[petsc-users] petsc externalpackage directory

Satish Balay balay at mcs.anl.gov
Tue Feb 2 23:25:26 CST 2016


On Tue, 2 Feb 2016, Barry Smith wrote:

> 
> > On Feb 2, 2016, at 11:08 PM, Jed Brown <jed at jedbrown.org> wrote:
> > 
> > Satish Balay <balay at mcs.anl.gov> writes:
> > 
> >> On Tue, 2 Feb 2016, Barry Smith wrote:
> >> 
> >>>  How do the "firewalls" help if users scp over the EXACT same files that the firewall blocked? 
> >> 
> >> I'm not sure how things are setup - but I suspect:
> >> 
> >> - one can ssh on to the net [perhaps using a securecard]
> > 
> > If you ssh with RemoteForward, then that host can ssh back to the client
> > machine (without needing a password).  This is very handy and also
> > defeats the firewall.
> 
>    I think Satish has it backwards; can can ssh and scp INTO the machine from outside,

Yeah - thats what I tried to say. Bad choice of words [should have said 'secure net' aka 'firewalled network' or the remote-machine-with-firewall]

> thus manually copy in tarballs and other sources of infection but you cannot ssh, scp, curl, wget or anything OUT of the machine to GET infected tarballs. Of course the end result is still that you have infected tarballs on your machine but now the sys admin can say it is your fault and not his or hers.

I think the primary concern here is open network paths that can be exploited by other means [not the stuff 'users' copy over]
And even in case of 'infected' tarballs - one usual thingy that such 'inections' do is -  get more (damaging/latest) stuff to run using wget (or equivalent)..
Without the 'network path' such things get blocked..

Satish


More information about the petsc-users mailing list