LinuxQuestions.org


dmcmahon 11-05-2006 05:19 PM

Fedora Core 6 overly secure
 
This whole secure by default thing is really getting out of hand. So, I just installed FC 6 after having been running RH9 for many years. Now, ftp, telnet, rlogin, etc are all disabled, and despite my best efforts I can't get them to work. Apparently they are all "kerberized" now. Well that's just great, so how the sam hill is that supposed to work across different machines and OSes? All I want to do is ftp some friggin files from the machine where I backed everything up. Nothing seems to work. I've installed xinetd and edited the scripts in /etc/xinetd.d to "enable" ftp. No joy. I've also shut down xinetd and started vsftpd, again, no joy.

gilead 11-05-2006 06:51 PM

Are you getting errors when you try and start them? What sort of messages are appearing in the log files (e.g. /var/log/messages, /var/log/vsftpd)?

randyding 11-05-2006 07:11 PM

For ftp you need to take away the -a option to the daemon.
Check the file /etc/xinetd.d/gssftp
Code:

change: server_args  = -l -a
to: server_args = -l

then restart the xinetd daemon.
Just read the man page for each of the services, and there is a way to bypass the auth mechanisms.

macemoneta 11-05-2006 09:30 PM

Keep in mind the reason those services are disabled by default is that they have the ability to send userids and passwords in clear text. Anyone between the client and server can see the login information (including wireless users, if you are on WiFi).

If you've just got an Ethernet cable between two machines, no problem. If you are sending information across the Internet, big problem.

Instead of using telnet/rlogin, you can use ssh. Instead of using ftp, you can use scp (uses ssh for transport). If the client is a Windows machine, you can install the free PuTTY program for ssh/scp.
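
Added example, not part of the thread or of any poster's reply: a small Python audit that parses xinetd service files and reports enabled services that accept clear-text logins. The list of service names and the treatment of `-a` on the ftp service (taken from the advice earlier in the thread) are assumptions, and the sample input is constructed.

```python
import re
from pathlib import Path

# Assumption: xinetd service names that accept clear-text passwords ("login" is rlogin).
CLEARTEXT = {"ftp", "telnet", "login"}
BLOCK = re.compile(r"^\s*service\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)

def parse_services(text):
    """Yield (service_name, {attribute: value}) for each 'service NAME { ... }' block."""
    for name, body in BLOCK.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]          # drop comments
            if "=" in line:
                key, value = line.split("=", 1)   # also handles the += and -= operators
                attrs[key.strip(" \t+-")] = value.strip()
        yield name, attrs

def audit(text):
    """Return one finding per enabled service that accepts clear-text logins."""
    findings = []
    for name, attrs in parse_services(text):
        if attrs.get("disable", "no").lower() == "yes":
            continue  # xinetd will not start this service
        args = attrs.get("server_args", "").split()
        # Assumption taken from the thread: the ftp daemon with -a insists on GSSAPI auth.
        if name == "ftp" and "-a" in args:
            continue
        if name in CLEARTEXT:
            findings.append(f"{name}: enabled and accepts clear-text passwords")
    return findings

def audit_dir(path="/etc/xinetd.d"):
    """Audit every file in an xinetd include directory; return {filename: findings}."""
    results = {}
    for f in sorted(Path(path).iterdir()):
        if f.is_file():
            hits = audit(f.read_text(errors="replace"))
            if hits:
                results[f.name] = hits
    return results

# Constructed sample modelled on the gssftp edit suggested in the thread.
SAMPLE = "service ftp\n{\n    disable = no\n    server_args = -l\n}\n"

if __name__ == "__main__":
    print(audit(SAMPLE))
```
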

dmcmahon 11-06-2006 10:05 AM

I took out the -a, still no luck. Attempting to ftp (yes it's from a Windows machine) just hangs with no response. Attempting to ftp from the Linux box gives a litany of GSSAPI errors. It starts with

Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: unspecified GSS failure. Minor code may provide more information
GSSAPI error minor: no credentials cache found
...

I know all about the security issues, but this is a workstation accessed on a LAN not the internet. This is a colossal pain in the arse.

dmcmahon 11-06-2006 11:16 AM

Also X port is not working
 
It's like all external port access is disabled to the machine. I have the xserver running and I've issued the "xhost +" command. Yet, non-local connections are refused.

dmcmahon 11-06-2006 12:11 PM

I'm beginning to suspect FC6 has installed a software firewall of some sort. Anyone know how to turn it off? There's nothing in the control panel.

dmcmahon 11-06-2006 12:16 PM

And indeed, once I tumbled to that, the magic incantation is found to configure the friggin firewall:

system-config-securitylevel

Jeeze, would it be too much trouble to put the @#$%ing thing on the control panel or menu somewhere?

macemoneta 11-06-2006 12:20 PM

You mean menu System-Administration->Security Level and Firewall?


All times are GMT -5.