Re: kickstarts, installs and root ssh keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 11 Apr 2012 05:54:16 +0200
Jan-Frode Myklebust <janfrode@xxxxxxxxx> wrote:

> On Tue, Apr 10, 2012 at 11:25:46PM -0400, seth vidal wrote:
> > > 
> > > Wouldn't it be better to have root's authorized_keys file contain
> > > the pubkeys of each individual admin that should be allowed to
> > > ssh from lockbox01 (prefixed with from=lockbox01 of course) ? Or
> > > is this too much hassle to maintain?
> > > 
> > 
> > I'm not sure how having and managing N-keys is better than having
> > and managing 1-Key.
> 
> The N-keys are (according to policy,
> http://lists.fedoraproject.org/pipermail/announce/2011-October/003005.html):
> 
> 	NEVER stored on a shared system.
> 	ALWAYS using a strong passphrase
> 
> while the 1-key breaks these. The N-keys are already managed and
> trusted. The 1-key is an addition that only loosens security.
> 
> 
> > Either way you have to manage/maintain the key(s). And instead of
> > having 1 key you have to protect from theft/compromise you have
> > N-keys to protect from theft/compromise.
> 
> The N-keys are already managed/maintained by your sysadmins. You only
> need to additionally manage the public parts for the distributed
> authorized_keys.
> 


okay - I think you've misunderstood me.

I would like to allow us to have a root ssh key.
This key would only exist on lockbox01.
This key would be protected.

so if an admin wanted to do something with this key they would need to:

1. login to bastion
2. login to lockbox
3. sudo as root to run the command

1 and 2 require their own key
3 requires their password and, potentially, the password to the
root key.

What does any of the above have to do with the policy about users ssh
keys?

-sv



_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure



[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux