ssh replace rsh (was Re: Problem to save log files.)

Henning Glawe glaweh at physik.fu-berlin.de
Sun Jul 14 13:17:26 CEST 2002


On Sat, Jul 13, 2002 at 01:11:10PM +0200, Andreas Schockenhoff wrote:
> I have done this after every make-fai-nfsroot.
> cp /usr/lib/fai/nfsroot/root/.ssh/id_dsa.pub /home/fai/.ssh/authorized_keys
> cp /etc/ssh/ssh_host_dsa_key.pub /usr/lib/fai/nfsroot/root/.ssh/
if you use the PFAI version of make-fai-nfsroot, you wouldn't have to do
this; because in this version, a recursive fcopy is used for configuring
the system. just put the files into the $CONFIG/files hierarchy, using
class FAI-NFSROOT.

> Is there a new security Problem? 
I've written an (not very well tested) script to be used as COMMAND for
the authorized logsave-key. this allows only hosts to write to their own
directories on the server, and only to non-existent subdirs. besides no
other requests but 'scp' are working...
thus nobody, even if he possesses the key, can fake logs.

the only possible attack scenery would be, if someone is first takes
over a host during installation, but before install is saving the logs.
then he could save his own 'faked' logs, probably hiding his intrusion...

this special wrapper is for now not even in PFAI, but after a bit of
testing it will get there.

if anyone wants this wrapper i could post it either to the list or
private.

-- 
c u
henning



More information about the linux-fai mailing list