shfs - SSH


Thread: shfs

  1. shfs

    Hi,

    does anybody have shfs in use?



    Best Regards,

    Oliver


  2. Re: shfs


    "Oliver Block" wrote in message
    news:4eqrv6F1fvfq0U1@news.dfncis.de...
    > Hi,
    >
    > does anybody have shfs in use?
    >
    >
    >
    > Best Regards,


    I've played with it. It's awfully cute, and makes me itch to build chroot
    cages for SSH users to prevent them from mounting "sshhost::/" remotely and
    playing around.



  3. Re: shfs

    Nico Kadel-Garcia wrote:

    [ shfs ]

    > It's awfully cute, and makes me itch to build chroot cages for SSH
    > users to prevent them from mounting "sshhost::/" remotely and playing
    > around.


    Why do you want to prevent this?

    Paul

  4. Re: shfs


    "Paul Hink" wrote in message
    news:slrne8gkr2.3d7.email@siesta.cruxwan.de...
    > Nico Kadel-Garcia wrote:
    >
    > [ shfs ]
    >
    >> It's awfully cute, and makes me itch to build chroot cages for SSH
    >> users to prevent them from mounting "sshhost::/" remotely and playing
    >> around.

    >
    > Why do you want to prevent this?


    Actually mounting remote filesystems via SSH makes those SSH server's local
    files accessible to any local user on the SSH client in a way that an active
    SSH session has not previously supported, in a way that SSH chroot cages for
    casual SSH users would help protect against.

    Not all sys-admins are smart enough to use shadow passwords and non-DES
    passwords, leaving it possible for anyone with SSH access to run very
    successful brute force cracking against the server's /etc/passwd file. And
    because not all users are careful enough to keep their home directories set
    to "user-only" access, or to use non-DES passwords and restrict read
    permissions in .htpasswd files that are locally accessible in their web
    repositories. And because there are easily a dozen other such attack
    approaches which people are not sufficiently careful about, ranging from
    syslogs to files kept in /tmp, including read access to MySQL databases
    where user account information may be stored, to read access to LDAP account
    management databases.

    I've also seen way, way too many systems where users' files are generally
    accessible, either deliberately for NFS access as a matter of policy, or
    because some inexperienced system administrator has created their own set of
    user account creation tools which used "mkdir /home/username" without using
    a "umask" before that step or "chmod 700" after that step to prevent general
    access to new accounts.

    I could go on, but I think that addresses most of my concerns.
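
Added example, not part of the thread: a shell audit for two of the weaknesses the last post names, password hashes kept in the world-readable passwd file and home directories created without a restrictive umask, plus the corrected mkdir step. The function names, the optional path prefix and the minimum-UID default of 1000 are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: defensive audit for weaknesses named in the post above.
# Function names, the path prefix and the UID floor are assumptions.

# audit_passwd FILE
# Report accounts whose hash sits in the passwd file itself instead of
# the root-only shadow file; 13-character traditional crypt is called out.
audit_passwd() {
    awk -F: '
        $2 == "x" || $2 ~ /^[*!]/ { next }   # shadowed or locked account
        $2 == "" { print $1 ": empty password field"; next }
        length($2) == 13 && $2 !~ /^\$/ { print $1 ": unshadowed DES crypt hash"; next }
        { print $1 ": unshadowed hash" }
    ' "$1"
}

# audit_homes FILE [PREFIX] [MIN_UID]
# Report home directories that grant any permission to group or other.
# PREFIX lets the check run against a copy of the tree (e.g. a backup).
audit_homes() {
    min=${3:-1000}
    while IFS=: read -r user pw uid gid gecos home shell; do
        # Skip system accounts and malformed lines (non-numeric UID).
        [ "$uid" -ge "$min" ] 2>/dev/null || continue
        [ -d "${2:-}$home" ] || continue
        # Characters 5-10 of the ls mode string are the group/other bits.
        bits=$(ls -ld "${2:-}$home" | cut -c5-10)
        [ "$bits" = "------" ] || echo "$user: $home group/other bits $bits"
    done < "$1"
}

# make_home DIR
# The corrected form of "mkdir /home/username": the umask is set in a
# subshell, so the directory is born mode 700 and the caller's umask
# is left untouched.
make_home() {
    ( umask 077 && mkdir "$1" )
}

# Typical use on a live system:
#   audit_passwd /etc/passwd
#   audit_homes  /etc/passwd
```

Setting the umask before mkdir, rather than running chmod 700 afterwards, leaves no window in which the new directory is readable by other accounts.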


