[OT] TCP/IP and OSI (Was: Re: MAC-based ssh)
On Fri, 02 May 2003 at 06:20:58PM +0200, Peter Ondraska wrote:
> Doesn't TCP/IP have only at most 4 layers?

In the OSI model there are 7 Layers. TCP/IP takes up only two of them (3 & 4).

Layer 1 - Physical - Cat5, Fiber, etc.
Layer 2 - Datalink - Ethernet, FDDI, etc.
Layer 3 - Network - IP, IPX, etc.
Layer 4 - Transport - TCP, UDP, XPX, ICMP, IGMP, (the list goes on and on).
Layer 5 - Session - HTTP, SMTP, POP3, SSH, NNTP, etc.
Layer 6 - Presentation - GIF, HTML, etc.
Layer 7 - Application - Layer for communicating with the user.

So, to answer your question, yes TCP only acts at layer 4, but when one looks at networking as a whole it goes up much farther than layer 4. Layer 4 and down is usually the concern of the O/S.

-- 
Phillip Hofmeister
Network Administrator/Systems Engineer
IP3 Inc. http://www.ip3security.com
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #71: Someone is standing on the Ethernet cable causing a kink in the cable
Re: MAC-based ssh
Hans van Leeuwen [EMAIL PROTECTED] wrote:
> Hello,
> My company has created an application that allows remote users to edit their DNS-records. This app needs to restart bind on the remote nameservers.

This is a poor way to do dynamic DNS.

> I have decided to do this through SSH by putting the client key in authorized_keys2. But this seems a little risky, so I was wondering if it was possible to get sshd to only allow the client MAC-address.

I think you're probably trying to solve the wrong problem here, but you can add a command="/usr/bin/dowhatever" directive to the line for your key in authorized_keys, and when that key is used to log in, that's the command that gets run. This will reduce your risk somewhat.

-- 
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Re: MAC-based ssh
hi,

using mac addresses for client authentication seems to me an extremely risky business as a mac address can easily be copied/cloned/spoofed... imho, it does not offer any authentication at all...

g.

On Fri, 2 May 2003, Hans van Leeuwen wrote:
> Hello,
> My company has created an application that allows remote users to edit their DNS-records. This app needs to restart bind on the remote nameservers.
> I have decided to do this through SSH by putting the client key in authorized_keys2. But this seems a little risky, so I was wondering if it was possible to get sshd to only allow the client MAC-address.
> I've looked around, but for some reason search-engines tend to send me to www.apple.com ;-)
> Hans
Re: MAC-based ssh
did you consider just blocking other mac-addresses through iptables?

but... i don't know what you are doing there, but are you sure you want to grant every user ssh access? i assume you need to be root for this? how are you going to solve it over ssh? and how do you prevent users from just shutting down your bind?

i would suggest using a webinterface, for example with php, which puts commands into a database, or something similar (perhaps a text file could do it, too) and then run a cronjob, let's say, every 10 mins with a script that restarts bind.

HvL> Hello,
HvL> My company has created an application that allows remote users to edit
HvL> their DNS-records. This app needs to restart bind on the remote nameservers.
HvL> I have decided to do this through SSH by putting the client key in
HvL> authorized_keys2. But this seems a little risky, so I was wondering if
HvL> it was possible to get sshd to only allow the client MAC-address.
HvL> I've looked around, but for some reason search-engines tend to send me
HvL> to www.apple.com ;-)
Re: MAC-based ssh
Hans van Leeuwen [EMAIL PROTECTED] writes:
> My company has created an application that allows remote users to edit their DNS-records. This app needs to restart bind on the remote nameservers.

I think this is the wrong solution. A better idea is a cron job on the nameserver periodically reloading the zone files (which are what you're editing, right?). Another solution, requiring more work, is to use secure dynamic updates (as detailed by RFC 3007).

-- 
Espen Wiborg [EMAIL PROTECTED]
Do not meddle in the affairs of gurus, for they can make your life miserable by doing nothing.
Re: MAC-based ssh
Hello,

are you really sure that your dns server and all customers are located in the same ip subnet? Authentication via the mac address of your internet router does not seem to be a very secure idea... ;)

achim

-- 
Democracy rests on three principles: freedom of conscience, freedom of speech, and the prudence not to make use of either. [ Mark Twain ]
PGP: DCBF 6A6B 87A8 741C FBF8 27AC 2DBA 62D2 7A57 6D88
Re: MAC-based ssh
Kay-Michael Voit wrote:
> did you consider just blocking other mac-addresses through iptables?

Yes, but the MAC should just be checked for one specific user.

> but... i don't know what you are doing there, but are you sure you want to grant every user ssh access?

No, just one user with limited rights. That user executes a C-script that becomes root and reloads bind. Only this user's key is trusted.

> i would suggest using a webinterface, for example with php, which puts commands into a database, or something similar (perhaps a text file could do it, too) and then run a cronjob, let's say, every 10 mins with a script that restarts bind.

But isn't ssh more secure than a web interface (even when using SSL)? Using your method, anybody who hacks the webapp has total root access...

We thought about the cron-option, but as soon as a domain is registered, the Dutch TLD-organisation checks if there is a valid DNS-record. Therefore bind needs to be reloaded as soon as the mail is sent to the TLD-org. We could queue all mail and send it through a cronjob as well, but this seems a bit complicated for the task.
Re: MAC-based ssh
Danny De Cock wrote:
> hi, using mac addresses for client authentication seems to me an extremely risky business as a mac address can easily be copied/cloned/spoofed... imho, it does not offer any authentication at all...

I understand that MAC-addresses can be spoofed, but I thought I would use it as an extra layer of protection. Of course a valid key will also be needed.

Hans
Re: MAC-based ssh
On 02 May 2003, Hans van Leeuwen wrote:
> I have decided to do this through SSH by putting the client key in authorized_keys2. But this seems a little risky, so I was wondering if it was possible to get sshd to only allow the client MAC-address.

If these remote users always connect from the same IP address, then you should put this into authorized_keys:

from="hostname or ip" ssh-rsa ...public-key...

It is also possible to further restrict this connection. Something like

command="/etc/init.d/bind restart",from="..." ssh-rsa ...

will restart bind for every such connection without giving the user any other possibilities. Check sshd(8) for more options.

Oliver
Re: MAC-based ssh
On Fri May 02, 2003 at 02:34:17PM +0200, Oliver Hitz wrote:
> On 02 May 2003, Hans van Leeuwen wrote:
> > I have decided to do this through SSH by putting the client key in authorized_keys2. But this seems a little risky, so I was wondering if it was possible to get sshd to only allow the client MAC-address.
> [...]
> It is also possible to further restrict this connection. Something like
>
> command="/etc/init.d/bind restart",from="..." ssh-rsa ...
>
> will restart bind for every such connection without giving the user any other possibilities. Check sshd(8) for more options.

Better for an unprivileged user:

command="sudo /etc/init.d/bind restart",from="..." ssh-rsa ...

so long
Thomas

-- 
 .''`.  Obviously we do not want to leave zombies around. - W. R. Stevens
: :' :  Thomas Krennwallner djmaecki at ull dot at
`. `'`  1024D/67A1DA7B 9484 D99D 2E1E 4E02 5446 DAD9 FF58 4E59 67A1 DA7B
  `-    http://bigfish.ull.at/~djmaecki/
Re: MAC-based ssh
Oliver Hitz wrote:
> It is also possible to further restrict this connection. Something like
>
> command="/etc/init.d/bind restart",from="..." ssh-rsa ...

This does the job. Only I execute 'bind restart' through a small C-program with a suid-bit.

Thanks for the help everybody!

Hans
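The `command=` / `from=` restriction that Oliver and Thomas describe, and that Hans adopted, is worth seeing end to end: the forced command receives whatever the client asked for in `SSH_ORIGINAL_COMMAND`, so a small wrapper can refuse anything except the one permitted action, and the key line can also switch off pty, port, X11 and agent forwarding. The script below is an added example, not code from the thread or from any of its authors. It assumes the wrapper is installed at the hypothetical path `/usr/local/bin/bind-reload-only`, that the privileged action is the `sudo /etc/init.d/bind restart` from Thomas's post (an `rndc reload`, as bastian suggests, would drop in the same way), and that `203.0.113.10` is a constructed source address. Everything except the final dispatch is kept in functions so it can be exercised without sshd.

```shell
#!/bin/sh
# Forced-command wrapper for a restricted authorized_keys entry (added example).
# Assumed install path: /usr/local/bin/bind-reload-only (hypothetical).
# RELOAD_CMD defaults to the sudo line from the thread; override it for rndc.

# Decide whether the client's requested command is allowed. sshd exports the
# original request in SSH_ORIGINAL_COMMAND; an empty value means a plain
# "ssh host" with no command. Only that, or the literal word "reload", passes.
bind_reload_allowed() {
    case "$1" in
        ""|reload) return 0 ;;
        *)         return 1 ;;
    esac
}

# Build the authorized_keys line: forced command, source restriction, and the
# sshd(8) options that remove everything the user does not need (no shell
# terminal, no tunnels, no X11, no agent forwarding).
make_authorized_keys_line() {
    src="$1"
    pubkey="$2"
    wrapper="${3:-/usr/local/bin/bind-reload-only}"
    printf 'command="%s",from="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$wrapper" "$src" "$pubkey"
}

# Entry point when sshd runs the wrapper: log the decision, then either exec
# the single privileged action or reject the request.
main() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if bind_reload_allowed "$req"; then
        logger -t bind-reload-only "reload requested from ${SSH_CONNECTION:-unknown}"
        exec ${RELOAD_CMD:-sudo /etc/init.d/bind restart}
    fi
    logger -t bind-reload-only "rejected command: $req"
    echo "only 'reload' is permitted on this key" >&2
    exit 1
}

# Dispatch only when executed under the installed name, so the functions can
# also be sourced and tested without touching bind.
case "$0" in
    *bind-reload-only) main ;;
esac
```

Generate the key line once with `make_authorized_keys_line 203.0.113.10 "ssh-rsa AAAA..."` and append it to the restricted user's `authorized_keys`; the matching sudoers entry should then permit that user only the exact reload command, which is the piece the suid C program in Hans's setup was standing in for.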
Re: MAC-based ssh
On Fri, 02 May 2003 at 12:26:04PM +0200, Hans van Leeuwen wrote:
> I have decided to do this through SSH by putting the client key in authorized_keys2. But this seems a little risky, so I was wondering if it was possible to get sshd to only allow the client MAC-address.

SSHD cannot do what you are asking it to do; in fact I don't think there are many TCP/IP Applications that can. The MAC address is WELL below the layers 5, 6, 7 that most internet applications reside in. Many applications can pick up layer 3 and 4 data (IP Address and port) but the layer 2 information (MAC) is usually only a concern for the O/S Kernel.

Some of the other options discussed in this thread might be a better solution.

-- 
Phillip Hofmeister
Network Administrator/Systems Engineer
IP3 Inc. http://www.ip3security.com
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #163: RPC_PMAP_FAILURE
Re: MAC-based ssh
On Fri, 2 May 2003, Phillip Hofmeister wrote:
> On Fri, 02 May 2003 at 12:26:04PM +0200, Hans van Leeuwen wrote:
> > I have decided to do this through SSH by putting the client key in authorized_keys2. But this seems a little risky, so I was wondering if it was possible to get sshd to only allow the client MAC-address.
>
> SSHD cannot do what you are asking it to do; in fact I don't think there are many TCP/IP Applications that can. The MAC address is WELL below the layers 5, 6, 7 that most internet applications reside in.

Doesn't TCP/IP have only at most 4 layers?

Peter Ondraska

> Many applications can pick up layer 3 and 4 data (IP Address and port) but the layer 2 information (MAC) is usually only a concern for the O/S Kernel.
>
> Some of the other options discussed in this thread might be a better solution.
>
> -- 
> Phillip Hofmeister
> Network Administrator/Systems Engineer
> IP3 Inc. http://www.ip3security.com
> PGP/GPG Key: http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #163: RPC_PMAP_FAILURE
Re: MAC-based ssh
On Fri, May 02, 2003 at 12:26:04PM +0200, Hans van Leeuwen wrote:
> My company has created an application that allows remote users to edit their DNS-records. This app needs to restart bind on the remote nameservers.

bind never needs to be restarted, use rndc or dns updates with key.

bastian

-- 
Captain's Log, star date 21:34.5...