[Beowulf] Newbie

Leif Nixon nixon at nsc.liu.se
Thu Jan 5 08:14:12 EST 2006


Dan Stromberg <strombrg at dcs.nac.uci.edu> writes:

> Aside from the fact that IP addresses can be spoofed, if you go pure
> host-based, then anyone on the host in question can do what they need to
> do.

SSH trusted host authentication involves verification of the host key,
so IP address spoofing isn't enough. I'm not sure what you mean by
"anyone on the host in question can do what they need to do".

> If you do go pure host-based auth, and you want to maximize security
> given that requirement, then you might want to guard that one host very
> carefully.

I'm not following you here either. Whether you choose the "give all
users passphrase-less keys" route or the host-based auth route, you're
*equally* screwed if a bad guy gets root. He can su to any user and
ssh away to his delight. (Given a standard NFS setup.)

-- 
Leif Nixon                       -            Systems expert
------------------------------------------------------------
National Supercomputer Centre    -      Linkoping University
------------------------------------------------------------
_______________________________________________
Beowulf mailing list, Beowulf at beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf