[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: transfering files between *.debian.org hosts (was: people.debian.org to move to ravel)

On Sat Aug 30 16:43, Steve Langasek wrote:
> This is obviously an *incredibly* bad idea for anyone to do if they actually
> care about the security of the Debian systems.  But we're already talking
> about hard policy changes to stop users from doing things they shouldn't do
> in the first place (== using passwords when logging in to Debian servers
> from their systems), so I don't think you should underestimate the capacity
> of developers to be cleverly stupid when security is concerned.

If the idea is to remove password access to stop credentials sniffed on
one machine being used on another, how about some form of one time
password system?

The University of Cambridge computer laboratory has recently changed to
only allowing OTP or key login to machines using a system written by
Markus Kuhn, who has some claim to being a competent security
researcher and hence who's system I would trust. This system is called
OTPW, has PAM integration and is in Lenny. Markus wrote it to fix some
security flaws in the design of other OTP systems such as OPIE.

Matthew Johnson

Attachment: signature.asc
Description: Digital signature

Reply to: