Subject: Re: BSD/PAM Authentication requirements
To: None <current-users@netbsd.org>
From: Michael C. Richardson <mcr@sandelman.ottawa.on.ca>
List: current-users
Date: 11/23/1998 18:11:20


>>>>> "Ted" == Ted Lemon <mellon@hoffman.vix.com> writes:

    >> 1. you can ftp/telnet to from some IP addresses (or some ttys), but
    >> SSH only with RSA Auth to from others.

    Ted> Firewall.

  Got one. It doesn't really help, and even if I got a better one (I've
written better ones), the administrative overhead is too high.
  I want to allow FTP in for the anon account from anywhere, and I want to be
able to FTP as me from a box next to it (both behind the firewall on a third
interface), but I don't want someone to be able to use the FTP service to run
dictionary attacks on my password because they could use it to access my
account via SSH. (a la rootshell)
  Yet, this machine is one that I want to be able to SSH into without RSA
authentication, but I don't want my pop users to be able to get into their
accounts via SSH without RSA.

    >> 2. accounts can ftp, pop, but not SSH in.

    Ted> Will logincap actually do this?

  I have no idea. You asked why we need *something* --- I'm listing
requirements that I have.

    >> 3. accounts can POP in, and SSH in, but not with a password, at the
    >> same time, the same IP may have to be permitted to telnet in to use a
    >> different account (i.e. one that doesn't let them out of the program)

    Ted> What about this?

    >> 4. all of the above, but now with CryptoCard, SecurID and s/key.
    >> i.e. you can telnet in with your password from host1, you must use
    >> your SSH RSA Auth key from host2, but I'll let you do FTP with
    >> SecurID from host3.

    Ted> And this?

    Ted> Would you be offended if I pointed out that you've described a
    Ted> surprisingly complicated authentication scheme?  Is this really what

  I know it is complicated. 

    Ted> you want, or are you being forced into it because of failings of the
    Ted> technology that's currently available?

  If I could encrypt absolutely everything, could provide the programs to do
this to anyone, and for any platform, and could provide SPKI certificates to
authorize each access (or PKIX AA certs) then I wouldn't need this stuff. 

    Ted> Anytime I see complexity and security in the same place, I get
    Ted> *real* nervous.

  Me too. That's why I run SSHD with "PasswordAuthentication no" and rc.conf,
inetd=NO on my secure systems. The problems occur on my *insecure* systems
where I need to be able to do other things, yet I don't really want to give the
whole system away.

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |         Firewalls, TCP/IP and Unix administration
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
 Corporate: http://www.sandelman.ottawa.on.ca/SSW/
	ON HUMILITY: To err is human, to moo bovine.


 
