Re: How to reduce sid security
Peter Cordes <email@example.com> wrote in message news:<fxZR.firstname.lastname@example.org>...
> On Thu, Jul 31, 2003 at 02:17:46PM -0700, Boyd Moore wrote:
> > I have two Debian systems behind a Linksys router, with the router
> > blocking everything except returning packets. One system is debian
> > "stable" (Woody), the other "unstable" (Sid). I have read
> > through just about all the PAM docs and the Debian Security Docs, but
> > still
> > haven't been able to find out how to make Sid allow Woody, for
> > example, start an X session as a remote host - I have tried all the
> > ideas that were given.
> Huh, are you asking about XDM? I'm really not sure what you want to do.
> If you want to be able to run X programs on the other machine, and have them
> display on your X desktop, use ssh -X, or make forwardX11 the default for
> that host. If you want the window manager and everything to be running on
> the other machine, then I guess you want XDM, but you can't use encryption
> for that.
Well, it was really two issues here: one about XDM and the other about ssh.
> > For a while, before I updated the Sid system using dselect, I at least
> > had ssh working both ways. But now I can only ssh to Woody from Sid;
> > not the other direction. I've checked all the config files and can't
> > find
> > where it is stopping. I get the message: "ssh exchange identification:
> > Connection closed by remote host"
> Check /etc/hosts.allow. Put in a sshd: ALL line.
Thanks. That fixed ssh.
> > I would really like these two systems to trust each other with just
> > the "host.equiv" and .rhosts files set, even though that is unsafe on
> > a system exposed to the world. But for the type work I am doing, that
> > is not a problem.
> You should use ssh-keygen to create a keypair on each machine, and copy the
> public key from the machine you generated it on to the other machine. This
> allows quick passwordless authentication. It does only work on a
> per-account basis, not a machine-wide thing like hosts.equiv. (SSH does
> support .shosts/.rhosts, if you enable it in the config and make
> /usr/bin/ssh (not sshd) setuid root, so it can bind to a port below 1024 (to
> prove that it is trusted). If you really don't care about security, you can
> just install rlogin. I always use ssh even on my trusted LAN at home
> (except for big file transfers) because one tool for everything is easier.
I thought I had rlogin, but I see it is pointing to /etc/alternatives...
You have given me another avenue to search.
> #define X(x,y) x##y
> Peter Cordes ; e-mail: X(peter@cor , des.ca)
> "The gods confound the man who first found out how to distinguish the hours!
> Confound him, too, who in this place set up a sundial, to cut and hack
> my day so wretchedly into small pieces!" -- Plautus, 200 BC