From: Bryce C. <br...@rh...> - 2007-03-06 07:41:17
Thanks Kris! I'm honoured. There's one further issue of absolute securement that I can't quite figure out yet though, which is the matter of physical access. If they simply mount the CF card, then they can replace the original cron job with an insecure one, or worse yet simply remove it all, and then they've got total control. Then again, LDAP and RADIUS are both susceptible to this "brute force" :-P attack. However, I am definitely interested in solving this.

Perhaps using a strictly ROM FS? Unpacking an FS out of NVRAM? I'm kind of leaning towards the latter as it's still upgradeable, perhaps using a signed flashing utility, but as I understand SquashFS, it would seem to be the even simpler route. Does anyone have experience with this? It seems like a pure read-only FS (i.e. a la CD) would be ideal for AstLinux, and a local CF medium would provide for very fast boot times.

Regards,
Bryce Chidester
Rhino Equipment Corp.
br...@rh...
Tel: +1 (480) 940-1826 x6351
Fax: +1 (480) 961-1826
FWD: 633686 x6351
IP: asterisk.rhinoequipment.com x6351

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the email and its attachments from all computers.

Kristian Kielhofner wrote:
> On 3/5/07, Lenir Santiago <fla...@ya...> wrote:
>> we have about 20 boxes in client offices which we manage for them, and what
>> we want to do is prevent root access via ssh (for security) and use a
>> maintenance account (or one for each of our techs) to login to the box if we
>> need to and if we ever need to change a password (or all passwords) we can
>> do it at the ldap server. Also if its easier, radius would also work for us.
>
> Hmmm...
>
> That is interesting.
>
> The real problem is going to be that uClibc and all of the other
> base components of AstLinux don't support NSS or PAM. Those things
> are usually not required (or wanted) in embedded systems.
>
> I like Bryce's SSH key idea.
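The "signed flashing utility" Bryce floats above is the piece that survives physical access to the card: an attacker who can mount the CF can rewrite the image, but if the boot code carries only a public key and refuses any image whose signature does not verify, a tampered root FS never gets flashed or mounted. The following is an added example written for this page, not code from this thread or from the AstLinux project. It models that check with a standard-library-only RSASSA-PKCS1-v1_5 over SHA-256 so it runs offline; the toy key generation, the 1024-bit demo key size, the constructed stand-in image and the `flash_if_valid` entry point are all assumptions made for the illustration, and a real build should use a vetted library and larger keys.

```python
"""Signed-image check for a read-only root FS (e.g. a SquashFS image on CF).

Device side holds only the PUBLIC key (n, e); the private key stays on the
build host. Toy RSA over EMSA-PKCS1-v1_5/SHA-256, stdlib only, for illustration.
"""
import hashlib
import hmac
import secrets
from math import gcd

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin with a small-prime pre-filter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)). 1024 bits keeps the demo fast; use >= 3072 for real keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _emsa_pkcs1_v1_5(image: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xff...) || 0x00 || DigestInfo || SHA-256(image)."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(image).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too small for EMSA-PKCS1-v1_5")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign_image(image: bytes, priv) -> bytes:
    """Build host: run once per release; the private key never touches a device."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v1_5(image, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify_image(image: bytes, sig: bytes, pub) -> bool:
    """Device: needs only (n, e), which can live in ROM next to the bootloader."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Compare the whole encoded message instead of parsing it: a lenient parser
    # that stops at the first hash it finds is the classic low-exponent forgery bug.
    return hmac.compare_digest(em, _emsa_pkcs1_v1_5(image, k))


def flash_if_valid(image: bytes, sig: bytes, pub) -> bytes:
    """Hypothetical flashing-utility entry point: returns bytes to write, or refuses."""
    if not verify_image(image, sig, pub):
        raise PermissionError("image signature invalid; refusing to flash")
    return image


if __name__ == "__main__":
    image = b"hsqs" + bytes(range(256)) * 64       # constructed stand-in for a SquashFS
    pub, priv = generate_keypair()
    sig = sign_image(image, priv)
    print("genuine image accepted:", verify_image(image, sig, pub))
    tampered = image[:100] + b"evil cron job" + image[113:]
    print("tampered image accepted:", verify_image(tampered, sig, pub))
```

The check only buys anything if the code that runs `verify_image` and the public key are themselves outside the attacker's reach, for instance in a boot ROM or a write-protected NVRAM region, since a CF card the attacker can mount is exactly what is being verified. Note also that the signature covers the whole image, so per-box writable state (configs, logs) belongs on a separate partition rather than inside the signed root.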