Thoughts on NOPASSWD and disabling agent forwarding on publictest machines?
Mike McGrath
mmcgrath at redhat.com
Mon Aug 17 19:44:58 UTC 2009
On Mon, 17 Aug 2009, Ricky Zhou wrote:
> On 2009-08-16 09:23:37 PM, Mike McGrath wrote:
> > I'm conflicted on this, there's valid points here but also the risks are
> > fairly low. As far as disabling agent forwarding, that's trivial to
> > re-enable if the box gets rooted.
> Yeah, that's true - what Jeremy suggested sounds like a better idea (and
> perhaps it could be added to CSI).
>
> > Specifically we're trying to protect against a rooted publictest box
> > becoming a password harvester right?
> Yup (and SSH agent harvesters as well). The goal is that if a
> publictest machine were compromised (since it'd probably be one of the
> easier targets), any damage would be confined to that machine as much as
> possible.
>
On a related note, I would like to have a policy of rebuilding the test
boxes more often then we do. Just a thought.
-Mike
More information about the infrastructure
mailing list