Randy Calvert
Posted January 12, 2022

It is recommended by Invision to store information regarding FTP/SFTP and ACP login to our communities in order for IPS staff to be able to more quickly provide support when needed. I understand and support this, as I appreciate being able to reduce the amount of time going back and forth trying to get access. However, I would like to see IPS add additional controls on how it accesses our sites. For example:

IPS staff ask us to disable 2FA for an account used by support. This literally opens a back door to our site. We should not be forced to enable/disable 2FA access for IPS to provide support. There are ways for staff to be able to share a 2FA token. We could technically create a second Admin group that does not require 2FA access, but again it opens an avenue for an attacker to potentially work around the existing controls.

IPS does not support password-less FTP/SFTP access. Passwords are a huge security risk. They open the door to brute force attacks unnecessarily for those who choose a more secure method of using keys. Please consider allowing us to store a key file for access instead of just a password.

I understand not everyone needs/wants the additional layers of security; however, I would hope IPS would be willing to consider supporting these additional capabilities for those that do add additional layers of controls to their community.

Runar
Posted January 12, 2022

I agree completely, especially regarding password-less server access. My way of solving this issue is to leave the support account in the member group, and only make it an administrator when I actually need support. In addition to this, I have disabled password-less access to my servers and it’s never been necessary to change this. I did once try to configure SFTP with access to the necessary files only, but on my current setup this is disabled as well.