[Gllug] Cost of RedHat vs Ubuntu desktop support

Nix nix at esperi.org.uk
Sat Jul 11 12:37:31 UTC 2009


On 11 Jul 2009, James Laver uttered the following:
> scp them over (no (s)ftp, that might be a
> security risk too).

But, but, but, the authorization and authentication is identical.  Hell,
both of them run ssh(1) under the covers. scp is just 'ssh cat' (pretty
much); sftp is just a nifty mechanism by which the 'cat' is replaced
with something else (a full-blown protocol, implemented by shoving stuff
out of stdin and stdout into ssh/sshd: that's all SSH subsystems are).

I cannot imagine how this could be considered a security hole. If
anything scp is more of a security hole than sftp, because it reads
.ssh/config on the remote machine and thus could end up doing things
*other* than cat(1). That can't happen with sftp because the program run
is always that named in the Subsystem line in sshd_config, which is
under root's control.

> Especially considering that for the first two
> months, I was subject to the most harsh web filters that locked down
> such work-unsafe sites as SOURCEFORGE. thanks, guys.

At one point ours blocked lists.gnu.org ('free software download'), MARC
('proxy avoidance'), and Oracle ('extreme', extreme what? Extreme
SQL?). Thankfully they are not totally insane so unblocked them lot when
we pointed out that the classifications were demented and that 'free
software' does not equal 'theft' and that actually, um, quite a lot of
the business is critically dependent on free software. Oh, and on
Oracle, blocking that is probably a bad idea too.

They tried locking down Google as a proxy avoidance site once but the
outcry was such that they had to reverse it instantly. One wonders
what planet the idiot who decided to do *that* had been on for the
previous ten years.

> It's such places that make me glad I'm not a permie; I don't think I'd
> be able to cope.

You can slowly force changes if you're a permie, generally by doing what
you think right and ensuring that by the time upper management hears of
it, it is pervasive and cannot be revoked without everyone screaming.
I must have done that a dozen times by now.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
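As an added illustration of the point made above about the Subsystem line (this fragment is not part of Nix's message or the thread): an OpenSSH sshd_config in which the program that serves sftp is fixed by root, and in which members of one group can run nothing but that subsystem, so no 'ssh cat'-style remote command (the mechanism scp relies on) is available to them. The group name sftponly is an assumption.

```sshd_config
# OpenSSH sshd_config fragment (added example, not from the thread).
# The program that serves sftp is named here, under root's control;
# a user cannot substitute their own. internal-sftp runs inside sshd
# itself, so it also works under ChrootDirectory with no binaries
# present in the chroot.
Subsystem sftp internal-sftp

# For members of an assumed "sftponly" group, refuse everything except
# the sftp subsystem: ForceCommand replaces whatever the client asked
# for (an interactive shell, "ssh host cat", scp's remote "scp -t"),
# so file transfer is the only capability left to them.
Match Group sftponly
    ForceCommand internal-sftp
    # %h = the user's home directory; it and every parent must be
    # root-owned and not group- or world-writable, or sshd refuses
    # the login.
    ChrootDirectory %h
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Run `sshd -t` after editing to have sshd syntax-check the file before reloading it.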