 2.4.4 and updated my system. Well, it works
how it has to work.
So I wasn't wrong, but the kernel or iptables in the release was.
lol best regards
--
Dirk Ertl
network technician
fon : +49 179/492 63 59
mailto : dirk(a)ertl-bln.de
-------------------------------------------
Hi,
I'm wondering, are any of you using djbdns
(http://cr.yp.to/djbdns.html) instead of BIND? What are your thoughts. Apart
from being vulnerable, BIND frequently crashed.
Regards,
Oyku
Hi,
I meant some features of the 2.2.x -kernels. I tried to set up a firewall
with ipchains and the firewall-introduction from
www2.little-idiot.de/firewall.
I recognized that a RedHat kernel has more features enabled that were
necessary for building up a firewall with ipchains. That's what I mean.
Kind regards,
Stefan Walther
stefan_walther(a)gehag-dsk.de
Work: +4930/89786448
Mobile: +49172/3943961
Hi,
On Tue, Jul 31, Stefan_Walther(a)gehag-dsk.de wrote:
> That's right. But I use a 2.4.7 from kernel.org on my SuSE system. I think
> the patch is applied to this version. I take this kernel, because I
> recognized that some features I need are not implemented in the SuSE
> kernels.
What is missing in the SuSE kernels that exists in stock kernels?
We never remove any functionality from Linus' kernels, so I'm very curious
what you're referring to.
> Kind regards,
>
> Stefan Walther
Hubert Mantel
Hi,
That's right. But I use a 2.4.7 from kernel.org on my SuSE system. I think
the patch is applied to this version. I take this kernel, because I
recognized that some features I need are not implemented in the SuSE
kernels.
Kind regards,
Stefan Walther
stefan_walther(a)gehag-dsk.de
Work: +4930/89786448
Mobile: +49172/3943961
One thing to bear in mind with this approach : AFAIK the stock SuSE 7.2
2.4.4 kernel hasn't been patched to close the serious security hole in
ip_conntrack_ftp, so if security is of any importance at all, and you have
to allow FTP, 2.2.19 is probably better.
just my 2 cents.
Maf.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King
Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't."
- Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~