Subject: Re: PMAX and PVM
To: None <mcmahill@mtl.mit.edu>
From: Andreas Kotes <count@flatline.de>
List: port-pmax
Date: 01/18/2000 05:05:30
Hi!

On Mon, 17 Jan 2000 mcmahill@mtl.mit.edu wrote:
> > On Mon, 17 Jan 2000 mcmahill@mtl.mit.edu wrote:
> 
> > > and get a prompt.  This means you need Rhosts with RSA authentication set
> > > in /etc/sshd_config (the default).  However, the ssh binary needs to be
> > > set to suid for this to work.
> > 
> > no, not really, and this is not the 'most secure' way to do this.
> 
> really?  Without changing anything else, changing the perms on the ssh
> binary made the difference between RhostsRSAAuthentication working and not
> working.  I'm not an expert though and I do admit I don't like suid progs.

it IS necessary for RhostsRSAAuthentication, but one shouldn't use that,
if avoidable!

RhostsRSAAuthentication only works if the TCP connection originates from a
privileged port (<1024), that's why the setuid bit is required. using
personalities to just allow only this would be a wise possibility, but
these aren't always available.

> > I don't know the software you're talking about, but using RSA host
> > authentication isn't optimal. better use RSA authentication by key, and
> > configure the authorized_keys on the target system to allow only
> > accesses from a specific IP, executing ONLY the necessary, not allowing to
> > forward any ports, and not giving a pty.
> > you can avoid being asked for the passphrase of the identity by not
> > setting one, but you really should only use it for these tasks and with
> > these restrictions then.
> > 
> > consider having a closer look at the manpages of ssh(1), ssh-keygen(1) and
> > sshd(8)
> 
> yes it is not optimal.  yes, please look closely at the suggested reading
> if your machine is on a public network.

definitely. but I (personally) don't draw a line between public and
non-public networks. I usually take care to have well-documented, thorough
security on all my hosts, and consider everyone doing the same.
there's nothing worse than security by obscurity, as it is no security at
all. you should not weaken yourself by not utilizing the knowledge you
already have, but rather sharpen your senses by always applying it where
possible, and extending it when you can afford the time (and it depends
on your job if you 'not have the time' or 'don't need to have the time' or
'act irresponsibly by not forcing yourself to have the time').

Kind regards

   Andreas Kotes

-- 
  -= Andreas Kotes - mailto:count@flatline.de - Questions? Just ask =-
 -= Are you doing what you are able to do to support peace on earth? =-
-= Commercial use of my email address NOT allowed. PGP key available. =-
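The quoted reply recommends per-key RSA authentication with an authorized_keys entry restricted to a source address, a forced command, no port forwarding and no pty, instead of RhostsRSAAuthentication and a setuid ssh binary. The following shell script is an added example, not code from the thread or from PVM or NetBSD: it builds such an entry and audits an existing authorized_keys file for entries that lack the from= and command= restrictions. The option keywords (from=, command=, no-port-forwarding, no-pty) are the ones documented in sshd(8); the IP address, the forced command path and the key material are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original thread). Produce a restricted
# authorized_keys entry and check a file for entries without restrictions.

# restricted_key_line ALLOWED_HOST FORCED_COMMAND PUBLIC_KEY
#   Prints one authorized_keys line that only accepts the key from
#   ALLOWED_HOST, always runs FORCED_COMMAND, and denies forwarding and ptys.
restricted_key_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-pty %s\n' "$1" "$2" "$3"
}

# audit_authorized_keys FILE
#   Prints the line number of every key entry that lacks either a from=
#   or a command= option. Blank lines and comments are skipped.
#   Returns 1 if any unrestricted entry was found, 0 otherwise.
audit_authorized_keys() {
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;                      # blank or comment
        esac
        case "$line" in
            *from=*command=*|*command=*from=*) ;;     # both restrictions present
            *) echo "line $n: unrestricted key"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}
```

A typical use is `restricted_key_line 192.0.2.10 /path/to/daemon "$(cat identity.pub)" >> ~/.ssh/authorized_keys` on the target host (placeholder values), followed by `audit_authorized_keys ~/.ssh/authorized_keys` to confirm that no entry there grants an unrestricted shell. The audit only checks that both options are present; it does not parse the option list, so a from= or command= string inside a key comment would be accepted as well.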