
Re: Woody: "xhost +" on Local Machine not Working



on Mon, Apr 22, 2002, Shawn McMahon (smcmahon@eiv.com) wrote:
> begin  Karsten M. Self quotation:
> > > 
> > > Unless the other machine is not administrated by you, 
> > 
> > There are few X11-capable systems which won't allow users to run
> > arbitrary clients.  Including an ssh client run from floppy or a
> > user-installed directory.
> 
> Karsten, have you ever worked somewhere large enough that you didn't
> control the policies for every machine you were required to use?

Get the policy changed.

Or -- see my last alternative -- have the policy maker assume full
responsibility for system exploits which may be traced to insecure
alternatives.  Any alternative means you're being asked to compromise
security of your systems *and* are likely taking responsibility for the
consequences.  This is called accountability without responsibility.  As
a professional, it's a proposition I won't accept.  Yes, I'd be willing
to walk on that count.

I've never worked at a site in which I was responsible for system
security in which SSH wasn't available and installed on all available
systems.  I'm aware that many companies have sorely lacking security
procedures.  I've worked (not in a systems admin role) inside several --
names you'd recognize, probably carry them in your wallet -- and have
raised the issues there.

> I have.  There are MANY X11-capable systems whose administrators will
> not allow users to run arbitrary clients, install arbitrary software,
> or access the floppy drives.
> 
> Hell, I'm not driving to Memphis or flying to Singapore to put a
> floppy in a drive every time I need to use somebody else's server to
> get my job done.

Funny.  I travelled the world last year and carried a bootable GNU/Linux
system for just such occasions.  Highly recommend the LNX-BBC
(http://www.lnx-bbc.org/).  Was on-site at a client's site last week,
brought a floppy with PuTTY, and used it.

> > If you need to find a client for your platform, see a comprehensive list
> > at:
> > 
> >     http://www.linuxmafia.com/pub/linux/security/ssh-clients
> 
> I've got a client for the platforms in question.  It's not worth
> getting fired to install it.

There is a serious problem at your site.  You've raised this issue?

> > X11 forwarding affects server only.  For the client, this is
> > command-line configurable.
> 
> And the server's config can prevent it.

I'll presume one end or the other is under your control. 

> > There's simply no excuse _not_ to use SSH over any network more
> > complex than PLIP.
> 
> Which doesn't prevent other people from making bad decisions.  I am
> not the president of the company.  I am responsible for security and
> software and policy decisions on a few hundred servers, and even there
> I am not the ultimate authority; management is.

Ah...the penny drops.

You're not responsible for security.  You're the fall guy if someone
else's broken policy compromises your systems.  Accountability without
responsibility.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   zIWETHEY: Rattlestar Techlectica:  http://z.iwethey.org/forums/
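As an added example that is not part of this thread: two small shell helpers that check the two settings the exchange above argues about, the xhost access-control state that `xhost +` opens up and the sshd_config X11Forwarding directive that decides whether the server end permits forwarding. The xhost output and sshd_config fragments are constructed samples; `X11Forwarding` (sshd_config) and `ForwardX11` / `ssh -X` (client side) are the real OpenSSH names.

```shell
#!/bin/sh
# Added example, not from the thread: audit helpers for the xhost access-control
# state and the sshd_config X11Forwarding directive. They work on captured text,
# so they run without an X server or an sshd.

# Return 0 when the given `xhost` output shows access control disabled, which is
# what `xhost +` produces: any host that can reach the display may connect.
x_access_open() {
    printf '%s\n' "$1" | grep -q '^access control disabled'
}

# Print the effective X11Forwarding value for the given sshd_config text.
# sshd honours the first occurrence of a keyword; the compiled-in default is "no".
sshd_x11_forwarding() {
    val=$(printf '%s\n' "$1" \
        | grep -i '^[[:space:]]*X11Forwarding[[:space:]]' \
        | head -n 1 \
        | awk '{print tolower($2)}')
    printf '%s\n' "${val:-no}"
}

# Constructed sample inputs (the xhost wording matches what X.Org's xhost prints).
XHOST_OPEN='access control disabled, clients can connect from any host'
XHOST_CLOSED='access control enabled, only authorized clients can connect
INET:workstation.example.org'
SSHD_DEFAULT='# no X11Forwarding line here: sshd falls back to its default of "no"
Port 22'
SSHD_ON='X11Forwarding yes
X11Forwarding no'

if x_access_open "$XHOST_OPEN"; then
    echo "xhost: access control disabled (xhost +); use ssh -X / ForwardX11 instead"
fi
echo "sshd default config: X11Forwarding=$(sshd_x11_forwarding "$SSHD_DEFAULT")"
echo "sshd with directive: X11Forwarding=$(sshd_x11_forwarding "$SSHD_ON")"
```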
