Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Paul Wouters (paulxelerance.com)
Date: Mon Jun 09 2008 - 15:27:14 CDT
Does anyone have a definitive answer on whether ssh public key encryption,
without hardware tokens, is allowed according to PCI-DSS?
pci_audit_procedures_v1-1.pdf section 8 seems to suggest passwords for
everyone or two factor auth, and sudo passwords for everyone for audit
Of course, this makes changing 100 servers' configuration requiring root
access either the worst job in the universe, or will see some awful
"expect" wrappers to stop sysadmins from leaving their job to serve coffee
at Star Bucks.
Personally, I would trust ssh keys over admins (inclusding myself) not
screwing up their password wrappers.
It seems the answer might be depending on your auditor.....
ps. I know using ssh with passwords and wrappers on top of sudo wrappers
sucks and is actually less secure (go find that password in the bash_history
file). It is not myself I'm trying to convince here.....
Dailydave mailing list