[882] in NetBSD-Development
Re: NetBSD configuration for dialup
daemon@ATHENA.MIT.EDU (Matt Braun)
Fri Jul 21 18:03:43 1995
To: Greg Hudson <ghudson@MIT.EDU>
Cc: Sam Hartman <hartmans@MIT.EDU>, bug-dialup@MIT.EDU, pc-dialup@MIT.EDU
In-Reply-To: Your message of "Fri, 21 Jul 1995 17:48:46 EDT."
<199507212148.RAA07050@lola-granola.MIT.EDU>
Date: Fri, 21 Jul 1995 18:02:20 EDT
From: Matt Braun <mhbraun@MIT.EDU>
>> The Decstation dialups certainly don't have any of the measures you
>> suggested here (except lack of a packet filter, and AFS in the
>> kernel), and to my knowledge we haven't had serious trouble with
>> security (people logging in and running "crack" wouldn't be solved by
>> any of the measures mentioned). I generally consider it poor to go to
>> a lot of effort to counter social problems which don't yet exist.
Currently, the dialups have their srvd mounted readonly. Because of a bug in
Ultrix, it is often impossible to unmount the /srvd with the machine multiuser,
so we already have to go singleuser to make some modifications. In addition to
this, the dialups have an integrity checker that compares files to known
states, so if the klogin were modified, it would require at least some work to
change the prototypes.
Unless you are planning on using the dialups for their CPU (*gasp*), running
crack is useless. There are no encrypted passwords in /etc/passwd to be
cracked (including root).
>> On the practical side, conversations with Charles have left me with
>> the impression that NetBSD security levels aren't very airtight right
>> now, so it's probably not worth using them until they are.
I would be interested in a quantification of this, especially a comparison
with the other platform we are planning to try out, Solaris.
Matt