On Mon, 17 Aug 2009, Ricky Zhou wrote: > On 2009-08-16 09:23:37 PM, Mike McGrath wrote: > > I'm conflicted on this, there's valid points here but also the risks are > > fairly low. As far as disabling agent forwarding, that's trivial to > > re-enable if the box gets rooted. > Yeah, that's true - what Jeremy suggested sounds like a better idea (and > perhaps it could be added to CSI). > > > Specifically we're trying to protect against a rooted publictest box > > becoming a password harvester right? > Yup (and SSH agent harvesters as well). The goal is that if a > publictest machine were compromised (since it'd probably be one of the > easier targets), any damage would be confined to that machine as much as > possible. > On a related note, I would like to have a policy of rebuilding the test boxes more often then we do. Just a thought. -Mike _______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
