>    So the setup has to be one in which the outside walls are strong and
>thick, but once inside, there are no walls except those which you choose
>to build.  If you can gain root on the AIX machine, great!  Set up a
>Usenet server (have you ever wanted to try that in AIX?) and link news
>between the servers.  Since NONE of the machines have access to the
>outside world, and the world can't get to them without going through the
>gateway, it has to be STRONG - otherwise, I'm just giving away shells to
>whoever wants them.

OK, you want to give away access to a soft, chewy interior.  Nothing wrong with
that, it sounds like fun.  You want to use SSH (I presume) to prevent people
from sniffing passwords for the accounts you've given away, or hijacking
connections.  I would tend to think that may be overprotecting a bit
for accounts you give away, but that's OK too.

One problem I see, that I've seen many times before, is that you're
relying on users to keep secrets, i.e. their name and password.  In this
case, there's not much incentive for them to keep these secret.  They're
free.

How much of a problem this gets to be depends on how well you police it,
and how generous you are with accounts.

>    What I'm HOPING for is a tiny online community of Unix hackers and
>geeks working together to build a chaotic network of services - if you
>want to run a MUD on a system, go to town.  IRC?  Build it.  Just want
>to hack?  Go to - nobody's going to arrest you for it.  Be gentle, if
>you gain root and rm -rf, you're destroying a lot of people's work... I
>realize that there WILL be jerks, but I'm hoping that there'll be some
>respect between users.  If you hack root, add yourself a user with UID
>and GID 0 and use it instead - otherwise, every machine has a guest
>account.

You'll get some abuse, you recognize that, though.

>    So my target audience is Unix freaks - for the first little while (a
>month or two of setup), it will only be a few users testing EVERYTHING
>-- but after it is working to my satisfaction, there will be a Slashdot
>announcement for it.  At this point, I no longer will have any real idea
>who my users are.

And, uhh.... how much bandwidth do you have?

>    Having the gateway spawn a single 'telnet' session from an ssh login is
>a good idea, but probably not the best one.  I did consider an OTP
>scheme, but it's difficult to use it in the way I want to - considered
>something along the lines of "You get ONE password.  Use it once, add a
>user, no more passwords ( <- this is the hard part. ) After you've been
>here a while, and proved to be beneficial for the network, you get three
>more passwords, to give to people that YOU feel would be beneficial.

Not quite following... sounds like you're trying to make sure people only
get one account?  If you open it up to the public, you've got no way to
know that those dozen applications for accounts aren't all me.  After all,
I can generate as many e-mail addresses as I need.  And then I can give
them to the l0zers you've already kicked off before.

>    SSH on all of the systems is an idea - but it takes away from the
>initial fun.  If someone wants to compile a sniffer on there, go to -
>but you're going to have to use kermit or similar to get the source onto
>the machine... no ftp out, etc. :)

I cut and paste source into vi all the time..  There are lots of ways to
bootstrap any tools you need onto a system using even the most
limited access.  One can write a uudecoder in shell code, etc....

>    As far as I can see, the best way to do this is with a low-end Pentium
>system running NetBSD gatewaying the network - ONLY ssh open, with a
>'network' account.  This account spawns 'telnet' as its shell, on the
>internal network.  This is your access to the network; telnet only -
>perhaps there's a better way, but I (eventually) expect several thousand
>users - even if some are only one-time users.  I think there's enough
>advanced Linux geeks who are just itching to play with different flavors
>of Unix.

Like I mentioned before... my telnet client has a shell command.  What does that
do in your environment?  You might want to rip some things out of the telnet
client.

All in all, it sounds like fun.  I hope the bastards don't get you down.

                              Ryan
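Editor's note: the gateway design above (SSH-only box, a 'network' account whose "shell" is a telnet client pointed at the inside) and Ryan's objection to it (the telnet client's escape gives the user a local shell on the gateway) can both be illustrated with a ForceCommand wrapper. The script below is an added example written for this page, not code from the original thread. It assumes an OpenSSH sshd with Match/ForceCommand support, a hypothetical install path of /usr/local/bin/gateway-telnet, constructed inside-host names (aix.inside and friends), and a BSD or netkit telnet(1) whose `-e ''` disables the escape character; check that last point against the man page of the telnet you actually ship on the gateway.

```shell
#!/bin/sh
# gateway-telnet: hypothetical ForceCommand wrapper for the 'network' account.
# Install as /usr/local/bin/gateway-telnet (assumed path) and point sshd at it
# with an OpenSSH Match block, so the account gets this and nothing else:
#
#   # /etc/ssh/sshd_config
#   Match User network
#       ForceCommand /usr/local/bin/gateway-telnet
#       AllowTcpForwarding no
#       X11Forwarding no
#       PermitTunnel no
#       AllowAgentForwarding no
#
# Result: exactly one telnet session to an allowlisted inside host, with the
# telnet escape (and therefore its local shell command) switched off.

# Constructed allowlist of inside hosts; replace with the real ones.
ALLOWED_HOSTS="aix.inside netbsd.inside linux.inside"
DEFAULT_HOST="aix.inside"

# check_target NAME: return 0 if NAME is an allowlisted inside host, else 1.
check_target() {
    target=$1
    # Only plain hostname tokens get through: no empty string, no spaces,
    # no shell metacharacters, nothing that telnet could parse as an option.
    case "$target" in
        ''|*[!A-Za-z0-9.-]*|-*) return 1 ;;
    esac
    for h in $ALLOWED_HOSTS; do
        [ "$h" = "$target" ] && return 0
    done
    return 1
}

# pick_target: the first word of SSH_ORIGINAL_COMMAND when the client sent
# one (e.g. "ssh network@gateway netbsd.inside"), otherwise the default host.
pick_target() {
    # Unquoted on purpose: split the original command into words.
    set -- ${SSH_ORIGINAL_COMMAND:-}
    if [ $# -eq 0 ]; then
        printf '%s\n' "$DEFAULT_HOST"
    else
        printf '%s\n' "$1"
    fi
}

main() {
    target=$(pick_target)
    if ! check_target "$target"; then
        printf 'gateway: "%s" is not an inside host I will connect to\n' "$target" >&2
        exit 1
    fi
    # Start telnet with a scrubbed environment and no escape character.
    # Assumption (verify against the local telnet(1)): with BSD/netkit telnet,
    # `-e ''` means "no escape character", so the user never reaches the
    # telnet command prompt and its shell-escape command from the gateway.
    exec env -i PATH=/usr/bin:/bin TERM="${TERM:-vt100}" \
        telnet -e '' "$target"
}

# Run main only when invoked under the installed name, so the file can also be
# sourced or executed for checks without opening a connection.
case "${0##*/}" in
    gateway-telnet) main ;;
esac
```

The allowlist is the important part: ForceCommand stops the user choosing an arbitrary program, but without check_target a client-supplied command line could still steer the telnet client at the gateway itself, the outside world, or an option it was not meant to see. Pair this with a login shell of /sbin/nologin or similar for the account, since the wrapper only governs sessions that arrive through sshd.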


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
