October 2006 - openSUSE Security - openSUSE Mailing Lists

Re: [suse-security] Password length
by Boyan Tabakov 16 Oct '06

16 Oct '06

On 16.10.2006 13:59, Miguel ALBUQUERQUE wrote: > Same thing...maybe a bug in YAST ? How can check it manually ? See if your /etc/default/passwd file sais something like: CRYPT_FILES=blowfish BLOWFISH_CRYPT_FILES=10 If passwords are crypted with blowfish, the hash in /etc/shadow should start with the '$2a$10$' magic. SuSE 9.3, 10 and 10.1 use blowfish by default. Why did you modified this anyway? -- Blade hails you... It's not the monsters under your bed It is the Man next door That makes you fear, makes you cry... --Nightwish

2 1

Re: [suse-security] Open port in SuSEfirewall2
by Terje J. Hanssen 16 Oct '06

16 Oct '06

Jürgen Mell wrote: > Next step would be to check whether the SSH daemon is running at all. As > root at the workstation enter > > > rcsshd status # rcsshd status Checking for service sshd running > If a remote ssh > connection does not work, try it from the workstation itself: > > ssh localhost > Does this work or do you get any error messages? ~> ssh localhost The authenticity of host 'localhost (127.0.0.1)' can't be established. RSA key fingerprint is 2a:34:............................. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'localhost' (RSA) to the list of known hosts. Password: Last login: Mon Oct 16 09:32:33 2006 Have a lot of fun... Looks like ssh is running and working on my Linux box. I have no other Linux boxes internal on LAN to test ssh from, though the telnet as mentioned gave a message. The problem is still to get external response/access throught port 22 forwarding on the separate router. Terje

2 1

SPAM: Matthew Eldridge has just sent you $93.50 USD with PayPal
by service＠paypal.com 10 Oct '06

10 Oct '06

PayPal Protect Your Account Info Make sure you never provide your password to fraudulent websites. To safely and securely access the PayPal website or your account, open a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL (https://www.paypal.com/us/) to be sure you are on the real PayPal site. PayPal will never ask you to enter your password in an email. To learn more about protecting yourself from fraud, visit the Security Center. Click "Security Center" on the bottom of any PayPal page Protect Your Password You should never give your PayPal password to anyone, including PayPal employees. Matthew Eldridge just sent you money with PayPal. Matthew Eldridge is a Verified buyer. -------------------------------------------------------------------------- Payment Details Amount: $93.50 USD Transaction ID: 9FW55189WD400453J View the details of this transaction online -------------------------------------------------------------------------- Shipping Information Address: Matthew Eldridge 1936 68th Street Windsor Heights, IA 50322 United States Address Status: Confirmed -------------------------------------------------------------------------- Thank you for using PayPal! The PayPal Team PayPal Email ID PP274

1 0

PGP key implementation question
by HG 10 Oct '06

10 Oct '06

Hello! Sorry, this is not quite the right place, but as I previously got good answers about the PGP servers from you guys, I thought that maybe somebody could help me again. (Plus I tried to subscribe to the PGP mailing list, but either it's down as nothing happened or completely gone as the website was not found...) Ok, rolling out PGP at a small company. This is what I'm thinking. 1) Master signing key that is used to sign every key - Not uploaded to keyservers, just on the https-page with fingerprints and all - No encryption key - No email - My key added as revokation key Q: should I sign this? Q: if https-page is not available (from our IT), should I then sign this (my key will be uploaded to the key servers)? Q: should the global revokation key be added also 2) Global revokation key (Only use is to revoke other keys) - Signed by the master key Q: Does this need the encryption key, or should I delete it also? Q: If it needs, then it needs a email address also? Q: Should this be uploaded to the key server 3) ADK - Not uploaded to keyservers - Signed by the master key - AFAIK, needs an encryption key and therefore an email address? - Will be split later on (when I learn that stuff) 4) Individual email keys - Global revokation key as the revoking key - ADK added as the ADK key - Signed by the master key - added to the key servers How does this sound? -- HG.

2 1

Re: [suse-security] Deny access to file for all applications with apparmor?
by Boyan Tabakov 08 Oct '06

08 Oct '06

On 8.10.2006 03:56, Crispin Cowan wrote: > AppArmor currently does not have a way to do this, but it is in our road > map. The idea would be a "default profile" that applies to *any* process > started, which does not otherwise have an explicit profile. The problem > with the default profile approach is that this profile has to > simultaneously satisfy 2 requirements: > > 1. Be "tight" enough that a process confined only by the default > profile cannot corrupt AppArmor itself. > 2. Be "loose" enough that administrative processes, such as YaST and > RPM, can still function. I see. Hope you will come up with a solution! > * The security of the default profile will be exceptionally weak if > it is a negative profile. This is for all the usual security > weaknesses of a default allow policy. OK, but how would this 'weakness' be any different than the current state, where there is no profile assigned at all to most of the processes. If the default negative profile is empty, that would mean 'access granted' by default, which won't corrupt anything. > * The usability of the system will be severely compromised if the > default profile is a positive (normal) profile. *Every* process in > the system will be subject to this default profile, and so lots of > "normal" UNIX administrative procedures won't work. A default restrictive profile could render the system completely unusable. Thats why I guess the default profile should be negative only. If it is positive, it would truly need a lot time to develop. > Therefore, using the default profile feature is likely to be appropriate > only for specialized situations where the configuration can be limited > to a specific need, and therefore its administrative needs will be > relatively simple. Exactly! My situation is like this. But having the tools to do this, only gives the administrator more options. It means that the administrator should be paying more attention, too. Good luck with the project! -- Blade hails you... All the same take me away We're dead to the world --Nightwish

1 0

tomcat5 webdav and user dirs
by Wouter 02 Oct '06

02 Oct '06

Hi, I have installed a few days ago tomcat whit the suse rpms. But i want now that i can make user directoy's. Because the world can now write in de webdav dir.... Is there someone who knows how i can make a few user directory's ? Greets

2 1

Encrypted filesystem on loop file
by Carlos E. R. 01 Oct '06

01 Oct '06

Hi, I'm trying to create an encrypted filesystem via Yast partitioner in SuSE 10.1, using a file mounted via the loop device. I have done this before, in fact I have two such things created under 9.3 running; but I can't (couldn't) with 10.1, it is creating a plain non encrypted filesystem instead. Or so it seemed. Looking carefully again, after several runs, I noticed that it was mounting the filesystem as plain non encrypted, but it was in fact creating an encrypted one with the appropriate entry en /etc/cryptotab instead of in /etc/fstab - whereas in 9.3 it created then in /etc/fstab instead, and in 8.x they were created in /etc/cryptotab. This criteria change is very confusing. Perhaps Yast could ask where the user wanted to define it - feature request, perhaps? It's not only a config file difference; an encrypted filesystem defined in /etc/fstab can be mounted with the command mount, but one defined in /etc/cryptotab is mounted via the command "/etc/init.d/boot.crypto start", which is less comfortable for manual mount after boot (and it mounts all devices listed, even if already mounted). /etc/cryptotab sample line: /dev/loop3 /file3 /crypta3 ext3 twofish256 acl,user_xattr /etc/fstab, the equivalent sample line: /file3 /crypta3 ext3 noauto,acl,user_xattr,loop=/dev/loop3,encryption=twofish256 0 0 Both work with the same file, I tried. I'll stay with the second one. But in 9.3 the fstab line was instead (incompatible): /file2 /crypta2 ext3 noauto,acl,user_xattr,loop=/dev/loop2,encryption=twofish256,phash=sha512,itercountk=100 Comments? Also, how would I create the equivalent encrypted filesystem manually; docus, howtos? Tks. -- Cheers, Carlos Robinson

2 2

[suse-security] Deny access to file for all applications with apparmor?
by Boyan Tabakov 01 Oct '06

01 Oct '06

Hi, I was recently going through the manuals of apparmor. As far as I could understand you can create profiles for specific executables. I was wondering, however, is it possible to create a 'generic' profile that should be applied to ANY process started. Or, what I really want to accomplish, how can I deny access to specific file for ALL processes, except, let's say one or two? If I understand the concept right, this can't be done, but let me know if I am wrong, please! -- Blade hails you... Toll no bell for me father But let this suffering pass from me Send me no shepherd to heal my world But the Angel - the dream foretold --Nightwish

2 4