Dailydave mailing list archives
Re: PCI-DSS and ssh public key question
From: Raymond Forbes <rforbes () e-stalkers net>
Date: Mon, 09 Jun 2008 20:04:54 -0700
You have to ask yourself: can you track individual users based on their private key, or will everything just show up as "root" in the logs? For PCI, you need to be able to show evidence that each transaction is associated with a particular person and that you can track it. If you can do that, I think you should be OK. However, I am not an auditor, so take it for what it's worth.

-Raymond

Paul Wouters wrote:
> Hi people,
>
> Does anyone have a definitive answer on whether ssh public key encryption, without hardware tokens, is allowed according to PCI-DSS? pci_audit_procedures_v1-1.pdf section 8 seems to suggest passwords for everyone or two-factor auth, and sudo passwords for everyone for the audit trail.
>
> Of course, this makes changing the configuration of 100 servers that require root access either the worst job in the universe, or will see some awful "expect" wrappers to stop sysadmins from leaving their job to serve coffee at Starbucks.
>
> Personally, I would trust ssh keys over admins (including myself) not screwing up their password wrappers. It seems the answer might depend on your auditor.....
>
> Paul
>
> PS. I know using ssh with passwords and wrappers on top of sudo wrappers sucks and is actually less secure (go find that password in the bash_history file). It is not myself I'm trying to convince here.....
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
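Raymond's question above (can each root login be traced to a person, or does everything just show up as "root"?) is the operational one, and it is answerable from sshd's own logs if two things hold: sshd records the fingerprint of the key it accepted, and someone maintains a map from fingerprint to owner. The script below is an added example, not code from the thread or from any of its authors. It assumes the log format of current OpenSSH, where the "Accepted publickey" line carries the key type and SHA256 fingerprint (older releases only log the fingerprint with LogLevel VERBOSE, on a separate line, which this parser does not handle). The hostnames, addresses and fingerprints are constructed placeholders, and the fingerprint-to-owner map would in practice be generated with ssh-keygen -lf against the root account's authorized_keys file.

```shell
#!/bin/sh
# Added example: attribute shared-account ("root") ssh public-key logins to
# named people by matching the accepted key's fingerprint against a
# fingerprint -> owner map. Not code from the thread.
#
# Assumption: sshd logs the accepted key's fingerprint on the "Accepted"
# line, as current OpenSSH does (older releases need LogLevel VERBOSE and
# log it on a separate line, which this parser does not handle).

# Constructed sample log lines, not from any real host; the fingerprints
# are shortened placeholders (real SHA256 fingerprints are 43 base64 chars).
SAMPLE_LOG='Jun  9 20:01:12 pci-web01 sshd[2314]: Accepted publickey for root from 10.1.2.3 port 51022 ssh2: RSA SHA256:aaaa1111
Jun  9 20:03:40 pci-web01 sshd[2377]: Accepted publickey for root from 10.1.2.9 port 51040 ssh2: ED25519 SHA256:bbbb2222
Jun  9 20:05:03 pci-web01 sshd[2401]: Accepted password for root from 10.1.2.15 port 51051 ssh2
Jun  9 20:07:55 pci-web01 sshd[2450]: Accepted publickey for root from 10.1.2.30 port 51077 ssh2: RSA SHA256:cccc3333'

# Constructed fingerprint -> owner map. On a real host build it from
#   ssh-keygen -lf /root/.ssh/authorized_keys
# which prints each key's fingerprint followed by its comment; keep the
# comment set to the owner's name so the map lives with the keys.
KEY_OWNERS='SHA256:aaaa1111 paul
SHA256:bbbb2222 raymond'

# write_samples MAPFILE LOGFILE: materialise the constructed inputs.
write_samples() {
  printf '%s\n' "$KEY_OWNERS" > "$1"
  printf '%s\n' "$SAMPLE_LOG" > "$2"
}

# attribute_logins MAPFILE LOGFILE: one line per successful login,
#   "<month> <day> <time> <user> <source-ip> <owner|UNATTRIBUTED(reason)>"
# Password logins and keys missing from the map are flagged, because
# neither can be tied to a person after the fact.
attribute_logins() {
  awk '
    # First file: the fingerprint -> owner map, one "fingerprint name" per line.
    FILENAME == ARGV[1] { if ($1 != "") owner[$1] = $2; next }
    # Second file: the sshd log; only successful authentications matter here.
    /sshd\[[0-9]+\]: Accepted / {
      method = $7; user = $9; ip = $11; fp = ""
      for (i = 12; i <= NF; i++) if ($i ~ /^SHA256:/) fp = $i
      if (method != "publickey")
        who = "UNATTRIBUTED(" method " auth, no key)"
      else if (fp in owner)
        who = owner[fp]
      else
        who = "UNATTRIBUTED(unknown-key " fp ")"
      print $1, $2, $3, user, ip, who
    }' "$1" "$2"
}

# unattributed_count MAPFILE LOGFILE: number of logins with no person behind
# them; anything above zero is a finding for the audit trail.
unattributed_count() {
  attribute_logins "$1" "$2" | awk '/UNATTRIBUTED/ { n++ } END { print n + 0 }'
}

# Demo run on the constructed inputs.
tmp=$(mktemp -d)
write_samples "$tmp/owners" "$tmp/auth.log"
attribute_logins "$tmp/owners" "$tmp/auth.log"
echo "unattributed root logins: $(unattributed_count "$tmp/owners" "$tmp/auth.log")"
rm -rf "$tmp"
```

On the constructed input the first two logins resolve to paul and raymond, the password login is flagged because no key identifies the person, and the fourth is flagged because its fingerprint is not in the map; either flag is exactly the gap an auditor would ask about. Keeping the map in the key comments and regenerating it from authorized_keys on each run avoids the map drifting from the keys actually installed.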
Current thread:
- PCI-DSS and ssh public key question Paul Wouters (Jun 09)
- Re: PCI-DSS and ssh public key question Raymond Forbes (Jun 10)
- Re: PCI-DSS and ssh public key question Trygve Aasheim (Jun 10)
- Re: PCI-DSS and ssh public key question Lee Brotherston (Jun 10)
- Re: PCI-DSS and ssh public key question B.K. DeLong (Jun 10)
- Re: PCI-DSS and ssh public key question Paul Melson (Jun 10)