new openssh (new paranoia-patch)

Björn Lindberg d95-bli at nada.kth.se
Wed Aug 18 07:15:05 PDT 2004


"Rainer P. Feller" <Rainer-Peter.Feller at physik.uni-hamburg.de> writes:

> On Wed, 2004-08-18 at 15:45, Bennett Todd wrote:
> > Thanks many times over, both for the original posting and for the
> > answers.
> > 
> > Now you've got me seriously curious, though; what kind of scenario
> > are you thinking of with the paranoia patch? I've tried to cons up
> > fantasies of where I might want to use it, and they all seem pretty
> > dystopian.
> 
> You want a useful scenario?
> O.K., here it is ;-)
> 
> A login server: you log into an environment where every single executable
> file is on a read-only filesystem; if a file is on a r/w filesystem it is
> not executable, and /lib/ld-linux.so belongs to nobody and has an s-flag.
> In this login server there are 3 network interfaces, and you want all
> traffic into the login environment to come through eth0 and all traffic
> out of the login environment to go through eth1; you don't want anybody to
> be able to use the 3rd interface, which is connected to a backup server.
> Then you have to be able to override command-line parameters given by a
> user, and for this you need to patch the ssh client.

Couldn't you just configure the sshd on the backup server to only
accept connections from a certain user?


Björn
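Added example, not from the thread or from any poster: the sshd_config the reply suggests for the backup server, admitting only one account and only from the login server's third interface. Hostnames and addresses are constructed placeholders, and the directives assume a reasonably current OpenSSH (Match blocks and USER@HOST patterns in AllowUsers).

```sshd_config
# Added example (not from the thread): restrict the backup server's sshd
# so only the backup account, arriving from the login server's third
# interface, is accepted. Addresses and account names are constructed.

# Listen only on the address that faces the login server's backup link,
# so the daemon is not reachable from the other networks at all.
ListenAddress 10.0.3.1

# AllowUsers is a whitelist: anyone not listed is refused before
# authentication is attempted. USER@HOST ties the account to the source.
AllowUsers backup@10.0.3.2

# Key-only, no forwarding, so the backup channel cannot be used as a hop
# onto other networks even if the backup account itself is compromised.
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no

# Anything arriving from elsewhere (should ListenAddress ever be widened)
# still gets an empty whitelist.
Match Address *,!10.0.3.2
    AllowUsers nobody-allowed@0.0.0.0
```

Validate before restarting: `sshd -t -f /etc/ssh/sshd_config` prints nothing on success, and `sshd -T -C user=backup,addr=10.0.3.2` shows the settings that would actually apply to that client.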

