Re: FC3 Security

Jeff Kinz wrote:
On Wed, Mar 09, 2005 at 05:46:55PM +0000, James Wilkinson wrote:

Jeff Kinz wrote:

Any IT dept that equates sshd to a server is either not up to snuff
technically (and in a really bad way.), or they are being duplicitous.
(That's another word for lying)

If it's open to the outside world? Yes, I'd call that a server. There


ssh = "Secure Shell"   So this is basically a terminal session that's
being encrypted (A good thing, TM) for security reasons. (yes - you can
do VNC or X over an ssh link too, that was not its major purpose and even
in those cases it is still a terminal session)

So being able to access the command line of any machine remotely
means it's a server - by this definition every Windows machine is also a
server.  That does not match up with the apparent behavior of that local
IT dept.

I think you'll find that the definition of a server _machine_ is a machine that, as its _primary_ function, provides various services to clients. Its primary purpose is NOT to provide interactive sessions such as a desktop environment. Remote management of such a machine (e.g. ssh or webmin) does not count.

Server _processes_, on the other hand, are processes that wait for
clients to connect, perform some task for that client, and then
eventually terminate the session.

Can desktop machines run server processes?  Sure.  Can server machines
run client processes?  Of course.  The important bit is "what is the
primary purpose of the machine?"  Server _machines_ PRIMARILY run server
_processes_, but may do other things as well.  Desktop (client)
_machines_ typically run client _processes_, but may run the occasional
server process as well (e.g. running sshd so you can get to your desktop
machine from the internet).

Perhaps the terms "service" and "server" are being used interchangeably
by that local IT dept

If that's the case, they should be trained better. For example, X uses a classic client-server model, but it's reversed from what people think. The X server is the machine with the keyboard, mouse and display. The X clients are the programs (such as Gnome, Mozilla, etc.) that make use of the X server's resources.

For example, if you were to run, say, xclock on a remote machine, the
display shows up on your local machine.  Your local machine is the X
server, xclock is the X client.  So, does the fact that you are running
Gnome or KDE on your desktop (and hence an X server) make your machine a
server?  I don't think any rational IT person would think so, but
there's a hell of a lot of so-called IT people that have absolutely no
business being in the industry.

I do major amounts of work via ssh and I do consider it a service but
I don't consider the ssh daemon to be a "server" any more than I
consider a machine's ability to receive email to be a "server" rather
than a "service"

Well, ssh is a service, but "service" is more of an overall description and includes client and server processes and their transactions. sshd
itself IS a server. "daemon" simply means that it runs as a detached
process (one without a parent process other than "init") that typically
also does not have its stdin, stdout or stderr connected to a terminal.


sshd can be run in "non-daemon" mode by starting it with a "-D" option:
"sshd -D".  It still accepts incoming connections and such so it's a
server, but since it doesn't detach from the parent process, it's not a
daemon.

have been remote security vulnerabilities in both OpenSSH and SSH.com's
offerings. And I'd want to be sure that the box was being looked after,
had sensible passwords, and was being patched promptly.


Sure. As with all boxes.

Amen.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens@xxxxxxxxxxxxxxx -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-    "How does that damned three seashell thing work?"               -
-                       - Sylvester Stallone, "Demolition Man"       -
----------------------------------------------------------------------
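
The server/daemon distinction drawn in the message above, as an added example that is not part of the original post: a process counts as a server when it holds a listening socket, and as a daemon when it is detached (parent is init, no controlling terminal). The /proc samples, PIDs, inodes and function names are constructed for illustration.

```python
import re

# Constructed samples in the layout of /proc/net/tcp, /proc/<pid>/stat and
# the /proc/<pid>/fd link targets; PIDs, inodes and ports are made up.
NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222
   2: 0A00000A:0016 0A000014:C350 01 00000000:00000000 00:00000000 00000000     0        0 33333
"""
STAT = {
    812: "812 (sshd) S 1 812 812 0 -1 4194560",              # started normally
    900: "900 (crond) S 1 900 900 0 -1 4194560",
    4300: "4300 (bash) S 4299 4300 4300 34816 4300 4194304",
    4321: "4321 (sshd) S 4300 4321 4300 34816 4321 4194304",  # "sshd -D" from a shell
}
FDS = {
    812: ["/dev/null", "socket:[11111]", "socket:[33333]"],
    900: ["/dev/null"],
    4300: ["/dev/pts/0"],
    4321: ["/dev/pts/0", "socket:[22222]"],
}

def listening_ports(net_tcp):
    """Map socket inode -> local port for sockets in LISTEN state (st == 0A)."""
    ports = {}
    for line in net_tcp.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10 and f[3] == "0A":
            ports[f[9]] = int(f[1].rsplit(":", 1)[1], 16)
    return ports

def classify(stat, fds, net_tcp):
    """Return {pid: (name, is_daemon, listening ports)} using the post's definitions."""
    listen = listening_ports(net_tcp)
    result = {}
    for pid, line in stat.items():
        head, _, rest = line.rpartition(")")        # comm may itself contain ')'
        name = head.split("(", 1)[1]
        fields = rest.split()                        # state ppid pgrp session tty_nr ...
        ppid, tty_nr = int(fields[1]), int(fields[4])
        is_daemon = ppid == 1 and tty_nr == 0        # detached: child of init, no terminal
        inodes = re.findall(r"socket:\[(\d+)\]", " ".join(fds.get(pid, [])))
        ports = sorted(listen[i] for i in inodes if i in listen)
        result[pid] = (name, is_daemon, ports)       # server <=> ports is non-empty
    return result

if __name__ == "__main__":
    for pid, (name, daemon, ports) in classify(STAT, FDS, NET_TCP).items():
        print(pid, name, "daemon" if daemon else "not-daemon", "server" if ports else "no-listener", ports)
```

For an audit, the listening-port column is the one that describes network exposure; whether the process is detached does not change what it accepts.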

