Hi Bryan,

A) My default answer is always going to be add it to the wiki with sensitive portions redacted and point to SVN files that are encrypted. This follows in kind to how extremely, sensitive items

B) In my line of work, it is absolutely a failure of any security audit to use a default password. It also shouldn't be written even on this list.

What you should do is use the pub key at http://people.apache.org/~kmcgrail/ and encrypt a file with the password. <soapbox>Ideally, you already have a key for me that chains to a circle of trust so you know for sure it's me. They actually have key signing parties and stuff for this. I've found it to be a PITA and doesn't make me feel better that the key is valid. It's not like we are trained in verifying fake IDs so it's nothing but an illusion of trust.</soapbox>

Dave, can you decrypt https://svn.apache.org/repos/asf/spamassassin/sysadmins/accounts/example.enc? There is a example.enc.README to help explain more of the process.

*Reminder: *Bryan, you need to get your public key on http://people.apache.org/~bvest/

Regards,
KAM

On 5/15/2017 4:01 PM, Dave Jones wrote:
I setup nesedit and wanted to pass this along. We can put this in the wiki after we have properly vetted any security issues but I think I have it pretty secure.

1. Open an SSH tunnel from your desktop:

ssh -f sa-vm1.apache.org -L 8090:localhost:8090 -N

2. Open http://localhost:8090 from your desktop browser

3. Login with admin/admin

Do we need to change the default admin password? My thought was it's not externally accessible (port 8090 listens on 127.0.0.1 and this port is not opened on the local firewall) and everyone on the server is trusted by SSH keys and has root access anyway.

I think it's secure from the outside and the default admin password is fine in this case.


Reply via email to