[1845] in SIPB_Linux_Development
Re: suggestion for /etc/athena/inetd.conf
daemon@ATHENA.MIT.EDU (Edwin Foo)
Mon Oct 6 02:16:21 1997
Date: Mon, 06 Oct 1997 02:14:52 -0400
To: Erik Nygren <nygren@MIT.EDU>
From: Edwin Foo <efoo@MIT.EDU>
Cc: "Kevin 'Bob' Fu" <fubob@MIT.EDU>, linux-dev@MIT.EDU, net-defense@MIT.EDU
In-Reply-To: <199710060400.AAA22493@zocalo.mit.edu>
Hi,
>* In order to notify users of security problems that require attention,
> we need to be able to contact them in some way. One approach is for
> the machine to prompt for the owner's email address at install-time.
> This address could either be used to add the user to an announcement-only
> list, or could be used by the machine to send mail about things
> like needing to run update.pl when it changes.
The NetBSD-Athena install script mails something to the SIPB whenever you
install it, I believe. We could do well to emulate it and make it do the
things that Erik is suggesting here.
>* Make the system default to only allowing secure connections.
> As part of this, we should also include ssh in the distributions.
> (Apparently, there's a modified version that works with PAM).
> Users can enable insecure telnet themselves, but a comment
> in inetd.conf could discourage this. Also distribute
> kerberized telnet and ssh client binaries for lots of platforms
> so that people don't have any excuse. We have to make it
> as easy as possible for people to use them without any/much
> effort and without being sysadmins on the machines they're
> logging in from. I think NetOps is working on this...
If there is ssh for Windows, that would be nice, but so far I have only
been able to find a commercial implementation that costs money. Granted, we
have kerberized telnet for Windows, so I guess we don't really need ssh for
Windows, but for MIT students who telnet back onto campus from off-site
(people on 6A assignment, for example, or summertime), it is next to
impossible to get HostExplorer because the MIT server limits it to 18.*. If
anyone knows how to get ssh for windows, please post here.
>* Possibly have a script that checks for standard indications
> of break-ins (ie, weird files in /dev, changed login binary,
> etc) and notifies the machine owner.
I am currently working on getting the TripWire system to run on my own
machine -- this basically is a system for detecting unauthorized changes to
system files through use of hashes and the like. Another project I am
thinking about is using S/Key systems for local users instead of relying on
ssh and/or cleartext passwords (because ssh unfortunately isn't publicly
available on all platforms) Once I get it done I could try releasing it as
a RPM file for others. Is there interest?
>* Make subsystems (such as samba) not start up even if they are
> installed, but make it easy for users to enable them.
> Also comment out unnecessary things in inetd.conf.
I think that making it easy to enable won't help anything, unfortunately.
Too many people think that "enabling" everything under the sun makes their
Linux box cool and don't bother to consider the consequences. We should
actually go one step further and make it such that even if Samba is
enabled, it's default configuration is _much_ more secure than it is now
and allows only basic connectivity. Anyone who wants to do more with their
system ought to have to make the effort to at least read the man page on it
and understand what is going on, not just uncomment some line in inetd.conf.
>I suggested having a meeting last week but Thursday was a bad time.
>Do people think a meeting would be useful, or should we just discuss
>issues here? Either way, something really needs to get done.
I think a meeting would be good -- I'm willing to be the first confirmed
participant. There are lots of things that would just take a while to
discuss over email, where instead a conference with the linux-dev people
present as well as everyone else could probably accomplish lots in a short
time.
-Edwin
------------------------------------------------------------------------
The FooBunny | MIT Computer Science '98 - Systems and Architecture
efoo@mit.edu | DEC Cambridge Research Lab - Parallel Computing Group
(617) 225-8826 | Residential Computing Consultant (RCC) - Next House
"Love must be sincere; Hate what is evil; cling to what is good."
- Romans 12:9 <><
------------------------------------------------------------------------
