Re: PING: Igor S. , regarding Kerberos v4. - BSD


Thread: Re: PING: Igor S. , regarding Kerberos v4.

  1. Re: PING: Igor S. , regarding Kerberos v4.

    Clever Monkey wrote:

    >So, instead you post them to USENET?
    Yes, you make a valid point, Clever Monkey.


    But what else can one do? The project does not have any
    secure mechanism in place that I am aware of.


    It would also be better if the project had a reputation for
    correcting ALL minor flaws that are reported as well as
    ALL reported flaws that impact upon security. I'm not
    saying that I know of any other OS that can compare favorably
    with OpenBSD's reputation as a secure OS (or for its "Quality").


    It's just discouraging to see things continually, like:

    Active Internet connections (including servers)
    Proto Recv-Q Send-Q Local Address Foreign Address (state)
    udp 0 0 *.514 *.*

    ...it's not correct that any application can be allowed to do
    this. Every new OpenBSD user is going to do a "netstat -an -f inet"
    and wonder why udp 514 is being displayed. It's simply not correct to
    just filter it indefinitely; the application should be fixed.


    Some other, far more important flaws exist and should be corrected by
    some clever means, but have not been, and clear and unequivocal
    statements have been made that they will NEVER be fixed. Rather than
    mention the matter just here, I will start another thread. I've been
    EXTREMELY peeved since I first became aware of the situation, not because
    flaws had been found, but that high-level decisions had been summarily made
    to never fix the flaws. To never fix the flaws, or even jettison the entire
    core functionality being provided, rather than actually fix, rewrite, or
    re-design the code.


    Regards, An Odd User.


  2. Re: PING: Igor S. , regarding Kerberos v4.

    "George Orwell" wrote in message
    news:c385a8aa6a1774573bf8da62739855d3@mixmaster.it ...
    >
    > Some other , far more important flaws exist and should be corrected by
    > some clever means , but have not been , and clear and unequivocal
    > statements have been made that they will NEVER be fixed. Rather than
    > mention the matter just here , I will start another thread. I've been
    > EXTREMELY peeved since I first became aware of the situation , not because
    > flaws had been found , but that high-level decisions had been summarily
    > made
    > to never fix the flaws. To never fix the flaws or even jettison the
    > entire
    > core functionality being provided rather than actually fix , rewrite , or
    > re-design the code.


    Rightly or wrongly, I have more faith in the directors of the OpenBSD
    project than you clearly have. Time and time again, they've been proved
    right. I'd be very surprised if they didn't thoroughly understand the
    issues - rather better than either you or me.

    Just a thought.

    Steve
    http://www.fivetrees.com



  3. Re: PING: Igor S. , regarding Kerberos v4.

    George Orwell writes:

    > It's just discouraging to see things continually , like:
    >
    > Active Internet connections (including servers)
    > Proto Recv-Q Send-Q Local Address Foreign Address (state)
    > udp 0 0 *.514 *.*
    >
    > ..it's not correct that any application can be allowed to do
    > this. Every new OpenBSD user is going to do a "netstat -an -f inet"
    > and wonder why udp 514 is being displayed. It's simply not correct to
    > just filter it indefinitely , the application should be fixed.


    A grep of /etc/services or running fstat | grep 514 shows that this
    is for and in use by syslogd. Reading the man page for syslogd gives
    you the necessary information to check if this is a problem or not.
    It says:

    syslogd opens an Internet domain socket as specified in /etc/services.
    Normally syslogd will only use this socket to send messages outwards, but
    in ``insecure'' mode it will also read messages from this socket.
    syslogd also opens and reads messages from the UNIX domain socket
    /dev/log, and from the special device /dev/klog (to read kernel messages).

    It also says that to be ``insecure'' syslogd has to be started with
    the -u option. A ps or a grep of "syslogd" in /etc/rc* will
    show that this is not the case (unless you changed your rc.conf or
    rc.conf.local files).

    Next you're going to tell me that sending syslog messages outwards
    is obsolete. Perhaps on the public internet, but it is still used
    quite often on private nets where there is an otherwise protected
    log server that is started in ``insecure'' mode.

    // marc
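    A scripted form of the checks marc walks through, added here as an
    example (it is not code from the thread or from OpenBSD): it classifies the
    udp/514 socket from captured "netstat -an -f inet" and "ps" output, using
    the rule that syslogd only reads from that socket when started with -u.
    The sample outputs below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread. Classify the udp *.514 socket that
# "netstat -an -f inet" shows on OpenBSD:
#   - udp *.514 is syslogd's socket for forwarding log messages outwards;
#   - syslogd only READS from it when started with -u (``insecure'' mode).
# Inputs are passed as text so the checks also work on captured output.

# Returns 0 if the netstat text contains a UDP socket bound to port 514.
udp514_present() {
    printf '%s\n' "$1" |
        awk '$1 == "udp" && $4 ~ /\.514$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Returns 0 if any syslogd process in the ps text was started with -u.
# The flag is matched as a whole argument so "-u" inside a path cannot match.
syslogd_insecure() {
    printf '%s\n' "$1" |
        awk '/syslogd/ { for (i = 1; i <= NF; i++) if ($i == "-u") found = 1 }
             END { exit found ? 0 : 1 }'
}

# Prints one word: absent | send-only | insecure
classify_syslog_socket() {
    if ! udp514_present "$1"; then echo absent; return; fi
    if syslogd_insecure "$2"; then echo insecure; else echo send-only; fi
}

# Constructed sample output (PIDs and times are made up).
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
udp 0 0 *.514 *.*'
PS_DEFAULT='  PID TT  STAT  TIME COMMAND
11111 ??  Is  0:00.02 syslogd: [priv] (syslogd)
22222 ??  S   0:00.05 /usr/sbin/syslogd'
PS_INSECURE='22222 ??  S   0:00.05 /usr/sbin/syslogd -u'

classify_syslog_socket "$NETSTAT_SAMPLE" "$PS_DEFAULT"    # send-only
classify_syslog_socket "$NETSTAT_SAMPLE" "$PS_INSECURE"   # insecure
# Live check on an OpenBSD host:
# classify_syslog_socket "$(netstat -an -f inet)" "$(ps -axww)"
```

    On a default install the verdict is "send-only", which matches Joachim's
    observation that the socket does not accept messages.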

  4. Re: PING: Igor S. , regarding Kerberos v4.

    Marco S Hyman wrote:
    > George Orwell writes:
    >
    >> It's just discouraging to see things continually , like:
    >>
    >> Active Internet connections (including servers)
    >> Proto Recv-Q Send-Q Local Address Foreign Address (state)
    >> udp 0 0 *.514 *.*
    >>
    >> ..it's not correct that any application can be allowed to do
    >> this. Every new OpenBSD user is going to do a "netstat -an -f inet"
    >> and wonder why udp 514 is being displayed. It's simply not correct to
    >> just filter it indefinitely , the application should be fixed.

    >
    > A grep of /etc/services or running fstat | grep 514 shows that this
    > is for and in use by syslogd. Reading the man page for syslogd gives
    > you the necessary information to check if this is a problem or not.
    > It says:
    >
    > syslogd opens an Internet domain socket as specified in /etc/services.
    > Normally syslogd will only use this socket to send messages outwards, but
    > in ``insecure'' mode it will also read messages from this socket.
    > syslogd also opens and reads messages from the UNIX domain socket
    > /dev/log, and from the special device /dev/klog (to read kernel messages).
    >
    > It also says that to be ``insecure'' syslogd has to be started with
    > the -u option. A ps or a grep of "syslogd" in /etc/rc* will
    > show that this is not the case (unless you changed your rc.conf or
    > rc.conf.local files).


    A quick test, however, will show you that syslog doesn't accept messages
    there, and a quick search will tell you that you're not the first to
    wonder at the above.

    It's a bit strange, but harmless.

    > Next you're going to tell me that sending syslog messages outwards
    > is obsolete. Perhaps on the public internet, but it is still used
    > quite often on private nets where there is an otherwise protected
    > log server that is started in ``insecure'' mode.


    Yes, that's in fact a very good idea in most cases.

    Joachim
