On Wed, 11 Apr 2012 05:54:16 +0200
Jan-Frode Myklebust <janfrode@xxxxxxxxx> wrote:

> On Tue, Apr 10, 2012 at 11:25:46PM -0400, seth vidal wrote:
> > >
> > > Wouldn't it be better to have root's authorized_keys file contain
> > > the pubkeys of each individual admin that should be allowed to
> > > ssh from lockbox01 (prefixed with from=lockbox01 of course) ? Or
> > > is this too much hassle to maintain?
> > >
> >
> > I'm not sure how having and managing N-keys is better than having
> > and managing 1-Key.
>
> The N-keys are (according to policy,
> http://lists.fedoraproject.org/pipermail/announce/2011-October/003005.html):
>
>     NEVER stored on a shared system.
>     ALWAYS using a strong passphrase
>
> while the 1-key breaks these. The N-keys are already managed and
> trusted. The 1-key is an addition that only loosens security.
>
>
> > Either way you have to manage/maintain the key(s). And instead of
> > having 1 key you have to protect from theft/compromise you have
> > N-keys to protect from theft/compromise.
>
> The N-keys are already managed/maintained by your sysadmins. You only
> need to additionally manage the public parts for the distributed
> authorized_keys.
>

okay - I think you've misunderstood me.

I would like to allow us to have a root ssh key. This key would only
exist on lockbox01. This key would be protected.

so if an admin wanted to do something with this key they would need to:

1. login to bastion
2. login to lockbox
3. sudo as root to run the command

1 and 2 require their own key
3 requires their password and, potentially, the password to the root key.

What does any of the above have to do with the policy about users ssh
keys?

-sv
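
For reference, the per-admin alternative quoted above depends on every entry in root's authorized_keys carrying a `from=` restriction to lockbox01. The following audit sketch is an added example, not part of the thread or of Fedora infrastructure's tooling; the function names, key material and comments (`admin-a` and so on) are constructed for illustration.

```python
import re
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+@openssh\.com)$")

def split_entry(line):  # -> (options_field, rest_of_line)
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return "", line  # line starts with the key type: no options field
    in_quote = False
    for i, c in enumerate(line):
        if c == '"' and line[i - 1:i] != "\\":
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            return line[:i], line[i:].strip()  # first unquoted whitespace
    return line, ""

def parse_options(field):  # -> {option_name: value}, surrounding quotes dropped
    opts, cur, in_quote = {}, "", False
    for i, c in enumerate(field + ","):
        if c == '"' and field[i - 1:i] != "\\":
            in_quote = not in_quote
        elif c == "," and not in_quote:  # commas inside quotes stay in the value
            name, _, value = cur.partition("=")
            opts[name.lower()] = value
            cur = ""
        else:
            cur += c
    return opts

def audit(text, allowed_host):  # -> [(line_no, key_comment, problem)]
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field, rest = split_entry(line)
        parts = rest.split()
        label = parts[2] if len(parts) > 2 else "(no comment)"
        sources = parse_options(field).get("from")
        if sources is None:
            findings.append((n, label, "no from= restriction"))
        elif set(sources.split(",")) != {allowed_host}:
            findings.append((n, label, "from= allows " + sources))
    return findings

SAMPLE = '''# constructed sample: root's authorized_keys on a managed host
from="lockbox01" ssh-rsa AAAAB3NzaC1yc2EAAAAexample1 admin-a
ssh-rsa AAAAB3NzaC1yc2EAAAAexample2 admin-b
from="lockbox01,*.example.org",no-pty ssh-ed25519 AAAAC3Nzaexample3 admin-c
no-port-forwarding,from="lockbox01",command="/bin/echo a, b" ssh-rsa AAAAB3example4 admin-d
'''
```

Calling `audit(SAMPLE, "lockbox01")` reports the `admin-b` entry (no restriction) and the `admin-c` entry (an extra source pattern), and passes the two entries limited to lockbox01.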