savannah-hackers-public

Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org


From: Jim Meyering
Subject: Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade
Date: Mon, 21 Feb 2011 21:32:53 +0100

Bernie Innocenti wrote:
> On Mon, 2011-02-21 at 18:27 +0100, Jim Meyering wrote:
>> Doesn't sound like you're joking...
>> Please, never reuse passphrases for such important things.
>>
>> Even if someone key-logs or shoulder-surfs[*] my ssh passphrase,
>> they'll still have to get my private key, and none of that will
>> help them get my gpg passphrase or *its* private key.
>
> If both keys must be used in quick succession, as is the case for
> logging in with fwknopd + ssh, there's no gain in having two different
> passphrases!

Your "if" clause is false, since there are plenty
of other, independent uses of the two tools, and besides,
one can use ssh-agent or gpg-agent, so you wouldn't necessarily
need to type any passphrase.  Using an agent is a trade-off, of course.

Arguing to use the same passphrase for both ssh and gpg
is really a lost cause ;-)

> As you said, the only effective way to improve security in a two-factor

That's not the only way.
It helps when you're not confident that an on-disk (or on-USB-fob)
private key is sufficiently safe.

> authentication is to store the keys on different devices.  However, card
> readers are relatively rare and it's unrealistic to think that most
> Savannah maintainers will start using them to turn fwknopd into an
> effective security measure.

They're not that rare, now.
I'm pretty sure all fedora-infrastructure admins now use them.

> Limiting ssh access to a few known IPs is easy and constitutes an
> independent factor in addition to ssh authentication (although a weak
> one). Given that the implementation cost is very low, why not do it?

No objection from me.
I was merely proposing a way to avoid telling people
to go through fencepost.

Speaking of which, we could do both:
IP-whitelist-only access to ssh on port 22.
Allow fwknop to ssh on some other normally-closed port for those
who need to come in from an IP address not on the whitelist.

>> We can't be too paranoid... if my system were to be cracked, it'd
>> be way too easy for someone to do something nasty right as I'm
>> making a coreutils release, that I would then gpg-sign and upload.
>> No one audits those 50K-line configure scripts.  I would hate to
>> be responsible for that.
>
> I agree that security is important, but we should find security measures
> that are not too inconvenient for daily use, because otherwise people
> tend to work them around or disable them. I've seen this happen many
> times in corporate environments and, while GNU contributors can be
> expected to be more responsible than the average developer, everyone has
> a limit.
>
> He who has SElinux still enabled cast the first stone :-)

No stones to throw, but...
I've been using SELinux enabled for desktops and servers since Fedora 12.
Have you tried it recently?  You might be surprised to see how quickly
SELinux problems are fixed when you take the time to file a bug in Bugzilla.
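The two-tier scheme sketched above (port 22 reachable only from an IP whitelist, plus a second, normally-closed sshd port that fwknop opens for people arriving from elsewhere) written out as a firewall rule generator. This is an added example, not code from the thread or from the fwknop project. It assumes a second sshd port of 62201, fwknopd's default iptables behaviour of adding its per-source ACCEPT rules to a chain named FWKNOP_INPUT, and the conntrack match; the whitelist addresses are constructed documentation addresses. The script prints the iptables commands instead of running them, so the rule order can be reviewed before it is applied to a host.

```shell
#!/bin/sh
# Added example (not from the thread or the fwknop project): emit the iptables
# rules for the scheme proposed above.  Port 22 is reachable only from a fixed
# whitelist; a second sshd port (KNOCK_PORT, an assumed value) is dropped by
# default and opened per source IP by fwknopd, which by default inserts its
# ACCEPT rules into a chain called FWKNOP_INPUT (assumption: default fwknopd
# iptables settings).  Commands are printed, not executed, so the output can be
# reviewed and then piped to sh on the host.

KNOCK_PORT=62201   # assumed second sshd port; add "Port 62201" to sshd_config

# Accept a dotted-quad IPv4 address with an optional /prefix.  Returns 1 on
# anything else so a typo in the whitelist cannot silently turn into a rule
# that locks everyone out of port 22.
is_ipv4_cidr() {
    addr=${1%/*}
    mask=${1#*/}
    [ "$mask" = "$1" ] && mask=32          # no prefix given: single host
    case $mask in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                            # split octets into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ssh_fw_rules KNOCK_PORT CIDR...  -> iptables commands on stdout.
# Rule order matters: established sessions first (so a session survives the
# expiry of its fwknopd entry), then fwknopd's chain, then the port-22
# whitelist, then the default drops for both ports.
gen_ssh_fw_rules() {
    knock_port=$1; shift
    [ $# -gt 0 ] || { echo "gen_ssh_fw_rules: empty whitelist" >&2; return 1; }
    for cidr in "$@"; do
        is_ipv4_cidr "$cidr" || { echo "gen_ssh_fw_rules: bad CIDR '$cidr'" >&2; return 1; }
    done
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -N FWKNOP_INPUT"
    echo "iptables -A INPUT -j FWKNOP_INPUT"
    for cidr in "$@"; do
        echo "iptables -A INPUT -p tcp -s $cidr --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
    echo "iptables -A INPUT -p tcp --dport $knock_port -j DROP"
}

# Constructed sample whitelist (documentation addresses, not real hosts).
gen_ssh_fw_rules "$KNOCK_PORT" 192.0.2.10 198.51.100.0/24
```

The jump to FWKNOP_INPUT sits before the DROP for the knock port, so the per-IP ACCEPT entries fwknopd adds on a valid SPA packet (and removes again on timeout) take precedence; the ESTABLISHED rule keeps an already-open session alive after its entry expires. As Bernie notes, the whitelist is only a weak factor: it raises the cost for an attacker who has obtained a key and passphrase, but it does nothing against one who can also send from a whitelisted address.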


