
Re: ssh connection to Debian servers



On Mon, Jan 05, 2004 at 08:00:46PM +0100, Nicolas Bertolissio wrote:
> Following the compromise, I sent my ssh key to the address that had been
> indicated so that I could log in with that method, and so I have no
> password on these machines.

> When I try to connect, on gluck there is no problem, it asks me for the
> passphrase for my rsa key as expected, but I tried on other machines
> (auric and klecker) and there it asks me for a password on the machine,
> and of course I don't have one since I didn't request a new one.

Auric and klecker were closed after the compromise, for security
reasons (they are ftp-master.debian.org and security.debian.org, of
course).

http://lists.debian.org/debian-devel-announce/2003/debian-devel-announce-200312/msg00001.html

                          Where can I login?
                          ------------------

There's been a fair bit of talk post-compromise about restricting
access to machines running (core) services.  At the moment, the only
thing I'm (personally) doing is not enabling non-services accounts on
auric (ftp-master) and klecker (security, non-US, qa, nm, www-master)
immediately.  Obviously, it's useful for random developers to have
access to e.g. the postgres database of the archive, so the current
plan if the restricted nature of auric becomes permanent is to mirror
the system daily to another box that would be unrestricted.  [This
would have the added bonus of giving us a hot spare for
disasters/arson attacks etc.]

Basically the whole issue of what, if anything, to restrict is still
up in the air.  I'm looking for input/opinions/discussion on this.  If
you need access to the machines running the archives, please tell me
(or probably better yet, start a thread on debian-devel) why.

On a similar note some of our boxes are currently overloaded and
services are generally inelegantly distributed; there's certainly
going to be some juggling of them coming up.  It's not decided
what/when/where/how yet though, more details before it happens.
 
-- 
Steve Langasek
postmodern programmer
