On Mon, Jan 05, 2004 at 08:00:46PM +0100, Nicolas Bertolissio wrote:
> Following the compromise, I sent my ssh key to the address that had been
> given so that I could log in with that method, and so I have no
> password on these machines.
> When I try to log in, on gluck there is no problem, it does ask me
> for the passphrase for my rsa key, but I tried on other
> machines (auric and klecker) and there it asks me for a password on the
> machine, and of course I don't have one since I didn't ask for a
> new one.

Auric and klecker were closed after the compromise, for security reasons (they are ftp-master.debian.org and security.debian.org, of course).

http://lists.debian.org/debian-devel-announce/2003/debian-devel-announce-200312/msg00001.html

Where can I login?
------------------

There's been a fair bit of talk post-compromise about restricting access to machines running (core) services. At the moment, the only thing I'm (personally) doing is not enabling non-services accounts on auric (ftp-master) and klecker (security, non-US, qa, nm, www-master) immediately.

Obviously, it's useful for random developers to have access to e.g. the postgres database of the archive, so the current plan if the restricted nature of auric becomes permanent is to mirror the system daily to another box that would be unrestricted. [This would have the added bonus of giving us a hot spare for disasters/arson attacks etc.]

Basically the whole issue of what, if anything, to restrict is still up in the air. I'm looking for input/opinions/discussion on this. If you need access to the machines running the archives, please tell me (or probably better yet, start a thread on debian-devel) why.

On a similar note some of our boxes are currently overloaded and services are generally inelegantly distributed; there's certainly going to be some juggling of them coming up. It's not decided what/when/where/how yet though, more details before it happens.

-- 
Steve Langasek
postmodern programmer