On Tue, 2 Jul 2002, James Ralston wrote:

> A possible alternative would be something like OpenSSH's "privilege
> separation" feature, but the complexity of implementing it might very
> well outweigh the benefits, as the communication between the
> unprivileged listener and the privileged authentication/shell helpers
> would be complex.

I agree; the priv separation looks interesting, but I'm just not 
convinced how much it helps. IIRC, even with the priv separation, if an 
attacker breaks into the current OpenSSH via, say, Gobbles's script, then 
they *still* get a shell, albeit an unpriv'd one.  That being said, I 
still ponder if it's possible to make lshd fail securely.


> every machine.  A determined and *intelligent* attacker will do the
> same thing, but very slowly, over enough time as to not trip any IDSs.

Depends on the IDS method. It'll not trip the SNORTs of the world, but 
a good aggregating passive IDS will still catch most slow scans, even if 
it can't tell you where the scan is coming from.


> But in 12+ months, I've never been hit with
> a (complete) portscan attempt.  Not one.

It's 8:17 AM, and I've already had some idiot hit all of my low ports 
this morning.  My home network, however, rarely sees fullish scans; most of 
the time it's just the random script kiddie, as you pointed out.


> Metaphorically speaking, with such a plethora of juicy, low-hanging
> fruit within easy reach, there's little reason to climb up to the top
> of the tree and see what might be there.  The only people who are
> going to do that are intelligent and determined people who have good
> reason to believe that there's something *really* juicy up there.

Have you by chance read Building Secure Software (John Viega, Gary McGraw)? 
(Viega is one of the guys behind RATS, 
http://www.securesoftware.com/rats.php.) I mention this because there is 
a chapter in the book that says the same thing as what you wrote ;-)


The point of my questions was to ponder whether it was possible to try 
and keep a hole in lsh from being an automatic skeleton 
key to the system.  Moving lsh won't help much, and it doesn't look like 
it'll be reasonable to do any sort of priv separation or priv dropping. 

In any case, lsh is one very nice piece of software.  We'll move the rest 
of our equipment from SSH and OpenSSH to lsh in August.  Later this month 
I'll try my hand at seeing how lshd runs under cygwin.
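As an added illustration of the aggregating-IDS point made above (this is example code written for this page, not anything from the thread or from lsh): the same distinct-port counter run with a Snort-style one-minute window misses a probe that touches one port every ten minutes, while a 24-hour aggregation window catches it. The log lines, IP addresses and thresholds are constructed for the demonstration.

```python
"""Slow port-scan detection by aggregating per-source activity over a long window."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed connection log: '<ISO timestamp> <src_ip> <dst_port>' per line."""
    base = datetime(2002, 7, 2, 8, 0, 0)
    lines = []
    # Slow scanner (constructed): one new port every ten minutes.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443]):
        lines.append(f"{(base + timedelta(minutes=10 * i)).isoformat()} 10.0.0.5 {port}")
    # Fast scanner (constructed): six ports in six seconds.
    for i, port in enumerate([21, 22, 23, 25, 80, 110]):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.9 {port}")
    # Benign client (constructed): only ssh and http, an hour apart.
    lines.append(f"{base.isoformat()} 10.0.0.7 22")
    lines.append(f"{(base + timedelta(hours=1)).isoformat()} 10.0.0.7 80")
    return lines


def parse(lines):
    """Yield (timestamp, src_ip, dst_port) tuples from the log format above."""
    for line in lines:
        ts, src, port = line.split()
        yield datetime.fromisoformat(ts), src, int(port)


def scanners(events, window, min_ports):
    """Return {src: max_distinct_ports} for every source that touches at least
    min_ports distinct destination ports within some span of length `window`.
    The window is slid from each event of that source, so a scan spread thinly
    over a long period is still aggregated if the window is long enough."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()  # chronological, so t - t0 is never negative below
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits


if __name__ == "__main__":
    evs = list(parse(build_sample_log()))
    print("fast rule (60s window):", scanners(evs, timedelta(seconds=60), 5))
    print("slow rule (24h window):", scanners(evs, timedelta(hours=24), 5))
```

Neither rule attributes the scan to anything beyond a source address, which matches the caveat in the message: aggregation tells you a scan happened, not who is behind it.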