[CentOS] defense-in-depth possible for sshd?

Tue Jan 10 13:55:45 UTC 2012
Bent Terp <bent at terp.se>

On Tue, Jan 10, 2012 at 2:49 PM, John Doe <jdmls at yahoo.com> wrote:

> From: Bennett Haselton <bennett at peacefire.org>
>
> > On 1/10/2012 5:16 AM, John Doe wrote:
> >>  The sshd child is running as bob; so it has bob (and not root)
> rights...
> >
> > Yes, I understand that.  What I said was that if you could take complete
> > control of the sshd process you were connecting to, even if that process
> > was completely unprivileged, you could still make it say "Accept a login
> > from 'root' with password 'foo'" and then log in as root.
>
> How would your bob owned child sshd take complete control of the
> parent root owned sshd...?
>
> JD
>
>
Or, if you simply WANT more layers, then deploy defense-in-depth in FRONT
of sshd. VPN or port-knocking springs to mind

BR Bent