On Fri, 2006-07-14 at 11:57 -0400, Max Spevack wrote:
> I'm sure you guys are all following the stories on slashdot about the
> problems that Debian is having due to password insecurity that led to a
> compromised account.
>
> What sort of safeguards do we have? Is this a good time to think about how
> we can improve our security *before* there is a problem rather than after?
>
> Do we have some sort of general plan for what to do if one of our public
> boxes is compromised, so that we don't act randomly, or forget things in
> the panic of the moment?

I dunno if you've been on this list before today but we've been talking about that subject quite a bit.

We've already covered the idea of relying SOLELY on ssh keys for shell-level access to systems and the possibility of requiring client ssl keys for web-access.

Mike brought up the idea of subdividing things a bit tighter in terms of who can login to what systems so we don't have too much 'global' access.

Yes, we're moving on all of these things.

-sv
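The two controls named in the reply above, key-only shell access and restricting which accounts may log in to which boxes, both live in sshd_config. The script below is an added example, not code from the thread or from the Fedora infrastructure team: it writes two constructed sample configs (one that still accepts passwords, one that enforces keys and an AllowGroups list) and audits them. The function names and the group names `admins` and `builders` are assumptions for the example. It reads the first value given for each keyword, which is how sshd itself resolves duplicates, and it does not descend into Match blocks.

```shell
#!/bin/sh
# Added example (not from the mailing list): audit an sshd_config for
# key-only shell access and group-scoped logins. sshd uses the FIRST
# value it sees for a keyword, so the audit does the same. Match blocks
# are not evaluated; only the global section is checked.

# sshd_value FILE KEYWORD -> prints the effective value, or "" if unset
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                         # skip comments
        tolower($1) == tolower(key) { print $2; exit }    # first match wins
    ' "$1"
}

# audit_sshd_config FILE -> exit 0 if the file enforces key-only,
# group-restricted access; otherwise prints each finding and exits 1
audit_sshd_config() {
    f="$1"; rc=0
    pw=$(sshd_value "$f" PasswordAuthentication)
    pk=$(sshd_value "$f" PubkeyAuthentication)
    ci=$(sshd_value "$f" ChallengeResponseAuthentication)
    rl=$(sshd_value "$f" PermitRootLogin)
    ag=$(sshd_value "$f" AllowGroups)

    # unset PasswordAuthentication means sshd's default, which is yes
    [ "$pw" = "no" ] || { echo "FAIL: PasswordAuthentication is '${pw:-unset (default yes)}'"; rc=1; }
    [ "${pk:-yes}" = "yes" ] || { echo "FAIL: PubkeyAuthentication is disabled"; rc=1; }
    # keyboard-interactive still lets PAM prompt for a password
    [ "${ci:-yes}" = "no" ] || { echo "FAIL: ChallengeResponseAuthentication still allows password-style logins"; rc=1; }
    case "$rl" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL: PermitRootLogin is '${rl:-unset}'"; rc=1 ;;
    esac
    # without AllowGroups every account with a shell may log in
    [ -n "$ag" ] || { echo "WARN: no AllowGroups; access is 'global' rather than per-group"; rc=1; }
    return $rc
}

# write_samples DIR -> creates two constructed sample configs under DIR
write_samples() {
    cat > "$1/sshd_config.weak" <<'EOF'
# constructed sample: passwords still accepted, root login open
Port 22
Protocol 2
PermitRootLogin yes
# PasswordAuthentication not set, so sshd's default (yes) applies
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
# constructed sample: key-only shell access, scoped by group
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups admins builders
EOF
}

# Demo: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_samples "$dir"
    for cfg in "$dir"/sshd_config.*; do
        echo "== $cfg"
        audit_sshd_config "$cfg" && echo "OK: key-only, group-restricted access"
    done
fi
```

Running it with `--demo` reports the findings for the weak sample and an OK for the hardened one; pointing `audit_sshd_config` at a real `/etc/ssh/sshd_config` gives the same checks on a live host.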