ssh private keys on our systems
Darren VanBuren
onekopaka at gmail.com
Thu Sep 29 22:03:27 UTC 2011
On Sep 29, 2011 12:16 PM, "seth vidal" <skvidal at fedoraproject.org> wrote:
>
> Hi,
>
> I'd like to put a new policy in place which goes something like this:
>
> If you upload your private keys (encrypted or not) we will remove them,
> then we will remove your public keys from FAS and force you to login and
> give a new one in FAS.
>
> We do the last step on the basis that your private key, being on a
> networked, multi-user machine is now exposed to the world and
> potentially compromised. So we can no longer trust it.
>
> thoughts?
>
> Thanks,
> -sv
>
>
>
> _______________________________________________
> infrastructure mailing list
> infrastructure at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure
I'm definitely saying +1. I'm guilty of putting my keys on bastion though,
but I deleted them a while back.
Is there a way we can make users not able to write to that file, or have a
cron job automatically sweep and delete private keys, as well as notify
users that we found a private key, and it was deleted, and their public key
in FAS if it was also removed, and that they have to add a new one (maybe
even ensure it's different) ?
Darren VanBuren
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20110929/92f36677/attachment.html
More information about the infrastructure
mailing list