[Nix-dev] security - observing changes - example authorizedKeys

Eelco Dolstra eelco.dolstra at logicblox.com
Sun Jul 22 07:34:31 CEST 2012


Hi,

On 21/07/12 22:59, Marc Weber wrote:

> I just had a look at the user.name.openssh.authorizedKeys.keys
> option:
> 
> - That you can choose adding a section /overriding everything is great
> 
> problems:
> 
> - it doesn't get run in the activation phase (?) - Thus you have to
>   restart sshd (which is non-obvious without reading code)

The sshd job is restarted automatically if any dependency of the job (including
the value of authorizedKeys) changes, so this is not an issue AFAIK.

>   How to fix? Add it to the activation phase & ensure it's run after the
>   code creating the users ..

The use of activation scripts should be minimized because they're slow and are
not executed in parallel.

> That's only one use case. Checking ports, permissions on files (e.g. home
> directories) and much more should be checked regularly if you want to feel
> safe.
> 
> Does this make sense?
> 
> Has anybody else thought about how this should be implemented?

I'm sure there are penetration testing tools that do this for you.

-- 
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
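As an added illustration of the "permissions on files (e.g. home directories) should be checked regularly" point raised above, here is a small audit function (example code written for this page, not from the thread or from NixOS) that checks the group/world-writability preconditions sshd's StrictModes enforces on the home directory, ~/.ssh and authorized_keys before it will honour the keys. It assumes GNU coreutils `stat -c` is available.

```shell
#!/bin/sh
# Added example: audit the writability preconditions that OpenSSH's
# StrictModes checks on the path to ~/.ssh/authorized_keys.
# Assumption: GNU coreutils `stat -c '%a'` prints the octal mode.

# mode_bits PATH -> octal permission bits as printed by stat, e.g. 755 or 1755
mode_bits() {
    stat -c '%a' "$1"
}

# group_or_world_writable MODE -> returns 0 when the group or other
# digit of the octal mode has the write bit (2) set
group_or_world_writable() {
    perms=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')   # last three digits
    g=$(printf '%s' "$perms" | cut -c2)
    o=$(printf '%s' "$perms" | cut -c3)
    [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]
}

# check_ssh_perms HOME -> prints one finding per line; returns 0 when the
# home directory, .ssh and authorized_keys (those that exist) are all clean
check_ssh_perms() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        m=$(mode_bits "$p")
        if group_or_world_writable "$m"; then
            echo "$p: mode $m is group/world writable; sshd StrictModes will ignore the keys"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `check_ssh_perms /home/someuser` from a periodic job; a non-zero exit means sshd is silently ignoring that user's authorized_keys.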
