search for: untrust

hi: at RHEL 7.4 we had used "map untrusted to domain = yes". so users can login with "username" instead of "sam-dom\username". after upgrade to RHEL 7.5, samba version upgrade from 4.6 to 4.7. now "map untrusted to domain = yes" or "map untrusted to domain = auto" are not working. can w...

Hi I have a question/problem about winbind and the "map untrusted to domain" (=yes) parameter. I use samba 3.6.0 on FreeBSD 8.2 with the following configuration: [global] encrypt passwords = yes map untrusted to domain = yes allow trusted domains = yes client ntlmv2 auth = yes client use spnego = yes client lanman auth = yes client plaint...

This change allows use of untrusted X11 forwarding (which is more secure) without requiring users to choose a finite timeout after which to refuse new connections. This matches the semantics of the X11 security extension itself, which also treat a validity timeout of 0 on an authentication cookie as indefinite. Signed-off-by:...

2018-06-29 15:12 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>: > On Fri, 29 Jun 2018 12:56:33 +0800 > d tbsky via samba <samba at lists.samba.org> wrote: > >> hi: >> >> at RHEL 7.4 we had used "map untrusted to domain = yes". so users >> can login with "username" instead of "sam-dom\username". >> >> after upgrade to RHEL 7.5, samba version upgrade from 4.6 to 4.7. >> now "map untrusted to domain = yes" or "map untrusted to domain = &g...

For awhile, at least a week and probably more, aptitude has been complaining that R packages are untrusted. I'm using the amd64 architecture. The packages are r-cran-{cluster,mass,zoo,matrix,digest}. There have been a couple of recent threads that seem related, but I'm having trouble interpreting them or their relevance. i386 is apparently unsigned, but I'm on amd64. There is some corr...

http://bugzilla.mindrot.org/show_bug.cgi?id=111 Summary: sshd syslogs raw untrusted data Product: Portable OpenSSH Version: -current Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org Reported...

In bash, given a string assignment as follows, how do I "add slashes" automagically, so that it can be safely passed to another program? Notice that the assignment contains spaces, single-quotes and double-quotes, maybe god-only-knows-what-else. It's untrusted data. Yet I need to pass it all *safely*. The appropriate function in PHP is addslashes(); but what is the bash equivalent? EG: #! /bin/sh A="This isn't a \"parameter\""; B=`/path/to/somecommand.sh $A`; exit 0; Thanks, -Ben -- Only those who reach toward a...

...nSSL 0.9.8j 07 Jan 2009 $ ssh -vvv -X example.com [ Relevant debug info: ] debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1 [OpenSSH_5.1, OpenSSL 0.9.7j 04 May 2006] debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-TLLOFKxvay/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null Warning: untrusted X11 forwarding setup failed: xauth key data not generated Warning: No xauth data; using fake authentication data for X11 forwarding. debug1: Requesting X11 forwarding with authentication spoofing. debug2: channel 0: request x11-req confirm 0 $ xeyes...

...Apr 29, 2020 at 03:39:53PM +0530, Srivatsa Vaddagiri wrote: > That would still not work I think where swiotlb is used for pass-thr devices > (when private memory is fine) as well as virtio devices (when shared memory is > required). So that is a separate question. When there are multiple untrusted devices, at the moment it looks like a single bounce buffer is used. Which to me seems like a security problem, I think we should protect untrusted devices from each other. > -- > QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member > of Code Aurora Forum, hos...

...Apr 29, 2020 at 03:39:53PM +0530, Srivatsa Vaddagiri wrote: > That would still not work I think where swiotlb is used for pass-thr devices > (when private memory is fine) as well as virtio devices (when shared memory is > required). So that is a separate question. When there are multiple untrusted devices, at the moment it looks like a single bounce buffer is used. Which to me seems like a security problem, I think we should protect untrusted devices from each other. > -- > QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member > of Code Aurora Forum, hos...

...; >> Do SEV-ES guests _always_ #VC on rdtsc(p)? > > Only if the hypervisor is intercepting those instructions. Ahh, so any instruction that can have an instruction intercept set potentially needs to be able to tolerate a #VC? Those instruction intercepts are under the control of the (untrusted relative to the guest) hypervisor, right? >From the main sev-es series: +#ifdef CONFIG_AMD_MEM_ENCRYPT +idtentry vmm_communication do_vmm_communication has_error_code=1 +#endif Since this is set as non-paranoid, that both limits the instructions that can be used in entry paths *and*...

...; >> Do SEV-ES guests _always_ #VC on rdtsc(p)? > > Only if the hypervisor is intercepting those instructions. Ahh, so any instruction that can have an instruction intercept set potentially needs to be able to tolerate a #VC? Those instruction intercepts are under the control of the (untrusted relative to the guest) hypervisor, right? >From the main sev-es series: +#ifdef CONFIG_AMD_MEM_ENCRYPT +idtentry vmm_communication do_vmm_communication has_error_code=1 +#endif Since this is set as non-paranoid, that both limits the instructions that can be used in entry paths *and*...

...t;Samba"-domain. > > Workstations and users log on to the windows domain "AD". > > Previously users mapped their homedrive from the NT4-domain "Samba", > running samba 3.6 + OpenLDAP. In order for this to go smoothly we > where using the option "map untrusted to domain = yes" so the users > from the "AD"-domain where able to map their drives from the "Samba" > domain without entering their passwords. > > Now we would like the users in the Windows domain "AD" to map their > homedrive from a fileserve...

http://bugzilla.mindrot.org/show_bug.cgi?id=849 Summary: Document or fix untrusted X11 authority timeout Product: Portable OpenSSH Version: 3.8.1p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-bugs at mindrot.org Reported...

How can I get ssh to use "untrusted" cookies (see xauth(1), X11-SECURITY-Extension) with forwarded X clients? Cheers. Aurelio.

We have a file server, solaris 2.8 running SAMBA 2.2.8, that has two netbios names and we have an include file for smb.conf for each. We have some machines that are trusted and some that are not. Trusted means standardized windows install, users don't have root, untrusted means not necessarily standard install, users do have root. The trusted machines are defined in an NIS netgroup. The untrusted machines are in a different NIS netgroup. The basic hostname/netbios alias shares directories to machines that are trusted, but not to an untrusted group of machin...

...ity = domain: # wbinfo -a uni-ruse\\dstoykov%password plaintext password authentication succeeded challenge/response password authentication succeeded # wbinfo -a fgdgdgd\\dstoykov%password plaintext password authentication succeeded challenge/response password authentication succeeded "map untrusted to domain" solves the same problem for smbd, but doesn't seem to affect ntlm_auth. [global] workgroup = UNI-RUSE realm = UNI-RUSE.BG server string = security = ADS load printers = No printcap name = /dev/null disable spools...

...If I go and get Kerberos tickets for the problem clients (using kinit and friends against the domain controller), mount.cifs with sec=krb5i works. But we cannot get sec=ntlmsspi to work. This was working on an older server (CentOS 6.10, Samba 3.6.23), and I think the key is that the "map untrusted to domain" option was deprecated and eventually removed in Samba 4.8. Otherwise, the configurations between the older and newer server are identical. For non-domain joined clients without Kerberos tickets , I'm guessing that "map untrusted to domain" was allowing the Samba...

----- Original Message ----- > From: "samba" <samba at lists.samba.org> > To: "samba" <samba at lists.samba.org> > Sent: Tuesday, July 17, 2018 2:29:59 PM > Subject: Re: [Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = > auto > On Tue, 17 Jul 2018 13:53:41 -0500 (CDT) > Andrew Martin <amartin at xes-inc.com> wrote: > >> ----- Original Message ----- >> > From: "samba" <samba at lists.samba.org> >> > To: "samba" <samba at lists.s...

...#39;import' Time for a change isn't it? :) I am able to implement Alan Cox's suggestion with 3 lines in a shell: --- 8< --- # transfer 'trusted' cookie to new file: xauth extract - $DISPLAY | xauth -f $HOME/.sshXauthority merge - # replace 'trusted' cookie with 'untrusted' cookie xauth -f .sshXauthority generate $DISPLAY . untrusted # tell applications where to get the untrusted cookie export XAUTHORITY=$HOME/.sshXauthority --- >8 --- An attacker on the remote host is no more able to log keystrokes, taking screenshots or do remote control stuff. So pleas...