[auton-users] SSH Security Info

predragp at andrew.cmu.edu predragp at andrew.cmu.edu
Wed Mar 26 15:21:50 EDT 2014


Dear Autonians,

This is important ssh info concerning overall lab network security, related
to today's maintenance work I performed on 14 Linux desktops. In preparation
to turn on LDAP, I have restricted ssh access to Linux desktops to only the
desktop owners, auton-local, and backup accounts (backup doesn't have real
access; it is only an rsync command without a tty).

It occurred to me during the recent e-mail exchange with Jarod concerning the
new OpenVPN gateway that, due to public IP addresses and LDAP being enabled,
all Linux desktops could be used by anyone in the Lab as an ssh gateway to
computing nodes, but more importantly they could be used by anyone outside
the lab to stage an attack on our internal network. By restricting ssh
access on desktops to very few selected accounts I am practically
eliminating a large set of attack vectors. Yes, we also run things like
sshguard and fail2ban, if people are curious.

I would also like to add that, unlike before, your VPN tunnels can only be
used for access to our internal network 192.168.6.0/24 and that VPN
clients can't see each other.

Finally, I realize that some desktops potentially need to be accessed by
additional users. For example, it looks like Jarod has given permission to
several people to access his desktop. If that is the case, please let me
know by e-mail which users need to be able to have access to your
desktop. By default those users should have only local accounts, so they
will not be in the LDAP database and consequently unable to use your desktop
to access the internal network.

Thank you for your attention!

Predrag
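Added example (not part of Predrag's message, and not the lab's actual configuration): a constructed sshd_config drop-in, a forced-command authorized_keys entry for the backup account, and an OpenVPN server fragment modelling the three restrictions described above (interactive ssh only for the owner and auton-local, backup limited to rsync with no tty, VPN tunnels routed only to 192.168.6.0/24 with no client-to-client relay), together with small shell checks that read those fragments. The owner account name jsmith, the rrsync path, the key material, the file names and the route/server addresses are assumptions; auton-local, backup and 192.168.6.0/24 come from the message.

```shell
#!/bin/sh
# Constructed example configs (not the lab's real files).

# Hypothetical /etc/ssh/sshd_config.d/50-auton-desktop.conf:
# AllowUsers rejects every other account (including LDAP users) before any
# shell is offered, so the desktop cannot serve as a gateway for them.
SSHD_DROPIN='
AllowUsers jsmith auton-local backup
PasswordAuthentication no
PermitRootLogin no
'

# Hypothetical ~backup/.ssh/authorized_keys line: the key can only run the
# read-only rrsync wrapper (shipped with rsync) and never gets a pty or any
# forwarding, so "backup" has no interactive access. Key material is fake.
BACKUP_AUTHORIZED_KEY='command="/usr/bin/rrsync -ro /home",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXA backup@nas'

# Hypothetical OpenVPN server fragment: only the internal /24 is pushed, and
# "client-to-client" is deliberately absent so the daemon does not relay
# traffic between clients (the host firewall must still drop forwarded
# client-to-client packets).
OPENVPN_SERVER='
server 10.8.0.0 255.255.255.0
push "route 192.168.6.0 255.255.255.0"
'

# Print the AllowUsers list of a config, one account per line.
allowed_users() {
    printf '%s\n' "$1" | awk '$1 == "AllowUsers" { for (i = 2; i <= NF; i++) print $i }'
}

# user_allowed USER CONFIG: succeeds iff USER is on the AllowUsers list.
user_allowed() {
    allowed_users "$2" | grep -qx -- "$1"
}

# key_is_forced_no_tty KEYLINE: succeeds iff the key carries both a forced
# command and no-pty, i.e. it cannot yield an interactive session.
key_is_forced_no_tty() {
    case "$1" in
        *command=*no-pty*|*no-pty*command=*) return 0 ;;
        *) return 1 ;;
    esac
}

# vpn_isolates_clients CONFIG: succeeds iff client-to-client is not set and
# the only pushed route is the internal network.
vpn_isolates_clients() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*client-to-client'; then
        return 1
    fi
    routes=$(printf '%s\n' "$1" | grep -c '^[[:space:]]*push "route ')
    [ "$routes" -eq 1 ] && printf '%s\n' "$1" | grep -q '^push "route 192\.168\.6\.0 255\.255\.255\.0"'
}

# Stand-alone demonstration.
for u in jsmith auton-local backup ldapuser; do
    if user_allowed "$u" "$SSHD_DROPIN"; then
        echo "ssh login permitted: $u"
    else
        echo "ssh login refused:   $u"
    fi
done
key_is_forced_no_tty "$BACKUP_AUTHORIZED_KEY" && echo "backup key: forced command, no tty"
vpn_isolates_clients "$OPENVPN_SERVER" && echo "vpn: internal route only, no client-to-client"
```

On a live host the same checks should be run against `sshd -T` output rather than the file, since the effective configuration may come from several drop-ins and Match blocks.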
