<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, 14 Apr 2024, 12:15 Baptiste Jonglez via cfarm-users, &lt;<a href="mailto:cfarm-users@lists.tetaneutral.net">cfarm-users@lists.tetaneutral.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 09-04-24, David Malcolm via cfarm-users wrote:<br>
> I was wondering if the compile farm has any policies/procedures for<br>
> aging out long-dormant users (to minimize exposure in case of stolen<br>
> credentials).<br>
<br>
Good question. We have no such policy currently. We can of course<br>
disable accounts, but it currently happens only when people explicitly<br>
indicate they don't need access to the farm anymore, or in case of serious<br>
abuse.<br>
<br>
We have both long-term users and short-term users, so a policy would have<br>
to account for all cases.<br>
<br>
> For example, I've sponsored a few GSoC contributors over the years as<br>
> cfarm users, and some haven't stayed around within FLOSS.<br>
> <br>
> FWIW, a similar discussion for Sourceware can be seen here:<br>
> <a href="https://inbox.sourceware.org/overseers/ZhQZXogZMozVjIYn@elastic.org/T/#t" rel="noreferrer noreferrer" target="_blank">https://inbox.sourceware.org/overseers/ZhQZXogZMozVjIYn@elastic.org/T/#t</a><br>
<br>
It would not be straightforward to track all SSH access on the farm, both<br>
for privacy reasons and technical reasons (the farm has very diverse<br>
systems, and some people run jobs via cron).<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">What are the privacy reasons?</div><div dir="auto"><br></div><div dir="auto">It's a free, public service offered to the community; why should users have any expectation of being able to use it in secret?</div><div dir="auto"><br></div><div dir="auto">If you don't want the cfarm admins to be aware of whether or not you are using the service, you should pay for your own access to another service.</div><div dir="auto"><br></div><div dir="auto">I don't think it would be unreasonable to say that if you're only running jobs via cron you need to log in via ssh once every 6 months to keep your account active.</div><div dir="auto"><br></div><div dir="auto">So it seems the only obstacle is a technical one of actually measuring who is logging in via ssh, which surely can be solved. Audit logs must exist which record who logs in. And if they don't exist on some more exotic systems, require everybody to log in to one of the less exotic systems at least once every 6 months.</div></div>