Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org


From: Jim Meyering
Subject: Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade
Date: Tue, 22 Feb 2011 00:22:44 +0100

Bernie Innocenti wrote:
> On Mon, 2011-02-21 at 21:32 +0100, Jim Meyering wrote:
>
>> Your "if" clause is false, since there are plenty
>> of other, independent uses of the two tools, and besides,
>> one can use ssh-agent or gpg-agent, so you wouldn't necessarily
>> need to type any passphrase.  Using an agent is a trade-off, of course.
>>
>> Arguing to use the same passphrase for both ssh and gpg
>> is really a lost cause ;-)
>
> Uh? But I've never argued for this! :-)

Um... ok.  Good!

> The original topic was: "let's add fwknopd (which relies on the gpg key)
> as an extra layer of protection for ssh".

Not quite.  I proposed use of fwknop as a way to avoid the risk of
requiring people not on a whitelisted IP to go through fencepost.

> The point I was making is that using two keys stored on the same device
> does not significantly increase security, regardless of how many
> passwords are used to encrypt them.
>
> I guess we agree on this, don't we?

No.  It's easy to imagine only one of the two keys being
compromised, even when their private parts are on the same disk.

...
> I heard that Red Hat uses smart cards since that scary security incident
> of two years ago. I'm not sure about Fedora.
>
> Are you proposing that we pursue the same scheme for the GNU (and FSF)
> infrastructure?
>
> (it might be a good idea, long term... but in the immediate I'd prefer
> to go with something cheap and simple).

No.  As I said, IP-based restriction sounds fine.

>> No objection from me.
>> I was merely proposing a way to avoid telling people
>> to go through fencepost.
>>
>> Speaking of which, we could do both:
>> IP-whitelist-only access to ssh on port 22.
>> Allow fwknop to ssh on some other normally-closed port for those
>> who need to come in from an IP address not on the whitelist.
>
> For the reason I gave above I'm not convinced that fwknop adds all that
> much security relative to an open ssh port.

Wrong comparison.
Compare using fwknop-and-alt-ssh-port to agent-fwd-through-fencepost.
The former is more secure.

> Although, admittedly, requiring the people to bounce on fencepost also
> does not sound like a big improvement: whoever stole your ssh key could
> do this as well! There's even some extra risk in doing this: people
> would have to forward the authentication agent on fencepost.
>
>
>> > He who has SELinux still enabled cast the first stone :-)
>>
>> No stones to throw, but...
>> I've been using SELinux enabled for desktops and servers since Fedora 12.
>> Have you tried it recently?  You might be surprised to see how quickly
>> SELinux problems are fixed when you take the time to file a bug in Bugzilla.
>
> I have it enabled in permissive mode on my Fedora machines so I can
> check the audit log to see what would break if I had enabled it :-)
>
> Seriously: yes, Dan Walsh is a pretty good maintainer, but imho SELinux
> is not worth its TCO in most cases. Last month I attended a talk in

The TCO of SELinux for the vast majority (since F14, maybe since F13)
has been zero, because most things "just work."

> which it looked like the SELinux policy seems to be evolving into a
> full-featured, statically compiled, strongly typed language with macros
> and modules. Here's a transcript:

And fewer and fewer people find a need to deal with it.
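
The layout proposed in this thread (whitelist-only ssh on port 22, plus a second ssh port that stays closed until fwknopd accepts a GPG-signed packet), sketched as configuration. This is an added example, not part of the original message and not the actual Savannah setup; the alternate port 2222, the 192.0.2.0/24 whitelist, the key-ID placeholders and the use of fwknopd 2.x access.conf syntax are assumptions.

```conf
# ---- /etc/ssh/sshd_config (excerpt) ------------------------------------
# sshd listens on both ports; the firewall decides who can reach which.
Port 22
Port 2222

# ---- iptables-restore input (filter table) -----------------------------
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Keeps an ssh session alive after fwknopd's temporary rule has expired.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Port 22: whitelisted source addresses only (constructed example range).
-A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
# Port 2222: no ACCEPT rule here on purpose. It is closed by default, and
# fwknopd inserts a short-lived rule in its own chain after a valid packet.
COMMIT

# ---- /etc/fwknop/access.conf --------------------------------------------
# Accept authorization packets from any address, since the users of this
# path are exactly the ones who are not on the whitelist.
SOURCE                  ANY
# The only port a valid packet may open.
OPEN_PORTS              tcp/2222
# Reject packets that ask to open the port for 0.0.0.0; the client must
# name the address that will connect.
REQUIRE_SOURCE_ADDRESS  Y
# How long (seconds) the temporary ACCEPT rule stays in place.
FW_ACCESS_TIMEOUT       30
# Server key used to decrypt, and the client key whose signature is
# required. Both IDs and the passphrase are placeholders.
GPG_HOME_DIR            /root/.gnupg
GPG_DECRYPT_ID          __SERVER_KEY_ID__
GPG_DECRYPT_PW          __SERVER_KEY_PASSPHRASE__
GPG_REMOTE_ID           __ADMIN_KEY_ID__
```

With this arrangement a connection from a non-whitelisted address needs both a packet signed by the listed GPG key and a valid ssh credential, which is the two-independent-keys property debated above, and no authentication agent has to be forwarded through an intermediate host.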
