Re: people.debian.org to move to ravel
On Thu, Aug 28, 2008 at 09:31:41PM +0200, Peter Palfrader wrote:
> On Thu, 28 Aug 2008, Steve Langasek wrote:
>>> Ravel (...) Also, ssh logins are restricted to key based logins,
>>> password based logins are not allowed.
>> What's the reason for this authentication policy, which differs
>> from (AFAIK) all developer-public debian.org hosts to date? Is
>> this a sign of a broader policy change coming down the line?
> It is. Limiting an attacker's ability to easily jump from one
> compromised box to another is something we really want to have. Not
> tomorrow, but eventually.
I'm not sure the no-passwords policy helps much by itself; I get the
impression people will just put a ssh key in their homes on Debian
machines and add it to the authorized keys in LDAP.