Old 03-03-2011, 07:16 AM
Gerfried Fuchs
 
Default Disable ZeroConf: how to ?

Hi!

* Bastien ROUCARIES <roucaries.bastien@gmail.com> [2011-03-02 18:25:30 CET]:
> Could avahi be disabled (using kernel level firewalling is not
> from my point of view a solution)?

A nice hack that I was informed just recently about:

echo exit 0 >> /etc/default/avahi-daemon

That will disable the daemon quite effectively.
Rhonda
--
"What are the differences between Mark Zuckerberg and me? I give private
information on corporations to you for free, and I'm a villain.
Zuckerberg gives your private information to corporations for money and
he's Man of the Year." -- Julian Assange


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110303081651.GA18831@anguilla.debian.or.at
 
Old 03-03-2011, 08:32 AM
Bastien ROUCARIES
 
Default Disable ZeroConf: how to ?

On Wed, Mar 2, 2011 at 11:51 PM, Ben Hutchings <ben@decadent.org.uk> wrote:
> On Wed, 2011-03-02 at 23:09 +0100, Julien BLACHE wrote:
>> Bastien ROUCARIES <roucaries.bastien@gmail.com> wrote:
>>
>> Hi,
>>
>> > Because I work in an untrusted work place and home network (public
>> > networks, wifi...) I wish to purge zeroconf functionality.
>>
>> Looks like you want a firewall. Just sayin'.
>
> A firewall is mitigation against insecure applications and
> configurations. The availability of firewalls does not excuse us from
> making applications and their default configurations secure.

I perfectly agree...

Bastien

> Ben.
>
> --
> Ben Hutchings
> Once a job is fouled up, anything done to improve it makes it worse.
>


Archive: http://lists.debian.org/AANLkTi=cR_5giGbqxkOyNpWkvUMDFAciyp7_S5ySE7+Z@mail.gmail.com
 
Old 03-03-2011, 08:36 AM
Bastien ROUCARIES
 
Default Disable ZeroConf: how to ?

On Wed, Mar 2, 2011 at 11:54 PM, Klaus Ethgen <Klaus@ethgen.de> wrote:
> On Wed, 2 Mar 2011 at 18:25, Bastien ROUCARIES wrote:
>> More and more packages depend on avahi aka zeroconf. I have found some information on http://wiki.debian.org/ZeroConf
>>
>> Because I work in an untrusted work place and home network (public networks, wifi...) I wish to purge zeroconf functionality.
>
> I fought this bunch of functionality since long ago. The whole zeroconf
> stuff is only useful in secure and clearly defined environments. But there
> you don't need it anyway.
>
> With zeroconf there are some things that play together and have to be
> killed:
> - avahi (-daemon) -- as you find by yourself -- and the packages
>   zeroconf, libnss-mdns, avahi-autoipd, avahi-daemon.
> - The package slpd
> - The linklocal route (169.254.0.0)

OK, so this package should be marked as suggest only? Will file a bug,
if needed at wishlist level.

>> Could avahi be disabled (using kernel level firewalling is not from my point of view a solution)?
>
> See above.
>
>> And more specifically from an administrator point of view could the avahi library be made purgeable and no more than suggest
>> dependencies (I am willing to file a mass bug report because purging avahi will purge gnome and kde ...)?
>
> Well, as I do not use gnome nor kde I am not concerned by these
> dependencies.
>
>> And moreover could you give a clear answer about the security risk on untrusted network ?
>
> That is difficult. It depends on the environment. If you have a clear
> and secure environment, zeroconf is not that insecure. But in all other
> environments you do not want to have it.

Ok so a telnet equivalent from a security point of view...

Regards

Bastien

> Regards
> Klaus


Archive: http://lists.debian.org/AANLkTimVgZuWM-btAmjJeT1+goPrqtUR2PY2yBG=4Wv2@mail.gmail.com
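
The pieces named so far in the thread (the packages zeroconf, libnss-mdns, avahi-autoipd, avahi-daemon and slpd, the 169.254.0.0 link-local route, and the "exit 0" line in /etc/default/avahi-daemon) can be checked with a read-only audit. This is an added example, not part of any post in the thread and not Debian tooling. The function names, the file names inside the sample directory and the sample contents are constructed for illustration, and the nsswitch.conf check is an addition based on how libnss-mdns hooks into host lookups.

```shell
#!/bin/sh
# Read-only audit for the zeroconf pieces named in the thread (added example).
# Every check reads a file, so it works on live paths or on saved output.

ZEROCONF_PKGS="zeroconf libnss-mdns avahi-autoipd avahi-daemon slpd"

# installed_zeroconf_pkgs FILE
# FILE: output of  dpkg-query -W -f='${Package} ${Status}\n'
installed_zeroconf_pkgs() {
    for zc_pkg in $ZEROCONF_PKGS; do
        if grep -qFx "$zc_pkg install ok installed" "$1"; then
            printf '%s\n' "$zc_pkg"
        fi
    done
}

# has_linklocal_route FILE   (FILE: output of  ip -4 route show)
has_linklocal_route() {
    grep -q '^169\.254\.0\.0/16[[:space:]]' "$1"
}

# nss_uses_mdns FILE   (FILE: /etc/nsswitch.conf; comments are ignored)
nss_uses_mdns() {
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*hosts:.*mdns'
}

# default_file_disables_daemon FILE   (FILE: /etc/default/avahi-daemon)
# True when the file carries the "exit 0" line from the hack quoted above.
default_file_disables_daemon() {
    grep -Eq '^[[:space:]]*exit[[:space:]]+0[[:space:]]*$' "$1"
}

# audit_zeroconf DIR
# DIR holds packages.txt, routes.txt, nsswitch.conf and avahi-daemon.default
# (hypothetical file names). Prints one finding per line.
audit_zeroconf() {
    for zc_found in $(installed_zeroconf_pkgs "$1/packages.txt"); do
        echo "installed: $zc_found"
    done
    if has_linklocal_route "$1/routes.txt"; then
        echo "route: 169.254.0.0/16 present"
    fi
    if nss_uses_mdns "$1/nsswitch.conf"; then
        echo "nss: hosts lookups consult mdns"
    fi
    if installed_zeroconf_pkgs "$1/packages.txt" | grep -qx avahi-daemon &&
       ! default_file_disables_daemon "$1/avahi-daemon.default"; then
        echo "daemon: avahi-daemon installed, no 'exit 0' in its default file"
    fi
}

# write_samples DIR: constructed sample inputs, not taken from a real host
write_samples() {
    cat > "$1/packages.txt" <<'EOF'
avahi-daemon install ok installed
libnss-mdns install ok installed
avahi-autoipd deinstall ok config-files
openssh-server install ok installed
EOF
    cat > "$1/routes.txt" <<'EOF'
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
169.254.0.0/16 dev eth0 scope link metric 1000
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd: compat
# hosts: files dns
hosts: files mdns4_minimal [NOTFOUND=return] dns
EOF
    cat > "$1/avahi-daemon.default" <<'EOF'
AVAHI_DAEMON_DETECT_LOCAL=1
EOF
}

# Demo run on the constructed samples
zc_dir=$(mktemp -d)
write_samples "$zc_dir"
audit_zeroconf "$zc_dir"
rm -rf "$zc_dir"
```

On a live system the four inputs would come from dpkg-query, ip -4 route show, /etc/nsswitch.conf and /etc/default/avahi-daemon.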
 
Old 03-03-2011, 08:59 AM
Bastien ROUCARIES
 
Default Disable ZeroConf: how to ?

On Wed, Mar 2, 2011 at 10:24 PM, Josselin Mouette <joss@debian.org> wrote:
> On Wednesday, 02 March 2011 at 18:25 +0100, Bastien ROUCARIES wrote:
>> And more specifically from an administrator point of view could the
>> avahi library be made purgeable and no more than suggest
>> dependencies (I am willing to file a mass bug report because purging
>> avahi will purge gnome and kde ...)?
>
> As Philipp pointed out, only gnome depends on it, and that’s not
> gnome-desktop-environment. You can use the latter if you want only the
> official GNOME desktop.


Not true anymore see below:
gnome-desktop-environment
Depends: gnome-user-share
Depends: libapache2-mod-dnssd
Depends: avahi-daemon
Recommends: telepathy-salut
Depends: avahi-daemon

>> And moreover could you give a clear answer about the security risk on
>> untrusted network ?
>
> I’d say Avahi is mostly as insecure as the services that use it for
> advertising.

Yes, I have just read the draft RFC and it documents some pitfalls in
insecure networks:
http://tools.ietf.org/html/draft-cheshire-dnsext-multicastdns-08
In an environment where the participants are mutually antagonistic
and unwilling to cooperate, other mechanisms are appropriate, like
manually administered DNS.

In an environment where there is a group of cooperating participants,
but there may be other antagonistic participants on the same physical
link, the cooperating participants need to use IPSEC signatures
and/or DNSSEC [RFC 2535] signatures so that they can distinguish mDNS
messages from trusted participants (which they process as usual) from
mDNS messages from untrusted participants (which they silently
discard).

When DNS queries for *global* DNS names are sent to the mDNS
multicast address (during network outages which disrupt communication
with the greater Internet) it is *especially* important to use
DNSSEC, because the user may have the impression that he or she is
communicating with some authentic host, when in fact he or she is
really communicating with some local host that is merely masquerading
as that name. This is less critical for names ending with ".local.",
because the user should be aware that those names have only local
significance and no global authority is implied.

Most computer users neglect to type the trailing dot at the end of a
fully qualified domain name, making it a relative domain name (e.g.
"www.example.com"). In the event of network outage, attempts to
positively resolve the name as entered will fail, resulting in
application of the search list, including ".local.", if present.
A malicious host could masquerade as "www.example.com." by answering
the resulting Multicast DNS query for "www.example.com.local."
To avoid this, a host MUST NOT append the search suffix
".local.", if present, to any relative (partially qualified)
host name containing two or more labels. Appending ".local." to
single-label relative host names is acceptable, since the user
should have no expectation that a single-label host name will
resolve as-is.


Archive: http://lists.debian.org/AANLkTinaxgo2-sd9FsnqHPNOi2e4LOD+ebRTg+ro_soQ@mail.gmail.com
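
The search-suffix rule from the draft quoted above, written out as resolver logic beside the behaviour it forbids. This is an added example, not code from the draft, from Avahi or from any poster; the function names and the sample resolv.conf are constructed for illustration.

```shell
#!/bin/sh
# The draft's ".local." search-suffix rule as resolver logic (added example).

# count_labels NAME: number of labels in NAME, ignoring one trailing dot
count_labels() {
    cl_name=${1%.}
    if [ -z "$cl_name" ]; then echo 0; return; fi
    cl_dots=$(printf '%s' "$cl_name" | tr -cd '.' | wc -c)
    echo $((cl_dots + 1))
}

# naive_candidates NAME SUFFIX...
# Names queried when every search suffix is appended to any relative name:
# the behaviour the draft warns about.
naive_candidates() {
    nc_name=$1; shift
    case $nc_name in *.) printf '%s\n' "$nc_name"; return ;; esac
    printf '%s.\n' "$nc_name"                 # first, the name as entered
    for nc_suffix in "$@"; do
        printf '%s.%s.\n' "$nc_name" "${nc_suffix%.}"
    done
}

# safe_candidates NAME SUFFIX...
# Same, but "local" is never appended to a relative name that has two or
# more labels. Single-label names may still get ".local.".
safe_candidates() {
    sc_name=$1; shift
    case $sc_name in *.) printf '%s\n' "$sc_name"; return ;; esac
    sc_labels=$(count_labels "$sc_name")
    printf '%s.\n' "$sc_name"
    for sc_suffix in "$@"; do
        sc_suffix=$(printf '%s' "${sc_suffix%.}" | tr 'A-Z' 'a-z')
        if [ "$sc_suffix" = local ] && [ "$sc_labels" -ge 2 ]; then
            continue                          # the MUST NOT case
        fi
        printf '%s.%s.\n' "$sc_name" "$sc_suffix"
    done
}

# search_list FILE: suffixes from the last "search" line of a resolv.conf
search_list() {
    awk '$1 == "search" { $1 = ""; list = $0 } END { print list }' "$1"
}

# Demo on a constructed resolv.conf
rc_file=$(mktemp)
printf 'nameserver 192.0.2.53\nsearch corp.example.net local\n' > "$rc_file"
for demo_name in www.example.com printer www.example.com.; do
    echo "naive $demo_name: $(naive_candidates "$demo_name" $(search_list "$rc_file") | tr '\n' ' ')"
    echo "safe  $demo_name: $(safe_candidates "$demo_name" $(search_list "$rc_file") | tr '\n' ' ')"
done
rm -f "$rc_file"
```

For www.example.com the naive list contains www.example.com.local., the name the draft says a malicious host on the link could answer for, while the rule-following list does not.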
 
Old 03-03-2011, 09:02 AM
Klaus Ethgen
 
Default Disable ZeroConf: how to ?

Hi,

On Thu, 3 Mar 2011 at 3:35, Chow Loong Jin wrote:
> > A system has not to listen for any unused and unneeded services ever. A
> > firewall is to control services you _need_.
> >
> > All that zeroconf stuff is absolutely not needed and wanted. (By the
> > most users, I suppose.)
[...]
> Actually I absolutely love the <machine>.local resolution functionality on a
> network (it works much better than the NetBIOS crap that can never find another
> machine on a network when you want it). That, and Pidgin's Bonjour support
> interfaces with iChat over zeroconf, allowing you to chat with users (and
> exchange files, perhaps?) across a network without needing to set up a
> centralized chatting system.

The thoughts of that makes me shiver! Trusting untreatable sources on a
network for configuring local stuff is worse ever. Either you have a
trustable network then it gets configured in a clean way and by intent.
Or you have an untrusted network you do not want to use ever or only so
far that you can oversee it.

> I think those two functionalities are pretty useful to the end-user.

Well, they might be for a mac or windows user that is not care about
security at all. But it is horror for a debian user who care at least a
bit about security.

And even if you not care about, then that functionality should be
explicit configured and not per default.

And even worse, debian is often used on server platforms where you never
ever want to have any such magically configured services.

> Rather than blabbering about potential security issues stemming from
> avahi-daemon being installed and enabled on a system, how about actually finding
> one and reporting it?

Oh, they are not potential. Trusting on untrusted stuff for doing any on
your machine raises the vector for intrusion to hell.

Ah, and to give a example of the past. No one ever did think about that
mssql is vulnerable due to a comfort feature until in 2001/2002 the
mssql-slammer (or how the worm was called) took down major parts of the
net. Zeroconf and avahi plays in the same category.

> gnome-user-share does not share stuff by default as far as I can tell, and
> padevchooser only uses avahi-daemon for discovering extra Pulseaudio sinks on
> the network (it doesn't advertise its own sinks by default).

Uh, you mean, that anybody can listen to your music or your teamspeak
session or your voip session with your girlfriend due zeroconf found a
audio sink in the network and did reconfigure your system to use it?

> An avahi-enabled system that advertises no services is pretty much as secure as
> the avahi-disabled system.

That is not true. For two reasons:
1. It is one more daemon that is not needed and can have bugs. (And even
more it lowers the sensibility about unusual processes on your
system)
2. It even configure parts of your system from untrusted information
from the network.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B


Archive: http://lists.debian.org/20110303100247.GA20678@ikki.ethgen.ch
 
Old 03-03-2011, 09:19 AM
Bastien ROUCARIES
 
Default Disable ZeroConf: how to ?

On Thu, Mar 3, 2011 at 11:02 AM, Klaus Ethgen <Klaus@ethgen.de> wrote:
> Hi,
>
> On Thu, 3 Mar 2011 at 3:35, Chow Loong Jin wrote:
>> > A system has not to listen for any unused and unneeded services ever. A
>> > firewall is to control services you _need_.
>> >
>> > All that zeroconf stuff is absolutely not needed and wanted. (By the
>> > most users, I suppose.)
> [...]
>> Actually I absolutely love the <machine>.local resolution functionality on a
>> network (it works much better than the NetBIOS crap that can never find another
>> machine on a network when you want it). That, and Pidgin's Bonjour support
>> interfaces with iChat over zeroconf, allowing you to chat with users (and
>> exchange files, perhaps?) across a network without needing to set up a
>> centralized chatting system.
>
> The thoughts of that makes me shiver! Trusting untreatable sources on a
> network for configuring local stuff is worse ever. Either you have a
> trustable network then it gets configured in a clean way and by intent.
> Or you have an untrusted network you do not want to use ever or only so
> far that you can oversee it.

I agree and moreover because Chow Loong Jin uses <machine>.local instead of
<machine>.local. it could be resolved to whatever the hell to universe...

>> I think those two functionalities are pretty useful to the end-user.
>
> Well, they might be for a mac or windows user that is not care about
> security at all. But it is horror for a debian user who care at least a
> bit about security.
>
> And even if you not care about, then that functionality should be
> explicit configured and not per default.
>
> And even worse, debian is often used on server platforms where you never
> ever want to have any such magically configured services.

I agree, this should be disabled by default or at least asked to run at
config time with a no default, and only be authorized to resolve if
you use a fqdn and not a relative domain name...
And with mdns...

>> Rather than blabbering about potential security issues stemming from
>> avahi-daemon being installed and enabled on a system, how about actually finding
>> one and reporting it?
>
> Oh, they are not potential. Trusting on untrusted stuff for doing any on
> your machine raises the vector for intrusion to hell.
>
> Ah, and to give a example of the past. No one ever did think about that
> mssql is vulnerable due to a comfort feature until in 2001/2002 the
> mssql-slammer (or how the worm was called) took down major parts of the
> net. Zeroconf and avahi plays in the same category.
>
>> gnome-user-share does not share stuff by default as far as I can tell, and
>> padevchooser only uses avahi-daemon for discovering extra Pulseaudio sinks on
>> the network (it doesn't advertise its own sinks by default).
>
> Uh, you mean, that anybody can listen to your music or your teamspeak
> session or your voip session with your girlfriend due zeroconf found a
> audio sink in the network and did reconfigure your system to use it?
>
>> An avahi-enabled system that advertises no services is pretty much as secure as
>> the avahi-disabled system.
>
> That is not true. For two reasons:
> 1. It is one more daemon that is not needed and can have bugs. (And even
>    more it lowers the sensibility about unusual processes on your
>    system)
> 2. It even configure parts of your system from untrusted information
>    from the network.

I agree, and it is only the daemon part the depend on client part is
even more scary...

We trust a lot untrusted source...




Archive: http://lists.debian.org/AANLkTi=FVSy4PW0=T1DUVGbH5Fhu71kZbNfmCRO64RTU@mail.gmail.com
 
Old 03-03-2011, 09:25 AM
Tollef Fog Heen
 
Default Disable ZeroConf: how to ?

]] Klaus Ethgen

Hi,

| The thoughts of that makes me shiver! Trusting untreatable sources on a
| network for configuring local stuff is worse ever.

Then just don't use it? Nobody is forcing you to.

| > I think those two functionalities are pretty useful to the end-user.
|
| Well, they might be for a mac or windows user that is not care about
| security at all. But it is horror for a debian user who care at least a
| bit about security.
|
| And even if you not care about, then that functionality should be
| explicit configured and not per default.

That makes it much less useful. On the other hand, it's not like your
system will suddenly go around connecting to random services just
because it sees them announced.

| And even worse, debian is often used on server platforms where you never
| ever want to have any such magically configured services.

Oh, I quite like services to announce themselves so I can just do ssh
foo.local. Not everything gets set up in DNS and ssh caches the host
key so doing a mitm attack after the initial handshake is prevented.
It's not like it'll magically be pulled in on servers or anybody is
suggesting making it part of the base system.

| Ah, and to give a example of the past. No one ever did think about that
| mssql is vulnerable due to a comfort feature until in 2001/2002 the
| mssql-slammer (or how the worm was called) took down major parts of the
| net. Zeroconf and avahi plays in the same category.

Except zeroconf isn't routed so to be able to exploit it you need to be
on the same physical segment?

| > gnome-user-share does not share stuff by default as far as I can tell, and
| > padevchooser only uses avahi-daemon for discovering extra Pulseaudio sinks on
| > the network (it doesn't advertise its own sinks by default).
|
| Uh, you mean, that anybody can listen to your music or your teamspeak
| session or your voip session with your girlfriend due zeroconf found a
| audio sink in the network and did reconfigure your system to use it?

That they are discovered does not mean they are used, just that they are
available. If you have found any bugs where network sinks are used
automatically please file bugs about that.

Really, if you want to disable avahi, please feel free to do so on your
systems. Or use a firewall, or both. Debian has a fair balance of
functionality, security and convenience out of the box, if you disagree
with the current balance, feel free to invest the work into making it
possible to harden Debian further.

Regards,
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are


Archive: http://lists.debian.org/87sjv4jybg.fsf@qurzaw.varnish-software.com
 
Old 03-03-2011, 09:32 AM
Bastien ROUCARIES
 
Default Disable ZeroConf: how to ?

On Thu, Mar 3, 2011 at 11:25 AM, Tollef Fog Heen <tfheen@err.no> wrote:
> ]] Klaus Ethgen
>
> Hi,
>
> | The thoughts of that makes me shiver! Trusting untreatable sources on a
> | network for configuring local stuff is worse ever.
>
> Then just don't use it? Nobody is forcing you to.
>
> | > I think those two functionalities are pretty useful to the end-user.
> |
> | Well, they might be for a mac or windows user that is not care about
> | security at all. But it is horror for a debian user who care at least a
> | bit about security.
> |
> | And even if you not care about, then that functionality should be
> | explicit configured and not per default.
>
> That makes it much less useful. On the other hand, it's not like your
> system will suddenly go around connecting to random services just
> because it sees them announced.
>
> | And even worse, debian is often used on server platforms where you never
> | ever want to have any such magically configured services.
>
> Oh, I quite like services to announce themselves so I can just do ssh
> foo.local.

The balance about using FQDN like you do and not foo.local that will
resolve to hell

> Not everything gets set up in DNS and ssh caches the host
> key so doing a mitm attack after the initial handshake is prevented.
> It's not like it'll magically be pulled in on servers or anybody is
> suggesting making it part of the base system.

It is pulled when I use gnome on my server...

> | Ah, and to give a example of the past. No one ever did think about that
> | mssql is vulnerable due to a comfort feature until in 2001/2002 the
> | mssql-slammer (or how the worm was called) took down major parts of the
> | net. Zeroconf and avahi plays in the same category.
>
> Except zeroconf isn't routed so to be able to exploit it you need to be
> on the same physical segment?
>
> | > gnome-user-share does not share stuff by default as far as I can tell, and
> | > padevchooser only uses avahi-daemon for discovering extra Pulseaudio sinks on
> | > the network (it doesn't advertise its own sinks by default).
> |
> | Uh, you mean, that anybody can listen to your music or your teamspeak
> | session or your voip session with your girlfriend due zeroconf found a
> | audio sink in the network and did reconfigure your system to use it?
>
> That they are discovered does not mean they are used, just that they are
> available. If you have found any bugs where network sinks are used
> automatically please file bugs about that.
>
> Really, if you want to disable avahi, please feel free to do so on your
> systems. Or use a firewall, or both. Debian has a fair balance of
> functionality, security and convenience out of the box, if you disagree
> with the current balance, feel free to invest the work into making it
> possible to harden Debian further.

But how to disable was not documented and that is the problem...
Moreover current configuration that allows to use local link that are
not FQDN is a little bit insecure

Bastien

> Regards,
> --
> Tollef Fog Heen
> UNIX is user friendly, it's just picky about who its friends are
>
>


Archive: http://lists.debian.org/AANLkTinfcvL7j6s-KLNMHABRcQS4kO0=pQNE=ujooCgx@mail.gmail.com
 
Old 03-03-2011, 09:54 AM
Klaus Ethgen
 
Default Disable ZeroConf: how to ?

Hi,

On Thu, 3 Mar 2011 at 11:25, Tollef Fog Heen wrote:
> Then just don't use it? Nobody is forcing you to.
[...]
> | And even if you not care about, then that functionality should be
> | explicit configured and not per default.
>
> That makes it much less useful. On the other hand, it's not like your
> system will suddenly go around connecting to random services just
> because it sees them announced.

So you contradict yourself within two paragraphs. It makes it less
useful to enable it only on manual intervention (say, it should be
enabled automatic) but on the other hand you say that nobody is forcing
me (or others) to use it. How does that play together?

> Oh, I quite like services to announce themselves so I can just do ssh
> foo.local. Not everything gets set up in DNS and ssh caches the host
> key so doing a mitm attack after the initial handshake is prevented.

Not every service has that security fence.

> Except zeroconf isn't routed so to be able to exploit it you need to be
> on the same physical segment?

Physical might be relative with wireless networks. But you are true,
that isn't routed (good thanks), but that hinders it only from taking
down the whole net.

> If you have found any bugs where network sinks are used automatically
> please file bugs about that.

Oh, there is no chance of that as I never ever will use such stuff.

> Really, if you want to disable avahi, please feel free to do so on your
> systems.

That the discussion is about, yes. And the pressure some dependencies
bring in.

> Or use a firewall, or both.

It is told on other places that firewalling is not the solution.

> Debian has a fair balance of functionality, security and convenience
> out of the box,

Unfortunately some people on debian started to place convenience much
higher as security. I think that is a dangerous trend. Debian gives up
more and more security for convenience.

> if you disagree with the current balance, feel free to invest the work
> into making it possible to harden Debian further.

Oh, I did. I am not a DD and involved myself in some discussions about
that. But finally I found out that the force of (some) DDs is higher
than mine and that they misuse it. So I am only able to fix that issues
I have locally and share the hardened packages to others on a private
repository. That is not great but sometimes it is the only workable way.
And it is no easy way.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B


Archive: http://lists.debian.org/20110303105413.GB20678@ikki.ethgen.ch
 
Old 03-03-2011, 10:06 AM
Mike Hommey
 
Default Disable ZeroConf: how to ?

On Thu, Mar 03, 2011 at 11:32:23AM +0100, Bastien ROUCARIES wrote:
> > Not everything gets set up in DNS and ssh caches the host
> > key so doing a mitm attack after the initial handshake is prevented.
> > It's not like it'll magically be pulled in on servers or anybody is
> > suggesting making it part of the base system.
>
> It is pulled when I use gnome on my server...

Isn't using gnome on a server asking for trouble already ?

Mike


Archive: http://lists.debian.org/20110303110647.GA9533@glandium.org
 
