Robert G. Brown
rgb at phy.duke.edu
Thu Jan 5 06:30:03 PST 2006
On Thu, 5 Jan 2006, Leif Nixon wrote:
>> If you do go pure host-based auth, and you want to maximize security
>> given that requirement, then you might want to guard that one host very
> I'm not following you here either. Whether you choose the "give all
> users passphrase-less keys" route or the host-based auth route, you're
> *equally* screwed if a bad guy gets root. He can su to any user and
> ssh away to his delight. (Given a standard NFS setup.)
I agree heartily. In fact, I almost wrote to say so, but I'm being
discreet these days.
SSH per se greatly increases security and (IMHO) should be used in all
cases where an analysis of its expected overhead shows that it is in the
irrelevant (<1%) range, which is in nearly all cases -- a fraction of a
second per transaction (for just one or two transactions) to start up a
job against thousands to millions of seconds of runtime, per node, for
However, if any account is compromised by any means whatsoever, you're
equally screwed regardless of how you authenticate at the shell level.
I personally don't use ssh passwords EXCEPT for root accounts and on
servers and on relatively untrusted hosts, and in the latter case it is
more to give me a small chance of detecting an intrusion before it
spreads between networks.
It is an exercise for the studio office to contemplate methodologies for
getting passwords, ssh keys, and pretty much anything else you want from
most users' accounts once you have access to them without their
knowledge. Getting them is even fairly risk free unless the user is a
Unix guru (and hence by definition a raving paranoid). Most users
wouldn't even know HOW to tell if their account has been penetrated
unless the cracker makes a mistake -- if they type "ssh host" and are
presented a password prompt, they won't think even once about whether
that is a REAL password prompt or a prompt presented by a little trojan
shell named "ssh" and placed on your path. Even a guru might miss it --
they are more likely to take note of the fact that they "logged in"
Tuesday night when in fact they didn't as opposed to checking their path
on every single potentially trojanned command (that is, all commands).
Robert G. Brown http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567 Fax: 919-660-2525 email:rgb at phy.duke.edu
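
The check described in the message above (looking at the path for a trojanned "ssh") can be partly automated. The following is an added example, not part of the original message: a POSIX shell function that reports relative PATH entries, group- or world-writable PATH directories, and any copy of a command that an earlier directory shadows. The name `audit_path` and the finding labels are invented for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report PATH conditions that let a
# substitute "ssh" run in place of the real one.
# Usage: audit_path CMD PATHSTRING      e.g.  audit_path ssh "$PATH"
# Findings, one per line (labels are this example's own):
#   RELATIVE <entry>      entry is empty or not absolute, so it depends on the cwd
#   WRITABLE <dir>        directory is group- or world-writable
#   SHADOW <hit> <first>  CMD also exists at <hit>, but <first> is what runs
#   RESOLVES <first>      the copy of CMD that a PATH lookup selects
audit_path() {
    cmd=$1
    rest="$2:"            # trailing ":" so the loop also consumes the last entry
    first=""
    while [ -n "$rest" ]; do
        dir=${rest%%:*}   # next entry
        rest=${rest#*:}   # remainder after the first ":"
        case $dir in
            /*) ;;
            *)  echo "RELATIVE ${dir:-<empty>}"
                continue ;;
        esac
        [ -d "$dir" ] || continue
        # "$dir/." makes find test the directory itself even if $dir is a symlink;
        # -prune stops descent; -perm -NNN matches when those mode bits are set.
        if [ -n "$(find "$dir/." -prune \( -perm -002 -o -perm -020 \) -print 2>/dev/null)" ]; then
            echo "WRITABLE $dir"
        fi
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            if [ -z "$first" ]; then
                first="$dir/$cmd"
            else
                echo "SHADOW $dir/$cmd $first"
            fi
        fi
    done
    [ -n "$first" ] && echo "RESOLVES $first"
    return 0
}
```

Aliases and shell functions named `ssh` are not visible to this check; running `type ssh` in the interactive shell shows those.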