FAS and public Key auth
opensource at till.name
Fri May 23 11:53:48 UTC 2008
On Thu May 22 2008, Mike McGrath wrote:
> On Thu, 22 May 2008, Jeremy Katz wrote:
> > And the risk isn't increased by us allowing third-party groups to do
> > auth via FAS. This risk is present whenever any user logs in to another
> > machine with agent forwarding. Which is requested by the user/client --
> > not the machine being logged into
> The risk does increase as far as targeting goes though. If you were to do
> this type of attack right now, how would you go about doing it and what
> machines would you use? If we start allowing third party machines that
> have basically no barrier to entry it becomes much easier to plan and
> execute the attack.
One can still provide services to Fedora maintainers without using FAS, e.g. a
ppc machine that can be used by maintainers to debug their package on that
arch. Then the maintainers would send their ssh public key themselves to the
administrator of the machine.