, but I am afraid that this inconsistency could bite somewhere
else, and in any case, I want su(1) to work :)
Are there any reasons why pam_group(8) is inconsistent with id(1) in
the way it determines which groups a user belongs to?
--
// Black Lion AKA Lev Serebryakov
__
I edit the audit_event(5) file,
as it seems that one event could belong only to one class, and I
don't want to remove these events from their natural classes.
--
// Black Lion AKA Lev Serebryakov
___
freebsd-security@freebsd.org mailing list
ut does somebody but me
need it?
Does somebody use audit on FreeBSD on production systems?
--
// Black Lion AKA Lev Serebryakov
m ftpd doesn't use setaudit() :(
--
// Black Lion AKA Lev Serebryakov
all users, and, yes,
auditreduce -r USER /dev/auditpipe0 | praudit
shows activity after login...
What do I do wrong?
P.S. Maybe there is a more adequate list for BSM Audit questions?
--
// Black Lion AKA Lev Serebryakov
ry.
Minimal ldap client, nss/pam_ldap and SSH keys in LDAP out-of-the-box is
great!
But it disagrees with the trend to strip down the base system :(
--
// Black Lion AKA Lev Serebryakov
ese ldap-related modules are strange in their desire to
have config files like "ldap.conf" :)
--
// Black Lion AKA Lev Serebryakov
based on asn.1 to C compiler from Lev
Walkin (http://lionet.info/asn1c/blog/)? ;-)
The client-only part doesn't look very hard to implement, when all
the boilerplate code (packing/unpacking/network processing, etc.) is
auto-generated from the RFCs.
--
// Black Li
point, that if we
want our own LDAP client library, we don't need to write tons of
non-obvious, error-prone and security-sensitive code by hand.
--
// Black Lion AKA Lev Serebryakov
only the "root" member (as all
other members are in LDAP), the system never takes "wheel" members from
LDAP (because /etc/group has priority) and "su" doesn't work!
What is the proper way to resolve this problem?
--
// Black Lion AKA Lev Serebryakov
Hello, Dag-Erling.
You wrote on 22 September 2011, 19:21:27:
> Lev Serebryakov writes:
>> But when "wheel" is in /etc/group with only "root" member (as all
>> other members are in LDAP), system never takes "wheel" members from
>> LDAP (because /e
Hello, Rene.
You wrote on 26 September 2011, 15:07:09:
> Why not have /etc/group be authoritative for wheel (and thus have a list
> of local superusers).
The idea is to have no local users (but root) at all :)
--
// Black Lion AKA Lev Sereb
hor), it is
a pain in the ass to have 3rd party modules/drivers in the system.
--
// Black Lion AKA Lev Serebryakov
.ietf.org/html/rfc2898
[2] http://static.usenix.org/events/usenix99/provos/provos_html/node1.html
[3] http://www.tarsnap.com/scrypt.html
--
// Black Lion AKA Lev Serebryakov
is repo aren't signed by developers../
--
// Black Lion AKA Lev Serebryakov
ld be
called by sshd, not some "authorization daemon", if I understand the situation
right. Or don't I?
--
// Black Lion AKA Lev Serebryakov
"authorization
SO> daemon" can't set environment in another process.
des@ suggests having the ability to pass env variables from the authorization
daemon, but anyway, pam_setcred() should be called by the shell process (or its
parent), and not by any process in the system, am I right?
--
verything pam_setcred() does can be done in a separate process, and the
DES> result returned to the application using sendmsg().
Why do we need a separate daemon for it? Why could it not be built into sshd
itself? One more daemon -- one more point of failure...
--
// Black
s.
--
// Black Lion AKA Lev Serebryakov
this by farming PAM out to a child
DES> process.
And, IMHO, the proper way to fix this bug is to fix it here, as "most of the things"
are already done.
--
// Black Lion AKA Lev Serebryakov
need this functionality too? ftpd(8)? Is it affected?
But I'm not sure that ftpd(8) needs something like this at all, as I could
not imagine any kerberized / single login application running with ftpd as
parent. Maybe my imagination is poor.
And, yes, what do you mean by "fundamentally br
d gain here looks to be
little, especially for things like sshd, where all user input is received
via a well-defined protocol with packet lengths and MACs, and user input is
almost sanitized at this level -- the only thing which could be invalid is
zero bytes in text data.
Do you have any examples, how th
Hello, Dag-Erling.
You wrote on 4 September 2013, 11:53:14:
DES> Lev Serebryakov writes:
>> Accepting input from a hostile user is a huge security issue per se? Ouch. In
>> the modern world there are only hostile users. Yes, all our software has
>> huge security issues, I know that :
ich doesn't know about this new API (ouch,
I don't like this part).
(10) Many backends should be re-implemented from the NSS or PAM API (and I
don't like this one either). Generic wrappers for NSS and/or PAM modules
look complicated and, ag
S> Malta in a couple of weeks, which will focus less on the problem and
DES> more on the solution.
Thank you! I regret that I will not be at Malta :( But tickets from
Russia are really expensive :(
--
// Black Lion AKA Lev Serebryakov
o, yet, it is their level of competence, but
you cannot get around them if you want official PCI/DSS certification,
for example. Did you see this epic thread on stackoverflow (or its
devops/sysops counterpart) about "log file with every login of each user
with password in clea
ter could avoid the certificate, for
example (I don't say that it is so for EVERY certification, but formal,
bank- or government-recognized security ones are typically THAT strict).
--
// Black Lion AKA Lev Serebryakov
have any real memory model described, so it is very
hard to reason about this C code, if it is C.
--
// Black Lion AKA Lev Serebryakov
er FreeBSD system via NFS.
So, an overlay FS with per-file encryption is not a solution, as
SMB-only users could not call "mount" and enter a password.
Full-disk encryption is not a solution either, as "root" could read all
files in such a case, as there is no encryption at all.
Is it
Has somebody succeeded in setting up FreeBSD for use with a Yubikey NEO
token without the Yubico authentication service, with OATH-HOTP?
--
// Lev Serebryakov
do the offline auth, but this
> seems to be documented well in ykpamcfg(1)
ykpamcfg(1) documents challenge-response, which is for local usage,
as it needs two-way communication with the token.
I'm trying to install security/oathtoolkit but I don't understand
which parameters in use
ult on 10-STABLE, modules from
`${LOCALBASE}/lib/security' cannot be loaded by name (without the full
path) in the PAM configuration file.
Which place is correct? I like `${LOCALBASE}/lib/security', but using
full pathnames looks ugly!
--
// Lev Serebryakov
ield specifies the name or full path of the module to
call. If only the name is specified, the PAM library will search for it
in the following locations:
1. /usr/lib
2. /usr/local/lib
--
// Lev Serebryakov
I have this:
expire-after:356d AND 5G
and now my /var/audit contains 1 year of files, but it takes 105
gigabytes (!).
It is FreeBSD 10.2-STABLE r286784
--
// Lev Serebryakov AKA Black Lion
Hello Terje,
Saturday, January 9, 2016, 11:55:42 PM, you wrote:
>> expire-after:356d AND 5G
>>
>> and now my /var/audit contains 1 year of files, but it takes 105
>> gigabytes (!).
>>
>> It is FreeBSD 10.2-STABLE r286784
> I don't recall how that limit is implemented, but it could be related t
Hello Freebsd-security,
I have /etc/security/audit_control configured to have 200M trace files and
"audit -n" is scheduled to run twice a day, at 00:00 and 12:00. Old trace
files look OK (this is November 2015):
-r--r- 1 root audit 209715488 Nov 16 19:05 2015111609.2015111616
Hello Terje,
Saturday, January 9, 2016, 11:55:42 PM, you wrote:
> I don't recall how that limit is implemented, but it could be related to this:
Looks like I could not understand the man page right :)
Expiration with AND is by time, and size is an additional condition. So, "365
AND 5G" could leave an
wpa_supplicant) affected?
--
// Lev Serebryakov
Hello Joey,
Wednesday, January 3, 2018, 4:56:50 AM, you wrote:
> No way around it. It's hardware FAIL, and ignoring it isn't an option since
> it's apparently a huge hole.
Looks like there IS a way around it and it was "silently" committed to Linux
http://pythonsweetness.tumblr.com/post/169166980
Hello Freebsd-security,
https://reviews.llvm.org/D41723
--
Best regards,
Lev mailto:l...@freebsd.org
Hello Julian,
Thursday, January 4, 2018, 8:49:50 PM, you wrote:
>> https://reviews.llvm.org/D41723
>>
>>
> not really..
> What's to stop an unprivileged user bringing his own compiler? or a
> precompiled binary?
As far as I understand, Spectre can not cross boundaries, so precompiled
binary will
Now that FreeBSD 12 has ChaCha20 and Poly1305 support in the kernel, are
there any plans to add support for RFC7634 to IPsec?
--
// Lev Serebryakov
h algorithms, but it is mostly unused.
There is no way to re-key encryption without re-allocating the context
("key" or "schedule", even the naming is not consistent). Ouch.
As I could see from the commits, there were some simplifications, but
maybe there is a project to clean up this s
On 05.03.2019 22:55, Shawn Webb wrote:
>> This came over my phone's news feed. Another example that Colin Percival was
>> right when he wrote his paper on exploiting cache for fun and profit many
>> years ago.
>
> Weird machines are weird.
Not-weird machines