<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.1F.i">
<TITLE>The Answer Guy 35: FS Security using Linux</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
<img src="../../gx/dennis/qbubble.gif" alt="(?)" border="0" align="middle">
<font color="#B03060">The Answer Guy</font>
<img src="../../gx/dennis/bbubble.gif" alt="(!)" border="0" align="middle">
</A></H1>
<BR>
<H4>By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
Starshine Technical Services,
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
</H4>
</center>

<p><hr><p>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif" height="50" width="60"
alt="(?) " border="0">Crypto Support for Linux</H3>

<p><strong>From dreamwvr, August sometime in 1998
(in an old thread on the Linux-Admin List which
I've been reading as part of the research for my book).
</strong></p>
<!-- begin 15 -->
<P><STRONG>I believe it is called efs which stands for encrypted file system...
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" alt="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
><FONT COLOR="#000099"><EM>
Glynn Clements wrote:
<br>There is Matt Blaze's CFS (cryptographic filesystem) which
is basically a userspace filesystem over NFS to the loopback
interface. This was part of a larger package called ESM,
encrypted session manager. That wasn't Linux specific, but
does work under it.
</em></font></BLOCKQUOTE>
<P><STRONG><FONT COLOR="#000066"><EM><IMG SRC="../../gx/dennis/qbub.gif"
ALT="(?)" HEIGHT="28" WIDTH="50" BORDER="0"
>Joseph Martin wrote:
<br>I am helping a friend set up a new computer system. He is
particularly interested in security. The regular linux authentication at
the console should work well enough, however I was wondering about even
more security. Are there any encrypted file systems we could set up? For
example the computer boots up, loads the system from an ext2 partition and
then presents a login prompt. After login a mount command is given, a
password supplied and the partition data made visible and accessible. After
use of partition it is unmounted and rendered unusable again. Anything
like that exist?
</EM></FONT></STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" alt="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
><FONT COLOR="#000099"><EM>
You can use the loop device, which turns a file into a device which
can then be mounted (assuming that it contains a valid filesystem).
</EM></FONT></blockquote>
<blockquote><FONT COLOR="#000099"><EM>
The loop device supports on-the-fly encryption/decryption using DES or
IDEA (but you have to get the appropriate kernel source files
separately; they aren't part of the standard kernel source due to
legal nonsense).
</EM></FONT></blockquote>
<blockquote><FONT COLOR="#000099"><EM>
Alternatively, you can just encrypt the file with any encryption
package (e.g. PGP), and decrypt it before mounting. However, this
requires sufficient disk space to store two copies of the file.
</EM></FONT></blockquote>
<blockquote><FONT COLOR="#000099"><EM>
Glynn Clements
</EM></FONT></blockquote>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" alt="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>There is also the TCFS --- a transparent CFS from Italy. This
is Linux specific code. (<A HREF="http://tcfs.dia.unisa.it"
>http://tcfs.dia.unisa.it</A>)
</BLOCKQUOTE>
<BLOCKQUOTE>
There was also supposed to be a userfs module for encryption
--- but I don't know if that was ever completed to production
quality.
</BLOCKQUOTE>
<BLOCKQUOTE>
The best place to get most crypto code is to just fetch it
from <A HREF="ftp://ftp.replay.com">ftp://ftp.replay.com</A> (or
<A HREF="http://www.replay.com">http://www.replay.com</A>) which is
located offshore (Netherlands?) to put it beyond the
jurisdiction of my government's inane trade regulations.
(Apologies to the free world).
</BLOCKQUOTE>
<BLOCKQUOTE>
I thought I read on the kernel list that
<A HREF="http://www.kerneli.org">http://www.kerneli.org</A>
was supposed to be a site where
international (non-U.S. exportable) patches would be gathered
and made available. However that address only returns a lame
one line piece of text to lynx. I fared better with their ftp
site at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="ftp://ftp.kerneli.org/pub/Linux/kerneli/v2.1"
>ftp://ftp.kerneli.org/pub/Linux/kerneli/v2.1</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
Where I saw a list of files of the form: <tt>patch-int-2.1.*</tt>
(which I presume are "international" patches).
</BLOCKQUOTE>
<BLOCKQUOTE>
Userspace toys can be found in:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="ftp://ftp.kerneli.org/pub/Linux/redhat-contrib/hacktic/i386"
>ftp://ftp.kerneli.org/pub/Linux/redhat-contrib/hacktic/i386</A>
</code></BLOCKQUOTE>
(RPM format, of course).
</BLOCKQUOTE>
<BLOCKQUOTE>
Meanwhile the loopfs encryption module seems to be located at
Linux Mama (canonical home of unofficial Linux kernel patches)
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.linuxmama.com/dev-server.html"
>http://www.linuxmama.com/dev-server.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
which has a link to:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="ftp://fractal.mta.ca/pub/crypto/aem"
>ftp://fractal.mta.ca/pub/crypto/aem</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
TCFS is also suitable for encryption of files on an NFS server
(only the encrypted blocks traverse your network --- the
client system does the decryption. That's a big win for
security <EM>and</EM> performance).
</BLOCKQUOTE>
<BLOCKQUOTE>
As for encryption of other network protocols: There's the
standard ssh, ssltelnet/sslftp (SSLeay), STEL, suite for
applications layer work, and a couple of IPSec projects for
Linux at the network/transport layer. A friend of mine has
been deeply interested in the <A HREF="http://www.xs4all.nl/~freeswan/"
>FreeS/WAN</A> project at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.xs4all.nl/~freeswan"
>http://www.xs4all.nl/~freeswan</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... or at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.flora.org/freeswan">http://www.flora.org/freeswan</A>
</code></BLOCKQUOTE>(a mirror)</BLOCKQUOTE>
<BLOCKQUOTE>
... This consists of a kernel patch and some programs to
manage the creation of keys etc.
</BLOCKQUOTE>
<BLOCKQUOTE>
The idea of the <A HREF="http://www.xs4all.nl/~freeswan/">FreeS/WAN</A>
project is to provide opportunistic
host-to-host encryption at the TCP/IP layer. In other words
my Linux router would automatically attempt to create a secure
context (tunnel/route) when communicating with your IPSec
enabled system or router. Similar projects are underway for
<A HREF="http://www.freebsd.org/">FreeBSD</A>, a few routers like Cisco,
and even NT.
</BLOCKQUOTE>
<BLOCKQUOTE>
Anyway I haven't tried it recently but I hear that it's almost
ready for prime time.
</BLOCKQUOTE>
<BLOCKQUOTE>
One of the big issues is that FreeS/WAN isn't designed for
manual VPN use --- so its command line utilities for testing
this are pretty crude (or were, last time I tried them). On
the other hand we still don't have wide deployment of
Secure-DNS --- which is necessary before we can trust those
DNS "KEY" RR's. So, for now, all FreeS/WAN and other S/WAN
secure contexts involve some other (non-transparent) key
management hackery.
</BLOCKQUOTE>
<BLOCKQUOTE>
Hopefully someone will at least create a fairly simple
front end script for those of us that want to "just put up
a secure link" between ourselves and a remote office or
"strategic business partner."
</BLOCKQUOTE>
<BLOCKQUOTE>
Also FreeS/WAN has focused its effort on the 2.0.x kernels.
When 2.2 ships there will be another, non-trivial, effort
required to adapt the KLIPS (kernel level IP security?)
code to the new TCP/IP stack. The addition of LSF (linux
socket facility --- a BPF-like interface) should make that
easier --- but it still sounds like it will be a pain.
</BLOCKQUOTE>
<BLOCKQUOTE>
There's apparently also an independent implementation of
IPSec for Linux from University of Arizona (Mason Katz).
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.cs.arizona.edu/xkernel/hpcc-blue/linux.html"
>http://www.cs.arizona.edu/xkernel/hpcc-blue/linux.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... however this doesn't seem to offer any of the crypto
code, even through some sort of hoops (like MIT's
"prove-you're-a-U.S.-citizen/resident" stuff). I've copied
Mason on this (Bcc) so he can comment if he chooses.
I've also copied Kevin Fenzi and Dave Wreski in case they
want to incorporate any of these links into their Linux
Security HOWTO.
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://sunsite.unc.edu/LDP/HOWTO/mini/VPN.html"
>http://sunsite.unc.edu/LDP/HOWTO/mini/VPN.html</A>
<br><A HREF="http://sunsite.unc.edu/LDP/HOWTO/Security-HOWTO.html"
>http://sunsite.unc.edu/LDP/HOWTO/Security-HOWTO.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
An alternative to FreeS/WAN for now is to use VPS
<A HREF="http://www.strongcrypto.com">http://www.strongcrypto.com</A>
with '<tt>ssh</tt>'. This basically creates a pppd "tunnel" over a specially
conditioned ssh connection. You have to get your copy of '<tt>ssh</tt>' from
some other site, for the usual reasons.
</BLOCKQUOTE>
<BLOCKQUOTE>
Yet another alternative to these is CIPE (cryptographic IP
encapsulation?) at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://sites.inka.de/sites/bigred/devel/cipe.html"
>http://sites.inka.de/sites/bigred/devel/cipe.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... which used encrypted UDP as the main transport.
</BLOCKQUOTE>
<BLOCKQUOTE>
Of course we shouldn't forget our venerable old three head dog
of mythic fame: Kerberos. This old dog is voted most likely
to be our future authentication and encryption infrastructure
(if for no other reason than the fact that Microsoft has vowed
to "embrace and extend" --- e.g. "engulf and extinguish" it
with Windows <strike>NT v5.0</strike>2000).
</BLOCKQUOTE>
<BLOCKQUOTE>
The canonical web page for MIT Kerberos seems to be at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://web.mit.edu/kerberos/www">http://web.mit.edu/kerberos/www</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... some news on that front is that Kermit version 6.1
is slated to include support for Kerberos authentication and
encryption. More on that is on their web site:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.columbia.edu/kermit/ck61.html"
>http://www.columbia.edu/kermit/ck61.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... on the international front I hope to see the Heimdal
project (from Sweden) reach production quality very soon.
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.pdc.kth.se/heimdal">http://www.pdc.kth.se/heimdal</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
When I talked to a couple of the developers of Heimdal I asked
some hard questions about things like support SOCKS proxy (by
their Kerberized clients), and support for one-time-passwords,
support for NIS/NIS+ (nameservices lookups), etc. They seemed
to have all the right answers on all counts.
</BLOCKQUOTE>
<BLOCKQUOTE>
All that and it's free.
</BLOCKQUOTE>
<BLOCKQUOTE>
Another European effort that is not nearly as attractive to
us "free software fanatics" is the SESAME project (Secure
European System for Applications in a Multi-vendor
Environment)
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.esat.kuleuven.ac.be/cosic/sesame"
>http://www.esat.kuleuven.ac.be/cosic/sesame</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
The SESAME license only allows for free "experimental" use ---
no free distribution, no installation for customers, and no
"production use." Worse than all that no indication is made
as to how much licensing would cost (say for individual use by
a consultant). It appears to be geared towards limited
distribution to "big" clients (the owners seem to be Bull SA,
of France).
</BLOCKQUOTE>
<BLOCKQUOTE>
However, they have some interesting ideas and their web pages
are well worth reading. The suite of libraries seems to
offer some worthwhile extensions over Kerberos.
</BLOCKQUOTE>
<BLOCKQUOTE>
Some other pointers to cryptographic software are
at Tatu Ylonen's (author of ssh) pages:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.cs.hut.fi/crypto/software.html"
>http://www.cs.hut.fi/crypto/software.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
(I've also copied Arpad Magosanyi, author of the
VPN mini-HOWTO, in the hopes that he can find the time
to integrate some of these notes into his HOWTO ---
perhaps just as a list of references to other packages
near the end).
</BLOCKQUOTE>
<BLOCKQUOTE>
Of course the main thrust of Linux security has nothing
to do with cryptography. An over-riding concern is
that any privileged process might be subverted to take
over the whole system.
</BLOCKQUOTE>
<BLOCKQUOTE>
Bugs in <tt>imapd</tt>, <tt>in.popd</tt>, <tt>mountd</tt>, etc.
continue to plague Linux admins.
</BLOCKQUOTE>
<BLOCKQUOTE>
If security is really your friend's top interest and concern,
and he's planning on running a general purpose Unix system
with a mixture of common daemons (network services) and
applications on it, I'd really have to recommend
<A HREF="http://www.openbsd.org/">OpenBSD</A>
<A HREF="http://www.openbsd.org">http://www.openbsd.org</A>.
That is considered by many to be the
most secure "out of the box" version of Unix available to the
general market today. (In the realm of commercial Unix, I've
heard good things about BSDI/OS (<A HREF="http://www.bsdi.com"
>http://www.bsdi.com</A>).)
</BLOCKQUOTE>
<BLOCKQUOTE>
That is not to say that Linux is hopeless. Alan Cox has been
co-ordinating a major Linux Security Audit project at
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.eds.org/audit">http://www.eds.org/audit</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
or:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://lwn.net/980806/a/secfaq.html"
>http://lwn.net/980806/a/secfaq.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
There's also a set of "Secure Linux kernel patches" by
Solar Designer (I don't know his conventional name ---
everyone on the lists refers to him by this handle).
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.false.com/security/linux/index.html"
>http://www.false.com/security/linux/index.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
These are a set of patches that prevent a couple of the most
common sorts of exploits (buffer overflows and symlinks
in <TT>/tmp</TT> and other world-writable directories).
</BLOCKQUOTE>
<BLOCKQUOTE>
However, these patches are for 2.0.x kernels. They've been
firmly rejected by Linus for inclusion into future kernels in
favor of a more flexible and general (and more complicated)
approach.
</BLOCKQUOTE>
<BLOCKQUOTE>
Linux version 2.2 will support a "capabilities lists"
(privileges) feature. This splits the SUID 'root' mechanism
into a few dozen separate privileged operations. By default
the system maps 'root' and 'SUID root' to setting all of these
privileges as "enabled" and "inheritable." A <tt>sysctl()</tt> call
allows a program to blank some or all of these bits,
preventing it and (if one is clearing the "inheritable" bits)
all of its descendants (all the processes it creates) from
exercising these operations.
</BLOCKQUOTE>
<BLOCKQUOTE>
This should allow us to emulate the BSD securelevel if we want
to (create a little userspace utility that clears the
appropriate "inheritable" bits and then <tt>exec()</tt>'s '<tt>init</tt>' ---
now <EM>all</EM> processes are unable to perform these operations).
</BLOCKQUOTE>
<BLOCKQUOTE>
It's also nice in that it's more flexible than the BSD
'securelevel' feature. For example you could just strip the
privilege bits from 'inetd' and your various networking
daemons. This would mean that the attacker would have to
trick some console/serial line controlled process into
executing any exploit code.
</BLOCKQUOTE>
<BLOCKQUOTE>
The eventual plan is to add support for the additional bits in
the filesystem. That won't happen for 2.2 --- but will likely
be one of the planned projects for 2.3. These filesystem
attributes would be like a whole vector of SUID like bits ---
each enabling one privilege. So each program that you'd
currently make SUID 'root' would get a (hopefully) small
subset of the privileges. If that sounds complicated and
<EM>big</EM> --- then you understand. This is essentially what the
MLS/CMW "B2-level" secure versions of commercial Unix do. (As
described in the TCSEC "orange book" from what I hear).
</BLOCKQUOTE>
<BLOCKQUOTE>
As a stopgap measure I hope that someone writes a wrapper
utility that allows me (as an admin) to "manually" start
programs with a limited set of privileges. This would allow
me to write scripts, started as 'root' that would strip all
unnecessary privs, and exec some other program (such as
'<tt>dump</tt>' or '<tt>sendmail</tt>' or '<tt>imapd</tt>' etc).
(Such a wrapper would
also allow a developer or distribution maintainer to easily
test what privs a particular package really needed to work).
</BLOCKQUOTE>
<BLOCKQUOTE>
So, that's an overview of the Linux crypto and security.
There are just too many web resources on this subject to list
them all, and there is obviously plenty of work being done on
this all the time. The major constraint on any new security
work is the need to support Unix and all the existing and
portable Unix/Linux packages.
</BLOCKQUOTE>

<!-- end 15 -->
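<P>The wrapper utility wished for in the answer above, as an added example (not code from the column or from the kernel project): it drops capabilities with the interfaces that later mainline kernels provide, <tt>prctl(PR_CAPBSET_DROP)</tt> and <tt>capset()</tt>, rather than the <tt>sysctl()</tt> call the column mentions. The name <tt>capwrap</tt>, its command-line syntax and the short capability-name table are assumptions made for illustration.</P>

```c
/* capwrap.c -- added example, not from the column: exec a program as root
 * with every capability removed except the ones named on the command line.
 * Build: cc -o capwrap capwrap.c
 * Run as root: ./capwrap net_bind_service /path/to/daemon  (placeholder path)
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Names this example accepts; an illustrative subset of <linux/capability.h>. */
static const struct { const char *name; int cap; } cap_names[] = {
    {"chown", CAP_CHOWN},           {"dac_override", CAP_DAC_OVERRIDE},
    {"kill", CAP_KILL},             {"setgid", CAP_SETGID},
    {"setuid", CAP_SETUID},         {"net_bind_service", CAP_NET_BIND_SERVICE},
    {"net_admin", CAP_NET_ADMIN},   {"net_raw", CAP_NET_RAW},
    {"sys_chroot", CAP_SYS_CHROOT}, {"sys_admin", CAP_SYS_ADMIN},
};

/* Parse "a,b,c" into a bitmask of capabilities to keep. "" keeps nothing.
 * Returns 0 on success, -1 on an unknown or empty name (fail closed). */
int parse_keep_list(const char *list, uint64_t *mask)
{
    const size_t n = sizeof cap_names / sizeof cap_names[0];
    uint64_t m = 0;

    while (*list) {
        size_t len = strcspn(list, ","), i;
        for (i = 0; i < n; i++)
            if (strlen(cap_names[i].name) == len &&
                strncmp(cap_names[i].name, list, len) == 0)
                break;
        if (i == n)
            return -1;
        m |= 1ULL << cap_names[i].cap;
        list += len;
        if (*list == ',')
            list++;
    }
    *mask = m;
    return 0;
}

/* Remove everything outside `keep` from the calling process.
 * Order matters: shrinking the bounding set needs CAP_SETPCAP, so do that
 * before capset() gives CAP_SETPCAP up. Returns 0 on success, -1 on error. */
int drop_all_but(uint64_t keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    int cap;

    /* 1. Bounding set: what is dropped here cannot come back through any
     *    later execve(), including SUID-root binaries run by descendants.
     *    PR_CAPBSET_READ fails once `cap` is past the kernel's last one. */
    for (cap = 0; cap < 64 && prctl(PR_CAPBSET_READ, cap, 0, 0, 0) >= 0; cap++)
        if (!(keep & (1ULL << cap)) &&
            prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            return -1;

    /* 2. Permitted, effective and inheritable sets of this process. For
     *    UID 0 the sets after execve() are derived from inheritable and
     *    bounding, so the new program starts with exactly `keep`. */
    data[0].effective = data[0].permitted = data[0].inheritable = (uint32_t)keep;
    data[1].effective = data[1].permitted = data[1].inheritable = (uint32_t)(keep >> 32);
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(int argc, char **argv)
{
    uint64_t keep = 0;

    if (argc < 3) {
        fprintf(stderr, "usage: %s cap[,cap...]|none program [args...]\n", argv[0]);
        return 2;
    }
    if (parse_keep_list(strcmp(argv[1], "none") ? argv[1] : "", &keep) != 0) {
        fprintf(stderr, "%s: unknown capability in '%s'\n", argv[0], argv[1]);
        return 2;
    }
    if (drop_all_but(keep) != 0) {
        perror("dropping capabilities");
        return 1;
    }
    execvp(argv[2], &argv[2]);   /* only returns on failure */
    perror(argv[2]);
    return 127;
}
```

<P>The started program still runs as UID 0, so files owned by root remain writable to it; what the wrapper removes is the kernel privileges, not the file ownership.</P>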
<p><hr width="40%" align="center"><p>
<!-- ::::::::::::::::::::::::::::::::::::::::::: -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif" height="50" width="60"
alt="(?) " border="0">Crypto Support ... What Book?</H3>

<p><strong>From Dave Wreski on Mon, 09 Nov 1998
</strong></p>
<!-- begin 13 -->
<P><STRONG><FONT COLOR="#000066"><EM>
(From an old thread on the Linux-Admin List which
I've been reading as part of the research for my book).
</EM></FONT></STRONG></P>
<P><STRONG>
Hey Jim. I was just wondering what kind of book you are writing? Is this
a linux-specific security book?
</STRONG></P>
<P><STRONG>
Dave
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" alt="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Linux Systems Administration (for Macmillan Computer
Publishing <A HREF="http://www.mcp.com">http://www.mcp.com</A>).
</BLOCKQUOTE>
<BLOCKQUOTE>
Since I consider security to permeate all aspects of
systems administration, there will be quite a bit of that
intertwined with my discussions of requirements analysis,
recovery and capacity planning, maintenance and automation
etc.
</BLOCKQUOTE>

<!-- end 13 -->
<p><hr width="40%" align="center"><p>
<!-- ::::::::::::::::::::::::::::::::::::::::::: -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif" height="50" width="60"
alt="(?) " border="0">FS Security using Linux</H3>

<p><strong>From AZ75 on Tue, 10 Nov 1998
</strong></p>
<!-- begin 11 -->
<P><STRONG>
Hello, My name is Jim Xxxxxx and I am a US citizen. I would like to have a
copy of the crypto code sent to me for testing if that's possible.
I am at: ....
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" alt="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
I think you misunderstand part of this thread.
</BLOCKQUOTE>
<BLOCKQUOTE>
I wrote an article (posted to the Linux-admin mailing list
and copied to my editors at the Linux Gazette, and to a
couple of involved parties and HOWTO authors). In that
article I referred to the work of Mason Katz.
</BLOCKQUOTE>
<BLOCKQUOTE>
Mason wrote one of the two implementations of IPSec for
Linux. Please go to
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.cs.arizona.edu/xkernel/hpcc-blue/linux.html"
>http://www.cs.arizona.edu/xkernel/hpcc-blue/linux.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... and take particular note of this:
</BLOCKQUOTE>
<BLOCKQUOTE>
You may request the export controlled sections by sending email to
<A HREF="mailto:mjk@cs.arizona.edu">mjk@cs.arizona.edu</A>
</BLOCKQUOTE>
<BLOCKQUOTE>
... at the bottom.
</BLOCKQUOTE>
<BLOCKQUOTE>
Also, if you read the notes more thoroughly, you'll
find a comment that:
</BLOCKQUOTE>
<BLOCKQUOTE><blockquote><font color="#000066"><em>
Although we are not currently tracking the IPSEC architecture, we
believe that the released version can be brought up to date and
extended to allow for more services.
</em></font></blockquote></BLOCKQUOTE>
<BLOCKQUOTE>
... which means that this implementation is probably out
of sync with recent revisions to IPSec. That means that
coding work would have to be done to make it interoperable
with other implementations.
</BLOCKQUOTE>
<BLOCKQUOTE>
I think you'd be far better off with the Linux
<A HREF="http://www.xs4all.nl/~freeswan/">FreeS/WAN</A>
implementation. In that case you'll be importing the
code from the Netherlands. The stated goal of the Linux
FreeS/WAN project is to provide a fully interoperable,
standard implementation of IPSec.
</BLOCKQUOTE>
<BLOCKQUOTE>
I still don't know what they're going to do about
key management and Secure-DNS. I can't pretend to
have sorted out the morass of competing key management
specifications: Photuris, ISAKMP/Oakley, SKIP, IKE, etc.
The Pluto utility with FreeS/WAN implements some sort
of IKE with ISAKMP for part of the job (router-to-router
mutual authentication?). The
<A HREF="http://www.openbsd.org/">OpenBSD</A> IPSec uses Photuris
--- and I don't know of a Linux port of that. Presumably
an interested party in some free country could port the
OpenBSD Photuris to use the same interfaces to FreeS/WAN's
KLIPS (kernel level IP security) as Pluto. My guess is
that the two key management protocols could work
concurrently (your FreeS/WAN host could conceivably
establish SA -- security associations -- with IKE hosts
through Pluto and with Photuris hosts) although I don't
know how each end would know which key management protocol
to use.
</BLOCKQUOTE>
<BLOCKQUOTE>
I came across one reference to an alleged free
implementation of Sun's SKIP for Linux in an online
back issue of UnixReview Magazine (now called Performance
Computing). That made a passing reference with no URL.
</BLOCKQUOTE>
<BLOCKQUOTE>
Further Yahoo! searches dug up Robert Muchsel's:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.tik.ee.ethz.ch/~skip"
>http://www.tik.ee.ethz.ch/~skip</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... which leads to a frames site (Yuck!). However, the
recent versions of Lynx can get one past that to a more
useful page at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.tik.ee.ethz.ch/~skip/UsersGuide.html"
>http://www.tik.ee.ethz.ch/~skip/UsersGuide.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
I also guess that <A HREF="http://www.freebsd.org/">FreeBSD</A>
offers a SKIP enabled IPSec/IPv6
implementation out of Japan through the KAME project at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.kame.net">http://www.kame.net</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
Anyway, for now it appears that most of the key management
will have to be done by hand (using shared secrets which
are exchanged using PGP, GNU Privacy Guard, or over '<tt>ssh</tt>'
or '<tt>psst</tt>' (GPG is the GNU re-implementation of PGP
<A HREF="http://www.d.shuttle.de/isil/gnupg"
>http://www.d.shuttle.de/isil/gnupg</A>
which is moving along
nicely, and psst is the very beginnings of an independent
GNU implementation of the ssh protocol IETF draft
specification at: <A HREF="http://www.net.lut.ac.uk/psst"
>http://www.net.lut.ac.uk/psst</A>)).
</BLOCKQUOTE>
<BLOCKQUOTE>
So, Jim, there's plenty of crypto code freely available
--- you just have to import it from various countries
with greater degrees of "free speech" than our government
currently recognizes here in the U.S.
</BLOCKQUOTE>
<BLOCKQUOTE>
(as is my custom I've removed identifying personal
info from your message --- since this is being copied
to my editors at LG).
</BLOCKQUOTE>

<!-- end 11 -->
<!--startcut ======================================================= -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright &copy;</a> 1998, James T. Dennis
<BR>Published in <I>The Linux Gazette</I> Issue 35 December 1998</H5>
<P> <hr> <P>
</BODY></HTML>
<!--endcut ========================================================= -->