Re: Locking down ssh config in large env

From: Atro Tossavainen (atossava_at_cc.helsinki.fi)
Date: 10/01/04

  • Next message: David M. Andersen: "Re: Locking down ssh config in large env"
    To: secureshell@securityfocus.com
    Date: Fri, 1 Oct 2004 12:00:01 +0300 (EEST)
    
    

    David M Andersen from UNCC wrote:

    > You could easily do something like this:

    [patch that prevents users from changing their own configuration either
     on the command line or in their per-user configuration files removed]

    Yes, and the user can easily circumvent it, just like all the other
    proposals so far.

    Nobody's reading what I have been posting all along. That's fine,
    of course. I don't really mind...

    None of the proposed ways so far that attempt to solve the issue brought
    forward by the original poster actually do. This one is no different.

    As long as users get to run their own binaries on your system you have
    -NO-RECOURSE-WHATSOEVER- against them on the issue of freezing the SSH
    configuration so users can't change it. How many times, and how many
    different ways, do I have to say it on this list before it catches on?

    You can slow them down, and for some clueless part of the population
    you might even be able to stop them with temporary stopgap measures
    such as all of the proposals so far (until they get a clue), but you
    have no way to stop somebody who knows what they are doing unless you
    can prevent them from running their own binaries on the system.

    -- 
    Atro Tossavainen (Mr.)               / The Institute of Biotechnology at
    Systems Analyst, Techno-Amish &     / the University of Helsinki, Finland,
    +358-9-19158939  UNIX Dinosaur     / employs me, but my opinions are my own.
    < URL : http : / / www . helsinki . fi / %7E atossava / > NO FILE ATTACHMENTS
    

  • Next message: David M. Andersen: "Re: Locking down ssh config in large env"