Meeting Log - 2008-04-30
Ricky Zhou
ricky at fedoraproject.org
Thu Apr 30 21:02:47 UTC 2009
19:59 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Who's here?
19:59 * ricky
19:59 * skvidal is
20:00 * nirik waves from the back of the room.
20:00 < mmcgrath> So I'm going to go quickly through some things so we can talk about authentication.
20:00 * jeremy squints and tries to see if he can make out the front of the room from the top of the cheap seats ;)
20:01 * lmacken is here
20:01 -!- mdomsch [n=Matt_Dom at cpe-70-124-62-55.austin.res.rr.com] has joined #fedora-meeting
20:01 < mmcgrath> First lets go through this last release
20:01 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- The release
20:01 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- The preview release
20:01 < mmcgrath> all in all it went well, the bit flip issue being the main issue.
20:02 < mmcgrath> we've suggested an earlier bit flip time though I don't think we've heard that's how it will be from releng.
20:02 < jwb> i decree yes
20:02 < mdomsch> f13 wasn't excited by it
20:02 < mdomsch> but it would solve the problem at least temporarily
20:02 < mmcgrath> also interestingly was this grap -
20:02 < mmcgrath> h
20:02 < mmcgrath> http://mmcgrath.fedorapeople.org/MirrorRediness-11-Preview.html
20:02 < mdomsch> and the early fanboys will be pleased
20:02 -!- stickster_afk is now known as stickster
20:02 < mmcgrath> showing, in 3 hour intervals, mirrors being ready, then not ready, then ready, then not ready.
20:02 * ricky doens't see why it would ever drop like that
20:03 < mdomsch> not sure either
20:04 < mdomsch> the 3-hour cycle matches that of a crawler run
20:04 < mdomsch> (which now will take <2 hours)
20:04 < mmcgrath> mdomsch: and of course my script started failing after that, but I do have the last 24 hours.
20:04 < mmcgrath> I'll try to get that graphed and up after the meeting is up.
20:04 < mmcgrath> I accidently started appending the output from sleep :)
20:05 < mmcgrath> Ok, so all in all thats what happened there.
20:05 -!- kital [n=Joerg_Si at fedora/kital] has quit Read error: 113 (No route to host)
20:05 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Authentication
20:05 -!- RadicalRo [n=radical at 77.36.4.49] has quit Remote closed the connection
20:05 < smooge> i am herew
20:05 < mmcgrath> So on to the meat of the meeting.
20:05 < mmcgrath> smooge: hey
20:05 < mmcgrath> So there's been lots of discussion on f-i-l recently and I think it's mostly just re-hashing of stuff that's been on many of our minds for a while
20:06 < mmcgrath> dgilmore and I have started looking at yubikey and lmacken is already a user.
20:06 < mmcgrath> AFAIK, it's looking pretty solid.
20:06 < smooge> cool.
20:06 < mmcgrath> So lets flash forward and pretend we have a yubikey or some other hardware style key thing implemented.
20:06 * lmacken would love to see yubikey's with a fedora logo on it :)
20:06 < mmcgrath> What do we want that environment to look like?
20:06 < mmcgrath> lmacken: yeah I told dgilmore we need to get mizmo to get some stickers made :)
20:07 < mmcgrath> At the core of what *I* want
20:07 < mmcgrath> is two factor authentication.
20:07 < mmcgrath> for all of sysadmin-main.
20:07 < mmcgrath> and make it optional for others.
20:07 < mmcgrath> but what all that means is unclear to me.
20:07 < mmcgrath> So where did LDAP come in?
20:07 < smooge> hmmm at a previous place had our 2 factor item connected to the kerberos server. This allowed us to have a 4 hour reauth time etc.. might be overkill etc
20:08 < ricky> The LDAP discussion came in as a response to the talk about a FAS PAM module.
20:08 < mmcgrath> I started looking at LDAP because we regularly have uses for it but have to say no because we don't have it installed.
20:08 < ricky> Which might be a completely separate thing from 2 factor auth
20:08 < mmcgrath> And from the pam module
20:08 < smooge> so you plug in the key, do your login, and the kerberos authorizes you, the LDAP authenticates (or vice versa)
20:08 < mmcgrath> ricky: right, completely separate but linked in this way...
20:08 < mmcgrath> If the yubikey server goes down, we can't auth.
20:08 < mmcgrath> which means our 'cached' nss setup now, isn't that important.
20:09 < mmcgrath> additionally.
20:09 < smooge> you then get a cookie from the kerberos server that can be cached for X time
20:09 < mmcgrath> we can do different auth for different bits if we want.
20:09 < mmcgrath> for example ssh key to get into a server, but yubikey to auth on it.
20:09 < ricky> Would requiring yubikey for sudo auth be enough?
20:10 < mmcgrath> ricky: not sure, this is all the stuff we have to discuss and think about.
20:10 < ricky> That's the main place where passwords come into play, but that doesn't help much for SSH keys.
20:10 < mmcgrath> smooge: how do you think that type of setup would work in Fedora?
20:10 < ricky> smooge: Is there any way to make it optional without getting in the way of non-token people (ie they don't need to go though an extra prompt or anything)?
20:10 < mmcgrath> jeremy: also, IIRC, did you mention some concerns about running kerberos in Fedora because "clients connecting to two different kerberos networks is painful" ?
20:10 < mmcgrath> or something similar
20:11 < jeremy> mmcgrath: yes
20:11 < jeremy> you can't (easily) have credentials from two kerberos realms at once
20:11 < mmcgrath> so that's something to keep in mind.
20:11 < jeremy> unless you set up cross-realm auth. but that has to be done for every domain you want to allow it with
20:11 < mmcgrath> especially since fedora is secondary for so many people. IE: it's not their primary purpose
20:11 < smooge> well ricky we had multiple layers of authorization. Most people just needed to use the OTP from the cryptocard for getting access. Sysadmins needed a key fob for root access
20:11 < ricky> Something like yubikey would solve a lot of the problems of kerberos though - passwords hashes would pretty much never get sent, correct?
20:12 < mmcgrath> ricky: correct
20:12 < smooge> mmcgrath, I would use the kerberos in the method that ricky mentioned.
20:12 < mmcgrath> smooge: but what about the two kerberos realm problem?
20:12 < ricky> That is an issue worry with something like plain LDAP though, although if somebody can get to a point where they can sniff the traffic, it's already pretty bad.
20:12 < smooge> Most people don't need it.. but some might and those would be the admins etc...
20:13 < smooge> we did cross auth for zones we cared about and where we did not you just do a kdestroy
20:13 < jeremy> smooge: constantly having to kdestroy/kinit is a royal pain
20:14 * jeremy used to do so between rht and ncsu. finally gave up on caring about having ncsu tickets regularly
20:14 < smooge> jeremy, I don't know if I did it that many times.
20:14 < smooge> I had a script that executed that did my logins in the non-cross auth realm
20:15 < ricky> One nice thing about something like LDAP + Kerberos is that it can be rolled out in small pieces.
20:16 < mmcgrath> So I guess my question is, what does kerberos buy us if we're using otp keys anyway?
20:16 < smooge> I am not wedded to kerberos.. its just a way we used to get around dealing with needing multiple cryptocard servers etc
20:16 < mmcgrath> from a security point of view, not much it seems.
20:16 < jeremy> smooge: it would cause major amounts of pain for rht devs doing rhel builds + fedora builds (since at that point, keeping ssl certs _also_ would be kind of overkill. at which point, we'd be using krb for koji atuh)
20:16 < mmcgrath> from the client point of view they have to use the otp more often, but at the cost of greatly complicating any existing kerberos users (which would affect lots of RH employees)
20:16 < jeremy> man, one of these days I need to learn how to type
20:16 < ricky> Kerberos would limit the number of services that we *really* make sure are secure.
20:16 -!- tibbs [n=tibbs at fedora/tibbs] has quit "Konversation terminated!"
20:17 < mmcgrath> ricky: I take it you mean that as a benefit of kerberos?
20:17 < smooge> jeremy, I understand which is why I am not wed to it. Its more of a way to deal with it without inventing kerberos lite (as I have seen a lot places do).
20:17 < ricky> mmcgrath: At least that what I thought people usually try to get out of it
20:18 < smooge> however, sometimes inventing kerberos-lite is what is needed
20:19 < mmcgrath> I think kerberos is going to be a non starter I'm afraid, since it'd only work if we required it everywhere and I don't think we can do that without making life difficult for any of our contributors who are already using kerberos elsewhere.
20:19 < smooge> mmcgrath, kerberos has 'single-sign-on' inconvenience with a way to secondary log access/actions.
20:19 < jeremy> smooge: honestly, kerberos++ really needs to be done taking into account the need of multiple identies. I don't know how much the ipa people have thought about it, though, as I know a lot of their focus is basically "replace AD" :) but that's probably getting way off-topic for this discussion
20:19 < smooge> jeremy, agreed (on all 3 accounts :)).
20:19 < mmcgrath> So, lets say our goal is two facter authentication using a hardware key like yubikey.
20:20 < smooge> mmcgrath, agreed with no kerberos.
20:20 < mmcgrath> So lets leave implementation on the back burner for now and we can think about it for next week.
20:20 < mmcgrath> And lets look at some of our services and how this would affect that.
20:20 < mmcgrath> The big one is things in our critical path, cvs, uploading to cvs, and koji
20:21 < mmcgrath> I really don't think we can be in a position to require packagers to get a hardware key.
20:21 < mmcgrath> even with an unlimited budget, I think it'd be painful without people hours.
20:21 -!- GeroldKa [n=GeroldKa at fedora/geroldka] has joined #fedora-meeting
20:21 < smooge> mmcgrath, I don't think it would buy much if we did.
20:21 < mmcgrath> anyone disagree with that?
20:21 < ricky> Agreed.
20:21 < ricky> But we still need to consider it from the perspective of people that do need keys.
20:22 < mmcgrath> So then we'll be in a scenario where some hardware key is supported but optional... There's a slight bootstrap problem there.
20:22 < mmcgrath> IE: If it's a checkbox in FAS to say "I want to use my yubikey"
20:22 < mmcgrath> After that point, it requires the yubikey to log in.
20:23 < mmcgrath> So what do we do if they lose the yubikey?
20:23 < smooge> mmcgrath, I would say that its critical for things like people who sign packages, people who have 'root' access, etc
20:23 < mmcgrath> smooge: by critical you mean required?
20:23 < mdomsch> smooge+_
20:23 < mdomsch> ++
20:23 < ricky> Just curious - what is the process for initializing the yubikey for auth? Where would that fit in?
20:23 < mmcgrath> ricky: I haven't gotten that far yet actually. You can put your own keys on there, but by default it uses the yubikey server.
20:23 < lmacken> ricky: doesn't require initialization on the key itself... should work out of the box. It also has a write-only section that allows you to replace the AES key
20:23 < smooge> mmcgrath, good first question. There needs to be a procedure for deauthorizing a key tested and built before we allow for people to use them
20:24 < ricky> But somewhere, it has to be registered that this key gives access to this user, right?
20:24 -!- philip_ [n=philip at unaffiliated/philip] has quit Read error: 104 (Connection reset by peer)
20:24 < mmcgrath> smooge: yeah and this is a farily constant (though infrequent) problem.
20:24 < mmcgrath> Since we have no real way to verify someone is who they say they are.
20:24 < lmacken> yes, just like a credit card... if you lose it, you can ensure that the lost key can never be used
20:24 < mdomsch> FI buys the keys, distributes them
20:24 < smooge> mmcgrath, we were reauthorizing cards at places where I worked quite a bit... it happens quite a bit.
20:24 < mmcgrath> mdomsch and I know eachother fairly well, if he tells me his laptop has been stolen.
20:24 < smooge> it was a major cost part of my group.
20:24 < mmcgrath> It becomes very difficult for me to verify mdomsch is mdomsch
20:25 < smooge> you have to have a secondary trusted path for people.
20:25 < mmcgrath> ricky: this reminds me, we need a question and answer bit in fas.
20:25 < mmcgrath> smooge: yeah
20:25 < smooge> that would probably be a 'help' desk in the SIP section. The person would need to dial in a code and then that would deauthorize the fas for that UID/code
20:26 < mmcgrath> Phone is a good method of verification, I don't think we're currently using it like that.
20:26 < mmcgrath> Someone at pycon was doing something similar with asterisk.
20:26 < mmcgrath> though our asterisk setup can't dial out.
20:26 < mmcgrath> anywho, that's something that needs to get done but is a bit off topic.
20:27 < mmcgrath> So we want to be in a situation where we require yubikeys for some subset of people.
20:27 < mmcgrath> What would our multiauth look like?
20:27 * nirik notes if you have a question and answer thing you should let the user fill in both.
20:27 < mmcgrath> would we use password + otp?
20:27 < mmcgrath> nirik: <nod>
20:28 < ricky> Is there any option other than password + otp? That's the two factor part, right?
20:28 < nirik> canned security questions are really nasty... especially since they are often something someone can find out easily.
20:28 < mmcgrath> what would our other auth method be besides the otp I guess is my question.
20:28 < mmcgrath> ricky: I thought ssh key + otp might be good.
20:28 < mdomsch> mmcgrath, for what resources are we concerned
20:28 < mdomsch> ?
20:28 < mmcgrath> mdomsch: thats a good question as well.
20:28 < mmcgrath> obviously we wouldn't want to require otp for the otp server..
20:28 < mdomsch> for connecting using ssh, ssh key + otp would reduce liklihood of stolen ssh keys being used to ssh in
20:28 < mmcgrath> Unless there's some sort of failover state.
20:29 < ricky> We can't do SSH key + OTP for sudo though
20:29 < mdomsch> ricky, right
20:29 < mmcgrath> ricky: correct, but would two factor in, and otp sudo work?
20:29 < mmcgrath> I think that seems reasonable.
20:29 < mmcgrath> although the stolen laptop bag becomes a problem.
20:29 < mmcgrath> since we still have to trust users to encrypt their ssh keys
20:29 < mdomsch> 2-factor tends to be "something I have, and something I know"
20:30 < mmcgrath> <nod>
20:30 < mdomsch> yubikey and/or ssh keys are "something I have"
20:30 < mmcgrath> and ssh key isn't really something you know.
20:30 < ricky> SSH keys seem too close to "two things I have"
20:30 -!- CheekyBoinc [n=cheekybo at fedora/CheekyBoinc] has joined #fedora-meeting
20:30 < mmcgrath> So we'd do fas password and otp?
20:30 < mdomsch> seemingly
20:30 < ricky> As much as I hate typing my password, that probably seems like the best way.
20:31 < mdomsch> so again, what are we trying to protect?
20:31 < mmcgrath> mdomsch for me it's stolen credentials.
20:31 < mdomsch> sudo by someone in sysadmin-main
20:31 < ricky> What I got was "protecting against stealing passwords"
20:31 < CheekyBoinc> I've a problem with checking out a package. I had to renew my ssh key and client cert because of hdd failure. The error is:
20:31 < ricky> sudo or any access to sensitive machines.
20:31 < mmcgrath> CheekyBoinc: please /join #fedora
20:31 < mmcgrath> CheekyBoinc: we're having an infrastructure meeting.
20:31 < CheekyBoinc> k :P
20:32 < ricky> Or you might ask in #fedora-admin if it's about the account sysytem
20:32 < ricky> **system
20:32 < mmcgrath> CheekyBoinc: yeah sorry you want #fedora-admin
20:32 < CheekyBoinc> okay thank you :)
20:32 < CheekyBoinc> #fedora-admin
20:32 < ricky> /j #fedora-admin
20:32 < CheekyBoinc> woops ^^
20:32 -!- CheekyBoinc [n=cheekybo at fedora/CheekyBoinc] has left #fedora-meeting ["Verlassend"]
20:32 < mmcgrath> So would we blanket protect all servers (minus otp server)?
20:32 < mmcgrath> or pick specific ones?
20:33 < mmcgrath> for example...
20:33 < mmcgrath> trying to update and build a new package and re-typing your password and press the yubikey becomes quite painful
20:33 < mmcgrath> you'd have to do it many times
20:34 < mmcgrath> but if we're just looking to protect sudo access it becomes easier.
20:34 < ixs> mmcgrath: what about the low-tech approach of trusting your admins to encrypt your keys?
20:35 < mmcgrath> ixs: we have a policy of that now, and had assumed people were doing it but I'm not comfortable with that approach any more.
20:35 < smooge> most places I have dealt with two factor have not allowed ssh keys because of the 'something we have' problem
20:35 < ricky> We already do that, but I now we're also considering the situation where somebody can log keystrokes.
20:35 < mmcgrath> ixs: especially since if comsone could get their password, they'd be able to update the ssh key in fas.
20:35 < mmcgrath> smooge: but what about ssh key to get in and do 'normal user stuff'
20:35 < ixs> mmcgrath: when I was with RH we considered smartcard auth for a possible openvpn setup (instead of the cisco one).
20:35 < mmcgrath> but require the key to do sudo level stuff?
20:35 < ixs> mmcgrath: that would work, as it's a rather controlled usergroup and you can force your users to do that.
20:36 < ixs> mmcgrath: sox compliance would be one possible excuse.
20:36 < smooge> mmcgrath, not really but the places with two-factor auth all are places that don't want to be in the news (again)
20:36 < ixs> mmcgrath: for fedora contributors? never gonna work. for fedora admins? doubtful.
20:36 < mmcgrath> hmm
20:36 < smooge> in this case we are looking at doing two factor auth for people who we are giving higher levels of trust versus bottom level of trust.
20:36 < ricky> I think we've already ruled out requiring anything of all contributors.
20:36 < mmcgrath> ixs: sorry I missed something, you can "force your users" to do what?
20:37 < smooge> in that case you usually need to work out a way for that person to become someone else somehow.
20:37 < ricky> Does not requiring two factor auth on certain services undermine the "something you know" part required for auth to the other services?
20:37 < ixs> mmcgrath: Red Hat IT could force all Red Hat employees to use a smartcard based system for authentication. You probably can't do that with fedora contributors...
20:38 < ixs> mmcgrath: I couldn't think of a better way of decimating the number of contributors... :)
20:38 < ricky> ixs: See above, we already established that we're not forcing contributors to do this :-)
20:38 < mmcgrath> ixs: yeah we're not talking about the scope of fedora contributors.
20:38 < mmcgrath> just our admins.
20:38 < mdomsch> and just for sudo
20:38 < mdomsch> and package signing
20:39 -!- themayor [n=jack at 66.187.234.199] has quit
20:39 < mmcgrath> mdomsch: although I could think of other servers that could use it
20:39 < ricky> I'm not crazy about the idea of protecting sudo more than access to sensitive machines.
20:39 < mmcgrath> yeah like the signing
20:39 < mmcgrath> or backup1
20:39 < mmcgrath> ricky: look at the cvs1 use case
20:39 < mdomsch> hmm
20:39 < smooge> how hard would it be to look at multiple 'roles' for people.
20:39 < smooge> s/roles/roles-n-accounts/
20:40 < mmcgrath> smooge: not following, give me a use case
20:40 < mdomsch> so ssh into sensitive machines could require ssh key and yubikey?
20:40 < smooge> I mean the other way I saw it done was I login in as smooge
20:40 < ixs> mmcgrath: but it applies to admins as well, to a certain degree. Two factor auth is hard, says security-barbie, let's go shopping. And unfortunately, it's often doubtful if the hassle of introducing it is worth it...
20:40 < ricky> ixs: If we enforce it, there's no getting around it though
20:40 < smooge> I want to become root/sign/etc I need to login to an account that is not allowed to ssh in as. sudo/su sjsmooge
20:40 < mmcgrath> mdomsch: maybe, I'm not sure if that's technically possible. ssh key auth is done by sshd, I'm not sure if you can mix it with pam. IE: I think that's a "if either succeeds" not "if both succeed"
20:41 < mmcgrath> ixs: I'm pretty sure it'll be wirth it in this case.
20:41 * ricky is reminded of kerberos principals :-)
20:41 < smooge> From that account I can sudo/sign/etc but I can't from the original account
20:41 < mmcgrath> err worth
20:41 < ixs> ricky: I'm not talking about circumventing it... But on the other hand, consider a local root exploit. You will be getting owned, even with a locked down sudo.
20:42 < mdomsch> mmcgrath, sshd uses pam by default
20:42 < mmcgrath> ixs: you have to remember that has never happened to us, stolen credentials has and I'd at least like to be able to say "the way we got owned in the past can't happen now"
20:42 < ricky> ixs: That's why I said I wasn't comfortable with just protecting sudo and ignoring access to sensitive machines
20:42 < mmcgrath> mdomsch: but I think pam gets bypassed with ssh key auth.
20:42 < mmcgrath> smooge: that's not too hard, I believe we do that in some scenarios now
20:43 < mdomsch> smooge, MIT had that concept too. user 'mdomsch' and user 'mdomsch.root'
20:43 < ixs> ricky: krb is great in theory. In the real world it's often useless as people are not passing tickets but ask for the password and verify that. The implementation is made out of fail...
20:43 < smooge> mmcgrath, it does. there is a reason why the 2 way kerberos patches have to circumvent the ssh-key stuff
20:43 < skvidal> mmcgrath: pam is still involved with ssh_key_auth
20:43 < mmcgrath> ixs: you're a negative nancy :-P
20:43 < skvidal> mmcgrath: you can deny access to a user even though they have a valid ssh key
20:43 < skvidal> mmcgrath: pam_access, for example
20:43 < mmcgrath> skvidal: but could you force ssh to require an ssh key and a valid password?
20:43 < ixs> mmcgrath: Sure, I have been around a bit doing security consluting... :)
20:44 < ixs> mmcgrath: the real world out there sucks. hamsters through straws.
20:44 -!- jnettlet [n=jnettlet at c-76-24-25-45.hsd1.ma.comcast.net] has joined #fedora-meeting
20:44 < smooge> ixs, we can always go with the RMS method. Put the root password in /etc/motd because well someones going to find a local root exploit someday anyway
20:44 < skvidal> mmcgrath: I don't know for sure - I think I'd need to spend some time with opensshd to figure that out
20:45 < ixs> smooge: that would be one possibility. After all, local security is said to be non existing under unix... :)
20:45 < ixs> smooge: but I was actually thinking a bit more realisitic then RMS.
20:45 < ricky> So the main question that we have now is where we enforce it and where we don't.
20:45 < mdomsch> smooge, that's the theory I use for my FON wireless AP at home. guest/guest is perfectly fine by me for those users that find it...
20:45 < mdomsch> and the web page says so
20:45 < ricky> Have we decided that we want to enforce it on shell access and sudo to sensitive machines?
20:45 < smooge> ricky, I would say that is what we should aim for
20:46 < smooge> eh.. backup... we want to enforce it for sudo normally and shellaccess to sensitive machines
20:46 < ricky> OK, so what remains is pretty much cvs, hosted, and fedorapeople, right?
20:46 < ricky> smooge: Good catch
20:46 < ricky> Those are the ones that are likely to get annoying with a token.
20:47 < mmcgrath> ricky: OH! I just thought of something.....
20:47 < ixs> mmcgrath: granted, being able to say that stolen credentials will not happen again is worth a lot. Two factor auth could offer that guarantee. Requiring the admins to use passwords on their keys does the same with less hassle. Drawback: you cannot enforce it. However: With smartcards you cannot really enforce it either... I've seen people removing the password from smartcards, leave them in the reader or even better, write nice ...
20:47 < mmcgrath> ricky: mdomsch: does the "can't use ssh_key" scenario become easier if we use controlmaster auto ?
20:47 < ixs> ... wrappers entering the password as the pin cannot always be disabled...
20:47 -!- warren [n=warren at redhat/wombat/warren] has quit "Leaving"
20:48 < ixs> mmcgrath: users usually find a way of circumventing security measures... be it post-its under the keyboard or smartcard systems...
20:48 < mmcgrath> it does.
20:48 < ricky> mmcgrath: that's a good point :-)
20:48 < mmcgrath> mdomsch: what do you think fo that?
20:48 < mdomsch> reading...
20:48 < smooge> ixs, that in the end is a personell matter.. no amount of technical fixes can fix humanity.
20:48 < ricky> That reduces it to one annoying auth per bunch of commits, etc.
20:49 < smooge> however we can reduce risk
20:49 < mmcgrath> smooge: but I'm trying to fix that :) <lets out evil laugh>
20:49 < ixs> smooge: that's actually my point all along.
20:49 < mmcgrath> ricky: yeah
20:49 * mdomsch doesn't use controlmaster normally
20:49 < ricky> Short of giving your password *and* token away, it's kind of hard to circumvent this without being being purposely evil :-)
20:49 < mdomsch> so I don't know the implications thereof
20:49 < smooge> ixs, your way of saying it comes across as we shouldn't bother mitigating risk
20:49 < mmcgrath> mdomsch: yeah, AFAIK it's as secure as using ssh agent
20:49 < mdomsch> yes
20:50 < mmcgrath> but becomes a problem if you drop your primary connection.
20:50 < mmcgrath> but that's an implementation detail, we can look at things as we're testing.
20:50 < mdomsch> one more thought -
20:50 < mdomsch> puppet git commits
20:50 < mdomsch> don't require sudo
20:50 < mmcgrath> mdomsch: technically they do
20:50 < mdomsch> mmcgrath, ?
20:51 < mmcgrath> if you sudo -l on puppet1 you'll see -
20:51 < ricky> Everybody has sudo for the command that syncs the repo to /var/lib/puppet
20:51 < mmcgrath> /usr/local/bin/syncPuppetMaster.sh
20:51 < mmcgrath> so the commit generates an email, and as part of that sudo syncs puppet.
20:51 < ricky> I don't think we have much to gain from requiring passwords there.
20:51 < mmcgrath> AFAIK there's no way to make a puppet update without generating an email first.
20:51 < mmcgrath> and while that's not preventative, it is an audit trail.
20:51 < ricky> Not unless we require tokens of *all* people with access to puppet.
20:51 < ixs> smooge: not exactly. Asking for password protected ssh keys is a very good idea. This is not very invasive. ssh-agent makes it easy. Requiring passwords "constantly", be it short expire times or anything else, will push some people to circumvent it. And in that case you have actually less security then before. On paper it's looking very fine, but the reality is different.
20:52 * ricky has been wondering if there's a way to delay or get around puppet mail.
20:52 < mmcgrath> ricky: depends on how much usability we're willing to give up
20:52 < mmcgrath> oh you mean just in normal usage.
20:52 < ricky> For example, DoS bastion and make a puppet commit to turn the mail server off
20:52 -!- yn1v [n=neville at static35-77.MAN-PI.cablenet.com.ni] has quit "Leaving"
20:52 < mmcgrath> ricky: yeah that'd work, it's an attack vector.
20:52 < ricky> But that's a whole other thing
20:52 -!- JukeBoxHero [n=gorillaJ at fedora/hitboxx] has quit Remote closed the connection
20:52 < mmcgrath> but still, we have to trust our admins at some point.
20:53 < mmcgrath> but I see mdomsches point about requiring sudo on puppet.
20:53 < mmcgrath> sudo would be that last "prove you are who you say you are"
20:53 < mmcgrath> I think it's worth thinking about.
20:53 < smooge> mmcgrath, trust but verify is my motto :)
20:53 < mmcgrath> especially since it's as easy as removing the "NOPASSWD" line from sudo to use if we implement a hardware key.
20:53 < ricky> An attacker would be perfectly happy with abusing trust
20:54 < skvidal> smooge: thank you mr. president
20:54 < skvidal> ricky: smooge was making a joke from the gipper
20:54 < ricky> That does make sense (puppet sudo) to require auth from everybody.
20:55 < mmcgrath> Ok, so we're almost out of time and I'm sure we'll be discussing this many more times before we do anything about it so I'm going to open the floor.
20:55 < ricky> Ah, hehe.
20:55 < mdomsch> mmcgrath, could be as easy as requiring ssh+git to commit to the trees
20:55 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Open Floor
20:55 < mdomsch> possibly
20:55 < mmcgrath> mdomsch: thats true
20:55 < ricky> Or just passwords on the sudo
20:55 < mmcgrath> Anyone have anything to discuss? (We can keep discussing this :)
20:55 < mdomsch> ricky, yeah, that's probably easier
20:56 -!- Sonar_Guy [n=Who at fedora/sonarguy] has joined #fedora-meeting
20:56 * ricky wouldn't mind a summary of what we've determined so far.
20:56 < ricky> It's easy to get lost in all of the side conversations
20:56 < smooge> ixs, I have found that the people who wish to circumvent passwords are the sort to not want them for their ssh-agent either. at which point we are back to zero. There will always be people who do not like the fact the world doesn't really revolve around them (it revolves around skvidal)
20:56 < mmcgrath> ricky: I can write one up after the meeting.
20:56 < skvidal> smooge: and you wouldn't believe how dizzy that makes me
20:56 < ricky> Sounds good
20:58 < mmcgrath> anyone have anything else to discuss? We've got 2 minutes.
20:58 -!- Bob-Laptop [n=EvilBob at fedora/bobjensen] has joined #Fedora-Meeting
20:59 < mmcgrath> hehe boy I know how to quiet a room :)
20:59 * ricky makes a plug for people to test the anti-ctrl-c stuff
20:59 < mmcgrath> ricky: yeah send a follow up to the list about that.
21:00 < mmcgrath> ricky: I'll make sure to test it a couple of times by tomorrow.
21:00 < ricky> (https://www.redhat.com/archives/fedora-infrastructure-list/2009-April/msg00084.html)
21:00 < ricky> Will do, thanks
21:00 < ricky> If anybody has suggestions on how to make it easier for people to test, I'm all eas
21:00 < ricky> **ears
21:00 < mmcgrath> So everyone think on this auth stuff some this afternoon. The future is wide open there and no decisions have actually been made yet.
21:00 < ricky> We can make it open to all packagers, for example.
21:01 < mmcgrath> ricky: lets talk after the meeting.
21:01 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Meeting End
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-infrastructure-list/attachments/20090430/68760277/attachment.sig>
More information about the Fedora-infrastructure-list
mailing list