[TriLUG] security vs. services @ trilug.org

Kevin - The Alchemist - Sonney alchemist at darkcanvas.com
Wed May 8 14:25:36 EDT 2002


On Wed, 2002-05-08 at 14:03, Chris Hedemark wrote:
> Agreed.  My contention though is that to date our approach to managing
> trilug.org has been security minded to the exclusion of services in some
> cases (or extremely long delays).

As I recall, when you had a full-time job, you weren't always as
responsive as I would have liked *grin*. 

> Going back to the ssh discussion for a moment... we recently had a
> problem on fatalpha that myself and a few others helped to resolve (more
> details at the meeting).  Without ssh, I would have been powerless to
> help, and we'd likely continue being a spam relay until someone could
> get to Inflow and fix the problem in person.  I also ssh in from time to
> time to upgrade software packages, such as Mailman.  Without ssh, I fear
> we'll be creating an environment that promotes the use of old insecure
> software.

Oh, ssh is on the box - it's not that ssh is left off, it's that we're
limiting ssh access to the box. Every member of trilug doesn't need an
ssh login to every box. While I agree that it's cool, it's not always
practical or secure. Admins (and should you need it, you'd get it) have
ssh to all boxes in the rack. 

Given that we have 4 boxes now, until we get a "universal login" - NIS
or Kerberos or something - managing "everyone gets ssh to everywhere"
becomes difficult to manage for the volunteer staff. If JonC, say, has
to add a user account to five boxes five times a month, that's not much.
But if 10 people need their passwords resent on those same five boxes,
it gets tricky.

There are scripts and tools to make that easier, but they also increase
the security risk. We're trying to maintain a balance between services,
security and time to manage it. 

-- 
--------------------------------------------
--      Kevin "The Alchemist" Sonney      --
--  ICQ: 4855069            AIM: ksonney  --
--------------------------------------------
320C 0336 3BC4 13EC 4AEC  6AF2 525F CED7 7BB6 12C9
"It's not stupid...it's ADVANCED"