Re: [Savannah-hackers-public] Re: ssh logins to

From: Danny Clark
Subject: Re: [Savannah-hackers-public] Re: ssh logins to
Date: Fri, 27 Feb 2009 10:40:09 -0500
Karl Berry wrote:
>     If so, we could allow access from fencepost, for instance.
> Please (pretty please) do.

IMHO this is a horrid idea. Fencepost has been cracked before, and is
probably the machine in most danger of getting cracked again in the
future due to the large number of users with shell access.

Having people go to other machines via fencepost is asking for a man in
the middle attack. Add to that that I'm sure some people who don't know
how to use ssh forwarding will probably just upload their ssh private
keys to fencepost to get this to work, and I think you get to a much worse
situation than just having lists ssh be open.

If we want to not trust ssh on lists as the only thing that needs to
fail somehow to allow access, perhaps add another authentication layer,
such as fwknopd (with GnuPG public key auth) or ostiary (which I think
can only do shared secret passwords)?

Daniel JB Clark   | Sys Admin, Free Software Foundation |
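An added example, not part of the thread or of the FSF's own configuration: the client-side ssh_config stanza that avoids the failure mode Danny describes above (private keys copied to fencepost, or the agent forwarded to it). With ProxyCommand the client only asks the jump host for a TCP relay; the second ssh session is encrypted and host-key-checked end to end, so a compromised fencepost sees ciphertext and cannot substitute its own host key without tripping StrictHostKeyChecking. The host names "fencepost" and "lists", the login name and the key path are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit a ~/.ssh/config stanza that
# reaches a target host through a jump host without ever placing a private
# key on the jump host and without forwarding the agent to it.
# Host names, user name and key path are assumptions for illustration.

# Emit the stanza. $1 = jump host, $2 = target host, $3 = login name.
jump_stanza() {
    cat <<EOF
Host $2
    User $3
    # Relay through the jump host; "ssh -W" needs OpenSSH 5.4 or newer.
    # On older clients use: ProxyCommand ssh $1 nc %h %p
    ProxyCommand ssh -W %h:%p $1
    # Never hand the agent to the jump host: root on $1 could use it.
    ForwardAgent no
    # Refuse to connect if $2's host key is unknown or has changed.
    StrictHostKeyChecking yes
    # Offer only the key named here, never every key in the agent.
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_$2
EOF
}

# Sanity check for an existing config file: succeed (exit 0) if any stanza
# forwards the agent, which is the mistake that puts keys within reach of
# the jump host. Written in portable basic regex (no GNU \+).
forwards_agent() {
    grep -iq '^[[:space:]]*ForwardAgent[[:space:]][[:space:]]*yes' "$1"
}

# Stand-alone run: write the stanza to a temporary file, check it, show it.
tmp=$(mktemp)
jump_stanza fencepost lists karl > "$tmp"
if forwards_agent "$tmp"; then
    echo "config forwards the agent to the jump host" >&2
fi
cat "$tmp"
rm -f "$tmp"
```

The point of the check function is that `ssh -A fencepost` followed by `ssh lists` is exactly the pattern to avoid: anyone with root on fencepost can use the forwarded agent socket while the session is up, which is the same exposure as uploading the key.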

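For the second suggestion in the message, an added example (not the thread's or the project's own configuration) of what a GnuPG-authenticated single packet authorization layer in front of sshd looks like as an fwknopd access.conf. Directive names follow the fwknop 2.x access.conf format as I recall it and should be checked against the installed version's man page; the key IDs, passphrase placeholder, home directory and timeout are illustrative assumptions.

```conf
# fwknopd access.conf (added example, not from the thread).
# Only SPA packets encrypted to the server key AND signed by an allowed
# client key open tcp/22, and only for the source address in the packet,
# for a short window. The key IDs and paths below are placeholders.

SOURCE: ANY;
OPEN_PORTS: tcp/22;
FW_ACCESS_TIMEOUT: 30;

# The client must state its own source address; do not trust the packet's IP header alone.
REQUIRE_SOURCE_ADDRESS: Y;

# Server-side GnuPG keyring and the key clients encrypt to.
GPG_HOME_DIR: /root/.gnupg;
GPG_DECRYPT_ID: 1234ABCD;
GPG_DECRYPT_PW: __CHANGEME__;

# Reject any packet that is not signed by one of the listed client keys;
# this is the public-key authentication step that ostiary's shared secret lacks.
GPG_REQUIRE_SIG: Y;
GPG_REMOTE_ID: 5678EFGH, 9ABC0123;
```

Because the signature check happens before the firewall rule is added, a leaked server decryption key alone does not grant access; an attacker also needs one of the client signing keys, which stay on the users' own machines rather than on fencepost.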
