Thoughts on NOPASSWD and disabling agent forwarding on publictest machines?

Ricky Zhou ricky at fedoraproject.org
Mon Aug 17 18:18:08 UTC 2009


On 2009-08-16 09:23:37 PM, Mike McGrath wrote:
> I'm conflicted on this; there are valid points here, but also the risks are
> fairly low.  As far as disabling agent forwarding, that's trivial to
> re-enable if the box gets rooted.
Yeah, that's true - what Jeremy suggested sounds like a better idea (and
perhaps it could be added to CSI).  

> Specifically we're trying to protect against a rooted publictest box
> becoming a password harvester right?
Yup (and SSH agent harvesters as well).  The goal is that if a
publictest machine were compromised (since it'd probably be one of the
easier targets), any damage would be confined to that machine as much as
possible.

Thanks,
Ricky