Trust & security
You should always assume:
- If somebody can log in to a Unix/Linux host as a user, they can get root on that host.
- If somebody can get root on a host, they can see anything that you type on that host (via keyboard or tty sniffing), even if you use an encrypted network connection.
For that reason, there are a few ways to look at "trust" & system security:
- Host A can be said to trust host B if someone from host B can log in (especially if they log in as root) to host A.
- A user can be said to trust a host if the user types confidential information, such as important passwords, at that host.
If you are a system administrator, you need to take extra care to protect passwords that can be used to log in to, or become root on, large numbers of hosts. For that reason, such passwords should only be typed on hosts that you have reason to believe are secure (such hosts are sometimes referred to as "trusted hosts" within SCS). A general rule of thumb is that trusted hosts only have accounts for people that you trust to be careful and take reasonable security precautions with their own passwords.
One way to avoid typing passwords at hosts that you administer is to use your Kerberos root instance to allow Kerberized telnet & SSH autologins to remote hosts. See the section on security in the local Unix administrators guide for details. If you need local console access to such hosts, one method is to set a temporary local root password that is unique to that host.
Off-site links:
- Trust & SATAN: a discussion of "trust" from a host-centered perspective.