Re: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org

savannah-hackers-public

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org

From:	Danny Clark
Subject:	Re: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org
Date:	Fri, 27 Feb 2009 10:40:09 -0500
User-agent:	Thunderbird 2.0.0.19 (X11/20090105)

Karl Berry wrote:
>     If so, we could allow access from fencepost, for instance.
> 
> Please (pretty please) do.

IMHO this is a horrid idea. Fencepost has been cracked before, and is
probably the machine in most danger of getting cracked again in the
future due to the large number of users with shell access.

Having people go to other machines via fencepost is asking for a man in
the middle attack. Add to that that I'm sure some people who don't know
how to use ssh forwarding will probably just upload their ssh private
keys to fencepost to get this work, and I think you get to a much worse
situation than just having lists ssh be open.

If we want to not trust ssh on lists as the only thing that needs to
fail somehow to allow access, perhaps add another authentication layer,
such as fwknopd (with GnuPG public key auth) or ostiary (which I think
can only do shared secret passwords)?

-- 
Daniel JB Clark   | Sys Admin, Free Software Foundation
pobox.com/~dclark | http://www.fsf.org/about/staff#danny

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org, Danny Clark <=
- Re: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org, Karl Berry, 2009/02/27

Prev by Date: Re: [Savannah-hackers-public] Savannah non-GNU mirror: file deletion/rename
Next by Date: Re: [Savannah-hackers-public] Savannah non-GNU mirror: file deletion/rename
Previous by thread: [Savannah-hackers-public] savannah
Next by thread: Re: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org
Index(es):
- Date
- Thread