On Fri, 2014-02-28 at 17:27 +0000, Nordgren, Bryce L -FS wrote:
> Am I overlooking something, or is this likely to be an effective means
> of delegating small project support while sideboarding potential Evil?
Well, there area always caveats, mostly that you will find exceptions
you have to permit for whatever reason, so you generally need a workable
exception mechanism when that happens, auditing can be a suitable
mitigation factor in those cases.
That said I think JR also gave excellent points.
Esp wrt 2FA which, incidentally, we are almost done implementing in
FreeIPA. With 2FA you substantially reduce the threat of stolen
passwords, when you have to allow password login on less trusted
machines, at least for human accounts.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list