experiences with openssh automation
Robert Brockway
rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
Tue Aug 9 19:57:28 UTC 2005
On Tue, 9 Aug 2005, Henry Spencer wrote:
> On Tue, 9 Aug 2005, Robert Brockway wrote:
> > ...Allowing
> > automated access via ssh to an account that can sudo to root is just
> > opening a window for exploitation.
>
> So is connecting the computer to a network in the first place. :-) These
> things are tradeoffs; they're not automatically and inherently bad ideas.

Hi Henry. While that is true, it is a matter of degrees. Removing host
key checking then allowing an account in without a passphrase and allowing
it to sudo without a password is providing a vector directly to root
access.

The owner of the systems in question can do as they please but I really
recommend against this course of action. It offers little and risks much.

Not using a "default deny" policy on a firewall is not automatically and
inherently a bad idea in security theory either, but you know what? I'd
want some pretty serious justification to do anything else.

Rob
--
Robert Brockway B.Sc. Phone: +1-416-669-3073
Senior Technical Consultant Email: support-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
OpenTrend Solutions Ltd. Web: www.opentrend.net
We are open 24x7x365 for technical support. Call us in a crisis.
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
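
The three settings the message above warns about can be checked for together. The following is an added example, not part of the original post: a small audit over constructed copies of an ssh client config, an authorized_keys file and a sudoers file. The account names `batch` and `report`, the file contents and all function names are assumptions made for illustration.

```python
import re

# Constructed sample inputs; none of this text comes from the thread.
SSH_CONFIG = "Host *\n    StrictHostKeyChecking no\n"  # on the connecting client
AUTHORIZED_KEYS = (  # on the server, for the automated account
    "ssh-rsa AAAAEXAMPLE1 batch@client\n"
    'command="/usr/local/bin/pull-logs",no-pty ssh-rsa AAAAEXAMPLE2 batch@client\n'
)
SUDOERS = (
    "Defaults env_reset\n"
    "batch  ALL=(ALL) NOPASSWD: ALL\n"
    "report ALL=(root) NOPASSWD: /usr/local/bin/rotate-logs\n"
)

def _lines(text):
    """Non-empty, non-comment lines, stripped."""
    stripped = (l.strip() for l in text.splitlines())
    return [l for l in stripped if l and not l.startswith("#")]

def host_key_checking_disabled(ssh_config):
    pat = re.compile(r'stricthostkeychecking[\s=]+"?(no|off)"?$', re.I)
    return any(pat.match(l) for l in _lines(ssh_config))

def unrestricted_keys(authorized_keys):
    """Keys with neither a forced command nor 'restrict'. Whether the private
    key has a passphrase is not visible from the server, so the check is on
    what the key is allowed to do."""
    out = []
    for l in _lines(authorized_keys):
        # Options field = text before the key type (simplified parsing).
        opts = "" if l.startswith(("ssh-", "ecdsa-", "sk-")) else \
            re.split(r"\s+(?=ssh-|ecdsa-|sk-)", l, maxsplit=1)[0]
        if not re.search(r"(?i)(^|,)(command=|restrict(,|$))", opts):
            out.append(l)
    return out

def nopasswd_all_users(sudoers):
    """Users granted NOPASSWD: ALL. Groups and aliases are not expanded."""
    users = set()
    for l in _lines(sudoers):
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)", l)
        if m and m.group(1) != "Defaults" and \
                re.search(r"NOPASSWD:\s*ALL\s*(,|$)", m.group(2)):
            users.add(m.group(1))
    return users

def audit(account, ssh_config, authorized_keys, sudoers):
    f = {"host_key_checking_disabled": host_key_checking_disabled(ssh_config),
         "unrestricted_keys": len(unrestricted_keys(authorized_keys)),
         "passwordless_sudo_all": account in nopasswd_all_users(sudoers)}
    f["all_three_present"] = all(f.values())
    return f

if __name__ == "__main__":
    print(audit("batch", SSH_CONFIG, AUTHORIZED_KEYS, SUDOERS))
```

In the sample data the `report` entry shows the narrower alternative: passwordless sudo limited to one command, which the audit does not flag.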