Hi,

On Fri, May 09, 2003 at 12:07:12AM +1000, Russell Coker wrote:
> On Thu, 8 May 2003 22:36, Andrew Suffield wrote:
> > Security should be end-to-end, not point-to-point. The sheer number of
> > times a site has been compromised because their "secure" network
> > wasn't and somebody was using rsh...
>
> Even that isn't enough IMHO.
>
> I have my machines configured such that ssh can't provide administrative
> access, and even if someone cracks sshd it can't grant such access. Then
> after someone logs in via ssh they have to re-authenticate before getting
> full access.

This really leaves me wondering. Do you go through this trouble for
*any* network, even the small one between, say, your webserver farm and
a MySQL server, which, ahum, incidentally also authenticates based on
source IP, username and cleartext password?

You're not saying you tunnel that through SSH, do you?

If not, I hope we've finally recognised that there are different classes
of networks with different security requirements.

Cheers,

Emile.

-- 
E-Advies - Emile van Bergen           emile@e-advies.nl
tel. +31 (0)70 3906153                http://www.e-advies.nl