Subject: Re: A couple of security-related issues.
To: Richard Rauch <rauch@eecs.ukans.edu>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 12/27/2000 21:16:21
On Tue, Dec 26, 2000 at 04:18:05PM -0600, Richard Rauch wrote:
> [Aside: Since you asked a number of questions, I'm providing the answers
> for reference.  However, if you skim a ways down, you will see that I have
> worked out the solution to the problem with OpenSSH & the otp prompts.)

Ok :)

> [...]
> $ man ssh.conf
> man: no entry for ssh.conf in the manual.
> $ man 5 ssh.conf
> man: no entry for ssh.conf in the manual.

Hum, as I said I don't have a 1.5 system to look at right now :)
> 
> (Hm, that word ``no'' should probably be capitalized, as long as we have a
> period to end the ``sentence''.  (^&  Of course, then, we need to add a
> verb.  ``man: No entry was found in the manual for %s.'', perhaps?  Or, if
> one prefers, ``man: No entry for %s was found in the manual.'')
> 
> 
> However, on a second pass through ssh's man-page, I looked for
> skey.  (Previously, not knowing that it was skey-related, I had looked for
> otp/OTP, and expansions thereof.  The otp prompt _really_ should mention
> something about skey!  IMHO.)
> 
> Anyway, the /etc/ssh.conf option that one needs
> is: SkeyAuthentication.  Under OpenSSH, this option exists and defaults to
> an annoying ``yes''.  It is unexampled in the commented out lines in
> /etc/ssh.conf, so you really need to know what to look for in the man-page
> to figure it out.

Also note that telnet or rlogin can detect if the user has an skey entry
or not, and only ask for the OTP when needed. sshd shouldn't ask for an OTP
when there's none.


> [...]
> Still, we have (if commented-out) /usr/pkg/etc/rc.d/apache referenced from
> rc.local.  And do you object to /etc/man.conf referring to /usr/pkg
> directories?  (^&  As long as the obvious does-it-exist check is made, it
> seems reasonable to use audit-packages in the daily security run.  The
> leap does not seem so large to me.

Better would be to have a security.local or something like this.

> 
> 
> I do read them.  Regular as a broken clock, even!  (^&  (Seriously,
> sometimes I let a week or more go by, but I generally read root's mail
> from time to time, precisely because of things like the daily security
> report---which on my system _does_ include audit-packages.  And I don't
> really want to have it jammed into my regular mailbox.  I just don't read 
> root's mail on a _daily_ basis.)

I prefer to read them daily. Especially the fsck run from the daily script
pointed to a broken disk one time or two, better to see this sooner than
later :) There's also postmaster mail which can point you to a problem on
the mail server. Root mail can also point to a problem in a crontab, which you
may want to fix ASAP ...

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--