Re: Authentication problem

From: Matthew Petach <mattp@dont-contact.us>
Date: Mon, 13 Oct 1997 11:50:43 -0700 (PDT)

Recently, Oskar Pearson talked about "Re: Authentication problem", and said
>
> Hi
>
> > Keeping a separate password file is not ideal, as I would like
> > everyone to be able to use the same password - so I thought I
> > could NFS mount the password file from our main UNIX server.
> >
> > I hope you realise the security implications of this. Every time your
> > squid does a lookup, your password file is sent over the network. The
> > passwords may be encrypted, but give me a packet sniffer, fast CPU,
> > crack, and 20MB of dictionary and it could easily be hacked.
>
> What about the following:
>
> install ssh on both machines.
>
> then generate a ssh key on the cache machine as root. Allow ssh into
> the machine with the shadow file (without a password - otherwise
> you can't script stuff).

Sounds good, but I have one little suggestion...

You'd be better off doing it the other way around, i.e. having
your relatively secure "userhost" generate the key with the -N ''
flag to not use a passphrase, and put that key in /.ssh/authorized_keys
on the cache server, and _push_ the changes from the "userhost"
out to the cache machine. That way, even if the cache machine
is compromised, your "userhost" is still secure.
 
> Then ssh in every 1/2 hour and copy /etc/shadow with something
> like:
>
> scp userhost:/etc/shadow /usr/local/squid/etc/
>
> Note that there are still security implications - if someone cracks
> your cache machine they can hack 'userhost' without a password.. but if
> you are sure the cache is safe (ie if you use the chroot patch and
> remove the ability to 'mknod') you should be fine. You can then also ssh
> into the cache server and your password won't be sniffed then either :)

Again, if you make the key on the "userhost", and push the changes
out from "userhost" to "cache", even if the "cache" machine is
compromised, there's no way back into the "userhost" for the
attacker.
 
> Oskar

Matt

-- 
InterNex Information Services   |           Matthew Petach
Network Engineering             |           mpetach@internex.net
2306 Walsh Avenue               |           Tel: (408) 327-2211
Santa Clara, CA  95051          |           Fax: (408) 496-5484
Received on Mon Oct 13 1997 - 12:11:22 MDT
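
The push arrangement described in the message above, as an added sketch that is not part of the original thread. The key path, the host name "cache", the ed25519 key type and the forced-command restriction in authorized_keys are assumptions based on current OpenSSH; only the -N '' flag and the squid directory come from the thread.

```shell
#!/bin/sh
# Added example: run on "userhost". The cache never holds a key that opens userhost.
KEY=${KEY:-/root/.ssh/push_shadow_key}      # hypothetical path of the passphrase-less key
CACHE=${CACHE:-cache}                       # hypothetical host name of the squid machine
SRC=${SRC:-/etc/shadow}
DEST=${DEST:-/usr/local/squid/etc/shadow}   # directory named in the thread

# One-time setup on userhost: generate the key with -N '' (no passphrase),
# so the push can run unattended from cron.
make_key() {
    [ -f "$KEY" ] || ssh-keygen -q -t ed25519 -N '' -f "$KEY"
}

# Print the line to install in root's authorized_keys on the cache
# (/.ssh/authorized_keys in the message). "restrict" disables pty and
# forwarding; the forced command means this key can only deliver the one
# file, whatever command the client asks for.
authorized_keys_line() {
    printf 'restrict,command="umask 077; cat > %s.new && mv %s.new %s" %s\n' \
        "$DEST" "$DEST" "$DEST" "$(cat "$KEY.pub")"
}

# Push: stream the file over ssh. The cache-side forced command writes it
# under a temporary name and renames it, so squid never reads a partial file.
# The requested command ("true") is ignored by the forced command.
push_shadow() {
    ssh -i "$KEY" -o BatchMode=yes -o IdentitiesOnly=yes "root@$CACHE" true < "$SRC"
}

# "setup" once by hand; "push" from cron on userhost (e.g. every half hour).
case "${1:-}" in
    setup) make_key && authorized_keys_line ;;
    push)  push_shadow ;;
esac
```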
