Gentoo Archives: gentoo-dev

From: "Hallgrimur H. Gunnarsson" <hhg@g.o>
To: Lisa Seelye <lisa@g.o>
Cc: Ian Leitch <port001@g.o>, Alex Veber <coronalvr@g.o>, Gentoo Dev <gentoo-dev@g.o>
Subject: Re: [gentoo-dev] disabling password authentication on dev.gentoo.org
Date: Tue, 02 Dec 2003 17:52:20
Message-Id: 20031202174658.GA3209@data.is
In Reply to: Re: [gentoo-dev] disabling password authentication on dev.gentoo.org by Lisa Seelye
On 02.12.2003 Lisa Seelye <lisa@g.o> wrote:
> On Tue, 2003-12-02 at 09:45, Ian Leitch wrote:
> > On Tue, 2003-12-02 at 16:14, Alex Veber wrote:
> >
> > > I am not sure it's a good idea, I work on Gentoo from home and from school
> > > uploading and downloading files all the time, the computers at school are
> > > public and I can't put my key in there (If I forget to logout or something).
> >
> > You could ssh to home, then ssh to dev... if it's not too much trouble.
>
> That's what I do. And I've gotten so good at typing my "strong"
> password I can do it even with people watching and they won't get it. ;)

What about those who're watching you from inside the computer? Their
eyes are keen and their memory is long-lasting. Disabling password
authentication is a security measure, but it is no panacea. By forcing
developers to use keys you eliminate the problem of using passwords
in general, such as weak passwords or the use of the same password for
multiple places.

But some people complain, they say that a key is more inconvenient
than a password, for example, the key isn't as portable as a password,
you can't use it anywhere. My reply is, you shouldn't be using it
anywhere. You should never access a valuable resource from a computer
that you don't trust.

To force the use of keys exposes those who go around giving their
password to any computer they see. If you don't trust a computer well
enough to keep your key permanently on it, you shouldn't access gentoo
from that computer.

But it is true, sometimes security brings inconvenience. But I think
the idea of "ssh to home and then to gentoo" as a remedy for accessing
gentoo from an untrusted place is really bad. You've just given the
attacker your home computer in addition to gentoo.

-- hhg

--
gentoo-dev@g.o mailing list
