SSH Security Hole

Posted Thu, 26 Jan 2023 12:51:32 CST. Download PGP signature.

On 2023-01-25, ~yosh emailed me about a security hole with SSH
authentication. Before that day, anyone could gain SSH shell access as
any LDAP user with a blank or invalid password. This didn't affect any
other service, including sudo or passwd, so it wasn't possible to gain
access to any other service except an SSH shell.

As far as I know, this issue didn't affect plain UNIX users in
/etc/passwd, and I have no reason to believe this was ever actually

The misconfiguration occurred with PAM and OpenSSH. Despite
PasswordAuthentication being disabled in OpenSSH,
KbdInteractiveAuthentication was still enabled by default allowing PAM
to display a login prompt for a password; modifying the PAM and OpenSSH
configuration fixed the password validation error and also disabled
plaintext authentication for good.

Since passwords are stored hashed in LDAP with proper authentication
required to view the hash, I don't believe any password hashes were
accessed. Root access was not possible directly, and I think a targeted
attack was unlikely. WTMP logs show no unusual logins, SSH logs
indicate that root login was disabled and common automated botnet
scanning only attempts password and not keyboard interactive auth
(usually with invalid users as well).

In any case, I would recommend that you update your password or at the
very least change it to the same one if you haven't in the past month or
so. New users or users that changed their password after December 2022
should have passwords hashed with ARGON2ID, otherwise PBKDF2-SHA512 with
10000 iterations.

I'm sorry this wasn't noticed earlier. In any case, it seems other
systems were properly configured, and I've learned PAM is a beast that
you should probably avoid messing with too much lest confusing security
holes rear their head.

~ Kayden
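
An added example, not part of the original announcement or of UNIX.dog's configuration: a small audit that reads sshd_config text and lists which SSH methods can still end in a password prompt, showing why PasswordAuthentication no alone leaves the keyboard-interactive path open through PAM. The two sample configs are constructed, the defaults table reflects upstream OpenSSH (distro packages may differ), and the "after" sample is only one assumed way to close the path.

```python
import re

# Upstream OpenSSH defaults (assumption: your distro's package may override them).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}
# Deprecated spelling that sshd treats as the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed samples modelled on the situation described in the post.
BEFORE = "PasswordAuthentication no\nUsePAM yes\n"
AFTER = "PasswordAuthentication no\nKbdInteractiveAuthentication no\nUsePAM yes\n"


def effective_settings(config_text):
    """Return the global values of the keywords above; first occurrence wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Keyword and value are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional Match blocks are out of scope here
        key = ALIASES.get(key, key)
        if key in DEFAULTS and key not in seen:
            seen[key] = parts[1].strip().strip('"')
    return {**DEFAULTS, **seen}


def password_paths(config_text):
    """List the SSH auth methods that can still end in a password prompt."""
    s = effective_settings(config_text)
    paths = []
    if s["passwordauthentication"] == "yes":
        paths.append("password")
    # With UsePAM yes, keyboard-interactive hands the prompt to the PAM stack.
    if s["kbdinteractiveauthentication"] == "yes" and s["usepam"] == "yes":
        paths.append("keyboard-interactive (PAM)")
    return paths


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, password_paths(cfg) or "key-based auth only")
```

On a live host, sshd -T prints the effective values including defaults and is the authoritative source; this check only covers which methods are reachable, not whether the PAM stack validates the password correctly.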

VPS Migration

Posted Sat, 12 Nov 2022 17:13:36 CST. Download PGP signature.

Arf!! UNIX.dog will soon be moving to a U.S. Central
Contabo VPS instance. I'm kind of tired of the huge
latencies across the Atlantic, it makes SSH sessions
annoying and since most of us seem to be in North
America it makes more sense imo. This won't change
anything, other than make sure that you don't have
any direct IP reference as those will change. Once
the migration is finished, it may take a bit for all
the DNS changes to propagate.

Anyways, I plan to do this migration on Tuesday, Nov. 15.
Please be warned that UNIX.dog may be down for a while!
I need to essentially tunnel the data over, which may
take a while as there's around 50GB space being used.

Happy barking! Awoo!!
~ Kayden (wruff)

New Announcement System!

Posted Thu, 03 Nov 2022 13:23:51 CDT. Download PGP signature.

Hewwo everyone!
I hope unix.dog has been working well for y'all. This is the
first announcement that I'm making, and I want to thank
everyone for giving me suggestions on how to improve unix.dog.

It means a lot to me :3

Also, with that being in mind, I'd like to reboot the server
this Sunday, November 6th at about 6pm PST. It shouldn't take
that long, but I'm just letting everyone know if you have something

Thank you!
~ Kayden