Re: Use opie on Debian central servers to prevent password sniffing?
From: Philippe Troin <phil@fifi.org>
>I haven't looked at OPIE for ages, but when using it with ssh, doesn't
>it force you to turn privilege separation off in /etc/ssh/sshd_config?
Yes, using opie and pam and sshd all at once requires turning off
privilege separation for sshd.
Opie protects against a local root exploit anywhere on the machine
causing a bunch of cascading compromises.
Sshd privilege separation protects against an exploit in openssh
allowing remote compromise of a bunch of machines.
I don't know which risk is bigger.
Hey, maybe using exec-shield would decrease the chances of the openssh
bugs being exploitable? That would also make other local root
exploits harder. But maybe that has already been done.
--
Tim Freeman tim@fungible.com
I xeroxed a mirror. Now I have an extra xerox machine. -- Steven Wright