begin  quoting Todd Walton as of Tue, Jun 05, 2007 at 06:19:36AM -0500:
[snip]
> One wonders why DoD would specifically disallow it.  If you could
> integrate an RSA hard token kind of setup with each box's root access,
> that seems like a much better idea than passwords alone.  A lot of
> overhead, sure, but for a significant gain in security.  One wonders
> why DoD would actually forbid such a setup.

I'm told that tanks don't have keys.  If you need to use a tank *now*,
you can't spare a day to track down the guy who has the key...

I would /guess/ that in an emergency, they'd rather have access be a
phone call away rather than relying on the network being up.  Trying
to give someone an RSA key over the phone is not likely to be very
useful.

Remember, we put "availability" into the security definition these days.
You have to consider the /likely/ scenarios before scoffing too hard.
(That isn't to say that the DoD isn't defending against movie-plot
threats, but that's a matter for another discussion.)


-- 
Power outages and network instability are very real real-world concerns.
Stewart Stremler


-- 
KPLUG-List@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
