Emile Snyder wrote:
> On Wed, 2005-04-20 at 08:24, K. Richard Pixley wrote:
>> Pretty much any authentication possible under linux is available through
>> apache. This includes authentication by user, by host, all of the PAM
> I'm curious about the host trust mode. What prevents a user on that
> host from taking whatever secret the host is using to authenticate
> itself and moving it to a new machine?
The same thing that currently prevents monotone users from sharing
private keys - administrative wisdom. It's the same motivation most
people use when they take their car keys with them rather than leaving
them in a parked car's ignition switch.
When I decide to trust a machine, it's not just that I trust that the
technical details will allow us to talk. I'm also trusting the
administrator(s) of that machine to be competent and to perform due
diligence toward security of those secrets.
In typical unix, host level secrets are not available to basic users
but are instead available only to administrators. Granted, shared
systems aren't so common anymore and jacking a hard disk is more a
question of access to the building the machine is stored in than it is
a software security issue.
If you are particularly concerned about this problem, then you should
already be concerned about the user key issue in monotone. There are
strong methods for solving both - Kerberos, for instance. All of these
require some key things monotone currently does not: namely,
administrative control. Not centralized control, mind you, we can do
most of these things strongly with peer-to-peer networking and circles
of trust.
--rich
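The point above that host-level secrets on a typical Unix system are readable only by administrators is something an admin can verify rather than assume. The following is an added example, not code from the thread or from the monotone project: it audits a list of host-secret files (SSH host keys, a Kerberos keytab; the default paths are an assumption about a common Linux layout) and reports any file that is not owned by the expected uid, is a symlink, or has any group/other permission bits that would let a basic user copy the secret to another machine. The sample files built in `demo()` are constructed for illustration, and the demo uses the current uid as the expected owner because it cannot create root-owned files when run unprivileged.

```python
"""Audit host-level secrets for exposure to unprivileged users.

Added example, not part of the original thread. Each secret file must be
owned by the expected uid (root, uid 0, by default) and must carry no
group/other permission bits; a symlink in place of the file is also flagged,
since whoever controls the link target controls the secret.
"""
import os
import stat
import tempfile

# Common locations of host secrets on a Linux box (assumption: typical
# paths, not a claim about any particular distribution).
DEFAULT_SECRET_PATHS = [
    "/etc/ssh/ssh_host_rsa_key",
    "/etc/ssh/ssh_host_ed25519_key",
    "/etc/krb5.keytab",
]


def audit_secret(path, expected_uid=0):
    """Return a list of problems found with one secret file (empty = ok)."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
        try:
            st = os.stat(path)  # follow the link to inspect the real file
        except FileNotFoundError:
            return problems + ["dangling symlink"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    # Any group/other bit means a basic user may be able to read or replace it.
    mode = stat.S_IMODE(st.st_mode)
    exposed = mode & 0o077
    if exposed:
        problems.append("mode %04o exposes bits %04o to group/other"
                        % (mode, exposed))
    return problems


def audit_host_secrets(paths=DEFAULT_SECRET_PATHS, expected_uid=0):
    """Map each path to its problem list; an empty list means it passed."""
    return {p: audit_secret(p, expected_uid) for p in paths}


def demo():
    """Build constructed sample files in a temp dir, audit them, and return
    the results keyed by basename."""
    tmp = tempfile.mkdtemp(prefix="hostsecrets-")
    good = os.path.join(tmp, "ssh_host_ed25519_key")
    leaky = os.path.join(tmp, "krb5.keytab")
    with open(good, "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed sample)\n")
    with open(leaky, "w") as f:
        f.write("constructed sample keytab bytes\n")
    os.chmod(good, 0o600)   # owner read/write only: what a host key should look like
    os.chmod(leaky, 0o644)  # world-readable: any local user can copy it elsewhere
    results = audit_host_secrets([good, leaky, os.path.join(tmp, "absent")],
                                 expected_uid=os.getuid())
    return {os.path.basename(p): v for p, v in results.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print("%-24s %s" % (name, "ok" if not problems else "; ".join(problems)))
```

Run against the real paths as root (`audit_host_secrets()` with the defaults), the check only answers the narrow question of whether the secret is exposed to local users; it says nothing about physical access to the disk, which the message above treats as a separate problem.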