On Tue, Apr 10, 2012 at 11:25:46PM -0400, seth vidal wrote:
> > Wouldn't it be better to have root's authorized_keys file contain the
> > pubkeys of each individual admin that should be allowed to ssh from
> > lockbox01 (prefixed with from=lockbox01 of course) ? Or is this too
> > much hassle to maintain?
>
> I'm not sure how having and managing N-keys is better than having and
> managing 1-Key.

The N-keys are (according to policy,
http://lists.fedoraproject.org/pipermail/announce/2011-October/003005.html):
NEVER stored on a shared system.
ALWAYS using a strong passphrase
while the 1-key breaks these.

The N-keys are already managed and trusted. The 1-key is an addition that only loosens security.

> Either way you have to manage/maintain the key(s). And instead of
> having 1 key you have to protect from theft/compromise you have N-keys
> to protect from theft/compromise.

The N-keys are already managed/maintained by your sysadmins. You only need to additionally manage the public parts for the distributed authorized_keys.

-jf
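
An added example, not part of the original message: a small audit of a distributed root authorized_keys file that reports every per-admin entry not pinned to lockbox01 by a `from=` option. It assumes OpenSSH's quoted option form (`from="lockbox01"`); the names `split_entry`, `audit` and the sample entries are constructed for illustration.

```python
import re

# Simplified list of key-type tokens that can start an entry with no options.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# One option: a bare flag, or name="value" where the value may hold commas.
OPTION = re.compile(r'([A-Za-z-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

def split_entry(line):
    """Return (options, rest); options end at the first unquoted blank."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return "", line
    quoted, i = False, 0
    while i < len(line):
        if line[i] == "\\" and quoted:
            i += 2          # skip an escaped character inside a quoted value
            continue
        if line[i] == '"':
            quoted = not quoted
        elif line[i] in " \t" and not quoted:
            return line[:i], line[i:].strip()
        i += 1
    return line, ""

def audit(text, required_host):
    """List (line number, key comment, problem) for entries not pinned to required_host."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_entry(line)
        fields = rest.split(None, 2)
        comment = fields[2] if len(fields) > 2 else "(no comment)"
        parsed = {m.group(1).lower(): m.group(2) for m in OPTION.finditer(options)}
        sources = [s for s in (parsed.get("from") or "").split(",") if s]
        if not sources:
            findings.append((number, comment, "no from= restriction"))
        elif sources != [required_host]:
            findings.append((number, comment, "unexpected from= list: " + ",".join(sources)))
    return findings

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = """\
# root authorized_keys
from="lockbox01" ssh-ed25519 AAAAPLACEHOLDERALICE alice
from="lockbox01,*.example.org",no-pty ssh-rsa AAAAPLACEHOLDERBOB bob
ssh-ed25519 AAAAPLACEHOLDERCAROL carol
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "lockbox01"):
        print(finding)
```

An entry written with an unquoted `from=lockbox01` is reported as having no restriction, since the audit only accepts the quoted form.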