From owner-cvs-all Thu Sep 24 00:29:05 1998
Return-Path:
Received: (from daemon@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA16646 for cvs-all-outgoing; Thu, 24 Sep 1998 00:29:05 -0700 (PDT) (envelope-from owner-cvs-all)
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA16638; Thu, 24 Sep 1998 00:29:02 -0700 (PDT) (envelope-from dillon@backplane.com)
Received: (dillon@localhost) by apollo.backplane.com (8.9.1/8.6.5) id AAA17646; Thu, 24 Sep 1998 00:28:37 -0700 (PDT)
Date: Thu, 24 Sep 1998 00:28:37 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199809240728.AAA17646@apollo.backplane.com>
To: Mark Murray
Cc: Mike Smith, asami@FreeBSD.ORG (Satoshi Asami), committers@FreeBSD.ORG
Subject: Re: Security and other facilities at WC CDROM - the plan.
References: <199809232357.QAA04981@dingo.cdrom.com> <199809240655.IAA21484@gratis.grondar.za>
Sender: owner-cvs-all@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

    I'll be frank: Moving to kerberos is a *good* idea. We've been using
    the ssh+kerberos combination at BEST for systems accounts for two years
    now and it has allowed us to remove (i.e. '*'-out) passwords for all
    sensitive accounts (i.e. the ones we clone across all of our servers).
    Additionally, we removed *all* accounts from the wheel group. Not even
    staff is in wheel anymore... it's ksu to root or nothing.

    This combination allows us to have a crypted root password in the
    password file (that only four people know), which can ONLY be used when
    logging into the machine's console. This plus kerberos-only logins is
    extremely effective in preventing critical accounts from being
    compromised. It works flawlessly for us.

    Going to kerberos is, IMHO, a much needed security bullet on WC CDROM
    and all other freebsd-group machines. Make sure you set up two kerberos
    servers rather than just one. Also, put the following line in
    /etc/csh.logout on all the machines. It is extremely important to
    destroy tickets on logout.

	# System-wide .logout file for csh(1).
	/usr/bin/klist -s && /usr/bin/kdestroy

						-Matt

:> > Will typing passwords over ssh work? There are some times (quite
:> > often, actually) that my home directory is not available and I have to
:> > type my password to get into paddock.
:>
:> It should; the connection is encrypted already at that point.
:
:Sure - but SSH is doing the authentication against the kerberos database,
:not /etc/passwd-and-friends. Kerberos has a different encoding scheme,
:so the password will need to be reregistered. A pain, I am sorry,
:but necessary. I'll try to set up a tool to assist here.
:
:M
:--
:Mark Murray
:Join the anti-SPAM movement: http://www.cauce.org

					Matthew Dillon
					Engineering, HiWay Technologies, Inc. & BEST Internet Communications & God knows what else.
					(Please include original email in any response)
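The csh.logout one-liner in the mail above covers csh users. What follows is an added example, not code from the mail or from the FreeBSD project: the same ticket-destruction hook written for sh/bash logout files, with a verification step that the one-liner lacks. It relies only on the documented behaviour of klist -s (silent; exit status 0 when the cache holds a valid ticket), and uses that both to decide whether kdestroy is needed and to confirm afterwards that the tickets are really gone, since kdestroy can fail without the user noticing (for example when the cache file is not writable). The KLIST and KDESTROY variables are this example's own override knobs, defaulting to the real binaries, so the logic can be exercised without a KDC.

```shell
# Added example (not from the original mail): sh/bash logout hook that
# destroys Kerberos tickets if any are held and verifies the result.
# KLIST/KDESTROY are this example's own overrides; they default to the
# real binaries.

: "${KLIST:=/usr/bin/klist}"
: "${KDESTROY:=/usr/bin/kdestroy}"

# krb_logout_cleanup: destroy Kerberos tickets if any are held.
# Returns 0 if no valid tickets remain afterwards, 1 if the cache still
# holds a valid ticket (i.e. kdestroy did not actually clear it).
krb_logout_cleanup() {
    # klist -s exits 0 only when the credential cache has a valid ticket.
    if "$KLIST" -s 2>/dev/null; then
        "$KDESTROY" 2>/dev/null
    fi
    # Verify: if a valid ticket is still visible, do not report success.
    if "$KLIST" -s 2>/dev/null; then
        echo "warning: Kerberos tickets still present after kdestroy" >&2
        return 1
    fi
    return 0
}

# Typical use: put this file in ~/.bash_logout, or in ~/.profile add
#   trap krb_logout_cleanup EXIT
# so the hook also runs when the session is closed by the remote end.
```

The hook is idempotent: a second call with no tickets present is a no-op that still returns 0, so it is safe to register from more than one place.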