[clug] Wanted: Developer to securely implement a restricted SSH shell
steve jenkin
sjenkin at canb.auug.org.au
Mon Jan 4 23:29:48 MST 2010
Nathan O'Sullivan wrote on 5/01/10 9:32 AM:
>
>> Looking at your web specs, as a client I'd be uneasy about using a CGI
>> to upload a public SSH key. Even if the key isn't munged in some way,
>> how do I know that it isn't swapped and someone else is accessing my
>> DomU?
>>
> If you do not trust $PROVIDER to do the simple task of writing a file to
> disk, would you trust them to reliably host a Xen domU for you?
Not my point - I might trust $PROVIDER, but still feel uneasy using a CGI.
What if Evil-Dude cracks CUSTOMER login can they take over their
account/assume their identity?
If they upload a bogus public SSH key (or replace an existing one), how
can you, $PROVIDER, tell?
Could be excessive paranoia :-)
More information about the linux
mailing list