OSEC


To Unsubscribe: send mail to majordomoFreeBSD.org with "unsubscribe freebsd-security" in the body of the message


 
From: Francisco Reyes (listsnatserv.com)
Date: Sun Nov 04 2001 - 13:10:43 CST


    I am trying to see which method would be best for the following. I have an
    ID I use to copy data from one machine to another using SSH. I created
    some passwordless keys for the ID so the synchronization program, unison, could run
    unattended.

    As an additional precaution I wanted to isolate what the ID could see. I
    was unable to understand the chroot man page and the jail page will take
    me some time to read so I am going to print it and read it carefully.

    Does chroot need to be run as root? If so how does one specify what user
    it should be? If I get some good info on chroot I may try to improve the
    man page since it is a bit short and there doesn't seem to be much on this
    topic on the archives.

    All I believe I will need the ID to be able to see is the directory where
    the data is, and the synchronization program which I can put on the target
    directory itself.


    From: Poul-Henning Kamp (phkcritter.freebsd.dk)
    Date: Sun Nov 04 2001 - 13:14:28 CST

    In message <20011104140305.C18599-100000zoraida.natserv.net>, Francisco Reyes
    writes:
    >I am trying to see which method would be best for the following. I have an
    >ID I use to copy data from one machine to another using SSH. I created
    >some passwordless keys for the ID so the synchronization program, unison, could run
    >unatended.
    >
    >As an additional precaution I wanted to isolate what the ID could see. I
    >was unable to understand the chroot man page and the jail page will take
    >me some time to read so I am going to print it and read it carefully.

    Both chroot and jail must be run as root. Chroot doesn't hide
    anything only jail does.

    -- 
    Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
    phkFreeBSD.ORG         | TCP/IP since RFC 956
    FreeBSD committer       | BSD since 4.3-tahoe    
    Never attribute to malice what can adequately be explained by incompetence.
    


    From: Danny Horne (dannyclifftop.net)
    Date: Sun Nov 04 2001 - 13:20:33 CST

    > -----Original Message-----
    > From: owner-freebsd-securityFreeBSD.ORG
    > [mailto:owner-freebsd-securityFreeBSD.ORG]On Behalf Of Ian Smith
    > Sent: Saturday 03 November 2001 5:41pm
    > To: Danny Horne
    > Cc: freebsd-securityFreeBSD.ORG
    > Subject: Re: OT - Attack on Apache?
    >
    > 408 is a Request Timeout. 'The client did not produce a request within
    > the time that the server was prepared to wait. The client MAY repeat
    > the request without modifications at any later time.'
    >
    > Most likely just the source box so bogged down that it can't complete
    > its requests in time. I've only seen such groups of these from Windows
    > webserver IPs infected with Nimda, 'randomly' scanning our subnet with
    > HTTP requests. Only a bother, not a danger.
    >
    > Note that the first octet of the IP address is the same as yours. You
    > may see as many or more of these (Nimda requests in general), over time,
    > from IPs having the same first two octets as your own address. We did,
    > anyway. Walling it off from tcp 80 access, at least until it's fixed,
    > won't hurt :-)
    >
    Thanks Ian, I've put a blanket ban on this IP for a while


    From: Francisco Reyes (listsnatserv.com)
    Date: Sun Nov 04 2001 - 13:22:03 CST

    Didn't find much on the archives.
    Any currently working crypto filesystem for FreeBSD?
    I found tcfs, but it seems they don't have the BSD version ready yet.


    From: Martin J. Muench (muenchgmc-online.de)
    Date: Sun Nov 04 2001 - 13:35:45 CST

    Hi,

    > Any currently working crypto filesystem for FreeBSD?
    CFS (Cryptographic File System): /usr/ports/security/cfs

    > I found tcfs, but it seems they don't have the BSD version ready yet.
    There is only a NetBSD and an OpenBSD version at the moment at
    http://tcfs.dia.unisa.it/

        --[ Martin J. Muench ]--
    --[ http://mjm.gmc-online.de ]--
    --[ http://perl.gmc-online.de ]--


    From: Francisco Reyes (listsnatserv.com)
    Date: Sun Nov 04 2001 - 13:48:31 CST

    On Sun, 4 Nov 2001, Poul-Henning Kamp wrote:

    > Both chroot and jail must be run as root. Chroot doesn't hide
    > anything only jail does.

    So what was chroot used for?

    For jail is it necessary to have an entire environment? I only need a few
    binaries.


    From: Poul-Henning Kamp (phkcritter.freebsd.dk)
    Date: Sun Nov 04 2001 - 13:57:05 CST

    In message <20011104144213.R18641-100000zoraida.natserv.net>, Francisco Reyes
    writes:
    >On Sun, 4 Nov 2001, Poul-Henning Kamp wrote:
    >
    >> Both chroot and jail must be run as root. Chroot doesn't hide
    >> anything only jail does.
    >
    >So what was chroot used for?

    See /usr/share/doc/papers/jail.ascii.gz

    >For jail is it necessary to have an entire environment? I only need a few
    >binaries.

    You only need the binaries you want.

    -- 
    Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
    phkFreeBSD.ORG         | TCP/IP since RFC 956
    FreeBSD committer       | BSD since 4.3-tahoe    
    Never attribute to malice what can adequately be explained by incompetence.
    


    From: alexus (mldb.nexgen.com)
    Date: Sun Nov 04 2001 - 18:55:38 CST

    does jail require to have NAT set up in order for jail users to go outside
    of jail (like browse, telneting out and etc..)


    From: Thomas S. Greenwalt (tomgtrancer.com)
    Date: Sun Nov 04 2001 - 19:20:40 CST

    I've been playing with setting up a firewall. This is the setup:
    The firewall PC is running FreeBSD 4.4 with the default 'simple' firewall
    running. There are two ethernet cards in it, one at IP 206.147.211.9 talking
    to the outside network. The other ethernet card is using IP 10.0.0.1 and is
    talking to an internal network of two PCs.
    One PC is running FreeBSD 4.4 and is at IP 10.0.0.2 and the other PC is
    running Win98 and is at IP 10.0.0.3. Both are using 10.0.0.1 as the default
    gateway.
    If both machines are plugged into the network and running everything seems to
    be working fine. However as soon as I shut down the Win98 box or unplug it
    from the network, the FreeBSD machine can't communicate out of the firewall
    anymore. Plug the Win98 box back in and it starts working again.
    Any suggestions? TIA

    -- 
    Tom Greenwalt (F.O.E.)  Trancer Software Inc.  tomgtrancer.com
    9099 7th Street NE                                  http://www.trancer.com/
    Minneapolis, MN 55434-1113                  http://www.trancer.com/~tomg
    ---- When I'm good I'm very good, when I'm bad I'm better, ----
    ---------- But when I'm evil you better run. -------------
    


    From: Crist J. Clark (cristjcearthlink.net)
    Date: Mon Nov 05 2001 - 00:32:30 CST

    On Sun, Nov 04, 2001 at 07:55:38PM -0500, alexus wrote:
    > does jail require to have NAT set up in order for jail users to go outside
    > of jail (like browse, telneting out and etc..)

    No.

    -- 
    Crist J. Clark                     |     cjclarkalum.mit.edu
                                       |     cjclarkjhu.edu
    http://people.freebsd.org/~cjc/    |     cjcfreebsd.org
    


    From: Christoph Kukulies (kukugilberto.physik.rwth-aachen.de)
    Date: Mon Nov 05 2001 - 01:21:46 CST

    I found a syslog of Nov 2, 00:30 saying:

    sshd: Local: Corrupted check bytes on input.

    Possible attack?

    What is the way to go with sshd and FreeBSD?

    -- 
    Chris Christoph P. U. Kukulies kukugil.physik.rwth-aachen.de
    


    From: alexus (mldb.nexgen.com)
    Date: Mon Nov 05 2001 - 01:54:16 CST

    how else should i set it up then?

    my jail users seems to be really in jail :)

    i mean they can't go outside of jail to evil internet:] they can't browse
    they can't telnet/ssh outside they can't use irc nothing

    any ideas?

    ----- Original Message -----
    From: "Crist J. Clark" <cristjcearthlink.net>
    To: "alexus" <mldb.nexgen.com>
    Cc: <freebsd-securityFreeBSD.ORG>
    Sent: Monday, November 05, 2001 1:32 AM
    Subject: Re: jail

    > On Sun, Nov 04, 2001 at 07:55:38PM -0500, alexus wrote:
    > > does jail require to have NAT set up in order for jail users to go
    outside
    > > of jail (like browse, telneting out and etc..)
    >
    > No.
    > --
    > Crist J. Clark | cjclarkalum.mit.edu
    > | cjclarkjhu.edu
    > http://people.freebsd.org/~cjc/ | cjcfreebsd.org
    >
    > To Unsubscribe: send mail to majordomoFreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message
    >


    From: Domas Mituzas (domas.mituzasdelfi.lt)
    Date: Mon Nov 05 2001 - 01:56:37 CST

    Hi there,

    > i mean they can't go outside of jail to evil internet:] they can't browse
    > they can't telnet/ssh outside they can't use irc nothing

    That depends on which jail IP address you specified, what firewall rules
    you have on that box. Jail is a synonym for fine-tuning userland's
    environment.

    --
    Regards,
    Domas
    


    From: Denis P. Kravar (Denis_Kravaragtu.secna.ru)
    Date: Mon Nov 05 2001 - 02:00:23 CST

        Hi all!

        I installed 4.4-RELEASE and recompiled the kernel. After rebooting I typed
    /root> top
    and received the following:
    top: nlist failed

        What does it mean and how can I run `top`?

    --
    With best regards    Denis Kravar
    ICQ: 15561179
    


    From: titus manea (titusedc.dnttm.ro)
    Date: Mon Nov 05 2001 - 02:11:50 CST

    Make sure you boot via loader(8) and do NOT load the kernel directly.
    You may have /boot on a separate partition and the bootstrap code is unable
    to load /boot/loader and will fall back to /kernel.

    On Mon, Nov 05, 2001 at 02:00:23PM +0600, Denis P. Kravar wrote:
    > Hi all!
    >
    > I install 4.4-RELEASE and recompile kernel. After rebooting type
    > /root> top
    > and receive next:
    > top: nlist failed
    >
    > What it mind and how i can run `top`?
    >
    > --
    > With best regards Denis Kravar
    > ICQ: 15561179
    >
    >
    >
    > To Unsubscribe: send mail to majordomoFreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message

    -- 
    

    __________________________________________________________________________ Titus Manea <titus2edc.com> | Eastern Digital Inc. Lab owner | http://2edc.com | +40-56-192091


    From: Rasputin (rasputinsubmonkey.net)
    Date: Mon Nov 05 2001 - 04:01:48 CST

    * Denis P. Kravar <Denis_Kravaragtu.secna.ru> [011105 08:10]:
    > Hi all!
    >
    > I install 4.4-RELEASE and recompile kernel. After rebooting type
                                              ^^^^^^^
    Looks like you need to do make world too.

    See Handbook for details.

    > /root> top
    > and receive next:
    > top: nlist failed

    -- 
    How wonderful opera would be if there were no singers.
    Rasputin :: Jack of All Trades - Master of Nuns ::
    


    From: titus manea (titusedc.dnttm.ro)
    Date: Mon Nov 05 2001 - 04:09:45 CST

    There is no reason to make world if you didn't update the source.
    He never said he cvs[up] or updated the kernel source in any way.

    On Mon, Nov 05, 2001 at 10:01:48AM +0000, Rasputin wrote:
    > * Denis P. Kravar <Denis_Kravaragtu.secna.ru> [011105 08:10]:
    > > Hi all!
    > >
    > > I install 4.4-RELEASE and recompile kernel. After rebooting type
    > ^^^^^^^
    > Looks like you need to do make world too.
    >
    > See Handbook for details.
    >
    > > /root> top
    > > and receive next:
    > > top: nlist failed
    >
    > --
    > How wonderful opera would be if there were no singers.
    > Rasputin :: Jack of All Trades - Master of Nuns ::
    >
    > To Unsubscribe: send mail to majordomoFreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message

    -- 
    

    __________________________________________________________________________ Titus Manea <titus2edc.com> | Eastern Digital Inc. Lab owner | http://2edc.com | +40-56-192091


    From: Kris Kennaway (krisobsecurity.org)
    Date: Mon Nov 05 2001 - 05:33:46 CST

    On Mon, Nov 05, 2001 at 02:00:23PM +0600, Denis P. Kravar wrote:
    > Hi all!
    >
    > I install 4.4-RELEASE and recompile kernel. After rebooting type
    > /root> top
    > and receive next:
    > top: nlist failed
    >
    > What it mind and how i can run `top`?

    What on earth does this have to do with security? Please don't abuse
    the mailing lists.

    Kris


    From: Alexander S. Volchenkov (volaxuh.ru)
    Date: Mon Nov 05 2001 - 09:51:52 CST

    Hi All!

    I've just installed ssh2 and am trying to implement its chroot feature.
    I have a problem with user login.

    User "dummy" is in the "chrooted" group. His home directory :
    /home/chrooted/dummy contains bin subdirectory with a mirror of /bin.
    User's shell is /bin/sh. Command: chroot /home/chrooted/dummy works fine.

    From /etc/sshd2_conf:
    -------------------------------------------
    AllowGroups chrooted
    ChRootGroups chrooted
    -------------------------------------------

    Client session:
    -------------------------------------------
    gate# ssh2 -l dummy localhost
    dummylocalhost's password:
    Authentication successful.
    Connection to localhost closed.
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    -------------------------------------------

    tail /var/log/messages:
    -------------------------------------------
    sshd[16513]: User dummy's local password accepted.
    sshd[16513]: Password authentication for user dummy accepted.
    sshd[16513]: User dummy, coming from localhost.sbm, authenticated.
    -------------------------------------------

    What do I need to do to fix it?

    Thanks,
    Alexander S. Volchenkov (mailto:volaxuh.ru)


    From: Peter Pentchev (roamringlet.net)
    Date: Mon Nov 05 2001 - 09:46:39 CST

    On Mon, Nov 05, 2001 at 06:51:52PM +0300, Alexander S. Volchenkov wrote:
    > Hi All!
    >
    > I've just installed ssh2 and trying to implement it's chroot feature.
    > I have a problem with user login.
    >
    > User "dummy" is in the "chrooted" group. His home directory :
    > /home/chrooted/dummy contains bin subdirectory with a mirror of /bin.
    > User's shell is /bin/sh. Command: chroot /home/chrooted/dummy works fine.
    >
    > From /etc/sshd2_conf:
    > -------------------------------------------
    > AllowGroups chrooted
    > ChRootGroups chrooted
    > -------------------------------------------
    >
    > Client session:
    > -------------------------------------------
    > gate# ssh2 -l dummy localhost
    > dummylocalhost's password:
    > Authentication successful.
    > Connection to localhost closed.
    > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    > -------------------------------------------
    >
    > tail /var/log/messages:
    > -------------------------------------------
    > sshd[16513]: User dummy's local password accepted.
    > sshd[16513]: Password authentication for user dummy accepted.
    > sshd[16513]: User dummy, coming from localhost.sbm, authenticated.
    > -------------------------------------------
    >
    > What I need to do to fix it?

    On the server, stop any sshd's running, then run an 'sshd -d' and
    watch its output.

    G'luck,
    Peter

    -- 
    This sentence was in the past tense.
    


    From: Magdalinin Kirill (bsdforumenhotmail.com)
    Date: Mon Nov 05 2001 - 10:48:22 CST

    >gate# ssh2 -l dummy localhost
    >dummylocalhost's password:
    >Authentication successful.
    >Connection to localhost closed.
    >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    at this point sshd already made chroot for the user
    and tries to run /bin/sh, which does not exist, because
    there is no sh in /home/chrooted/dummy/bin/ (after
    chroot /home/chrooted/dummy/bin/ is not a link to system
    /bin, it is just empty /bin).

    If you want to allow a couple of users at your box, then
    placing sh (which is statically linked) in
    /home/chrooted/dummy/bin/ should do the trick. If there
    must be many users, then consider making bin, usr and
    even var directories under /home/chrooted, and chroot
    all users to /home/chrooted. All binaries in bin, usr must
    be statically linked or you will have to place all necessary
    libraries over there, which is a security risk(?).

    I don't remember exactly why, but instead of chrooting users
    by sshd I use the following would-be-shell to chroot users,
    that shell is set as user's default shell and is called by sshd
    at login time:

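    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    /* Login "shell" that confines the user to /home before starting bash.
       chroot(2) needs root, so this wrapper has to be started with root
       privilege and must give it up before running anything for the user. */
    int main (int argc, char *argv []) {

        char *dir, *cmd;
        const char *user = getenv("LOGNAME");

        if (user == NULL)
            return 1;

        /* Change root, then drop root; stop if either step fails. */
        if (chroot("/home") != 0 || setuid(getuid()) != 0)
            return 1;

        /* The path is resolved inside the new root. Without a successful
           chdir the working directory would still be outside it. */
        if (asprintf(&dir, "/home/home/%s", user) < 0 || chdir(dir) != 0)
            return 1;
        free(dir);

        if (argc > 2)
        {
            /* sshd passes a remote command as: <shell> -c "<command>" */
            if (asprintf(&cmd, "/usr/local/bin/bash %s %s", argv[1], argv[2]) < 0)
                return 1;
        }
        else
        {
            if (asprintf(&cmd, "/usr/local/bin/bash") < 0)
                return 1;
        }
        system(cmd);
        free(cmd);
        return 0;
    }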

    Hope this helps,

    Kirill Magdalinin
    bsdforumenhotmail.com

    >From: "Alexander S. Volchenkov" <volaxuh.ru>
    >Reply-To: volaxuh.ru
    >To: freebsd-securityFreeBSD.ORG
    >Subject: Chrooted SSH2 problem
    >Date: Mon, 5 Nov 2001 18:51:52 +0300
    >
    >Hi All!
    >
    >I've just installed ssh2 and trying to implement it's chroot feature.
    >I have a problem with user login.
    >
    >User "dummy" is in the "chrooted" group. His home directory :
    >/home/chrooted/dummy contains bin subdirectory with a mirror of /bin.
    >User's shell is /bin/sh. Command: chroot /home/chrooted/dummy works fine.
    >
    >From /etc/sshd2_conf:
    >-------------------------------------------
    >AllowGroups chrooted
    >ChRootGroups chrooted
    >-------------------------------------------
    >
    >Client session:
    >-------------------------------------------
    >gate# ssh2 -l dummy localhost
    >dummylocalhost's password:
    >Authentication successful.
    >Connection to localhost closed.
    >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >-------------------------------------------
    >
    >tail /var/log/messages:
    >-------------------------------------------
    >sshd[16513]: User dummy's local password accepted.
    >sshd[16513]: Password authentication for user dummy accepted.
    >sshd[16513]: User dummy, coming from localhost.sbm, authenticated.
    >-------------------------------------------
    >
    >What I need to do to fix it?
    >
    >Thanks,
    >Alexander S. Volchenkov (mailto:volaxuh.ru)
    >
    >To Unsubscribe: send mail to majordomoFreeBSD.org
    >with "unsubscribe freebsd-security" in the body of the message
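
The failure discussed in the message above (authentication succeeds, then the session closes because the shell cannot be started inside the chroot) can be checked before a user logs in. The C program below is an added example, not code from the original post or from ssh2; the names check_chroot_shell and write_sample_elf and the /tmp/chroot_demo path are assumptions made for illustration, and the ELF file it writes is a constructed sample.

```c
#include <elf.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum shell_status { SHELL_OK, SHELL_MISSING, SHELL_NOT_EXEC, SHELL_NOT_ELF, SHELL_DYNAMIC };

/* 1 = has a PT_INTERP segment (dynamically linked: the runtime linker and its
 * libraries must also exist inside the chroot), 0 = static, -1 = not an ELF
 * file readable in host byte order. */
static int elf_needs_interp(FILE *f)
{
    unsigned char ident[EI_NIDENT];
    unsigned long phoff, phentsize, phnum, i;

    if (fread(ident, 1, sizeof ident, f) != sizeof ident ||
        memcmp(ident, ELFMAG, SELFMAG) != 0)
        return -1;
    rewind(f);
    if (ident[EI_CLASS] == ELFCLASS64) {
        Elf64_Ehdr eh;
        if (fread(&eh, sizeof eh, 1, f) != 1)
            return -1;
        phoff = (unsigned long)eh.e_phoff; phentsize = eh.e_phentsize; phnum = eh.e_phnum;
    } else if (ident[EI_CLASS] == ELFCLASS32) {
        Elf32_Ehdr eh;
        if (fread(&eh, sizeof eh, 1, f) != 1)
            return -1;
        phoff = eh.e_phoff; phentsize = eh.e_phentsize; phnum = eh.e_phnum;
    } else {
        return -1;
    }
    for (i = 0; i < phnum; i++) {
        Elf32_Word type;   /* p_type is the first 32-bit field in both layouts */
        if (fseek(f, (long)(phoff + i * phentsize), SEEK_SET) != 0 ||
            fread(&type, sizeof type, 1, f) != 1)
            return -1;
        if (type == PT_INTERP)
            return 1;
    }
    return 0;
}

/* After chroot(root), a passwd shell of "/bin/sh" resolves to root + "/bin/sh".
 * Report whether that file exists, is executable, and is statically linked. */
enum shell_status check_chroot_shell(const char *root, const char *shell)
{
    char path[4096];
    struct stat st;
    FILE *f;
    int r;

    if (snprintf(path, sizeof path, "%s%s", root, shell) >= (int)sizeof path)
        return SHELL_MISSING;
    if (stat(path, &st) != 0)
        return SHELL_MISSING;
    if (!S_ISREG(st.st_mode) || !(st.st_mode & 0111))
        return SHELL_NOT_EXEC;
    if ((f = fopen(path, "rb")) == NULL)
        return SHELL_NOT_EXEC;
    r = elf_needs_interp(f);
    fclose(f);
    return r < 0 ? SHELL_NOT_ELF : r ? SHELL_DYNAMIC : SHELL_OK;
}

/* Constructed sample: a bare ELF64 header plus one program header. It is
 * enough for the check above, but it is not a runnable program. */
int write_sample_elf(const char *path, int with_interp)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    FILE *f = fopen(path, "wb");
    int ok;

    if (f == NULL)
        return -1;
    memset(&eh, 0, sizeof eh);
    memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = with_interp ? PT_INTERP : PT_LOAD;
    ok = fwrite(&eh, sizeof eh, 1, f) == 1 && fwrite(&ph, sizeof ph, 1, f) == 1;
    fclose(f);
    return ok && chmod(path, 0755) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "ok (static)", "missing inside the chroot",
        "not an executable regular file", "not an ELF binary",
        "dynamic: runtime linker and libraries needed inside the chroot" };
    const char *root = argc == 3 ? argv[1] : "/tmp/chroot_demo";
    const char *shell = argc == 3 ? argv[2] : "/bin/sh";

    if (argc != 3) {   /* no arguments: run against the constructed sample */
        mkdir("/tmp/chroot_demo", 0700);
        mkdir("/tmp/chroot_demo/bin", 0700);
        write_sample_elf("/tmp/chroot_demo/bin/sh", 1);
    }
    printf("%s%s: %s\n", root, shell, msg[check_chroot_shell(root, shell)]);
    return 0;
}
```

Run it as `check /home/chrooted/dummy /bin/sh` to test a real tree. The check uses stat(), which follows symbolic links against the real root, so an absolute symlink inside the chroot can pass here and still fail after chroot().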


    From: Anthony Atkielski (anthonyatkielski.com)
    Date: Mon Nov 05 2001 - 11:14:29 CST

    Can anyone assist me with the exact configuration for getting SecureCRT (on
    Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to work okay,
    and--mysteriously--SSH2 seems to work against my Web server (4.2 release) on the
    Net, but I can't connect to my own FreeBSD 4.3 server at home; all I get is a
    message saying

    Public-key authentication with the SSH2 server for user root failed. Please
    verify username and public/private key pair.

    Do I have to run anything to make SSH2 work, or is sshd sufficient? I have
    telnetd disabled. I have PermitRootLogin set to without-password. root can log
    in under SSH1, but nobody can log in under SSH2.


    From: alexus (mldb.nexgen.com)
    Date: Mon Nov 05 2001 - 11:27:50 CST

    check your secure crt configuration

    most likely you specify to use public key instead of password

    ----- Original Message -----
    From: "Anthony Atkielski" <anthonyatkielski.com>
    To: <freebsd-securityfreebsd.org>
    Sent: Monday, November 05, 2001 12:14 PM
    Subject: SecureCRT and SSH2 on FreeBSD

    > Can anyone assist me with the exact configuration for getting SecureCRT
    (on
    > Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to work
    okay,
    > and--mysteriously--SSH2 seems to work against my Web server (4.2 release)
    on the
    > Net, but I can't connect to my own FreeBSD 4.3 server at home; all I get
    is a
    > message saying
    >
    > Public-key authentication with the SSH2 server for user root failed.
    Please
    > verify username and public/private key pair.
    >
    > Do I have to run anything to make SSH2 work, or is sshd sufficient? I
    have
    > telnetd disabled. I have PermitRootLogin set to without-password. root
    can log
    > in under SSH1, but nobody can log in under SSH2.
    >
    >
    > To Unsubscribe: send mail to majordomoFreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message
    >


    From: alexus (mldb.nexgen.com)
    Date: Mon Nov 05 2001 - 11:32:23 CST

    jail ip is set one of those private ip address like 172.16-19.0.0
    192.168.0.0 10.0.0.0

    and i have no rules on my firewall

    ----- Original Message -----
    From: "Domas Mituzas" <domas.mituzasdelfi.lt>
    To: "alexus" <mldb.nexgen.com>
    Cc: <cjclarkalum.mit.edu>; <freebsd-securityFreeBSD.ORG>
    Sent: Monday, November 05, 2001 2:56 AM
    Subject: Re: jail

    > Hi there,
    >
    > > i mean they can't go outside of jail to evil internet:] they can't
    browse
    > > they can't telnet/ssh outside they can't use irc nothing
    >
    > That depends on which jail IP address you specified, what firewall rules
    > you have on that box. Jail is a synonim for fine-tuning userland's
    > environment.
    >
    >
    > --
    > Regards,
    > Domas
    >
    >


    From: Noonan, Mr. Sean P. (noonansnosc.mil)
    Date: Mon Nov 05 2001 - 11:51:30 CST

    I use CRT v3.3 with SSH2 against 4.3-STABLE without problems. Here's my
    /etc/sshd/sshd_config and the method I use to convert the v2 key for use
    with ssh2. Any problems email me at my personal address,
    snoonansnoonan.com.

    P.S. - I don't allow root to login directly, but that's not the crux of your
    problem...so it shouldn't matter...

    Good luck,

    Sean.

    -----Original Message-----
    From: owner-freebsd-securityFreeBSD.ORG
    [mailto:owner-freebsd-securityFreeBSD.ORG]On Behalf Of Anthony
    Atkielski
    Sent: Monday, November 05, 2001 9:14 AM
    To: freebsd-securityFreeBSD.ORG
    Subject: SecureCRT and SSH2 on FreeBSD

    Can anyone assist me with the exact configuration for getting SecureCRT (on
    Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to work
    okay,
    and--mysteriously--SSH2 seems to work against my Web server (4.2 release) on
    the
    Net, but I can't connect to my own FreeBSD 4.3 server at home; all I get is
    a
    message saying

    Public-key authentication with the SSH2 server for user root failed. Please
    verify username and public/private key pair.

    Do I have to run anything to make SSH2 work, or is sshd sufficient? I have
    telnetd disabled. I have PermitRootLogin set to without-password. root can
    log
    in under SSH1, but nobody can log in under SSH2.


    From: Anthony Atkielski (anthonyatkielski.com)
    Date: Mon Nov 05 2001 - 13:24:12 CST

    Public-key is what I want, not password. In fact, PermitRootLogin
    without-password supposedly prevents password authentication from being used in
    SSH, forcing PK authentication.

    ----- Original Message -----
    From: "alexus" <mldb.nexgen.com>
    To: "Anthony Atkielski" <anthonyatkielski.com>; <freebsd-securityfreebsd.org>
    Sent: Monday, November 05, 2001 18:27
    Subject: Re: SecureCRT and SSH2 on FreeBSD

    > check your secure crt configuration
    >
    > most likely you specify to use public key instead of password
    >
    > ----- Original Message -----
    > From: "Anthony Atkielski" <anthonyatkielski.com>
    > To: <freebsd-securityfreebsd.org>
    > Sent: Monday, November 05, 2001 12:14 PM
    > Subject: SecureCRT and SSH2 on FreeBSD
    >
    > > Can anyone assist me with the exact configuration for getting SecureCRT
    > > (on Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to
    > > work okay, and--mysteriously--SSH2 seems to work against my Web server
    > > (4.2 release) on the Net, but I can't connect to my own FreeBSD 4.3
    > > server at home; all I get is a message saying
    > >
    > > Public-key authentication with the SSH2 server for user root failed.
    > > Please verify username and public/private key pair.
    > >
    > > Do I have to run anything to make SSH2 work, or is sshd sufficient? I
    > > have telnetd disabled. I have PermitRootLogin set to without-password.
    > > root can log in under SSH1, but nobody can log in under SSH2.


     
    From: Daniel Brown (djbunixan.com)
    Date: Mon Nov 05 2001 - 14:04:28 CST


    192.168.x.x and 10.x.x.x IP ranges are non-routable (publicly
    accessible), and unless you own the 172.16-19.x.x range, neither is it.
    In these cases you do need to use NAT.

    However, most uses for Jail are for binding a prison to a publicly
    accessible IP address, which means no NAT is necessary.

    If you only have one publicly available IP address and you do not intend
    them to accept incoming connections, perhaps you should consider binding
    your prisons to that IP address instead of the private non-routable IPs.
    You can run Jail multiple times with the same IP address,
    including the primary IP of your machine.

    This assumes, of course, that the machine these prisons exist on has a
    publicly available IP. If it exists entirely on a private network, you
    should turn on NAT on your router/firewall.

          -Daniel

    ------------ Quoted Message ------------
    Date...: Mon, 5 Nov 2001 12:32:23 -0500
    From...: "alexus" <mldb.nexgen.com>
    To.....: "Domas Mituzas" <domas.mituzasdelfi.lt>
    CC.....:
    Subject: Re: jail

    jail ip is set one of those private ip address like 172.16-19.0.0
    192.168.0.0 10.0.0.0

    and i have no rules on my firewall

    ----- Original Message -----
    From: "Domas Mituzas" <domas.mituzasdelfi.lt>
    To: "alexus" <mldb.nexgen.com>
    Cc: <cjclarkalum.mit.edu>; <freebsd-securityFreeBSD.ORG>
    Sent: Monday, November 05, 2001 2:56 AM
    Subject: Re: jail

    > Hi there,
    >
    > > i mean they can't go outside of jail to evil internet:] they can't
    > > browse they can't telnet/ssh outside they can't use irc nothing
    >
    > That depends on which jail IP address you specified, what firewall rules
    > you have on that box. Jail is a synonym for fine-tuning userland's
    > environment.
    >
    >
    > --
    > Regards,
    > Domas
    >
    >



     
    From: Anthony Atkielski (anthonyatkielski.com)
    Date: Mon Nov 05 2001 - 14:09:44 CST


    That fixed it! The sshgen step was missing; I had a vague recollection of doing
    something like that before, but I was unable to remember what it was. Your note
    explained what to do. Thanks.

    ----- Original Message -----
    From: "Noonan, Mr. Sean P." <noonansnosc.mil>
    To: "'Anthony Atkielski'" <anthonyatkielski.com>
    Cc: <freebsd-securityFreeBSD.ORG>
    Sent: Monday, November 05, 2001 18:51
    Subject: RE: SecureCRT and SSH2 on FreeBSD

    > I use CRT v3.3 with SSH2 against 4.3-STABLE without problems. Here's my
    > /etc/sshd/sshd_config and the method I use to convert the v2 key for use
    > with ssh2. Any problems email me at my personal address,
    > snoonansnoonan.com.
    >
    > P.S. - I don't allow root to login directly, but that's not the crux of your
    > problem...so it shouldn't matter...
    >
    > Good luck,
    >
    > Sean.
    >
    >
    >
    > -----Original Message-----
    > From: owner-freebsd-securityFreeBSD.ORG
    > [mailto:owner-freebsd-securityFreeBSD.ORG]On Behalf Of Anthony
    > Atkielski
    > Sent: Monday, November 05, 2001 9:14 AM
    > To: freebsd-securityFreeBSD.ORG
    > Subject: SecureCRT and SSH2 on FreeBSD
    >
    >
    > Can anyone assist me with the exact configuration for getting SecureCRT (on
    > Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to work
    > okay, and--mysteriously--SSH2 seems to work against my Web server (4.2
    > release) on the Net, but I can't connect to my own FreeBSD 4.3 server at
    > home; all I get is a message saying
    >
    > Public-key authentication with the SSH2 server for user root failed. Please
    > verify username and public/private key pair.
    >
    > Do I have to run anything to make SSH2 work, or is sshd sufficient? I have
    > telnetd disabled. I have PermitRootLogin set to without-password. root can
    > log in under SSH1, but nobody can log in under SSH2.


     
    From: Paul Lapan (paulteleshelter.com)
    Date: Mon Nov 05 2001 - 14:24:15 CST


    unsubscribe



     
    From: Matthew Dillon (dillonapollo.backplane.com)
    Date: Mon Nov 05 2001 - 15:48:52 CST


    :
    :Just a quick question..
    :
    :By default of denying all incoming/outgoing ICMP via
    :ipfw using: ipfw add 120 deny icmp from any to any
    :
    :Does it deny ICMP-REDIRECT packets?
    :
    :Bryan

        Yes, but you don't want to block all ICMP packets or you will
        break TCP connections through paths which have smaller MTUs,
        because the TCP stack will never get code 3's.

        I recommend the following. If you have a recent system also
        see 'man firewall'.

        add 120 allow icmp from any to any icmptypes 0,8,11,12,13,14
        add 121 deny icmp from any to any

                                            -Matt
                                            Matthew Dillon
                                            <dillonbackplane.com>
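
Added example (not part of the post above, and not ipfw code): a simplified first-match evaluator for the two rules quoted in the post, for checking which ICMP types such a rule pair passes, for instance type 5 (redirect, the original question) and type 3 (destination unreachable, whose code 4 "fragmentation needed" is what path MTU discovery depends on). It models only `icmptypes` matching; the names `RULES`, `evaluate`, `allowed_types` and `with_types` are assumptions of this sketch.

```python
"""Simplified model of first-match ICMP filtering (illustrative, not ipfw itself)."""

# The two rules from the post, as (rule number, action, icmptypes).
# icmptypes=None means the rule matches every ICMP type.
RULES = [
    (120, "allow", frozenset({0, 8, 11, 12, 13, 14})),
    (121, "deny", None),
]

# ICMP types (RFC 792) that matter for this discussion.
ICMP_NAMES = {
    0: "echo reply",
    3: "destination unreachable (code 4: fragmentation needed)",
    4: "source quench",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
    12: "parameter problem",
    13: "timestamp request",
    14: "timestamp reply",
}


def evaluate(icmp_type, rules=RULES, default="deny"):
    """Return (rule number, action) of the first rule that matches icmp_type."""
    for number, action, types in sorted(rules, key=lambda r: r[0]):
        if types is None or icmp_type in types:
            return number, action
    # Assumption: no other rule matches and the final default rule denies.
    return None, default


def allowed_types(rules=RULES):
    """ICMP types from ICMP_NAMES that the rule set lets through."""
    return [t for t in sorted(ICMP_NAMES) if evaluate(t, rules)[1] == "allow"]


def with_types(rules, rule_number, extra):
    """Copy of rules with extra ICMP types added to one rule, for comparison."""
    out = []
    for number, action, types in rules:
        if number == rule_number and types is not None:
            types = frozenset(types | set(extra))
        out.append((number, action, types))
    return out


if __name__ == "__main__":
    for t in sorted(ICMP_NAMES):
        number, action = evaluate(t)
        print(f"type {t:2d}  {ICMP_NAMES[t]:<55} rule {number}: {action}")
    print("allowed:", allowed_types())
    print("allowed with type 3 added to rule 120:",
          allowed_types(with_types(RULES, 120, {3})))
```

On a live host, `ipfw show` lists per-rule packet counters, which confirms what the deny rule is actually dropping.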



     
    From: Danny (eyezonmegmx.net)
    Date: Mon Nov 05 2001 - 18:15:03 CST


    From reading all the FAQs and whatnot from DJB (who seems to be quite
    the arrogant prick) it doesn't appear that there is any way of using a
    q-mail server as a relay besides running his 'tcpserver'. Is this the
    case or can I use qmail as a relay without relying on anything besides
    the 4.4 base system?



     
    From: Kris Kennaway (krisobsecurity.org)
    Date: Mon Nov 05 2001 - 19:28:24 CST


    On Mon, Nov 05, 2001 at 07:15:03PM -0500, Danny wrote:
    > From reading all the FAQs and whatnot from DJB (who seems to be quite
    > the arrogant prick) it doesn't appear that there is any way of using a
    > q-mail server as a relay besides running his 'tcpserver'. Is this the
    > case or can I use qmail as a relay without relying on anything besides
    > the 4.4 base system?

    This is not a security-related question: please don't abuse the
    mailing lists, and ask your general support questions on
    questionsFreeBSD.org.

    Kris



     
    From: Brian Behlendorf (briancollab.net)
    Date: Mon Nov 05 2001 - 19:31:53 CST


    This is really not on-topic for this list, but to answer it anyways,
    tcpserver is like inetd in that it passes along network connections to
    particular processes (in this case, qmail-smtpd) and is what listens on
    port 25 for SMTP traffic, so it is a necessary part of using qmail as your
    MTA. If all you need to do is be able to send mail, you don't even really
    need an MTA, as most modern mail clients (all the GUI ones I know of,
    pine, mutt, etc) can SMTP connect to a remote mail server.

            Brian

    On Mon, 5 Nov 2001, Danny wrote:
    > From reading all the FAQs and whatnot from DJB (who seems to be quite
    > the arrogant prick) it doesn't appear that there is any way of using a
    > q-mail server as a relay besides running his 'tcpserver'. Is this the
    > case or can I use qmail as a relay without relying on anything besides
    > the 4.4 base system?


     
    From: Jason Hunt (lethprimus.ca)
    Date: Mon Nov 05 2001 - 19:50:16 CST


    I have the following for my SecureCRT settings. I am using a password,
    not a public key, but I was having problems implementing ssh2 at first.
    My settings for the connection are as follows:

    Protocol: ssh2
    Port: 22
    Cipher: 3DES
    MAC: MD5
    Authentication: Password
    SSH Server: Standard

    When you create a new connection in SecureCRT (at least for 3.01), ssh2
    defaults to the SSH Server type of "DataFellows 2.0.13", which does not
    work. However, this may not even be the problem, since you're using a
    public key instead of password. Hope this helps.

    On Mon, 5 Nov 2001, Anthony Atkielski wrote:

    > Public-key is what I want, not password. In fact, PermitRootLogin
    > without-password supposedly prevents password authentication from being used in
    > SSH, forcing PK authentification.
    >
    > ----- Original Message -----
    > From: "alexus" <mldb.nexgen.com>
    > To: "Anthony Atkielski" <anthonyatkielski.com>; <freebsd-securityfreebsd.org>
    > Sent: Monday, November 05, 2001 18:27
    > Subject: Re: SecureCRT and SSH2 on FreeBSD
    >
    >
    > > check your secure crt configuration
    > >
    > > most likely you specify to use public key instead of password
    > >
    > > ----- Original Message -----
    > > From: "Anthony Atkielski" <anthonyatkielski.com>
    > > To: <freebsd-securityfreebsd.org>
    > > Sent: Monday, November 05, 2001 12:14 PM
    > > Subject: SecureCRT and SSH2 on FreeBSD
    > >
    > > > Can anyone assist me with the exact configuration for getting SecureCRT
    > > > (on Windows) to work with SSH2 against a FreeBSD server? I got SSH1 to
    > > > work okay, and--mysteriously--SSH2 seems to work against my Web server
    > > > (4.2 release) on the Net, but I can't connect to my own FreeBSD 4.3
    > > > server at home; all I get is a message saying
    > > >
    > > > Public-key authentication with the SSH2 server for user root failed.
    > > > Please verify username and public/private key pair.
    > > >
    > > > Do I have to run anything to make SSH2 work, or is sshd sufficient? I
    > > > have telnetd disabled. I have PermitRootLogin set to without-password.
    > > > root can log in under SSH1, but nobody can log in under SSH2.



     
    From: Carroll Kong (damascushome.com)
    Date: Mon Nov 05 2001 - 20:02:52 CST


    At 07:15 PM 11/5/01 -0500, Danny wrote:
    > From reading all the FAQs and whatnot from DJB (who seems to be quite
    > the arrogant prick) it doesn't appear that there is any way of using a
    > q-mail server as a relay besides running his 'tcpserver'. Is this the
    > case or can I use qmail as a relay without relying on anything besides
    > the 4.4 base system?

    http://www.qmail.org/man/man8/qmail-remote.html

    smtproutes seems to create a relay. Also, he highly suggests using
    tcpserver for all qmail activity, relay or not. It really is not all that
    hard to use, just use tcpserver.

    -Carroll Kong



     
    From: Eugene Grosbein (eugengrosbein.pp.ru)
    Date: Mon Nov 05 2001 - 22:03:46 CST


    Hi!

    I run local cvsup-mirror of FreeBSD CVS Repository. It runs just fine.
    I would like to provide read-only anoncvs access to the Repo and wonder
    how to make it secure. E.g. I do not want users to:

    - make brute-force attacks to /etc/master.passwd
    - touch the Repo in any way, no commits, no tags, no
      val-tags nor history nor any other file modifications.

    Is it possible?

    Eugene Grosbein



     
    From: David G Andersen (dandersecs.utah.edu)
    Date: Mon Nov 05 2001 - 22:11:20 CST


    See 'anoncvssh', from the OpenBSD project:

    http://openbsd.sunsite.ualberta.ca/papers/anoncvs-paper.ps

    Then grab the distribution:

    http://www.openbsd.org/anoncvs.shar

    Then follow the instructions in the README. Since this isn't
    a real CVS tree that you're granting access to (i.e. not one
    that you're making commits to yourself), the setup is really
    quite straightforward. Works well, is a CPU and disk bandwidth/seek
    hog, but it's super convenient for local access.
    (These are features of using CVS instead of CVSup, NOT features
    of anoncvssh. anoncvssh just gives you a more secure way of
    doing the ssh).

    If you're super paranoid, you can mount large parts of the
    CVS repository read-only.

      -Dave

    Lo and behold, Eugene Grosbein once said:
    >
    > Hi!
    >
    > I run local cvsup-mirror of FreeBSD CVS Repository. It runs just fine.
    > I would like to provide read-only anoncvs access to the Repo and wonder
    > how to make it secure. E.g. I do not want users to:
    >
    > - make brute-force attacks to /etc/master.passwd
    > - touch the Repo in any way, no commits, no tags, no
    > val-tags nor history nor any other file modifications.
    >
    > Is it possible?
    >
    > Eugene Grosbein

    -- 
    work: dgalcs.mit.edu                          me:  dgapobox.com
          MIT Laboratory for Computer Science           http://www.angio.net/
    



     
    From: Eugene Grosbein (eugengrosbein.pp.ru)
    Date: Mon Nov 05 2001 - 23:18:40 CST


    On Mon, Nov 05, 2001 at 09:11:20PM -0700, David G Andersen wrote:

    > See 'anoncvssh', from the OpenBSD project:
    > http://openbsd.sunsite.ualberta.ca/papers/anoncvs-paper.ps
    > Then grab the distribution:
    > http://www.openbsd.org/anoncvs.shar
    >
    > Then follow the instructions in the README. Since this isn't
    > a real CVS tree that you're granting access to (i.e. not one
    > that you're making commits to yourself), the setup is really
    > quite straightforward. Works well, is a CPU and disk bandwidth/seek
    > hog, but it's super convenient for local access.
    > (These are features of using CVS instead of CVSup, NOT features
    > of anoncvssh. anoncvssh just gives you a more secure way of
    > doing the ssh).
    >
    > If you're super paranoid, you can mount large parts of the
    > CVS repository read-only.

    It seems anoncvssh needs OpenBSD's cvs distribution and
    modifications of some files inside the Repo, which is what
    I would rather avoid doing. Is it safe to hack CVSROOT/*?

    And if I want to provide public access once, will I be allowed
    to limit the use of compression?

    Eugene Grosbein



     
    From: Daniel Hagan (dhagancolltech.com)
    Date: Tue Nov 06 2001 - 00:44:54 CST


    You are probably being attacked. See
    http://www.cert.org/incident_notes/IN-2001-12.html for information on
    this vulnerability.

    Daniel

    Christoph Kukulies wrote:
    >
    > I found a syslog of Nov 2, 00:30 saying:
    >
    > sshd: Local: Corrupted check bytes on input.
    >
    > Possible attack?
    >
    > What is the way to go with sshd and FreeBSD?
    >
    > --
    > Chris Christoph P. U. Kukulies kukugil.physik.rwth-aachen.de


     
    From: Alexander S. Volchenkov (volaxuh.ru)
    Date: Tue Nov 06 2001 - 01:21:40 CST


    Hello, Peter!

    > >
    > > I've just installed ssh2 and trying to implement its chroot feature.
    > > I have a problem with user login.
    > >
    > > User "dummy" is in the "chrooted" group. His home directory :
    > > /home/chrooted/dummy contains bin subdirectory with a mirror of /bin.
    > > User's shell is /bin/sh. Command: chroot /home/chrooted/dummy works fine.
    > >
    > > From /etc/sshd2_conf:
    > > -------------------------------------------
    > > AllowGroups chrooted
    > > ChRootGroups chrooted
    > > -------------------------------------------

    -------------- SKIP -----------------

    > On the server, stop any sshd's running, then run an 'sshd -d' and
    > watch its output.

    The output of sshd2 -d1:

            gate# ssh2 -l dummy gate
            dummygate's password: <password>
            Authentication successful.
            sshd2[1296]: /etc/spwd.db: No such file or directory
            debug: ssh_user_become: getpwnam: Bad file descriptor
            debug: Switching to user 'dummy' failed!
            Connection to gate closed.

    Does it mean I must provide /etc/spwd.db file in the user home directory?
    In this case, how can I create this file for single user usage?

    Thanks, Alexander S. Volchenkov (mailto:volaxuh.ru)



     
    From: Christoph Kukulies (kukugilberto.physik.RWTH-Aachen.DE)
    Date: Tue Nov 06 2001 - 01:39:34 CST


    On Tue, Nov 06, 2001 at 01:44:54AM -0500, Daniel Hagan wrote:
    > You are probably being attacked. See
    > http://www.cert.org/incident_notes/IN-2001-12.html for information on
    > this vulnerability.
    >
    > Daniel
    >
    > Christoph Kukulies wrote:
    > >
    > > I found a syslog of Nov 2, 00:30 saying:
    > >
    > > sshd: Local: Corrupted check bytes on input.

    Although it doesn't have exactly the pattern. No host that disconnected.

    I logged into the machine at that time from home via ISDN.
    Well, time anyway to switch to openssh.

    -- 
    Chris Christoph P. U. Kukulies kukugil.physik.rwth-aachen.de
    



     
    From: Peter Pentchev (roamringlet.net)
    Date: Tue Nov 06 2001 - 03:53:03 CST

  • Messages sorted by: [ date ]