[233] in resnet


Re: remote access to public workstations at night

daemon@ATHENA.MIT.EDU (Marc Horowitz)
Mon Mar 7 01:31:20 1994

To: fihsu@MIT.EDU
Cc: resnet@MIT.EDU, Gilbert Leung <gleung@MIT.EDU>
In-Reply-To: [232] in resnet
Date: Mon, 07 Mar 94 01:30:54 EST
From: Marc Horowitz <marc@MIT.EDU>

Well, I have a few ideas to contribute:

 - Require a real user-associated ATHENA.MIT.EDU kerberos principal to
log into a cluster machine remotely.  This requires kerberized
clients, but that's not too hard.  Make the cluster machines log such
logins to a secure central location, so there is an audit trail if
hacking occurs.

 - Have a logout button on the console when someone is logged in
remotely.  This gives the remote user a five minute warning,
express-style, then he gets punted.  When a cluster starts filling,
initiate this process automatically for the remaining machines in the
cluster.

 - Run a reactivate cycle (check disks, kill old users' processes,
etc) on every logout.  In fact, this should probably happen regardless
of anything IS may do to make remote use of cluster machines possible.

 - Do not allow multiple users on a single cluster machine.

 - When a user logs into a cluster machine remotely, change the root
pw to something known only to ops.  Change it back to the standard
public root after the user logs out (see reactivate above), and when
the machine reboots.  This will prevent the easiest way of becoming
root by people logging in remotely.  Yes, there are a zillion other
ways, but this is in addition to logging and an audit trail.

 - Use gdss to authenticate the login locally, in absence of a srvtab.

 - Limit remote use to one machine at a time.

 - Make it possible to exclude users who abuse the system.

Although remote use of cluster machines is a difficult security
problem, I believe it is solvable.  However, it would require a lot of
work.  New dialup hardware may well be cheaper.
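The admission rules above (real user principal in the Athena realm, no second user per machine, one machine per user, an exclusion list, reactivate on logout, everything written to an audit trail), as an added example that is not part of this thread or of any Athena/IS code: a small Python policy model. The "real user principal" test (name@ATHENA.MIT.EDU with no instance), the machine names and the in-memory audit list are all assumptions standing in for the real Kerberos and central-logging pieces.

```python
from dataclasses import dataclass, field

REALM = "ATHENA.MIT.EDU"


@dataclass
class ClusterPolicy:
    excluded: set = field(default_factory=set)    # users barred for abuse
    sessions: dict = field(default_factory=dict)  # machine -> principal
    audit: list = field(default_factory=list)     # stand-in for the secure central log

    def _log(self, event, principal, machine, ok):
        # Assumption: in the real system this record goes to a central log host
        self.audit.append((event, principal, machine, ok))

    def is_user_principal(self, principal):
        # Assumption: a "real user-associated" principal is name@REALM with no instance
        name, sep, realm = principal.partition("@")
        return sep == "@" and realm == REALM and name != "" and "/" not in name

    def remote_login(self, principal, machine):
        reasons = []
        if not self.is_user_principal(principal):
            reasons.append("not a user principal in " + REALM)
        if principal in self.excluded:
            reasons.append("user excluded for abuse")
        if machine in self.sessions:
            reasons.append("machine already in use")        # one user per machine
        if principal in self.sessions.values():
            reasons.append("user already on another machine")  # one machine per user
        ok = not reasons
        if ok:
            self.sessions[machine] = principal
        self._log("login", principal, machine, ok)   # logged whether or not admitted
        return ok, reasons

    def logout(self, machine):
        principal = self.sessions.pop(machine, None)
        if principal is not None:
            self.reactivate(machine)
        self._log("logout", principal, machine, principal is not None)
        return principal

    def reactivate(self, machine):
        # Placeholder for the reactivate cycle: check disks, kill leftover
        # processes, restore the standard public root password
        self._log("reactivate", None, machine, True)
```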
