kickstarts, installs and root ssh keys

Jan-Frode Myklebust janfrode at tanso.net
Wed Apr 11 03:54:16 UTC 2012


On Tue, Apr 10, 2012 at 11:25:46PM -0400, seth vidal wrote:
> > 
> > Wouldn't it be better to have root's authorized_keys file contain the
> > pubkeys of each individual admin that should be allowed to ssh from
> > lockbox01 (prefixed with from=lockbox01 of course) ? Or is this too
> > much hassle to maintain?
> > 
> 
> I'm not sure how having and managing N-keys is better than having and
> managing 1-Key.

The N-keys are (according to policy,
http://lists.fedoraproject.org/pipermail/announce/2011-October/003005.html):

	NEVER stored on a shared system.
	ALWAYS using a strong passphrase

while the 1-key breaks these. The N-keys are already managed and
trusted. The 1-key is an addition that only loosens security.


> Either way you have to manage/maintain the key(s). And instead of
> having 1 key you have to protect from theft/compromise you have N-keys
> to protect from theft/compromise.

The N-keys are already managed/maintained by your sysadmins. You only need
to additionally manage the public parts for the distributed authorized_keys.


  -jf

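A way to build the per-admin root authorized_keys discussed above, with every entry pinned to the bastion by a from= option, and to audit an existing file for entries that lack that restriction. This is an added example, not code from the thread; the host name lockbox01 and the admin keys below are constructed samples.

```python
"""Build and audit a root authorized_keys file whose entries are restricted
to logins from a single bastion host via the from="..." option."""

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def split_entry(line):
    """Split an authorized_keys line into (options, key). Options end at the
    first space outside double quotes; a line starting with a key type has none."""
    line = line.strip()
    if line.split(" ", 1)[0] in KEY_TYPES:
        return "", line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""  # no key part found: malformed

def build_authorized_keys(admin_pubkeys, source_host):
    """Emit one from=-restricted line per admin public key (bare lines only)."""
    out = []
    for pub in admin_pubkeys:
        opts, key = split_entry(pub)
        if opts or not key:
            raise ValueError("expected a bare public key line: %r" % pub)
        out.append('from="%s" %s' % (source_host, key))
    return "\n".join(out) + "\n"

def audit_authorized_keys(text, source_host):
    """Return (line_number, problem) for entries not pinned to source_host."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, key = split_entry(line)
        if not key:
            problems.append((n, "malformed entry"))
        elif 'from="%s"' % source_host not in opts:
            problems.append((n, "not restricted to %s" % source_host))
    return problems

ADMIN_KEYS = [  # constructed sample keys, not real key material
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@example",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBob bob@example",
]

if __name__ == "__main__":
    text = build_authorized_keys(ADMIN_KEYS, "lockbox01")
    print(text)
    print(audit_authorized_keys(text + "ssh-rsa AAAAB3Shared root@lockbox01\n", "lockbox01"))
```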
