root on ports

Bryan Dumm bdumm at bobby.bcpub.com
Fri Feb 16 00:50:00 PST 2001


On Thursday 15 February 2001 22:25, you wrote:
> On Thursday 15 February 2001 16:06, Fabio Fracassi wrote:
> > but anyone with read access to the profile can still take the encrypted
> > password to get root access! Or not?
>
> That is correct. If you keep the profile with the password, but put "rm -rf
> /" instead of everything else, you just killed the whole system.
>
> Maybe the password would need to be asked by the frontend to the user
> before starting, and then kept somewhere safe? Of course, if the building
> is killed, fails, is terminated, or simply ends, there should be no way of
> finding that password.

<rant mode>

Ok first off, Why would we use SSH with ALFS? It's not in this 
email, but why? Why make SSH a requirement for network ALFS?
This is not right, even if SSH does have things like ssh-agent.

Ok second of all, everyone keeps talking about man in the middle attacks,
where you are intercepting and changing the profile to do evil deeds....

Well look @ what I have been saying. Maybe a clear example will help....

Ok user sitting @ frontend. Frontend says hey I got these elements that
have user="root" in them, got that root password? User types that in, and
the frontend only does some simple passwd encryption, say just plain
old crypt(). Now if you are paranoid, add ssl to that transaction. If you are
even more paranoid, add say some md5 checksumming to your profile.

It would not be a "BIG" deal, to have md5 with the SECRET for that encryption,
decryption of that profile. Even if someone intercepted and altered the
profile on the way to the backend. Now if you were really paranoid about
your SECRET being discovered (as it would need to be on both sides), you
could have rotation schemes of your SECRET, or say a rotation scheme on
one side(server), and one of those handy-dandy password device thingies. 
The ones where you enter a personal password, and based on the time of 
day, etc. it will tell you the SECRET. 

What I am getting @ though, is this is all alfs_app designer stuff. Not
ALFS.pm stuff. ALFS.pm should rely on simple techniques there I believe
to accomplish its goal of getting <make_install user="root"> to run......

Also please remember that <password> being in the profile, would only 
be there for the profile sent to the backend. It would not be in chap5 or 
any packages profile like that... No reason to return it in the %messages 
either. 

If you wanted to build your alfs_app to require ssh for all of this, that 
should be the alfs_app desire, not a requirement of alfs.....

</rant mode>

Bryan
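
Added example (not part of the original post and not ALFS code): one way the shared-SECRET checksum and the time-based rotation described above could look in Python. It uses HMAC-SHA-256 in place of the plain md5-with-SECRET the post mentions; `STEP`, the profile layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

STEP = 300  # seconds per rotation window (assumed value)

def window_key(secret: bytes, now: float) -> bytes:
    """Derive the per-window key from the long-term SECRET and the clock."""
    counter = int(now // STEP).to_bytes(8, "big")
    return hmac.new(secret, counter, hashlib.sha256).digest()

def seal_profile(profile: bytes, secret: bytes, now: float) -> str:
    """Frontend side: hex tag sent alongside the profile."""
    return hmac.new(window_key(secret, now), profile, hashlib.sha256).hexdigest()

def verify_profile(profile: bytes, tag: str, secret: bytes, now: float) -> bool:
    """Backend side: accept only an unmodified profile sealed in this or the previous window."""
    for t in (now, now - STEP):
        expected = seal_profile(profile, secret, t)
        if hmac.compare_digest(expected, tag):  # constant-time comparison
            return True
    return False

# Constructed sample data, not a real ALFS profile.
SECRET = b"constructed-shared-secret"
PROFILE = (b'<profile><password>CRYPTED-PLACEHOLDER</password>'
           b'<make_install user="root">make install</make_install></profile>')
# Same password element, different command: the case raised in the quoted reply.
TAMPERED = PROFILE.replace(b"make install", b"echo altered-in-transit")

def demo() -> dict:
    sent_at = 1_000_000.0
    tag = seal_profile(PROFILE, SECRET, sent_at)
    return {
        "intact": verify_profile(PROFILE, tag, SECRET, sent_at + 10),
        "altered": verify_profile(TAMPERED, tag, SECRET, sent_at + 10),
        "wrong_secret": verify_profile(PROFILE, tag, b"guess", sent_at + 10),
        "stale": verify_profile(PROFILE, tag, SECRET, sent_at + 3 * STEP),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s} accepted={ok}")
```

The tag only detects alteration; it does not hide the `<password>` element, which is what the SSL step in the post is for.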
