Date: Fri, 6 Apr 2001 00:12:49 -0700
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Jan Grant" <Jan.Grant@bristol.ac.uk>
Cc: "freebsd-questions" <freebsd-questions@FreeBSD.ORG>
Subject: RE: SSHD Problems...
Message-ID: <001701c0be68$fcdb98a0$1401a8c0@tedm.placo.com>
In-Reply-To: <Pine.GSO.4.31.0104051112080.14755-100000@mail.ilrt.bris.ac.uk>
>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jan Grant
>
>The difference here is that PAM and login levels are part of the base
>system because they need integration at that level. Kerberos and ssh are
>system utilities that can be built on top, true. I'm less convinced of
>the necessity of kerberos (it needs a lot of in-depth understanding to
>get right, like most sysadmin tasks) but ssh is becoming a requirement.
>I'd rather have it maintained and built as part of my buildworld cycle,
>though, than have to look after it myself.
>

I can allow PAM and login levels to go by, but it pissed me off when they turned on ssh by default, and it really pissed me off when they turned on Kerberos by default. Not only that, but the way that ssh was done is asinine - they do the initial key generation by halting the boot to do it, instead of making it run in the background and letting the boot continue. On a 486/33 it takes at least 2 minutes to generate the keys, so you're stuck sitting there while the system plays with itself during the first boot on a fresh installation. At the least, if they wanted to have ssh active with keys ready-made, they could have used a little finesse. But security freaks generally take the smash-n-hammer approach, so this isn't that surprising.

>> Yet, all the security stuff
>> _is_ deemed absolutely critical
>
>It's becoming so in this day and age.

Only on some networks. I use FreeBSD a lot on internal nets and there's no reach from the outside to those systems, and I also happen to use FreeBSD a lot for routing, and you can't initiate an ssh session from most Ciscos, so when you're daisy-chaining from router to router to reach a remote FreeBSD system (very common on large WANs) ssh does absolutely nothing for you.

Also, I think even the security people will tell you that the practice of passing the key during the _first_ initial connection via ssh basically destroys the entire integrity of the ssh transaction - key passing is supposed to be out-of-band, not in-band.

Basically what it boils down to is that security is most important in ONE area: setting up Internet servers. Corporate nets are a different matter - most servers there are supposed to be available internally, so why would someone break into a server they already have full access to?

>Sysadmin is about understanding
>your environment and setting up your systems appropriately. If you don't
>need it, turn it off.
>

How about: if you need it, turn it on?

>> Don't you see a disconnection from reality
>> here?
>
>Uhh, yeah, but probably not the same one that you do.
>

I'm just pointing out that if you slap the word "security" into the discussion, all of a sudden the dogs are up on their hind legs barking up a storm.

For most things, FreeBSD takes the attitude that "if you want it, YOU go to the trouble of adding it in and switching it on." For security, they appear to be taking the attitude of "if you _don't_ want it, then YOU go to the trouble of switching it off and removing it."

In short, the philosophy is completely inconsistent. The former philosophy comes from the point of view that "you know what's best for your servers, we just provide the tools." The latter philosophy comes from the point of view that "WE know what's best for your servers, we are going to supply it and force it down your throat." I've had enough of that from Windows; I don't need it from FreeBSD.

>jan
>
>PS. I can't believe I just said "chill". Yech.
>

That ought to be proof to anyone of how quickly discussions over security descend into madness.
;-)

Ted Mittelstaedt
tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com
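The in-band versus out-of-band host-key point raised in the message above, as an added example that is not part of the original e-mail and not FreeBSD or OpenSSH code: a small host-key check that contrasts trust-on-first-use (accepting whatever key the network delivers on first contact) with verification against a fingerprint obtained out-of-band (for instance read off the server's console). The Ed25519 key bytes, hostnames and known_hosts content are constructed for the demo; the fingerprint follows the OpenSSH convention of "SHA256:" plus unpadded base64 of the SHA-256 of the wire-format key blob, and the known_hosts parser is a simplification that ignores hashed and marker entries.

```python
"""
Added example (not from the original e-mail): deciding whether to trust an
SSH host key, with trust-on-first-use (TOFU) beside out-of-band fingerprint
checking. Every key, hostname and known_hosts line here is constructed for
the demo; nothing talks to a real host.
"""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple


def ssh_ed25519_blob(raw_key: bytes) -> bytes:
    """SSH wire-format public key blob for an Ed25519 key (RFC 8709):
    string "ssh-ed25519" followed by the 32-byte key, each length-prefixed."""
    assert len(raw_key) == 32
    return (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + raw_key)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: 'SHA256:' + base64(sha256(blob))
    with the trailing '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> Dict[str, Tuple[str, str]]:
    """Map host -> (keytype, base64 blob). Expands comma-separated host
    lists and skips comments; hashed (|1|...) and @marker entries are
    not handled in this simplified demo parser."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        hosts, keytype, blob = line.split()[:3]
        for h in hosts.split(","):
            table[h] = (keytype, blob)
    return table


def verify_host_key(known: Dict[str, Tuple[str, str]], host: str,
                    keytype: str, blob_b64: str,
                    expected_fp: Optional[str] = None,
                    tofu: bool = False) -> str:
    """Outcomes:
      'known'    - host in known_hosts and the key matches
      'MISMATCH' - host known but key differs: possible MITM, abort
      'verified' - first contact, fingerprint matched the out-of-band value
      'tofu'     - first contact, accepted blindly (the in-band trust the
                   message objects to)
      'rejected' - first contact, no out-of-band match and TOFU disabled"""
    if host in known:
        kt, known_blob = known[host]
        if kt == keytype and hmac.compare_digest(known_blob, blob_b64):
            return "known"
        return "MISMATCH"
    if expected_fp is not None:
        # Constant-time compare of the presented fingerprint with the one
        # obtained off the network (console, signed inventory, etc.).
        if hmac.compare_digest(fingerprint(blob_b64), expected_fp):
            return "verified"
        return "rejected"
    return "tofu" if tofu else "rejected"


def demo() -> Dict[str, str]:
    """Run the scenarios; all key material below is constructed."""
    real = ssh_ed25519_blob(bytes(range(32)))       # the server's real key
    evil = ssh_ed25519_blob(bytes(range(32, 64)))   # an interposer's key
    real_b64 = base64.b64encode(real).decode()
    evil_b64 = base64.b64encode(evil).decode()
    known = parse_known_hosts(
        "# constructed known_hosts\n"
        f"router1.example,10.0.0.1 ssh-ed25519 {real_b64}\n")
    oob_fp = fingerprint(real_b64)   # assumed read off the console, not the wire
    kt = "ssh-ed25519"
    return {
        "oob_fp": oob_fp,
        "repeat_visit": verify_host_key(known, "router1.example", kt, real_b64),
        "mitm_on_known": verify_host_key(known, "10.0.0.1", kt, evil_b64),
        "first_oob_ok": verify_host_key(known, "router2.example", kt, real_b64,
                                        expected_fp=oob_fp),
        "first_oob_mitm": verify_host_key(known, "router2.example", kt, evil_b64,
                                          expected_fp=oob_fp),
        "first_tofu": verify_host_key(known, "router2.example", kt, evil_b64,
                                      tofu=True),
        "first_strict": verify_host_key(known, "router2.example", kt, evil_b64),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} {outcome}")
```

The two first-contact rows with the interposer's key make the point of the message concrete: with TOFU the bogus key is simply recorded as the host's key, whereas an out-of-band fingerprint (or a strict policy with no fingerprint at all) rejects it before any credentials are sent.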
