Re: SSH revised

l4-hurd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSH revised

From:	Marcus Brinkmann
Subject:	Re: SSH revised
Date:	Sat, 25 Mar 2006 02:42:47 +0100
User-agent:	Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Fri, 24 Mar 2006 16:49:07 +0100,
Lluis <address@hidden> wrote:
> 
> El Fri, Mar 24, 2006 at 03:44:32PM +0100, Marcus Brinkmann ens deleità amb 
> les següents paraules:
> [...]
> >> ok, so:
> >> 
> >> - an ssh server S listens on socket T 
> >> - S recieves a petition to login into Anna's account 
> >> - S looks up Anna's associated identificator, A
> > 
> > Yeah.  I am not sure if A should be a globally unique ID or a 
> > capability itself.
> 
> when talking about identificator, I was really thinking about a capability, 
> but there must be a "hashed table" of capabilities (or identificators), 
> mapping them through their string identificator
> 
> whether it should really be a single number or a capability, in fact is not 
> really important for the outlined steps I listed, as it should make no 
> difference on the logger, it's up to it how to handle this details (in fact 
> I would use a plain identificator, as it conveys no special or implicit 
> privileges, and a capability could be "shared" to get acces to other 
> services)

I agree it makes no difference here.  The only difference is in
maintenance.  For example, if you use plain identifiers, they must not
be reused.  That's easy enough to guarantee in this case if you use a
lot of bits.  Capabilities do not have this problem, but they are more
expensive to compare.

> >> and the "login" process for the client to the global logger can be a 
> >> registration of "classes", each class of event associated with an user 
> >> identification (to make all this process administrable through the 
> >> classical ways of user add and remove from groups)
> > 
> > I don't understand this.  What do you want to administrate?
> 
> I think I meant that you could give a user access to some class of events 
> just through a 'useradd <user> <group>', as every event-class is associated 
> with a valid group of recieve-waiting users (and having a "special" 
> capability related to a user is like being part of the group that user 
> stands for, if I understood your last mails about groups)

I was thinking that the event recipient should be either "everybody"
or a particular user, and the event class is just a data payload and
does not convey any semantics to the log server.

Group notifications can be handled if we consider a group to be just
another "user", and if the actual dispatch of the event happens in the
group itself (this would require that the user log daemon listens not
only on the system log server, but also on the log servers of the
groups the user is in).  It seems to me that the system code does not
need to be burdened with this.

> > content of the "directory" that contains the information about the 
> > terminal, ie the terminal type (set of logical and physical devices). 
> > The user will need drivers for any interesting combination (the system 
> > can provide default drivers).
> 
> right, and one of the things that should be there is a capability to the 
> socket through which the connection is going on (or maybe a cap. to a 
> wrapper for the connection, as it could be mirrored)

I'm with you.

> what confuses me is when you talk about directories... I know it's the 
> same, but I better understand it like a cap. bundle (that, in the end, is 
> probably all accessible through just one cap.)

This "just one cap" is the directory :) What is a directory?  A
directory is a vector of pairs (string, cap).  The only simpler object
I can imagine is a cap vector without strings, and cap sets.  Cap
vectors without string have inefficient sparse representations, and
cap sets do not allow to distinguish the capabilities in the set.  So,
it seems to me that what you want is what I call a directory.

> >> the problem I see in here, is, what happens when an invalid username is 
> >> given? is there a dummy ssh handler to avoid leaking information?
> > 
> > The list of user names is not secret.  If you really want, you could 
> > make a dummy user that rejects all authentication attempts.
> 
> isn't it? for me it should be, the knowledge about a username being 
> available or not on a system can give me information enough to try a 
> directed attack to that account... that's related to why finger disappeared 
> as a publicly available service on many of the systems out there... (yes, 
> finger gives us much more information than just a username)

Do you really use a username like "p6.#wwQz"?

I am not sure what type of directed attacks you mean.  Maybe you can
follow up to clarify?

However, the username _by definition_ is not a secret, in the same
sense that my name "Marcus Brinkmann" is not a secret.  I believe that
any attack that is possible due to knowledge of the username indicates
a flaw in a different aspect of the system (I accept challenges to
this belief :)

Thanks,
Marcus

[Prev in Thread]

Current Thread

[Next in Thread]

address@hidden: Re: SSH revised], Lluis, 2006/03/24
- Re: address@hidden: Re: SSH revised], Marcus Brinkmann, 2006/03/24
  - Re: Re: SSH revised, Lluis, 2006/03/24
    - Re: SSH revised, Marcus Brinkmann <=
    - Re: SSH revised, Lluis, 2006/03/27
    - Re: SSH revised, Marcus Brinkmann, 2006/03/26

Prev by Date: Re: Re: SSH revised
Next by Date: Re: SSH revised
Previous by thread: Re: Re: SSH revised
Next by thread: Re: SSH revised
Index(es):
- Date
- Thread