Jamie Lokier <lk@tantalophile.demon.co.uk> writes:
> Eric W. Biederman wrote:
> > As long as the network console/debug interface includes a basic
> > check to verify that the packets it accepts are from the local network.
> > And its outgoing packets have a ttl of one. I don't have a problem.
>
> Is there a working network console? It would be _great_ to have a
> network console to my _remote_ server, far far away on the internet.
There are bits and pieces, and a lan based kgdb is basically the same
problem security wise. When you allow any kind of control the security
cannot be in the console protocol. Therefore it can only be used on
a trusted lan and only talk to local addresses. At the same time
if you have two remote machines on that trusted lan you can use one
to control the other. Knowing that a root exploit on one likely
becomes a root exploit on both.
And whether or not we have one at the moment, it is an active area of
research. We just need to get a useable security model. And I think
enforcing that the console be on a secure lan where every connected
machine is trusted is a good first draft, at the latter.
So I do not think this is the kind of thing that will help if you
only have one _remote_ server, far far away on the internet, but when
you start getting a collection of them it may help.
Eric
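The model Eric sketches above (accept control packets only from the local network, send with a TTL of one), as an added Python illustration that is not code from the kernel or from anyone on this thread; the trusted prefix and the addresses are constructed:

```python
import ipaddress
import struct

# Constructed trusted-LAN prefix (assumption; not from the thread).
TRUSTED_LANS = [ipaddress.ip_network("192.0.2.0/24")]
IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte header, no options


def _checksum(hdr: bytes) -> int:
    """Standard one's-complement sum over the 20-byte header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes):
    """Return (ttl, src, dst) for a well-formed IPv4 header, else raise."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    fields = struct.unpack(IPV4_HDR, pkt[:20])
    if fields[0] >> 4 != 4:
        raise ValueError("not IPv4")
    if _checksum(pkt[:20]) != 0:
        raise ValueError("bad header checksum")
    return fields[5], ipaddress.IPv4Address(fields[8]), ipaddress.IPv4Address(fields[9])


def accept_console_packet(pkt: bytes, trusted=TRUSTED_LANS) -> bool:
    """Inbound check: only sources inside a trusted local prefix may issue
    console commands. As the thread says, this is only meaningful on a LAN
    where every host is trusted; it is a filter, not authentication."""
    try:
        _ttl, src, _dst = parse_ipv4_header(pkt)
    except ValueError:
        return False
    return any(src in net for net in trusted)


def build_console_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    """Outbound side: TTL=1 so the first router discards the datagram and
    console traffic cannot leave the LAN. The checksum is filled in last."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, 1, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
```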
This archive was generated by hypermail 2b29 : Sat Nov 23 2002 - 22:00:19 EST