Forum OpenACS Development: Re: public key ssh login on openacs.org

Collapse
Posted by Don Baccus on
As I explained when Til e-mailed privately, someone cracked a server belong to Collaboraid and was able to use public key ssh login to get to openacs.org and attempt to crack it.

We turned off public key ssh login because of this.

Allowing public key ssh login makes the openacs.org box as insecure as the least secure of all of our developer's boxes where public key ssh login.  I think it's best we leave it off  even though it's a bit inconvenient.

Keep in mind that Mike Sisk is sysadmin'ing the box on a volunteer basis.  Those of us who've sysadmin'd it in the past have agreed to let Mike to 99% of the sysadmin work because he's a professional sysadmin, it's best to have one person in charge of keeping up to date with security releases, etc etc etc.  Mike asks us for help with postgres and aolserver stuff, and myself, Jeff, Lars and a few others still maintain the CVS access control list, but the core sysadmin stuff is done by Mike.

If the box gets rooted, it will be a big inconvenience for Mike as it involves driving an hour and a half or so down to the datacenter where Furfly's boxes are hosted.

And if Mike's on a roadtrip when it is rooted, either Janine needs to take time off from MIT or openacs.org stays down until he returns or we can arrange for someone else with the needed skills to come to Waltham, Massachussets, get on the datacenter access list, and fix it.

So I think putting security first over convenience is the best thing to do.

Note that when Open Force hosted the box there was no effort  to regularly keep up with security patches - Roberto did a big upgrade to a more modern Red Hat release once but there was no regular maintenance.  We were just lucky we didn't get rooted under the circumstances.  I'm not criticizing Open Force, they hosted the box but we all agreed to play amateur sysadmin on it as volunteers.

But it's Mike's box to run so if you or others can convince Mike to turn it back on ... it's his call.