WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: Thinking about sshd & enabling EmptyPassword login...  (Read 3360 times)

Offline timhalo

  • Newbie
  • *
  • Posts: 2
Thinking about sshd & enabling EmptyPassword login...
« on: April 03, 2012, 04:36:51 PM »
I am running Core base in a qemu guest.
I have sshd installed in the guest-vm & am considering setting PasswordAuthentication & PermitEmptyPasswords to 'yes'.

I keep the Guest isolated (as much as I know how to).
But would like some feedback whether I'm overlooking something.

Here is the network layout:

     public-internet
        |
     rinky-dink-home-router
        |
        |
      192.168.1.0/24----(qemuHost).1------192.168.175.0/30------.2(qemuGuest)
     
     [......the-for-realz-world..][...............the-vm-world..............]

Here's how I keep the Guest isolated:

On the Guest: there is no route pointed across the interface (eth0) leading to the qemu-Host.
        tc@box:~$ route -n
        Kernel IP routing table
        Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
        127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
        192.168.175.0   0.0.0.0         255.255.255.252 U     0      0        0 eth0

Also on the Guest, iptables permits only communication to/from the qemu-Host:
        tc@box:~$ sudo iptables -S
        -P INPUT DROP
        -P FORWARD DROP
        -P OUTPUT DROP
        -A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
        -A INPUT -s 192.168.175.1/32 -d 192.168.175.2/32 -i eth0 -j ACCEPT
        -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
        -A OUTPUT -s 192.168.175.2/32 -d 192.168.175.1/32 -o eth0 -j ACCEPT


On the Host:
- iptables permits only packets source & destined within 192.168.175.0/30 to be input or output on the interface leading to the qemu-Guest.
- iptables drops all on Forward chain.
- ip masquerading is not enabled.
- ip packet forwarding is not enabled (no routing function on the host).

In fact I don't have any of this set up automatically, I manually config tap intf & update iptables both on Host & Guest when I need to run the emulation. However I could one day make a mistake & maybe expose the Guest.

I am using the 'hostfw' function of qemu, in that any connection made to a tcp port on the host, is redirected to a port on the guest.


My question is, am I missing anything in keeping the Guest isolated? Do I already have a hole somewhere?

I am not a security type so thx for reading this far.

Offline gerald_clark

  • TinyCore Moderator
  • Hero Member
  • *****
  • Posts: 4254
Re: Thinking about sshd & enabling EmptyPassword login...
« Reply #1 on: April 03, 2012, 05:12:57 PM »
Use keys and turn off passwords completely.

Offline timhalo

  • Newbie
  • *
  • Posts: 2
Re: Thinking about sshd & enabling EmptyPassword login...
« Reply #2 on: April 04, 2012, 02:59:33 AM »
That's what I am doing currently.

But can't specify specific identity file when browsing sftp via Nautilus (host  = gnome). Hence empty-password method.
But then I found sshfs. So I've got it mounted now & guess I'll stay w/ keys.

Still am curious if I was missing something in keeping Guest isolated. If anyone else has any thoughts that'd be cool.

(I guess w/ no routing knowledge on the guest, it's sealed shut, unless someone cracks the host, in which case I've got bigger problems).