savannah-hackers-public

Re: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org


From: Jim Meyering
Subject: Re: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org
Date: Sun, 08 Mar 2009 17:43:44 +0100

Ward Vandewege wrote:
> On Thu, Mar 05, 2009 at 06:38:46AM -0600, Karl Berry wrote:
>> I realized last night there's another significant issue with access to
>> lists -- the mailing list feature on savannah relies on being able to
>> get over to lists and run a command to create or delete a list.  We
>> don't want to lose that functionality.  I do not know if
>>
>> Ward's original proposal was to limit incoming ssh on lists to the
>> personal machines of savannah hackers.  Let me take that one step
>> further: how about if it is limited only to savannah itself?
>
> That would work.
>
>> I realize that does not address every conceivable security issue, but is
>> it acceptable?  It is surely an improvement (from your point of view)
>> over allowing access from everywhere on the one hand, and does not
>> require extra work and software from us on the other.  Everything's a
>> tradeoff ...
>
> Absolutely. What I'm trying to achieve here is not having lists ssh
> accessible from all over the internet. Ideally we would do that in the least
> complicated way: static firewall rules. It's totally fine for the sysadmins
> to have to maintain that list of static firewall rules, and add/remove/modify
> IP addresses for people that need to be able to ssh into lists. We already do
> that for other machines. I want to minimize the effort required from the
> community (by not requiring extra software, etc) while improving security.
>
> Restricting ssh logins to savannah would be great from my perspective. And
> I'm happy to add any other static IPs that you guys want access from.
>
> What do you think?

Fine by me, however, since I'm a bit paranoid, I'd much prefer
to provide the static IP of my desktop system than to forward
ssh-auth info through a system (even as secure as it is) like
sv.gnu.org.  IMHO, typing a password should not be an option,
except perhaps for an ssh daemon running on a separate port
that is enabled only after some sort of _secure_ port knocking.

BTW, if you like the idea of port knocking, this one is particularly cool:

  http://www.cipherdyne.org/fwknop/docs/SPA.html



