I don't agree with your analogy for the following reasons.

1.  A server should be secure enough that any regular user can't gain
access to the root account\files.
2.  If a computer is broken into on a network, then most likely every
computer of that network will have the same password and shadow file.
This is simply replicated from the server.  Thus whether you use
passwords or something else it would not make any difference, since
someone who has gained root access would be able to copy the shadow
file and crack it wide open.
3.  Someone would need to gain complete control of the computer to be able
to make use of the autologin feature, if properly configured.

Even if all these barriers are broken, it is a great idea to have a
firewall to block all computers that should not have access to your network,
and if you can't trust your internal employees then that's a company problem.
It is also possible to set up alarms to let you know if someone is tampering
with certain files.  A properly configured network would not need to worry
about this issue.

Have a happy !
-----Original Message-----
From:   Jeff Turner [SMTP:[EMAIL PROTECTED]]
Sent:   Tuesday, November 21, 2000 6:27 AM
To:     Dave Dykstra
Cc:     [EMAIL PROTECTED]
Subject:        Re: autologin considered harmful?



On Mon, 20 Nov 2000, Dave Dykstra wrote:

> On Sat, Nov 18, 2000 at 02:08:00PM +1100, Jeff Turner wrote:
> > Auto-login means that if any user's machine is compromised, the attacker
> > has an account on the server too! The ssh auto-login feature allows
> > users to create "webs of trust" completely outside the control of the
> > sysadmin. It removes the password barrier between systems, and allows
> > breakins to quickly propagate between systems. As such it is harmful and
> > wrong, and should be switched off by default.
>
> A very smart security expert successfully persuaded me that if a user's
> machine is compromised, all bets are off.  It makes no difference whether
> you use passwords/passphrases or not, the cracker can still get in to the
> server.

So.. let's say user Joe's home computer is rooted. Must we now assume that
the attacker has access to Joe's user account on the server?

If so...

Because a sysadmin has no control over a user's computer, the safest
assumption is then that all users' home computers are compromised,
and therefore so are their accounts on the server.

So the only thing a sysadmin can really do is make sure that users can't
hurt the system EVER.

> The vital thing is to secure the user's machine, not introduce
> artificial barriers that don't make any difference anyway.

Hear hear :)


--Jeff

> The best overall solution is to use ssh-agent on a secured client
> machine rather than passphrase-less keys, because that also protects
> against physical seizure of the client machine, although most of us
> don't worry about that.
>
> - Dave Dykstra
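A check in the spirit of Dave's closing suggestion, added here as an example and not part of the original thread: it inspects private key files and reports which ones are passphrase-less (the auto-login case), by reading the ciphername/kdfname fields of the OpenSSH native key format or the Proc-Type header of a legacy PEM key. The sample keys are constructed stubs carrying only those header fields, not real keys.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>.*?)-----END (?P=label)-----", re.S)

def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def private_key_is_encrypted(pem_text: str) -> bool:
    """True if the key is passphrase-protected, False if it is a bare auto-login key."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group("label"), m.group("body")
    if label == "OPENSSH PRIVATE KEY":
        # Native format: magic, then ciphername and kdfname as SSH strings.
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, _ = _read_string(blob, off)
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by a header line.
    return "Proc-Type: 4,ENCRYPTED" in body

def passphraseless_keys(keys):
    """Given (name, pem_text) pairs, return the names of keys that need no passphrase."""
    return [name for name, text in keys if not private_key_is_encrypted(text)]

def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample, not a real key: only the header fields the checker reads are set."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples: a bare auto-login key, an aes256-ctr/bcrypt protected key,
# and a legacy PEM key carrying the encryption header.
AUTOLOGIN_KEY = _fake_openssh_key(b"none", b"none")
PROTECTED_KEY = _fake_openssh_key(b"aes256-ctr", b"bcrypt")
LEGACY_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJD\n"
              "-----END RSA PRIVATE KEY-----\n")
```

Run over the contents of each user's ~/.ssh, `passphraseless_keys` lists exactly the keys that give an attacker who copies them silent access to every host that trusts them.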
