Changes between Version 4 and Version 5 of ssh_security_policy
Timestamp: Oct 23, 2011, 5:50:44 PM (12 years ago)
ssh_security_policy
v4 v5 5 5 The following policies guide secure shell access to our servers: 6 6 7 * All root passwords have 15 character randomly generated passwords shared in encrypted form with a limited number of [wiki:support-team support team members]. May First/People Link root administrators store these passwords in encrypted files on encrypted disks.7 * All root passwords have 15 character randomly generated passwords shared in encrypted form with a limited number of [wiki:support-teamall-servers-root-access support team members]. May First/People Link root administrators store these passwords in encrypted files on encrypted disks. 8 8 9 * Key-based root ssh access is enabled on all servers. ssh will be configured to prevent password-based root access (not implemented!). Note: This feature requires running ssh from Lenny which currently (2008-03-23) is only available in Debian Testing (Lenny). Rationale: There are arguments for turning off root ssh access on servers that allow password-based authentication to avoid dictionary attacks. However, with an upgrade to a version of ssh that enables us to allow password-based authentication for members while requiring key-based only authentication for root, we can avoid this weakness. In addition, with randomly generated 30 character passwords, the chances of cracking them with a dictionary-based approach comparable if not harder than cracking an ssh public key to gain access. And, our public keys are [wiki:mfpl_admin_public_ssh_keys published].9 * Key-based root ssh access is enabled on all servers. ssh is configured to prevent password-based root access. 10 10 11 11 * All MFPL root administrators secure their private key with a password and only save them non-shared computers with encrypted disks.
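Review bot: In the first changed bullet (line 7), the new link target reads `wiki:support-teamall-servers-root-access`, which looks like the old page name `support-team` left in front of the new one; confirm the target is meant to be `all-servers-root-access` so the link resolves to the page listing who holds the root passwords. In the second changed bullet (line 9), the new wording asserts that ssh is configured to prevent password-based root access but drops the entire rationale, including why root ssh stays enabled at all. Consider keeping one sentence of rationale and naming the sshd_config setting that enforces the policy (for example `PermitRootLogin without-password`, if that is what is deployed), so the statement can be checked against a server. The unchanged line 11 is also missing a word: "only save them on non-shared computers".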