Re: [techtalk] How to make man pages?
> I'm working on a program and I would like to create man pages for
> it. Does anyone know where I could find a document that outlines how to
> create one (or several)? I'm totally lost. :^(
>
> Thanks in advance,
>
> Stephan

I have never used it, but I'm told that docbook can do wonders in that respect - it can generate html, ps, and man output among others. If you want to have choices regarding the output format, try that.

Britta

___
techtalk mailing list
[EMAIL PROTECTED]
http://www.linux.org.uk/mailman/listinfo/techtalk
[techtalk] Perl debugger advice needed
How can you go to a particular line in a program and execute it and the following lines? I want to jump over a loop and examine the contents of the hash table and then move on. I know it is line number something but the something part I can't remember.

Thanks,
Lynn
RE: [techtalk] Perl debugger advice needed
Lynn Kuhlman, [EMAIL PROTECTED] said:
> How can you go to a particular line in a program and execute it and the
> following lines? I want to jump over a loop and examine the contents of
> the hash table and then move on. I know it is line number something but
> the something part I can't remember.

According to man perldebug and the h command in the debugger, you probably want to use the c (for continue) command. Supposing your loop ends at line 20, you'd do

c 20

which means continue to line 20. This'll land you at the end of the loop, line 20, without stopping along the way. Then, you can do examining, then n, s, or more c (c without arguments goes to the next breakpoint or the end of the program) to keep going.

(Note that this won't actually skip the execution of the loop, it just won't stop there. I don't know if you can tell the debugger not to run stuff; I usually just comment it out)
Re: [techtalk] Perl debugger advice needed
On Fri, 7 Jul 2000, Lynn Kuhlman wrote:
> How can you go to a particular line in a program and execute it and the
> following lines? I want to jump over a loop and examine the contents of
> the hash table and then move on.

At the debugger prompt type 'b line-no' where line-no is the number of some line after the loop. Type c to run your script and stop at line-no. When you are through, type c again to move on.

If you like a debugger with a GUI try ddd
http://www.gnu.org/software/ddd/ddd.html

bye
Anmol
[techtalk] login restriction
Hello all-

Does anyone know how to restrict users on a RHL 6.0 box from being able to actually login? I know this sounds strange, but hear me out. I have this new mailserver up, and I want people to be able to POP to it to retrieve mail, but not anything else. I had thought the way to do this was through the /etc/security/access.conf, and indeed that file seems to say that's what it's for, yet when I add a rule to it like:

-:username:ALL

that user can still login. Any ideas?

Thanks,
Brian

PS-If I could at least make it so that they couldn't login via telnet, THAT would be a big help...
[techtalk] Hi
Hi,
I just joined this mailing list and thought I'd say hello.

A little about:
Name : Bill
Age 31
gender Male

I have been using linux a long time, I am a member of TLUG and CLC.

Bill
RE: [techtalk] login restriction
> Does anyone know how to restrict users on a RHL 6.0 box from being able to
> actually login? I know this sounds strange, but hear me out. I have this
> new mailserver up, and I want people to be able to POP to it to retrieve
> mail, but not anything else. I had thought the way to do this was through
> the /etc/security/access.conf, and indeed that file seems to say that's what
> it's for, yet when I add a rule to it like:
>
> -:username:ALL
>
> that user can still login. Any ideas?

Yes. It's very simple. Edit the /etc/passwd file. The last field of each user is the program to be executed at login. It is usually /bin/sh, /bin/bash, or something of the like. If you change this for /bin/false then they won't be able to telnet in.

Samantha
Re: [techtalk] login restriction
Brian Sweeney wrote:
>
> Hello all-
>
> Does anyone know how to restrict users on a RHL 6.0 box from being able to
> actually login?

> PS-If I could at least make it so that they couldn't login via telnet, THAT
> would be a big help...

edit /etc/inetd.conf (as root). turn off rlogind and telnetd. (ie, comment out the lines that call rlogind and telnetd by putting a "#" in front of them: the results should look like this:

# login stream tcp nowait root /usr/sbin/tcpd in.rlogind -a

all on one line)

then do a 'killall -HUP inetd' as root.

i assume redhat puts inetd.conf in /etc; don't know for sure, i use suse. redhat seems to break many things.

you seem to be confusing security with network services. try reading the inetd man page; it may help to clear up some misconceptions. access.conf controls what /already existing/ services users can login to; inetd.conf controls what services are actually run.

also, did you try HUP'ing inetd or what have you after you made the changes to access.conf? it may just be that the daemons don't recognize the configuration changes, but ultimately trimming down your inetd.conf will be better for security, anyway.

(hint: rlogind and telnetd are big security weaknesses. properly managed sshd with good logging facilities is a much better solution even if you do decide you must let people log in remotely.)
Re: [techtalk] login restriction
Samantha Jo Moore wrote:
>
> > Does anyone know how to restrict users on a RHL 6.0 box from being able to
> > actually login? I know this sounds strange, but hear me out. I have this
> > new mailserver up, and I want people to be able to POP to it to retrieve
> > mail, but not anything else. I had thought the way to do this was through
> > the /etc/security/access.conf, and indeed that file seems to say that's what
> > it's for, yet when I add a rule to it like:
> >
> > -:username:ALL
> >
> > that user can still login. Any ideas?
>
> Yes. It's very simple. Edit the /etc/passwd file. The last field of each
> user is the program to be executed at login. It is usually /bin/sh, /bin/bash,
> or something of the like. If you change this for /bin/false then they won't
> be able to telnet in.

yeah, but it still leaves rlogind and telnetd flapping in the wind. can you say "telnet to port 25", boys and girls?

gaping security flaws are /bad/.
Re: [techtalk] login restriction
Hi Brian and all,

On Fri, Jul 07, 2000 at 01:52:46PM -0400 you wrote the following:
>
> Does anyone know how to restrict users on a RHL 6.0 box from being able to
> actually login? I know this sounds strange, but hear me out. I have this

What about /bin/nologin, /bin/false or something similar as login-shell in /etc/passwd?

If you want to disable non-root-logins completely, some distributions (c.f. the pam-configfile for login -- /etc/pam.d/login or similar) check, whether a /etc/nologin-file exists. However, I wouldn't recommend this because even a sysadmin shouldn't do everything as root.

Greets
Patricia
Re: [techtalk] login restriction
Hi!

On Fri, Jul 07, 2000 at 01:52:46PM -0400, Brian Sweeney wrote:
> Does anyone know how to restrict users on a RHL 6.0 box from being able to
> actually login? I know this sounds strange, but hear me out. I have this
> new mailserver up, and I want people to be able to POP to it to retrieve
> mail, but not anything else. I had thought the way to do this was through
> the /etc/security/access.conf, and indeed that file seems to say that's what

It should be possible to set their login shell to /bin/false but be careful to not allow ftp !!!

Regards,
Eva

--
Eva Fenrich
Fachschaft Umweltschutztechnik
FachschaftsvertreterInnenversammlung
Universitaet Stuttgart
[EMAIL PROTECTED]

Non quia difficilia sunt non audemus, sed quia non audemus difficilia sunt. L.A. Seneca
RE: [techtalk] login restriction
Susannah D. Rosenberg, [EMAIL PROTECTED], said:
> yeah, but it still leaves rlogind and telnetd flapping in the wind. can
> you say "telnet to port 25", boys and girls?
>
> gaping security flaws are /bad/.

Taking out rlogind and telnetd won't close port 25. And I'm assuming a mail server would like to leave the smtp port open.
Re: [techtalk] Hi
Welcome aboard

- Original Message -
From: "bill t" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 07, 2000 1:44 PM
Subject: [techtalk] Hi

> Hi,
> I just joined this mailing list and thought I'd say hello.
>
> A little about:
> Name : Bill
> Age 31
> gender Male
>
> I have been using linux a long time, I am a member of TLUG and CLC.
>
> Bill
security blather Re: [techtalk] login restriction
"Fan, Laurel" wrote:
>
> Susannah D. Rosenberg, [EMAIL PROTECTED], said:
> > yeah, but it still leaves rlogind and telnetd flapping in the wind. can
> > you say "telnet to port 25", boys and girls?
> >
> > gaping security flaws are /bad/.
>
> Taking out rlogind and telnetd won't close port 25. And I'm assuming a
> mail server would like to leave the smtp port open.

yep. but there's a difference between being able to /telnet/ to port 25, and opening an smtp connection to port 25.

granted, the best way to really make sure that packets heading for specific ports are properly formatted is to do really intense, packet/socket filtering via firewall (Checkpoint's Firewall-1 can do this, as I believe can a few others), but the less services you have running the less chance you have for this kind of attack.

telnetd (and to a lesser extent) rlogind are /bad/. without using them in the intended manner, they can be used to gather lots of information about target systems, and to attack and exploit them. there are much better methods of logging in remotely (ssh!), and telnet especially can be used in all kinds of information gathering, attacks, exploits, etc, etc.

everyone knows what a horrible security hole finger is, right? telnet and rlogin are just as risky. there's absolutely no reason to leave them running.

(then again, blind trust in ssh is foolish as well, but properly administered it's much better than telnet. the trick is the whole "trusted hosts" bit, but that's always a weak point in crypto, anyway)

(btw: am i the /only/ one who turns off nearly everything in /etc/inetd.conf by default? is people's general security consciousness this bad? if you haven't already edited your default inetd.conf, try portscanning yourself sometime [nmap's a good tool for this -- www.insecure.org if your distro doesn't have it standard]. you'd be amazed to see the kind of things that a default install of, say, redhat, leaves flapping in the wind. mmm. port 6000!

even scarier, try doing a /UDP/ scan on yourself. if the scan comes up with a good eight, nine, ten services you don't even /use/ coming back -- be scared. be /very/ scared.)
[techtalk] yet another solaris question ...
Hi chix!

While we're discussing the passwd file, i have a problem. I didn't really know another way to set my PATH automatically other than appending it to my shell line in my passwd file, like this:

jellhead:x:100:1::/export/home/jellhead:/usr/local/bin/tcsh;setenv PATH /usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin

This worked for me in linux in the past, but my Solaris Sparc server doesn't like it (i can't log in as jellhead anymore). Does anyone know a good alternative? I've considered a few other things, but i'm a little intimidated by this funky Solaris box ...

# begin horror story
Last time i made changes to my passwd file on this server, i decided i was really, really tired of using sh, so i decided to set my SHELL in the passwd file to /usr/local/bin/tcsh. Unfortunately i mistyped the path, and it was after i *saved the file and logged off* and tried to log back in using my new settings that i discovered NO ONE HAS ROOT ACCESS TO THE THING ANYMORE!! We had to go over to the rack (this is a Sun Netra1) and boot the thing off the CD to fix it. Luckily the sysadmins involved (i'm not the sysadmin, i'm the webmaster) didn't give me *too* hard of a time :-)
# end horror story

Thanx!

~Christian

» Christian MacAuley » [EMAIL PROTECTED] » http://jellspace.net
Re: [techtalk] yet another solaris question ...
Amanda Owens wrote:
>
> You should be able to set your path in a .bashrc or .cshrc file (depending
> on your shell, I suppose - I seem to have both on my linux box at home,
> though we run from a .cshrc file at work).
>
> In a .bashrc the line would be:
>
> export PATH=/usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin
>
> While a .cshrc would use:
> set PATH=/usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin
> or
> setenv PATH /usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin
>
> Given that you're running tcsh, you'll probably need the .cshrc file. This
> file is also good for setting up aliases and the like.

yep, but a small addendum: it's probably better to do

set PATH=$PATH:/extra/stuff/goes/here:/more/stuff/here/too

than to just copy the existing path and then add to it; that way, if various sysadminny things need to modify the path that's in /etc/passwd, they still can, and the .cshrc just sources the standard path and adds to it.

(um, the syntax for that may be slightly off. i use bash more or less exclusively)
RE: security blather Re: [techtalk] login restriction
Susannah D. Rosenberg, [EMAIL PROTECTED], said:
> yep. but there's a difference between being able to /telnet/ to port 25,
> and opening an smtp connection to port 25.

No, there is not. Unless by "telnet" you mean something besides "run a program named telnet and connect to port 25". (In which case, what do you mean?)

If I can, from my computer, open an "smtp connection" to port 25 on somehost, I can run "telnet somehost 25". Neither of which has anything at all to do with telnetd.

There is nothing inherently insecure about a port or a protocol. All that matters is what the program on the other end does with it.
Re: [techtalk] yet another solaris question ...
> > Given that you're running tcsh, you'll probably need the .cshrc file. This
> > file is also good for setting up aliases and the like.

Oddly no such file exists on this infernal contraption. Grrr. I added my line to the /etc/.login script instead, and it works fine :-)

> yep, but a small addendum: it's probably better to do
> set PATH=$PATH:/extra/stuff/goes/here:/more/stuff/here/too
> then to just copy the existing path and then add to it; that way, if
> various sysadminny things need to modify the path that's in /etc/passwd,
> they still can, and the .cshrc just sources the standard path and adds
> to it.

Yes, yes. Good idea :-)

Thanx grrls!

~Christian

» Christian MacAuley » [EMAIL PROTECTED] » http://jellspace.net
Re: [techtalk] yet another solaris question ...
You should be able to set your path in a .bashrc or .cshrc file (depending on your shell, I suppose - I seem to have both on my linux box at home, though we run from a .cshrc file at work).

In a .bashrc the line would be:

export PATH=/usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin

While a .cshrc would use:
set PATH=/usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin
or
setenv PATH /usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin

Given that you're running tcsh, you'll probably need the .cshrc file. This file is also good for setting up aliases and the like.

HTH.

Mur!

On Fri, 7 Jul 2000, Christian MacAuley wrote:
> Hi chix!
>
> While we're discussing the passwd file, i have a problem. I didn't
> really know another way to set my PATH automatically other than
> appending it to my shell line in my passwd file, like this:
>
> jellhead:x:100:1::/export/home/jellhead:/usr/local/bin/tcsh;setenv
> PATH /usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin
>
> This worked for me in linux in the past, but my Solaris Sparc server
> doesn't like it (i can't log in as jellhead anymore). Does anyone
> know a good alternative? I've considered a few other things, but i'm
> a little intimidated by this funky Solaris box ...
>
> # begin horror story
> Last time i made changes to my passwd file on this server, i decided i
> was really, really tired of using sh, so i decided to set my SHELL in
> the passwd file to /usr/local/bin/tcsh. Unfortunately i mistyped the
> path, and it was after i *saved the file and logged off* and tried to
> log back in using my new settings that i discovered NO ONE HAS ROOT
> ACCESS TO THE THING ANYMORE!! We had to go over to the rack (this is
> a Sun Netra1) and boot the thing off the CD to fix it. Luckily the
> sysadmins involved (i'm not the sysadmin, i'm the webmaster) didn't
> give me *too* hard of a time :-)
> # end horror story
>
> Thanx!
>
> ~Christian
>
> » Christian MacAuley » [EMAIL PROTECTED] » http://jellspace.net
Re: [techtalk] login restriction
On Fri, 7 Jul 2000 13:52:46 -0400, "Brian Sweeney" <[EMAIL PROTECTED]> said:

> Does anyone know how to restrict users on a RHL 6.0 box from being able to
> actually login?

RH 6.0 has so many security flaws that you simply should not run it in an open environment. Upgrading bind is absolutely essential because the version of bind shipped with 6.0 is vulnerable to a compromise that gives the intruder root access. You should probably upgrade to at least 6.1 and preferably 6.2, and read up thoroughly on security issues.

> I know this sounds strange, but hear me out. I have this new
> mailserver up, and I want people to be able to POP to it to retrieve
> mail, but not anything else.

Disable telnetd and rlogind. (You should do this anyway; if you want to allow remote access to your box, make people use sshd.) The easiest way to do this is to edit /etc/inetd.conf and comment out the lines that enable telnetd and rlogind, then killall -HUP inetd.

Kelly
Re: security blather Re: [techtalk] login restriction
On Fri, 7 Jul 2000 15:14:59 -0400 , "Fan, Laurel" <[EMAIL PROTECTED]> said:

> If I can, from my computer, open an "smtp connection" to port 25 on
> somehost, I can run "telnet somehost 25". Neither of which has
> anything at all to do with telnetd.

I am indeed at a loss to tell how a firewall could tell a connection to port 25 that originates from a MTA from one that originates from some other sort of socket opening program. The TCP protocol doesn't tell you squat about what the program opening the socket intends to do with it. Admittedly, a firewall _could_ terminate a SMTP session that doesn't "act right", but it can't tell that until the connection has been established and some data has been exchanged. Unless, of course, someone has a "psychic firewall" out there that I haven't heard about.

Kelly
RE: [techtalk] login restriction
in inetd.conf - turn off all services you don't want. This includes rlogin, rtelnet, and telnet.
in /etc/passwd set the last to /dev/null
use tcpwrappers on all incoming services you left open (via inetd.conf).
Do not run any stand alone servers you don't trust.

That is all.

Bill

On Fri, 7 Jul 2000 14:12:06 -0400 , Fan, Laurel wrote:
> Susannah D. Rosenberg, [EMAIL PROTECTED], said:
> > yeah, but it still leaves rlogind and telnetd flapping in the wind. can
> > you say "telnet to port 25", boys and girls?
> >
> > gaping security flaws are /bad/.
>
> Taking out rlogind and telnetd won't close port 25. And I'm assuming a
> mail server would like to leave the smtp port open.
Re: security blather Re: [techtalk] login restriction
[EMAIL PROTECTED] wrote:
>
> On Fri, 7 Jul 2000 15:14:59 -0400 , "Fan, Laurel" <[EMAIL PROTECTED]> said:
>
> >If I can, from my computer, open an "smtp connection" to port 25 on
> >somehost, I can run "telnet somehost 25". Neither of which has
> >anything at all to do with telnetd.
>
> I am indeed at a loss to tell how a firewall could tell a connection
> to port 25 that originates from a MTA from one that originates from
> some other sort of socket opening program. The TCP protocol doesn't
> tell you squat about what the program opening the socket intends to do
> with it. Admittedly, a firewall _could_ terminate a SMTP session that
> doesn't "act right", but it can't tell that until the connection has
> been established and some data has been exchanged. Unless, of course,
> someone has a "psychic firewall" out there that I haven't heard about.

erm...

packet filtering mean anything to you?

basically, said firewall takes in said packet destined for port X. it scans through/reads the signature of said packet (ie, headers, footers, neat stuff like that), and then decides whether or not to forward it on.

there are even more sophisticated things you can do with this (a good example is NFR, network Flight Recorder, which is basically a "psychic firewall" designed to recognize and filter on known security exploits -- ie, "does this packet look like this known script-kiddie attack?")

in fact, this is really just a more complicated version of how cisco routers do access-list filtering, from what i can tell.
Re: security blather Re: [techtalk] login restriction
On Fri, 07 Jul 2000 16:34:30 -0400, "Susannah D. Rosenberg" <[EMAIL PROTECTED]> said:

> packet filtering mean anything to you?

I understand the concept. I'm stating that there's no way you can tell a TCP SYN on port 25 from an MTA from a TCP SYN on port 25 from telnet. They look exactly the same.

Kelly
Re: [techtalk] login restriction
On Fri, Jul 07, 2000 at 01:54:41PM -0400, Susannah D. Rosenberg wrote:
> yeah, but it still leaves rlogind and telnetd flapping in the wind. can
> you say "telnet to port 25", boys and girls?
>
> gaping security flaws are /bad/.

This has been discussed a bit already, but I think there's some deep misunderstanding going on. You can delete telnetd and rlogind, and still be able to telnet to port 25. Using a telnet client to connect to port 25 -- it has nothing to do with a telnet server (unless your system is configured very strangely). You're connecting to sendmail, exim, qmail-smtpd, or some other SMTP server. telnetd isn't relevant in this case.

Now, telnetd should certainly be disabled, but if you don't want certain people logging in at all, do the shell trick as well. It works fine for ssh as well.

--
Aaron Malone ([EMAIL PROTECTED])
System Administrator
Poplar Bluff Internet, Inc.
http://www.semo.net

I can bend minds with my spoon.
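Added example, not part of any post in this thread: a small shell audit of the two settings the replies recommend, listing telnet, login (rlogind) and finger lines still active in inetd.conf and passwd accounts that still have a usable shell, plus passwd lines broken by text appended to the shell field. The sample files are constructed, and treating UIDs from 500 up as ordinary users is an assumption.

```shell
#!/bin/sh
# Added example: audit inetd.conf and passwd for the settings discussed in
# the thread. All sample data below is constructed for illustration.

# Print the service name of every inetd.conf line that is still active.
# Format: service socket-type protocol wait-flag user server [args]
enabled_inetd_services() {
    awk '/^[ \t]*#/ { next }      # a leading "#" means the service is off
         NF >= 6    { print $1 }' "$1"
}

# Of the active services, print the ones the thread says to turn off:
# telnet (in.telnetd), login (in.rlogind) and finger.
risky_inetd_services() {
    enabled_inetd_services "$1" |
        awk '$1 == "telnet" || $1 == "login" || $1 == "finger"'
}

# Print the user name of passwd lines that do not have exactly 7 fields,
# e.g. a shell field with extra ":"-separated text appended to it.
malformed_passwd_lines() {
    awk -F: 'NF > 0 && NF != 7 { print $1 }' "$1"
}

# Print "user:shell" for accounts with UID >= $2 (assumed default: 500)
# whose shell field still permits an interactive login.
# An empty shell field means the system default, /bin/sh.
interactive_accounts() {
    awk -F: -v min="${2:-500}" '
        NF != 7 || $3 + 0 < min + 0 { next }
        {
            shell = ($7 == "") ? "/bin/sh" : $7
            if (shell != "/bin/false" && shell != "/bin/nologin" &&
                shell != "/sbin/nologin" && shell != "/dev/null")
                print $1 ":" shell
        }' "$1"
}

# Write constructed sample files into directory $1.
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample, not taken from a real host
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
# login stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind -a
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:501:501::/home/alice:/bin/false
bob:x:502:502::/home/bob:/bin/bash
carol:x:503:503::/home/carol:
dave:x:504:504::/home/dave:/usr/local/bin/tcsh;setenv PATH /usr/sbin:/usr/bin
EOF
}

# Print a three-line summary for the given inetd.conf ($1) and passwd ($2).
report() {
    echo "disable in inetd.conf: $(risky_inetd_services "$1" | tr '\n' ' ')"
    echo "can still log in:      $(interactive_accounts "$2" | tr '\n' ' ')"
    echo "malformed passwd line: $(malformed_passwd_lines "$2" | tr '\n' ' ')"
}

tmp=$(mktemp -d) && write_samples "$tmp" &&
    report "$tmp/inetd.conf" "$tmp/passwd"
rm -rf "$tmp"
```

On a real host the functions take /etc/inetd.conf and /etc/passwd as arguments; inetd still needs the HUP described in the thread before a commented-out line takes effect.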
Re: [techtalk] login restriction
Aaron Malone wrote:
>
> On Fri, Jul 07, 2000 at 01:54:41PM -0400, Susannah D. Rosenberg wrote:
> > yeah, but it still leaves rlogind and telnetd flapping in the wind. can
> > you say "telnet to port 25", boys and girls?
> >
> > gaping security flaws are /bad/.
>
> This has been discussed a bit already, but I think there's some deep
> misunderstanding going on. You can delete telnetd and rlogind, and
> still be able to telnet to port 25. Using a telnet client to connect
> to port 25 -- it has nothing to do with a telnet server (unless your
> system is configured very strangely). You're connecting to sendmail,
> exim, qmail-smtpd, or some other SMTP server. telnetd isn't relevant
> in this case.

gar. feh. re-reading what i wrote: yes, you're right. damn, i've been playing around with packet filtering and IPSec too much lately.

[what i have been doing in my Copious Free Time: trying to come up with a way to re-architect an absurdly FUBARed LAN /and/ add security in a way that will not disrupt its current functionality. i've been up for... um... a long time. you know you've drunk too much caffeine when the phrase "no service udp-small-monkeys" makes some bizarre sort of sense. ... access-lists.]

> Now, telnetd should certainly be disabled, but if you don't want
> certain people logging in at all, do the shell trick as well. It
> works fine for ssh as well.

yeah, but it's still a slightly dodgy way of doing it, imho. the etc/security/access.conf thing is probably a better way of doing it, or putting people into a group that has restricted access.
RE: [techtalk] login restriction
Hey all-

Thanks everyone for the responses; the setting login to /bin/false is a neat trick. Also, FYI to those who feared for the security of my server, I DO have a firewall implemented, and this machine is behind it. I don't have to worry as much about what ports are open where b/c the firewall only lets SMTP traffic connect to the server from the outside world, and it has some decent anti-spoofing in case someone tries to pretend they're on my team. ;-). I was really just concerned with some dumb-luck user reading about a "nifty telnet thingy" on the web and doing damage purely by accident. Hence my wanting to lock them out. I do try and be of the minimalist school whenever possible "If they don't NEED it, don't give it...". Oh, and I typoed before; I'm running RHL6.1...but thanks for the tips on 6.0, I didn't realize it was so bad. *SIGH* too many servers to administer...;-)

Does anybody know, on a side note, why the /etc/security/access.conf file is there by default, to be used by PAM, even though it apparently doesn't do anything?

-Brian
Re: [techtalk] login restriction
On Fri, Jul 07, 2000 at 05:10:21PM -0400, Susannah D. Rosenberg wrote:
> yeah, but it's still a slightly dodgy way of doing it, imho. the
> etc/security/access.conf thing is probably a better way of doing it, or
> putting people into a group that has restricted access.

Just out of curiosity, could you give some justification for the above statements? I'm just wondering what your reasoning is here. :)

--
Aaron Malone ([EMAIL PROTECTED])
System Administrator
Poplar Bluff Internet, Inc.
http://www.semo.net

I can bend minds with my spoon.
[techtalk] Using Putty to connect to SSH
I am new to using SSH, and when I try to use putty to connect to my linux server at home from work, the window appears, and disappears immediately. I tried using telnet to connect to the SSH port and all that happens is the following string appears at the top of the telnet window (leading me to believe I am getting through the firewall)

SSH-2.0-2.0.13 (non-commercial)

I am not sure if I have setup my ssh2d server properly.. I basically just built it, and ran it. I can ssh2 localhost and log in fine from a telnet window onto that machine.

Thanks for your help,
Adrian
[techtalk] Hello from a Newbie!
Hello all

I have just signed up for this list today, so I thought I should say hello and tell you a little about myself. I have just finished my Chemistry degree and I am working as a research assistant at Brock University in St. Catharines. Soon I will be headed out to Halifax to do some graduate work. (or be a prof's slave how ever you want to look at it)

Anyway, I have just been using linux for the past year and I feel like I have barely started climbing the learning curve. I have to admit that I have never taken a single computer course and I know a minimal amount about how computers REALLY work. I started using linux because I am too poor to buy software from Bill Gates. It has been a great learning experience and I have come to really appreciate the open source concept.

I have to say as a newbie to the linux community it is difficult to find a mailing list where people actually provide each other with useful (non-condescending) advice...but everyone seems really helpful here...so thank you! On other lists I have been hesitant to ask questions for fear of getting a strip torn out of me for asking too basic a question...not to mention I don't usually understand what people suggest I do.

Now for my Query

I would like to restrict telnet access to my computer to only a few IP addresses. In order to do this I edited the hosts.deny file with ALL:ALL, and the hosts.allow file with the IP addresses which I wanted to allow access. Unfortunately this doesn't seem to work. Is there another way to restrict access? If there is how do I do it?

Thank you for anything you can offer.

P.S. Sorry about the length of my posting.

---
Paul Ragogna    Phone: (905)688-5550 ext. 3410
Dept. of Chemistry    e-mail: [EMAIL PROTECTED]
Brock University, 500 Glenridge Ave.
St. Catharines, ON, L2S 3A1

"Great spirits have always encountered violent opposition from mediocre minds" -Albert Einstein-
Re: [techtalk] login restriction
Aaron Malone wrote:
>
> On Fri, Jul 07, 2000 at 05:10:21PM -0400, Susannah D. Rosenberg wrote:
> > yeah, but it's still a slightly dodgy way of doing it, imho. the
> > etc/security/access.conf thing is probably a better way of doing it, or
> > putting people into a group that has restricted access.
>
> Just out of curiosity, could you give some justification for the above
> statements? I'm just wondering what your reasoning is here. :)

maybe "dodgy" is a bad word. "non-extensible" and "kludge" might be better. it probably comes down to the fact that, personally, i don't like to fsck around with things like /etc/passwd if i don't have to. call me paranoid; for some reason, it always makes me nervous. then again, i like to do as little as root as humanly possible. okay, i guess i am paranoid. :)

i also remember once when a main server at work went down, for some reason prompting the sysadmin to set everyone /bin/false, being totally unable to start up X-Windows (server, not client programs hosted on said downed server), nor being able to access anything in my home directory (which was NFS mounted, so very likely not caused by /bin/false). i'm not entirely sure why this happened, but call it bad experience trauma. :)
Re: [techtalk] login restriction
Brian Sweeney wrote: > > Hey all- > > Thanks everyone for the responses; the setting login to /bin/false is a neat > trick. Also, FYI to those who feared for the security of my server, I DO > have a firewall implemented, and this machine is behind it. I don't have to > worry as much about what ports are open where b/c the firewall only lets > SMTP traffic connect to the server from the outside world, and it has some > decent anti-spoofing in case someone tries to pretend their on my team. ;-). > I was really just concerned with some dumb-luck user reading about a "nifty > telnet thingy" on the web and doing damage purely by accident. Hence my > wanting to lock them out. I do try and be of the minimalist school whenever > possible "If they don't NEED it, don't give it...". Oh, and I typoed > before; I'm running RHL6.1...but thanks for the tips on 6.0, I didn't > realize it was so bad. *SIGH* too many servers to administer...;-) > > Does anybody know, on a side note, why the /etc/security/access.conf file is > there by default, to be used by PAM, even though it apparently doesn't do > anything? well, i've never actually played around with the file before (yet), but one of the lines in my default seems to be involve denying console logins to all but certain accounts, only letting certain people login remotely, etc, etc. it /looks/ very similar to a by-user-account/group version of /etc/hosts.deny ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
Re: [techtalk] login restriction
On Fri, Jul 07, 2000 at 05:36:41PM -0400, Susannah D. Rosenberg wrote: > maybe "dodgy" is a bad word. "non-extensible" and "klduge" might be > better. it probably comes down to the fact that, personally, i don't > like to fsck around with things like /etc/passwd if i don't have to. > call me paranoid; for some reason, it always makes me nervous. then > again, i like to do as little as root as humanly possible. okay, i guess > i am paranoid. :) Well, you never have to directly touch /etc/passwd for this. man chsh. And I must confess I'm not really sure what you mean by "non-extensible". Extensibility is certainly important in protocols and filespecs, but I just don't see it as an issue here, where all I want to do is restrict people from logging in via telnet/ssh/ftp (well, maybe ftp). Incidentally, does the /etc/security/access.conf thing work with ssh? I just tried disabling my access to our mail server, but it still let me in. I didn't spend much time on the docs, maybe I did it wrong. :) -- Aaron Malone ([EMAIL PROTECTED]) System Administrator"We learn from history that we learn Poplar Bluff Internet, Inc.nothing from history." http://www.semo.net --George Bernard Shaw ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
[techtalk] restricting IP
Paul Ragogna wrote: > Now for my Query > > I would like to restrict telnet access to my computer to only a few IP > addresses. In order to do this I edited the hosts.deny fill with ALL:ALL, > and the hosts.allow file with the IP adresses which I wanted to allow > access. Unfortunately this doesn't seem to work. Is there another way > to restrict access? If there is how do I do it? i hate to be repetitive, but, um, did you HUP the server after editing the file? yeah, i know, it's basic and silly, but i wouldn't suggest it if i hadn't made the same mistake myself occasionally. (try, as root or appropriately empowered user: 'killall -HUP inetd'.) also, to again be repetitive: telnet, nn! ssh forever! ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
Re: [techtalk] Using Putty to connect to SSH
> I am new to using SSH, and when I try to use putty to connect to my linux server > at home from work, the window appears, and dissapears immediately. I tried using > telnet to connect to the SSH port and all that happens is the following string > appears at the top of the telnet window (leading me to believe I am getting > through the firewall) > > SSH-2.0-2.0.13 (non-commercial) (from http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html) Question: Does PuTTY support the SSH 2 protocol? Answer: Not yet. I hope it will soon. so the question is, are you set up to support ssh2 with ssh1 compatibility..check out http://www.onsight.com/faq/ssh/ssh-faq-9.html#ss9.4 Hope this helps. Vinnie ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
Re: [techtalk] Hello from a Newbie!
On Fri, 7 Jul 2000, Paul Ragogna wrote: > I would like to restrict telnet access to my computer to only a few IP > addresses. In order to do this I edited the hosts.deny fill with ALL:ALL, > and the hosts.allow file with the IP adresses which I wanted to allow > access. Unfortunately this doesn't seem to work. Is there another way > to restrict access? If there is how do I do it? that sounds about right...how is it not working (i.e. letting everyone in? letting no one in? -- what happens if you have nothing in hosts.allow?) Vinnie ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
[techtalk] IHTML and Apache on RH6.1
Has anyone tried installing IHtml? Specifically, with Apache 1.3.9-8 on RH 6.1? The owner wants to try IHtml Merchant, which must first have IHtml installed. Apache was already compiled with shared objects enabled, so I installed IHtml as per the instructions, then restarted Apache, and it wouldn't restart. I tried commenting out the LoadModule lines that the installation added, and it still wouldn't restart. After various fiddling by me and the system admin, we finally had to remove the httpd.conf file and replace it with a backup copy. We even had to use a tape backup copy because the backup that IHtml made wasn't really a backup copy, it had the LoadModule line for IHtml in it as well. Has anyone had any luck with this? Amy | [EMAIL PROTECTED] ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
Re: [techtalk] login restriction
On Fri, Jul 07, 2000 at 04:45:02PM -0500, Aaron Malone wrote: > Incidentally, does the /etc/security/access.conf thing work with ssh? > I just tried disabling my access to our mail server, but it still let > me in. I didn't spend much time on the docs, maybe I did it wrong. :) To answer my own question, it seems /etc/security/access.conf and its brethren (sisthren?) are a PAM component. AFAIK, ssh doesn't use PAM, so access.conf is useless for restricting SSH logins. -- Aaron Malone ([EMAIL PROTECTED]) System Administrator"We learn from history that we learn Poplar Bluff Internet, Inc.nothing from history." http://www.semo.net --George Bernard Shaw ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
Re: [techtalk] login restriction
Aaron Malone wrote: > > On Fri, Jul 07, 2000 at 05:36:41PM -0400, Susannah D. Rosenberg wrote: > > maybe "dodgy" is a bad word. "non-extensible" and "klduge" might be > > better. it probably comes down to the fact that, personally, i don't > > like to fsck around with things like /etc/passwd if i don't have to. > > call me paranoid; for some reason, it always makes me nervous. then > > again, i like to do as little as root as humanly possible. okay, i guess > > i am paranoid. :) > > Well, you never have to directly touch /etc/passwd for this. man > chsh. And I must confess I'm not really sure what you mean by > "non-extensible". Extensibility is certainly important in protocols > and filespecs, but I just don't see it as an issue here, where all I > want to do is restrict people from logging in via telnet/ssh/ftp > (well, maybe ftp). it's the ftp that mainly i'm talking about here. think the slowly-becoming-ubiqeutous 'www' group (ie, "yes, you can log into ftp, but only to these directories, from these IP addresses, nyeah nyeah"). :) (which is, btw, when i bother to set up ftp servers correctly, my prefered way of doing business -- then again, i'm also fond of madly disempower the 'users' group, then cheerfully adding /lots/ and /lots/ and /lots/ of interesting 'supplementary' groups with functionality based on... uh... function. modularity-fetishism at it's finest.) > > > Incidentally, does the /etc/security/access.conf thing work with ssh? > I just tried disabling my access to our mail server, but it still let > me in. I didn't spend much time on the docs, maybe I did it wrong. :) sorry, no clue. oooh... . damn. it's like a little howto on being a group-based access nazi. cool! quote from the default suse group.conf: '# Example: games are alowed between the hours of 6pm and 6am.' wow. how mind-boggingly evil and restrictive. :) ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
Re: security blather Re: [techtalk] login restriction
Hey All,

A firewall cannot tell the difference btwn a telnet connection and a smtp connection, that I am aware of. Telnet doesn't really do anything special beside open a connection to a particular port (usu. 23). In addition to that many smtp's have to be configured to allow for somewhat non-standard smtp connections, ie -> using bogus mail clients.

HTH,
Harry

> I am indeed at a loss to tell how a firewall could tell a connection
> to port 25 that originates from a MTA from one that originates from
> some other sort of socket opening program. The TCP protocol doesn't
> tell you squat about what the program opening the socket intends to do
> with it. Admittedly, a firewall _could_ terminate a SMTP session that
> doesn't "act right", but it can't tell that until the connection has
> been established and some data has been exchanged. Unless, of course,
> someone has a "psychic firewall" out there that I haven't heard about.
>
> Kelly
Re: [techtalk] yet another solaris question ...
> Hi chix!
>
> While we're discussing the passwd file, i have a problem. I didn't
> really know another way to set my PATH automatically other than
> appending it to my shell line in my passwd file, like this:
>
> jellhead:x:100:1::/export/home/jellhead:/usr/local/bin/tcsh;setenv
> PATH /usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin
>
> This worked for me in linux in the past, but my Solaris Sparc server
> doesn't like it (i can't log in as jellhead anymore). Does anyone
> know a good alternative? I've considered a few other things, but i'm
> a little intimidated by this funky Solaris box ...

Wibble ... not seen this before -- bad practice :)

Okay... you need to modify any of:

    /etc/profile    - Global settings for ksh, sh (and bash?)
    /etc/csh.cshrc  - Global settings for csh, tcsh
    $HOME/.profile  - User settings for ksh, sh
    $HOME/.cshrc    - User settings for csh, tcsh

Now -- as you're using tcsh, take your pick of .cshrc or /etc/cshrc ... the line you want to do would be:

    setenv PATH ${PATH}:/new/path/here:/another/new/path/here:/and/so/on

basically, each path is separated by a colon. The first reference to ${PATH} ensures any existing path remains. If you want to set it from scratch, feel free to ignore it :)

>
> # begin horror story
> Last time i made changes to my passwd file on this server, i decided i
> was really, really tired of using sh, so i decided to set my SHELL in
> the passwd file to /usr/local/bin/tcsh. Unfortunately i mistyped the
> path, and it was after i *saved the file and logged off* and tried to
> log back in using my new settings that i discovered NO ONE HAS ROOT
> ACCESS TO THE THING ANYMORE!! We had to go over to the rack (this is
> a Sun Netra1) and boot the thing off the CD to fix it. Luckily the
> sysadmins involved (i'm not the sysadmin, i'm the webmaster) didn't
> give me *too* hard of a time :-)
> # end horror story
>

One hint -- in general, changing the shell for root is a bad thing...some Unixes don't like it, as some tools assume the root shell will be /bin/sh (cron is one example). Now, you didn't say which shell you were changing, but it sounds like the root shell.

If you want to use another shell as root, either start it manually when you log in, or in /.profile get that to start your preferred shell...eg,

    exec /bin/ksh

Using exec will force the shell to replace the currently executing shell in userspace, so you don't need to type exit twice to logout :) It leaves /etc/passwd alone and is then kinder to fussy apps.

Also place any shells used as login shells in /etc/shells...this ensures things like ftpd don't complain. :)

Chris... :)
--
@}-,'-- Chris Johnson --'-{@ / "(it is) crucial that we learn the difference / [EMAIL PROTECTED] \ / between Sex and Gender. Therein lies the key / \ / to our freedom" -- LB / www.nccnet.co.uk/~sixie \
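A check to run on a candidate passwd file before saving it, covering the failure modes in the message above; this is an added example, not code from the thread. The `jellhead` line is the one quoted in the post; the other entries, the shell list and the `audit_passwd` name are constructed, and the /bin/sh expectation for uid 0 follows the advice in the reply.

```python
import os

# Sample input. Only the jellhead line comes from the post; the rest is constructed.
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/usr/local/bin/tsch
jellhead:x:100:1::/export/home/jellhead:/usr/local/bin/tcsh;setenv PATH /usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin
webuser:x:101:1::/export/home/webuser:/usr/local/bin/tcsh
ftponly:x:102:1::/export/home/ftponly:/bin/false
"""
SAMPLE_SHELLS = {"/bin/sh", "/bin/ksh", "/usr/local/bin/tcsh"}  # stands in for /etc/shells
SAMPLE_EXECUTABLES = SAMPLE_SHELLS | {"/bin/false"}             # stands in for the filesystem


def load_shells(path="/etc/shells"):
    """Read the list of valid login shells, skipping comments and blank lines."""
    with open(path) as fh:
        return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}


def is_executable(path):
    """Filesystem check to pass as `executable` when auditing a real file."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def audit_passwd(passwd_text, valid_shells, executable, root_shell="/bin/sh"):
    """Return {account: [problems]} for entries whose shell field is unsafe."""
    findings = {}
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        name = fields[0] or f"line {lineno}"
        if len(fields) != 7:
            # Text appended after the shell (such as a PATH with colons in it)
            # adds fields, so login no longer sees the intended entry.
            findings[name] = [f"expected 7 colon-separated fields, found {len(fields)}"]
            continue
        uid, shell = fields[2], fields[6] or "/bin/sh"  # empty field means /bin/sh
        problems = []
        if any(ch in shell for ch in " \t;"):
            problems.append("shell field must be a single path, not a command line")
        else:
            if not executable(shell):
                problems.append(f"{shell} does not exist or is not executable")
            if shell not in valid_shells:
                problems.append(f"{shell} is not listed in /etc/shells")
        if uid == "0" and shell != root_shell:
            problems.append(f"uid 0 account does not use {root_shell}")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    report = audit_passwd(SAMPLE_PASSWD, SAMPLE_SHELLS, SAMPLE_EXECUTABLES.__contains__)
    for account, problems in report.items():
        for problem in problems:
            print(f"{account}: {problem}")
```

To audit a real file, pass its contents with `load_shells()` and `is_executable` in place of the sample sets, and keep a root session open until a fresh login has been tested.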
Re: [techtalk] Hello from a Newbie!
> Now for my Query
>
> I would like to restrict telnet access to my computer to only a few IP
> addresses. In order to do this I edited the hosts.deny file with ALL:ALL,
> and the hosts.allow file with the IP addresses which I wanted to allow
> access. Unfortunately this doesn't seem to work. Is there another way
> to restrict access? If there is how do I do it?
>

Part of me is still surprised hosts.deny is still in existence -- most (all?) linux dists these days ship with TCP wrappers that support extra options (man host_options(5)). These options make hosts.deny redundant and mean you have only one file to manage ... :)

So, in your case, you could have:

    ALL: : ALLOW
    ALL: : ALLOW
    ALL: ALL: DENY

in hosts.allow, and delete hosts.deny. You can even have login banners put on screen (see the "banners" keyword). I tend to use this as the last rule in hosts.allow:

    ALL:ALL:rfc931 10: banners /etc/access/denied: spawn (/etc/access/bin/deny_log %a %h %u %d &): DENY

Which, for every service on every incoming address (unless an earlier rule matched it), it attempts an ident lookup (10 second timeout), displays a banner that says summat like "access denied", and spawns a trap door shell script that mails me before denying access.

Very powerful additions... :)

Chris...
--
@}-,'-- Chris Johnson --'-{@ / "(it is) crucial that we learn the difference / [EMAIL PROTECTED] \ / between Sex and Gender. Therein lies the key / \ / to our freedom" -- LB / www.nccnet.co.uk/~sixie \
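The decision procedure behind both layouts discussed above (hosts.deny plus hosts.allow, and the single-file ALLOW/DENY form), modelled in Python as an added example; it is not code from the thread or from the TCP wrappers package. It handles only ALL, exact addresses, trailing-dot prefixes, net/mask patterns and the ALLOW/DENY options; the addresses, the `in.telnetd` daemon name and the rule sets are constructed.

```python
"""Simplified model of the TCP wrappers access decision (hosts_access(5)).

Not modelled: hostname patterns, EXCEPT, wildcards other than ALL, and
options other than ALLOW / DENY (banners, spawn, rfc931 are ignored).
"""
import ipaddress

# Constructed rule sets using documentation address ranges.
CLASSIC_ALLOW = "in.telnetd: 192.0.2.10, 198.51.100.\n"
CLASSIC_DENY = "ALL: ALL\n"
WRONG_NAME_ALLOW = "telnet: 192.0.2.10\n"  # service name instead of the daemon's process name
SINGLE_FILE = (
    "ALL: 192.0.2.10: ALLOW\n"
    "ALL: 198.51.100.0/255.255.255.0: ALLOW\n"
    "ALL: ALL: DENY\n"
)


def parse_rules(text):
    """Return [(daemons, clients, options, original_line)] for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # not a daemon_list : client_list rule
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        options = [f.lower() for f in fields[2:] if f]
        rules.append((daemons, clients, options, line))
    return rules


def client_matches(pattern, addr):
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):            # "198.51.100." matches by prefix
        return addr.startswith(pattern)
    if "/" in pattern:                   # net/mask, e.g. 198.51.100.0/255.255.255.0
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == addr


def daemon_matches(pattern, daemon):
    return pattern.upper() == "ALL" or pattern.lower() == daemon.lower()


def first_match(rules, daemon, addr):
    """The first rule whose daemon list and client list both match wins."""
    for daemons, clients, options, line in rules:
        if any(daemon_matches(d, daemon) for d in daemons) and \
           any(client_matches(c, addr) for c in clients):
            return options, line
    return None


def decide(allow_text, deny_text, daemon, addr):
    """hosts.allow is searched first, then hosts.deny; no match means allow."""
    for name, text, default in (("hosts.allow", allow_text, "allow"),
                                ("hosts.deny", deny_text, "deny")):
        hit = first_match(parse_rules(text), daemon, addr)
        if hit:
            options, line = hit
            verdict = default
            for opt in options:          # an explicit ALLOW/DENY option overrides the file default
                if opt in ("allow", "deny"):
                    verdict = opt
            return verdict, f"{name}: {line}"
    return "allow", "no rule matched in either file"


if __name__ == "__main__":
    cases = [
        ("classic, listed host", CLASSIC_ALLOW, CLASSIC_DENY, "192.0.2.10"),
        ("classic, other host", CLASSIC_ALLOW, CLASSIC_DENY, "203.0.113.5"),
        ("rule names 'telnet'", WRONG_NAME_ALLOW, CLASSIC_DENY, "192.0.2.10"),
        ("single file, listed net", SINGLE_FILE, "", "198.51.100.77"),
        ("single file, other host", SINGLE_FILE, "", "203.0.113.5"),
        ("both files empty", "", "", "203.0.113.5"),
    ]
    for label, allow, deny, addr in cases:
        print(f"{label:26} {addr:15}", *decide(allow, deny, "in.telnetd", addr))
```

Rules are keyed on the daemon's process name, which is why the `telnet:` rule in the third case never matches and the listed host falls through to the deny rule. The files are only consulted for services started through tcpd or linked against libwrap.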
Re: [techtalk] pppd question...
Hi, On Sun, 2 Jul 2000, Megan McGuire wrote: > im having some problems conecting to my isp from linux... it used to work > and it doesnt anymore =\ the modem dails and the scipts login just fine, but > it either gets an LCP-TimeOut, so i set the lcp-request higher and now it > just gets a "Modem Hung up" after ppp0 <-> /dev/ttyS1 serial connection > established. anyone know what would cause this? Had a look at /var/log/messages? Maybe it helps if you set your pppd to passive mode. Just delete the # in the corresponding line. -- Anne Anne Forker-- [EMAIL PROTECTED] --ICQ: 17699654 registered Linux user #134989 (see: http://counter.li.org) Linux-User helfen Schulen: http://www.pingos.schulnetz.org Linux Chix FAQs: http://sourceforge.net/project/linuxchix-faqs ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
[techtalk] Opening X-Windows through SSH
More questions! The whole reason for my installing SSH on my machine is so that I can bring up X-Windows remotely (an Xterm for example). What do I set my display too, to get it to run through SSH? ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
Re: [techtalk] Opening X-Windows through SSH
On Fri, 7 Jul 2000, Adrian Glover wrote: > More questions! > > The whole reason for my installing SSH on my machine is so that I can bring up > X-Windows remotely (an Xterm for example). > > What do I set my display too, to get it to run through SSH? > I was looking at my man page for OpenSSH, and you should be able to just ssh from the computer running the XServer, and ssh should *automatically* forward the connections over the encrypted channel. Check your man page to make sure -- also, the sshd on the other end probably needs to be configured to support it, I know it gets turned off sometimes because of past security problems. Jeff My Geekcode has moved to my .plan file. finger [EMAIL PROTECTED] for that and other Junk My Public Key -- http://24.5.73.229/pubkey.txt
Re: [techtalk] login restriction
"Susannah D. Rosenberg" wrote: > > Samantha Jo Moore wrote: > > If you change this for /bin/false then they won't > > be able to telnet in. > > yeah, but it still leaves rlogind and telnetd flapping in the wind. can > you say "telnet to port 25", boys and girls? > > gaping security flaws are /bad/. Summary: /bin/false or /bin/true as a login shell prevents an individual from logging in via telnet, ssh or rlogin. Closing off rlogind and telnetd prevents ANYONE from logging in via rlogin or telnet. (But not ssh. Which is usually deliberately permitted) Jenn V. -- "Do you ever wonder if there's a whole section of geek culture you miss out on by being a geek?" - Dancer. [EMAIL PROTECTED]Jenn Vesperman http://www.simegen.com/~jenn/ ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
[techtalk] Hi and Intro
I guess I wasn't sure about the protocol of this list. Having seen a number of "Hi!"'s, I suppose I should do an intro ... My name is Julie Haugh. Some of my work that you may be familiar with includes the Shadow Password Suite, which is distributed with many Linux distros these days as "shadow-utils" or something like that. Shadow is now into its teenage years, which is something I find utterly amazing. This isn't an AIX list, so if you're familiar with me from AIX, that's another way. I've been using Linux since the days when most people downloaded floppy images and the thought of someone burning CDs and starting a company like RedHat were the furthest from our brains. I work for IBM (though I don't speak for them ...) as the tech lead in the AIX base O/S security development group. I'm also a vendor security analyst and was the tech lead for the C2 evaluation of AIX. Unlike most Linux users, I don't use Linux for all of my "home" biz since there are just too many cards and other goodies in my machine (an aging Dell Dimension XPS 166 ...) that I'm afraid won't run on Linux. When I feel confident that I can watch "3rd Rock" on the same screen as I read netnews, perhaps I'll get rid of WinDoze for good. I'm doing many other fun things with Linux which I cannot discuss because I don't speak for my employer ... Grrls Rule! -- Julie. ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
[techtalk] OpenSSH and keys
Hello I was using openssh-1.2.1 for a while and recently switched to openssh-2.1.1 With the older version of openssh, I could establish connection to my server over the Internet. With the newer version, the keys that are generated by ssh-keygen do not allow me to connect to my server. The server accepts the keys generated by the older version of ssh. My ssh client is TeraTerm Pro for windows. I do not think that should make any difference. This client works fine with the old keys and the new server. I do not why the new keys are not working with the new server. Is anyone else experiencing this problem? Any ideas appreciated. Thank you in advance. Subba Rao [EMAIL PROTECTED] http://pws.prserv.net/truemax/ => Time is relative. Here is a new way to look at time. <= http://www.smcinnovations.com ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
Re: [techtalk] Hi and Intro
Hey Julie, Welcome to list list, and thanks for useradd! Harry Hoffman Manager - Information Technology Restaurants Unlimited Inc. 206.634.3082 x. 270 On Fri, 7 Jul 2000, Julie wrote: > I guess I wasn't sure about the protocol of this list. Having seen > a number of "Hi!"'s, I suppose I should do an intro ... > > My name is Julie Haugh. Some of my work that you may be > familiar with includes the Shadow Password Suite, which is > distributed with many Linux distros these days as "shadow-utils" > or something like that. Shadow is now into its teenage years, > which is something I find utterly amazing. This isn't an AIX list, > so if you're familiar with me from AIX, that's another way. > > I've been using Linux since the days when most people downloaded > floppy images and the thought of someone burning CDs and > starting a company like RedHat were the furthest from our brains. > > I work for IBM (though I don't speak for them ...) as the tech lead > in the AIX base O/S security development group. I'm also a vendor > security analyst and was the tech lead for the C2 evaluation of > AIX. > > Unlike most Linux users, I don't use Linux for all of my "home" > biz since there are just too many cards and other goodies in my > machine (an aging Dell Dimension XPS 166 ...) that I'm afraid > won't run on Linux. When I feel confident that I can watch "3rd > Rock" on the same screen as I read netnews, perhaps I'll get > rid of WinDoze for good. > > I'm doing many other fun things with Linux which I cannot > discuss because I don't speak for my employer ... > > Grrls Rule! > > -- Julie. > > > > ___ > techtalk mailing list > [EMAIL PROTECTED] > http://www.linux.org.uk/mailman/listinfo/techtalk > ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
Re: [techtalk] Hi and Intro
From: <[EMAIL PROTECTED]> > Hey Julie, > Welcome to list list, and thanks for useradd! No probs! I'll have to see if I can dig up xuseradd and the rest of the Motif things I wrote zillions of years ago. -- Julie. ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
[techtalk] Re: Opening X-Windows through SSH
I have openssh2.1. On the server, in /etc/ssh/sshd_config I have

    X11Forwarding yes
    X11DisplayOffset 10

and on the client, in $HOME/.ssh/config I have

    ForwardX11 yes

This one could also be put in /etc/ssh/ssh_config on the client. After you have sshed over to the other machine you can start your X apps.

Adrian Glover wrote:
>
> More questions!
>
> The whole reason for my installing SSH on my machine is so that I can bring up
> X-Windows remotely (an Xterm for example).
>
> What do I set my display too, to get it to run through SSH?

--
-o) [EMAIL PROTECTED] /\\ Orbis non sufficit _\_v
[techtalk] Debian woes
I have a Debian box here running wu-ftpd and telnetd. For some reason, it refuses to allow my Windows box to access those services (upload, download, access). However my Mandrake box is able to connect and upload/download/access to it. Anyone have any ideas?
Re: [techtalk] Using Putty to connect to SSH
I'm afraid that putty does not support ssh2 at the present time. my suggestion, dump ssh2 and dl ssh1 or openssh. Adrian Glover wrote: > I am new to using SSH, and when I try to use putty to connect to my linux server > at home from work, the window appears, and dissapears immediately. I tried using > telnet to connect to the SSH port and all that happens is the following string > appears at the top of the telnet window (leading me to believe I am getting > through the firewall) > > SSH-2.0-2.0.13 (non-commercial) > > I am not sure if I have setup my ssh2d server properly.. I basically just built > it, and ran it. I can ssh2 localhost and log in fine from a telnet window onto > that machine. > > Thanks for your help, > > Adrian > > ___ > techtalk mailing list > [EMAIL PROTECTED] > http://www.linux.org.uk/mailman/listinfo/techtalk ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
Re: [techtalk] Debian woes
> Kath wrote: > > I have a Debian box here running wu-ftpd and telnetd. For some reason, > it refuses to allow my Windows box to access those services (upload, > download, access). However my Mandrake box is able to connect and > upload/download/access to it. > > Anyone have any ideas? What sort of 'refuses to allow'? What (if any) error messages do you receive? What (if anything) is in logs? Jenn V. -- "We're repairing the coolant loop of a nuclear fusion reactor. This is women's work!" Helix, Freefall. http://www.purrsia.com/freefall/ Jenn Vesperman[EMAIL PROTECTED] http://www.simegen.com/~jenn ___ techtalk mailing list [EMAIL PROTECTED] http://www.linux.org.uk/mailman/listinfo/techtalk
Re: [techtalk] Debian woes
On Sat, Jul 08, 2000 at 12:02:50AM -0400, Kath wrote:
> I have a Debian box here running wu-ftpd and telnetd. For some
> reason, it refuses to allow my Windows box to access those services
> (upload, download, access). However my Mandrake box is able to
> connect and upload/download/access to it.

Can you get to other services? telnetd is an inetd service and wu-ftpd can be run via inetd. You should check /etc/hosts.deny to see if tcp_wrappers will be dropping your connection. Other than that it is difficult to diagnose your problem without further information.

--
Dan Nguyen | It is with true love as it is with ghosts;
[EMAIL PROTECTED] | everyone talks of it, but few have seen it.
[EMAIL PROTECTED] | -Maxime De La Rochefoucauld
Re: [techtalk] Debian woes
> Can you get to other services? telnetd is a inetd service and wu-ftpd
> can be run via inetd. You should check /etc/hosts.deny to see if
> tcp_wrappers will be dropping your connection. Other than that it is
> difficult to diagnose your problem without further information.

My suggestions:

check logs in /var/log/syslog (at least that's where I looked when I was having these sorts of problems) to see what is going on when a connection attempt is happening

check hosts.deny and hosts.allow. Turn off paranoid (comment out the line ALL: ALL: PARANOID) and see if that makes a difference (for me it didn't but we tested it a couple of times to see if that was the problem), if not you might want to turn it back on.

check ip masq/forwarding to see if there are some rules in there you don't like. Somehow my box was denying incoming stuff using rules I'd never implemented... try ipfwadm -F (forwarding rules) -O (out rules) and -I (in rules) to see what rules are in there and you can use -d to delete.

Again, I think knowing if other services are working a-ok would be helpful (webserver? samba? anything?)

-nicole