Re: PCI-DSS and ssh public key question

["Paul Melson" <pmelson () gmail com>]

On Mon, Jun 9, 2008 at 4:27 PM, Paul Wouters <paul () xelerance com> wrote:
> Does anyone have a definitive answer on whether ssh public key encryption,
> without hardware tokens, is allowed according to PCI-DSS?
> pci_audit_procedures_v1-1.pdf section 8 seems to suggest passwords for
> everyone or two factor auth, and sudo passwords for everyone for audit
> trail.

8.2 requires that all of your authentication schemes use at least one
of password, token, cert, public key, or biometrics. SSH keys would
fall into the public key category, which is, for PCI-DSS purposes, a
"token."  That means that for remote access (across the Internet or
some other public network), you must combine it with a password.  The
password to unlock the client keystore doesn't count.

> Of course, this makes changing 100 servers' configuration requiring root
> access either the worst job in the universe, or will see some awful
> "expect" wrappers to stop sysadmins from leaving their job to serve coffee
> at Star Bucks.

Starbucks has to be PCI compliant, too.  There is no escape.


> Personally, I would trust ssh keys over admins (inclusding myself) not
> screwing up their password wrappers.

Especially since 8.4 requires that you not store the password or the
key to said password in clear text anywhere.


> It seems the answer might be depending on your auditor.....

Bingo.

PaulM
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave