Dailydave mailing list archives
Re: PCI-DSS and ssh public key question
From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 10 Jun 2008 06:39:37 -0400
On Mon, Jun 9, 2008 at 4:27 PM, Paul Wouters <paul () xelerance com> wrote:
Does anyone have a definitive answer on whether ssh public key encryption, without hardware tokens, is allowed according to PCI-DSS? pci_audit_procedures_v1-1.pdf section 8 seems to suggest passwords for everyone or two factor auth, and sudo passwords for everyone for audit trail.
8.2 requires that all of your authentication schemes use at least one of password, token, cert, public key, or biometrics. SSH keys would fall into the public key category, which is, for PCI-DSS purposes, a "token." That means that for remote access (across the Internet or some other public network), you must combine it with a password. The password to unlock the client keystore doesn't count.
Of course, this makes changing 100 servers' configuration requiring root access either the worst job in the universe, or will see some awful "expect" wrappers to stop sysadmins from leaving their job to serve coffee at Starbucks.
Starbucks has to be PCI compliant, too. There is no escape.
Personally, I would trust ssh keys over admins (including myself) not screwing up their password wrappers.
Especially since 8.4 requires that you not store the password or the key to said password in clear text anywhere.
It seems the answer might depend on your auditor...
Bingo.

PaulM

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
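As an added example that is not part of this thread (OpenSSH 6.2 and later added the AuthenticationMethods directive, which post-dates this 2008 exchange), here is a small POSIX shell check over a constructed sshd_config that enforces the key-plus-password combination the reply describes and relaxes it only for a private network; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "ssh key AND password" on remote logins.
# Assumes OpenSSH 6.2+ (AuthenticationMethods). Function names are hypothetical.

# Constructed sample config. The global policy requires both factors; the Match
# block relaxes it for a private network that is not "remote access".
sample_sshd_config() {
  cat <<'EOF'
PasswordAuthentication yes
PubkeyAuthentication yes
# Weak: a space separates alternatives, so a key alone would log in
#AuthenticationMethods publickey password
# Corrected: comma = "then", so the server itself checks a password after the key
# (a passphrase on the client keystore would not satisfy this)
AuthenticationMethods publickey,password publickey,keyboard-interactive
Match Address 10.0.0.0/8
    AuthenticationMethods publickey
EOF
}

# Print the effective global AuthenticationMethods: lines before any Match block,
# comments skipped, last occurrence wins (as sshd evaluates it).
global_auth_methods() {
  awk 'tolower($1)=="match"{exit}
       /^[[:space:]]*#/{next}
       tolower($1)=="authenticationmethods"{$1=""; v=$0}
       END{sub(/^[[:space:]]+/,"",v); print v}' "$1"
}

# Return 0 only if every alternative chain contains publickey plus a
# server-verified password factor (password or keyboard-interactive).
requires_key_and_password() {
  methods=$(global_auth_methods "$1")
  [ -n "$methods" ] || return 1
  for alt in $methods; do
    case ",$alt," in *,publickey,*) ;; *) return 1 ;; esac
    case ",$alt," in *,password,*|*,keyboard-interactive,*) ;; *) return 1 ;; esac
  done
  return 0
}

main() {
  tmp=$(mktemp)
  sample_sshd_config > "$tmp"
  if requires_key_and_password "$tmp"; then
    echo "OK: remote logins need key + password"
  else
    echo "WARNING: a key alone can log in"
  fi
  rm -f "$tmp"
}
main "$@"
```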