Re: Remotely edit user disk quota

2009-05-31 Thread Wojciech Puchar

same user password somewhere else.


The whole point of ssh is to prevent this sort of thing, by
encrypting the message traffic over this insecure communication
channel.


I think most people using ssh already know it. Or maybe not? :)

An attacker may be able to intercept the encrypted
traffic, but it will take a skilled cryptanalyst and a lot of CPU
time -- or the attacker will have to be very lucky -- to decrypt
the message and recover the passwords while they are still valid.


All of these things are strong enough to require billions of years to
crack, or more.


From the beginning my point in this discussion is to stop stupidly
repeating golden rules like

- program a is secure
- program b is insecure
- so just don't use program b

Because it teaches people not to think.


There is a difference between an insecure program and a program without
extra security.



(You *do* change passwords periodically, don't you?)


Of course!
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Remotely edit user disk quota

2009-05-30 Thread Chris Rees
2009/5/29 Wojciech Puchar woj...@wojtek.tensor.gdynia.pl:
 Wojciech Puchar woj...@wojtek.tensor.gdynia.pl wrote:

 Even 15 seconds of thinking is enough to understand that logging
 to other user and then su - gives completely no extra security.

 I don't buy this, given that root's login name is well known :)

 if someone can intercept the passwords you type, then he/she will intercept
 both user password you log in and then su password you type.

 He/she actually can gain more if you use su, as you may use the same user
 password somewhere else.

But we're talking about vulnerability to dictionary and brute-force
attacks. You'd have to first:

Ascertain a username in the wheel group.

Brute-force that password.

THEN, you need to brute-force root's password.

Chris



-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?


Re: Remotely edit user disk quota

2009-05-30 Thread Wojciech Puchar

But we're talking about vulnerability to dictionary and brute-force
attacks. You'd have to first:

Ascertain a username in the wheel group.


As the time needed to brute-force any of my passwords is incomparably
longer than the age of the universe, this is not an argument.


It's just a matter of using good passwords.


Re: Remotely edit user disk quota

2009-05-30 Thread perryh
Wojciech Puchar woj...@wojtek.tensor.gdynia.pl wrote:

  Wojciech Puchar woj...@wojtek.tensor.gdynia.pl wrote:
 
  Even 15 seconds of thinking is enough to understand that logging
  to other user and then su - gives completely no extra security.
 
  I don't buy this, given that root's login name is well known :)

 if someone can intercept the passwords you type, then he/she will 
 intercept both user password you log in and then su password you
 type.

 He/she actually can gain more if you use su, as you may use the
 same user password somewhere else.

The whole point of ssh is to prevent this sort of thing, by
encrypting the message traffic over this insecure communication
channel.  An attacker may be able to intercept the encrypted
traffic, but it will take a skilled cryptanalyst and a lot of CPU
time -- or the attacker will have to be very lucky -- to decrypt
the message and recover the passwords while they are still valid.
(You *do* change passwords periodically, don't you?)


Re: Remotely edit user disk quota

2009-05-29 Thread Chris Rees
2009/5/28 Kirk Strauser k...@strauser.com:
 On Thursday 28 May 2009 02:34:02 pm Wojciech Puchar wrote:

 And yes - i do log as root by insecure rsh and telnet.

 OK, I'm now promoting you to batshit insane.  Seriously, there's no excuse
 for running telnet - even in a secure (ha!) environment - when so much
 better alternatives exist.

 Let me shoot you a hypothetical: your webserver gets compromised.

Something I pointed out earlier.

Chris





Re: Remotely edit user disk quota

2009-05-29 Thread perryh
Wojciech Puchar woj...@wojtek.tensor.gdynia.pl wrote:

 Even 15 seconds of thinking is enough to understand that logging
 to other user and then su - gives completely no extra security.

I don't buy this, given that root's login name is well known :)

If a system accepts remote root logins, an attacker need only guess
or intercept one thing -- the root password -- to log in with root
privileges.  If it does not accept remote root logins, that attacker
must guess or intercept three things:  the login name of a user in
the wheel group, that user's password, and also the root password.


Re: Remotely edit user disk quota

2009-05-29 Thread Wojciech Puchar

for running telnet - even in a secure (ha!) environment - when so much
better alternatives exist.

Let me shoot you a hypothetical: your webserver gets compromised.


Something I pointed out earlier.


And what? Assuming it will actually be possible to get root access at all
because of a bug in such buggy things as PHP, MySQL etc. (unlikely), what
will he do?

An ARP attack from within a jail?

But just please accept that other people are DIFFERENT than you.

You prefer just repeating things that you once considered simply the best
(like ssh); I prefer something more.



Re: Remotely edit user disk quota

2009-05-29 Thread Wojciech Puchar

Wojciech Puchar woj...@wojtek.tensor.gdynia.pl wrote:


Even 15 seconds of thinking is enough to understand that logging
to other user and then su - gives completely no extra security.


I don't buy this, given that root's login name is well known :)


If someone can intercept the passwords you type, then he/she will
intercept both the user password you log in with and then the su password you type.


He/she can actually gain more if you use su, as you may use the same user
password somewhere else.



Remotely edit user disk quota

2009-05-28 Thread Olivier Nicole
Hi,

I am writing a Perl script to run on our web server. This script will
be used to create user accounts.

I can do almost everything on the web server:

- create the home directory
- add a user in LDAP
- create the MySQL database for that user

The only thing I cannot do is to set the disk quota: the home
directory is NFS mounted from another machine acting as file server,
the quota must be edited on the file server.

How could I nicely and securely connect from the script on the web
server to the file server, in order to edit the quota? It should be
nice and secure and without password.

TIA

Olivier


Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar

- create the MySQL database for that user

The only thing I cannot do is to set the disk quota: the home
directory is NFS mounted from another machine acting as file server,
the quota must be edited on the file server.

How could I nicely and securely connect from the script on the web
server to the file server, in order to edit the quota? It should be


use rsh and .rhosts :)


Re: Remotely edit user disk quota

2009-05-28 Thread Olivier Nicole
  How could I nicely and securely connect from the script on the web
  server to the file server, in order to edit the quota? It should be
 use rsh and .rhosts :)

I do that already, not really what I call secure ;) As I put up a new
machine, I'd prefer something else.

Olivier


Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar

use rsh and .rhosts :)


I do that already, not really what I call secure ;)


Could you please explain why it is not secure in your case?

I don't know exactly the environment in your case, so I can't answer for
sure, but most probably it's perfectly secure.




Re: Remotely edit user disk quota

2009-05-28 Thread Chris Rees
2009/5/28 Olivier Nicole o...@cs.ait.ac.th:
  How could I nicely and securely connect from the script on the web
  server to the file server, in order to edit the quota? It should be
 use rsh and .rhosts :)

 I do that already, not really what I call secure ;) As I put up a new
 machine, I'd prefer something else.

 Olivier

You could use ssh and ssh keys. That's what I use in my scripts.

rsh and ssh are so similar in use there's really no point in using rsh
at all any more. The security gained by ssh is so great that any (very
small) overhead is well worth it.

Chris


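Chris's suggestion of ssh with keys, carried one step further as an added example (this is not code from the thread): on the file server, the web server's key is pinned in authorized_keys to a single forced command, and that wrapper validates the request before anything touches a quota. The authorized_keys options are OpenSSH's own; the wrapper path, the "user soft hard" request format and the QUOTA_TOOL command are assumptions of this example.

```shell
#!/bin/sh
# Forced-command wrapper for a quota-only SSH key on the file server.
# Added example for this thread, not code from the original posts.
#
# Assumed authorized_keys line for the web server's key (one line, key is a placeholder):
#   command="/usr/local/sbin/quota-wrapper",no-port-forwarding,no-agent-forwarding,
#   no-X11-forwarding,no-pty ssh-rsa AAAA...KEY-PLACEHOLDER... webserver-quota
#
# With command= set, sshd ignores whatever the client asked to run and executes this
# wrapper instead; the client's request is delivered in $SSH_ORIGINAL_COMMAND and is
# treated here as untrusted input. QUOTA_TOOL is a placeholder for the site's own
# quota-setting command; the "<user> <soft> <hard>" convention is assumed, not FreeBSD's.

set -f   # no pathname expansion: a "*" in the request must not expand to file names

# validate_request "<user> <soft_blocks> <hard_blocks>"
# Prints the three fields, normalised to single spaces, on success; returns 1 otherwise.
validate_request() {
    # Word-split the request; exactly three fields are accepted.
    set -- $1
    [ $# -eq 3 ] || return 1
    user=$1 soft=$2 hard=$3

    # Username: lowercase POSIX portable characters, no leading digit or dash, at most
    # 32 characters. This rejects path separators, whitespace and shell metacharacters.
    printf '%s\n' "$user" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$' || return 1

    # Never touch a uid-0 account's quota through this channel (toor is FreeBSD's alt root).
    case $user in root|toor) return 1 ;; esac

    # Limits: unsigned decimal integers only (no signs, empty strings or suffixes),
    # short enough to stay well inside the shell's integer range.
    for n in "$soft" "$hard"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
        [ "${#n}" -le 12 ] || return 1
    done

    # The soft limit may not exceed the hard limit.
    [ "$hard" -ge "$soft" ] || return 1

    printf '%s %s %s\n' "$user" "$soft" "$hard"
}

# Entry point when sshd runs this as the forced command (skipped when sourced or tested).
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if args=$(validate_request "$SSH_ORIGINAL_COMMAND"); then
        set -- $args
        # SSH_CLIENT is set by sshd as "ip client-port server-port"; log the peer address.
        logger -t quota-wrapper "accepted: user=$1 soft=$2 hard=$3 from ${SSH_CLIENT%% *}"
        exec "${QUOTA_TOOL:-/usr/local/sbin/set-user-quota}" "$1" "$2" "$3"
    else
        logger -t quota-wrapper "rejected request from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
        exit 1
    fi
fi
```

Because the key can only ever reach this wrapper, a compromised web server gains the ability to set quotas for ordinary users and nothing else, and every accepted or rejected request is logged on the file server.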


Re: Remotely edit user disk quota

2009-05-28 Thread Olivier Nicole
  use rsh and .rhosts :)
 
  I do that already, not really what I call secure ;)
 
 Could you please explain why it is not secure in your case?
 
 I don't know exactly the environment in your case so i can't answer for 
 sure, but most probably it's perfectly secure.

Because rsh/rlogin etc. are insecure in any case. I don't remember the
details; I think it has to do with the way it checks (or does not check)
that the hosts are the ones they pretend to be.


Olivier


Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar

rsh and ssh are so similar in use there's really no point in using rsh
at all any more.


There is a point. Just try to think why, instead of simply repeating the
phrase "ssh is secure, rsh is not, don't use it".



Re: Remotely edit user disk quota

2009-05-28 Thread Chris Rees
2009/5/28 Wojciech Puchar woj...@wojtek.tensor.gdynia.pl:
 rsh and ssh are so similar in use there's really no point in using rsh
 at all any more.

 there is a point. Just try to think why instead of simply repeating a phrase
 ssh is secure, rsh is not, don't use it.


rlogin has several serious security problems:

* All information, including passwords, is transmitted unencrypted
(making it vulnerable to interception).
* The .rlogin (or .rhosts) file is easy to misuse (potentially
allowing anyone to login without a password) - for this reason many
corporate system administrators prohibit .rlogin files and actively
search their networks for offenders.
* The protocol partly relies on the remote party's rlogin client
providing information honestly (including source port and source host
name). A corrupt client is thus able to forge this and gain access, as
the rlogin protocol has no means of authenticating other machines'
identities, or ensuring that the rlogin client on a trusted machine is
the real rlogin client.
* The common practice of mounting users' home directories via NFS
exposes rlogin to attack by means of fake .rhosts files - this means
that any of NFS's security faults automatically plague rlogin.

Due to these serious problems rlogin was rarely used across untrusted
networks (like the public internet) and even in closed deployments it
has fallen into relative disuse (with many Unix and Linux
distributions no longer including it by default). Many networks which
formerly relied on rlogin and telnet have replaced it with SSH and its
rlogin-equivalent slogin.



Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar

sure, but most probably it's perfectly secure.


Because rsh/rlogin etc. is unsecure in any case. I don't remember the


Very bad that you don't remember the details.

Let me give you an example.

I throw $1000 on my table in my flat.

Is this money insecure?

The answer is: maybe. It's just as secure as my doors and windows, because
you have to enter my flat first to get it.


Other case: I put this $1000 into a hardened steel coffer.

Is it secure?

The answer is: the coffer provides EXTRA security over just throwing it
on the table.


The question: do I need the extra cost of a coffer? The answer depends again
on how good my doors and windows are!



Same with rsh. If your servers are connected by a LAN and only your
servers are there, it is not possible to:

1) sniff your traffic, as a potential sniffer isn't in the LAN
2) forge one of your inside IPs from outside.


So you simply don't need a coffer. As the coffer is an extra cost, ssh is an
extra cost.


Actually a great cost of unneeded encryption and RSA/DSA negotiation on
startup.




The other case: I have secure tunnels between some of my servers and my
home computer.


I use rsh/rlogin for everything there, as the communication is already
secured!



The difference between humans and monkeys is that a human can think for
himself instead of just learning and blindly repeating.



Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar

Due to these serious problems rlogin was rarely used across untrusted networks


Good, you finally pointed out the most important thing:

rlogin/rsh is insecure across an untrusted network.

This is QUITE a difference from "rsh is insecure, period".

rsh is as secure as the communication channel. If the channel can be
considered secure, DO USE rsh, because it's fastest as it doesn't have any
encryption overhead.





Re: Remotely edit user disk quota

2009-05-28 Thread Chris Rees
2009/5/28 Wojciech Puchar woj...@wojtek.tensor.gdynia.pl:
 Due to these serious problems rlogin was rarely used across untrusted
 networks

 Good you finally pointed out the most important thing

 rlogin/rsh is insecure across untrusted network

 This is QUITE a difference between this and rsh is insecure. period

 rsh is as secure as the communication channel. If it can be considered
 secure - DO USE rsh, because it's fastest as it doesn't have any encryption
 overhead.




But the encryption overhead is almost nothing.

The best security comes in layers.

Also, I think it's a bad idea to leave money lying round like that.
That's why we have banks. More layers.

Chris




Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar

Also, I think it's a bad idea to leave money lying round like that.
That's why we have banks. More layers.


Like most people today you like overcomplexity, layers etc.

But there are still people that prefer simplicity. You should have some
respect for them.



Re: Remotely edit user disk quota

2009-05-28 Thread Jon Radel

Wojciech Puchar wrote:



Also, I think it's a bad idea to leave money lying round like that.
That's why we have banks. More layers.


like most people today you like overcomplexity, layers etc.

But there are still people that prefer simplicity. You should have some 
respect to them.


Some.  But zero sympathy the day it all blows up in their faces due to 
just one little configuration error or, oops, exploit they didn't know 
about.


In any case, I believe we've had the "Wojciech can do all sorts of
advanced things as he doesn't have to protect himself from any junior
admins on shift 3 or comply with any best practices that he thinks are
silly because it's all about him on his network" conversation on this
list before.  A rehash would be tedious.


--

--Jon Radel
j...@radel.com




Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar

respect to them.


Some.  But zero sympathy the day it all blows up in their faces due to just 
one little configuration error or, oops, exploit they didn't know about.


What configuration error could you imagine? In my opinion there is a bigger
chance of making a configuration error in a more sophisticated config than
in a simple one.


And a higher chance of a security bug in a more complex program than in a simple one.

rshd is a damn simple program compared to sshd.


My rule is: if you can do it more simply, DO IT more simply.

If this makes me a very advanced administrator, it's just proof that it's
easy to become an advanced administrator: you just have to not blindly
repeat what's said everywhere.


Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar



rsh is as secure as the communication channel. If it can be considered
secure - DO USE rsh, because it's fastest as it doesn't have any
encryption overhead.


Are you on a 386?

Depends, between a Pentium I and a Core 2 Quad.

What's the difference?


Re: Remotely edit user disk quota

2009-05-28 Thread Kirk Strauser
On Thursday 28 May 2009 08:53:23 am Wojciech Puchar wrote:

 depends, between pentium I and core2 quad.

 what's a difference?

Well, I can transfer 25MB/s between hosts on the LAN without my CPU ever 
breaking 10% CPU usage.  I'm of the opinion that most people don't need to 
optimize for CPU in such cases when the security payoffs are so great.
-- 
Kirk Strauser


Re: Remotely edit user disk quota

2009-05-28 Thread Kirk Strauser
On Thursday 28 May 2009 06:13:11 am Wojciech Puchar wrote:

 rsh is as secure as the communication channel. If it can be considered
 secure - DO USE rsh, because it's fastest as it doesn't have any
 encryption overhead.

Are you on a 386?
-- 
Kirk Strauser


Re: Remotely edit user disk quota

2009-05-28 Thread Vincent Hoffman
On 28/5/09 15:04, Kirk Strauser wrote:
 On Thursday 28 May 2009 08:53:23 am Wojciech Puchar wrote:

  depends, between pentium I and core2 quad.

  what's a difference?

 Well, I can transfer 25MB/s between hosts on the LAN without my CPU ever
 breaking 10% CPU usage.  I'm of the opinion that most people don't need to
 optimize for CPU in such cases when the security payoffs are so great.

There is also the option of the HPN patches
(http://www.psc.edu/networking/projects/hpn-ssh/, included as options in
the openssh-portable port) which allow a "none" cipher, so you have the
security of the encrypted key authentication but no encryption overhead
for transferring files. However, the OP doesn't seem to want to transfer
files over it, so the encryption overhead will be pretty minimal anyway.


Re: Remotely edit user disk quota

2009-05-28 Thread Polytropon
On Thu, 28 May 2009 12:15:22 +0100, Chris Rees utis...@googlemail.com wrote:
 Also, I think it's a bad idea to leave money lying round like that.
 That's why we have banks. More layers.

No. We have banks because they make it easier to steal
people's money more silently, so they notice when it's
too late. Special offer from Lehman Brothers. :-)



-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: Remotely edit user disk quota

2009-05-28 Thread Polytropon
On Thu, 28 May 2009 09:04:43 -0500, Kirk Strauser k...@strauser.com wrote:
 Well, I can transfer 25MB/s between hosts on the LAN without my CPU ever 
 breaking 10% CPU usage.  I'm of the opinion that most people don't need to 
 optimize for CPU in such cases when the security payoffs are so great.

As Wojciech pointed out correctly before, security is only as
good as the weakest point. Of course you can add security by
using SSH, and it's definitely indicated when doing things via
the Internet. As long as you are inside your own net, covered
from the Internet, with only trustworthy machines inside it,
you could even use telnet.

If you connect systems by a security tunnel that already adds means
of cryptography, and you consider this tunnel to be secure
enough, the above situation applies. But you can always SSH
inside a security tunnel, if you want. It just increases
security. The more the better. :-) At the point where this
"the more" generates so much overhead that things are lagging,
stalling or just work much too slow, or slower than they
should, you can re-think the situation.





Re: Remotely edit user disk quota

2009-05-28 Thread Chris Rees
2009/5/28 Polytropon free...@edvax.de:
 On Thu, 28 May 2009 09:04:43 -0500, Kirk Strauser k...@strauser.com wrote:
 Well, I can transfer 25MB/s between hosts on the LAN without my CPU ever
 breaking 10% CPU usage.  I'm of the opinion that most people don't need to
 optimize for CPU in such cases when the security payoffs are so great.

 As Wojciech pointed out correctly before, security is only as
 good as the weakest point. Of course you can add security by
 using SSH, and it's definitely indicated when doing things via
 the Internet. As long as you are inside your own net, covered
 from the Internet, with only trustworthy machines inside it,
 you could even use telnet.

 Connecting systems by a security tunnel that already adds means
 of cryptography, and you consider this tunnel to be secure
 enough, the above situation applies. But you can always SSH
 inside a security tunnel, if you want. It just increases
 security. The more the better. :-) At the point where this
 the more generates so much overhead that things are lagging,
 stalling or just work much too slow, or slower than they
 should, you can re-thing the situation.



 --
 Polytropon
 From Magdeburg, Germany
 Happy FreeBSD user since 4.0
 Andra moi ennepe, Mousa, ...

I know I sound like Theo, but security and reliability are ALWAYS more
important than overhead or speed. Always. Since the OP asked for:

    How could I nicely and securely connect from the script on the web
    server to the file server, in order to edit the quota? It should be
    nice and secure and without password.

He even said 'secure' twice. There is a web server involved, meaning
possibility of compromise (we all know how secure web servers tend to
be), and then one has access to network traffic for sniffing. Also, if
this is for quotas, then surely the people accessing the server via
*NFS* are inside the network?

Chris



Re: Remotely edit user disk quota

2009-05-28 Thread Polytropon
On Thu, 28 May 2009 18:04:23 +0100, Chris Rees utis...@googlemail.com wrote:
 [The OP] even said 'secure' twice. There is a web server involved, meaning
 possibility of compromise (we all know how secure web servers tend to
 be), and then one has access to network traffic for sniffing. Also, if
 this is for quotas, then surely the people accessing the server via
 *NFS* are inside the network?

Yes, I agree with that, but it doesn't stand in any contradiction to
what I said, or what Wojciech said.

So for the OP, security is needed. As has been mentioned, using
encryption tunnels is one (valid) means to do this, SSH is another,
and both of them can even be combined. If the environment is so
insecure that it doesn't allow rsh / rlogin, then DO NOT USE IT.
But if it is secure, why not? At least, the OP's description involving
web servers doesn't justify using just rsh / rlogin, and not
telnet, of course. :-)




Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar


Well, I can transfer 25MB/s between hosts on the LAN without my CPU ever
breaking 10% CPU usage.

Probably true, I never actually checked. I just don't understand such
reasoning that you have to waste (even small) CPU power without sense.

For example a local private LAN or an already-encrypted VPN network, which
is a common case in my case.

Actually I don't use ssh at all except in rare cases when I help someone
else.



Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar

good as the weakest point. Of course you can add security by
using SSH, and it's definitely indicated when doing things via
the Internet. As long as you are inside your own net, covered
from the Internet, with only trustworthy machines inside it,
you could even use telnet.


Which I actually do. Even more! I ALWAYS change the configuration to allow
root login from telnet, rsh and ssh, which is disabled by default.

Even 15 seconds of thinking is enough to understand that logging in as another
user and then su - gives completely no extra security.


And yes, I do log in as root by insecure rsh and telnet.

The only thing you should be aware of is to not do it when the connection is
from outside and insecure.


In this case I actually don't even use ssh if it's not my computer. How can
I be sure that ssh is secure, but a keylogger isn't installed?





Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar

I know I sound like Theo, but security and reliability are ALWAYS more
important than overhead or speed.


I really agree with you.

That's why every admin (and user too) should think about what he/she is
doing, instead of repeating the same mantras about the security/insecurity of
something.



Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar

But if it is, why not? At least, the OP's description involving


Some time ago I heard from a Linux user that rshd is removed altogether because
it's insecure. Just another example of how good a decision I made moving
away from it.



Re: Remotely edit user disk quota

2009-05-28 Thread Kirk Strauser
On Thursday 28 May 2009 02:34:02 pm Wojciech Puchar wrote:

 And yes - i do log as root by insecure rsh and telnet.

OK, I'm now promoting you to batshit insane.  Seriously, there's no excuse 
for running telnet - even in a secure (ha!) environment - when so much 
better alternatives exist.

Let me shoot you a hypothetical: your webserver gets compromised.  The 
intruder uses a little ARP poisoning to launch a MITM attack between your 
workstation and the database server.  He comes back a couple hours later and 
uses your plaintext root password to make a backup of your database for his 
personal use.

Oh, but that could never happen to you, because you run a PtP VPN between 
every pair of machines on your network, said network being separated from the 
Internet by a 2 meter air gap and a Doberman Pinscher.

Seriously, using telnet today is flat-out stupid, and I'd fire you in a second 
if you brought that level of bullheaded incompetence into my company.

/rant
-- 
Kirk Strauser


Re: Remotely edit user disk quota

2009-05-28 Thread Wojciech Puchar



And yes - i do log as root by insecure rsh and telnet.


OK, I'm now promoting you to batshit insane.  Seriously, there's no excuse


Thank you very much. While I don't know exactly what the difference is
between batshit insane and insane, I feel really proud!

