Now, onto my rant...just because I can't keep away :)
On Tue, Jul 08, 1997 at 04:24:15PM -0700, Dale Babiy had written:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> At 11:54 AM 7/8/97 -0700, Luther D. Keal wrote:
> >I've got a subscriber that wants shell access. He's using a Linux
> box
> >with Minicom router as the dial-up media.
> >
> >He just wants shell access.
>
> Umm, 'Just' and shell access don't go into the same sentance.
Sure they do.
He just wants shell access to the ISP, is that bad? Oh, yeah, it is
because of your paranoia. I will list some below.
> 2) If he has a linux box he already has a shell account. If he has a
> PPP connection from you, he's on the net. There's only really one
> (honest) reason I can think of why he'd want to do a minicom
> connection to you rather then a full blown PPP one and that's because
> he doesn't have the knowlege. I'd invest in teaching him instead,
> reasons follow.
There are reasons to use a shell account at an ISP.
screen(1) comes to mind, is very secure, and let's do you things you
can't do easily via other means.
Security also comes to mind. The ISP is *normally* more secure than
the end user's box so why wouldn't the end user wanna protect his box?
There is also the idea of someone who has a dedicated link to you and
this person needs to do tests from time to time, so he uses your shell
box as a stomping ground for testing things that would be skewed by
his own link.
> Why I wouldn't (and YKnet does not) do this:
Glad you aren't my ISP.
> Think security. Sure Unix is multiuser and is supposed to prevent
> any one user from getting access he's not intitled to. Unfortunatly
> bugtraq (and if you don't follow this mailing list you should) is
> full of examples of situations where unix system security can and has
> been compromised. If we were to offer shell access here's how we'd
> do it (and how I told our board that we would do it if we had to).
>
> Unix box<--Internal Frame Relay Cloud-->Border Router<-->Inet
Unix security is only as good as the administration behind it.
Everyone gets hacked, everyone has a small problem, but those of us
that care more for the customer than for our sense of paranoia will do
what it takes to do the best job we can to keep these kinds of
services in place for our customers.
You list UNIX, shall we move into the NT route as well? More buggy in
many ways (like being logged in as a user, then run a problem, whoops,
you are now classed as an administrator. Listed on nt-bugtraq and
reposted bugtraq). Then again, you can't telnet into that GUI piece
of shit and get real work done.
Nah, get onto these mailing lists, keep up on them (even better than
keeping up with Portmaster-users :) and you should be okay overall.
People make mistakes and it can be hard sometimes to learn what needs
to be done, but learning is half the phun...pun intended.
> That minimizes the chance of someone on the Unix box gaining any
> unauthorized access to internal traffic. An even better solution
> would be to put an extra ethernet card in the border router and plug
> the unix box into it, unfortunatly, due to co-location problems we
> can't do that. Anything short of the configuration above is an
> invitation to packer sniffers, etc. And even with that configuration
> the box would have to ONLY do shell accounts and be completely
> sacrficable. (Ie: users keep their own backups, because if there's a
> security problem I'm gonna slash and burn the disk and reformat and
> reinstall.)
Internal traffic?
Maybe you should look at segmentation and ethernet switching, or maybe
it is time to redesign your internal network, which I can do but my
time isn't cheap.
Your paranoia is leaking onto the floor...
> I've seen too many ISPs just in my local small town environment have
> big security problems to take this stuff lightly any more.
Darn, so why don't you do better and let them learn the ins and outs
of what they need to do.
Don't try to shove your paranoia down other peoples throats because
you are too lazy (implied) to secure up your network or redesign it so
that customers don't have access to your sensitive data.
> >I'm using PM-3 and a Linux box for authentication.
> >
> >How do I set up the PM-3 and/or the Radius to shut off PPP for his
> session
> >so he comes straight in thru the PM-3 and into the Unix shell
> account.
>
> Don't do it. Teach him how to configure PPP.
No, do it but keep in mind the work you need to do to keep up on
security and buggy applications.
It isn't hard work at all if you just do it instead of mulling over it
all the time or being too lazy to work with the equipment or software
you have installed.
-- Mike Horwath IRC: Drechsau LIFE: Lover drechsau@yuck.net Visi: info@visi.com drechsau@Geeks.ORG Twin Cities area Internet Access: 612-288-0880 for more info The founding member of Minn. Coalition for Internet Accessibility