[svlug] Configuring Server - SSH Trouble + Security Considerations
ericv at cruzio.com
Thu Oct 26 17:59:54 PDT 2006
On Thu, 26 Oct 2006 17:51:45 -0700, Rick Moen wrote
> Quoting Don Marti (dmarti at zgp.org):
> > Is there a way for you, the administrator of the
> > server, to tell ssh hopping, like this:
> > ssh -At lron.example.edu ssh xenu.linuxmafia.com
> > from risky private key copying?
> Sorry, I really don't.
> Please note, as well, that using globally unique (across systems) access
> tokens -- either passwords or keypairs -- in no way defeats the
> token-stealing routine I described. Not at all. This is a problem
> because I'm _reasonably_ certain it's now the standard method among
> Basically, it's an inevitable consequence of the fact that an SSH tunnel
> is only as trustable as both endpoints' security plus that of the tunnel
> itself. If you distrust one of the endpoints, the best you can do is
> either (1) never expose tokens there (but rather only at the other
> (2) S/Key or OPIE OTP authentication, or (3) a SecurID fob or equivalent.
That's why I always pushed content to my web servers via SSH rather than allow
them to pull. Similar for lightweight backup jobs. Even though I locked them
down tight, they were always considered "ceremonially unclean".
Eric N. Valor
(sent from my web client)