Displaying 20 results from an estimated 3000 matches similar to: "SCP Remote-To-Remote?"
2017 Aug 21
6
pop 110/995, imap 143/993 ?
If I read this correctly, starttls will fail due to the MITM attack. That is the client knows security has been compromised. Using SSL/TLS, the MITM can use SSL stripping. Since most Postfix conf use "may" for security, the message would go through unencrypted. Correct???
Is there something to enable for perfect forward security with starttls?
Original Message
From: s.arcus at
2009 Oct 26
1
Support for merging LPK into mainline openssh?
Hello
I've created a patch to openssh which allows using an agent for obtaining the public keys.
It may be the first step towards the implementation of something similar to lpk. The solution is independent of the agent, so it may be used with an ldap based agent or with any other technology.
May that patch be acceptable as the first approach to the lpk replacement?
It is placed in mindrot's
2017 Aug 22
1
pop 110/995, imap 143/993 ?
Robert Wolf wrote:
>> else (NOT LOCALHOST) and you can see it says LOGINDISABLED unless you
>> have enabled something like cram-md5.
>
> Hi,
>
> exactly, this is the reason, why plain-text is still needed. You don't need
> encryption for authentication, if you have secure authentication. Without
> knowing original password, the MITM cannot generate correct hash
2017 Aug 21
2
pop 110/995, imap 143/993 ?
Lest anyone think STARTTLS MITM doesn't happen,
https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/
Not only for security, I prefer port 993/995 as it's just plain simpler
to initiate SSL from the get-go rather than to do some handshaking that
gets you to the same point.
Joseph Tam <jtam.home at gmail.com>
2020 May 31
3
identify 143 vs 993 clients
On 29/05/20 11:27 pm, mj wrote:
> Thanks to all who participated in the interesting discussion.
>
> It seems my initial thought might have been best after all, and
> discontinuing port 143 might be the safest way to proceed.
Yes and no. Some of the attack vectors mentioned are not reasonable and
it really depends on the client. Thunderbird, for example, used to have
settings for
2004 Dec 22
0
scp problem
Hello.
Since some days I cannot use scp anymore but ssh login works. Reinstall
did not help. I do not know exactly what has changed but I know it used to
work.
sshd runs on a firewall-bastion host (Linux SuSE 9.2).
Firewall is open on port 22 for local network. Even tried all open (in
and outgoing).
Between the client and the firewall-bastion is another nat-router. Works
with ssh, though.
The
2004 Mar 01
1
GSSAPI support in 3.8 ?
Hi All,
From Changelog with 3.8:
"The experimental "gssapi" support has been replaced with the
"gssapi-with-mic" to fix possible MITM attacks. The two versions are not
compatible."
I am using OpenSSH-3.6 with Simon's patch and OpenSSH-3.7 built with GSSAPI
support. The latest version OpenSSH-3.8 is not working with 3.6 or 3.7 with
GSSAPI authentication. I
2017 Aug 15
2
How does SMB 3.0 encryption work?
It does, thanks.
So if the password is known, or the KDC compromised, then in principle
MITM becomes possible?
On 2017-08-14 15:28, Andrew Bartlett wrote:
> On Mon, 2017-08-14 at 06:45 -0400, Daniel Benoy via samba wrote:
>> Is it perhaps using your password somehow? Like, if an attacker knew
>> the
>> password that the client is using to connect, would it then be able to
2014 Dec 06
1
MD5-CRYPT/CRAM-MD5 vs SHA512-CRYPT/PLAIN
On 6 December 2014 13:10:58 CET, Reindl Harald <h.reindl at thelounge.net> wrote:
>
>On 06.12.2014 at 06:56, Jan Wide? wrote:
>> If you add disable_plaintext_auth=yes ssl=required settings, then
>> dovecot will drop authentication without STARTTLS. But damage will be
>> done, client will send unencrypted (or in this scenario MD5 or SHA512
>> hash)
2020 Aug 28
3
accessing foreign AD users to NT domain
Rowland penny via samba wrote on 27/08/20 at 16:43:
> [...]
> Netbios is intrinsically tied to SMBv1 and LLMNR (Link-Local Multicast
> Name Resolution) is also connected in a way, it allows name resolutions
> without a nameserver. So, if you are using it, I personally wouldn't,
> ever heard of MITM ?
Just to understand a little more... NetBIOS with a wins server
2013 Apr 22
0
samba4 backup script
Hi list
I recently encountered errors while trying to backup the samba4 AD.
Apparently tar had some problems with sockets in the samba4 directory.
I modified the samba4 backup script, perhaps this or a similar change is
good to include upstream?
Cheers
Simon Oosthoek
-------------- next part --------------
#!/bin/sh
#####################################################
# THIS FILE IS
2015 Aug 22
4
[security] Thunderbird vulnerable to MITM
Thunderbird has a MITM vulnerability with its otherwise rather groovy
auto-configuration feature.
The problem is that it makes requests via HTTP to retrieve the auto
configuration information.
This allows a black hat (e.g. the NSA) to modify the results sent to the
client, and the client has no way to verify the results have not been
tampered with.
This could even allow the black hat to act
2007 May 29
1
Tunnelling Puppet over SSH
I work at a large financial institution (AXA) and we have a large number
of DMZs for our partner and internet-facing servers.
The only access to the various DMZs is via SSH and no DMZ-initiated
connections are allowed back to the internal network. I'd consider
putting a Puppet server in the DMZ but no communication is allowed
between DMZs either.
Has anyone tried tunnelling Puppet
2004 Jul 21
1
[Bug 904] Better support for multi hop ssh/scp/sftp and anonymous port forwarding
http://bugzilla.mindrot.org/show_bug.cgi?id=904
Summary: Better support for multi hop ssh/scp/sftp and anonymous
port forwarding
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo:
2017 Aug 22
3
pop 110/995, imap 143/993 ?
On 22.08.2017 03:56, Peter wrote:
>>> Lest anyone think STARTTLS MITM doesn't happen,
>>>
>>> https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/
> Right, the attack does happen, but it can be prevented by properly
> configuring the server and client.
Dovecot, by default, requires STARTTLS before accepting plaintext
2004 Apr 02
1
Complex Routing/Firewalling/Bridging question
I'm being cast headlong into unfamiliar waters here, and being desperate for
some air, thought I'd come here for some help. :)
Anyway, my employer is going through some whiplash-inducing growth spurts,
and as a result, the simple "Internet T-1 -> Linux Firewall/NAT -> LAN"
setup just isn't going to cut it anymore.
First, we're bringing in 2
2017 Aug 14
2
How does SMB 3.0 encryption work?
I'm interested in using SMB encryption to connect over untrusted
networks. I see that I can enable it in samba with 'smb encrypt = ...'
which is great, and I'm seeing posts from Microsoft (like this one:
https://technet.microsoft.com/en-us/library/dn551363(v=ws.11).aspx)
bragging about how it can detect man-in-the-middle attacks.
Can anyone point me at the basic details of how
2015 Jan 11
1
Thoughts on samba backup script for DCs
Hello,
possibly the author of the samba backup script will read this.
I customized the script myself due to some things:
1. At the end the script looks for samba4_* files to rotate the backups. But only backups of the private folder get this prefix with the original script. sysvol and etc backups will remain.
2. The wiki of backup and restore advises to restore on the same version of samba the
2015 Mar 25
5
FYI: SSH1 now disabled at compile-time by default
There's a world of difference between changing defaults and killing
functionality. SSH in general and OpenSSH in particular is part of what
we'll eventually get around to identifying as (I know everyone hates this
word) critical infrastructure. That means it doesn't break, particularly
not intentionally, and even more particularly not without time, warning,
and probably public input.
2012 Jun 22
2
SIP over SSL TCP or SRTP?
Hello,
Which one of these ensures that SIP packets are sent and received in a
secure format so that users using public wifi don't allow MITM type of
attacks or others can't read the plaintext SIP packet info. VPN is not an
option. Looking for 2nd most secure to VPN.
P.S. Are both options part of the configs of Asterisk or need modules to be
selected and installed before doing the