openSUSE Security January 2005

security@lists.opensuse.org

93 participants
61 discussions

Apache SSL with SUSE 9.1
by Franck 07 Jan '05

07 Jan '05

Hi, i've a problem to activate SSL on my apache. All work fine on port 80 with virtualhost. 1/ Basic instalaltion of apache 2 with mod_php4 2/ /etc/sysconfig/apache2 => APACHE_SERVER_FLAGS="SSL" 3/ copy from vhost-ssl.template to test.conf 4/ In test.conf, only changed DocumentRoot to point to good path 5/ cd /usr/share/doc/packages/apache2; ./certificate.sh' as root. Answer all questions 6/ /etc/init.d/apache2 restart [Thu Jan 06 10:45:48 2005] [error] VirtualHost _default_:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results Syntax OK Shutting down httpd2 (waiting for all children to terminate) done Starting httpd2 (prefork) [Thu Jan 06 10:45:49 2005] [error] VirtualHost _default_:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results Could anyone help me please ? Regards Franck

4 10

Yast system:/ kioslave security flaw?
by Mauricio Bahamonde 06 Jan '05

06 Jan '05

Hi, I'm running SuSe 9.2 and I have a user account in which I run KDE 3.4 CVS HEAD. I have discovered a serious security flaw probably related to a bug in Yast2 system:/ kioslave. If you go to system:/ on Konqueror -> Settings -> Yast2 Modules, and try to change anything, it doesn't asks you for a password , so any user can do modifications the system without having the root password at all. Please check http://bugs.kde.org/show_bug.cgi?id=96146 for more information on this bug. Greetings, -- Mauricio Bahamonde <elkrammer(a)kde.cl> We must learn our limits. We are all something, but none of us are everything. -- Blaise Pascal

2 4

[Request for Help] MBOX-Project seeks for Mboxes :-)
by Martin Mewes 06 Jan '05

06 Jan '05

Hallo zusammen, hi all, English first - Deutsch folgt: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ After first problems my MBOX-Project [1] is running OK and now I search for content. First goal of the project is to install a central possibility to gather lost messages from mailing-lists which did not reach the recipient for various reasons (missconfigured eMail-Clients/-Servers [2], network-hickups). The testphase in 2004 was well and after little problems on the 01/01/2005 mailinglists are now archived properly. Second goal of the project will be to develop some (possibly perl-based) software which can be handled via eMail to get certain lost messages out of the archives attached to an eMail in a (zip||tar.gz||tar.bz2) to import them to your $mail_client. There is a mailing-list [3] and an empty CVS already. More info on this can be obtained by subscribing to the list. Back to point one. I am searching for complete editions of the years 2002, 2003 and 2004 of the following mailing-lists [4], mbox is prefeered (so no conversion is needed), but there is a conversion-script for maildir available as well. Some of the lists are complete already, but you know: Better check twice :-) Another important point is to have the eMail-Headers complete, so we can check them to find something unique (important for SuSE-Lists) in them. There are several options to give us your valued archives. a) I download them [5]. b) You will get a FTP-Account and upload them (scp possible) [5]. c) Via eMail to mm(a)mewes.tv as attachment (Maximum Size: 30 MB per eMail) [5] Kind regards and thanks for listening Christian Boltz (suse at cboltz dot de) Martin Mewes (mm at mewes dot de) ###################################################################### Nach anfänglichen Schwierigkeiten haben ich nun mein MBOX-Projekt [1] im Griff und suche nun Inhalt. Ziel des Projektes ist es erstmal eine zentrale Anlaufstelle für verlorengegangene Mailinglisten-Mails zu sein, die entweder aufgrund de/ver-konfigurierter Mailclients/-server [2], Netzwerkschluckauf oder sonstiger Dinge den Empfänger nicht erreicht haben. Die Testphase Ende 2004 verlief recht gut und nach kleineren Problemen am 01.01.2005 wird nun fleissig gesammelt und archiviert. Als nächstes starte ich nun mit bisher einem Mitstreiter die Programmierung einer (wahrscheinlich) Perl-Skript basierten Software, die man via eMail bedienen kann, um sich aus den gesammelten Archiven einzelne Mails als Anhang (zip||tar.gz||tar.bz2) einer eMail zusenden lassen kann. Hierfür existiert eine Mailingliste [3] und auch ein bisher leeres CVS. Mehr Infos dazu auf der Mailingliste. Aber zurück zu Punkt Eins. Ich suche komplette Edititionen der Jahre 2002, 2003 und 2004 der folgenden Mailinglisten [4} am liebsten im mbox-Format, damit ich diese nicht erst konvertieren muß. Für maildirs existiert ein Konverterskript. Für einige dieser Listen bin ich zwar komplett, aber doppelt geprüft ist besser :-) Wichtig ist mir weiterhin, daß die kompletten Header erhalten sind, damit wir prüfen können, welcher Header (vor allem für die SuSE-Listen) so eine Art "eindeutiges Merkmal" darstellt. Es gibt mehrere Möglichkeiten, mir diese Archive zukommen zu lassen. a) Ich lade diese bei Euch runter [5] b) Ihr bekommt einen FTP-Account und ladet diese direkt auf meinen Server hoch (scp möglich) [5]. c) Via eMail and mm(a)mewes.tv als Anhang (Begrenzung: 30 MB pro eMail) [5]. Danke für Eure Aufmerksamkeit ... Christian Boltz (mbox-archiv at cboltz dot de) Martin Mewes (mm at mewes dot de) [1] http://mbox.mewes.tv/ [2] Grund des Projektes / Reason of the project ;-) [3] http://mailman.mamemu.de/mailman/listinfo/mbox-archiv [4] * debian-announce * debian-changes * debian-devel * debian-devel-announce * debian-kde * debian-kernel * debian-mentors * debian-news * debian-news-german * debian-security * debian-security-announce * debian-user * debian-user-german * securityfocus-bugtraq * securityfocus-linux * securityfocus-ms * suse-autoinstall * suse-linux * suse-linux-e * suse-ot * suse-security * suse-security-announce * webadmin-list * webadmin-devel * webadmin-trans [5] Dateiname/Fielname (please): $listname-$year(-$month(-$day)).(zip||tar.gz||tar.bz2) bis dahin/kind regards Martin Mewes -- I'm not really out of the office. I'm just ignoring you.

1 0

password authentication in ssh
by Alex Angerhofer 06 Jan '05

06 Jan '05

Dear List, I have a question regarding password authentication in ssh. Recently I discovered that I couldn't log on to one of my boxes anymore from a Sun. The linux box is running SuSE 9.2 stock with the latest YOU update kernel: # uname -a Linux alex-1 2.6.8-24.10-smp #1 SMP Wed Dec 22 11:54:27 UTC 2004 i686 i686 i386 GNU/Linux The error output of ssh when trying to connect to this box is this: debug1: Authentications that can continue: publickey,keyboard-interactive debug1: Next authentication method: publickey debug1: Trying private key: /ufl/chem/axa/aa/.ssh/identity debug1: Trying private key: /ufl/chem/axa/aa/.ssh/id_rsa debug1: Trying private key: /ufl/chem/axa/aa/.ssh/id_dsa debug1: No more authentication methods to try. Permission denied (publickey,keyboard-interactive). There is no problem ssh'ing into this box from another linux box called physical36. > uname -a Linux physical36 2.6.8-24.10-default #1 Wed Dec 22 11:54:27 UTC 2004 i686 athlon i386 GNU/Linux I also don't have a problem ssh'ing into physical36 from the Sun. So, I investigated the sshd_config files and they show the following differences between physical36 and alex-1 (see at the end of this message). Apparently, I have a different version of sshd_config on both machines. Yet, both machines feature the same version of openssh: > rpm -q openssh openssh-3.9p1-3 # rpm -q openssh openssh-3.9p1-3 What would be the safest way to remedy the problem and allow password authentication again upon an ssh request from the Sun while avoiding other potential problems that come with the apparently older version of sshd_config? Thank you very much for pointers. Best regards, Alex. diff between sshd_config on physical36 and alex-1: < # $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $ --- > # $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $ 37a38 > #MaxAuthTries 6 54c55 < #PasswordAuthentication yes --- > PasswordAuthentication no 58c59 < ChallengeResponseAuthentication no --- > #ChallengeResponseAuthentication yes 63a65 > #KerberosGetAFSToken no 67c69 < #GSSAPICleanupCreds yes --- > #GSSAPICleanupCredentials yes 69,71c71,85 < # Set this to 'yes' to enable PAM authentication (via challenge-response) < # and session processing. Depending on your PAM configuration, this may < # bypass the setting of 'PasswordAuthentication' --- > # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication > # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included > # in this release. The use of 'gssapi' is deprecated due to the presence of > # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. > #GSSAPIEnableMITMAttack no > > > # Set this to 'yes' to enable PAM authentication, account processing, > # and session processing. If this is enabled, PAM authentication will > # be allowed through the ChallengeResponseAuthentication mechanism. > # Depending on your PAM configuration, this may bypass the setting of > # PasswordAuthentication, PermitEmptyPasswords, and > # "PermitRootLogin without-password". If you just want the PAM account and > # session checks to run without PAM authentication, then enable this but set > # ChallengeResponseAuthentication=no 81c95 < #KeepAlive yes --- > #TCPKeepAlive yes 83c97 < UsePrivilegeSeparation no --- > #UsePrivilegeSeparation yes

1 0

"manually" updating PHP on Suse 9.1 (to PHP 4.3.10)
by Thomas Hochstein 05 Jan '05

05 Jan '05

I've got one or two questions egarding those still missing critical PHP updates. Suse 9.1, Apache2, mod_php 1. AFAIS, in Suse 9.1, most modules can be found in /usr/lib/php/extensions. Would it be sufficient to download PHP 4.3.10 from php.net, compile and install it into a different directory (--prefix), to get rid of the bugs? AFAIS, (un)serialize() and (un)pack() are part of the PHP core. 2. To "get back" to SuSe RPMs, is it sufficient to install the Suse apache2-mod_php-4 RPM as soon as it is available? (And perhaps to manually remove the install directoty from step 1 above). The RPM should overwrite /usr/lib/apache2-prefork/libphp4.so and all other newly installed files, I presume? Thanks for all comments - even if those questions *are* a little dumb, I fear. :) -thh

4 3

Microsoft exchange connector
by Riaz Ur Rahaman 05 Jan '05

05 Jan '05

Hi, I am running suse 9.2, does a microsoft exchange connector not come with ximian by default? It comes with Fedora..where can i get the connector from and download it. -- Riaz Ur Rahaman <riazrahaman(a)hp.com>

1 0

vpn -newbies
by shrikant poredi 05 Jan '05

05 Jan '05

Hi How do i confiure ipsec/vpn with sles 9 /i am getting this errors pls tell me where i am making mistake ipsec verify Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux FreeS/WAN U2.04/K(no kernel code presently loaded) Checking for KLIPS support in kernel [FAILED] Checking for RSA private key (/etc/ipsec.secrets) [FAILED] ipsec showhostkey: no pubkey line found -- key information old? Checking that pluto is running [OK] Two or more interfaces found, checking IP forwarding [FAILED] Opportunistic Encryption DNS checks: Looking for TXT in forward map: cybervision [MISSING] Does the machine have at least one non-private address? [OK] Looking for TXT in reverse map: 46.84.65.219.in-addr.arpa. [MISS pls give me link for basic vpn funda also what is left and right and other keys thx

1 0

iptables: how to route specific ports different than default gateway?
by Markus Feilner 05 Jan '05

05 Jan '05

Hello List, Can I use iptables to route traffic to or from one port via a different gateway than the default? If so, which is the right target? iptables ... -j REDIRECT? Or should I use a different software for that? Because of dyndns i cannot use the routing table for that hosts... Thanks a lot!! -- Mit freundlichen Grüßen Markus Feilner --------------------------- Bitte beachten Sie unsere neuen Adressdaten! Vielen Dank. --------------------------- Feilner IT Linux & GIS Linux Solutions, Training, Seminare und Workshops - auch Inhouse Beraiterweg 4 93047 Regensburg fon +49 941 9465243 fax +49 941 9465244 mobil + +49 170 3027092 mail mfeilner(a)feilner-it.net web http://www.feilner-it.net

2 3

identd on a masq gateway, answering with hostnames?
by Lars O.Grobe 03 Jan '05

03 Jan '05

Hi! For a masquerading gw allowing internet access to authenticated users, I need an identd that answers ident-requests giving the (hashed) hostname and user-id of the client that connected to the requesting system. This is to make sure that in case of abuse, the responsible can be found and the admin of the gateway is not made responsible (as the connections come from the gateway ip address as seen from the server). I could provide the identd with the information which local ip (which will be masqued to the outside) belongs to which user. All that is some kind of an extension to an authenticating gateway. Is anyone using something like that, or does anyone know a solution? TIA, CU Lars.

2 2

Failed attempts, block address
by MB 02 Jan '05

02 Jan '05

Hi list, Been getting a ton of attempts on my ssh/ftp connections as of late, first they started with the usual script kids trying the admin/guest/etc on the ssh connection, now i get people trying all sorts of stupid usernames with blank passwords on the ftp connection. 1. Is there a way to block an IP, either perm. or for set period of time for SSH attempts 2. Is there a simular way for VSFTP I'm sure i could block the address's manually, but i'd like it if it was automated? say for 6 attempts? Matt SuSE 9.1 --------------------------------- Do you Yahoo!? Yahoo! Mail - You care about security. So do we.

7 7

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security January 2005