Yes, you're right. Two-factor is definitely a well-established option that would solve this problem. As stated, it is required for the VPN connection. It isn't required for the servers. By "too much overhead" I'm referring to the fact that we don't have the man hours to put a solution in place at the moment and I've already received resistance from my boss and the lead engineer on RSA even with soft tokens. Neither wants to deal with the infrastructure needed. It needs to be remembered that we're the contractor on this project and the requirements are stipulated by the contracting agency. If they aren't willing to pay for something, we don't use it. At this point, it would be hard to rationalize adding RSA or a similar technology when we already have 2500 licenses for Phonefactor (even though they're already pre-allocated for other uses and quite honestly, I don't like the cumbersome nature of it). Disabling root is also not an option as they haven't stipulated it be done. It can certainly be pitched, but they'll expect rationalization and honestly, I don't think I can come up with an argument that is compelling enough to convince them. Especially since I'm not convinced myself that it is a good idea.

-Mathew

"When you do things right, people won't be sure you've done anything at all." - God; Futurama

On Wed, Nov 2, 2011 at 9:47 AM, Edward Ned Harvey <[email protected]> wrote:
>> From: Edward Ned Harvey [mailto:[email protected]]
>>
>> whatever (keepass
>> etc) mechanism you're using.
>
> FWIW, I'm using encfs and dropbox. Works very well to sync & communicate
> certain secure information amongst the IT team.
>
> _______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
