Subject: Re: sshd and read-only filesystem
To: None <p99dreyf@criens.u-psud.fr>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: tech-security
Date: 07/10/2001 18:32:02

On Tue, Jul 10, 2001 at 10:01:33PM +0200, Emmanuel Dreyfus wrote:
> You may want to set up a firewall or sniffer with the filesystem mounted
> read-only and securelevel=2, or even with a read-only boot media (hard
> disk write protected using a jumper, CDROM, or why not just an EPROM if
> we are running on an embedded device?), so that if it is compromised you
> remain absolutely certain that rebooting the system will bring back a
> clean state.

If you're going to that much trouble, couldn't you just hack sshd
slightly for your specific setup to not care about pty ownership?

For that matter, for a firewall, how about allowing ssh to the
machine as root, but only ever do it with public/private key
authentication from a machine inside the FW?

(I'm playing devil's advocate here. I actually like /dev-on-mfs
most. Is there some reason /dev *must* be ro?)

-- 
       ~ g r @ eclipsed.net