Posted to sysadmins@spamassassin.apache.org by Dave Jones <da...@apache.org> on 2017/05/15 20:01:50 UTC

PowerDNS web interface

I set up nsedit and wanted to pass this along.  We can put this in the 
wiki after we have properly vetted any security issues but I think I 
have it pretty secure.

1. Open an SSH tunnel from your desktop:

ssh -f sa-vm1.apache.org -L 8090:localhost:8090 -N

2. Open http://localhost:8090 from your desktop browser

3. Login with admin/admin

Do we need to change the default admin password?  My thought was it's 
not externally accessible (port 8090 listens on 127.0.0.1 and this port 
is not opened on the local firewall) and everyone on the server is 
trusted by SSH keys and has root access anyway.

I think it's secure from the outside and the default admin password is 
fine in this case.

-- 
Dave
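
The statement in this post that port 8090 listens only on 127.0.0.1 can be checked from `ss -ltn` output. The following is an added example, not part of the original message; the function name `listener_exposure` and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# listener_exposure PORT   (reads `ss -ltn` output on stdin)
# Prints every non-loopback local address that has a TCP listener on PORT.
# Exit status: 0 = loopback only, 1 = reachable on another address,
#              2 = nothing is listening on PORT.
# On a live host:  ss -ltn | listener_exposure 8090
listener_exposure() {
    awk -v port="$1" '
        $1 == "LISTEN" && match($4, /:[0-9]+$/) {
            # $4 is "Local Address:Port"; split it at the last colon
            if (substr($4, RSTART + 1) != port) next
            host = substr($4, 1, RSTART - 1)
            sub(/%.*$/, "", host)        # drop a "%lo"-style interface suffix
            seen = 1
            # 127.0.0.0/8, ::1 (bracketed or bare), IPv4-mapped loopback
            if (host ~ /^127\./ || host == "[::1]" || host == "::1" ||
                host ~ /^\[::ffff:127\./) next
            print host
            exposed = 1
        }
        END { if (!seen) exit 2; exit (exposed ? 1 : 0) }
    '
}

# Constructed sample listings (not captured from any real server).
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:8090      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'

SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:8090      0.0.0.0:*
LISTEN 0      128                *:8090            *:*'

if addrs=$(printf '%s\n' "$SAMPLE_LOOPBACK" | listener_exposure 8090); then
    echo "sample 1: port 8090 is loopback-only"
else
    echo "sample 1: port 8090 check failed: $addrs"
fi

if addrs=$(printf '%s\n' "$SAMPLE_EXPOSED" | listener_exposure 8090); then
    echo "sample 2: port 8090 is loopback-only"
else
    echo "sample 2: port 8090 also listens on: $addrs"
fi
```
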

Re: PowerDNS web interface

Posted by Dave Jones <da...@apache.org>.
LP has still not had a data breach to date.  Even if they did, they 
don't store anything but an encrypted blob of random bits.  They have 
responded quickly to all issues and patched things fast.  The last issue 
was reported to them on a Saturday via Twitter and they had it fixed 
within 4 hours.  You can't ask for better responsibility by a major 
security company like LP.

I guess we need to figure out how to create a recovery key and get the 
credentials to that central LP account.

Dave

On 05/15/2017 05:35 PM, Greg Stein wrote:
> We currently keep many credentials in LastPass (*). ... If y'all would like
> to construct a recovery key for SA, then we'll happily store that into the
> ASF LastPass account.
> 
> Cheers,
> -g
> 
> (*) after a couple LP security notices, we are considering other options,
> but that's neither here/there. if we switch vault providers in six
> months... we'll *still* have one for an SA recovery key.
> 
> 
> On Mon, May 15, 2017 at 5:27 PM, Kevin A. McGrail <kevin.mcgrail@mcgrail.com> wrote:
> 
>> Greg,
>>
>> Dave Jones brings up a good point about longevity of encrypted things for
>> the foundation.  Could infra maintain a key that can be added to things for
>> a backdoor?
>>
>> See below for a snapshot of the relevant thread for background.
>>
>> Regards,
>> KAM
>>
>> KAM:
>> What you should do is use the pub key at http://people.apache.org/~kmcgrail/
>> and encrypt a file with the password.  <soapbox>Ideally, you
>> already have a key for me that chains to a circle of trust so you know for
>> sure it's me.  They actually have key signing parties and stuff for this.
>> I've found it to be a PITA and doesn't make me feel better that the key is
>> valid.  It's not like we are trained in verifying fake IDs so it's nothing
>> but an illusion of trust.</soapbox>
>>
>> Dave: My concern is I can sign it with your (Kevin's) key and even Brian's
>> key so the two of you can open it but what happens if another 5 or 10 years
>> go by and we 3 are no longer volunteering as SA sysadmins?  The next
>> generation of sysadmins won't be able to open these files.
>>
>> There has to be a better way where we use an encrypted file with a master
>> password that we share and is recorded in a safe place for the future.
>>
>> I use LastPass for this and I have my master password in an envelope in a
>> safe for my wife to open in the event I am no longer on this planet. I have
>> instructed her to take this envelope to any of my techie friends and they
>> would know how to help her get access of all of my online accounts.  We
>> need something like this for this team.
>>
>> KAM: The first consideration is that the method above with SVN is
>> considered acceptable to the foundation and exists already.  It long
>> predates me and has a strong encryption pedigree.  It also doesn't rely on
>> a service being in business since it uses all open source software and
>> files that you can mirror today.
>>
>> What I have done that is similar to what you describe is that my
>> passphrase for my private key is in my safe.  So should I leave this mortal
>> coil, the data is all recoverable.
>>
>> Also, we are trying to move away from master passwords as much as
>> possible.  Sharing of root credentials should be avoided as just a general
>> security mantra.
>>
>> KAM: Do you feel strongly enough about it to debate it with infra and see
>> what their thoughts are?
>>
>> Dave: Not that strongly.  I will be glad to go along with the existing
>> standards.  Seems like there should be an escrow-ed key from the foundation
>> or something that we would also sign with for the future.
>>
>>
> 

Re: PowerDNS web interface

Posted by Greg Stein <gs...@gmail.com>.
Definitely the latter, and I'll leave it to @fluxo to coordinate with you
on security.

For the former, we could probably arrange some shared groups and whatnot. I
don't recall our specific plan with LP and ability to construct various
groups. And given that we might switch providers, I'm not keen on spending
time to figure it out, beyond a simple archival of your key and passphrase.

Longer term, we could look at more direct support for our PMCs. Not sure
what form that would take, as you're the first to ask for such. (note:
likely not cuz you're the first to need it, but that you're the first with
a security mindset)

Does that work for y'all?

On Mon, May 15, 2017 at 5:49 PM, Kevin A. McGrail <kevin.mcgrail@mcgrail.com> wrote:

> Is lp available for projects?
>
> And/Or do you envision we create a key for say sysadmins@s.a.o and give
> you the private key and also a passphrase out of band. Then we add
> sysadmins@s.a.o to anything we encrypt as a recipient and that is a
> safety valve?
> Regards,
> KAM
>
>
> On May 15, 2017 6:35:56 PM EDT, Greg Stein <gs...@gmail.com> wrote:
>>
>> We currently keep many credentials in LastPass (*). ... If y'all would
>> like to construct a recovery key for SA, then we'll happily store that into
>> the ASF LastPass account.
>>
>> Cheers,
>> -g
>>
>> (*) after a couple LP security notices, we are considering other options,
>> but that's neither here/there. if we switch vault providers in six
>> months... we'll *still* have one for an SA recovery key.
>>
>>
>> On Mon, May 15, 2017 at 5:27 PM, Kevin A. McGrail <
>> kevin.mcgrail@mcgrail.com> wrote:
>>
>>> Greg,
>>>
>>> Dave Jones brings up a good point about longevity of encrypted things
>>> for the foundation.  Could infra maintain a key that can be added to things
>>> for a backdoor?
>>>
>>> See below for a snapshot of the relevant thread for background.
>>>
>>> Regards,
>>> KAM
>>>
>>> KAM:
>>> What you should do is use the pub key at http://people.apache.org/~kmcgrail/
>>> and encrypt a file with the password.  <soapbox>Ideally, you
>>> already have a key for me that chains to a circle of trust so you know for
>>> sure it's me.  They actually have key signing parties and stuff for this.
>>> I've found it to be a PITA and doesn't make me feel better that the key is
>>> valid.  It's not like we are trained in verifying fake IDs so it's nothing
>>> but an illusion of trust.</soapbox>
>>>
>>> Dave: My concern is I can sign it with your (Kevin's) key and even
>>> Brian's key so the two of you can open it but what happens if another 5 or
>>> 10 years go by and we 3 are no longer volunteering as SA sysadmins?  The
>>> next generation of sysadmins won't be able to open these files.
>>>
>>> There has to be a better way where we use an encrypted file with a
>>> master password that we share and is recorded in a safe place for the
>>> future.
>>>
>>> I use LastPass for this and I have my master password in an envelope in
>>> a safe for my wife to open in the event I am no longer on this planet. I
>>> have instructed her to take this envelope to any of my techie friends and
>>> they would know how to help her get access of all of my online accounts.
>>> We need something like this for this team.
>>>
>>> KAM: The first consideration is that the method above with SVN is
>>> considered acceptable to the foundation and exists already.  It long
>>> predates me and has a strong encryption pedigree.  It also doesn't rely on
>>> a service being in business since it uses all open source software and
>>> files that you can mirror today.
>>>
>>> What I have done that is similar to what you describe is that my
>>> passphrase for my private key is in my safe.  So should I leave this mortal
>>> coil, the data is all recoverable.
>>>
>>> Also, we are trying to move away from master passwords as much as
>>> possible.  Sharing of root credentials should be avoided as just a general
>>> security mantra.
>>>
>>> KAM: Do you feel strongly enough about it to debate it with infra and
>>> see what their thoughts are?
>>>
>>> Dave: Not that strongly.  I will be glad to go along with the existing
>>> standards.  Seems like there should be an escrow-ed key from the foundation
>>> or something that we would also sign with for the future.
>>>
>>>
>>

Re: PowerDNS web interface

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
Is lp available for projects?  

And/Or do you envision we create a key for say sysadmins@s.a.o and give you the private key and also a passphrase out of band.  Then we add sysadmins@s.a.o to anything we encrypt as a recipient and that is a safety valve?
Regards,
KAM

On May 15, 2017 6:35:56 PM EDT, Greg Stein <gs...@gmail.com> wrote:
>We currently keep many credentials in LastPass (*). ... If y'all would like
>to construct a recovery key for SA, then we'll happily store that into the
>ASF LastPass account.
>
>Cheers,
>-g
>
>(*) after a couple LP security notices, we are considering other options,
>but that's neither here/there. if we switch vault providers in six
>months... we'll *still* have one for an SA recovery key.
>
>
>On Mon, May 15, 2017 at 5:27 PM, Kevin A. McGrail <kevin.mcgrail@mcgrail.com> wrote:
>
>> Greg,
>>
>> Dave Jones brings up a good point about longevity of encrypted things for
>> the foundation.  Could infra maintain a key that can be added to things for
>> a backdoor?
>>
>> See below for a snapshot of the relevant thread for background.
>>
>> Regards,
>> KAM
>>
>> KAM:
>> What you should do is use the pub key at http://people.apache.org/~kmcgrail/
>> and encrypt a file with the password.  <soapbox>Ideally, you
>> already have a key for me that chains to a circle of trust so you know for
>> sure it's me.  They actually have key signing parties and stuff for this.
>> I've found it to be a PITA and doesn't make me feel better that the key is
>> valid.  It's not like we are trained in verifying fake IDs so it's nothing
>> but an illusion of trust.</soapbox>
>>
>> Dave: My concern is I can sign it with your (Kevin's) key and even Brian's
>> key so the two of you can open it but what happens if another 5 or 10 years
>> go by and we 3 are no longer volunteering as SA sysadmins?  The next
>> generation of sysadmins won't be able to open these files.
>>
>> There has to be a better way where we use an encrypted file with a master
>> password that we share and is recorded in a safe place for the future.
>>
>> I use LastPass for this and I have my master password in an envelope in a
>> safe for my wife to open in the event I am no longer on this planet. I have
>> instructed her to take this envelope to any of my techie friends and they
>> would know how to help her get access of all of my online accounts.  We
>> need something like this for this team.
>>
>> KAM: The first consideration is that the method above with SVN is
>> considered acceptable to the foundation and exists already.  It long
>> predates me and has a strong encryption pedigree.  It also doesn't rely on
>> a service being in business since it uses all open source software and
>> files that you can mirror today.
>>
>> What I have done that is similar to what you describe is that my
>> passphrase for my private key is in my safe.  So should I leave this mortal
>> coil, the data is all recoverable.
>>
>> Also, we are trying to move away from master passwords as much as
>> possible.  Sharing of root credentials should be avoided as just a general
>> security mantra.
>>
>> KAM: Do you feel strongly enough about it to debate it with infra and see
>> what their thoughts are?
>>
>> Dave: Not that strongly.  I will be glad to go along with the existing
>> standards.  Seems like there should be an escrow-ed key from the foundation
>> or something that we would also sign with for the future.
>>
>>
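
One way to audit the safety-valve idea from this message, that every encrypted file also names a shared recovery key as a recipient, is to inspect the output of `gpg --list-packets`. This is an added example, not the project's own tooling; `has_recipient`, the key IDs and the sample packet listings are constructed.

```shell
#!/bin/sh
# has_recipient KEYID   (reads `gpg --list-packets` text on stdin)
# Exit status:
#   0 = KEYID is one of the recipients
#   1 = KEYID is not among the recipients
#   3 = KEYID not seen, but a hidden recipient (all-zero key ID) is
#       present, so the file cannot be verified by inspection alone
# Public-key encrypted session key packets name the *encryption subkey*,
# so KEYID must be the long ID of the recovery key's encryption subkey.
# On a real file (assumed name secret.enc):
#   gpg --batch --list-only --list-packets secret.enc 2>/dev/null |
#       has_recipient "$RECOVERY_SUBKEY"
has_recipient() {
    awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        /^:pubkey enc packet:/ {
            id = ""
            for (i = 1; i < NF; i++)
                if ($i == "keyid") id = toupper($(i + 1))
            if (id == want) found = 1
            else if (id ~ /^0+$/) hidden = 1
        }
        END { if (found) exit 0; if (hidden) exit 3; exit 1 }
    '
}

# Constructed placeholder IDs: one admin's subkey and the recovery subkey.
ADMIN_SUBKEY=AAAA111122223333
RECOVERY_SUBKEY=BBBB444455556666

# Constructed sample listings in the shape gpg prints.
PACKETS_WITH_RECOVERY=":pubkey enc packet: version 3, algo 1, keyid $ADMIN_SUBKEY
	data: [4095 bits]
:pubkey enc packet: version 3, algo 1, keyid $RECOVERY_SUBKEY
	data: [4096 bits]
:encrypted data packet:"

PACKETS_ADMIN_ONLY=":pubkey enc packet: version 3, algo 1, keyid $ADMIN_SUBKEY
	data: [4095 bits]
:encrypted data packet:"

PACKETS_HIDDEN=":pubkey enc packet: version 3, algo 1, keyid 0000000000000000
	data: [4095 bits]
:encrypted data packet:"

for sample in "$PACKETS_WITH_RECOVERY" "$PACKETS_ADMIN_ONLY" "$PACKETS_HIDDEN"
do
    rc=0
    printf '%s\n' "$sample" | has_recipient "$RECOVERY_SUBKEY" || rc=$?
    case $rc in
        0) echo "recovery key is a recipient" ;;
        3) echo "hidden recipient present; cannot verify" ;;
        *) echo "recovery key is NOT a recipient" ;;
    esac
done
```
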

Re: PowerDNS web interface

Posted by Greg Stein <gs...@gmail.com>.
We currently keep many credentials in LastPass (*). ... If y'all would like
to construct a recovery key for SA, then we'll happily store that into the
ASF LastPass account.

Cheers,
-g

(*) after a couple LP security notices, we are considering other options,
but that's neither here/there. if we switch vault providers in six
months... we'll *still* have one for an SA recovery key.


On Mon, May 15, 2017 at 5:27 PM, Kevin A. McGrail <kevin.mcgrail@mcgrail.com> wrote:

> Greg,
>
> Dave Jones brings up a good point about longevity of encrypted things for
> the foundation.  Could infra maintain a key that can be added to things for
> a backdoor?
>
> See below for a snapshot of the relevant thread for background.
>
> Regards,
> KAM
>
> KAM:
> What you should do is use the pub key at http://people.apache.org/~kmcgrail/
> and encrypt a file with the password.  <soapbox>Ideally, you
> already have a key for me that chains to a circle of trust so you know for
> sure it's me.  They actually have key signing parties and stuff for this.
> I've found it to be a PITA and doesn't make me feel better that the key is
> valid.  It's not like we are trained in verifying fake IDs so it's nothing
> but an illusion of trust.</soapbox>
>
> Dave: My concern is I can sign it with your (Kevin's) key and even Brian's
> key so the two of you can open it but what happens if another 5 or 10 years
> go by and we 3 are no longer volunteering as SA sysadmins?  The next
> generation of sysadmins won't be able to open these files.
>
> There has to be a better way where we use an encrypted file with a master
> password that we share and is recorded in a safe place for the future.
>
> I use LastPass for this and I have my master password in an envelope in a
> safe for my wife to open in the event I am no longer on this planet. I have
> instructed her to take this envelope to any of my techie friends and they
> would know how to help her get access of all of my online accounts.  We
> need something like this for this team.
>
> KAM: The first consideration is that the method above with SVN is
> considered acceptable to the foundation and exists already.  It long
> predates me and has a strong encryption pedigree.  It also doesn't rely on
> a service being in business since it uses all open source software and
> files that you can mirror today.
>
> What I have done that is similar to what you describe is that my
> passphrase for my private key is in my safe.  So should I leave this mortal
> coil, the data is all recoverable.
>
> Also, we are trying to move away from master passwords as much as
> possible.  Sharing of root credentials should be avoided as just a general
> security mantra.
>
> KAM: Do you feel strongly enough about it to debate it with infra and see
> what their thoughts are?
>
> Dave: Not that strongly.  I will be glad to go along with the existing
> standards.  Seems like there should be an escrow-ed key from the foundation
> or something that we would also sign with for the future.
>
>

Re: PowerDNS web interface

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
Greg,

Dave Jones brings up a good point about longevity of encrypted things 
for the foundation.  Could infra maintain a key that can be added to 
things for a backdoor?

See below for a snapshot of the relevant thread for background.

Regards,
KAM

KAM:
What you should do is use the pub key at 
http://people.apache.org/~kmcgrail/ and encrypt a file with the 
password.  <soapbox>Ideally, you already have a key for me that chains 
to a circle of trust so you know for sure it's me.  They actually have 
key signing parties and stuff for this.  I've found it to be a PITA and 
doesn't make me feel better that the key is valid.  It's not like we are 
trained in verifying fake IDs so it's nothing but an illusion of 
trust.</soapbox>

Dave: My concern is I can sign it with your (Kevin's) key and even 
Brian's key so the two of you can open it but what happens if another 5 
or 10 years go by and we 3 are no longer volunteering as SA sysadmins?  
The next generation of sysadmins won't be able to open these files.

There has to be a better way where we use an encrypted file with a 
master password that we share and is recorded in a safe place for the 
future.

I use LastPass for this and I have my master password in an envelope in 
a safe for my wife to open in the event I am no longer on this planet. I 
have instructed her to take this envelope to any of my techie friends 
and they would know how to help her get access of all of my online 
accounts.  We need something like this for this team.

KAM: The first consideration is that the method above with SVN is 
considered acceptable to the foundation and exists already.  It long 
predates me and has a strong encryption pedigree.  It also doesn't rely 
on a service being in business since it uses all open source software 
and files that you can mirror today.

What I have done that is similar to what you describe is that my 
passphrase for my private key is in my safe.  So should I leave this 
mortal coil, the data is all recoverable.

Also, we are trying to move away from master passwords as much as 
possible.  Sharing of root credentials should be avoided as just a 
general security mantra.

KAM: Do you feel strongly enough about it to debate it with infra and 
see what their thoughts are?

Dave: Not that strongly.  I will be glad to go along with the existing 
standards.  Seems like there should be an escrow-ed key from the 
foundation or something that we would also sign with for the future.


Re: PowerDNS web interface

Posted by Dave Jones <da...@apache.org>.

On 05/15/2017 04:58 PM, Kevin A. McGrail wrote:
> On 5/15/2017 5:37 PM, Dave Jones wrote:
>>
>> My concern is I can sign it with your (Kevin's) key and even Brian's 
>> key so the two of you can open it but what happens if another 5 or 10 
>> years go by and we 3 are no longer volunteering as SA sysadmins?  The 
>> next generation of sysadmins won't be able to open these files.
>>
>> There has to be a better way where we use an encrypted file with a 
>> master password that we share and is recorded in a safe place for the 
>> future.
>>
>> I use LastPass for this and I have my master password in an envelope 
>> in a safe for my wife to open in the event I am no longer on this 
>> planet. I have instructed her to take this envelope to any of my 
>> techie friends and they would know how to help her get access of all 
>> of my online accounts.  We need something like this for this team. 
> 
> The first consideration is that the method above with SVN is considered 
> acceptable to the foundation and exists already.  It long predates me 
> and has a strong encryption pedigree.  It also doesn't rely on a service 
> being in business since it uses all open source software and files that 
> you can mirror today.
> 
> What I have done that is similar to what you describe is that my 
> passphrase for my private key is in my safe.  So should I leave this 
> mortal coil, the data is all recoverable.
> 
> Also, we are trying to move away from master passwords as much as 
> possible.  Sharing of root credentials should be avoided as just a 
> general security mantra.
> 
> Do you feel strongly enough about it to debate it with infra and see 
> what their thoughts are?
> 

Not that strongly.  I will be glad to go along with the existing 
standards.  Seems like there should be an escrow-ed key from the 
foundation or something that we would also sign with for the future.

> Regards,
> 
> KAM
> 
> 

Re: PowerDNS web interface

Posted by "Kevin A. McGrail" <km...@apache.org>.
On 5/15/2017 5:37 PM, Dave Jones wrote:
>
> My concern is I can sign it with your (Kevin's) key and even Brian's 
> key so the two of you can open it but what happens if another 5 or 10 
> years go by and we 3 are no longer volunteering as SA sysadmins?  The 
> next generation of sysadmins won't be able to open these files.
>
> There has to be a better way where we use an encrypted file with a 
> master password that we share and is recorded in a safe place for the 
> future.
>
> I use LastPass for this and I have my master password in an envelope 
> in a safe for my wife to open in the event I am no longer on this 
> planet. I have instructed her to take this envelope to any of my 
> techie friends and they would know how to help her get access of all 
> of my online accounts.  We need something like this for this team. 

The first consideration is that the method above with SVN is considered 
acceptable to the foundation and exists already.  It long predates me 
and has a strong encryption pedigree.  It also doesn't rely on a service 
being in business since it uses all open source software and files that 
you can mirror today.

What I have done that is similar to what you describe is that my 
passphrase for my private key is in my safe.  So should I leave this 
mortal coil, the data is all recoverable.

Also, we are trying to move away from master passwords as much as 
possible.  Sharing of root credentials should be avoided as just a 
general security mantra.

Do you feel strongly enough about it to debate it with infra and see 
what their thoughts are?

Regards,

KAM


-- 
Kevin A. McGrail
Asst. Treasurer, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project


Re: PowerDNS web interface

Posted by Dave Jones <da...@apache.org>.

On 05/15/2017 03:52 PM, Kevin A. McGrail wrote:
> Hi Bryan,
> 
> A) My default answer is always going to be add it to the wiki with 
> sensitive portions redacted and point to SVN files that are encrypted. 
> This follows in kind to how extremely, sensitive items
> 
> B) In my line of work, it is absolutely a failure of any security audit 
> to use a default password.  It also shouldn't be written even on this list.

I have changed the default admin password and will put it in the 
sysadmins repo properly encrypted.

> 
> What you should do is use the pub key at 
> http://people.apache.org/~kmcgrail/ and encrypt a file with the 
> password.  <soapbox>Ideally, you already have a key for me that chains 
> to a circle of trust so you know for sure it's me. They actually have 
> key signing parties and stuff for this.  I've found it to be a PITA and 
> doesn't make me feel better that the key is valid.  It's not like we are 
> trained in verifying fake IDs so it's nothing but an illusion of 
> trust.</soapbox>
> 
> Dave, can you decrypt 
> https://svn.apache.org/repos/asf/spamassassin/sysadmins/accounts/example.enc? 
> There is an example.enc.README to help explain more of the process.
> 

My concern is I can sign it with your (Kevin's) key and even Brian's key 
so the two of you can open it but what happens if another 5 or 10 years 
go by and we 3 are no longer volunteering as SA sysadmins?  The next 
generation of sysadmins won't be able to open these files.

There has to be a better way where we use an encrypted file with a 
master password that we share and is recorded in a safe place for the 
future.

I use LastPass for this and I have my master password in an envelope in 
a safe for my wife to open in the event I am no longer on this planet. 
I have instructed her to take this envelope to any of my techie friends 
and they would know how to help her get access of all of my online 
accounts.  We need something like this for this team.


> *Reminder: *Bryan, you need to get your public key on 
> http://people.apache.org/~bvest/
> 
> Regards,
> KAM
> 
> On 5/15/2017 4:01 PM, Dave Jones wrote:
>> I set up nsedit and wanted to pass this along.  We can put this in the 
>> wiki after we have properly vetted any security issues but I think I 
>> have it pretty secure.
>>
>> 1. Open an SSH tunnel from your desktop:
>>
>> ssh -f sa-vm1.apache.org -L 8090:localhost:8090 -N
>>
>> 2. Open http://localhost:8090 from your desktop browser
>>
>> 3. Login with admin/admin
>>
>> Do we need to change the default admin password?  My thought was it's 
>> not externally accessible (port 8090 listens on 127.0.0.1 and this 
>> port is not opened on the local firewall) and everyone on the server 
>> is trusted by SSH keys and has root access anyway.
>>
>> I think it's secure from the outside and the default admin password is 
>> fine in this case.
>>
> 
> 

Re: PowerDNS web interface

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
Hi Bryan,

A) My default answer is always going to be add it to the wiki with 
sensitive portions redacted and point to SVN files that are encrypted.  
This follows in kind to how extremely, sensitive items

B) In my line of work, it is absolutely a failure of any security audit 
to use a default password.  It also shouldn't be written even on this list.

What you should do is use the pub key at 
http://people.apache.org/~kmcgrail/ and encrypt a file with the 
password.  <soapbox>Ideally, you already have a key for me that chains 
to a circle of trust so you know for sure it's me. They actually have 
key signing parties and stuff for this.  I've found it to be a PITA and 
doesn't make me feel better that the key is valid.  It's not like we are 
trained in verifying fake IDs so it's nothing but an illusion of 
trust.</soapbox>

Dave, can you decrypt 
https://svn.apache.org/repos/asf/spamassassin/sysadmins/accounts/example.enc? 
There is an example.enc.README to help explain more of the process.

*Reminder: *Bryan, you need to get your public key on 
http://people.apache.org/~bvest/

Regards,
KAM

On 5/15/2017 4:01 PM, Dave Jones wrote:
> I set up nsedit and wanted to pass this along.  We can put this in the 
> wiki after we have properly vetted any security issues but I think I 
> have it pretty secure.
>
> 1. Open an SSH tunnel from your desktop:
>
> ssh -f sa-vm1.apache.org -L 8090:localhost:8090 -N
>
> 2. Open http://localhost:8090 from your desktop browser
>
> 3. Login with admin/admin
>
> Do we need to change the default admin password?  My thought was it's 
> not externally accessible (port 8090 listens on 127.0.0.1 and this 
> port is not opened on the local firewall) and everyone on the server 
> is trusted by SSH keys and has root access anyway.
>
> I think it's secure from the outside and the default admin password is 
> fine in this case.
>