
Re: How to reduce sid security



On Thu, Jul 31, 2003 at 02:17:46PM -0700, Boyd Moore wrote:
> I have two Debian systems behind a Linksys router, with the router
> blocking everything except returning packets. One system is debian
> "stable" (Woody), the other "unstable" (Sid).  I have read
> through just about all the PAM docs and the Debian Security Docs, but
> still
> haven't been able to find out how to make Sid allow Woody, for
> example, start an X session as a remote host - I have tried all the
> ideas that were given.

 Huh, are you asking about XDM?  I'm really not sure what you want to do.
If you want to be able to run X programs on the other machine, and have them
display on your X desktop, use ssh -X, or make forwardX11 the default for
that host.  If you want the window manager and everything to be running on
the other machine, then I guess you want XDM, but you can't use encryption
for that.

> For a while, before I updated the Sid system using dselect, I at least
> had ssh working both ways.  But now I can only ssh to Woody from Sid;
> not the other direction. I've checked all the config files and can't
> find
> where it is stopping. I get the message: "ssh_exchange_identification:
> Connection closed by remote host"

 Check /etc/hosts.allow.  Put in a   sshd: ALL  line.


> I would really like these two systems to trust each other with just
> the "host.equiv" and .rhosts files set, even though that is unsafe on
> a system exposed to the world.  But for the type work I am doing, that
> is not a problem.

 You should use ssh-keygen to create a keypair on each machine, and copy the
public key from the machine you generated it on to the other machine.  This
allows quick passwordless authentication.  It does only work on a
per-account basis, not a machine-wide thing like hosts.equiv.  (SSH does
support .shosts/.rhosts, if you enable it in the config _and_ make
/usr/bin/ssh (not sshd) setuid root, so it can bind to a port below 1024 (to
prove that it is trusted).)  If you really don't care about security, you can
just install rlogin.  I always use ssh even on my trusted LAN at home
(except for big file transfers) because one tool for everything is easier.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@cor , des.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC
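An added example, not part of Peter's mail: two small POSIX sh helpers covering the two fixes he suggests, the tcp_wrappers rule that clears the "ssh_exchange_identification: Connection closed by remote host" error, and installing a public key for per-account passwordless login. File paths are passed as parameters so the helpers can be exercised against temporary copies; the key string used in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original mail).  Assumes a tcp_wrappers-style
# /etc/hosts.allow and an OpenSSH sshd reading ~/.ssh/authorized_keys.

# Return 0 if a hosts.allow-style file grants sshd access, 1 otherwise.
# Accepts "sshd: ALL" as in the mail, a narrower "sshd: 192.168.1." LAN
# rule (tighter than ALL on a machine that ever sees the Internet), or a
# blanket "ALL: ...".  Lines beginning with '#' are comments.
hosts_allow_permits_sshd() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" \
      | grep -Eq '^[[:space:]]*(sshd|ALL)[[:space:]]*:'
}

# Append one public key line (e.g. the contents of id_rsa.pub copied from
# the other machine) to $home/.ssh/authorized_keys exactly once, with the
# permissions sshd's StrictModes check requires: 700 on the directory,
# 600 on the file.  Wrong modes are a classic reason key login silently
# falls back to a password prompt.  Prints how many copies are present.
install_pubkey() {
    home="$1"; pubkey="$2"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    auth="$home/.ssh/authorized_keys"
    touch "$auth" && chmod 600 "$auth"
    if ! grep -qxF "$pubkey" "$auth"; then
        printf '%s\n' "$pubkey" >> "$auth"
    fi
    grep -cxF "$pubkey" "$auth"
}

# Typical use on the machine that should accept logins (constructed key):
#   hosts_allow_permits_sshd /etc/hosts.allow || echo 'add "sshd: ALL"'
#   install_pubkey "$HOME" 'ssh-rsa AAAAB3...constructed... peter@woody'
```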
