Date: Thu, 8 Nov 2001 10:29:44 -0500
From: Kutulu <kutulu@kutulu.org>
To: Anthony Atkielski <anthony@atkielski.com>
Cc: Giorgos Keramidas <charon@labs.gr>, questions@FreeBSD.ORG
Subject: Re: Lockdown of FreeBSD machine directly on Net
Message-ID: <20011108102944.C10218@pr0n.kutulu.org>
In-Reply-To: <003401c1682d$7a623cc0$0a00000a@atkielski.com>; from anthony@atkielski.com on Thu, Nov 08, 2001 at 09:15:06AM +0100
References: <15330.23714.263323.466739@guru.mired.org> <00b501c1637b$1cd2f880$0a00000a@atkielski.com> <20011102095554.A38169@student.uu.se> <00d801c1637c$d3264640$0a00000a@atkielski.com> <20011102055416.B67495@klatsch.org> <012101c16391$3f31ca80$0a00000a@atkielski.com> <20011108045340.A2965@hades.hell.gr> <003401c1682d$7a623cc0$0a00000a@atkielski.com>
On Thu, Nov 08, 2001 at 09:15:06AM +0100, Anthony Atkielski wrote:
> Giorgos writes:
>
> > Think of the damage that someone can do, if
> > they come with a floppy and steal the keypair
> > that you use to SSH as root.
>
> An important prerequisite to good security is physical security of the server.
> If you allow direct physical access to the machine, all bets are off. Some

Exactly. To address the specific case Giorgos presents: if someone with a floppy can get the keypair you use to SSH as root, they can already read files that should only be root-readable, which means they've either:

1) Already logged on as root, or
2) Bypassed the file security.

In this case, they can also get a copy of master.password and run it through a password decryption program, and possibly even replace system binaries.

To say that a particular security measure is useless because someone with physical access to the machine can bypass it makes pretty much ALL security measures useless. All you can do is take every precaution to physically secure the machine, then work on securing it more from those who can't get to it physically (which is, hopefully, everyone else).

--K

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message