From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: scripted iptables-restore
Date: Fri, 18 Oct 2013 06:44:52 +0200
Message-ID: <5260BCC4.9010109@gmail.com>
In-Reply-To: <20131018023014.GA29789@waltdnes.org>
On 18/10/2013 04:30, Walter Dnes wrote:
> On Thu, Oct 17, 2013 at 08:59:15AM +0200, Alan McKinnon wrote
>
>> Accessing the actual backend network is a two stage process: ssh key to
>> the jump host, then password to get onto the actual destination.
>>
>> So it's "two factor" as a generic English language phrase, not "two
>> factor" as a technical description of an exact thing. Keep in mind that
>> English is a highly overloaded language :-)
>
> I apologize. That is arguably a two factor system. When you said
> "ssh key and password", I "jumped to delusions", assuming that it was a
> standard ssh connection with the option of either key or password. Does
> the jump host restrict you to logging on to the account corresponding to
the key? I.e. if John Smith got to the jump host with his key, could
he log in to the Jane Doe account, or only John Smith?
I built it myself, so I done did it rite :-)
It's very much one key to one user and the only jump host the general
user (i.e. customer support) can use is the main advertised one.
Infrastructure people and my friends in NetOps have other ways of
getting into the network but those are very restricted access.
When building this, we found something interesting - dudes were sharing
keys. The mind boggles as to why anyone thought this a good idea but
that's what they were doing. I suspect some people found ssh-keygen
and/or PuTTY too difficult to wrap their wits around.
But the fix was simple - with 700+ users and 250+ hosts to manage, we do
user deployment centrally with no way to bypass it. The database field
containing the public key string was given a unique index. No more
duplicate keys :-)
--
Alan McKinnon
alan.mckinnon@gmail.com
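The central key deployment described above, as an added example that is not code from the thread or from Alan's system: a Python sqlite3 sketch in which the column holding the public key carries a unique index, so a key that is already registered to one user is rejected by the database when a second user tries to register it. The table and column names, the user names and the key blobs are all constructed; the dummy ssh-ed25519 blobs are 32 repeated bytes, not real keys. It goes one step beyond what the post states: the key line is canonicalised (trailing comment dropped, base64 re-encoded, embedded type string checked against the prefix) before it is stored, because a unique index on the raw authorized_keys line would let the same key through with a different comment or padding.

```python
"""Central SSH key registry that refuses shared keys via a unique index.

Added illustration for the gentoo-user thread, not code from the thread
or from the system it describes. Table names, user names and key blobs
are constructed for the example.
"""
import base64
import binascii
import sqlite3
import struct

SCHEMA = """
CREATE TABLE ssh_keys (
    username TEXT NOT NULL,
    key_type TEXT NOT NULL,
    key_blob TEXT NOT NULL
);
-- The fix from the thread: the public key column gets a unique index, so a
-- second user registering the same key is rejected by the database itself.
CREATE UNIQUE INDEX ssh_keys_blob_uniq ON ssh_keys (key_type, key_blob);
"""


class SharedKeyError(ValueError):
    """Raised when a key is already registered to a different user."""


def canonical_key(line):
    """Return (key_type, base64_blob) for an OpenSSH public key line.

    The comment is dropped, the base64 is decoded and re-encoded, and the
    type string embedded in the blob must match the textual prefix, so
    'same key, different comment' cannot slip past the unique index.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"bad base64: {exc}") from None
    # Wire format: uint32 length, the type string, then the key material.
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("type prefix does not match blob")
    return key_type, base64.b64encode(blob).decode()


def register_key(conn, username, line):
    """Store a key for username; fail if another user already owns it."""
    key_type, blob = canonical_key(line)
    try:
        conn.execute(
            "INSERT INTO ssh_keys (username, key_type, key_blob) VALUES (?, ?, ?)",
            (username, key_type, blob),
        )
    except sqlite3.IntegrityError:
        (owner,) = conn.execute(
            "SELECT username FROM ssh_keys WHERE key_type = ? AND key_blob = ?",
            (key_type, blob),
        ).fetchone()
        raise SharedKeyError(f"key already registered to {owner}") from None
    conn.commit()


def authorized_keys_for(conn, username):
    """Render the authorized_keys lines deployed for one user."""
    rows = conn.execute(
        "SELECT key_type, key_blob FROM ssh_keys WHERE username = ? ORDER BY key_blob",
        (username,),
    )
    return [f"{key_type} {blob} {username}" for key_type, blob in rows]


def fake_ed25519_key(seed, comment=""):
    """Constructed ssh-ed25519 line with a dummy 32-byte payload (not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def demo():
    """Two users, then a shared key attempt that the unique index rejects."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    register_key(conn, "jsmith", fake_ed25519_key(1, "john@laptop"))
    register_key(conn, "jdoe", fake_ed25519_key(2, "jane@desktop"))
    try:
        # jdoe tries to register John's key under her own comment string.
        register_key(conn, "jdoe", fake_ed25519_key(1, "jane@desktop"))
        rejected = False
    except SharedKeyError:
        rejected = True
    return {
        "rejected": rejected,
        "jsmith_keys": authorized_keys_for(conn, "jsmith"),
        "jdoe_keys": authorized_keys_for(conn, "jdoe"),
    }


if __name__ == "__main__":
    print(demo())
```

The unique index covers (key_type, key_blob) rather than the whole line, which is what makes the canonicalisation matter: anything a user can vary without changing the key (comment, padding, whitespace) must be stripped before the row is written, or the index is enforcing uniqueness of the wrong thing.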