Subject: Re: i386 IO access and chroot()
To: None <tech-security@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 07/15/2001 00:42:51
[ On Saturday, July 14, 2001 at 23:36:28 (-0400), Michael Richardson wrote: ]
> Subject: Re: i386 IO access and chroot()
>
>   I want to restrict *root* in a *jail* from binding less than 1024.

Ah, OK.  I see.  That makes sense...

>   SSH can emulate "rhost" <1024 stuff if you insist. That is not the default.

I know it's not the default -- that's the "separate issue" I mentioned.
It may as well be the default though because that's the implied level of
trust anyway.

>   Most use of ssh does not require any of this.

You must implicitly and completely trust the OS and hardware, and even
the physical environment, etc. on both ends.  You may as well trust the
client OS to have properly and securely authenticated the user and to
not be spoofing the client user's ID when it comes a knockin' on your
door.  There's not really much point to doing any more authentication if
you're going to go on and set up a secure channel to the client host.

In other words, not using the "shost" style authentication suggests a
misunderstanding of the SSH trust model and can therefore lead to a
false sense of security.  I'm not yet so paranoid as to require all my
SSH clients to receive, out-of-band, pre-assigned keys, but I'm getting
there!  ;-)

(The problem, of course, with pre-assigned keys is that it creates a
one-to-many relationship instead of the more desirable many-to-many
relationship.  You really need a PGP/SSL-like web of trust with signed
certificates and trusted certificate authorities to make key assignment
a workable proposition.)

(Yes, I've su'ed from an SSH session started by an only semi-trusted
Java-based SSH client downloaded from my machine to a browser running on
a "wild", but net-booted, PC at an Internet cafe in a foreign country.
But I did change my root password immediately upon my return!  And I
checked for out-of-place activity afterwards too!  ;-) )

>   My goal is further restricting even root.

I now understand -- and I would like to see such features too!

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>     <woods@robohack.ca>
Planix, Inc. <woods@planix.com>;   Secrets of the Weird <woods@weird.com>