Changes between Version 4 and Version 5 of ssh_security_policy

Timestamp:
Oct 23, 2011, 1:50:44 PM (9 years ago)
Author:
Jamie McClelland
Comment:

--

  • ssh_security_policy

    v4 v5  
    55The following policies guide secure shell access to our servers:
    66
    7  * All root passwords have 15 character randomly generated passwords shared in encrypted form with a limited number of [wiki:support-team support team members]. May First/People Link root administrators store these passwords in encrypted files on encrypted disks.
     7 * All root passwords have 15 character randomly generated passwords shared in encrypted form with a limited number of [wiki:support-teamall-servers-root-access support team members]. May First/People Link root administrators store these passwords in encrypted files on encrypted disks.
    88
    9  * Key-based root ssh access is enabled on all servers. ssh will be configured to prevent password-based root access (not implemented!). Note: This feature requires running ssh from Lenny which currently (2008-03-23) is only available in Debian Testing (Lenny). Rationale: There are arguments for turning off root ssh access on servers that allow password-based authentication to avoid dictionary attacks. However, with an upgrade to a version of ssh that enables us to allow password-based authentication for members while requiring key-based only authentication for root, we can avoid this weakness. In addition, with randomly generated 30 character passwords, the chances of cracking them with a dictionary-based approach comparable if not harder than cracking an ssh public key to gain access. And, our public keys are [wiki:mfpl_admin_public_ssh_keys published].
     9 * Key-based root ssh access is enabled on all servers. ssh is configured to prevent password-based root access.
    1010
    1111 * All MFPL root administrators secure their private key with a password and only save them non-shared computers with encrypted disks.
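Review bot: the new line 9 replaces "(not implemented!)" with a flat statement that ssh is configured to prevent password-based root access, but it drops the rationale and the Lenny dependency without saying how the requirement is enforced; consider naming the sshd_config setting the policy expects (in OpenSSH this is `PermitRootLogin without-password`, which permits key-based root login while refusing password authentication for root) so a server can be checked against the policy rather than taken on trust. The new line 7 link target `wiki:support-teamall-servers-root-access` also looks like two page names run together (the old target was `wiki:support-team`); confirm that page exists or restore the missing separator. Unchanged line 11 is missing a word ("only save them on non-shared computers") and could be fixed in the same edit.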