Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [] SSH Auth Bot and your account security

I am probably missing something obvious. Für die Riena instance we dont
have an HIPP instance and we dont plan to have one. (and it makes no sense
for us) Dont we need a ssh shell account to sign our p2 deliverable ?

On the other hand I dont understand why shell access is related to Git
access (vs Gerrit access). I personally never want to move to Gerrit, and
it is different from direct Git access.
I mean currently we use Git with SSH and shell access. But I know that you
can also configure Git to use the GIT user and each user uses ssh key
authentication with ssh passphrases. I.e. Stash is using that and I know
other do that too (I think Github). In that way you dont need ssh shell
access but you can still use Git (vs Gerrit). Why isnt that the better
path to move forward ?


Am 15.01.16, 18:04 schrieb " on
behalf of Denis Roy" unter < on
behalf of denis.roy@xxxxxxxxxxx>:

>As a quick follow-up: if you have a HIPP instance and a shell account,
>we won't automatically revoke your shell. I apologize if my wording
>convinced you otherwise.
>We know who you are and we know who uses the shell and who doesn't.
>We're paranoid but smart.
>On 01/15/2016 11:45 AM, Denis Roy wrote:
>> Greetings committers,
>> A handful of you have SSH access to You may have seen
>> the SSH Auth Bot block shell access to you from an unknown location at
>> some time.
>> Today we've had our first instance of unauthorized access. Fortunately,
>> the SSH Auth Bot blocked that access and prevented a potential disaster
>> for our data and our computer systems. But more importantly:
>>      _The committer informed us immediately_
>> If your account is blessed with shell access, we appreciate your
>> continued attention to the SSH Auth Bot warnings you may receive.
>> Moving forward, we'll be removing shell access from those accounts who
>> do not have a valid need for it. Basically, any project that owns a HIPP
>> instance has no real need for a shell, as the HIPP instance can run
>> shell scripts on your behalf. We'll also be adding access history to
>> your account page on, so you can audit and monitor your
>> access to our servers.
>> Once pure Git is deprecated [1] and Gerrit is used for all our repos,
>> SSH access will be entirely eliminated for all users except a few that I
>> can count on my left hand. Local SSH access is our #1 security liability
>> at the moment.
>> Thanks again for being a good Eclipse citizen.
>> Denis
>> [1]
> mailing list
>IMPORTANT: Membership in this list is generated by processes internal to
>the Eclipse Foundation.  To be permanently removed from this list, you
>must contact emo@xxxxxxxxxxx to request removal.

compeople AG
Untermainanlage 8
60329 Frankfurt/Main
fon: +49 (0) 69 / 27 22 18 0
fax: +49 (0) 69 / 27 22 18 22

Vorstand: Jürgen Wiesmaier
Aufsichtsratsvorsitzender: Christian Glanz

Sitz der Gesellschaft: Frankfurt/Main
Handelsregister Frankfurt HRB 56759
USt-IdNr. DE207665352

Back to the top