l4-hurd

Re: SSH revised


From: Marcus Brinkmann
Subject: Re: SSH revised
Date: Tue, 28 Mar 2006 19:30:38 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Tue, 28 Mar 2006 11:18:25 +0200,
Christian Helmuth <address@hidden> wrote:
> On Tue, Mar 28, 2006 at 10:34:54AM +0200, Marcus Brinkmann wrote:
> > > Is the bottom line of this a) you don't care about MAC or b) HURD does not
> > > care about MAC? IMO Mandatory Access Control is something somebody who
> > > operates a server really wants...
> > 
> > I care about user freedom.  My understanding of the term MAC does not
> > have anything to do with use of specific protocols to log on to the
> > machine remotely.  Maybe if you explain how you understand the term
> > MAC here, and why you think that the suggested mechanism violates it,
> > I can respond to that.
> 
> My use case was "limit SSH to protocol version 2, because I (the owner)
> consider it as safe enough for my system". An operating system for the
> future should provide me with powerful tools sufficient for my needs and
> no vague doubts should hinder this. Say: If it's crap I won't "buy" it.

The assumption you seem to be making is that the protocol of the SSH
client-server connection used by one user has any impact on the
security parameters of the rest of the system.  That is a bogus
assumption.  It is only true if there is only one SSH server that all
users must share, while different users have different security
requirements.  In the system I want to build, that should not be the
case.

> > And again:  That somebody wants something is not a sufficient reason
> > to do it (in fact, not even a necessary reason).
> 
> I understand this as: You don't care about anything somebody wants or
> doesn't want including "user freedom", correct?

Incorrect.  But as long as we are having this discussion at the level
of "I want, you want", without looking into why somebody would want
it, we won't make any technical contribution.

> Personally, I do not like the new course this discussion takes, because it
> becomes too political...

WordNet suggests as one meaning of political:

     2: of or relating to your views about social relationships
         involving authority or power; "political opinions"

It seems to me unavoidable that a discussion about the power of the
system administrator over the users has political over-, under- and
middletones.  As long as we are clear about the politics involved and
the ideological background, I don't see a problem.  It is only if it
is attempted to hide an ideological motive that discussion becomes
problematic.

It should not be problematic in any way to say that a system that
should conform to one political view needs to have one set of security
parameters, and a system that should conform to another political view
needs to have another set of security parameters.  In fact, it is very
interesting to analyse these dependencies, as they also work the other
way round: You can deduce from the desired set of security parameters
the political assumptions being made (that does not mean to judge them).

So, if you (or somebody else) wants a certain feature, then I am
actually interested in learning _why_ you would want that.

Can we build a system that makes it easy for users to keep their
accounts safe and protected (optionally with the administrator's help),
and preserves maximum system integrity, while still giving any
particular user complete flexibility over the authentication mechanism
they want to use, including empty passwords?  I think so.  Let's
assume we can build such a system, do you still have an objection?  If
yes, what would it be?

Thanks,
Marcus




