[881] in NetBSD-Development
Re: NetBSD configuration for dialup
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Jul 21 17:49:35 1995
To: Sam Hartman <hartmans@MIT.EDU>
Cc: bug-dialup@MIT.EDU, pc-dialup@MIT.EDU
In-Reply-To: Your message of "Fri, 21 Jul 1995 17:37:35 EDT."
<199507212137.RAA16081@tertius.mit.edu>
Date: Fri, 21 Jul 1995 17:48:46 EDT
From: Greg Hudson <ghudson@MIT.EDU>

> Basically, this deals with ways of securing the dialups.

I'm opposed to just about everything you proposed, for two reasons
(some of which you mentioned yourself):

    1. They're limiting, and will make administration more costly.
       This makes it less likely for PC dialups to be accepted by
       the dialup maintainers.

    2. They will require the machine to be rebooted into
       single-user mode (causing an outage) to perform many
       maintenance tasks which could otherwise be done online.

The DECstation dialups certainly don't have any of the measures you
suggested here (except lack of a packet filter, and AFS in the
kernel), and to my knowledge we haven't had serious trouble with
security (people logging in and running "crack" wouldn't be solved by
any of the measures mentioned). I generally consider it poor to go to
a lot of effort to counter social problems which don't yet exist.

On the practical side, conversations with Charles have left me with
the impression that NetBSD security levels aren't very airtight right
now, so it's probably not worth using them until they are.