On Sat, Sep 30, 2017 at 9:28 AM, Roy Smith <r...@panix.com> wrote:
> What’s the current best practice for auth on ToolForge?
>
> I have a passphrase on my public ssh key. I’ll be accessing toolforge from
> my MacBook which is protected with Apple’s Touch ID fingerprint scanner.
> I’ll be nailing up a tmux session.
>
> So, most of the time, there will be an active ssh session into wfmlabs
> protected only by my fingerprint touch. If the ssh session goes down (i.e.
> reboot or network change), it’ll be a touch plus my ssh passphrase.
>
> Is this considered an appropriate level of protection for this environment?

Having a strong passphrase on your private ssh key is recommended.
Using an ssh-agent to hold your ssh key when decrypted is reasonable.
Keeping an ssh session open via screen or tmux is acceptable. I would
expect these three things to be in common use by a number of Toolforge
/ Cloud VPS users and administrators.

The only thing that is semi-unique about the setup you describe is the
use of biometric auth for unlocking your laptop. I don't see that that
makes your key handling practices inherently weaker (or stronger) than
having a passphrase for unlocking.

Bryan
--
Bryan Davis, Wikimedia Foundation <bd...@wikimedia.org>
[[m:User:BDavis_(WMF)]], Manager, Cloud Services, Boise, ID USA
irc: bd808, v:415.839.6885 x6855

_______________________________________________
Cloud mailing list
Cloud@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/cloud