Re: Taking over root on legacy AWS account
On Wed, Aug 24, 2022 at 09:12:23PM +0100, Marcin Kulisz wrote:
> On 2022-08-23 22:55:27, Ross Vandegrift wrote:
> > On Fri, Aug 12, 2022 at 05:37:33PM +0100, Marcin Kulisz wrote:
>
> snip
>
> > > My take on the latter would be that one of the delegates if we'd have a chair
> > > would be holding MFA to this account and this would be passed along this line to
> > > the next one and it should be an obligation of the chair to do it.
> > >
> > > I would nominate Ross as the person usually chairing our meetings.
> > >
> > > Any other ideas or suggestions how to do it?
> >
> > Bastian suggested storing it in the password repo [1]. I like that since it
> > supports providing access to multiple people via their gpg keys. I don't quite
> > understand how to use pwstore, but the idea seems simple enough.
>
> From my PoV this is not about passwords but more about MFA which IMO we should
> have on the root account and I don't think that password repo will help in this
> situation.
>
> Even if we're not going to use it at all and all will be done via individual
> accounts we need to take proper measures to secure it and IMO MFA is a basic
> measure to take hence my question still stands: how are we going to do it?
The idea was to treat the OTP secret like another password - it's a string, and
you could use it with e.g. python3-pyotp to get a token. But this does
undermine the "multi-factor" part, and leaves the reset issue that Bastian
raised.
Ross
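What "treat the OTP secret like another password" means in practice, as an added example that is not code from this thread or from python3-pyotp: the base32 string an MFA enrolment hands out is the whole secret, and RFC 4226/6238 HOTP/TOTP can be computed from it with nothing but the Python standard library. The key below is the RFC test-vector key ("12345678901234567890", base32-encoded), not any real account's; the verify helper's one-step clock-skew window is a common choice, not something the thread specifies.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector key, base32-encoded (constructed sample,
# not a real MFA secret).  An AWS virtual-MFA enrolment shows a string of
# exactly this form; whoever can read it can do everything below.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 string an authenticator app is given back into key bytes.

    Enrolment pages often show the secret with spaces and without '=' padding,
    so normalise before decoding.
    """
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(key, counter) -> dynamic truncation -> zero-padded digits."""
    key = decode_secret(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret_b32, int(for_time) // step, digits)


def verify_totp(secret_b32: str, code: str, at_time=None, step: int = 30, window: int = 1) -> bool:
    """Accept a code for the current step or up to `window` steps either side.

    The window is the usual tolerance for clock skew between the device and the
    server (an assumption here, not a property of any particular provider).
    """
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d, len(code)), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Anyone holding the string in RFC_SECRET gets the same 6 digits the
    # "possession factor" would show.  Storing the string in a shared password
    # repo therefore reduces MFA to a second password.
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))
    print("TOTP at t=59:  ", totp(RFC_SECRET, 59))
    print("TOTP now:      ", totp(RFC_SECRET))
```

The same routine, given the real secret string, produces a code that AWS will accept, which is exactly why keeping the secret next to the root password in the repo collapses the two factors into one.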