Date:      Wed, 30 May 2001 08:57:59 -0700 (PDT)
From:      Matt Dillon <dillon@earth.backplane.com>
To:        Vivek Khera <khera@kciLink.com>
Cc:        Seth <seth@psychotic.aberrant.org>, stable@FreeBSD.ORG
Subject:   Re: adding "noschg" to ssh and friends
Message-ID:  <200105301557.f4UFvxh40288@earth.backplane.com>
References:  <15124.4635.887375.682204@onceler.kciLink.com> <20010529145609.A1209@xor.obsecurity.org> <15124.7132.963202.560009@onceler.kciLink.com> <200105292211.f4TMBpB30316@earth.backplane.com> <20010529183239.B14308@psychotic.aberrant.org> <200105292315.f4TNFOu31573@earth.backplane.com> <15125.1433.517037.245078@onceler.kciLink.com>

:I guess in general, that may be correct.  But wouldn't you want some
:reassurance that your only "secure" connection to the machine is not
:tampered with?  That is, if your machine is compromised, and the only
:way you can connect to it is via a trojaned service, then you're
:really hosed.  I think ssh should be protected from this type of
:attack.

    Well, let's see... what if someone modified /etc/ssh/config?  Or
    what if someone added a command= directive to your public key in
    ~/.ssh/authorized_keys?  Or what if someone modified pam (which ssh
    uses)?  Or what if someone changed the ldconfig path?  etc etc etc.
    So the answer is no.

:In any case, what about my other question?  If I "schg" the ssh
:related executables and libs, will installworld croak or does it know
:to noschg all files first?  I can't see that it does it even for the
:binaries that are schg in the system already (like rsh).

    I've no idea on that one.

					-Matt
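
One of the tampering paths listed in the reply above, a command= directive added to a key in authorized_keys, can be audited directly. The following is an added example, not part of the original message or of OpenSSH: the key-type prefix heuristic, the function names and the sample entries are assumptions constructed for illustration.

```python
import re

# Assumption: a line that begins with one of these prefixes has no options field.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")
# name, optionally ="quoted value" (where \" is a literal quote) or =bare-value
OPTION = re.compile(r'([A-Za-z0-9_-]+)(?:="((?:\\"|[^"])*)"|=([^,\s"]*))?')

def split_options(line):
    """Split one entry into ([(option, value-or-None)], rest-of-line)."""
    if KEY_TYPE.match(line):
        return [], line
    opts, pos = [], 0
    while True:
        m = OPTION.match(line, pos)
        if not m:
            break
        name, quoted, bare = m.groups()
        value = quoted.replace('\\"', '"') if quoted is not None else bare
        opts.append((name.lower(), value))   # option names are case-insensitive
        pos = m.end()
        if line[pos:pos + 1] != ",":         # options are comma-separated, no spaces
            break
        pos += 1
    return opts, line[pos:].strip()

def forced_commands(text):
    """Return (line number, forced command, key comment) for each command= entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        parts = rest.split(None, 2)          # key type, key blob, comment
        comment = parts[2] if len(parts) > 2 else ""
        findings += [(lineno, v, comment) for k, v in opts if k == "command"]
    return findings

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = r'''# constructed sample
ssh-ed25519 AAAAC3PLACEHOLDER1 alice@laptop
command="/usr/local/bin/backup.sh",no-pty ssh-rsa AAAAB3PLACEHOLDER2 backup@host
no-port-forwarding,command="sh -c \"echo hi, there\"" ssh-rsa AAAAB3PLACEHOLDER3 odd entry
from="10.0.0.*" ssh-ed25519 AAAAC3PLACEHOLDER4 bob@desk
'''

if __name__ == "__main__":
    for hit in forced_commands(SAMPLE):
        print(hit)
```

Comparing the reported commands against a list of expected ones kept off the host shows a newly added directive as a difference.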







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200105301557.f4UFvxh40288>