[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How to reduce sid security

tbmoore@bealenet.com (Boyd Moore) wrote in message news:<fFb1.2ht.5@gated-at.bofh.it>...
> Peter Cordes <peter@llama.nslug.ns.ca> wrote in message news:<fxZR.57j.5@gated-at.bofh.it>...
> > On Thu, Jul 31, 2003 at 02:17:46PM -0700, Boyd Moore wrote:
> > > I have two Debian systems behind a Linksys router, with the router
> > > blocking everything except returning packets. One system is debian
> > > "stable" (Woody), the other "unstable" (Sid).  I have read
> > > through just about all the PAM docs and the Debian Security Docs, but
> > > still
> > > haven't been able to find out how to make Sid allow Woody, for
> > > example, start an X session as a remote host - I have tried all the
> > > ideas that were given.
> > 
> >  Huh, are you asking about XDM?  I'm really not sure what you want to do.
> > If you want to be able to run X programs on the other machine, and have them
> > display on your X desktop, use ssh -X, or make forwardX11 the default for
> > that host.  If you want the window manager and everything to be running on
> > the other machine, then I guess you want XDM, but you can't use encryption
> > for that.
> Well, it was really two issues here: one about XDM and the other about ssh.
> > 
> > > For a while, before I updated the Sid system using dselect, I at least
> > > had ssh working both ways.  But now I can only ssh to Woody from Sid;
> > > not the other direction. I've checked all the config files and can't
> > > find
> > > where it is stopping. I get the message: "ssh exchange identification:
> > > Connection closed by remote host"
> > 
> >  Check /etc/hosts.allow.  Put in a   sshd: ALL  line.
> Thanks. That fixed ssh.
> > 
> > 
> > > I would really like these two systems to trust each other with just
> > > the "host.equiv" and .rhosts files set, even though that is unsafe on
> > > a system exposed to the world.  But for the type work I am doing, that
> > > is not a problem.
> > 
> >  You should use ssh-keygen to create a keypair on each machine, and copy the
> > public key from the machine you generated it on to the other machine.  This
> > allows quick passwordless authentication.  It does only work on a
> > per-account basis, not a machine-wide thing like hosts.equiv.  (SSH does
> > support .shosts/.rhosts, if you enable it in the config  and  make
> > /usr/bin/ssh (not sshd) setuid root, so it can bind to a port below 1024 (to
> > prove that it is trusted).  If you really don't care about security, you can
> > just install rlogin.  I always use ssh even on my trusted LAN at home
> > (except for big file transfers) because one tool for everything is easier.
> > 
> I thought I had rlogin, but I see it is pointing to /etc/alternatives...
> You have given me another avenue to search.  
> Thanks again.
> > -- 
> > #define X(x,y) x##y
> > Peter Cordes ;  e-mail: X(peter@cor , des.ca)
> > 
> > "The gods confound the man who first found out how to distinguish the hours!
> >  Confound him, too, who in this place set up a sundial, to cut and hack
> >  my day so wretchedly into small pieces!" -- Plautus, 200 BC
> > 
> > --
> Boyd

Well I did have rlogin, that is it points to netkit-rlogin.  I finally
got rsh to work by commenting out the ALL: PARANOID line in
hosts.deny.  I thought that the  hosts.allow overrode the hosts.deny,
but apparently they have reversed the priority.  Now rsh, rlogin, etc.
works, but still not remote X windows.

I have gone through the xauth routine to make sure the .Xauthority
files are the same for the same user on both hosts.  And I have set
the xhost + on both machines, but I always get the "Can't open display
..." message.

Thanks if you can help

Reply to: