From: Digestifier To: Linux-Admin@senator-bedfellow.mit.edu Reply-To: Linux-Admin@senator-bedfellow.mit.edu Date: Tue, 17 Aug 93 15:13:46 EDT Subject: Linux-Admin Digest #5 Linux-Admin Digest #5, Volume #1 Tue, 17 Aug 93 15:13:46 EDT Contents: Re: German keymap with pl11 doesn't work? (Linus Torvalds) Re: Why use shadow? (David Megginson) SLS 1.03, WD8003, no-go? (PERUCCI, PHILIP A.) Re: Why use shadow? (Alec Muffett) need help getting 2nd printer working (Bob Myers) SLS 1.03 net configuration? (PERUCCI, PHILIP A.) Re: LILO like DOS executable Loader? (Kevin Burtch) Re: NFS mount fails with authentication error (Tom Lane) Re: Why use shadow? (Michael Kenney) Re: Why use shadow? (Dirk Haratz) Re: tar & mt (Warner Losh) Re: Why use shadow? (Warner Losh) Re: Why use shadow? (Warner Losh) Re: Why use shadow? (Ralph Becker-Szendy) Floppy administration (Larry Doolittle) ---------------------------------------------------------------------------- From: torvalds@klaava.Helsinki.FI (Linus Torvalds) Subject: Re: German keymap with pl11 doesn't work? Date: 13 Aug 1993 20:43:07 +0300 In article <24g05fINNb5d@unidoct.chemietechnik.uni-dortmund.de> sn@plato.chemietechnik.uni-dortmund.de (sn) writes: >Hi, I installed SLS 1.02 on my system and upgraded to the pl 11 Kernel, >gcc 2.4.5 and libc 4.4.1 >I also got kbd.tar.gz off some ftp server. It contains loadkeys and dump- >keys binary and source. >I can't get the files compiled myself and the binaries don't work either. >The error I'm getting when I try to compile them is >"KEYBD_ALT_GR undefined" >"KEYBD_SHIFT undefined" >etc (some other special keys). I looked in /usr/include/linux/keyboard.h >and there are only things like "KEYBD_L_ALT"/"KEYBD_R_ALT" etc. >Do I need a newer version of the keyboard.tar for pl11? Actually, you need an older version for pl11 - the kbd.tar.gz archive is for the newer pl12 kernel which is in alpha right now (hope to make it official by the weekend). The pl12 kernel allows a much more complete re-mapping of keys, so that almost *anything* is re-mappable (it's not perfect: it might be useful to install separate maps for different VC's, and separate maps for the "sticky" mode keys like caps-lock and num-lock would also be even cleaner than the current setup). Linus ------------------------------ From: dmeggins@aix1.uottawa.ca (David Megginson) Subject: Re: Why use shadow? Date: 17 Aug 93 06:45:26 In article <1993Aug17.063031.27942@colorado.edu> drew@caesar.cs.colorado.edu (Drew Eckhardt) writes: It's not a real problem if your users use "uncrackable" passwords, ie non-alphas, mixed case non-dictionary words, long length, etc. where the increased search space makes brute-force attacks impractical. Competant users will choose such passwords by themselves, competant system administrators will force users to choose "uncrackable" passwords using /bin/passwd replacements like npasswd. (Since this discussion is not Linux-specific, I am redirecting followups to comp.security.misc). You make a good point, and I certainly use such passwords on public systems like this one (as well as on my Linux box), but I see no reason _not_ to use shadow passwords. "Impractical" applies only if a hacker is not bound and determined to break into your machine -- in the extreme case, someone might set a transputer onto your password file for a month (!), and it wouldn't be that hard, since even complicated passwords are usually syllabic. Why leave a security hole at all when it is so easy to close it? David M. ------------------------------ Crossposted-To: comp.os.linux.help From: SSB1PZP@imcvms.med.navy.mil (PERUCCI, PHILIP A.) Subject: SLS 1.03, WD8003, no-go? Date: Tue, 17 Aug 1993 11:20:03 GMT Anyone know any tips on getting SLS 1.03 up on the net? I have been using SLS for a few versions, with no trouble. This time, though, the NET, for me, is a no-go. I checked EVERYTHING per various postings I have seen, as well as the NET-2-FAQ. No joy... All I get are lots of annoying "eth0 ..." messages. Does SLS 1.03 not work with the WD8003 (without building a kernel), or am I just an idiot? Any good docs to read? Is Slackware easier to get up? I have Adaptec 1542C and WD8003. I need to get this up FAST so I can load OS/2! =========================================================================== Phil Perucci, Systems Programmer | "I don't speak for any organization ssb1pzp@imcvms.med.navy.mil | and no organization speaks for me" =========================================================================== ------------------------------ From: alecm@uk-usenet.uk.sun.com (Alec Muffett) Subject: Re: Why use shadow? Date: 17 Aug 1993 12:07:15 GMT Reply-To: alecm@uk-usenet.uk.sun.com In article g6q@renux.frmug.fr.net, rene@renux.frmug.fr.net (Rene COUGNENC) writes: >The passwords are encrypted, but you can find some packages like 'cracklib', >using dictionaries, algorythms and... time, capable to guess some elementary >passwords used by too many users. Minor point: "Crack" is a password cracker, "CrackLib" (above) is a library designed to enhance the functionality of many password protection suites (eg: shadow) by preventing users from using obviously guessable passwords. - alec ------------------------------ Crossposted-To: comp.os.linux.help From: bmyers@asd470.dseg.ti.com (Bob Myers) Subject: need help getting 2nd printer working Reply-To: bmyers@asd470.dseg.ti.com Date: Tue, 17 Aug 1993 12:47:21 GMT Here's the software setup; SLS 1.02/.99.p11 (soon to be .p12)/gcc-2.4.5/libc-4.4.1/include-4.4.1/image-4.4.1/ net-2 binaries. I am trying to get an HP DJ500C working with my system. It's attached to /dev/lp2, using int 5 as you'd normally expect. I've installed the filter to convert lf=lf+cr (get around staircase effect), and have been able to successfully do : /usr/lib/hpif <~/Xconfig >/dev/lp2 (hpif is the filter name) However, for some reason I can't seem to get anything out of the system if i do: lpr -Plp2 ~/Xconfig I have a seperate spool area, /usr/spool/lp2, to handle this printer. when I issue lpq, i get a message saying that there are no entries (more than likely due to default to lp1 area). But, when I use lpc and check the status, I see that there are a number of jobs queued in the spool area....that the printer is enabled, and all the other stuff...but the daemon isn't active. if i then type in 'start lp2', i see the 'daemon started' message but still, no output from the system. what am i missing? -bob ------------------------------ Crossposted-To: comp.os.linux.help From: SSB1PZP@imcvms.med.navy.mil (PERUCCI, PHILIP A.) Subject: SLS 1.03 net configuration? Date: Tue, 17 Aug 1993 14:18:04 GMT After reading every post I can find, NET-2-FAQ, and double checking everything, with SLS 1.03 and a WD8003 I still get eth0: bogus packet size, status=0x0 nxpg=0x0 size=0x0 eth0: bogus packet, status=0x0 nxpg=0x0 size=0x0 eth0: mismatched read page pointers c vs 0. Also, I get the all-too-common "Network not found" error after the route add commands. Naturally, pinging myself works... The rc.net looks like: ifconfig eth0 131.158.54.21 broadcast 131.158.54.255 netmask 255.255.255.0 route add 131.158.54.21 # tried with and without this route add 131.158.54.0 route add default gw 131.158.54.50 1 ifconfig lo 127.0.0.1 up netmask 255.255.255.0 route add 127.0.0.1 lo My /etc/networks is just nmimc 131.158.54.0 Note that I made up the "nmimc" - it corresponds to nothing else. I don't know what to put here. My hostname and domain, I don't think, fit... The hardware is good, works with DOS and SLS 1.02. Any ideas?? =========================================================================== Phil Perucci, Systems Programmer | "I don't speak for any organization ssb1pzp@imcvms.med.navy.mil | and no organization speaks for me" =========================================================================== ------------------------------ From: kburtch@pts.mot.com (Kevin Burtch) Subject: Re: LILO like DOS executable Loader? Reply-To: kburtch@pts.mot.com Date: Tue, 17 Aug 1993 14:43:54 GMT In article 23122@cse.iitb.ernet.in, vinod@cse.iitb.ernet.in (Vinod G Kulkarni) writes: >Brian E. Gallew (geek+@CMU.EDU) wrote: >: bootlin works nicely for loading linux from DOS. One Caveat: loading >: linux with bootlin will fail heinously (hard reset necessary) IFF you >: install a memory manager (e.g. QEMM, 386^MAX). Linux wants to put the >: cpu into protected mode from real mode, which can't be done once your >: memory manager is loaded (already in protected mode). >: -Brian This is only true with bootlin.com 1.3. Version 1.4 is supposed to solve that problem. Bootlin.com does work in the config.sys very nicely. :) If you have MS-DOS 6.0, the built in menu works great! It also has the advantage of having multiple compilations to chose from. If you want, you can keep pl9 to boot from as a standby when trying a new alpha kernel or drivers. :) > >And, bootlin doesnot allow setting kernel parameters like LILO >especially the root device, ramdisk size etc. It does allow you to set >the root device if it is be default 0. (I just saw the code, haven't >tried it.) The root device of kernel should therefore be set beforehand >using rdev. > >-VInod You can do this easily enough after loading linux by using the rdev command on your Image file that you place on your MS-DOS partition. Kevin ------------------------------ From: tgl@netcom.com (Tom Lane) Subject: Re: NFS mount fails with authentication error Date: Tue, 17 Aug 1993 17:33:14 GMT kunitz@informatik.hu-berlin.de (U.Kunitz) writes: > mbeattie@black.ox.ac.uk (Malcolm Beattie) writes: >> tgl@netcom.com (Tom Lane) writes: >>>I'm trying to network SLS 1.03 with a couple of HP workstations. >>>I can't get Linux to NFS-mount the workstations' filesystems; >>>it fails with this message: >>> >>>rpc mount: RPC: Authentication error; why = Invalid client credential >>Some implementations of NFS have trouble if the client user is a >>member of too many groups (i.e. appears in too many lines in >>/etc/group.) Here, `too many' can mean 4 or 8 or 16, for example. > It's a problem of System V. System V don't know additional groups. > You have to delete all additional group entries for the user who mounts. > (Root in almost every case.) Thanks guys! I changed the Linux machine's /etc/group so that root is only a member of the root group. Then I could NFS-mount. The limiting number of groups might be more than just one, I didn't experiment. (The /etc/group file supplied by SLS 1.03 lists root as a member of about half a dozen groups, but this is redundant since root can do whatever she pleases anyway :-).) I did *not* have to reduce root's group membership on the HP machines. It appears to me this is a genuine bug in the Linux NFS implementation: if it can't cope with more than one group, why doesn't it just use the current GID and be done with it? In the short run, this problem and its workaround probably ought to be listed in the FAQ. (Side note: if you encounter this problem, you must log out and in again after fixing /etc/group, but it is not necessary to reboot. Apparently the group membership info is cached on a per-session basis?) regards, tom lane ------------------------------ From: kenney@stein.u.washington.edu (Michael Kenney) Subject: Re: Why use shadow? Date: 17 Aug 1993 17:21:10 GMT In article <1993Aug17.085954.4227@swan.pyr>, Alan Cox wrote: >In article muts@compi.hobby.nl (Peter Mutsaers) writes: >>Because someone with lots of CPU time on a CRAY can read the encrypted >>passwords and do a brute force guessing of passwords through this. If > >This is a popular and very dangerous myth. A bog standard 386 PC is more >than enough to do effective password cracking by running a dictionary over >a password file. Crack takes a day to run on a 4Mb 386 here (also doing >other work) and the first time I ran it to tighten up our password file >it got 1/3rd of the passwords. > > YOU DONT NEED A CRAY :: YOU _DO_ NEED SHADOW PASSWORDS > Despite the paranoid hysteria, the chances of your system being broken into aren't very high. Just use intelligent passwords (ie *not words from the dictionary*), run COPS (or something similar) every now and then, and don't give out your password to anyone. IMHO shadow passwords are overkill for a Linux workstation (unless you allow access to a bunch of bored cs undergrads :-). Think about it ... if someone really wants to gain access to your Linux system, all they need is a bootable-root floppy. ---- Mike Kenney UW Applied Physics Lab mikek@apl.washington.edu ------------------------------ From: dharatz@informatik.uni-rostock.de (Dirk Haratz) Subject: Re: Why use shadow? Date: Tue, 17 Aug 1993 14:46:42 GMT Hello! Peter Mutsaers (muts@compi.hobby.nl) wrote: | >> On 14 Aug 93 23:39:18 EDT, eekim@husc11.harvard.edu (Eugene Kim) | >> said: | EK> Using shadow also prevents me from just editing the passwd file | EK> to add new users. Does anyone know why shadow is better than | EK> passwd? | Because someone with lots of CPU time on a CRAY can read the encrypted You don't need a cray for this! Especially if you have some nice people with :: password fields! :-) With shadow you can't find out them without trying 'login' or 'su' (I think). Dirk -- dharatz@informatik.uni-rostock.de "Microsoft proudly presents: The worlds first object oriented BASIC- interpreter running on CP/M, MSDOS and Windows/NT!" ------------------------------ Crossposted-To: comp.os.linux From: imp@boulder.parcplace.com (Warner Losh) Subject: Re: tar & mt Date: Tue, 17 Aug 1993 15:23:58 GMT In article <1993Aug17.014111.11261@ennews.eas.asu.edu> gomez@enuxsa.eas.asu.edu (JL Gomez) writes: >Doing a 'tar -c -b 128 . -f /dev/nrmt0' followed by a 'mt weof' makes >the tape drive rewind. It rewinds because the default device for mt is /dev/rmt0, which is the rewind device. If you really want to do mt weof, say "mt -f /dev/nrmt0 weof", but see below, since this is rarely needed. >What I want to do is append a new directory path to the current tape >position. The kernel will automatically write an eof on the tape when tar closes /dev/nrmt0. At that point, you can issue the second tar command and it will create another file on the tape. Warner -- Warner Losh imp@boulder.parcplace.COM ParcPlace Boulder I've almost finished my brute force solution to subtlety. ------------------------------ From: imp@boulder.parcplace.com (Warner Losh) Subject: Re: Why use shadow? Date: Tue, 17 Aug 1993 15:25:39 GMT In article muts@compi.hobby.nl (Peter Mutsaers) writes: >Because someone with lots of CPU time on a CRAY can read the encrypted >passwords and do a brute force guessing of passwords through this. Most PCs these days have enough horse power to crank through a dictionary attack in less time than a day. Warner -- Warner Losh imp@boulder.parcplace.COM ParcPlace Boulder I've almost finished my brute force solution to subtlety. ------------------------------ From: imp@boulder.parcplace.com (Warner Losh) Subject: Re: Why use shadow? Date: Tue, 17 Aug 1993 15:29:14 GMT In article <1993Aug17.085954.4227@swan.pyr> iiitac@swan.pyr (Alan Cox) writes: > YOU DONT NEED A CRAY :: YOU _DO_ NEED SHADOW PASSWORDS You also need good passwords that are not in any of the current dictionary attack schema, or if they are, are part of schema that are so huge that it would be impractical to try them in general. Generally mixing case, numbers and punctutation will help. Two words, slightly mispelled, can also be good. Random characters are the best (unless they appear in system documentation as good passwords). Warner -- Warner Losh imp@boulder.parcplace.COM ParcPlace Boulder I've almost finished my brute force solution to subtlety. ------------------------------ From: ralph@falcon.SLAC.Stanford.EDU (Ralph Becker-Szendy) Subject: Re: Why use shadow? Date: Tue, 17 Aug 1993 17:46:34 GMT First, this is not a Linux-specific question. It is not even completely Unix-specific. In article <1993Aug17.085954.4227@swan.pyr>, Alan Cox wrote: >In article muts@compi.hobby.nl (Peter Mutsaers) writes: >>Because someone with lots of CPU time on a CRAY can read the encrypted >>passwords and do a brute force guessing of passwords through this. If > >This is a popular and very dangerous myth. A bog standard 386 PC is more >than enough to do effective password cracking by running a dictionary over >a password file. Crack takes a day to run on a 4Mb 386 here (also doing >other work) and the first time I ran it to tighten up our password file >it got 1/3rd of the passwords. > > YOU DONT NEED A CRAY :: YOU _DO_ NEED SHADOW PASSWORDS As with many things ... it depends. For example, my Linux system at home is not connected to any network. The modem won't accept incoming calls (plus, there is no getty running on the modem). The only two people who have a key to the house are my wife and me. For all it matters, we don't even need passwords; we have family members visiting once in a while, they are usually not computer-literate enough to pose a threat. If a burgler breaks in, he is much more likely to cart the whole machine away, than to set up a network, NFS-mount the rootdisk, crack the passwords, and log in and do damage to my system :-) Obviously, any machine used (a) on a network where other people can get access to the /etc partition or (b) where other people can attempt to log in or (c) physically accessible to possible malicious people is in a very different situation. Obviously, in such a case shadow passwords (or NIS) is not only a good idea, but a necessity. Even then, I would worry much more about someone walking into my office while I'm at lunch, carrying a bootable rootdisk and hitting the reset button (or for that matter, walking away with my CPU box in his backpack). -- Ralph Becker-Szendy RALPH@SLAC.STANFORD.EDU Stanford Linear Accelerator Center RALPH@SLACVM.BITNET M.S. 95, P.O. Box 4349, Stanford, CA 94309 (415)926-2701 My opinion. This is not SLAC, Stanford U, or the US DoE speaking. Just me. ------------------------------ From: doolitt@cebaf4.cebaf.gov (Larry Doolittle) Subject: Floppy administration Reply-To: doolitt@cebaf4.cebaf.gov (Larry Doolittle) Date: Tue, 17 Aug 1993 17:45:13 GMT I don't feel the floppy drive setup on my machine is as good as it could be. Anybody out there have any ideas how it could be better? Right now they are set like: brw-rw-r-- 1 root floppy 2, 0 Aug 29 1992 fd0 and I end up su'ing to root to do anything with a floppy. I don't like doing that every time I use a floppy. Mtools do fine reading from MS-DOS floppies as a general user. If a non-su tries to mount a minix floppy, even if the floppy is protected rw-rw-rw-, he/she/I get the "can't create lock file /etc/mtab~: Permission denied" error. I am attached directly to internet, so I shouldn't just make /etc world writable. I tried monkeying with groups, but since I both don't know the rules on group setup, and I am not really sure what I am trying to do with the permissions, I naturally did not come up with anything constructive. My setup came from SLS a long time ago, I am running 0.99pl6 on one computer (its about time to upgrade) and 0.99pl11 on another. Thanks for your comments. - Larry Doolittle doolittle@cebaf.gov ------------------------------ ** FOR YOUR REFERENCE ** The service address, to which questions about the list itself and requests to be added to or deleted from it should be directed, is: Internet: Linux-Admin-Request@NEWS-DIGESTS.MIT.EDU You can send mail to the entire list (and comp.os.linux.admin) via: Internet: Linux-Admin@NEWS-DIGESTS.MIT.EDU Linux may be obtained via one of these FTP sites: nic.funet.fi pub/OS/Linux tsx-11.mit.edu pub/linux sunsite.unc.edu pub/Linux End of Linux-Admin Digest ******************************