[CentOS] Mystery of email authentication

Mon Dec 26 13:21:05 UTC 2011
夜神 岩男 <supergiantpotato at yahoo.co.jp>

On 12/26/2011 09:45 PM, Timothy Murphy wrote:
> 夜神 岩男 wrote:
>
>
>> The hard part is developing an initial understanding of how certificates
>> are interpreted and managed -- and where insecurity in the system can
>> arise. Key and certificate management is, in fact, the hardest part of
>> staying cryptographically secure at the present time. Unfortunately this
>> seems to be too much trouble for most large system administrators, even
>> at enormously connected places like universities, so it just gets
>> ignored and MitM attacks are more commonplace than most people realise.
>> The effects of such are generally minimal enough that most people don't
>> even know they've been snooped, however, which is a testament to how
>> unimportant most of our private data/lives really are anyway.
>
> Thanks again for your lucid explanation.
>
> I do feel there is a serious lack of what I would call "low-level"
> documentation in RedHat/CentOS/Fedora on authentication.

There is a lack, in a grand sense, but a lot of it is considered 
non-OS-specific specialist knowledge and is covered in other places 
thoroughly. To that end the Fedora and RedHat docs tend to include 
extensive references to security texts elsewhere. Understanding Kerberos 
and TLS, for example, requires at least a lay understanding of both 
public key and symmetric key encryption, and how those structures can be 
combined to make such encryption sub-systems work. Explaining those 
things is beyond the scope of the Fedora/RH docs, but the references to 
Kerberos docs, and the Kerberos references to general encryption docs do 
cover the subject in detail -- but most people (even system operators) 
tend to not follow the chain of references nearly so far as to learn all 
that. (Instead they get the 4-day "certification" version for "...the 
low, low seminar-only price of just $4,300! Come on today, bring a 
friend for a $1,000 cash back voucher! Impress your manager and totally 
snow government contract hiring departments into thinking you know your 
stuff!")

> On your last point, I do agree that many people seem to elevate
> their personal security to an absurd level,
> as though there are people in China who are desperate to find out
> their "secrets".
> Apart from credit card and bank account details
> I don't think most of us have anything of interest to declare.

Generally, no. Besides, finding a single person in all the mess is 
itself another mess -- which is why it happens a lot less than people 
fear. On the other hand the principle is what is important here. I don't 
want you reading mail between me and my mother. Why? No real reason. But 
just because it's my life, not yours.

Of course, if we really cared about that we'd go back to remembering that 
http is a broadcast, deliberately insecure protocol and can't be made 
secure via redirects. Period. And then maybe we'd suddenly remember that 
the "web" was never intended to be an applications development 
environment as much as it naturally *is* a massively linked bulletin 
system... and maybe we'd even remember that World of Warcraft is, in 
very real terms, cloud computing... blah blah blah. There are many 
places the current market is way off base today. And that's not going to 
change anytime soon...

> Speaking of China, I do find that according to logwatch/shorewall
> the majority of people trying to enter my system
> seem to live in that country.
> Maybe it is just that there are so many of them?
> Or are Chinese naturally more inquisitive?

No, the Chinese really do have a massive, concerted government cracking 
program to crack literally everything. They conduct what is known as 
mosaic intelligence, where no collected piece is considered individually 
important and targeted intelligence is considered infeasible, but enough 
non-sensitive data collected in a wide enough arc can be assembled in 
such a way as to predict whatever the really sensitive data should be. 
And this is workable with a program as large as theirs.

This used to be a specific area of speciality/concern for me for 
professional reasons (more on the human collection side, not signal 
collections, though) and it really is a concern. But it is a general 
threat, not a specific one, and doesn't generally need to alarm an 
individual as much as it should alarm large organizations and governments.

Blah blah. This is getting pretty OT, so I'll end this chain of thought 
here.

	Back on your email question...
I did push some requests around your school server out of curiosity, and 
the -ssh option alone works but does give a warning ("this 
certificate is worthless, but I'm continuing anyway" sort of message). 
If you get a chance or even can it might be a good thing to talk to the 
admin about that -- he might not even know the situation, perhaps not 
being the one who set things up to begin with.