Security

Using ssh-agent(1) to ease SSH key authentication

| Security

Many SSH clients support a “key agent” or “authentication agent”: a process that holds your decrypted private keys so that you type the passphrase once and every subsequent connection authenticates without prompting.

OpenSSH does not start one for you by default; ssh-agent(1) does the job.

ssh-agent startx

The command above runs the X session as a child of ssh-agent, so every program started in the session inherits SSH_AUTH_SOCK and can talk to the agent. You can then add a private key to it:

ssh-add ~/.ssh/id_dsa

Add your own key (the path above is only an example).

From then on ssh authenticates automatically. Note that you may need ssh -A in certain configurations: -A forwards the agent connection to the remote host, so a second hop from that host can authenticate with your keys, but while you are connected anyone with root on that host can use the forwarded agent too.
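The same procedure in a plain shell (not under X), as an added example that is not part of the original post: start an agent for the current shell, load a key with a lifetime so the agent forgets it on its own, count what is loaded, and use ProxyJump instead of agent forwarding for a two-hop connection. It assumes an OpenSSH client and an ed25519 key at $HOME/.ssh/id_ed25519; the id_dsa key used above is refused by OpenSSH 7.0 and later unless ssh-dss is explicitly re-enabled. The host names in via_bastion are placeholders.

```shell
# start_agent: launch ssh-agent for this shell. "ssh-agent -s" prints shell
# commands that export SSH_AUTH_SOCK and SSH_AGENT_PID; eval applies them.
start_agent() {
  eval "$(ssh-agent -s)" >/dev/null
}

# add_key KEYFILE [SECONDS]: load a private key; the agent drops it after
# SECONDS (default one hour), which limits how long a stolen socket is useful.
add_key() {
  ssh-add -t "${2:-3600}" "$1"
}

# loaded_keys: number of identities the agent currently holds (0 if none;
# "ssh-add -l" exits non-zero when the agent is empty).
loaded_keys() {
  if ssh-add -l >/dev/null 2>&1; then
    ssh-add -l | wc -l | tr -d ' '
  else
    echo 0
  fi
}

# via_bastion BASTION TARGET: reach TARGET through BASTION without "ssh -A".
# ProxyJump (OpenSSH 7.3+) tunnels the second connection through the first,
# so the bastion never sees the agent and cannot sign with your keys.
via_bastion() {
  ssh -J "$1" "$2"
}

# stop_agent: kill the agent started by start_agent (uses SSH_AGENT_PID).
stop_agent() {
  ssh-agent -k >/dev/null
}

# Typical session (assumed key path):
#   start_agent
#   add_key "$HOME/.ssh/id_ed25519" 28800
#   via_bastion bastion.example.org internal.example.org
#   stop_agent
```

If you must hop through hosts that cannot be reached with -J, keep -A for that one connection only rather than setting ForwardAgent yes globally in ~/.ssh/config.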


OpenBSD, quietly making progress

| Security

Author: Builder.com, Wednesday, October 20 2004 12:02 PM

As October arrives, Theo de Raadt, project lead of the open-source operating system OpenBSD, will join five other developers for an extended stay in his hometown of Calgary, Canada, packing convenience food, hiking in the mountains, enjoying beer and talking at length about OpenBSD's future.

At the same time they will be putting the finishing touches on the next OpenBSD release, due November 1, the latest product of a disciplined design process that has delivered a new release every six months for the past ten years.

Read the full post…

More and more Linux vulnerabilities - Can *YOU* even trust such a kernel?

| Security

They did it again!

CAN-2005-0176
CAN-2005-0177
CAN-2005-0178
CAN-2005-0449

Before patching your already fragile kernel, consider other true Open Source operating systems, like FreeBSD and DragonFlyBSD!

Bruce Schneier's blog reports that SHA-1 has been broken

| Security

The final end of a myth…

http://www.schneier.com/blog/archives/2005/02/sha1_broken.html


A vulnerability, a threat, and you lose root: that's Linux.

| Security

Every quarter we get the same news: Linux did it again!

Yes, they DID it again. Many sites fell victim during the latest mass scan for the awstats vulnerability; the best-known are www.phpbb.com and moto.debian.org.tw. Google the cracker group and you will find more.

Why is Linux vulnerable to these attacks again and again? Why don't other systems suffer such serious security problems even when an exploit is published? The answer is apparent: Linux has the worst record of all operating systems, Windows included. Imagine a kernel that lets ordinary users gain root privilege.

Read the full post…

Applied the "NOFOLLOW" plugin

| Security

Following arved’s port change, I added the official NOFOLLOW plugin to the plugins directory.

This is useful because Google does not follow links marked rel="nofollow" when computing page rank, which removes the benefit a spammer gets from dropping links into blog comments.
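An added example, not the plugin's own code, of the rewrite such a plugin applies to comment HTML before rendering it: every anchor gets rel="nofollow", and an anchor that already carries a rel attribute has nofollow appended to it (once, even if it is already there). It is plain sed, so it assumes double-quoted attributes and an anchor tag that does not span lines; the sample comment is constructed for the demonstration.

```shell
# add_nofollow: read HTML on stdin, write it with rel="nofollow" on every <a>.
add_nofollow() {
  sed -E \
    -e 's/<a( [^>]*)? rel="([^"]*)"/<a__rel__\1 rel="\2 nofollow"/g' \
    -e 's/(rel="([^"]* )?nofollow[^"]*) nofollow"/\1"/g' \
    -e 's/<a ([^>]*)>/<a rel="nofollow" \1>/g' \
    -e 's/<a__rel__/<a/g'
}
# Step 1 marks anchors that already have rel= (renaming the tag to <a__rel__
# so step 3 skips them) and appends " nofollow" to the existing value.
# Step 2 removes the appended token if nofollow was already present.
# Step 3 inserts rel="nofollow" into every remaining anchor.
# Step 4 restores the marked tags.

# Constructed sample comment with three link styles.
SAMPLE_COMMENT='<p>see <a href="http://spam.example/">x</a> and <a href="http://x/" rel="noopener">y</a> and <a rel="nofollow" href="http://z/">z</a></p>'

# rewrite_sample: run the rewrite over the sample and return the result.
rewrite_sample() {
  printf '%s\n' "$SAMPLE_COMMENT" | add_nofollow
}
```

Run it as `rewrite_sample` or pipe any comment body through `add_nofollow`; a real plugin would do this on the server at render time so that the stored comment text is left untouched.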


When to validate whether a program is accepting potentially malicious input?

| Security

What is privilege elevation? It means that someone (maliciously) obtains a higher privilege by a route the programmer did not anticipate.

To prevent it, we should avoid granting unnecessary privileges and validate all input. In an imperfect world, however, validating everything is not enough: too many things cannot be validated easily.

On most Unix systems the set-user-ID bit lets a program run under credentials other than the caller's. That opens a window: if such a program can be made to execute attacker-controlled code, that code runs with the higher privilege.
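The "avoid giving unnecessary privileges" half of the advice is something you can check mechanically. As an added example (not from the original post), the functions below list every set-user-ID file under a directory and clear the bit on those not on an allowlist, which shrinks the window described above to the programs that genuinely need it. The allowlist is an assumption to be adjusted per system; the test directory and files are constructed for the demonstration.

```shell
# list_setuid DIR: print regular files under DIR with the set-user-ID bit,
# one per line, sorted. Works the same on FreeBSD and Linux find(1).
list_setuid() {
  find "$1" -type f -perm -4000 2>/dev/null | sort
}

# strip_setuid DIR ALLOWLIST: clear the set-user-ID bit on every setuid file
# under DIR whose basename is not in the space-separated ALLOWLIST, and print
# each file that was changed. Programs kept setuid still need careful input
# handling; the point here is to reduce how many of them there are.
strip_setuid() {
  dir=$1
  keep=" $2 "
  list_setuid "$dir" | while IFS= read -r f; do
    base=$(basename "$f")
    case "$keep" in
      *" $base "*) ;;                         # on the allowlist: leave it
      *) chmod u-s "$f" && printf '%s\n' "$f" ;;
    esac
  done
}

# Example invocation on a real system (assumed allowlist; run as root):
#   strip_setuid /usr/bin "su passwd"
```

Run `list_setuid /` first and review the output before stripping anything; a setuid program that stops working will usually fail loudly the first time an unprivileged user runs it.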

Read the full post…

Spam, spam, spam!!

| Security

It seems that there are some keywords in the central clearing house and I can’t update the blacklist… Maybe we should create a new one!

skeljail implemented in the RCng way

| Security

I have finally got skeljail implemented the RCng way. After some testing I will post the patch for review.

A skel jail is a jail that shares the essential binaries and libraries of the base system (or, optionally, another base template) through mount_nullfs, so each jail carries only its own configuration and data.
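An added example, not the skeljail patch itself, of the mount layout such a jail needs: the shared base directories are nullfs-mounted into the jail root read-only, so a compromised jail cannot modify the binaries and libraries it shares with the host (or with the template jail). The list of shared directories and the jail paths are assumptions; which directories stay private and writable (/etc, /var, /tmp, /usr/local and so on) depends on the service. skeljail_fstab only prints fstab(5) lines and runs anywhere; skeljail_mount performs the mounts and is FreeBSD-only.

```shell
# Base-system directories shared read-only with every skel jail (assumed list).
SKEL_SHARED="/bin /sbin /lib /libexec /usr/bin /usr/sbin /usr/lib /usr/libexec /usr/share"

# skeljail_fstab JAILROOT [BASE]: print one fstab(5) line per shared directory,
# mounting BASE/dir (default: the host's /dir) onto JAILROOT/dir via nullfs,
# read-only. Suitable for /etc/fstab.<jailname> with jail(8).
skeljail_fstab() {
  root=$1
  base=${2:-}
  for d in $SKEL_SHARED; do
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "${base}${d}" "${root}${d}"
  done
}

# skeljail_mount JAILROOT [BASE]: perform the same mounts directly
# (FreeBSD only, needs root). Mount points are created as needed.
skeljail_mount() {
  root=$1
  base=${2:-}
  for d in $SKEL_SHARED; do
    mkdir -p "${root}${d}"
    mount -t nullfs -o ro "${base}${d}" "${root}${d}"
  done
}

# Example (assumed paths): share the host base into /usr/jails/www
#   skeljail_fstab /usr/jails/www > /etc/fstab.www
# or share a prepared template instead of the live host:
#   skeljail_mount /usr/jails/www /usr/jails/template
```

The ro option is the security-relevant part: without it a root process inside the jail could replace /bin/sh for the host and every other jail sharing the template.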


How to disable Outlook's level 1 attachment blocking feature

| Security

I’d say I really dislike this feature: it always prevents me from receiving attachments and does not actually block viruses, since I have some carefully designed security mechanisms installed on my computer.

Of course someone may say “Outlook sucks, don’t use it!”, but I won’t say that. Outlook is a great product that is very safe if you have configured it *CORRECTLY*. Attachment blocking, while it may be useful for inexperienced users, harms experienced and highly security-aware users who communicate with inexperienced folks.

Read the full post…