Re: defense-in-depth possible for sshd?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Tue, Jan 10, 2012 at 2:49 PM, John Doe <jdmls@xxxxxxxxx> wrote:

> From: Bennett Haselton <bennett@xxxxxxxxxxxxx>
>
> > On 1/10/2012 5:16 AM, John Doe wrote:
> >>  The sshd child is running as bob; so it has bob (and not root)
> rights...
> >
> > Yes, I understand that.  What I said was that if you could take complete
> > control of the sshd process you were connecting to, even if that process
> > was completely unprivileged, you could still make it say "Accept a login
> > from 'root' with password 'foo'" and then log in as root.
>
> How would your bob owned child sshd take complete control of the
> parent root owned sshd...?
>
> JD
>
>
Or, if you simply WANT more layers, then deploy defense-in-depth in FRONT
of sshd. VPN or port-knocking springs to mind

BR Bent
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux