On Sat, Sep 30, 2017 at 9:28 AM, Roy Smith <roy@panix.com> wrote:
> What's the current best practice for auth on ToolForge?
>
> I have a passphrase on my public ssh key. I'll be accessing toolforge from my MacBook
> which is protected with Apple's Touch ID fingerprint scanner. I'll be nailing up a tmux
> session.
>
> So, most of the time, there will be an active ssh session into wmflabs protected only by
> my fingerprint touch. If the ssh session goes down (i.e. reboot or network change), it'll
> be a touch plus my ssh passphrase.
>
> Is this considered an appropriate level of protection for this environment?
Having a strong passphrase on your private ssh key is recommended.
Using an ssh-agent to hold your ssh key when decrypted is reasonable.
Keeping an ssh session open via screen or tmux is acceptable. I would
expect these three things to be in common use by a number of Toolforge
/ Cloud VPS users and administrators.
The only thing that is semi-unique about the setup you describe is the
use of biometric auth for unlocking your laptop. I don't see that that
makes your key handling practices inherently weaker (or stronger) than
having a passphrase for unlocking.
Bryan
--
Bryan Davis              Wikimedia Foundation    <bd808@wikimedia.org>
[[m:User:BDavis_(WMF)]]  Manager, Cloud Services Boise, ID USA
irc: bd808               v:415.839.6885 x6855
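As an added example that is not part of the thread above (neither Roy's nor Bryan's, and not Toolforge documentation), here is the key-handling setup Bryan describes, done end to end in POSIX shell: a private key that is encrypted on disk with a passphrase, a check that it really is unusable without that passphrase, and an ssh-agent that holds the decrypted key only for a bounded lifetime, so a laptop that is unlocked with a fingerprint does not hand out the key indefinitely. The file names, the placeholder passphrase, the 8-hour lifetime and the askpass helper are assumptions for illustration; the passphrase is fed in through `SSH_ASKPASS` only so the script runs without a terminal, which needs OpenSSH 8.4 or newer for `SSH_ASKPASS_REQUIRE=force`.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Demonstrates:
#   1. a passphrase-protected ed25519 key (encrypted private half on disk),
#   2. verifying the key cannot be loaded without the passphrase,
#   3. an ssh-agent whose keys expire after a bounded lifetime,
#   4. loading the key into that agent and confirming it is present.
# Paths, passphrase and lifetime below are assumptions for illustration.
set -eu

WORK="$(mktemp -d)"                       # scratch dir, removed on exit
KEY="$WORK/id_ed25519_toolforge"          # assumed key file name
PASS='correct horse battery staple'       # placeholder; use a long random one
export PASS                               # read by the askpass helper below
AGENT_LIFETIME=8h                         # assumed: keys expire after 8 hours

# Kill the agent and remove the scratch dir when the script (or test) ends.
cleanup() {
    ssh-agent -k >/dev/null 2>&1 || true
    rm -rf "$WORK"
}
trap cleanup EXIT

# 1. Generate a key whose private half is encrypted with the passphrase.
#    -a 64 raises the KDF rounds, slowing offline guessing of the passphrase.
make_key() {
    ssh-keygen -q -t ed25519 -a 64 -N "$PASS" -C "toolforge example" -f "$KEY"
}

# 2. Returns 0 only if the private key is encrypted: ssh-keygen -y derives the
#    public key from the private one and fails when an empty passphrase cannot
#    decrypt it. A key that loads with -P "" is stored in the clear.
key_is_encrypted() {
    ! ssh-keygen -y -P "" -f "$KEY" >/dev/null 2>&1
}

# 3. Start an agent with a default lifetime for every key it holds; after that
#    the key must be re-added (i.e. the passphrase typed again).
start_agent() {
    eval "$(ssh-agent -s -t "$AGENT_LIFETIME")" >/dev/null
}

# 4. Load the key into the agent. Interactively ssh-add prompts on the tty;
#    here a tiny askpass helper supplies the passphrase from $PASS instead.
load_key() {
    askpass="$WORK/askpass.sh"
    cat > "$askpass" <<'EOF'
#!/bin/sh
printf '%s\n' "$PASS"
EOF
    chmod 700 "$askpass"
    SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force DISPLAY=:0 \
        ssh-add "$KEY" </dev/null >/dev/null 2>&1
}

# Number of agent-held identities whose public key matches our key file.
agent_key_count() {
    pub="$(cut -d' ' -f2 "$KEY.pub")"
    ssh-add -L 2>/dev/null | grep -c -F "$pub" || true
}

make_key
if key_is_encrypted; then
    echo "private key is encrypted on disk"
else
    echo "WARNING: private key is stored without a passphrase"
fi
start_agent
load_key
echo "identities in agent for this key: $(agent_key_count)"
```

The agent lifetime only governs new authentications: an ssh session already established into a tmux-backed host stays up after the key expires from the agent, but the next reconnect after a reboot or network change needs the passphrase again, which is exactly the "touch plus passphrase" case Roy describes. Leave `agent_key_count` at 1 as the sanity check that the key went into the agent rather than being silently skipped.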