[mosh-devel] Concerns about mosh's security at the Broad Institute

Hayden Metsky hayden at mit.edu
Sun Aug 9 17:53:08 EDT 2015


Hi John,

Thank you for the comments! And thanks to others as well who
have responded; we'll let the conversation continue longer before
we present anything to Broad IT.

On Sat, Aug 8, 2015 at 5:05 PM, john hood <cgull at glup.org> wrote:
>
> When you say "login server", what exactly do you mean?  Is this a
> bastion host that you can ssh to, and then connect to internal hosts
> from?  (That's what I'll assume here.)
>

It's not a bastion host. As far as I understand, the 'login servers' have
full access to all filesystems/data, programs, etc. that an internal host
would have. I believe it is inside the firewall. It does not run iptables, so
there may be some kind of device sitting in front of it. The primary
difference between it and an internal host is that it is accessible to the
outside world but imposes strict memory limits on users (10 MB) and
offers just 1 virtualized core. So a user would generally ssh into this and
then connect to an internal host (with more resources). I'm not aware
of any bastion host at the Broad.


> Is the concern here that servers running Mosh could be used as DDoS
> reflectors, or that opening UDP ports would allow Broad-internal hosts
> to be useful for DDoS bots wanting to generate UDP?
>

The team's primary concern is the first issue, which you addressed well.

Best,
Hayden