FAS and public Key auth

Mike McGrath mmcgrath at redhat.com
Thu May 22 15:19:54 UTC 2008


On Thu, 22 May 2008, brett lentz wrote:

> IMO, a good starting point for those requirements would be:
>
> 1. system runs Fedora/RHEL
> 2. system has selinux enabled and enforcing.
> 3. system uses an acceptable update schedule.
> 4. system's admins are known, and willing to be available when we need
> to contact them (within a reasonable set of hours)
> 5. the system's admins document their policy for providing root access
> to their system. this allows us to do some risk analysis.
> 6. we should be able to quickly and easily revoke the system's access to Fedora.
>

That's the problem though, there's no way for us to enforce that in any way
without regularly checking in, etc.  What if they're not compliant and for
how long?  I think this policy should be simple or non-existent at all.
If we can't reliably say that ssh-key based auth to remote machines is a
no-risk operation for us, then we shouldn't do it.

>
> The implications for ssh-agent is fairly simple. Your private key
> still never touches the wire or the remote systems. SSH-Agent forwards
> the auth challenges to the local system you're logging in from.
>
> Here's a great diagram of the process:
> http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#fwd
>

I know your private key doesn't touch the wire or remote system.  But the
agent creates a socket in /tmp/ssh-* and I'm worried someone with access
to that socket could auth to other machines as the user.

	-Mike
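As an added example (not part of the thread or of any Fedora tooling), a small Python audit helper that checks the exposure Mike describes: whether the agent socket named in SSH_AUTH_SOCK, and the /tmp/ssh-* directory holding it, are reachable by any uid other than the owner. The helper names are assumptions, and `make_test_socket` builds a constructed socket so the check can be exercised offline.

```python
import os
import socket
import stat
import tempfile

# Permission bits that would let group or other users reach the socket.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_agent_socket(sock_path, uid=None):
    """Return a list of findings for an ssh-agent socket; [] means the
    kernel will only let the owning uid (and root) connect to it."""
    findings = []
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(sock_path)
    except FileNotFoundError:
        return ["socket does not exist"]
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("path is not a unix socket")
    if st.st_uid != uid:
        findings.append("socket owned by another uid")
    if st.st_mode & NON_OWNER_BITS:
        findings.append("socket is group/world accessible")
    # The enclosing /tmp/ssh-* directory is the first gate; check it too.
    pst = os.stat(os.path.dirname(sock_path))
    if pst.st_uid != uid:
        findings.append("parent directory owned by another uid")
    if pst.st_mode & NON_OWNER_BITS:
        findings.append("parent directory is group/world accessible")
    return findings


def audit_current_agent():
    """Audit the agent this shell is using (hypothetical CLI entry point)."""
    path = os.environ.get("SSH_AUTH_SOCK")
    return ["SSH_AUTH_SOCK not set"] if not path else audit_agent_socket(path)


def make_test_socket(dir_mode, sock_mode):
    """Constructed fixture: a bound, unused unix socket with chosen modes."""
    d = tempfile.mkdtemp(prefix="ssh-")
    path = os.path.join(d, "agent.0")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()  # the socket file stays on disk for the audit
    os.chmod(d, dir_mode)
    os.chmod(path, sock_mode)
    return path


if __name__ == "__main__":
    print(audit_current_agent() or ["agent socket looks sane"])
```

Note that root on the remote host passes every one of these checks, which is precisely the residual risk of forwarding an agent to a machine whose root access policy you do not control.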
