[669] in athena10
Re: "Other Options" xlogin button
daemon@ATHENA.MIT.EDU (ghudson@MIT.EDU)
Tue Dec 2 18:01:05 2008
Date: Tue, 2 Dec 2008 18:00:21 -0500 (EST)
From: ghudson@MIT.EDU
Message-Id: <200812022300.mB2N0LDW015760@outgoing.mit.edu>
To: Bill Cattey <wdc@mit.edu>
CC: athena10@mit.edu
In-reply-to: <1228250792.10050.16.camel@localhost.localdomain>
> I presume that, since we're using the chroot'ed environment, I
> presume security is less of a concern than offering this feature on
> the Athena 9 platform would be.
It's somewhat undesirable for someone to be able to get a shell on a
cluster machine without a Kerberos username and password. I'm not
sure how good of a "kiosk mode" Firefox can present at this time, but
if it does have one, it would probably be best to make use of it.
(I realize there are test accounts that can be used to get a shell on
an Athena machine without identifying yourself. But that hole can be
closed on a per-test-account basis when it happens. We can't turn off
the reg applet in response.)
(I also realize you can probably get a shell in several ways via
rebooting. But that tends to draw attention, and there are also
measures we can implement to notice unexpected reboots remotely if it
becomes an issue.)
