On Mon, 20 Nov 2000, Dave Dykstra wrote:

> On Sat, Nov 18, 2000 at 02:08:00PM +1100, Jeff Turner wrote:
> > Auto-login means that if any user's machine is compromised, the attacker
> > has an account on the server too! The ssh auto-login feature allows
> > users to create "webs of trust" completely outside the control of the
> > sysadmin. It removes the password barrier between systems, and allows
> > break-ins to quickly propagate between systems. As such it is harmful and
> > wrong, and should be switched off by default.
> 
> A very smart security expert successfully persuaded me that if a user's
> machine is compromised, all bets are off.  It makes no difference whether
> you use passwords/passphrases or not, the cracker can still get in to the
> server.

So... let's say user Joe's home computer is rooted. Must we now assume that
the attacker has access to Joe's user account on the server?

If so...

Because a sysadmin has no control over a user's computer, the safest
assumption is then that all users' home computers are compromised,
and therefore so are their accounts on the server.

So the only thing a sysadmin can really do is make sure that users can't
hurt the system EVER.

> The vital thing is to secure the user's machine, not introduce
> artificial barriers that don't make any difference anyway.

Hear hear :)


--Jeff

> The best overall solution is to use ssh-agent on a secured client
> machine rather than passphrase-less keys, because that also protects
> against physical seizure of the client machine, although most of us
> don't worry about that.
> 
> - Dave Dykstra
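The thread above contrasts passphrase-less keys with ssh-agent but gives a sysadmin no way to see which of the two a user actually chose. The following is an added example, not code from either poster or from OpenSSH: it inspects a private key file and reports whether it is passphrase-protected, for both the legacy PEM layout (encrypted keys carry a "Proc-Type: 4,ENCRYPTED" header) and the newer "OPENSSH PRIVATE KEY" container (whose binary header names the cipher; "none" means no passphrase). The sample key blocks are constructed inline with only the header fields filled in, and the directory-scanning helper assumes the usual ~/.ssh/id_* naming.

```python
import base64
import glob
import os
import struct

# OpenSSH's new private-key container starts with this magic string
# (the trailing NUL is part of it), followed by SSH "string" fields:
# ciphername, kdfname, kdfoptions, then a uint32 key count.
MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_TAIL = "-----END OPENSSH PRIVATE KEY-----"


def _read_ssh_string(buf, off):
    """Read one length-prefixed SSH string at offset off; return (bytes, new_off)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def openssh_key_cipher(key_text):
    """Return the ciphername recorded in an OPENSSH PRIVATE KEY block.

    'none' means the key material is stored without a passphrase."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if lines[0] != OPENSSH_HEAD or lines[-1] != OPENSSH_TAIL:
        raise ValueError("not an OPENSSH PRIVATE KEY block")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic in OPENSSH PRIVATE KEY block")
    cipher, off = _read_ssh_string(blob, len(MAGIC))
    kdf, off = _read_ssh_string(blob, off)      # read to validate layout
    return cipher.decode("ascii")


def is_passphrase_protected(key_text):
    """True if the private key is encrypted with a passphrase, False if stored in the clear."""
    head = key_text.strip().splitlines()[0].strip()
    if head == OPENSSH_HEAD:
        return openssh_key_cipher(key_text) != "none"
    if head.startswith("-----BEGIN ") and head.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
        return any(ln.strip().startswith("Proc-Type: 4,ENCRYPTED")
                   for ln in key_text.splitlines())
    raise ValueError("unrecognised private key format")


def audit_key_files(paths):
    """Return [(path, protected_or_None)] for each file; None means unparseable."""
    report = []
    for path in paths:
        try:
            with open(path, "r", encoding="ascii", errors="replace") as fh:
                report.append((path, is_passphrase_protected(fh.read())))
        except (OSError, ValueError, struct.error):
            report.append((path, None))
    return report


# --- constructed sample keys (header fields only; no real key material) ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _constructed_openssh_block(cipher, kdf):
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return OPENSSH_HEAD + "\n" + body + "\n" + OPENSSH_TAIL + "\n"


SAMPLE_OPENSSH_PLAIN = _constructed_openssh_block(b"none", b"none")
SAMPLE_OPENSSH_ENCRYPTED = _constructed_openssh_block(b"aes256-ctr", b"bcrypt")
SAMPLE_LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nQUJD\n"
                           "-----END RSA PRIVATE KEY-----\n")


if __name__ == "__main__":
    # Usage: scan the invoking user's ~/.ssh for id_* private keys (hypothetical naming assumption).
    candidates = [p for p in glob.glob(os.path.expanduser("~/.ssh/id_*")) if not p.endswith(".pub")]
    for path, protected in audit_key_files(candidates):
        state = {True: "passphrase-protected", False: "NO PASSPHRASE", None: "unreadable"}[protected]
        print(f"{path}: {state}")
```

Run as a normal user it reports that user's own keys; a sysadmin can feed it any list of key paths instead of the glob. Only the container header is decoded, so the script never needs the passphrase and never touches key material.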
