Loomio

Servers and security

RJ Raphaël Jadot Public Seen by 263

This topic is focused on all security concerns and solutions we may have related to our servers.

Raphaël Jadot Sun 3 Mar 2013 5:17PM

We'll have two physical machines that will host one or several VMs. I don't see any reason to use anything other than a Linux distribution.

@jclvanier gives us a link that summarizes well the security concerns we may have with SSH access.

The security should be a balance between:
* securing accesses;
* giving the ability to easily access when there is some emergency, and we don't have our usual computer with us;
* being able to block/revert situations moving badly;
* keeping the infra simple, understandable and easy to manage.

Raphaël Jadot Sun 3 Mar 2013 5:19PM

If one of the weakest points is the password, we may think about a password policy. However, it may have some issues: we don't always remember complex passwords. So we may forget it and not be able to fix a problem, or write it somewhere, and that's a security hole.

Anurag Bhandari Mon 4 Mar 2013 8:11AM

I like the ssh public key mechanism, and feel it should remain that way. The real question is choosing ease of access or high security. Of course, high security should win. So all infra guys should either copy their public keys to all machines they'd be using to access the servers or create a different one for each machine and install all their keys in sshd's config on the server. I'd prefer the first method.

Raphaël Jadot Mon 4 Mar 2013 12:54PM

@anuragbhandari so I guess the best is to let people be free to add their ssh key or not, if I understand you correctly. I agree with this vision.
I guess then we may add some security with an ssh password policy, wdyt?

Raphaël Jadot Mon 4 Mar 2013 3:34PM

So to be sure we agree or not, let's have a decision.

jclvanier Mon 4 Mar 2013 4:36PM

We can have both:
-- ssh key for everyday use
-- strong passwords for allowing access to the servers from rarely used machines.
If someone forgets his password, we can send him another one in a cyphered file. This supposes that everyone has to create a pair of gpg keys.

John Cave Tue 5 Mar 2013 5:57AM

We should enforce both, but should remember to use a different passphrase for the Key and for the normal login.

Raphaël Jadot Tue 5 Mar 2013 11:42AM

@johncave we unfortunately can't check the password of an ssh key, or whether there is one.
In fact, we must also think that we have one other way to access the server through the java console (or IPMI if it's up again).

My idea would be to secure the hosts and force ssh key for them, and not force ssh key for CT.
WDYT?

Raphaël Jadot Tue 5 Mar 2013 11:46AM

@jclvanier technically we can, but we have to think about consequences.
If someone steals a key and has the password to it, he has free access to an account. Anyway, there is better protection against password sniffing.
Then the failure point is again the password for sudo. So as the hosts are what needs to be protected over the VM, I suggest forcing ssh key use for them.

Anurag Bhandari Thu 7 Mar 2013 8:31PM

So we all finally agreed on forcing ssh access through keys?
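
As an added example (not part of the thread and not the team's own tooling): a small Python audit of an `sshd_config` against the key-only policy proposed above for the hosts. The function name and the sample configurations are constructed for illustration, and files pulled in with `Include` are assumed not to be in use.

```python
# Added example, not from the thread: audit sshd_config text for key-only login.
# OpenSSH defaults for the keywords that decide whether a password can log in.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Older configs use this deprecated alias for keyboard-interactive.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_KEYS = ("passwordauthentication", "kbdinteractiveauthentication")

def audit_host(config_text):
    """Return a list of violations of the key-only policy (hypothetical helper)."""
    effective, problems = dict(DEFAULTS), []
    seen, in_match = set(), False
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"').lower() if len(parts) == 2 else ""
        if key == "match":
            in_match = True          # later lines apply only to matching logins
        elif key not in DEFAULTS:
            continue
        elif in_match:               # conservative: flag any conditional re-enable
            if key in PASSWORD_KEYS and value == "yes":
                problems.append(f"line {number}: Match block re-enables {key}")
        elif key not in seen:        # sshd keeps the first global value it reads
            seen.add(key)
            effective[key] = value
    for key in PASSWORD_KEYS:
        if effective[key] != "no":
            problems.append(f"global {key} is '{effective[key]}', must be 'no'")
    if effective["pubkeyauthentication"] != "yes":
        problems.append("global pubkeyauthentication must be 'yes'")
    return problems

# Constructed sample configurations.
HARDENED = "PubkeyAuthentication yes\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"
WEAK = """PasswordAuthentication yes   # first value wins, the next line is ignored
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_host(text) or "OK")
```

An empty configuration fails the audit too, because OpenSSH's built-in defaults allow password logins.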
