
RE: [suse-security] Unencrypted YOU password readable by all



Hi!

YOU can connect to the internet using a proxy.
First you have to edit the "wgetrc" file in /etc: enable passive ftp,
use proxy on, and the proxy address:port. Then retry it in the Yast2
proxy settings, port should be missing.
And then edit your /etc/sysconfig files with yast2. There you also have
to be sure to have use proxy and passive ftp enabled and that the proxy
address and port are correct.

After my SuSE 8.2 installation I had to change the wgetrc file, in Yast2
the proxy port was missing, sysconfig I had to change manually to proxy
support.

Strange is that in SuSE 8.1 there was an update to solve the problem.
There it was a minor bug, had only to change the wgetrc file, but now I
had to control and correct every file which has to do something with
connecting to the net -> thanks to a friend of mine for the 1000 questions I
asked him to get it working.

Hope it helps. Could be that I missed a file, mistyped a filename, or
forgot a config file I changed -> still a noob

greetings
Ewald Recher

On Wed, 2003-07-09 at 08:58, Peer Stefan wrote:
> Hi,
> > From: Kenny [mailto:kenny-sp@xxxxxxxxxx]
> > In SUSE 8.2 the pass isn't in this file
> 
> Yes, because Mark was talking about SuSE Linux Enterprise Server. You buy one year (or at least 3 months) of maintenance and you get a username and password for the ftp-updates. Mark was referring to this password.
> 
> And AFAIK YOU is still not capable of connecting to the internet via proxy-servers in 8.2.
> 
> Regards,
> Stefan
> 
> > 
> > On Tue, 8 Jul 2003 16:36:15 +0200
> > "Mark Perry" <PERRY@xxxxxxxxxx> wrote:
> > 
> > > Hi List,
> > > I just noticed that the Userid and Password for YOU (Yast Online Update)
> > > are stored unencrypted in /etc/sysconfig/onlineupdate and that file is
> > > readable by anyone.
> > > FYI: this is on IBM zSeries (SLES/8 s390).
> > > 
> > > This might not be the Userid and Password for access to the Linux system
> > > itself, but I for one am uncomfortable about leaving such information wide
> > > open.
> > > At the very least it enables unauthorized use of YOU on another system
> > > where the "cracker" may already have root access.
> > > 
> > > Note this same file can optionally also contain a userid and password for
> > > access to a proxy server, which may in fact be more of an exposure.
> > > 
> > > All the Best / Mit Freundlichen Gruessen
> > > Mark G. Perry
> > > 
> > > IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
> > > Schoenaicher Strasse 220, 71032 Boeblingen, Germany
> > > Email/Sametime: perry@xxxxxxxxxx
> > > Office Tel: (+49)-7031-16-3626


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
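
The exposure reported at the start of this thread (credentials in /etc/sysconfig/onlineupdate readable by every local user) can be checked mechanically. The script below is an added example, not part of the original thread or of SuSE's tooling: it flags a sysconfig-style file that is readable by "other" and holds non-empty user/password settings, printing key names only. The USER/PASS key match and the EXAMPLE_* sample keys are assumptions, since the thread does not give the real variable names, and the chmod 600 suggestion assumes only root needs to read the file.

```shell
#!/bin/sh
# Added example: audit a sysconfig-style file for world-readable credentials.
# Key names are matched heuristically (anything containing USER or PASS);
# the real variable names used by YOU are not given in the thread.
CRED_PATTERN="^[[:space:]]*[A-Za-z0-9_]*(PASS|USER)[A-Za-z0-9_]*=[\"']?[^\"'[:space:]]"

# Print the names (never the values) of non-empty credential-like settings.
cred_keys() {
    grep -Ei "$CRED_PATTERN" "$1" 2>/dev/null | sed 's/=.*//; s/^[[:space:]]*//'
}

# Succeed if "other" has read permission on the file.
world_readable() {
    [ -n "$(find "$1" -prune -perm -0004 2>/dev/null)" ]
}

# Return 0 if the file is fine, 1 if it exposes credentials to all users,
# 2 if it does not exist.
audit_cred_file() {
    f=$1
    [ -f "$f" ] || { echo "SKIP  $f (not present)"; return 2; }
    keys=$(cred_keys "$f" | tr '\n' ' ')
    if [ -n "$keys" ] && world_readable "$f"; then
        echo "FAIL  $f is world-readable and sets: $keys"
        echo "      fix: chown root:root '$f' && chmod 600 '$f'"
        return 1
    fi
    echo "OK    $f"
    return 0
}

# Constructed sample standing in for /etc/sysconfig/onlineupdate.
demo() {
    d=$(mktemp -d) || return 3
    printf '%s\n' '# constructed sample' 'EXAMPLE_USER="alice"' \
        'EXAMPLE_PASSWORD="not-a-real-secret"' 'EXAMPLE_PROXY_USER=""' > "$d/onlineupdate"
    chmod 644 "$d/onlineupdate"; rc=0; audit_cred_file "$d/onlineupdate" || rc=$?
    echo "exit status with mode 644: $rc"
    chmod 600 "$d/onlineupdate"; rc=0; audit_cred_file "$d/onlineupdate" || rc=$?
    echo "exit status with mode 600: $rc"
    rm -rf "$d"
}

demo
audit_cred_file /etc/sysconfig/onlineupdate || true
```

Settings with empty values are ignored, so a file that only declares unused proxy credentials is not flagged.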