ncyoung.com

Here are my own steps to setting up cygwin and the sshd service for Windows 2000.

Openssh is a great tool, and the cygwin port works like a charm once you have it running. If I had known the info in step 7, installatio0n would have been quite painless.

1. Download cygwin from http://cygwin.com/. Run the setup program and select the packages you want. The simplest thing to do is to get the default packages that are selected for you by the installer, plus "cygrunsrv" from the admin category and "openssh" from the net category. I found installing cygwin to be the easiest part of the process, and if you get stuck there's lot's of great help out there...

2. Edit C:cygwincygwin.bat. Make sure it contains the following setting for the CYGWIN environmental variable:

set CYGWIN=binmode tty ntsec

2. Start a cygwin bash shell. If cygwin installed correctly, you should be able to find it in start->programs->cygwin.

3. Make sure cygrunsrv is installed by typing "cygrunsrv -S sshd". This is the command that will start the sshd server, but that's not installed yet. If you get an error from cygrunsrv like "service does not exist" then you're on the right track. If you get "command cygrunsrv not found"
then go back over your install and make sure you get cygrunsrv.

4. Again from the bash shell, run ssh-host-config. Answer yes to the key generation questions. I found it easier not to use privilege separation. Answer yes to install as a service.

5. Start sshd with "cygrunsrv -S sshd" ("cygrunsrv -E sshd" shuts it down). At this point you should also have "Cygwin sshd" available as a service that you can start and stop from start->control panel->administrative tools->computer management - go to the services and applications->services list.

6. If all that went well, you should be able to ssh to the server("ssh localhost -l loginName"). At this point only user accounts that existed before your cygwin install and had administrator access will work. This and the next step were the biggest gotchas for me in this whole game.

7. To enable a user to log in via ssh: You should know that sshd looks for information in the comments field of /etc/passwd and coordinates it with NT permissions. This was mentioned but not explained in the howtos I read.

Here's how make it work: First, create the NT user and make them part of the administrators group.

Next, use the mkpasswd command to format a special passwd entry for that user. You can look at the output with the command "mkpasswd -l". Then either cut and paste the info you need into your /etc/passwd file, or use the command "mkpasswd -l > /etc/passwd".

This second will overwrite your existing passwd file. No matter what you do, make a copy of /etc/passwd before making any changes.

Create home directories for your users with the following commands:
"mkdir /home/userLogin"
"chown userLogin /home/userLogin"

Sshd only reads /etc/passwd once when it starts, so stop and start the server after you make changes to /etc/passwd.

I take it the mkgroup command does the same thing for /etc/group as mkpasswd does for /etc/passwd; I never needed to use it.


A howto

Another howto

About the NT and cygwin security

Active worms like Code Red and the earlier Morris worm infect new machines without human intervention of any kind.

The worms we've seen so far have been less efficient than they could be.

The warhol worm optimizes by pre-scanning for vulnerable hosts, skipping the first, shallow part of the infection growth curve. It also has algorithms for reducing redundant scans so that it can find new infectable machines more efficiently. When you put several optimizations together, as the author does in the scenario at the end of this article, it gets pretty nasty:

Warhol Worm

Here's more on optimization, complex enough that it would be hard to implement and also that it would require a larger worm, something that saphire (below) might have proven unnecessary or counterproductive. Also more apocalypse scenarios:

curious yellow

The Saphire worm actually happened this January. It spread much faster than previous worms primarily because it was small enough to fit within a single UDP packet. Each packet sent was a potential infection, and the worm could go on to the next IP address without even waiting for a response.

Saphire

From a wired article

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

Ben Franklin wrote those words over 200 years ago...

If one of Osama bin Laden's goals, as has been reported, was to trigger crackdowns against freedoms by Western governments, he got the ball rolling quite effectively on Sept. 11, 2001.

The United States now imprisons its own citizens incommunicado, indefinitely and without lawyers or trials, for the duration of what we're told is an essentially permanent state of war.

In the good old days of the iron curtain, we condemned other countries for such actions, calling them human rights violations. Now some of those same nations are our partners of convenience in the war on terror, and our own government has enthusiastically embraced our former adversaries' old tactics.

I just read secrets and lies by Bruce Schneier. It was a fun read, especially the first two thirds.

Things I liked:
- His writing is generally good and he's entertaining. I'm already fascinated with the topic, and this book was great at focusing on the most important topics without hitting a lot of technicality.
- comparisons of computer security to physical security
- compelling and accessible explanation of ways in which security is a complex and difficult beast to analyze
- examining the conflict between security and complexity of systems, and the fact that we've consistently chosen the later
- cogent presentation of basic tools for analyzing and thinking about security: evaluating weakest links, interdependencies, and human factors


Things I didn't like:
- comparisons of computer security to real world security
- promoting his company in the last chapter called into question his objectivity (many of the points he used to sell his own company were presented throughout the book)
- given the fact that complexity is the major enemy of security, it would seem that reducing complexity would be a great first step towards securing systems. There was undue hand-wringing over the fact that systems are getting more complex at a dizzying rate and the market isn't doing anything to correct for it. For the general purpose computer, this trend is likely to continue. I would have liked to hear some exploration of methodology or philosophy of using an appropriate level of complexity for a given task.

I just got a bunch of page requests for an old form mail cgi script that does have security vulnerabilities.

I do not have this script and have never run it at all. In the space of a few minutes, I got requests for formmail.cgi, FormMail.cgi, formmail.pl, FormMail.pl, /cgi-bin/formmail.cgi and variations with /cgi, /cgi-local, etc.

I even got some requests that were clearly meant to use the script itself to notify the sender. For example someone (presumably sk8tr5445653) requested this:

http://ncyoung.com/cgi-bin/FormMail.pl?email=rockstar@mail.com&subject=ncyoung.com/cgi-bin/ FormMail.pl &message=rockstar&recipient=sk8tr5445653@aol.com

The way this URL is formed, it would cause FormMail.pl (if it existed) to send an email to sk8tr5445653@aol.com basically saying "here I am, come attack me".

Cute.

A post I made earlier linked to a DeCSS page that allows you to download DeCSS - the perl script that takes out CSS styles. Identity "chaff" for the much persecuted DeCSS software package.

A goofy perspective on chaff:

http://www.satirewire.com/news/aug02/encryption.shtml

From Bruce Schneier's current cryptogram newsletter:

http://www.counterpane.com/crypto-gram.html

Polyphemus's one eye is a single point of failure; when Odysseus pokes it out, he is much less able to defend himself. Polyphemus's alarm is ignored because Odysseus said his name was Nobody, so he winds up shouting that nobody is trying to kill him (you'd think the other Cyclopes would come see what's going on, but maybe Polyphemus shouts random stupid things all the time, like an IDS). Polyphemus finally has to let the sheep out to graze -- it's a mission-critical function -- and Odysseus and his men then escape by masquerading as legitimate traffic (sheep).

And along those lines...

DeCSS art

I read that many fingerprint systems can be fooled just by breathing on them... warming them up activates the last fingerprint detected.

Could skin grafts or scar tissue fool fingerprint recognition systems? Imagine a criminal or a spy with fingerprints "tattooed" in rows on his forearm.

Why secrets reduce security:

http://www.theatlantic.com/issues/2002/09/mann.htm

On my books wishlist:

Translucent databases

Is there really software that lets you find out everything about someone? I know no-one from Nairobi is going to transfer money to my account and then let me keep some of it. I doubt that any parts of my anatomy will be getting larger anytime soon, even for the low price of $38.98. I've had money making offers saying that I can get rich if I just work hard enough, and offers saying I can get rich while hardly lifting a finger. I don't believe it.

The one junk email offer I don't know enough about to dismiss is the "Private detective in a Box" I wouldn't expect to find out everything about someone, but maybe a SS#, credit report, residence history... ??? Probably I'm too lazy to find out without a better reason than idle curiosity.

Provide ASP front end for making SNMP queries, displaying query results as options in a configuration form, then sending configuration information to another server via remote procedure calls.

Configuration information is then used by a Perl script to write an MRTG configuration file so that the user can see the information they'd like to see graphed for that device.

ASP front end and Perl backend communicate later to provide further customization of reports by the user, and to organize links to the MRTG reports.

started: 2001-05-29

Ended: 2001-06-26