[TriLUG] Getting SSH to work at MSEC level 4 in Mandrake
Jon Carnes
jonc at nc.rr.com
Mon May 3 11:54:51 EDT 2004
On Mon, 2004-05-03 at 11:41, Aaron S. Joyner wrote:
> I had difficulty with almost this problem not long ago. My problem was
> slightly different, but related. Tanner saved me the many hours of
> searching I'm sure it would have entailed to find the right solution.
> :) A friend of mine had installed Mandrake on his computer, and
> inadvertently chosen MSEC 4 during the install ("it seemed like the
> right thing, after all, more security is better, right?"). When he
> couldn't make anything work I got called in to figure out what was going on.
>
> For future reference, and those not intimately familiar with Mandrake,
> there is a daemon which runs periodically that resets certain
> security-related parameters. I discovered quickly that SSH was running
> through inetd and locked down by TCP wrappers -- but my instinct was to
> open things up more completely -- the user running this system didn't
> need hosts.deny to contain ALL:ALL, so I commented that to open up the
> very few services that inetd was offering. Unfortunately, an hour or so
> later things broke again, because the configuration was reset by the
> msec(?) security daemon. Jon's change of sshd: ALL to hosts.allow is
> the "Mandrake Happy" way of effecting the same change. Note that you
> can also tone down this setting through the GUI under Security, but I
> haven't seen the interface myself so I will spare you my failed attempts
> at description.
>
> I find it unfortunate that the installer presents security related
> options without dire warnings about the compatibility and feature
> trade-offs associated with each "Security Level". Unfortunately, new
> users are often lulled into thinking "Sure, I want more security" so
> they choose a setting that is unfortunately higher than their ability to
> competently run. The net result often being that they are turned off by
> "this linux thing" and give up, going back to their comfortable Windows
> world. I'm not suggesting that these security related enhancements are
> in any way bad, but the installer should emphasise the inherent security
> of the lower levels compared to other OSes, and the potential pitfalls
> associated with the higher level of security. I imagine the information
> is buried in the documentation, and perhaps there is a link to that
> documentation on that page - not having completely installed Mandrake
> before myself, I just don't know. But regardless of the level of
> information present, it appears to me that it's not enough. :)
>
> Aaron S. Joyner
I agree that MSec should come with some dire warnings: Using MSec will
cause user to scratch head and re-do several normal setup items ad
infinitum until they finally break down and read the MSec documentation:
http://www.mandrakeuser.org/docs/mdoc/ref/prog-msec.html
Jon
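
Added example, not part of the original messages: a simplified shell model of the TCP wrappers lookup order documented in hosts_access(5), showing why the "sshd: ALL" line in hosts.allow admits SSH while hosts.deny still says ALL:ALL. The function names and the temporary sample files are made up for this illustration; only exact daemon names or ALL with the client pattern ALL are handled.

```shell
#!/bin/sh
# Simplified model of the TCP wrappers decision order from hosts_access(5):
#   1. a match in hosts.allow grants access
#   2. otherwise a match in hosts.deny refuses it
#   3. otherwise access is granted
# Only daemon lists of exact names or ALL, with client ALL, are modelled
# (no EXCEPT, no host patterns, no options). Names here are hypothetical.

# rule_matches FILE DAEMON -> exit 0 if a "daemon_list : ALL" rule covers DAEMON
rule_matches() {
    [ -r "$1" ] || return 1
    awk -v d="$2" '
        /^[ \t]*#/ || !/:/ { next }          # skip comments and non-rules
        {
            split($0, f, ":")
            gsub(/[ \t]/, "", f[2])
            if (f[2] != "ALL") next          # only the client pattern ALL
            n = split(f[1], names, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (names[i] == "ALL" || names[i] == d) { found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# wrappers_verdict ALLOW_FILE DENY_FILE DAEMON -> prints "granted" or "denied"
wrappers_verdict() {
    if rule_matches "$1" "$3"; then echo granted
    elif rule_matches "$2" "$3"; then echo denied
    else echo granted
    fi
}

# Constructed sample files standing in for /etc/hosts.allow and /etc/hosts.deny
demo=$(mktemp -d)
printf 'ALL:ALL\n' > "$demo/hosts.deny"      # the entry described in the thread
: > "$demo/hosts.allow"
before=$(wrappers_verdict "$demo/hosts.allow" "$demo/hosts.deny" sshd)
printf 'sshd: ALL\n' > "$demo/hosts.allow"   # the hosts.allow change from the thread
after=$(wrappers_verdict "$demo/hosts.allow" "$demo/hosts.deny" sshd)
other=$(wrappers_verdict "$demo/hosts.allow" "$demo/hosts.deny" in.telnetd)
echo "sshd before: $before, sshd after: $after, in.telnetd: $other"
rm -rf "$demo"
```

Because hosts.allow is consulted first, the allow entry opens sshd only; every other wrapped service still falls through to the ALL:ALL deny rule.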