[Wylug-help] Smoothwall with UPS

Frank Shute <frank at esperance-linux.co.uk>
Thu, 6 Feb 2003 15:18:04 +0000


On Sat, Feb 01, 2003 at 05:39:09PM +0000, Phil Driscoll wrote:
>
> On Friday 31 January 2003 11:17 am, Frank Shute wrote:
>
> >I've got my misgivings about Smoothwall as it happens.
> I'm sure that nothing is perfect, but I've added Tripwire to my
> Smoothwall 1.0

As you say nothing is perfect.

> setup and it seems to be doing a good job so far :)
>
> > I don't know what's so dangerous about passwordless ssh, AFAIK in
> > order to crack it you need a recognised key and you'd have to spoof
> > the IP address of the client.
>
> From the O'Reilly 'ssh snailbook' FAQ:
>
>  Regarding Plaintext (= unencrypted = "no-passphrase") Keys
>
>  DON'T USE THEM.
>  It is very common to see people giving out advice like this:  "Oh, automatic
>  login with SSH is easy - just get rid of that pesky passphrase! Type when
>  ssh-keygen prompts for a passphrase, and voilà!"
>
>  This will indeed work. However, it is equivalent to placing your account
>  password in a file in your home directory named PLEASE-STEAL-MY-PASSWORD.TXT,
>  doing chmod 600, and feeling very secure.

This is all very well, but they have to get into your account first to
bag your key. If that's happened then they don't exactly require ssh
to login to your account, your account has been cracked!

Admittedly, you could have your key on a number of machines & by using
a password your exposure is less. But in your case I gather you just
want to log into your firewall. In this case I reckon you're pretty
safe restricting ssh logins on the firewall from internal addresses
using known_hosts and restricting access to port 22 to specified
machines with the packet filtering and other facilities Smoothwall
presumably provides.

The advice in the O'Reilly book should be "don't use passwordless
logins if you don't know what you're doing".

>
> Thanks to all for advice on this, but I've decided to ignore it all
> :) and run a script to fake a post to the internal smoothwall web
> interface as though I had clicked on the smoothwall button. This is
> the only solution so far which doesn't require me to do something to
> the smoothwall box to reduce (however slightly) its security, given
> that I would be using the web interface on my internal network
> anyway.

There are any number of ways to skin this particular cat - use what
you're happy with I guess :)

BTW, apologies for the late reply, I've been on the road.

--

 Frank

*-*-*-*-*-*-*-*-*-*-*
   Boroughbridge.
 Tel: 01423 323019
     ---------
PGP keyID: 0xC0B341A3
*-*-*-*-*-*-*-*-*-*-*

http://www.esperance-linux.co.uk/
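An added example, not part of the original thread: a small Python audit that parses an authorized_keys file and lists keys carrying no `from=` source restriction, which is the kind of check the reply above suggests for a passphrase-less key that only ever needs to reach the firewall from internal addresses. The file content below is constructed for the example.

```python
# Audit an OpenSSH authorized_keys file for keys that are not restricted by
# source address (no from="..." option). Sample content is constructed.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample1 phil@laptop
from="192.168.0.0/24",no-port-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample2 phil@desktop
# a comment line, ignored by sshd

from="*.example.org" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample3 backup@host
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def split_options(line):
    """Return (options, rest): the options field ends at the first space
    that is not inside double quotes (from="a b" is legal)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def split_option_list(options):
    """Split the options field on commas that are outside quotes."""
    items, cur, in_quote = [], "", False
    for ch in options:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    return items + [cur] if cur else items


def parse_authorized_keys(text):
    """Yield dicts with options, key type and comment for each key line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split(None, 1)[0] in KEY_TYPES:  # no options field present
            options, rest = "", line
        else:
            options, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue  # not a key line we recognise; skip rather than guess
        comment = parts[2] if len(parts) == 3 else ""
        entries.append({"options": split_option_list(options),
                        "type": parts[0], "comment": comment})
    return entries


def unrestricted_keys(text):
    """Comments of keys that may be used from any source address."""
    return [e["comment"] for e in parse_authorized_keys(text)
            if not any(o.startswith("from=") for o in e["options"])]
```

Run against a real file with `unrestricted_keys(open(path).read())`; every key it reports is one that an attacker holding the private key could use from anywhere.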