Friday, September 19, 2003

Why the net rocks, and at the same time is damn scary.... 

So it's been a bad week to be in the opensource world. I don't think I can remember doing so many patches in a single week. But it's always good to end a week on an upbeat note. The following post to bugtraq made my week seem worth it:
"After reading about a theoretical remote hole in OpenSSH and many detractors
smugly saying that they weren't vulnerable because they run LSH (a free
alternative), I'd like to present a working remote root exploit against LSH
version 1.4.x...."

How fricking cool is that? You can't get away with anything in the opensource world. Your coding talent is on full public display and the masses are just waiting to tear your boastful statements to shreds. If only our political system worked the same way. Imagine Mr. Bush declaring that Iran was an immediate threat and by the following day there were 15 responses that discredited the statement... :)

While on the topic of the openssh hole... It truly amazed me how many dangerously clueless people post "in the know" statements on message boards. While reading the comments on the slashdot story I was aghast at the amount of completely wrong information that was being spread. In case you are wondering:

1) Having PermitRootLogin No does not mean you aren't vulnerable. The alignment problem is before authentication happens.
2) Privilege separation also doesn't protect you in this case because the problem is before the separation occurs.
3) Tcp wrappers also aren't going to help you because they get checked after the protocol init...

Sigh. I hope that people are actually bothering to upgrade even tho they incorrectly think they are safe. You would think after all this time someone would have come up with an automated way to test for this class of bug...

Thursday, September 18, 2003

Generating OpenSSL keys, certs and CSRs by hand 

I keep having to look this up so I'm just going to write it down.

Generate a key (1024 bit):

openssl genrsa -des3 -out privkey.pem 1024

Generate Self Signed cert:

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
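As an added example (not from the original post), here is the same sequence done non-interactively, plus the CSR the title promises and a check that the key, CSR and cert actually belong together. It assumes a reasonably current openssl on PATH; the passphrase and subject are made-up values, and it uses 2048 bits, since 1024-bit RSA has been below the accepted minimum for years.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a passphrase-protected key,
# a CSR and a self-signed cert, then verifies the three agree. The passphrase and
# subject are constructed placeholders.
gen_and_verify() {
    dir=$(mktemp -d) || return 1
    pass="pass:example-passphrase"      # constructed; pick your own
    subj="/C=US/ST=Example/O=Example Org/CN=mail.example.com"

    # 1) Private key, 3DES-encrypted like the post (passphrase supplied via -passout)
    openssl genrsa -des3 -passout "$pass" -out "$dir/privkey.pem" 2048 2>/dev/null || return 1

    # 2) CSR, the thing you hand to a CA
    openssl req -new -key "$dir/privkey.pem" -passin "$pass" -subj "$subj" \
        -out "$dir/request.csr" 2>/dev/null || return 1

    # 3) Self-signed cert, 1095 days as in the post
    openssl req -new -x509 -key "$dir/privkey.pem" -passin "$pass" -subj "$subj" \
        -days 1095 -out "$dir/cacert.pem" 2>/dev/null || return 1

    # Checks: the CSR's self-signature verifies, and key, CSR and cert all carry
    # the same public key (catches a cert generated from the wrong key file)
    openssl req -noout -verify -in "$dir/request.csr" 2>/dev/null || return 1
    k=$(openssl rsa -in "$dir/privkey.pem" -passin "$pass" -pubout 2>/dev/null | openssl dgst -sha256)
    r=$(openssl req -in "$dir/request.csr" -noout -pubkey | openssl dgst -sha256)
    c=$(openssl x509 -in "$dir/cacert.pem" -noout -pubkey | openssl dgst -sha256)
    rm -rf "$dir"
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Usage: gen_and_verify && echo "key, CSR and cert agree"
```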

Wednesday, September 17, 2003

Bring Em On 

(yes that was meant to be an ironic dig at the man occupying the white house)

Woohoo, keeping up the excellent one nasty sploit per day trend.... Now it's sendmail yet again. Does it ever end? If you're still unlucky enough to be running sendmail at least you can commiserate with people running windows...

In the good news department, Mandrake redeemed themselves by being one of the first to release the sendmail fix. (before redhat).

Qtopia for Mac OS X 

Qtopia 1.7 is out and it finally has support for OS X. I haven't been able to sync my zaurus contacts etc since I ditched my linux desktop a year ago. It's nice to see that Trolltech is paying attention to the mac crowd. They still don't help you much with usb ethernet, which is required to sync via the cradle. A quick google search turns up a driver that has been working pretty well for me. Of course, the easiest/fastest way is to just use a wireless cf card. I've been uploading mp3's to my zaurus via ssh.

So what's a Zaurus you ask? The coolest little pda you ever did see. Well actually it kinda sucks as a pda in the traditional sense. Its standard PIM functions (contacts, calendar, todo, etc) are kinda weak. But the Zaurus is so much more. It runs Linux and is amazingly flexible. Imagine having a fullblown webserver, sporting PHP and a MySQL backend, sitting in the palm of your hand? Well that's exactly what you can do with the Zaurus. You can mount nfs and windows network drives. You can watch smooth video, listen to mp3s, surf the web with a real web browser, stream internet radio stations, instant message, and the list goes on. At the height of my Z usage I would be hacking code in a text editor, surfing the web, instant messaging, listening to music and messing around in the terminal with a ssh connection to a remote server all at the same time. Sadly I haven't used my Z much recently (cept as an mp3 player). Maybe now that it just got a little easier to sync it with the mac I will start using it again.

Tuesday, September 16, 2003

A Triple Header 

The last couple of days have been fun (can you hear the sarcasm dripping from my voice?). Two days, three fairly serious remotely exploitable security holes? When it rains it pours. Oi vey.

First there was the cute little pine bug. Believe it or not I still use pine (a text terminal based email client). It beats the snot out of webmail when I'm on the road. Combine that with *&^%#^$ Mandrake's decision to drop pine packages and I was left having to build my own pine rpms *again*. I guess I can't crap on people who use Outlook anymore...

That was followed by the nifty mysql buffer overflow. I have roughly 20 servers providing mysql to almost 2,000 users. To make life more fun, Mandrake *STILL* hasn't released updated mysql rpms. I really don't like making MySQL rpms. It's always a massive drag. Arg... (How many days till friday?)

Someone must have known that I wasn't having enough fun yet so they rounded my day out with a massive openssh hole. Nothing like 0 day warning before this one was out in the wild. Pretty scary considering the number of machines on the net that are running ssh these days. Very disappointed to find that Mandrake took even longer than Redhat to get a fix out. At least they got it out the same day.

I don't mean to be bashing Mandrake. I am a little peeved at their slow response on security issues recently, but I can't blame them. Overall Mandrake is an excellent distribution. URPMI is a sysadmin's best friend. Think apt-get but rpms.

Oh well, hopefully tomorrow will be a better day.

New G4 Powerbooks 

Apple has finally gotten around to updating its 15" powerbook (my current tool of choice), woohoo! The new model has a redesigned case (including the spiffy backlit keyboard) that matches the rest of the powerbook line. The processor has been bumped up to 1.25GHz. Bluetooth, firewire 800 and airport extreme all come standard. I think the coolest feature of all is the ability to stuff in 2gigs of ram. 2gigs of ram in a laptop? Now we're talking. :) I priced out "my new powerbook" and it comes in at just shy of $4000. Can anyone out there spot me some cash? I write code real good? The scary thing is that it would probably only last me a year or so.

Overall it's a decent upgrade but I don't think it's enough of a boost to bother upgrading. I'm actually surprised that this upgrade didn't come at the same time that the 12" and 17" were announced. I guess the 15" had been in production for long enough that it took time to get through the product cycle.

There were rumors of a dual processor version but it seems like that was nothing but rumor. I think a dual processor laptop would be ridiculous when it came to power consumption. The thing I like most about mine is its good battery life and super light portability. Take one good look at my poor battered laptop and you can see I carry it all over the place.

What I am really waiting for is a new line of Powerbooks based on the G5. There must be some fairly significant cooling and power challenges that need to be worked out before they will see the light of day. I guess I have a while to wait. It's probably a good thing since it hasn't even been a year since I got my current laptop.

Still no word on OS X 10.3 cept, "available later this year". I really wish they would at least do a public beta. I really NEED the new user switching feature. :) The bsd style ports feature also sounds pretty interesting. I'm assuming this means that they have rounded the corners on their X11 server. It would be nice if they integrated it more seamlessly into the os. I don't want to have an extra icon in the dock for the x server. I would rather have a section in System Preferences to turn on the x server. Of course then they would have to keep track of your x windows for you... (but that shouldn't be terribly hard). That would make running all those wonderful gui opensource projects truly useful to mac osx users.

Monday, September 15, 2003

Howto get Postfix and Sasl to play nice on Mandrake 9.1 

Okay, so setting up postfix and sasl to do smtp authentication on mandrake 9.1 was a tad harder than I expected. Mandrake 9.1 ships with a version of postfix that has sasl and tls support compiled in, which is a great start, but they kinda leave you hanging. I couldn't find any good howtos. There was a howto for mandrake 8.x and a more generic howto but neither quite covered the file layout used in 9.1. Maybe there are docs buried somewhere and I am guilty of breaking the rtfm rule, but here is my mini howto:

Start by making sure you have the right rpms:

I made the same mistake that apparently a lot of people have been making, which is not installing the libsasl7-plug-* rpms. This results in the error:

fatal: no SASL authentication mechanisms

in /var/log/mail/errors and

Sep 15 14:07:56 xxxx postfix/master[xxxx]: warning: process /usr/lib/postfix/smtpd pid xxxx exit status 1
Sep 15 14:07:56 xxxx postfix/master[xxxx]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

in /var/log/mail/warnings. The plug rpms provide the mechanisms that it's complaining so loudly about.

Once the rpms are installed, edit /etc/postfix/main.cf and add:

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mail.xxx.com
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
smtpd_sasl_security_options = noanonymous

Make sure the above lines don't wrap. (there should only be four lines, each starting with smtpd).

Now comes decision time. You can either use sasldb (which is a separate user database from passwd/shadow) or you can use saslauthd (which uses pam to check against the unix passwords in passwd/shadow). I chose to use sasldb for several reasons: 1) saslauthd only lets you use the PLAIN text authentication method, which means you are shooting your password in plaintext across the net. Granted you should also be using ssl (TLS) but you can't count on your users being smart enough to do that. sasldb lets you use MD5 challenge response passwords which are much safer imho; 2) I don't want just any user on the system to be able to send mail through my server remotely (call me a control freak? or maybe I just know that there are a lot of dusty accounts on the system).

So I'm only going to give directions for sasldb here. Saslauthd isn't that much harder but can get tricky if you are set up to chroot jail your postfix (which you really should be doing, and I think that's the default installation in 9.1). Saslauthd uses /var/lib/sasl/mux to talk to clients (like postfix). With the chroot jail, postfix can't access things outside of /var/spool/postfix. So you see the problem. (Hint: set up saslauthd to put its socket file under /var/spool/postfix, duh.)

Next step is to tell postfix what to authenticate against. Edit /usr/lib/sasl/smtpd.conf (it might not exist) and add:

pwcheck_method: sasldb

Now its time to create your sasldb. Type:

saslpasswd -c username

It should prompt you for a password and create /etc/sasldb. It might complain about "saslpasswd: generic failure". Running it a second time seemed to clear it right up for me. Now, since we are running postfix chroot jailed, you need to copy/move /etc/sasldb to /var/spool/postfix/etc/sasldb. Since I am only using sasl for postfix, I just:

mv /etc/sasldb /var/spool/postfix/etc/sasldb
ln -s /var/spool/postfix/etc/sasldb /etc/sasldb

Now, we need to make sure postfix can read the db. You can either do:

chmod 644 /var/spool/postfix/etc/sasldb

or

chown postfix.postfix /var/spool/postfix/etc/sasldb

If you are only going to be using sasl for postfix then I would go for the second option. Not sure the first option is a terribly great idea (it leaves the password db world-readable).

Next, double check your realm:

sasldblistusers

should spit out:

user: xxxx realm: mail.xxx.com mech: PLAIN
user: xxxx realm: mail.xxx.com mech: DIGEST-MD5
user: xxxx realm: mail.xxx.com mech: CRAM-MD5

Make sure that mail.xxx.com matches the smtpd_sasl_local_domain = mail.xxx.com line that you put in /etc/postfix/main.cf.

That should do it. Just restart postfix:

/etc/rc.d/init.d/postfix check
/etc/rc.d/init.d/postfix restart

To check to make sure it's installed correctly:

telnet yourmailserver 25

then type

ehlo postfix

it should respond with a series of lines that start with 250. You should have one that looks like:

250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN

depending on the libsasl7-plug-* rpms that you installed earlier.
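The pieces above have to agree with each other (the realm in sasldb must match smtpd_sasl_local_domain, noanonymous must be set, and the running smtpd must actually advertise AUTH). As an added check that is not part of the original howto, the script below runs those three comparisons over saved copies of main.cf, the sasldblistusers output and an EHLO transcript; the sample inputs are constructed and reuse the post's mail.xxx.com placeholder.

```shell
#!/bin/sh
# Added example, not from the original howto: a consistency check over main.cf,
# the sasldb realm and the EHLO reply. Sample inputs below are constructed.
MAIN_CF='smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mail.xxx.com
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
smtpd_sasl_security_options = noanonymous'
LISTUSERS='user: alice realm: mail.xxx.com mech: PLAIN
user: alice realm: mail.xxx.com mech: DIGEST-MD5
user: alice realm: mail.xxx.com mech: CRAM-MD5'
LISTUSERS_BAD='user: alice realm: localhost mech: CRAM-MD5'   # sasldb made before main.cf was edited
EHLO_REPLY='250-mail.xxx.com
250-PIPELINING
250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN
250 8BITMIME'

# Value of one main.cf parameter ($1) read from main.cf text on stdin
cf_value() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1 | sed 's/[[:space:]]*$//'; }

# $1 = main.cf text, $2 = sasldblistusers output, $3 = EHLO reply; prints one finding
check_sasl_setup() {
    enable=$(printf '%s\n' "$1" | cf_value smtpd_sasl_auth_enable)
    domain=$(printf '%s\n' "$1" | cf_value smtpd_sasl_local_domain)
    opts=$(printf '%s\n' "$1" | cf_value smtpd_sasl_security_options | tr -d ' ')
    [ "$enable" = yes ] || { echo "FAIL: smtpd_sasl_auth_enable is not yes"; return 1; }
    [ -n "$domain" ] || { echo "FAIL: smtpd_sasl_local_domain not set"; return 1; }
    case ",$opts," in *,noanonymous,*) ;; *) echo "FAIL: noanonymous missing from smtpd_sasl_security_options"; return 1;; esac

    # Every realm in the sasldb must equal smtpd_sasl_local_domain (the gotcha above)
    bad=$(printf '%s\n' "$2" | sed -n 's/.*realm: \([^ ]*\) .*/\1/p' | grep -Fvx "$domain" | head -n 1)
    [ -z "$bad" ] || { echo "FAIL: sasldb realm '$bad' != smtpd_sasl_local_domain '$domain'"; return 1; }

    # The running smtpd must advertise AUTH, and never ANONYMOUS
    mechs=$(printf '%s\n' "$3" | tr -d '\r' | sed -n 's/^250[- ]AUTH \(.*\)$/\1/p' | head -n 1)
    [ -n "$mechs" ] || { echo "FAIL: no AUTH line; check libsasl7-plug-* rpms and /var/log/mail/errors"; return 1; }
    case " $mechs " in *" ANONYMOUS "*) echo "FAIL: ANONYMOUS offered"; return 1;; esac
    echo "OK: realm $domain, mechanisms: $mechs"
}

# Usage: check_sasl_setup "$(cat /etc/postfix/main.cf)" "$(sasldblistusers)" "$(cat ehlo.txt)"
```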

Enjoy!

Sunday, September 14, 2003

Nokia 3650 iSync Calendar 

finally got my nokia 3650 to sync my calendar using iSync on mac os x. just edit "/Library/Application Support/SyncService/501/SymbianConduitDefaults.plist" and look for "kNSSyncDeviceShouldSlowSyncCalendars". change the next line from false to true. restart isync. woohoo. so this has got to be the first time since i cracked my palm pilot's screen 4 years ago, that i have had a device that actually syncs with my computer properly. still working on getting my zaurus to do the same thing. but then i would have to carry an extra device. :)

okay, now for my rant of the day....

not sure about the format being used there. it's xml but it seems to kinda break the whole point of xml and object oriented data structures by having the order of the objects matter:

<key>kNSSyncDeviceShouldSlowSyncCalendars</key>
<true/>
<key>kNSSyncDeviceShouldSlowSyncContacts</key>
<true/>

why not just use a crusty ini file? They should do something like:

<key name="kNSSyncDeviceShouldSlowSyncCalendars">true</key>

or maybe:

<key name="kNSSyncDeviceShouldSlowSyncCalendars" value="true"/>


that way it wouldn't matter what order the key and values came in. yeash.

stupid engineering is one of my serious pet peeves. followed shortly after by good engineering (such as xml) being misused in stupid ways (like the above example). it should be the underlying drive of every engineer, whether software or hardware, to always develop a solution "the right way." i would go almost so far as to say that engineers have a moral responsibility to create human interfaces that are fluid and intuitive. if a user is going to have to repeat the same task over and over, you don't bury that task 4 clicks deep, you minimize the time and effort required for that task. anything less deteriorates the value of technology. technology was meant to save time and allow the human race to progress even further down whatever twisted path we're headed. if, as an engineer, you create something that takes an extra 4 seconds out of that progress, then you have done a disservice to progress. and should be ashamed of yourself. :)

of course i'm guilty of creating retarded interfaces too. here's hoping i take my own advice....
