OpenBSD Journal

Secure Administration Recipes

Contributed by jose on from the oreilly-cookbooks dept.

O'Reilly has recently released a book, The Linux Security Cookbook. Many of the recipes apply equally well to almost any form of UNIX. Several of the recipes have been posted online and are available for your use.

The first batch of recipes covers public key authentication in OpenSSH, encrypted backups, and combined logfiles. The second pair of recipes covers time-based service access with xinetd (available in ports) and inetd, and also some basics of sudo. The third pair of recipes covers PAM (which isn't in use on BSD) and authentication for SMTP. Some neat stuff lurks in there that you can apply to your OpenBSD system.



Comments
  1. By Chad Loder () on http://www.loder.us

    It would be nice to have some recipes like this specifically for OpenBSD, for example chrooting various add-on services, setting up a secure CVS server, etc. Maybe I'll write some.

    Comments
    1. By Martijn () martijn@bunix.org on http://www.bunix.org/

      Setting up a secure CVS server recipes for OpenBSD would be very nice.

      Comments
      1. By Chad Loder () on http://www.loder.us

        I've just set some up and it was pretty gratifying to see it all working...it's fresh in my mind so I'll try writing something this week.

      2. Comments
        1. By Anonymous Coward () on

          I don't like smrsh, it's not installed by default and it's had plenty of security holes over its history

        2. By Anonymous Coward () on

          http://vivien.franken.de/security/cvs/securecvs.pdf

        3. By Martijn () martijn@bunix.org on http://www.bunix.org/

          I think the ssh method is really nice, but how do I set this up on m$ windows systems? Because most of our development stations do not run *nix.

          Comments
          1. By Anony mouse cow erd () on

            Cygwin? It has CVS and SSH as downloads.

            Otherwise, since WINCVS is just a wrapper to cvs, I think it could be configured to use SSH, perhaps a windows port of SSH, like openssh?

            Comments
            1. By Anonymous Coward () on

              use tortoise cvs, it's cute for m$

      3. By janus () janus :@: errornet : de on http://janus.errornet.de

        There is already one... it's in German, but maybe someone wants to translate it.

        http://openbsd.de/scvs/

        Comments
        1. By bsdguy () on

          google can translate it:

          http://translate.google.com/translate?sourceid=navclient&hl=en&u=http%3A%2F%2Fopenbsd%2Ede%2Fscvs%2Fonehtml%2F

      4. By schubert () on http://schubert.cx/

        http://open.bsdcow.net/tutorials/cvsweb_in_chroot

    2. By submicron () submicron.hates.spam@NOSPAM.inherently-evil.net on www.inherently-evil.net

      This might be an interesting contribution project. Something wiki-like perhaps? I figure everyone on here has at least one winning recipe for setting up some aspect of OpenBSD. It'd be nice to have a central repository for these.

  2. By Anonymous Coward () on

    I thought PAM was used in FreeBSD?

    Comments
    1. By grey () on

      FreeBSD & NetBSD have PAM in one form or another [in NetBSD I believe it is a package]. Dug Song attempted a port of PAM to OpenBSD a few years back. However, if you dig around you'll note that the general sentiment from some outspoken OpenBSD developers (or at the least, Theo) is that BSDauth is a preferable mechanism to PAM.

      It should also be noted that the other BSDs do make use of BSDauth; it's just that they also allow for PAM usage.

      At least, that's my (perhaps flawed) understanding of PAM state of affairs.

      Comments
      1. By djm () on

        I can say with confidence: PAM blows goats

        It is a pity that no one has tried porting BSDauth to other platforms; it is a much nicer API and a much more sane design (clear separation of policy and mechanism, no dynamic loading of security modules).

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]