Trust & security
You should always assume:
- If somebody can log in to a host as a user, they can get root/Administrator on that host.
- If somebody can get root/Administrator on a host, they can see anything that you type on that host (via keyboard or tty sniffing), even if you use an encrypted network connection.
For that reason, there are a few ways to look at "trust" & system security:
- Host A can be said to trust host B if someone from host B can log in to host A.
- A user can be said to trust a host if the user believes that it is safe to type confidential information, such as important passwords, at that host.
If you are a system administrator, you need to take extra care to protect passwords that can be used to log in to, or become root/Administrator on, large numbers of hosts. For that reason, such passwords should only be typed on hosts that you have reason to believe are secure (such hosts are sometimes referred to as "trusted hosts" within SCS). A general rule of thumb is that trusted hosts only have accounts for people that you trust to be careful, take good security precautions with their own passwords, and follow the same rules of computing-related trust that you do.
One way to avoid typing passwords at hosts that you administer is to use your Kerberos root instance to allow Kerberized telnet & SSH autologins to remote hosts. See the section on security in the local Unix administrators guide for details. Another way is to use SSH public key authentication. If you need local console access to such hosts, one method is to set a temporary local root password that is unique to that host.
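The two trust relations above can be treated as edges in a graph and followed to see how far a single compromised host reaches. The script below is an added example, not an SCS tool; the host names and relations in it are constructed for illustration.

```python
"""Model the trust rules above as a graph and compute the blast radius
of one rooted host.  Constructed example; host names are hypothetical."""
from collections import deque

# LOGIN_TRUST[a] = hosts whose users can log in to a (host a "trusts" them).
LOGIN_TRUST = {
    "fileserver": {"admin-ws"},
    "web1": {"admin-ws", "bastion"},
    "web2": {"bastion"},
    "bastion": {"laptop"},
    "admin-ws": set(),
    "laptop": set(),
}

# PASSWORDS_TYPED_AT[h] = hosts whose root password gets typed on host h
# (a user "trusts" h with that password).
PASSWORDS_TYPED_AT = {
    "laptop": {"web2"},               # web2's root password is typed on a laptop
    "admin-ws": {"fileserver", "web1"},
}


def blast_radius(start, login_trust, typed_at):
    """Return every host an attacker controls after getting root on `start`.

    Rule 1: any user login becomes root, so a login is full control.
    Rule 2: root sees everything typed, so passwords typed at a controlled
            host unlock the hosts they belong to.
    Rule 3: host A trusts host B if B's users can log in to A, so controlling
            B yields a login (hence root) on A.
    """
    owned = {start}
    queue = deque([start])
    while queue:
        h = queue.popleft()
        reached = set(typed_at.get(h, set()))                              # rule 2
        reached |= {a for a, sources in login_trust.items() if h in sources}  # rules 1+3
        for nxt in reached - owned:
            owned.add(nxt)
            queue.append(nxt)
    return owned


def most_exposed(login_trust, typed_at):
    """Hosts ranked by how many others fall with them: these are the ones
    that must be treated as "trusted hosts" (or stop receiving passwords)."""
    hosts = sorted(set(login_trust) | set(typed_at))
    return sorted(hosts, key=lambda h: -len(blast_radius(h, login_trust, typed_at)))
```

In this constructed layout the laptop, not any server, has the largest blast radius, because a server password is typed on it and it can log in to the bastion.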
The following off-site links will open in a new browser window:
- Trust & SATAN
- A discussion of "trust" from a host-centered perspective.