|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Paul Wouters (paul
xelerance.com)
Date: Mon Jun 09 2008 - 15:27:14 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi people,
Does anyone have a definitive answer on whether ssh public key encryption,
without hardware tokens, is allowed according to PCI-DSS?
pci_audit_procedures_v1-1.pdf section 8 seems to suggest passwords for
everyone or two factor auth, and sudo passwords for everyone for audit
trail.
Of course, this makes changing 100 servers' configuration requiring root
access either the worst job in the universe, or will see some awful
"expect" wrappers to stop sysadmins from leaving their job to serve coffee
at Star Bucks.
Personally, I would trust ssh keys over admins (inclusding myself) not
screwing up their password wrappers.
It seems the answer might be depending on your auditor.....
Paul
ps. I know using ssh with passwords and wrappers on top of sudo wrappers
sucks and is actually less secure (go find that password in the bash_history
file). It is not myself I'm trying to convince here.....
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]