Re: Is Skolelinux safe?
Tue, 09.03.2004 at 13.03, Andreas Schuldei wrote:
> Jonas, thank you for taking the effort of summarizing the thread
> from the Norwegian list.
> <sarcasm and annoyance>
> I read it partly but I did not get the
> impression that people really cared for input from other (English
> speaking) people and the competence level was not above average
> all the time, either.
> I wondered why the discussion was conducted on that list in the
> first place, and concluded it was more for entertainment and
> chit-chat because people would *of course* not want to be rude by
> excluding anyone from the discussion by using "private" languages.
> </sarcasm and annoyance>
Sometimes discussions like this start on the Norwegian list because
the one who starts the discussion is not a developer and/or does not know
about the developer list. Other times it is because they do not want to
write in English. So we are trying to force this kind of discussion
over to the right list, as we did this time. The problem is that we use
too much time before we do this. Working on it ;-)
> * Jonas Smedegaard (email@example.com) [040309 02:36]:
> > 2d) Login securely, and tunnel X communication securely. With Lessdisks
> > this is done by the script sdm using SSH. With lessdisks 4 (not yet
> > packaged for Debian) it seems to be also somehow possible (but only
> > optional?) using SSH.
> > 2e) If access is needed from local client to personal files on server
> > (e.g. when running some applications locally) do it securely. Lessdisks
> > uses a Debian chroot so any Debian-supported secure filesystem can be
> > used. Simplest to setup secure filesystems seems to be SFS and
> > NFS-over-SSH.
> both 2d and 2e are rather fragile tunnels. ssh is not meant to be
> used for this kind of job. ipsec is the right tool for the job
> and is in the Debian kernel for some time. with that one can
> tunnel traffic nicely. cyphers like blowfish or AES can be used
> even on low-end machines without performance hit.
> if the servers need to encrypt larger amounts of data (high
> traffic volume, many clients) it can help a lot to utilize
> hardware random number generators. sometimes those are integrated
> into the chipset and are highly cost-effective that way.
> generally servers are much more vulnerable when RPC and the
> portmapper are used. this is an invitation for hacking and
> penetration. another filesystem than NFS would be a long term
> and more robust solution. AFS supports kerberos and strong
> encryption/hashing, but has some license issues and is
> non-trivial to set up (it is not in the (Debian) kernel either).
> Kurt told me yesterday that Chris Hübsch of AFS fame would be
> happy to help us getting it integrated.
> I propose to investigate that further.