Forum OpenACS Development: public key ssh login on openacs.org

Some time ago public key ssh login on openacs.org was disabled because of temporary security reasons. Any updates on when/if it will be possible to reenable it? It's quite annoying having to type a password for every cvs action.
Collapse
Posted by Don Baccus on
As I explained when Til e-mailed privately, someone cracked a server belong to Collaboraid and was able to use public key ssh login to get to openacs.org and attempt to crack it.

We turned off public key ssh login because of this.

Allowing public key ssh login makes the openacs.org box as insecure as the least secure of all of our developer's boxes where public key ssh login.  I think it's best we leave it off  even though it's a bit inconvenient.

Keep in mind that Mike Sisk is sysadmin'ing the box on a volunteer basis.  Those of us who've sysadmin'd it in the past have agreed to let Mike to 99% of the sysadmin work because he's a professional sysadmin, it's best to have one person in charge of keeping up to date with security releases, etc etc etc.  Mike asks us for help with postgres and aolserver stuff, and myself, Jeff, Lars and a few others still maintain the CVS access control list, but the core sysadmin stuff is done by Mike.

If the box gets rooted, it will be a big inconvenience for Mike as it involves driving an hour and a half or so down to the datacenter where Furfly's boxes are hosted.

And if Mike's on a roadtrip when it is rooted, either Janine needs to take time off from MIT or openacs.org stays down until he returns or we can arrange for someone else with the needed skills to come to Waltham, Massachussets, get on the datacenter access list, and fix it.

So I think putting security first over convenience is the best thing to do.

Note that when Open Force hosted the box there was no effort  to regularly keep up with security patches - Roberto did a big upgrade to a more modern Red Hat release once but there was no regular maintenance.  We were just lucky we didn't get rooted under the circumstances.  I'm not criticizing Open Force, they hosted the box but we all agreed to play amateur sysadmin on it as volunteers.

But it's Mike's box to run so if you or others can convince Mike to turn it back on ... it's his call.

Collapse
Posted by Andrew Piskorski on
Ah, Tilmann, Don, thank you for explaining just what was really going on!

It would be awfully nice to document that somewhere, like in the CVS instructions. A link to this thread should do the trick, but I don't see how to add it.

Months ago I must have wasted at least several hours repeatedly trying to get no-password public key ssh login to work, asking people on IRC what the heck could be wrong, etc. I'm sure many others have wasted time there too...

Collapse
Posted by Don Baccus on
Since several of the people involved habituate #openacs it never dawned on me (or anyone else) that the word hadn't gotten out ... sorry about that.

We were focused on server issues, like strategizing to move openacs.org off to another server so we can rebuild openacs.org's real server with a clean and known Linux install, etc and I know the folks whose server had been cracked were also really busy undoing the harm.

Collapse
Posted by Tilmann Singer on
I think it wouldn't hurt to use the forums a little more instead of private email, as long as no one gets unfairly blamed it's better if more people know what's going on ... in this case a simple oversight as Don said though.

And many thanks to Mike and all the other volunteers for their sysadmin work of course!

Collapse
Posted by Peter Marklund on
Tilman,
to avoid entering password for cvs actions that don't modify the repository (cvs status, cvs log, cvs diff, cvs annotate etc.) you could use an alias such as

alias cvsanon="cvs -d :pserver:mailto:anonymous@openacs.org:/cvsroot"

Collapse
Posted by Andrew Piskorski on
Hey, good idea Peter, wish I'd though of that!