Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org
From: Bernie Innocenti
Subject: Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade
Date: Mon, 21 Feb 2011 14:57:18 -0500

On Mon, 2011-02-21 at 18:27 +0100, Jim Meyering wrote:
> Doesn't sound like you're joking...
> Please, never reuse passphrases for such important things.
>
> Even if someone key-logs or shoulder-surfs[*] my ssh passphrase,
> they'll still have to get my private key, and none of that will
> help them get my gpg passphrase or *its* private key.

If both keys must be used in quick succession, as is the case for
logging in with fwknopd + ssh, there's no gain in having two different
passphrases!

As you said, the only effective way to improve security in a two-factor
authentication is to store the keys on different devices. However, card
readers are relatively rare and it's unrealistic to think that most
Savannah maintainers will start using them to turn fwknopd into an
effective security measure.

Limiting ssh access to a few known IPs is easy and constitutes an
independent factor in addition to ssh authentication (although a weak
one). Given that the implementation cost is very low, why not do it?

> We can't be too paranoid... if my system were to be cracked, it'd
> be way too easy for someone to do something nasty right as I'm
> making a coreutils release, that I would then gpg-sign and upload.
> No one audits those 50K-line configure scripts. I would hate to
> be responsible for that.

I agree that security is important, but we should find security measures
that are not too inconvenient for daily use, because otherwise people
tend to work around them or disable them. I've seen this happen many
times in corporate environments and, while GNU contributors can be
expected to be more responsible than the average developer, everyone has
a limit.

He who has SELinux still enabled cast the first stone :-)

--
Bernie Innocenti
Systems Administrator, Free Software Foundation
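
The following is an added example, not part of the original message or of Savannah's actual setup: a source-IP restriction only counts as an extra factor while it really holds, so this Python check audits sshd "Accepted" log lines against an allowlist. The allowlisted networks, user names and log lines are constructed for illustration.

```python
import ipaddress
import re

# Hypothetical allowlist: documentation-range networks standing in for
# the "few known IPs" that maintainers would connect from.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in
                ("192.0.2.0/28", "198.51.100.7/32", "2001:db8:10::/48")]

# Matches OpenSSH's "Accepted <method> for <user> from <addr> port <n>" line.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+")

def is_allowed(addr, nets=ALLOWED_NETS):
    """True if addr falls inside any allowlisted network."""
    ip = ipaddress.ip_address(addr)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in nets)

def logins_outside_allowlist(lines, nets=ALLOWED_NETS):
    """Return (user, addr, method) for each accepted login from an unlisted source."""
    hits = []
    for line in lines:
        m = ACCEPTED.search(line)
        if m and not is_allowed(m["addr"], nets):
            hits.append((m["user"], m["addr"], m["method"]))
    return hits

# Constructed sample log lines (not from any real host).
SAMPLE_LOG = """\
Feb 21 14:02:11 host sshd[4121]: Accepted publickey for alice from 192.0.2.5 port 50122 ssh2
Feb 21 14:05:40 host sshd[4188]: Failed password for root from 203.0.113.9 port 40022 ssh2
Feb 21 14:09:03 host sshd[4203]: Accepted publickey for bob from 203.0.113.77 port 51515 ssh2
Feb 21 14:12:27 host sshd[4240]: Accepted publickey for carol from ::ffff:198.51.100.7 port 40400 ssh2
Feb 21 14:20:59 host sshd[4302]: Accepted password for dave from 2001:db8:ffff::1 port 60000 ssh2
""".splitlines()

if __name__ == "__main__":
    for user, addr, method in logins_outside_allowlist(SAMPLE_LOG):
        print(f"login outside allowlist: {user} from {addr} via {method}")
```

Any hit means the firewall or sshd restriction is not in force for that path, or the allowlist is out of date.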