public inbox for overseers@sourceware.org
* Shift o' crypto on sourceware ?
  2000-12-30  6:08 ` Shift o' crypto on sourceware ? Jason Molenda
@ 2000-05-18 11:51   ` Jason Molenda
  2000-12-30  6:08   ` Jim Kingdon
  2000-12-30  6:08   ` Chris Faylor
  2 siblings, 0 replies; 20+ messages in thread
From: Jason Molenda @ 2000-05-18 11:51 UTC (permalink / raw)
  To: overseers

So it looks like the kerb binaries on sourceware need to be rebuilt with
patched sources, cf
	        http://lwn.net/2000/0518/a/kerberos.html

In case anyone is wondering, I believe tito.cygnus.com is still
spinning with the KerbNet CVS repo on it.  I tarred up a copy of
the repo for Ken Raeburn & Mark Eichin before I left Cygnus - I
also have the sources to various Kerbnet sources on my
compilation-of-all-Cygnus-sources CDs.  I mention this just because
I'm not sure if anyone currently at Cygnus would know what Kerberos
is :-) or where the sources might be.

On the same note, the SSH binary that sysadmin has installed on
sourceware (1.2.26) is old and lame.  The newer and improveder
OpenSSH should really be installed in its place - and the recent
release of OpenSSH can even handle SSH2 keys and protocol.  IIRC
the biggest impediments to switching were (a) you gotta convert
sourceware's host key out of its RSA-encoded form and (b) you gotta
slightly edit the sshd.conf file to work with OpenSSH.

I don't know if rms has looked at OpenSSH yet.  I doubt many people
inside Cygnus really care if Kerberos were to stop working on
sourceware.  With Marc gone, as soon as the Kerberos install at
Cygnus hits any kind of problem, it'll probably be obsoleted and
users told to use SSH in its stead.  In short, I don't know if I'd
personally expend much energy on patching the Kerberos binaries;
I think it'd be time better spent to deprecate them and force people
over to SSH for sourceware.

J

* Re: Shift o' crypto on sourceware ?
  2000-12-30  6:08   ` Chris Faylor
@ 2000-05-18 11:56     ` Chris Faylor
  0 siblings, 0 replies; 20+ messages in thread
From: Chris Faylor @ 2000-05-18 11:56 UTC (permalink / raw)
  To: Jason Molenda; +Cc: overseers

On Thu, May 18, 2000 at 11:50:39AM -0700, Jason Molenda wrote:
>On the same note, the SSH binary that sysadmin has installed on
>sourceware (1.2.26) is old and lame.  The newer and improveder OpenSSH
>should really be installed in its place - and the recent release of
>OpenSSH can even handle SSH2 keys and protocol.

I am running openssh 2.1 here and it does not seem to like logging into
a cygnus machine using v2 protocol.  My tunnels are also mysteriously
stalling since I started using it.

And, it occasionally gives me this warning when logging into any non
openssh machine:

Warning: Server lies about size of server host key: actual size is 1023 bits vs. announced 1024.
Warning: This may be due to an old implementation of ssh.

While that may be a true problem, I'm tired of seeing it repeatedly and
there doesn't seem to be any way to turn it off.

I guess, in short, IMO, openssh is not ready for active endorsement
quite yet.

cgf

>IIRC
>the biggest impediments to switching were (a) you gotta convert
>sourceware's host key out of its RSA-encoded form and (b) you gotta
>slightly edit the sshd.conf file to work with OpenSSH.
>
>I don't know if rms has looked at OpenSSH yet.  I doubt many people
>inside Cygnus really care if Kerberos were to stop working on
>sourceware.  With Marc gone, as soon as the Kerberos install at
>Cygnus hits any kind of problem, it'll probably be obsoleted and
>users told to use SSH in its stead.  In short, I don't know if I'd
>personally expend much energy on patching the Kerberos binaries;
>I think it'd be time better spent to deprecate them and force people
>over to SSH for sourceware.
>
>J

-- 
cgf@cygnus.com                        Cygnus Solutions, a Red Hat company
http://sourceware.cygnus.com/         http://www.redhat.com/

* Re: Shift o' crypto on sourceware ?
  2000-12-30  6:08   ` Jim Kingdon
@ 2000-05-18 12:43     ` Jim Kingdon
  2000-12-30  6:08     ` Jonathan Larmour
  1 sibling, 0 replies; 20+ messages in thread
From: Jim Kingdon @ 2000-05-18 12:43 UTC (permalink / raw)
  To: jason-swarelist; +Cc: overseers

> 	        http://lwn.net/2000/0518/a/kerberos.html

Why not just use the RPM's from

  ftp://ftp.redhat.com/pub/redhat/updates/6.2/i386/krb5*

?  I've been using the 6.2 packages on my workstation and they seem to
work great.

I guess I'll attempt this if I get no objections, although having some
help from someone who has actually adminned a Kerberos server is
probably a good idea ;-).

> In short, I don't know if I'd personally expend much energy on
> patching the Kerberos binaries; I think it'd be time better spent to
> deprecate them and force people over to SSH for sourceware.

Deprecating them may be a good idea but it isn't enough - we need to
either upgrade or remove them.

I've started looking at using SSH for root logins as well as non-root
ones.  Is there an SSH equivalent of ksu?  Or should we just set the
regular password and use su (I don't like this one as it means sharing
a root password)?  Or something like sudo?

* Re: Shift o' crypto on sourceware ?
  2000-12-30  6:08     ` Jonathan Larmour
@ 2000-05-18 12:54       ` Jonathan Larmour
  2000-12-30  6:08       ` Andrew Cagney
  2000-12-30  6:08       ` Jim Kingdon
  2 siblings, 0 replies; 20+ messages in thread
From: Jonathan Larmour @ 2000-05-18 12:54 UTC (permalink / raw)
  To: Jim Kingdon; +Cc: jason-swarelist, overseers

Jim Kingdon wrote:
> I've started looking at using SSH for root logins as well as non-root
> ones.  Is there an SSH equivalent of ksu?  Or should we just set the
> regular password and use su (I don't like this one as it means sharing
> a root password)?  Or something like sudo?

Or just put the relevant public keys in /root/.ssh/authorized_keys and just
do "ssh -l root sourceware.cygnus.com" (or even "ssh -l root localhost" to
do a su equivalent).

Jifl
-- 
Red Hat, 35 Cambridge Place, Cambridge, UK. CB2 1NS  Tel: +44 (1223) 728762
"Plan to be spontaneous tomorrow."  ||  These opinions are all my own fault

* Re: Shift o' crypto on sourceware ?
  2000-12-30  6:08       ` Jim Kingdon
@ 2000-05-18 13:04         ` Jim Kingdon
  2000-12-30  6:08         ` Jason Molenda
  1 sibling, 0 replies; 20+ messages in thread
From: Jim Kingdon @ 2000-05-18 13:04 UTC (permalink / raw)
  To: jlarmour; +Cc: jason-swarelist, overseers

> Or just put the relevant public keys in /root/.ssh/authorized_keys and just
> do "ssh -l root sourceware.cygnus.com" (or even "ssh -l root localhost" to
> do a su equivalent).

Well, I've been avoiding that because a lot of the config files (not
all) are under CVS (or perhaps RCS in a few cases) and I want people
to see who was editing them.

I guess setting LOGNAME manually would work....

* Re: Shift o' crypto on sourceware ?
  2000-12-30  6:08         ` Jason Molenda
@ 2000-05-18 13:40           ` Jason Molenda
  2000-12-30  6:08           ` Jim Kingdon
  1 sibling, 0 replies; 20+ messages in thread
From: Jason Molenda @ 2000-05-18 13:40 UTC (permalink / raw)
  To: Jim Kingdon; +Cc: jlarmour, overseers

On Thu, May 18, 2000 at 04:04:03PM -0400, Jim Kingdon wrote:
> > Or just put the relevant public keys in /root/.ssh/authorized_keys and just
> > do "ssh -l root sourceware.cygnus.com" (or even "ssh -l root localhost" to
> > do a su equivalent).

FWIW I agree that this is the easiest approach.

> Well, I've been avoiding that because a lot of the config files (not
> all) are under CVS (or perhaps RCS in a few cases) and I want people
> to see who was editing them.
> 
> I guess setting LOGNAME manually would work....

You could always set it in the authorized_keys file.  I think this 
would work:

environment="LOGNAME=jsm" 1024 63 22332222....38282 j@molenda.com


J

* Re: Shift o' crypto on sourceware ?
  2000-12-30  6:08       ` Andrew Cagney
@ 2000-05-18 17:02         ` Andrew Cagney
  2000-12-30  6:08         ` Jason Molenda
  1 sibling, 0 replies; 20+ messages in thread
From: Andrew Cagney @ 2000-05-18 17:02 UTC (permalink / raw)
  To: Jonathan Larmour; +Cc: Jim Kingdon, jason-swarelist, overseers

Jonathan Larmour wrote:
> 
> Jim Kingdon wrote:
> > I've started looking at using SSH for root logins as well as non-root
> > ones.  Is there an SSH equivalent of ksu?  Or should we just set the
> > regular password and use su (I don't like this one as it means sharing
> > a root password)?  Or something like sudo?
> 
> Or just put the relevant public keys in /root/.ssh/authorized_keys and just
> do "ssh -l root sourceware.cygnus.com" (or even "ssh -l root localhost" to
> do a su equivalent).

To throw one in from left field.  Should people be allowed to run ssh
locally?

	Andrew

* Re: Shift o' crypto on sourceware ?
  2000-12-30  6:08         ` Jason Molenda
@ 2000-05-18 18:22           ` Jason Molenda
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Molenda @ 2000-05-18 18:22 UTC (permalink / raw)
  To: Andrew Cagney; +Cc: Jonathan Larmour, Jim Kingdon, overseers

On Fri, May 19, 2000 at 10:00:10AM +1000, Andrew Cagney wrote:

> 
> To throw one in from left field.  Should people be allowed to run ssh
> locally?
> 


From a really paranoid security point of view, I'd say "no" (that
is how the cracker got from sourceware.cygnus.com to basil.cygnus.com
when they broke in last summer), but I can't help but think of all
sorts of inconveniences that this would entail.

And inevitably, users will copy in an ssh binary so they can log
out from sourceware to other systems (heck, _I'd_ do it if my IS
people removed the ssh binaries) which would be even weaker than
a centrally controlled ssh.


Jason

* Re: Shift o' crypto on sourceware ?
  2000-12-30  6:08           ` Jim Kingdon
@ 2000-05-19 11:19             ` Jim Kingdon
  2000-12-30  6:08             ` Jeffrey A Law
  1 sibling, 0 replies; 20+ messages in thread
From: Jim Kingdon @ 2000-05-19 11:19 UTC (permalink / raw)
  To: jason-swarelist; +Cc: jlarmour, overseers

> You could always set it in the authorized_keys file.  I think this 
> would work:
> 
> environment="LOGNAME=jsm" 1024 63 22332222....38282 j@molenda.com

OK, I have set this up for me, and verified that CVS is in fact using
LOGNAME.

Tom?  Jeff?  You want to add yourselves to /root/.ssh/authorized_keys?

And, assuming we are about to deinstall Kerberos, how do we notify any
non-root people who are using it?  I'm kind of guessing this is a
pretty small set, but I don't want to be cutting people off on a whim
and getting them all upset (well, actually I do <insert evil laugh
here> but I'm not supposed to admit such things ;-)).

^ permalink raw reply	[flat|nested] 20+ messages in thread
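
Added example, not part of the thread and not the participants' code: a small Python audit for the scheme proposed above, checking that every key in root's authorized_keys carries an environment="LOGNAME=..." option so that edits made as root stay attributable in CVS. The sample file, key material, addresses and function names are constructed for illustration; it handles both the protocol-1 "bits exponent modulus" layout quoted in the thread and the later "keytype base64" layout.

```python
# Added example: audit root's authorized_keys for per-key LOGNAME attribution.
# All key material and names below are constructed, not real keys.

# Prefixes that start a protocol-2 key type (assumed list, not exhaustive).
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

SAMPLE = '''\
# constructed sample for illustration
environment="LOGNAME=jsm" 1024 65537 1234567890123 jsm@example.org
from="10.0.0.*,192.0.2.7",environment="LOGNAME=alice",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB alice@example.org
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA bob@example.org
environment="EDITOR=vi" 1024 35 9876543210 carol@example.org
'''


def unquoted_index(text, stops):
    """Index of the first char in `stops` outside double quotes, else len(text)."""
    in_quote = False
    i = 0
    while i < len(text):
        c = text[i]
        if in_quote and c == "\\" and text[i + 1:i + 2] == '"':
            i += 2                      # skip an escaped quote inside a value
            continue
        if c == '"':
            in_quote = not in_quote
        elif not in_quote and c in stops:
            return i
        i += 1
    return len(text)


def parse_line(line):
    """Return {'comment', 'env', 'options'} for a key line, None otherwise."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, env = [], {}
    first = line.split(None, 1)[0]
    # A line starts with options unless its first field is a protocol-1
    # bit count or a protocol-2 key type.
    if not (first.isdigit() or first.startswith(KEY_TYPES)):
        end = unquoted_index(line, " \t")
        optstr, line = line[:end], line[end:].strip()
        while optstr:
            cut = unquoted_index(optstr, ",")   # commas inside quotes are data
            name, _, value = optstr[:cut].partition("=")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            options.append((name, value))
            if name.lower() == "environment":
                var, _, val = value.partition("=")
                env[var] = val
            optstr = optstr[cut + 1:]
    fields = line.split()
    # Protocol 1: bits exponent modulus [comment]; protocol 2: type blob [comment]
    skip = 3 if fields and fields[0].isdigit() else 2
    return {"comment": " ".join(fields[skip:]), "env": env, "options": options}


def audit(text):
    """List (line number, key comment, LOGNAME or None) for every key."""
    rows = []
    for number, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is not None:
            rows.append((number, entry["comment"], entry["env"].get("LOGNAME")))
    return rows


def unattributed(text):
    """Keys that would log in as root with no per-person LOGNAME set."""
    return [(n, who) for n, who, logname in audit(text) if not logname]


if __name__ == "__main__":
    for number, who, logname in audit(SAMPLE):
        print(f"line {number}: {who}: LOGNAME={logname or 'MISSING'}")
```

Current OpenSSH releases ignore environment= options in authorized_keys unless PermitUserEnvironment is enabled in sshd_config, so a clean audit result only means something when that setting is also checked.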

* Re: Shift o' crypto on sourceware ?
  2000-12-30  6:08             ` Jeffrey A Law
@ 2000-05-19 12:43               ` Jeffrey A Law
  0 siblings, 0 replies; 20+ messages in thread
From: Jeffrey A Law @ 2000-05-19 12:43 UTC (permalink / raw)
  To: Jim Kingdon; +Cc: jason-swarelist, jlarmour, overseers

  In message <200005191819.OAA00647@devserv.devel.redhat.com> you write:
  > > You could always set it in the authorized_keys file.  I think this 
  > > would work:
  > > 
  > > environment="LOGNAME=jsm" 1024 63 22332222....38282 j@molenda.com
  > 
  > OK, I have set this up for me, and verified that CVS is in fact using
  > LOGNAME.
  > 
  > Tom?  Jeff?  You want to add yourselves to /root/.ssh/authorized_keys?
  > 
  > And, assuming we are about to deinstall Kerberos, how do we notify any
  > non-root people who are using it?  I'm kind of guessing this is a
  > pretty small set, but I don't want to be cutting people off on a whim
  > and getting them all upset (well, actually I do <insert evil laugh
  > here> but I'm not supposed to admit such things ;-)).
Actually, we can't completely de-install kerberos.  RMS would throw a fit
as he doesn't consider ssh (even the open versions) suitable for use with
the GNU project at this time.

I don't mind encouraging more folks to move towards ssh, but we can't
decommission krb right now.

jeff
