Re: PCI-DSS and ssh public key question

[Raymond Forbes <rforbes () e-stalkers net>]

You have to ask yourself.  Can you track individual users based on their 
private key or will everything just show up as "root" in the logs?

For PCI, you need to be able to show evidence that each transaction is 
associated with a particular person and you can track it.  If you can do 
that, I think you should be ok.

however, I am not an auditor, so take it for what it's worth.

-Raymond

Paul Wouters wrote:
> Hi people,
>
> Does anyone have a definitive answer on whether ssh public key encryption,
> without hardware tokens, is allowed according to PCI-DSS?
>
> pci_audit_procedures_v1-1.pdf section 8 seems to suggest passwords for
> everyone or two factor auth, and sudo passwords for everyone for audit
> trail.
>
> Of course, this makes changing 100 servers' configuration requiring root
> access either the worst job in the universe, or will see some awful
> "expect" wrappers to stop sysadmins from leaving their job to serve coffee
> at Star Bucks.
>
> Personally, I would trust ssh keys over admins (inclusding myself) not
> screwing up their password wrappers.
>
> It seems the answer might be depending on your auditor.....
>
> Paul
>
> ps. I know using ssh with passwords and wrappers on top of sudo wrappers
> sucks and is actually less secure (go find that password in the bash_history
> file). It is not myself I'm trying to convince here.....
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
>   

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave