[Gllug] Selective SSH logins

Daniel P. Berrange dan at berrange.com
Wed Aug 27 09:10:15 UTC 2008


On Wed, Aug 27, 2008 at 05:23:26AM +0100, Nix wrote:
> On 26 Aug 2008, Daniel P. Berrange outgrape:
> 
> > And if you have NFS home directories, and aren't requiring Kerberized NFS
> > clients, then SSH keys are worse than useless thanks to NFS' complete lack
> > of a security model
> 
> That depends very much on your network topology. If your NFS servers and
> clients are within the same trust boundary, or you only share non-
> security-important state, and especially if you export read-only, I
> can't see the problem.

Sure, if you can guarantee that no Joe Random user can plug in an ethernet
cable to their laptop, and you control who has root on every client on
your network you are 'secure'. Few places I know go to those lengths though.

Daniel
-- 
|: http://berrange.com/     -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://freshmeat.net/~danielpb/    -o-   http://gtk-vnc.sourceforge.net :|
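
An added example, not part of the original message: a small Python audit of a Linux `/etc/exports` file that flags entries still accepting non-Kerberos (`sec=sys`) authentication, the case discussed above, and records whether each is writable. The sample exports text and the function name are constructed for illustration; it assumes one export per line, with no continuation lines or quoted paths.

```python
# Constructed sample /etc/exports content (not taken from the thread).
SAMPLE_EXPORTS = """\
# home directories exported to a whole subnet
/home        192.168.1.0/24(rw,sync,root_squash)
/home/krb    *.example.org(rw,sync,sec=krb5p)
/srv/pub     *(ro,sync)
/export/mix  10.0.0.0/8(rw,sec=krb5:sys) admin.example.org(ro,sec=sys)
"""

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}


def audit_exports(text):
    """Return (path, client, weak_flavors, writable) for every export
    entry that accepts a non-Kerberos security flavor."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for entry in clients:
            client, _, opts = entry.partition("(")
            options = opts.rstrip(")").split(",") if opts else []
            # Linux nfsd falls back to sec=sys when no sec= option is given:
            # the server then trusts whatever UID the client asserts.
            flavors = ["sys"]
            for opt in options:
                if opt.startswith("sec="):
                    flavors = opt[4:].split(":")
            weak = tuple(f for f in flavors if f not in KRB_FLAVORS)
            if weak:
                # A writable export lets anyone with root on a client edit
                # another user's ~/.ssh/authorized_keys; "ro" is the default.
                findings.append((path, client, weak, "rw" in options))
    return findings


if __name__ == "__main__":
    for path, client, weak, writable in audit_exports(SAMPLE_EXPORTS):
        mode = "read-write" if writable else "read-only"
        print(f"{path} -> {client}: accepts {','.join(weak)} ({mode})")
```
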