Hi Bryan,
A) My default answer is always going to be add it to the wiki with
sensitive portions redacted and point to SVN files that are encrypted.
This follows in kind to how extremely, sensitive items
B) In my line of work, it is absolutely a failure of any security audit
to use a default password. It also shouldn't be written even on this list.
What you should do is use the pub key at
http://people.apache.org/~kmcgrail/ and encrypt a file with the
password. <soapbox>Ideally, you already have a key for me that chains
to a circle of trust so you know for sure it's me. They actually have
key signing parties and stuff for this. I've found it to be a PITA and
doesn't make me feel better that the key is valid. It's not like we are
trained in verifying fake IDs so it's nothing but an illusion of
trust.</soapbox>
Dave, can you decrypt
https://svn.apache.org/repos/asf/spamassassin/sysadmins/accounts/example.enc?
There is a example.enc.README to help explain more of the process.
*Reminder: *Bryan, you need to get your public key on
http://people.apache.org/~bvest/
Regards,
KAM
On 5/15/2017 4:01 PM, Dave Jones wrote:
I setup nesedit and wanted to pass this along. We can put this in the
wiki after we have properly vetted any security issues but I think I
have it pretty secure.
1. Open an SSH tunnel from your desktop:
ssh -f sa-vm1.apache.org -L 8090:localhost:8090 -N
2. Open http://localhost:8090 from your desktop browser
3. Login with admin/admin
Do we need to change the default admin password? My thought was it's
not externally accessible (port 8090 listens on 127.0.0.1 and this
port is not opened on the local firewall) and everyone on the server
is trusted by SSH keys and has root access anyway.
I think it's secure from the outside and the default admin password is
fine in this case.