secure shell system

Tod Hansmann tod at todandlorna.com
Sun Apr 18 20:30:44 MDT 2010


Last time I looked at this I decided I had two options (specific for my 
needs at the moment).

1) Chrooted jails.  Basically give everyone a numbed down vps.  Put them 
in home dirs and lock them out of everything else, and it's pretty 
simple.  There's some complex configuration decisions to make, but it's 
a straightforward concept.

2) Locked down home directories.  It makes some security testing 
involved, and certainly isn't ideal, but I didn't have that big of a 
security concern as the users all knew each other and it was fairly 
public info they were running there anyway.  Keeping them from root 
stuff is easy.  Keeping them from other people's stuff mostly lies in 
the needs of the user themselves, but apparmor might help significantly 
with that.

I do avoid selinux, because I have never seen much of a need for it.  
Always seems to cause problems with a load of things I want to do with 
my server and working through them, while not impossible by any means, 
takes more time than I want to spend on the minor security buffs it offers.

-Tod Hansmann

On 4/18/2010 12:24 PM, Christer Edwards wrote:
> I've been doing some research recently on securing and limiting shell
> access to a server. I thought I would pose the question here.
> Hopefully we'll all get something beneficial out of the discussion,
> and it'll give us a break from name calling on the Net Neutrality
> thread. :P
>
> Suppose you were given the task of building a system that would allow
> dozens of users shell access. This system would be used for clients or
> developers to run utilities, etc. Keeping security, privacy and
> resource limitations in mind, consider the following questions:
>
> What operating system / distribution would you use? Why?
> What would you use to ensure privacy between users (home folders,
> personal files, etc)
> What would you use to ensure users don't use too many resources (cpu,
> memory, disk space, etc)
> What would your partitioning scheme look like? Why?
> What other security/privacy/resource utilities would you implement on
> your system?
>
> (This is not a homework assignment and it is not a work project. I'm
> simply interested in gathering information on the topic.)
>
>    


More information about the PLUG mailing list