
Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org


From: Bernie Innocenti
Subject: Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade
Date: Mon, 21 Feb 2011 17:58:16 -0500

On Mon, 2011-02-21 at 21:32 +0100, Jim Meyering wrote:

> Your "if" clause is false, since there are plenty
> of other, independent uses of the two tools, and besides,
> one can use ssh-agent or gpg-agent, so you wouldn't necessarily
> need to type any passphrase.  Using an agent is a trade-off, of course.
> 
> Arguing to use the same passphrase for both ssh and gpg
> is really a lost cause ;-)

Uh? But I've never argued for this! :-)

The original topic was: "let's add fwknopd (which relies on the gpg key)
as an extra layer of protection for ssh".

The point I was making is that using two keys stored on the same device
does not significantly increase security, regardless of how many
passwords are used to encrypt them.

I guess we agree on this, don't we?


> > As you said, the only effective way to improve security in a two-factor
> 
> That's not the only way.
> It helps when you're not confident that an on-disk (or on-USB-fob)
> private key is sufficiently safe.

Sure.


> > authentication is to store the keys on different devices.  However,
> > card readers are relatively rare and it's unrealistic to think that
> > most Savannah maintainers will start using them to turn fwknopd into
> > an effective security measure.

> They're not that rare, now.
> I'm pretty sure all fedora-infrastructure admins now use them.

I heard that Red Hat has used smart cards since that scary security
incident two years ago. I'm not sure about Fedora.

Are you proposing that we pursue the same scheme for the GNU (and FSF)
infrastructure?

(it might be a good idea, long term... but in the immediate I'd prefer
to go with something cheap and simple).


> No objection from me.
> I was merely proposing a way to avoid telling people
> to go through fencepost.
> 
> Speaking of which, we could do both:
> IP-whitelist-only access to ssh on port 22.
> Allow fwknop to ssh on some other normally-closed port for those
> who need to come in from an IP address not on the whitelist.

For the reason I gave above I'm not convinced that fwknop adds all that
much security relative to an open ssh port.

Although, admittedly, requiring people to bounce on fencepost also
does not sound like a big improvement: whoever stole your ssh key could
do this as well! There's even some extra risk in doing this: people
would have to forward the authentication agent on fencepost.


> > He who has SElinux still enabled cast the first stone :-)
> 
> No stones to throw, but...
> I've been using SELinux enabled for desktops and servers since Fedora 12.
> Have you tried it recently?  You might be surprised to see how quickly
> SELinux problems are fixed when you take the time to file a bug in Bugzilla.

I have it enabled in permissive mode on my Fedora machines so I can
check the audit log to see what would break if I had enabled it :-)

Seriously: yes, Dan Walsh is a pretty good maintainer, but imho SELinux
is not worth its TCO in most cases. Last month I attended a talk in
which it looked like the SELinux policy is evolving into a
full-featured, statically compiled, strongly typed language with macros
and modules. Here's a transcript:

http://meetbot.fedoraproject.org/fudcon-room-1/2011-01-30/fudcon-room-1.2011-01-30-16.58.log.txt

-- 
Bernie Innocenti
Systems Administrator, Free Software Foundation
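The "permissive mode, then read the audit log" approach mentioned above, as an added example that is not part of the thread or of any Savannah tooling: a small Python script that parses AVC records and summarises which accesses only succeeded because SELinux was permissive, i.e. what would start failing in enforcing mode. The sample records are constructed here (their field layout follows the kernel's AVC format, and the script assumes a kernel that emits the permissive= field).

```python
import re
from collections import Counter

# Constructed sample records (not from the thread). permissive=1 marks an access
# the policy would have denied but which was allowed because SELinux is permissive.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1298318296.101:42): avc:  denied  { read } for  pid=2101 comm="sshd" name="authorized_keys" dev=dm-0 ino=9311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1298318296.102:43): avc:  denied  { open } for  pid=2101 comm="sshd" name="authorized_keys" dev=dm-0 ino=9311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1298318300.517:44): avc:  denied  { name_bind } for  pid=2210 comm="fwknopd" src=62201 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=1
type=SYSCALL msg=audit(1298318300.517:44): arch=c000003e syscall=49 success=yes exit=0 comm="fwknopd"
type=AVC msg=audit(1298318305.003:45): avc:  denied  { write } for  pid=2101 comm="sshd" name="lastlog" dev=dm-0 ino=1201 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc_denials(log_text):
    """Yield one dict per AVC denial record; SYSCALL and other record types are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            "perms": tuple(m.group("perms").split()),
            # third field of a security context is the type (source domain / target type)
            "sdomain": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            # assumes a kernel that emits permissive=; a missing field counts as blocked
            "permissive": m.group("permissive") == "1",
        }

def would_break_in_enforcing(log_text):
    """Count accesses that only succeeded thanks to permissive mode, keyed by
    (source domain, target type, object class, permission); permissive=0 records are skipped."""
    counts = Counter()
    for rec in parse_avc_denials(log_text):
        if rec["permissive"]:
            for perm in rec["perms"]:
                counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

def report(log_text):
    """One line per access that would start failing, in audit2allow-like form."""
    return "\n".join(f"allow {s} {t}:{c} {p};  # seen {n}x"
                     for (s, t, c, p), n in sorted(would_break_in_enforcing(log_text).items()))
```

Run `report()` over `/var/log/audit/audit.log` instead of the sample to get the list for a real host; the lastlog write shows up in the raw denials but not in the report, since it was already being blocked.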



