[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Is Skolelinux safe?

Jonas, thank you for taking the efford of summarizing the thread
from the norwegian list. 

<sarcasm and annoyance>
i read it partly but i did not get the
impression that people really cared for input from other (english
speaking) people and the competence level was not above average
all the time, either.

I wondered why the discussion was conducted on that list in the
first place, and concluded it was more for entertainment and
chit-chat because people would *of cause* not want to be rude by
excluding anyone from the discussion by using "private" languages.
</sarcasm and annoyance>

* Jonas Smedegaard (dr@jones.dk) [040309 02:36]:
> ~ 2d) Login securely, and tunnel X communication securely. With Lessdisks
> this is done by the script sdm using SSH. With lessdisks 4 (not yet
> ackaged for Debian) it seems to be also somehow possible (but only
> optional?) using SSH.
> ~ 2e) If access is needed from local client to personal files on server
> (e.g. when running some applications locally) do it securely. Lessdisks
> uses a Debian chroot so any Debian-supported secure filesystem can be
> used. Simplest to setup secure filesystems seems to be SFS and
> NFS-over-SSH[6].

both 2d and 2e are rather fragile tunnels. ssh is not meant to be
used for this kind of job. ipsec is the right tool for the job
and is in the debian kernel for some time. with that one can
tunnel traffic nicely. cyphers like blowfish or AES can be used
even on lowend machines without performance hit.

if the servers need to encrypt larger ammounts of data (high
traffic volume, many clients) it can help a lot to utilize
hardware random number generators. sometimes those are integrated
into the chipset and are highly costeffectiv that way.

generally servers are much more vulnerable when RPC and the
portmapper are used. this is an invitation for hacking and
penetration. an other filesystem then NFS would be a long term
and more robust solution. AFS supports kerberos and strong
encription/hashing, but has some license issues and is
non-trivial to set up (it is not in the (debian) kernel either).
Kurt told me yesterday that Chris Hübsch of AFS fame would be
happy to help us getting it integrated.

I propose to investigate that further.

Reply to: