[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: FAS and public Key auth



On Thu, 22 May 2008, brett lentz wrote:

> IMO, a good starting point for those requirements would be:
>
> 1. system runs Fedora/RHEL
> 2. system has selinux enabled and enforcing.
> 3. system uses an acceptable update schedule.
> 4. system's admins are known, and willing to be available when we need
> to contact them (within a reasonable set of hours)
> 5. the system's admins document their policy for providing root access
> to their system. this allows us to do some risk analysis.
> 6. we should be able to quickly and easily revoke the system's access to Fedora.
>

Thats the problem though, there's no way for us to enforce that in any way
without regularly checking in, etc.  What if they're not compliant and for
how long?  I think this policy should be simple or non-existant at all.
If we can't reliably say that ssh-key based auth to remote machines is a
no-risk operation for us, then we shouldn't do it.

>
> The implications for ssh-agent is fairly simple. Your private key
> still never touches the wire or the remote systems. SSH-Agent forwards
> the auth challenges to the local system you're logging in from.
>
> Here's a great diagram of the process:
> http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#fwd
>

I know your private key doesn't touch the wire or remote system.  But the
agent creates a socket in /tmp/ssh-* and I'm worried someone with access
to that socket could auth to other machines as the user.

	-Mike


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]