On Tue, 21 Nov 2000, Roeland Meyer wrote:

> 
> 
> > -----Original Message-----
> > From: Jeff Turner [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, November 20, 2000 7:53 PM
> 
> > On Mon, 20 Nov 2000, Dave Dykstra wrote:
> > 
> > > On Sat, Nov 18, 2000 at 02:08:00PM +1100, Jeff Turner wrote:
> > > > Auto-login means that if any user's machine is compromised, the attacker
> > > > has an account on the server too! The ssh auto-login feature allows
> > > > users to create "webs of trust" completely outside the control of the
> 
> > > A very smart security expert successfully persuaded me that if a user's
> > > machine is compromised, all bets are off.  It makes no difference whether
> > > you use passwords/passphrases or not, the cracker can still get in to the server.
> 
> It was demonstrated to me, how trivial "cracking root" was, once someone
> obtains a shell account. Even with a shadow file.

So.. joe user's home computer is cracked. The attacker then types:

[root@home]# su joe
[joe@home]$ ssh server

Because Joe has configured ssh to "auto-login", the attacker now is on
the server.

[joe@server]$

Now, you're saying that this is equivalent to:

[root@server]#

I'm saying it isn't :) On a properly configured system (no known holes),
the worst the attacker can do is `rm -rf /home/joe`. Thus the ssh password
is primarily to protect *joe*, who wants to limit the damage to his
stuff.

> > So.. let's say user Joe's home computer is rooted. Must we now assume that
> > the attacker has access to Joe's user account on the server?
> 
> Yes. A root-kit installation will shortly follow.

Joe's user account != root

> 
> > Because a sysadmin has no control over a user's computer, the safest
> > assumption is then that all user's home computers are compromised,
> > and therefore so are their accounts on the server.
> > 
> > So the only thing a sysadmin can really do is make sure that users can't
> > hurt the system EVER.
> 
> No can do. Rather, the only way to do this is to not have users.

Make that "TRY to make sure users can't hurt the system EVER". 

The point is that it's better to expend effort making sure the system
cannot be hurt by users *whatever* their intentions, than to try to
guarantee that only users with good intentions can log in.

--Jeff

> 
> > > The vital thing is to secure the user's machine, not introduce
> > > artificial barriers that don't make any difference anyway.
> > 
> > Hear hear :)
> 

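Added example, not part of the thread or of OpenSSH itself: a defender-side check that tells a passphrase-protected private key from an unprotected "auto-login" key, the condition the thread is arguing about. The file paths and key contents are constructed samples, not real keys.

```python
import base64
import struct

# Added example (not from the original thread): classify an OpenSSH private
# key as passphrase-protected or not. An unprotected key is the "auto-login"
# case above: whoever can read the file can log in as that user.

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(blob, off):
    """Parse one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_is_passphrase_protected(pem_text):
    """True if the private key is encrypted. Handles the native
    'OPENSSH PRIVATE KEY' format and the legacy PEM formats (RSA/DSA/EC)
    that OpenSSH wrote before it defaulted to its own format."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-encoded private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # The first string after the magic is the cipher name; "none" means
        # the key material is stored in the clear.
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    # Legacy PEM: an encrypted key carries a 'Proc-Type: 4,ENCRYPTED' header.
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:])

def unprotected_keys(named_keys):
    """Given {path: key_text}, return the paths whose keys have no passphrase."""
    return sorted(p for p, t in named_keys.items()
                  if not key_is_passphrase_protected(t))

def _fake_openssh_key(cipher):
    """Constructed sample: only the header fields the check inspects."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")

SAMPLE_KEYS = {  # constructed samples, not real keys
    "/home/joe/.ssh/id_ed25519": _fake_openssh_key(b"none"),
    "/home/joe/.ssh/id_work": _fake_openssh_key(b"aes256-ctr"),
    "/home/joe/.ssh/id_rsa": ("-----BEGIN RSA PRIVATE KEY-----\n"
                              "Proc-Type: 4,ENCRYPTED\n"
                              "DEK-Info: AES-128-CBC,0011223344556677\n\n"
                              "QUJD\n-----END RSA PRIVATE KEY-----\n"),
    "/home/joe/.ssh/id_dsa": ("-----BEGIN DSA PRIVATE KEY-----\n"
                              "QUJD\n-----END DSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for path in unprotected_keys(SAMPLE_KEYS):
        print("no passphrase:", path)
```

On a real host, read each user's `~/.ssh/id_*` file into `named_keys` and feed the dict to `unprotected_keys`; the check only looks at headers, so it never needs the passphrase.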