FAS and public Key auth

Mike McGrath mmcgrath at redhat.com
Thu May 22 15:19:54 UTC 2008

On Thu, 22 May 2008, brett lentz wrote:

> IMO, a good starting point for those requirements would be:
> 1. system runs Fedora/RHEL
> 2. system has selinux enabled and enforcing.
> 3. system uses an acceptable update schedule.
> 4. system's admins are known, and willing to be available when we need
> to contact them (within a reasonable set of hours)
> 5. the system's admins document their policy for providing root access
> to their system. this allows us to do some risk analysis.
> 6. we should be able to quickly and easily revoke the system's access to Fedora.

That's the problem though, there's no way for us to enforce that in any way
without regularly checking in, etc.  What if they're not compliant and for
how long?  I think this policy should be simple or non-existent at all.
If we can't reliably say that ssh-key based auth to remote machines is a
no-risk operation for us, then we shouldn't do it.

> The implications for ssh-agent are fairly simple. Your private key
> still never touches the wire or the remote systems. SSH-Agent forwards
> the auth challenges to the local system you're logging in from.
> Here's a great diagram of the process:
> http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#fwd

I know your private key doesn't touch the wire or remote system.  But the
agent creates a socket in /tmp/ssh-* and I'm worried someone with access
to that socket could auth to other machines as the user.
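An added example, not part of the original message: a defender-side audit of the forwarded-agent sockets discussed above, reporting who owns each one and whether its directory permissions expose it to other accounts. The `agent.*` file name inside `/tmp/ssh-*` is an assumption based on OpenSSH's traditional layout, and `audit_agent_sockets` is a hypothetical helper name.

```python
import glob
import os
import stat


def audit_agent_sockets(tmp_root="/tmp"):
    """Return one finding per agent socket matching tmp_root/ssh-*/agent.*.

    Run as root to see every user's sockets; an unprivileged user can
    only list the directories they are allowed to read.
    """
    auth_sock = os.environ.get("SSH_AUTH_SOCK")
    findings = []
    for path in sorted(glob.glob(os.path.join(tmp_root, "ssh-*", "agent.*"))):
        try:
            sock_st = os.lstat(path)
            dir_st = os.lstat(os.path.dirname(path))
        except OSError:
            continue  # socket vanished between listing and stat
        if not stat.S_ISSOCK(sock_st.st_mode):
            continue  # only real UNIX sockets are of interest
        dir_mode = stat.S_IMODE(dir_st.st_mode)
        findings.append({
            "socket": path,
            "owner_uid": sock_st.st_uid,
            "dir_mode": oct(dir_mode),
            # Any group/other bit on the directory lets other accounts
            # reach the socket. root bypasses these bits entirely, which
            # is why the trust placed in the remote host's admins matters.
            "dir_open_to_others": bool(dir_mode & 0o077),
            "is_current_session": path == auth_sock,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_agent_sockets():
        flag = "EXPOSED" if finding["dir_open_to_others"] else "owner-only"
        print(f'{finding["socket"]} uid={finding["owner_uid"]} '
              f'dir={finding["dir_mode"]} {flag}')
```

An "owner-only" result still leaves the socket usable by root on that host for as long as the forwarding session is open.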

