On Mon, Nov 28, 2005 at 02:39:17PM +0000 or thereabouts, David McBride wrote:
> Steve Traylen wrote:
>
> >As has been said before it is not any one but a valid user with logging.
>
> That doesn't mean much. It is utterly trivial for a site admin to steal
> someone else's credentials and do very bad things.
A delegated one which is not accepted at the GK. It is just as easy to steal
the identity of a running ssh-agent as it is to steal a non-delegated proxy.
I have root, I can become you. I realise things like the RB by design start
to accumulate proxies but this is why the users choose an RB they trust
just as they should only ssh agent forward to something they trust.
>
> (The principle of least privilege asserts that entities in a system
> should have the minimum set of capabilities to do their job, which this
> violates in a very real way.)
>
> >What is the difference between a fork job manager and ssh?
>
> My CE doesn't let anyone SSH into it with GSI.
No, nor does mine; the question still stands: what can one do with a valid
GSI credential and an entry in the grid-mapfile compared to someone with
a valid password or installed key file and entry in the passwd file?
>
> >In fact the fork job manager gives you more logging since at least it logs
> >the name of the binary the user initially runs.
>
> I would assert that the name of the binary that an attacker is running
> on your site is not _particularly_ helpful when it comes to security
> incidents as the attacker can rename it at will.
I never said it was useful, just that it is more logging than ssh gives you.
I am of course being annoying here. My faith in the quality of
the OpenSSH code far exceeds that of the globus-gatekeeper. You are suggesting
it is inherently weaker by design though for some reason.
Steve
>
> Cheers,
> David
> --
> David McBride
> Department of Computing, Imperial College, London
--
Steve Traylen
http://www.gridpp.ac.uk/