Re: [Savannah-hackers-public] Re: [ #670138]

From: Jim Meyering
Subject: Re: [Savannah-hackers-public] Re: [ #670138] Dom0 upgrade
Date: Tue, 22 Feb 2011 00:22:44 +0100

Bernie Innocenti wrote:
> On Mon, 2011-02-21 at 21:32 +0100, Jim Meyering wrote:
>> Your "if" clause is false, since there are plenty
>> of other, independent uses of the two tools, and besides,
>> one can use ssh-agent or gpg-agent, so you wouldn't necessarily
>> need to type any passphrase.  Using an agent is a trade-off, of course.
>> Arguing to use the same passphrase for both ssh and gpg
>> is really a lost cause ;-)
> Uh? But I've never argued for this! :-)

Um... ok.  Good!

> The original topic was: "let's add fwknopd (which relies on the gpg key)
> as an extra layer of protection for ssh".

Not quite.  I proposed use of fwknop as a way to avoid the risk of
requiring people not on a whitelisted IP to go through fencepost.

> The point I was making is that using two keys stored on the same device
> does not significantly increase security, regardless of how many
> passwords are used to encrypt them.
> I guess we agree on this, don't we?

No.  It's easy to imagine only one of the two keys being
compromised, even when their private parts are on the same disk.

> I heard that Red Hat uses smart cards since that scary security incident
> of two years ago. I'm not sure about Fedora.
> Are you proposing that we pursue the same scheme for the GNU (and FSF)
> infrastructure?
> (it might be a good idea, long term... but in the immediate I'd prefer
> to go with something cheap and simple).

No.  As I said, IP-based restriction sounds fine.

>> No objection from me.
>> I was merely proposing a way to avoid telling people
>> to go through fencepost.
>> Speaking of which, we could do both:
>> IP-whitelist-only access to ssh on port 22.
>> Allow fwknop to ssh on some other normally-closed port for those
>> who need to come in from an IP address not on the whitelist.
> For the reason I gave above I'm not convinced that fwknop adds all that
> much security relative to an open ssh port.

Wrong comparison.
Compare using fwknop-and-alt-ssh-port to agent-fwd-through-fencepost.
The former is more secure.

> Although, admittedly, requiring the people to bounce on fencepost also
> does not sound like a big improvement: whoever stole your ssh key could
> do this as well! There's even some extra risk in doing this: people
> would have to forward the authentication agent on fencepost.
>> > He who has SELinux still enabled cast the first stone :-)
>> No stones to throw, but...
>> I've been using SELinux enabled for desktops and servers since Fedora 12.
>> Have you tried it recently?  You might be surprised to see how quickly
>> SELinux problems are fixed when you take the time to file a bug in Bugzilla.
> I have it enabled in permissive mode on my Fedora machines so I can
> check the audit log to see what would break if I had enabled it :-)
> Seriously: yes, Dan Walsh is a pretty good maintainer, but imho SELinux
> is not worth its TCO in most cases. Last month I attended a talk in

The TCO of SELinux for the vast majority (since F14, maybe since F13)
has been zero, because most things "just work."

> which it looked like the SELinux policy seems to be evolving into a
> full-featured, statically compiled, strongly typed language with macros
> and modules. Here's a transcript:

And fewer and fewer people find a need to deal with it.
