
Re: Use opie on Debian central servers to prevent password sniffing?



From: Philippe Troin <phil@fifi.org>
>I haven't looked at OPIE for ages, but when using it with ssh, doesn't
>it force you to turn privilege separation off in /etc/ssh/sshd_config?

Yes, using opie and pam and sshd all at once requires turning off
privilege separation for sshd.

Opie protects against a local root exploit anywhere on the machine
causing a bunch of cascading compromises.

Sshd privilege separation protects against an exploit in openssh
allowing remote compromise of a bunch of machines.

I don't know which risk is bigger.

Hey, maybe using exec-shield would decrease the chances of the openssh
bugs being exploitable?  That would also make other local root
exploits harder.  But maybe that has already been done.

-- 
Tim Freeman                                                  tim@fungible.com
I xeroxed a mirror. Now I have an extra xerox machine.       -- Steven Wright



