On Wed, 11 Oct 2000, Karl J. Runge wrote:
> For the benefit of the list, I was wondering if the admins out there
> who have made their LAN's more secure by removing rsh, rlogin (and
> possibly telnetd and ftpd) and replacing these with ssh and scp, would
> explain what additional steps are needed or should be done to make the
> scheme successful.
There really isn't anything else to do. Just stop using rsh/telnet and
start using ssh.
> My point is that in a workplace LAN with multiple users sharing
> machines and resources there are typically more services availible
> than in using ssh across the internet (e.g. between firewalls).
> So saying "always use ssh" might not be enough (though it surely
> helps some amount).
I guess I'm not sure what you're getting at... wherever you connected
to rshd, rlogind, or telnetd before, now use sshd instead. It really is
that simple. You might want/need to keep telnet around, as it can be used
to connect to any port for troubleshooting, but the rest of those can just
go.
> Possible loopholes that come to mind are:
>
> - User's ~/.ssh/ contents exported via NFS
If your NFS environment is secure, this isn't a problem.
> - Snooping passphrases via X11
This could conceivably be an issue... if someone had root access to your
machine.
> - yppasswd data or pop/imap passwords easily sniffed to circumvent ssh
Nope. ssh does not use the yp password AT ALL (unless you configure it
that way). As for pop/imap... well, they're not very secure protocols,
though you can use either over SSL if your server and clients support it,
and you can also redirect a port on your local machine to those ports on a
remote machine. This does have limitations, but it can work just fine.
> I understand the replacement rsh -> ssh is an incremental improvement
> no matter where it is applied, but what (if any) additional steps/policies
> do people feel are needed for it to work in an workplace environment?
None.
> Wasn't mclinux doing this? If so, how did it go?
Fine... we simply turned off rshd, rlogind, telnetd, and ftpd. The users
have other ways to get at various bits of data, i.e. both ssh and NFS, so
it's not been a problem.
> > > I'd also be interested in your suggestions/experiences for ssh activity
> > > automation i.e. via cron *w/o* passphrase. (which I believe was the
> > > intention of the original post as well).
Well, we do this, and I would want to have the absolute minimum of
passphrase-less keys kicking around, so we've designated one machine to be
our central administration server, and only root on that machine is
allowed to remotely run automated scripts via ssh. Obviously the number
of poeple who have the root password to that machine must be very limited.
--
Derek Martin
Senior System Administrator
Mission Critical Linux
[EMAIL PROTECTED]
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
