Well, in case of getting rooted, use encrypted home directories ;)
Claes Comly
On Tue, 21 Nov 2000, Jeff Turner wrote:
>
>
> On Mon, 20 Nov 2000, Dave Dykstra wrote:
>
> > On Sat, Nov 18, 2000 at 02:08:00PM +1100, Jeff Turner wrote:
> > > Auto-login means that if any user's machine is compromised, the attacker
> > > has an account on the server too! The ssh auto-login feature allows
> > > users to create "webs of trust" completely outside the control of the
> > > sysadmin. It removes the password barrier between systems, and allows
> > > breakins to quickly propagate between systems. As such it is harmful and
> > > wrong, and should be switched off by default.
> >
> > A very smart security expert successfully persuaded me that if a user's
> > machine is compromised, all bets are off. It makes no difference whether
> > you use passwords/passphrases or not, the cracker can still get in to the
> > server.
>
> So.. let's say user Joe's home computer is rooted. Must we now assume that
> the attacker has access to Joe's user account on the server?
>
> If so...
>
> Because a sysadmin has no control over a user's computer, the safest
> assumption is then that all users' home computers are compromised,
> and therefore so are their accounts on the server.
>
> So the only thing a sysadmin can really do is make sure that users can't
> hurt the system EVER.
>
> > The vital thing is to secure the user's machine, not introduce
> > artificial barriers that don't make any difference anyway.
>
> Hear hear :)
>
>
> --Jeff
>
> > The best overall solution is to use ssh-agent on a secured client
> > machine rather than passphrase-less keys, because that also protects
> > against physical seizure of the client machine, although most of us
> > don't worry about that.
> >
> > - Dave Dykstra
>
>
>
>