Subject: Re: A couple of security-related issues.
To: Richard Rauch <firstname.lastname@example.org>
From: Manuel Bouyer <email@example.com>
Date: 12/24/2000 18:16:58
On Sat, Dec 23, 2000 at 06:09:12PM -0600, Richard Rauch wrote:
> (Please CC: replies to me; I read the lists via the web-page, which often
> While upgrading from 1.5_ALPHA from August to 1.5 (proper), I noticed some
> bumps and changes w.r.t. security. Explanations, or pointers to same,
> would be appreciated.
> * With 1.5 and OpenSSH, I get nagged about ``otp'' (One-Time
> Password, maybe?) when logging into some systems. I never got
Yes, it's One-Time Password
> pestered by this with the standard ssh from pkgsrc. After 3
> trials (and failures, since I have no idea what to enter), I
> get a standard password challenge.
> I seem to remember reading about One Time Passwords as a feature
> of kerberos. I decided that it sounded a bit over the top to
No, it's skey. It's also here for telnet and rlogin.
> remember a new, arbitrary password for every login, so I never
> went there. Can I get OpenSSH to stop this behavior, or is there
> a reason that I should want OpenSSH to do this? (Or am I missing
> the point of one-time passwords?)
> (OpenSSH only does this with some hosts. My other computer is still
> on 1.5_ALPHA with ssh[d], and doesn't do the ``otp'' stuff to me.)
> I couldn't see any options in ssh's man-page that seemed to govern
I've run into this as well, and discovered it falled back to otp when
the login is invalid. I've found several reasons for a login to be invalid:
unknown login, the shell doesn't exists (it took some time to find this
one :), ...
Check that you can properly log on the console.
> * Old /etc/security.conf had check_rhosts=NO, with a comment of
> ``Don't turn this on; malicious users can take advantage''. Now,
> it is check_rhosts=YES, with no comment. I assume that whoever
> made the change knew what they were doing; still, can someone
> (briefly) explain why it wasn't okay before, but is okay now?
I seem to remember it was an issue with symlinks and find. I don't know
the details, you may want to check the commit message for the security
> * I figured that audit-packages would be in /etc/security by now.
audit-packages is a package, it's not part of the base system.
> Did it come too late, or was it just an oversight? (I run it
> in my /etc/security, though I must admit that I don't check the
> results as often as I could. Maybe I should have security's
> output go to my main account instead of to root?)
you should forward all root mail to individual account(s). Postmaster
and abuse too.
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr