Re: Locking down ssh config in large env

From: Atro Tossavainen (atossava_at_cc.helsinki.fi)
Date: 10/01/04

  • Next message: David M. Andersen: "Re: Locking down ssh config in large env" 
    To: secureshell@securityfocus.com
Date: Fri, 1 Oct 2004 12:00:01 +0300 (EEST)

    David M Andersen from UNCC wrote:

    > You could easily do something like this:

    [patch that prevents users from changing their own configuration either
     on the command line or in their per-user configuration files removed]

    Yes, and the user can easily circumvent it, just like all the other
    proposals so far.

    Nobody's reading what I have been posting all along. That's fine,
    of course. I don't really mind...

    None of the proposed ways so far that attempt to solve the issue brought
    forward by the original poster actually do. This one is no different.

    As long as users get to run their own binaries on your system you have
    -NO-RECOURSE-WHATSOEVER- against them on the issue of freezing the SSH
    configuration so users can't change it. How many times, and how many
    different ways, do I have to say it on this list before it catches on?

    You can slow them down, and for some clueless part of the population
    you might even be able to stop them with temporary stopgap measures
    such as all of the proposals so far (until they get a clue), but you
    have no way to stop somebody who knows what they are doing unless you
    can prevent them from running their own binaries on the system. 

    -- 
Atro Tossavainen (Mr.)               / The Institute of Biotechnology at
Systems Analyst, Techno-Amish &     / the University of Helsinki, Finland,
+358-9-19158939  UNIX Dinosaur     / employs me, but my opinions are my own.
< URL : http : / / www . helsinki . fi / %7E atossava / > NO FILE ATTACHMENTS
  • Next message: David M. Andersen: "Re: Locking down ssh config in large env"

    Relevant Pages

    • Re: moving from 10 to 11, not so nice
      ... it's slow usually don't bother removing all the eye-candy that is there ... There's nothing the in the binaries that make it slow. ... It's the default configuration that makes it slow, ...
      (alt.os.linux.suse)
    • Re: trn binaries for MacOSX?
      ... I never found any binaries, but I found that compiling the sources isn't ... picked a generic "BSD" configuration (when asked by the Configure ... script), and the rest pretty much ran as scripted. ...
      (comp.sys.mac.apps)
    • Re: SolutionConfigurationName
      ... projects have different configuration names and all of them have ... How do i unify all these binaries into ... one top level directory. ... I thought of setting all outputdirs to ...
      (microsoft.public.vstudio.general)