Re: SSH revised

[Christian Helmuth]

Hi,

On Mon, Mar 27, 2006 at 09:45:45PM +0200, Marcus Brinkmann wrote:
> > I think these do not match with MAC-alike system policies. If an
> > administrator/owner wants to restrict the options a specific user has to
> > enter the system via SSH, there must remain a small "system" ssh server
> > part. An example could be the limitiaton to SSH2.
> 
> There are two responses to that.  The first is: Why would an
> administrator want to do that?  And the second is: Given the answer to
> the first question, is this something that we want to support?

My assumptions was that any administrator (or platform owner or you) wants
complete control over possible entry points into his server.

> There are three possible outcomes to this: (1) there is no consistent
> argument why the admin would want to do that, or (2) there is a
> consistent argument, but it is in conflict with ideological
> assumptions we make, or (3) there is a consistent answer, and it does
> not conflict with our ideological assumptions.
> 
> Only if the result is (3) it is worth considering to support this.
> And even then it may be rejected because of cost-benefit analysis or
> other factors.

Is the bottom line of this a) you don't care about MAC or b) HURD does not
care about MAC? IMO Mandatory Access Control is something somebody who
operates a server really wants...

Cheers
-- 
Christian Helmuth

TU Dresden, Dept. of CS
Operating Systems Group
http://os.inf.tu-dresden.de/~ch12