Support Keys

[Bluto]

IPS Support, beyond answering a question via ticket, is useless to me.

Now, I'm not saying the Support Staff is useless, quite the opposite - they're very helpful.  

Since I'm the rare individual that subscribes to a high level of security on my server, I use keys.  Having this setup, IPS can't seem to provide me with a key so I can provide IPS access to my server.

I've asked many times in the past for IPS to provide a key option, but all that is provided is password FTP/SFTP access options only.

Am I asking for something which is unreasonable?

All that I get is the stock IPS response about not providing the access information.

Anyway, I'd love to get IPS 4 stars on Yelp, but without the ability above, well you know.

#1019304

[Aiwa]

That’s been the norm for years, user / pass auth or bust. 

I’m with you in that I don’t allow FTP, but only SFTP via key auth. That said, I don’t generally have any tickets that would require FTP. 😉 

The answer I’ve seen in the past revolves around providing a consistent service standard. If Tech A provides a key, only they can log in, Tech B can’t log in. If IPS uses / shares a key between all, that gets around that issue, but they must pass their private key around internally. If, somehow that key got out, it would compromise any number of communities that didn’t remove it from their authorized keys. You’d have a single key that could potentially breach a number of clients. That in and of itself would be a security issue. 

If security is that much of an issue to you, I wouldn’t see providing FTP access as an option to begin with.  

Depends on the ticket content on whether or not FTP is required. I’d like to think most tickets these days can be resolved without it. 

[Bluto]

Yea, IPS is pretty good a solving issues without server access.

Since it appears to be a small number of people using keys, I would think the idea of a private key security issue would be rare.  IPS could protect themselves by requiring me to activate the Key option making it my responsibility to remove their key from my server.  Heck they could charge me $10 a year for the access.  Let me know where to pay and I'll pay that $10.

Long term I would hope the industry as a whole moves to keys or something better, I don't see it going back to passwords.  With that being said, preparing for the future and working out any kinks in a key based IPS support system, I would think, would be the future system for client server access.  Having a few clients with key access would allow the IPS team and the IPS developers to fine tune a solid system.

I'm ok with limited SFTP access for IPS for a specific timeframe.  That's the thing, security isn't an issue for me.  My security is fine.  My security shouldn't have to go backwards to allow access.

It is what it is.  I won't get support.  No one is interested in keys.

I'm a rebel, I use NGINX and KEYS!!!

[maddog107_merged]

I have been asking for key support for years from IPB. My server does not accept passwords. The workaround was to configure sshd so that it *does* accept passwords from the IPB IP's but everything else it requires keys. Not great but at least it supports my security requirements. 

[Aiwa]

That’s true, I had forgotten that all techs have access to, or used to, that affords them a static IP. So IP based security measures could be used to bypass key Auth for the specific IPS IP. 

[Bluto]

That must be an interesting setup with passwords for some and keys for others.  I've never even attempted to do that (was always either one or the other).

[maddog107_merged]

@Bluto

 

At the very end of your sshd_config (has to be at the very end) add 

# IPS Support IPs
Match Address 52.1.xxx.xxx,50.28.xxx.xxx,50.28.xxx.xxx
    PasswordAuthentication yes

 

Not sure if im allowed to provide the IPS IPs, you can ask them and they will give them to you. There are not that many. 

[Mark H]

Yes, if you ask for our corporate IP Addresses in a ticket, we are happy to provide those so you can whitelist them.