> Hmm, that might work for a small scale setup or where users relatively
> infrequently login to bastions.
>
> Less so when you're talking hundreds to thousands of hosts, or where
> frequent logins are a part of the daily experience -- perhaps due to
> side effects of various organizational policies?
Question: Why are you logging into that many hosts? We have hundreds of systems, but I login to very few of them. Typically we login to an Admin host, from which we can then jump to the other hosts, and have convenient admin scripts - scripts that take action against many hosts. Most of the time, most of our work is done by CFEngine.

I'm in the middle of determining our Bastion host design, and I've got 2 things in mind:

1) system that's an IP restricted ssh system, preferably w/ SSH keys.
2) system w/ no IP restrictions, but maybe 2 factor auth. (Doesn't exist yet)

Neither box has any real admin scripts, or much on it. It's supposed to serve as the system you login to, and then ssh to the correct admin box. I'll have to look at jumpsh; it might be nice to really limit the use of the box to a small number of hosts inside the perimeter.

Part of my reasoning for this is to have an external box we keep fully up to date on security patches, without worrying about it impacting any other services on it. I might suggest the alternative port, just to keep the annoying script kiddies from filling up my logs, but it's not a huge issue.

What do people think of SSH with SSH keys *only*? Is it strong enough to be a non-IP locked system? I'd expect to have at most 8 users with SSH keys - the Linux SA group. They could be counted on to notify the group in the event of a stolen laptop, which in my mind is the only real attack vector. We don't have any PCI issues anymore.

Also: does anyone have any decent suggestions for 2 factor systems that are free? I'd prefer not to have to carry any kind of token. The group has Blackberries, and iPhones, + laptops, basically.

Matthew

Matthew Barr
[email protected]
cell: 646-765-6878

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
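An added example, not part of Matthew's message or the LOPSA thread: a POSIX shell audit that checks whether an sshd_config actually implements the keys-only bastion design described above (no password or keyboard-interactive logins, no root login, access limited to one admin group). The two sample configs it writes are constructed for illustration, and the group name `linux-sa` and the temporary paths are assumptions. It takes the first global occurrence of each keyword, as sshd does, and ignores `Match` blocks.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# key-only bastion settings discussed above. Sample configs below are
# constructed; the group name linux-sa is an assumption.

# Print the effective global value of the first keyword in "$@" that is set
# (keywords are case-insensitive; first occurrence wins; Match blocks are
# skipped). Prints nothing if none is set. Always returns 0.
sshd_opt() {
    f=$1; shift
    for k in "$@"; do
        v=$(awk -v key="$(printf '%s' "$k" | tr 'A-Z' 'a-z')" '
            /^[[:space:]]*#/        { next }            # comment line
            tolower($1) == "match"  { inmatch = 1; next }
            inmatch                 { next }            # inside a Match block
            tolower($1) == key      { print $2; exit }
        ' "$f")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 0
}

# Compare one setting (with optional alias keyword) to the expected value.
# Prints PASS/FAIL and returns 1 on failure so the caller can count problems.
check() {
    # $1 = file, $2 = expected value, $3.. = keyword and aliases
    f=$1; want=$2; shift 2
    val=$(sshd_opt "$f" "$@")
    if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$want" ]; then
        printf 'PASS %s = %s\n' "$1" "$val"
        return 0
    fi
    printf 'FAIL %s is "%s", expected "%s"\n' "$1" "${val:-<unset>}" "$want"
    return 1
}

# Audit a config for a key-only bastion. Returns the number of failed checks.
audit_sshd_config() {
    fails=0
    check "$1" no  PasswordAuthentication                   || fails=$((fails+1))
    # Newer OpenSSH calls this KbdInteractiveAuthentication; older releases
    # use ChallengeResponseAuthentication. Either spelling satisfies the check.
    check "$1" no  KbdInteractiveAuthentication ChallengeResponseAuthentication \
                                                            || fails=$((fails+1))
    check "$1" yes PubkeyAuthentication                     || fails=$((fails+1))
    check "$1" no  PermitRootLogin                          || fails=$((fails+1))
    # AllowGroups must name the SA group; the value itself is site-specific.
    grp=$(sshd_opt "$1" AllowGroups)
    if [ -n "$grp" ]; then
        printf 'PASS AllowGroups = %s\n' "$grp"
    else
        printf 'FAIL AllowGroups unset (any local account with a key could log in)\n'
        fails=$((fails+1))
    fi
    return $fails
}

# Write one of two constructed sample configs (not real host files).
write_sample_config() {
    # $1 = hardened|weak, $2 = destination path
    if [ "$1" = hardened ]; then
        cat > "$2" <<'EOF'
# Constructed sample: key-only bastion, reachable from anywhere
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups linux-sa
MaxAuthTries 3
LoginGraceTime 20
EOF
    else
        cat > "$2" <<'EOF'
# Constructed sample: distribution-style default that still allows passwords
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication no
EOF
    fi
}

# Stand-alone demo: audit both samples and report the number of problems.
demo() {
    d=$(mktemp -d)
    write_sample_config hardened "$d/hardened"
    write_sample_config weak "$d/weak"
    for f in hardened weak; do
        printf '== %s ==\n' "$f"
        if audit_sshd_config "$d/$f"; then
            echo "OK: key-only bastion settings present"
        else
            echo "problems found: $?"
        fi
    done
    rm -rf "$d"
}
demo
```

On a live host, run the audit against the output of `sshd -T` (the resolved effective configuration, lowercase keywords) rather than the raw file, so included files and defaults are accounted for; the parser handles the lowercase form.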
