[Astlinux-users] System Lockdown/securement [Was: Re: LDAP authentication]

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Thanks Kris! I'm honoured.
There's one further issue of absolute securement that I can't quite 
figure out yet though which is the matter of physical access. If they 
simply mount the CF card, then they can replace the original cron job 
with an insecure one, or worse yet simply remove it all and then they've 
got total control.
Then again, LDAP and Radius are both susceptible to this "brute force" 
:-P attack. However I am definitely interested in solving this. Perhaps 
using a strictly ROM FS? Unpacking an FS out of NVRAM? I'm kind of 
leaning towards the latter as it's still upgradeable, perhaps using a 
signed flashing utility, but as I understand SquashFS, it would seem to 
be the even simpler route. Does anyone have experience with this? It 
seems like a pure read-only FS (i.e. a la CD) would be ideal for 
Astlinux, and a local CF medium would provide for very fast boot times.

Regards,
Bryce Chidester
Rhino Equipment Corp.
br...@rh...
Tel: +1 (480) 940-1826 x6351
Fax: +1 (480) 961-1826
FWD: 633686 x6351
IP: asterisk.rhinoequipment.com x6351

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE  PROPRIETARY MATERIAL and is thus for use only by the intended  recipient. If you received this in error, please contact the sender  and delete the email and its attachments from all computers.

Kristian Kielhofner wrote:
> On 3/5/07, Lenir Santiago <fla...@ya...> wrote:
>   
>> we have about 20 boxes in client offices which we manage for them, and what
>> we want to do is prevent root access via ssh (for security) and use a
>> maintenance account (or one for each of our techs) to login to the box if we
>> need to and if we ever need to change a password (or all passwords) we can
>> do it at the ldap server. Also if its easier, radius would also work for us.
>>
>>
>>     
>
> Hmmm...
>
>   That is interesting.
>
>   The real problem is going to be that uClibc and all of the other
> base components of AstLinux don't support NSS or PAM.  Those things
> are usually not required (or wanted) in embedded systems.
>
>   I like Bryce's SSH key idea.
>
>   