
Re: kickstarts, installs and root ssh keys



On Tue, 10 Apr 2012 23:38:30 +0200
Jan-Frode Myklebust <janfrode@xxxxxxxxx> wrote:

> On Tue, Apr 10, 2012 at 05:11:14PM -0400, seth vidal wrote:
> > 
> > 1. allow lockbox01-only and ssh-key-only access, as root, via ssh to
> > our systems. This would be an ssh key only on lockbox and owned by
> > root
> 
> I'm no fan of passphrase-less ssh-keys..  as they turn
> read-random-file vulnerabilities into full root exploits.
> 
> Wouldn't it be better to have root's authorized_keys file contain the
> pubkeys of each individual admin that should be allowed to ssh from
> lockbox01 (prefixed with from=lockbox01 of course) ? Or is this too
> much hassle to maintain?
> 

I'm not sure how having and managing N-keys is better than having and
managing 1-Key.

Either way you have to manage/maintain the key(s). And instead of
having 1 key you have to protect from theft/compromise you have N-keys
to protect from theft/compromise.



-sv

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
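The per-admin layout suggested in the quoted text (each admin's pubkey in root's authorized_keys, prefixed with from=lockbox01) can be checked mechanically. The following is an added example, not part of the original thread: a small auditor that flags any key that is not pinned to the allowed source host. The allowed host set and the sample file are constructed for illustration, and the key material is placeholder text.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)\S+$")
OPTION = re.compile(r'([A-Za-z-]+)(?:="((?:\\"|[^"])*)")?(?:,|$)')

def split_options(line):
    """Split a line into (options, rest); options end at the first unquoted space."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return "", line                      # line starts with the key type: no options
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].strip()
    return line, ""

def parse_options(opts):
    """Return {option name: quoted value, or None for a bare flag}."""
    return {m.group(1).lower(): m.group(2) for m in OPTION.finditer(opts)}

def audit(text, allowed=frozenset({"lockbox01"})):
    """Return (line number, key comment, problem) for keys not pinned to allowed hosts."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split()
        who = fields[2] if len(fields) > 2 else "(no comment)"
        src = parse_options(opts).get("from")
        if src is None:
            findings.append((n, who, "no from= restriction"))
            continue
        # Negated patterns (!host) only narrow access, so they are not flagged.
        bad = [p for p in src.split(",") if not p.startswith("!") and p not in allowed]
        if bad:
            findings.append((n, who, "from= allows " + ",".join(bad)))
    return findings

SAMPLE = '''# constructed sample: key material is placeholder text, not real keys
from="lockbox01" ssh-rsa AAAAB3PLACEHOLDER1 alice
from="lockbox01",no-agent-forwarding ssh-ed25519 AAAAC3PLACEHOLDER2 bob
ssh-rsa AAAAB3PLACEHOLDER3 carol
from="lockbox01,*.example.org" ssh-rsa AAAAB3PLACEHOLDER4 dave
'''

if __name__ == "__main__":
    for line_no, who, problem in audit(SAMPLE):
        print(f"line {line_no}: {who}: {problem}")
```
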


