Dailydave mailing list archives
PCI-DSS and ssh public key question
From: Paul Wouters <paul () xelerance com>
Date: Mon, 9 Jun 2008 16:27:14 -0400 (EDT)
Hi people,

Does anyone have a definitive answer on whether ssh public key encryption, without hardware tokens, is allowed according to PCI-DSS?

pci_audit_procedures_v1-1.pdf section 8 seems to suggest passwords for everyone or two factor auth, and sudo passwords for everyone for audit trail. Of course, this makes changing 100 servers' configuration requiring root access either the worst job in the universe, or will see some awful "expect" wrappers to stop sysadmins from leaving their job to serve coffee at Star Bucks.

Personally, I would trust ssh keys over admins (including myself) not screwing up their password wrappers.

It seems the answer might be depending on your auditor.....

Paul

ps. I know using ssh with passwords and wrappers on top of sudo wrappers sucks and is actually less secure (go find that password in the bash_history file). It is not myself I'm trying to convince here.....