May 2003 - openSUSE Security - openSUSE Mailing Lists

Validity period of GPG-keys
by Jan Dirnberger 26 May '03

26 May '03

Hi! I'm working on a school project, including Public Key Infrastrucure (PKI). We are instructed to get out how long the validity period of a GPG-key should be set in a company or other organisations the info-material we collect is for. First I wanted to advise a unrestricted validity, but then I remembered that organisations or enterprises might have often changing memebers. So I'm caught between the devil and the deep blue sea what to advise... I tried to find out with Google, but there aren't any publications including these information. Thanks for any advises or experiences! Greetings, Jan PS: My english is quite bad but I hope all necessary information can be understood ;)

2 1

KMail and GPG
by Oliver Schwabedissen 26 May '03

26 May '03

Hello, I currently have a problem with signing and encrypting my email and have no idea what went wrong sudeenly... I installed GnuPG v1.2.2 last week, generated a key and configured KMail v1.5 (I'm running SuSE 8.0 with KDE 3.1) to use this key to sign all outgoing mail that has my standard identity in the From field. Two days later I installed "Ägypten" so that KMail is able to support OpenPGP and PGP/MIME. Everything was fine until last weekend, when KMail suddenly started to reject my passphrase saying I entered an invalid passphrase. I have no idea why KMail keeps rejecting it. I can encrypt and decrypt files using gpg on command line without problems, gpg accepts my passphrase. Somebody here with an idea what's wrong with KMail (or gpg)? I don't want to revoke the key and generate a new one... Bye, Oliver

2 2

.rhost everybody access
by Joao Reis 26 May '03

26 May '03

Hi to all. How do i give permission to rlogin to an account by everybody from any host. I tried "* *" and i didn't work Any suggestion? Thanks -- "Do or do not. There is no try" - Yoda João Reis -------------------------------------------------------

9 10

CA-2003-10 SunRPC XDR glibc updates still missing?
by Herbert Huber 25 May '03

25 May '03

I still have the impression that SuSE has not delivered an update for the Sun RPC XDR bug, which has been posted by CERT on Wed., 19 March 2003. This bug has been fixed by other linux distributors as weel as commercial UNIX flavours like AIX, solaris and IRIX weeks ago. So what's going on here ...? Should the LRZ migrate it's 280 Linux nodes to RedHat, because they are much faster in releasing updates? Or does SuSE propose us to migrate to SLES, because it will in future garantee really fast updates only for it's commercial product lines? Regards, H. Huber

2 1

Re: [SLE] Why does loopback encryption only work when loopback is compiled as a module
by Bo Jacobsen 24 May '03

24 May '03

When "loopback device support" and "Twofish encryption for loopback device" is compiled INTO the kernel, the "losetup -e twofish /dev/loop0 /encrypted-file" command fails with the error: "ioctl: LOOP_SET_STATUS: invalid argument" If they are compiled as modules, everything works OK. I have tred it with many versions of the SuSE kernels, and the result is always the same !. Any suggestions on how to get it to work. Thanks in advance Bo Jacobsen -- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help(a)suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq(a)suse.com

1 0

Why does loopback encryption only work when loopback is compiled as a module
by Bo Jacobsen 24 May '03

24 May '03

When "loopback device support" and "Twofish encryption for loopback device" is compiled INTO the kernel, the "losetup -e twofish /dev/loop0 /encrypted-file" command fails with the error: "ioctl: LOOP_SET_STATUS: invalid argument" If they are compiled as modules, everything works OK. I have tred it with many versions of the SuSE kernels, and the result is always the same !. Any suggestions on how to get it to work. Thanks in advance Bo Jacobsen

1 0

Re: [suse-security] What's keeps changing my inet.d sequence (not entirely security related)
by John Andersen 24 May '03

24 May '03

On Wednesday 21 May 2003 01:11, Matt Gibson wrote: > To get it to apply the right sequence, check the "### BEGIN INIT INFO" > section of the script. If you specify in there that it depends on the > firewall (use the Required-Start line to specify whatever's in the Provides > line in the firewall script) then it should get automatically shuffled into > the right place. Check out the init.d and insserv man pages for more > details. Ah, now if that works it would be great. The man pages left the impression that only those services mentioned in the /etc/insserv.conf could be mentioned there And my tests with the following in the firewall script: # Provides: shorewall # Required-Start: $network vmware # Required-Stop: # Default-Start: 2 3 5 # Default-Stop: 0 1 6 # Description: starts and stops the shorewall firewall Were unsuccessfull in getting the thing to force vmware to load first. Infact the insserv -d command halted saying vmware was not enabled, yet chkconfig said it was. Maddening. If i manually set it and stay away from insserv it will stay put, but one trip thru yast and I have to adjust it again. thx anyway. -- _____________________________________ John Andersen

3 4

DMZ egress access problem
by maarten van den Berg 23 May '03

23 May '03

Hi, I have a bit of a problem connecting from DMZ to the outside world. I have a DMZ with real IP numbers (not masqueraded) and the corresponding routing setup (which is working just fine). I allow port 80 and 22 to the DMZ, which is working great too. But... The problem is that from a DMZ host one cannot download patches; no DMZ -> internet connection is allowed at all and I cannot find a (safe) solution. These are my settings: Outside net X.Y.Z.144/28 DMZ net X.Y.Z.160/28 LAN 192.168.1.0/24 My outside I/F is X.Y.Z.146. DMZ I/F is X.Y.Z.161 These are the relevant sections of SuSEfirewall I have configured FW_DEV_EXT="eth0" FW_DEV_INT="eth1" FW_DEV_DMZ="eth2" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="eth0 eth2" FW_FORWARD="0/0,X.Y.Z.160/28,tcp,80 0/0,X.Y.Z.160/28,tcp,22 X.Y.Z.160/28,0/0" That last rule should allow access to internet, right ? But it doesn't. With a sniffer I see packets leaving the firewall and they come back to eth0 whereafter they disappear. So probably the rule that should allow it back (I mean the smart <established,related> rule) doesn't apply or it has a bug. If I add this bit it works,but then I open up the entire DMZ again (evil) 0/0,X.Y.Z.160/28 And since I cannot define SOURCE portnumbers in FW_FORWARD, only DEST portnumbers, I see no workaround. Because obviously the destination ports are random >1024 ports. The construct 0/0,tcp,80,X.Y.Z.160/28 is not allowed according to the docs. Or is it...? (And besides, that is not very safe since anyone could then spoof that source port number anyway) I can probably solve it by patching some things around inside the real firewallscript but that is not why I'm writing this... I wonder how you are _supposed_ to solve this in the proper way. Are my rules wrong, or do you all disregard the FW_FORWARD line entirely and do it all from one of the hooks in the FW_CUSTOMRULES file ? I searched these mailarchives but a solution is not easy to find. For one, just looking for "DMZ" obviously gives thousands of hits and more importantly everyone seems to use a masqueraded DMZ anyway (As do the SuSE examples) so that does not really apply to my situation. Any insights ? Maarten

3 3

Re: [suse-security] What's keeps changing my inet.d sequence
by John Andersen 23 May '03

23 May '03

On Thursday 22 May 2003 09:57, Arjen de Korte wrote: > On Thursday 22 May 2003 10:08, John Andersen wrote: > > I'm taking this off-list, since I can't find anything security related to > this thread... > > [ > ...] > > > I have a similar case. > > > > In my case, insserv insists on starting Shorewall AFTER vmware > > in spite of my having vmware as a pre-requsite to shorewall. > > So? This is correct. If you put vmware in the list of Required-Start, it > will place the link to the shorewall startup script AFTER the link to the > vmware startup script. Provided that you have used insserv to enter vmware > in the runlevel directories as well. I mis-typed. I meant to say that shorewall starts BEFORE vmware even though I have this in the Shorewall script: #### BEGIN INIT INFO # Provides: shorewall # Required-Start: $network vmware # Required-Stop: # Default-Start: 2 3 5 # Default-Stop: 0 1 6 # Description: starts and stops the shorewall firewall ### END INIT INFO ---- > > But the METHOD of changing the names (hence the order) of the > > runlevel scripts is all we are discussing, the fact that you MUST > > change the script name to change the order is a given. > > The name of the script has nothing to do with it. See for yourself in the > /var/log/boot.msg file. It is the (alphabetical) order of the links to the > scripts in /etc/init.d/rc?.d that matters. Yes, of course, I was referring to the names of the links, as I mentioned in the part you clipped where I said: As you know, the alphabetical order of the links in the /etc/init.d/rc?.d directory sets the order they are run. If those are wrong the Optimum way you make them right is setting the Required-Start list to include network and running insserv. I originally thought your first post implied that these orders should never be changed because of what you said: "I'm still not convinced of a valid reason to change the startup order." It now seems that we fully agree that changing the start up order is necessary and the method to do so involves manipulating the names of the links, either manually or via insserv My problem remains that insserv was failing to honor the Required-Start as listed in the above snip of my shorewall script However, while putting together this message I noticed that the vmware script has these lines in it... ### BEGIN INIT INFO # Provides: VMware # Required-Start: $network $syslog # Required-Stop: # Default-Start: 3 5 # Default-Stop: # Description: Manages the services needed to run VMware software ### END INIT INFO The name of the script is "vmware" and thats the name I used inside my shorewall script for the "Required-Start". But I just noticed that the CaPiTaLiZaTiOn of the vmware script name differs with its "Provides" list. Running some tests with the capitalization corrected shows that it does indeed work. Grep-ing the scripts, I see that the vmware script is the ONLY one where the "Provides" differs in capitilzation from the script name. A trap for the unwary. I stand corrected. I hope you don't mind me putting this BACK on the security list, because a) that's where I badmouthed insserv and so should post my retraction there, b) it has a chance of being picked up by google there and that might help the next guy, and c) one's firewall failing to start because of a capitalization error is a security issue in my eyes. -- _____________________________________ John Andersen

2 1

Routing table DOS: Can someone from SuSE comment on this?
by Frank Steiner 23 May '03

23 May '03

Hi, sorry that I ask again (like some other mails did before)! I know that the SuSE security people always have a lot of work. But it would be nice if we could get at least a short comment like "we are working on a bugfix" or "we are investigating if our kernel is vulnerable". Just to know if this is a problem in the SuSE kernel or not and if a fix is developed... Best regards, Frank -- Dipl.-Inform. Frank Steiner Mail: fst(a)bio.informatik.uni-muenchen.de Lehrstuhl f. Bioinformatik Mail: frank(a)familiesteiner.de LMU, Theresienstrasse 39 Phone: +49 89 2180-4049, Fax: -4054 80333 Muenchen, Germany http://www.informatik.uni-kiel.de/~fst/ * Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *

2 1