savannah-hackers-public
Re: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org


From: Sylvain Beucler
Subject: Re: [Savannah-hackers-public] Re: ssh logins to lists.gnu.org
Date: Sun, 8 Mar 2009 17:53:15 +0100
User-agent: Mutt/1.5.18 (2008-05-17)

Hi,

I suggest we avoid wasting more time on this issue.  People pointed out a
month (or two) ago several solutions that do not involve non-standard
and inconvenient setups, namely disabling password-based
authentication (which is actually already in place) and running
fail2ban.

In addition I do not think it's good to make Savannah access a
requirement for people who want to contribute to lists.gnu.org, which
is something that can happen independently, or as a first step before
getting more access.

Cheers,

-- 
Sylvain


On Sun, Mar 08, 2009 at 05:43:44PM +0100, Jim Meyering wrote:
> Ward Vandewege wrote:
> > On Thu, Mar 05, 2009 at 06:38:46AM -0600, Karl Berry wrote:
> >> I realized last night there's another significant issue with access to
> >> lists -- the mailing list feature on savannah relies on being able to
> >> get over to lists and run a command to create or delete a list.  We
> >> don't want to lose that functionality.  I do not know if
> >>
> >> Ward's original proposal was to limit incoming ssh on lists to the
> >> personal machines of savannah hackers.  Let me take that one step
> >> further: how about if it is limited only to savannah itself?
> >
> > That would work.
> >
> >> I realize that does not address every conceivable security issue, but is
> >> it acceptable?  It is surely an improvement (from your point of view)
> >> over allowing access from everywhere on the one hand, and does not
> >> require extra work and software from us on the other.  Everything's a
> >> tradeoff ...
> >
> > Absolutely. What I'm trying to achieve here is not having lists ssh
> > accessible from all over the internet. Ideally we would do that in the least
> > complicated way: static firewall rules. It's totally fine for the sysadmins
> > to have to maintain that list of static firewall rules, and add/remove/modify
> > IP addresses for people that need to be able to ssh into lists. We already do
> > that for other machines. I want to minimize the effort required from the
> > community (by not requiring extra software, etc) while improving security.
> >
> > Restricting ssh logins to savannah would be great from my perspective. And
> > I'm happy to add any other static IPs that you guys want access from.
> >
> > What do you think?
> 
> Fine by me, however, since I'm a bit paranoid, I'd much prefer
> to provide the static IP of my desktop system than to forward
> ssh-auth info through a system (even as secure as it is) like
> sv.gnu.org.  IMHO, typing a password should not be an option,
> except perhaps for an ssh daemon running on a separate port
> that is enabled only after some sort of _secure_ port knocking.
> 
> BTW, if you like the idea of port knocking, this one is particularly cool:
> 
>   http://www.cipherdyne.org/fwknop/docs/SPA.html
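The thread above turns on two concrete controls: that password-based ssh
authentication is really off on lists, and Ward's static firewall rules that
accept ssh only from savannah and a few named addresses. The following POSIX
shell script is an added example written for this archive page; it is not code
from the thread, nor the GNU sysadmins' actual configuration. It audits an
sshd_config the way a practitioner would want to before trusting "already in
place" (sshd honours the first value it sees for a keyword, and password
prompts also stay possible through keyboard-interactive/PAM unless
ChallengeResponseAuthentication, the keyword of OpenSSH of that era, is off
too), and it emits iptables rules in the static-allowlist style Ward describes.
The sample configs and the IP addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# the discussion relies on, and emit static firewall rules for ssh.
# The config text and addresses below are constructed samples, not
# lists.gnu.org's real configuration.

# sshd uses the FIRST value it sees for a keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes".
# Only the global section (before any Match block) is inspected here.
sshd_effective() {           # usage: sshd_effective <keyword> < sshd_config
    awk -v key="$1" '
        tolower($1) == "match"           { exit }             # end of global section
        /^[ \t]*#/ || NF == 0            { next }             # comment or blank line
        tolower($1) == tolower(key)      { print tolower($2); exit }
    '
}

# Password logins are only really off when both the plain password method
# and keyboard-interactive (PAM) are disabled.  Prints "ok" or the
# effective settings; returns 0 only when both are off.
sshd_password_auth_disabled() {   # usage: sshd_password_auth_disabled < sshd_config
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication)
    kbd=$(printf '%s\n' "$cfg" | sshd_effective ChallengeResponseAuthentication)
    # Both keywords default to "yes" when absent (OpenSSH 5.x defaults).
    pw=${pw:-yes}; kbd=${kbd:-yes}
    if [ "$pw" = no ] && [ "$kbd" = no ]; then
        echo ok
        return 0
    fi
    echo "PasswordAuthentication=$pw ChallengeResponseAuthentication=$kbd"
    return 1
}

# Static firewall rules in the style described in the thread: accept ssh
# only from the listed sources (e.g. savannah itself plus a few static
# desktop IPs) and drop everything else.  Prints iptables commands.
ssh_allow_rules() {    # usage: ssh_allow_rules <source-ip-or-cidr>...
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Constructed sample: looks hardened at a glance, but the first
# PasswordAuthentication value wins and keyboard-interactive is still on.
WEAK_CONFIG='Port 22
PasswordAuthentication yes
# appended later in the belief that it would take effect:
PasswordAuthentication no
Match User git
    PasswordAuthentication no'

# Constructed sample with both password paths closed and keys required.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication yes'

# Demonstration (placeholder addresses from the RFC 5737 documentation ranges).
printf '%s\n' "$WEAK_CONFIG"     | sshd_password_auth_disabled || :
printf '%s\n' "$HARDENED_CONFIG" | sshd_password_auth_disabled || :
ssh_allow_rules 192.0.2.10 203.0.113.5
```

On a live host, `sshd -T` prints the effective configuration and is the
authoritative check; the parser here only reproduces the first-value-wins rule
for the global section so the point can be seen offline. The firewall rules
are deliberately plain static iptables lines, matching the "least complicated
way" argued for in the thread, rather than a port-knocking daemon.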



