Enhanced security... or not?

From: Peter Chapin <pchapin_at_lunchtime.vtc.vsc.edu>
Date: Wed, 27 Sep 2000 13:14:33 -0400 (EDT)

I'm in the process of setting up a new Tru64 system running v5.0A. This
system will be used primarily by students in a college setting for
programming classes, web page development classes, networking classes, and
other such things. I am trying to decide if I should configure the system
to use enhanced security or not and I'm looking for suggestions or
thoughts on the matter. Here are some issues as I see them.

1. Although the machine will not carry any "mission critical" services
(except that it will be the campus's secondary name server) a similar
machine has been attacked in the past and I can only assume this new one
will be attacked in the future. College students are often interested in
breaking into systems just to see if they can... and cause other problems
as well (or in the process).

2. Enhanced security might be overkill for the machine, but on the other
hand there is educational value in showing students some of the associated
features of enhanced security.

3. By default Tru64 does not use shadow passwords. This is the biggest
security loophole that I'm worried about. Is there any way to implement
shadow passwords without going all the way to enhanced security?

4. In enhanced security users can't be removed... only retired. In my
environment users come and go at a great rate. Many users have active
accounts for only one week (they sign up for a class and then drop it and
then are never seen again). I don't feel good about accumulating a large
number of retired accounts on the machine "for no reason". Is there a way
of running with enhanced security and yet still be able to fully remove
accounts?

5. The ssh daemon I've used in the past doesn't work well with enhanced
security. It either (a) allows password controls to be bypassed or (b)
breaks X forwarding and causes oddness in the log files... depending on
how it is configured. This was with ssh v1.2.26 (I believe). Are there
other options for ssh that work properly with Tru64's enhanced security?

Peter
Received on Wed Sep 27 2000 - 17:11:49 NZST
