Prefetch Technologies // Keeping your cache lines cozy

Posts in Security

LDAP client deficiencies

security · May 21, 2007 · 2 min read

I have been spending a bit of time lately configuring Solaris and Linux hosts to authenticate against LDAP. Authentication works well on the surface, but the actual client implementations are somewhat lacking. Let's take the Linux pam_ldap module for instance. To authenticate a single session, the pam_ldap module performs thirty-three operations, which includes 7 TCP connections and a number of redundant searches…

When SSH permissions bite!

security · Apr 12, 2007 · 1 min

Last week I set up several Linux and Solaris hosts to use key-based authentication. For some reason two of the hosts continued to prompt me for a password, even though the server and client were configured correctly to use DSA keys (I was using the same config on all of the servers, so I knew it worked). When I traced the sshd daemon on one of the hosts that was misbehaving, I saw the following just before the password prompt was displayed: The strace output made me realize that $HOME/.ssh might not be set to 0700, or the authorized_keys file might not be set to 0600. It turns out the permissions on both entries were set incorrectly, and after adjusting the permissions (which got borked by an incorrect umask entry in /etc/profile), everything worked as expected…

Password expiration attributes in /etc/shadow

security · Jan 21, 2007 · 1 min

Most modern-day UNIX operating systems store password expiration data in /etc/shadow. This expiration data includes the last time a user changed their password, the number of days a user can use a given password, an interval to warn a user that their password is going to expire, etc. There are six fields (I don't count sp_flag since it's reserved for future use) that apply to password expiration, and they are described in the shadow(3) manual page: If you are looking for a nifty tool to help visualize this data, you can check out the super useful chage utility.

Debugging OpenBSD passwd problems

security, openbsd · Jan 6, 2007 · 1 min

I recently had to manually add a few users to /etc/passwd and /etc/master.passwd on an OpenBSD 3.9 server. After I added the entries, the accounts were still unable to login. I started poking around with ktrace, and noticed that during a normal account creation session the files /etc/pwd.db and /etc/spwd.db were modified:

    -rw-r--r--  1 root  wheel    40960 Nov 23 05:38 /etc/pwd.db
    -rw-r-----  1 root  _shadow  40960 Nov 23 05:38 /etc/spwd.db

After seeing this, I went and read up on both of these files. It turns out that /etc/passwd and /etc/master.passwd get converted to database files by pwd_mkdb, and then the database files are used for actual authentication…

Verifying GPG signatures

security · Dec 27, 2006 · 1 min

One of my friends recently asked me how to verify a signature that is distributed with an open-source application. Since I didn't have a machine handy to show him, I thought I would jot this down for him in my blog. The first step in verifying a signature requires locating the public key of the individual who signed the binary. Once you locate the key and validate its authenticity, you can use the gpg "--import" option to import the key…