Lachlan,
Thanks for the response! I haven't tried it yet, but does ssh with a
passphrase address your concern? If somebody steals your private key
can it be used without the passphrase?
Thanks,
Randy Kramer
PS: Thanks for the discussion. From what you've said and other things
I've heard before, my impression of chrooting is that you somehow create
an "artificial" root account / environment with limited privileges, and
somebody that uses this artificial account cannot get to the real root
account? Is this close?
Lachlan Cranswick wrote:
> While chroot'ing may be considered flawed: given 99% of present
> hacking seems to be by the unskilled running auto-scripts -
> (looking for suckers who have unpatched systems or setup flaws):
> anything that frustrates these scripts, minimizes un-needed services
> and/or provides "non-standard" (rsync?) chrooted environments which
> requiring custom/non-automated skills to overcome are going to be
> effective to a large degree.
>
> (also using a deception toolkit on all exposed and unexposed
> servers and UNIX clients (minimicking services) can also make
> things more interesting: e.g., http://www.all.net/dtk )
> E.g., For running a remotely mirrored UNIX webserver - nothing more is
> needed than webserver(apache) and rsync. And, if given remote admin
> rights, a very tight custom OpenSSH install(?)
>
> Passwordless secureshell accounts for tunnelling rsync through
> is potentially one degree of freedom too many(!?)