My point was that it should not matter only when you're dealing with
users' accounts. Even if they log in under a user account to your primary
server they still won't be using a root account. On the other hand, if
you did this with the root account then I would agree with you. It is the
administrator's duty to secure all the computers and not the other way
around, but if your users have root access then security should become
their concern and not yours. Can you imagine trying to manage such a
network? You would not know what they have done to the computer.
On Tue, 21 Nov 2000, Admin wrote:
> I don't agree with your analogy for the following reasons.
>
> 1. A server should be secure enough that any regular user can't gain
> access to the root account\files.
Agreed.
> 2. If a computer is broken into on a network, then most likely every
> computer of that network will have the same password and shadow file.
> This is simply replicated from the server.
Password and shadow files are not replicated across the network. Most
users have different passwords on different computers.
> Thus whether you use passwords or something else it would not make
> any difference since someone who has gained root access would be able
> to copy the shadow file and crack it wide open.
They have access on a user's computer, not the server.
> 3. Someone would need to gain complete control of the computer to be
> able to make use of the autologin feature, if properly configured.
We're talking about the user's computer, remember. Not under the
sysadmin's control. Most users have not the first clue about security, so
for an attacker to get root on a user's box isn't hard.
> Even if all these barriers are broken, it is a great idea to have a
> firewall to block all computer that should not have access to your
> network
Joe's home computer is a valid connecting IP. The problem is that it's not
Joe behind the wheel.
> and if you
> can't trust your internal employees then that's a company problem. It is
> also possible to set up an alarm to let you know if someone is tampering
> with certain files. A properly configured network would not need to worry
> about this issue.
Right! Spend time securing the server, rather than futile attempts at
ensuring the good intentions of connecting users.
--Jeff
> Have a happy !
> -----Original Message-----
> From: Jeff Turner [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, November 21, 2000 6:27 AM
> To: Dave Dykstra
> Cc: [EMAIL PROTECTED]
> Subject: Re: autologin considered harmful?
>
>
>
> On Mon, 20 Nov 2000, Dave Dykstra wrote:
>
> > On Sat, Nov 18, 2000 at 02:08:00PM +1100, Jeff Turner wrote:
> > > Auto-login means that if any user's machine is compromised, the attacker
> > > has an account on the server too! The ssh auto-login feature allows
> > > users to create "webs of trust" completely outside the control of the
> > > sysadmin. It removes the password barrier between systems, and allows
> > > breakins to quickly propagate between systems. As such it is harmful and
> > > wrong, and should be switched off by default.
> >
> > A very smart security expert successfully persuaded me that if a user's
> > machine is compromised, all bets are off. It makes no difference whether
> > you use passwords/passphrases or not, the cracker can still get in to the
> > server.
>
> So.. let's say user Joe's home computer is rooted. Must we now assume that
> the attacker has access to Joe's user account on the server?
>
> If so...
>
> Because a sysadmin has no control over a user's computer, the safest
> assumption is then that all users' home computers are compromised,
> and therefore so are their accounts on the server.
>
> So the only thing a sysadmin can really do is make sure that users can't
> hurt the system EVER.
>
> > The vital thing is to secure the user's machine, not introduce
> > artificial barriers that don't make any difference anyway.
>
> Hear hear :)
>
>
> --Jeff
>
> > The best overall solution is to use ssh-agent on a secured client
> > machine rather than passphrase-less keys, because that also protects
> > against physical seizure of the client machine, although most of us
> > don't worry about that.
> >
> > - Dave Dykstra
>
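As an added example (not code from this thread or from any of its posters), a small Python audit of the server-side half of the argument: it parses a constructed authorized_keys sample and flags which keys a compromised client could use from any host, and which give a full login shell rather than a forced command. The `from=`, `command=` and `restrict` options are standard sshd authorized_keys options; the key blobs, addresses and comments are placeholders.

```python
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# joe's passphrase-less key, no restrictions at all
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEKEY1 joe@home
from="203.0.113.7",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEKEY2 joe@home-pinned
restrict,command="/usr/bin/rsync --server --sender . /srv/backup" ssh-rsa AAAAB3EXAMPLEKEY3 backup
"""

def split_unquoted(text, sep):
    """Split on sep, but not inside double quotes (command="a b,c" stays whole)."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p]

def parse_line(line):
    """Return (options, key_type, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = split_unquoted(line, " ")
    options = [] if fields[0] in KEY_TYPES else split_unquoted(fields.pop(0), ",")
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("unparseable authorized_keys line: " + line)
    return options, fields[0], " ".join(fields[2:])

def audit(text):
    """One finding per key: can it log in from any host, and run any command?"""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, _, comment = parsed
        names = {opt.split("=", 1)[0] for opt in options}
        findings.append({"comment": comment,
                         # from= pins the client address but cannot tell Joe from
                         # an attacker on Joe's permitted machine (Jeff's point)
                         "any_host": "from" not in names,
                         # no command= and no restrict: a full login shell
                         "any_command": not ({"command", "restrict"} & names)})
    return findings
```

Run `audit(SAMPLE_AUTHORIZED_KEYS)` to get one dict per key; only the rsync key limits what a stolen key can do, and even the pinned key is fully usable from Joe's own compromised box.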