SSH...

SSH...

[Alex deVries]

SSH 1.2.22-2i compiles just fine on SGI/Linux, and it actually works.
There was a problem with 1.2.21 where it wouldn't handle incoming
authentications.

But, I live in the evil USA, and can't re-export it. Could someone in a
decent country stick an RPM binary that's signed with a PGP key put it on
ftp.replay.com ?  Alan?

- A

-- 
Alex deVries          Run Linux on everything,
                      run everything on Linux.

Re: SSH...

[Alan Cox]

> But, I live in the evil USA, and can't re-export it. Could someone in a
> decent country stick an RPM binary that's signed with a PGP key put it on
> ftp.replay.com ?  Alan?

When I get a moment I will

Re: SSH...

[Alan Cox]

> But, I live in the evil USA, and can't re-export it. Could someone in a
> decent country stick an RPM binary that's signed with a PGP key put it on
> ftp.replay.com ?  Alan?

When I get a moment I will

ssh

[Daniel Sercaianu]

[-- Attachment #1: Type: text/plain, Size: 138 bytes --]


Hello,

How can I drop ssh packets for destination hosts to which destination port is unknown and different from 22/tc?.


Daniel

[-- Attachment #2: Type: text/html, Size: 734 bytes --]

Re: ssh

[Antony Stone]

On Monday 24 June 2002 1:23 pm, Daniel Sercaianu wrote:

> Hello,
>
> How can I drop ssh packets for destination hosts to which destination port
> is unknown and different from 22/tc?.

I can think of two answers to this:

1. You can't.   Netfilter / IPtables works by port number, not by content, so 
you can only filter by port number.

2. You allow through the traffic on the port numbers you want, and you block 
everything else.   Doesn't stop someone running an SSH server on port 80, 
though, if you're trying to allow web access.

 

Antony.

Re: ssh

[Maciej Soltysiak]

> 1. You can't.   Netfilter / IPtables works by port number, not by content, so 
> you can only filter by port number.
Hmm, maybe you could...
Look:
1. look for a openingpacket with ssh connection characteristics, say a
   version string and mark packets, use recent module, put them to a
   seperate chain. something like that.
2. filter by port number.

What do you think?

Maciej

Re: ssh

[Ramin Alidousti]

On Mon, Jun 24, 2002 at 03:47:49PM +0200, Maciej Soltysiak wrote:

> > 1. You can't.   Netfilter / IPtables works by port number, not by content, so 
> > you can only filter by port number.
> Hmm, maybe you could...
> Look:
> 1. look for a openingpacket with ssh connection characteristics, say a
>    version string and mark packets, use recent module, put them to a
>    seperate chain. something like that.

Yes. Very expensive though and not full-proof in case of fragments.

Ramin

> 2. filter by port number.
> 
> What do you think?
> 
> Maciej
> 

ssh

[Timothy Wood]

Is there any particular reason openssh needs a patch to work with SE and
ssh does not?.

Timothy,




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: ssh

[Stephen Smalley]

On 2 Jul 2002, Timothy Wood wrote:

> Is there any particular reason openssh needs a patch to work with SE and
> ssh does not?.

The sshd daemon (whether from OpenSSH or not) needs to be patched to
transition to an appropriate security context for the user and to relabel
the user's ptys properly, just like login.  Strictly speaking, you could
run an unmodified sshd daemon, but you would be limited to a single user
domain and would lack the SELinux user identity information.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

SSH

[Fabien.LIOU]

Hi,

Can you explain me what are the differences between ssh-3.X and OpenSSH-3.X
?

I would like to have the same distribution installed in Linux boxes and
Solaris boxes.

What is the best package ?

Thanks

Fabien

Re: SSH

[David Jackson]

Fabien.LIOU@fr.thalesgroup.com wrote:

> Hi,
>
> Can you explain me what are the differences between ssh-3.X and OpenSSH-3.X

Openssh is Open Source, free to use, and most important is being activily
maintained
ssh (if  your are referring to the commerical product), closed source and cost
you money ?

As far as Solaris, the package provide by Sun is OpenSSH but besure and check
the version.

David

Re: SSH

[Michael H. Warfield]

On Tue, Jul 09, 2002 at 10:54:45AM -0600, David Jackson wrote:


> Fabien.LIOU@fr.thalesgroup.com wrote:

> > Hi,

> > Can you explain me what are the differences between ssh-3.X and OpenSSH-3.X

> Openssh is Open Source, free to use, and most important is being activily
> maintained
> ssh (if  your are referring to the commerical product), closed source and cost
> you money ?

	Half right...  Well...  Maybe 1/3 right.

	Ssh from SSH Communications is not "closed source".  The source
is completely available.  It may not meet the licensing requirements of
OSI for the "Open Source" branding, but it is not closed source.  You can
download the source from their web site and build it on your system
if you so desire, right now.

	It is also free for non-commercial use.  The "non-commercial"
aspect has gotten a lot stricter since the very loose definition days
of SSH 1.x, but it still is free for non-commercial use.

	OpenSSH incorporates both SSH version 1 and SSH version 2 in
a single client (server) binary.  Commercial SSH only incorporates
the version 2 protocol unless you install the older SSH1 package
(which they no longer officially support) FIRST.  Even then, there
are latency issues and protocol startup issues if you need to support
SSH1.

	All that being said, OpenSSH is still definitely the way to go.
Definitely Open Source (BSD License) and definitely free for both
non-commercial and commercial uses, plus supporting both major versions
of the SSH protocol (actually 3 versions of the protocol, two minor revisions
of the version 1 protocol plus the version 2 protocol).

> As far as Solaris, the package provide by Sun is OpenSSH but besure and check
> the version.

	DEFINITELY check the OpenSSH version.  Versions prior to 3.4p1
(that's 3.4 Portable 1, not 3.4 patch 1) with either BSDAuth, S/Key,
or PAM enabled are vulnerable to a serious remote execution security hole.
BSDAuth and S/Key are not commonly compiled in (other that on OpenBSD and
a few odd others) but PAM potentially is.  IAC...  The safest thing is
to be on 3.4p1.

> David

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

ssh

[Simpson, Doug]

I have acomputer I want to ssh to from the internet.  What is the IPTABLES
command to open this port?
Thanks,
Doug

RE: ssh

[Simpson, Doug]

whoops - forgot this is a dual homed computer and I am opening the eth0 to
the outside world for ssh.
I did find this - 
iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
this confuses me because of the "DROP" and the "--syn"
Thanks,
Doug

-----Original Message-----
From: Simpson, Doug 
Sent: Tuesday, January 14, 2003 1:59 PM
To: 'netfilter@lists.netfilter.org'
Subject: ssh


I have acomputer I want to ssh to from the internet.  What is the IPTABLES
command to open this port?
Thanks,
Doug

Re: ssh

[Zander]

> whoops - forgot this is a dual homed computer and I am opening the eth0 to
> the outside world for ssh.
> I did find this -
> iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
> iptables -A INPUT -p tcp --syn -j DROP
> this confuses me because of the "DROP" and the "--syn"
> Thanks,
> Doug
>
> -----Original Message-----
> From: Simpson, Doug
> Sent: Tuesday, January 14, 2003 1:59 PM
> To: 'netfilter@lists.netfilter.org'
> Subject: ssh
>
>
> I have acomputer I want to ssh to from the internet.  What is the IPTABLES
> command to open this port?
> Thanks,
> Doug
>

if you're opening ssh to the machine itself then:

/sbin/iptables -A INPUT -p tcp -i eth0 -d <eth0 IP address> --dport 22 -j
ACCEPT
/sbin/iptables -A OUTPUT -p all -o eth0 -m state --state
RELATED,ESTABLISHED -j ACCEPT

if for a host behind the firewall:

/sbin/iptables -A FORWARD -p tcp -i eth0 -o ethx -d <ssh server
ipaddress> --dport 22 -j ACCEPT
/sbin/iptables -A FORWARD -p all -m state --state RELATED,ESTABLISHED -j
ACCEPT

some of those interface settings aren't compulsary like in the forward chain
but I like to put them in. I would suggest them though for the INPUT and
OUTPUT chains as you have more than one interface. Oh and maybe set the
default policy of all to DROP.

HTH

Zz

Re: ssh

[MAB]

El Mar 14 Ene 2003 21:28, Simpson, Doug escribió:
> whoops - forgot this is a dual homed computer and I am opening the eth0 to
> the outside world for ssh.
> I did find this -
> iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT

With this rule you mean you accept every incoming packet from the internet 
through the por 22, and specially packets with the SYN,RST,ACK bit sets to 1 
(you accept people should establish a connection to the 22 port)

> iptables -A INPUT -p tcp --syn -j DROP

And, out of that, every incoming TCP packet, DROPs

-Miguel Angel Baeyens

KeyID: 0x6FB7A511 en rediris.es

ssh

[IT Clown]

Hi All

How do i allow ssh in from the internet, thanks?

Regards
_____________________________________________________________________
For super low premiums ,click here http://www.dialdirect.co.za/quote

Re: ssh

[Koyama Mituru]

From: "IT Clown" <iptables@mailbox.co.za>
Subject: ssh
Date: Wed, 14 Jul 2004 16:15:22 +0200

> How do i allow ssh in from the internet, thanks?

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

-- 
Koyama Mituru    netfilter@gvelo.ddnn.jp

RE: ssh

[Piszcz, Justin Michael]

Should all incoming ports that relate to a service such as SSH, FTP use
-m state --state NEW? 

I have never used this with iptables; but I remember using it with
ipfilter.

What are the security implications (if any) of not using -m state
--state NEW?



-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Koyama Mituru
Sent: Wednesday, July 14, 2004 10:26 AM
To: netfilter@lists.netfilter.org
Subject: Re: ssh

From: "IT Clown" <iptables@mailbox.co.za>
Subject: ssh
Date: Wed, 14 Jul 2004 16:15:22 +0200

> How do i allow ssh in from the internet, thanks?

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

-- 
Koyama Mituru    netfilter@gvelo.ddnn.jp

Re: ssh

[Antony Stone]

On Wednesday 14 July 2004 4:26 pm, Piszcz, Justin Michael wrote:

> Should all incoming ports that relate to a service such as SSH, FTP use
> -m state --state NEW?

It doesn't really matter, IMHO.

> What are the security implications (if any) of not using -m state
> --state NEW?

Well, there are two types of packets - ones that are NEW, and ones that 
aren't.   If you use "-m state --state NEW" as a match on the rule to allow 
the first packet in (because it's only the first one which will be NEW 
anyway), then you must have some other rule which allows the second and 
subsequent packets in (which are no longer NEW; they are ESTABLISHED).   In 
my opinion it makes no difference whether the rule for the first packet would 
*only* let in the NEW packet, or if it would let in the later ones as well.

Remember that the efficient order to place your rules in the FORWARD chain is:
1. Allow ESTABLISHED & RELATED packets through the firewall.
2. Allow the first packets of selected connection types.

Therefore any ESTABLISHED packets aren't going to get beyond rule 1 anyway, so 
it dosn't much matter whether the rules at (2) allow them or not.

The only other type of packet which you might want to think about is INVALID 
packets, however whether you consider these to be a security risk or not is 
moot, I think.   Even if an INVALID packet were to be allowed through your 
firewall to an internal host, any response would not get back out again 
because it's not part of an ESTABLISHED connection, so unless the INVALID 
packet can actually do some harm all on its own, it seems to me that allowing 
NEW, or allowing all, packets in makes little difference (for a given service 
and destination).

If someone wants to send you an INVALID packet anyway, all they need to do is 
send you a SYN packet to a listening port/address first - that will set up an 
ESTABLISHED connection tracking table entry, and then any further packets 
from the same source IP/port will be FORWARDED through the traditional Rule 
1.

Just my 2c - I will be interested to see any other opinions on the topic.

Regards,

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Koyama Mituru
> Sent: Wednesday, July 14, 2004 10:26 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: ssh
>
> From: "IT Clown" <iptables@mailbox.co.za>
> Subject: ssh
> Date: Wed, 14 Jul 2004 16:15:22 +0200
>
> > How do i allow ssh in from the internet, thanks?
>
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennet

                                                     Please reply to the list;
                                                           please don't CC me.

Re: ssh

[Koyama Mituru]

[-- Attachment #1: Type: Text/Plain, Size: 593 bytes --]

From: "Piszcz, Justin Michael" <justin.piszcz@mitretek.org>
Subject: RE: ssh
Date: Wed, 14 Jul 2004 11:26:10 -0400

> Should all incoming ports that relate to a service such as SSH, FTP use
> -m state --state NEW? 
> 
> I have never used this with iptables; but I remember using it with
> ipfilter.
> 
> What are the security implications (if any) of not using -m state
> --state NEW?

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

I don't want other packets.

-- 
Koyama Mituru    netfilter@gvelo.ddnn.jp

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: ssh

[Antony Stone]

On Wednesday 14 July 2004 4:57 pm, Koyama Mituru wrote:

> > Should all incoming ports that relate to a service such as SSH, FTP use
> > -m state --state NEW?
> >
> > What are the security implications (if any) of not using -m state
> > --state NEW?
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
>
> I don't want other packets.

That's a good security attitude.

Antony.

-- 
"Note: Windows 98, Windows 98SE and Windows 95 are not affected by [MS
Blaster].   However, these products are no longer supported.   Users of these
products are strongly encouraged to upgrade to later versions."

(which *are* affected by MS Blaster...)

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

                                                     Please reply to the list;
                                                           please don't CC me.

SSH

[alexander.lopata]

It seems that sshd does not see authorized_keys file in my home folder.
What I've done is put my openSSH public key in %h/.ssh/authorized_keys  
and configure my ssh client to use corresponding private key. But SSH 
still ask password. What can be wrong ?

Re: SSH

[Helmut Djurkin]

$HOME/.ssh/ should not be accessible by others
try 'chmod go-rwx $HOME/.ssh -R'

alexander.lopata schrieb:
> It seems that sshd does not see authorized_keys file in my home folder.
> What I've done is put my openSSH public key in 
> %h/.ssh/authorized_keys  and configure my ssh client to use 
> corresponding private key. But SSH still ask password. What can be 
> wrong ?
>
> -- 
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: SSH

[Chamith Kumarage]

Hi Alexander,

Check the permissions of authorized_keys file at server end and and %
h/.ssh at client end. Depending on the OpenSSH version, check for the
availability of authorized_keys2 file.

Thanks,

~Chamith

-  
*** There's no place like ${HOME} ***


On Sun, 2008-07-13 at 03:14 +0300, alexander.lopata wrote:
> It seems that sshd does not see authorized_keys file in my home folder.
> What I've done is put my openSSH public key in %h/.ssh/authorized_keys  
> and configure my ssh client to use corresponding private key. But SSH 
> still ask password. What can be wrong ?
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html