communication #151495

closed

Jump host SSH only authentication

Added by firstyear 6 months ago. Updated 20 days ago.

Status: Resolved
Priority: High
Assignee:
Category: Core services and virtual infrastructure
Target version: -
Start date: 2023-11-27
Due date:
% Done: 0%
Estimated time:

Description

The current jump hosts allow both password and SSH key auth. Password authentication is insecure, and given its usage in our VPN config exposes us to possible "full breach" scenarios.

Jump hosts should require SSH key authentication exclusively to mitigate this risk.

In future all hosts should require SSH key authentication only - passwords should be limited to sudo-access only.

Actions #1

Updated by crameleon 6 months ago

  • Category set to Core services and virtual infrastructure
  • Private changed from Yes to No

I agree we should stop allowing passphrase-based SSH authentication.

Actions #2

Updated by crameleon 20 days ago

  • Status changed from New to Resolved
  • Assignee set to crameleon

Already deployed:

$ ssh -o PreferredAuthentications=password thor1.infra.opensuse.org
crameleon@thor1.infra.opensuse.org: Permission denied (publickey,keyboard-interactive).

... for all machines, not only jump hosts.

Cheerio,
Georg
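
The check shown in the comment above can be applied to many hosts by classifying the "Permission denied (...)" line the ssh client prints. The script below is an added example, not part of the ticket or of openSUSE's tooling; the function names, verdict labels and example.org hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the auth methods a server advertises, based on the
# "Permission denied (...)" line printed by the ssh client.

# Print the comma-separated method list; return 1 if the line has none.
offered_methods() {
    printf '%s\n' "$1" |
        sed -n 's/.*Permission denied (\([^)]*\))\.\{0,1\}$/\1/p' | grep .
}

# Verdicts (labels are this example's own):
#   password-offered  "password" is advertised
#   review-kbdint     no "password", but keyboard-interactive is advertised;
#                     what it prompts for depends on the server's PAM setup
#   key-only          neither of the two is advertised
#   unknown           the line carries no method list (e.g. connection error)
classify_host() {
    methods=$(offered_methods "$1") || { echo unknown; return 0; }
    case ",$methods," in
        *,password,*)             echo password-offered ;;
        *,keyboard-interactive,*) echo review-kbdint ;;
        *)                        echo key-only ;;
    esac
}

# Read client error lines on stdin, print "<host> <verdict>" per line.
audit_lines() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        target=${line%%: Permission denied*}   # "user@host" part of the line
        printf '%s %s\n' "${target#*@}" "$(classify_host "$line")"
    done
}

# Constructed sample input; only the thor1 line is taken from the ticket.
sample_lines() {
    cat <<'EOF'
crameleon@thor1.infra.opensuse.org: Permission denied (publickey,keyboard-interactive).
admin@jump1.example.org: Permission denied (publickey,password).
admin@jump2.example.org: Permission denied (publickey).
ssh: connect to host jump3.example.org port 22: Connection refused
EOF
}

sample_lines | audit_lines
```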
