Date: Wed, 30 May 2001 08:57:59 -0700 (PDT)
From: Matt Dillon <dillon@earth.backplane.com>
To: Vivek Khera <khera@kciLink.com>
Cc: Seth <seth@psychotic.aberrant.org>, stable@FreeBSD.ORG
Subject: Re: adding "noschg" to ssh and friends
Message-ID: <200105301557.f4UFvxh40288@earth.backplane.com>
References: <15124.4635.887375.682204@onceler.kciLink.com> <20010529145609.A1209@xor.obsecurity.org> <15124.7132.963202.560009@onceler.kciLink.com> <200105292211.f4TMBpB30316@earth.backplane.com> <20010529183239.B14308@psychotic.aberrant.org> <200105292315.f4TNFOu31573@earth.backplane.com> <15125.1433.517037.245078@onceler.kciLink.com>
:I guess in general, that may be correct.  But wouldn't you want some
:reassurance that your only "secure" connection to the machine is not
:tampered with?  That is, if your machine is compromised, and the only
:way you can connect to it is via a trojaned service, then you're
:really hosed.  I think ssh should be protected from this type of
:attack.

Well, let's see... what if someone modified /etc/ssh/config ?  Or what
if someone added a command= directive to your public key in
~/.ssh/authorized_keys ?  Or what if someone modified pam (which ssh
uses) ?  Or what if someone changed the ldconfig path?  etc etc etc.

So the answer is no.

:In any case, what about my other question?  If I "schg" the ssh
:related executables and libs, will installworld croak or does it know
:to noschg all files first?  I can't see that it does it even for the
:binaries that are schg in the system already (like rsh).

I've no idea on that one.

-Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200105301557.f4UFvxh40288>