On 7/15/06, Jeffrey Tadlock <linux@xxxxxxxxxxxxx> wrote:
I think this is a great idea. I think we all know passwords are the bane of securing any system. Using keys only would certainly be a move in the right direction.

In our case though I think there is another problem area where a password is still a weakness. The Account System is a component in how our ssh keys get distributed currently. So if someone were to compromise a sysadmin's password for the web-based Account System they would then be able to edit that individual's profile and change the ssh key for that user, which would be distributed across the systems they have shell access to. Now the intruder can access the systems with the ssh key pair they own (at least until the original user noticed they couldn't log in anymore).

At least I think that would be an attack vector that could target a password. Perhaps I am unaware of a component of the Account System or I am missing something else that would cause the above scenario to not work, so feel free to point out the obvious! If the above scenario is an accurate one though, we still are relying on passwords to secure access to the systems to some extent. It may be an area we want to look at to force some sort of check or balance to minimize even that possibility.

While on the topic of security and moving beyond passwords, perhaps the group as a whole should brainstorm, check settings, etc. on the system and processes from the security perspective. There are lots of intelligent individuals on the team and some time spent towards a security audit of sorts could prove useful just to make sure we are truly following best practices (or going above and beyond) and aren't assuming certain things about the system configurations that really aren't in place.

-Jeffrey

We'll have to find the balance. We could go key Kerberos crazy if we wanted to. On the one hand we should have a very secure system. On the other hand we cannot burden the developers. After all, that's the whole reason our team exists... to aid the developers. It should also be said that I've never actually worked at a place that would end up on Slashdot if we got hacked.... I guess there's a bit of pride in me that wants to make sure that if the Fedora infrastructure ever does get hacked that it doesn't happen on my watch :-D