Minimal Install Option

Bill Anderson bill at noreboots.com
Thu Aug 21 18:07:24 UTC 2003


On Thu, 2003-08-21 at 11:21, Chris Ricker wrote:
> On Thu, 21 Aug 2003, Bill Anderson wrote:
> 
> > > Just for a few examples:
> > > 
> > > > krb5-workstation
> > > 
> > > might be good on a router -- give you secure in-band management capabilities
> > 
> > The package itself in its description says it is for workstations.
> 
> Wrong one. I wanted pam_krb5, which was also on your list. Makes sense on 
> interior routers (as might ssh, for the same reasons/uses), doesn't on 
> exterior.

Ahh, ok. However, below, you say no logging in remotely at all, so why
pam_krb at all then? The only time someone should need to log into a
firewall/router, is for administrative purposes. If using a serial
connection (directly!) then log in as root, do what you need, and log
off. Why not su? Decreased avenue of attack should an attacker manage to
get local privileges: Mount everything nosuid. This of course disables
'su root' even if installed.

> 
> > > I definitely want this on a router
> > 
> > Why? Why should a router/firewall be downloading web pages, etc.?
> 
> to download files to it when I'm setting it up, patching it, etc.

Why not ftp clients? Or scp from the target storage machine? Or, since
in the way you describe it you'll be at the machine for it anyway,
floppy or cdrom transfer? [wget has had its security issues too ;)]

> 
> > > > A minimal install should provide no external services beyond SSH,
> > > > especially when listed as a firewall/router install.
> > > 
> > > a firewall shouldn't provide any external services. manage them out-of-band
> > 
> > I'm not sure you are disagreeing with me here. Are you saying don't
> > remote log in to a firewall at all, or are you agreeing with me?
> 
> I'm disagreeing. The last thing a fw should do is run a service, let 
> alone one with the security history of ssh.... Manage over serial.

OK, I can see that, and in some cases I agree. Although, I am beginning
to think that for those getting RH>=10, chances are we are talking about
home/SMB users who will not have those capabilities. Thus, SSH would be
the next best thing.

The more I look at it ... Small businesses and homes are the likely
groups to be running this option. Larger businesses are the target of
other RH setups. Homes are exceedingly unlikely to be running Kerberos,
and small businesses are also unlikely. Medium businesses are only slightly
more likely to be running it.

To my understanding (correct me if I'm wrong here) Kerberos only handles
auth, it does not encrypt traffic. Thus, moving files to it using
kerberos auth will still leave those files plaintext over the wire.
Thus, for things like this ssh is a more secure -in general- option. So
when I copy over a new /etc/shadow w/o encrypting the traffic, just
using krb auth, the file is still plaintext over the wire. (should you
be transferring those kinds of things? Sometimes, it is the best choice
of those available)

-- 
Bill Anderson
RHCE #807302597505773
bill at noreboots.com
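
The "mount everything nosuid" suggestion in the message above can be checked mechanically. The following is an added example, not part of the original post: it reads text in /proc/mounts format and lists the mount points that lack the nosuid option. The sample mount table and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report mounted filesystems that are missing "nosuid".
# Input format is that of /proc/mounts:
#   device mountpoint fstype options dump pass

# Constructed sample table, not taken from any real host.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/hda2 /home ext3 rw,nosuid,nodev 0 0
/dev/hda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/hda5 /var ext3 rw,nodev 0 0
none /proc proc rw,nosuid,nodev,noexec 0 0'

# Read a mount table on stdin and print the mount point of every entry
# whose comma-separated option list does not contain exactly "nosuid".
missing_nosuid() {
    awk '{
        n = split($4, opts, ",")
        found = 0
        for (i = 1; i <= n; i++)
            if (opts[i] == "nosuid") found = 1
        if (!found) print $2
    }'
}

# Audit the file given as the first argument (for example /proc/mounts),
# or the constructed sample when no argument is supplied.
audit_mounts() {
    if [ -n "${1:-}" ]; then
        missing_nosuid < "$1"
    else
        printf '%s\n' "$SAMPLE_MOUNTS" | missing_nosuid
    fi
}

audit_mounts "$@"
```

An empty result means every mounted filesystem carries nosuid, which is the state in which setuid binaries such as su no longer gain privileges.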

More information about the fedora-test-list mailing list