Linux ISP Security and Crypto Device Interfaces

WAD-Dawg writes: "Linux security is a topic of much concern and investigation lately. Here are a few white papers that cover important Linux security topics. This white paper contains informtaion, code examples, and proven strategy on securing Linux Servers for Service Providers. And this article covers PKCS #11 openCryptoki, an API that is rapidly becoming the de facto, non-Windows-platform industry standard for interfacing between cryptographic hardware and user space applications. Both are very well written and provide important and timely information on Linux security."

Physician...

Heal thyself!

[SA-2002:00] Slashcode login vulunerability RISK FACTOR: HIGH SYNOPSIS Slash, the code that runs Slashdot and many other web sites, has a vulnerability in recent versions that allows any logged-in user to log in as any other user. This allows users to take nearly full control of a Slash system (post and delete stories, posting stories, edit users, post as other users, etc., and do anything that a Slash user can do) by logging in to an adminstrator's Slash account. VULNERABLE SYSTEMS Any system running Slash 2.1.x (development versions for 2.2), 2.2.0, 2.2.1, or 2.2.2, and sites using the development code from CVS. Slash 2.0.x and previous are unaffected. RESOLUTION Slash 2.2.3 should be installed for all Slash 2.1 and 2.2 sites. Users of the development code from CVS should run cvs update and install the most recent code. In the meantime, if upgrading is not possible or will not happen immediately, site administrators should either shut down the web site or disable admin.pl and users.pl by moving them elsewhere or disabling the execution bits (Apache may need to be restarted following this). Further, site administrators should change their passwords, and check the "seclev" field in the users table to make sure no one has a seclev greater to or equal than "100" who should not have administrator privileges: mysql> SELECT uid, nickname, seclev FROM users WHERE seclev >= 100; That should list only users with some administrator privileges. Site administrators should subscribe to the slashcode-general or slashcode-announce mailing lists, to keep up to date on the latest releases and security notices. Subscription information is on the Slashcode site at http://slashcode.com/. CREDITS Daniel Bowers found and exploited the bug, and notified the Slash team. The Slash team immediately patched the code and released Slash 2.2.3 three hours after notification. CONTACT INFORMATION Chris Nandor, pudge@osdn.com http://slashcode.com/ Nandor? Isn't that between Gondor and Mordor?

Plugabble authentication

[tzanger]

I've always liked the idea behind PAM but the implementation blew chunks. I can't get through to either of the links in the article but can someone in the know explain how this is different from PAM?

I got your crypto right here!!

[Big_Ass_Spork]

* g o a t s e x * g o a t s e x * g o a t s e x * g g o / \ \ / \ o a \ a t `. : t s` \ s e \ / / \\\ -- \\ : e x \ \/ --~~ ~-- \ x * \ \-~ ~-\ * g \ \ .--------.___\ g o \ \// ((> \ o a \ . C ) ((> / a t /\ C )/ \ (> / t s / /\ C)|Crypto (> / \ s e ( C__)\___/ // _/ / \ e x \ \\// (/ x * \ \) `---- --' * g \ \ / / g o / \ o a / \ \ a t / / \ t s / / \/\/ s e / e x x * g o a t s e x * g o a t s e x * g o a t s e x *