[cfarm-users] Aging inactive cfarm users?
Jonathan Wakely
jwakely.gcc at gmail.com
Sun Apr 14 13:46:21 CEST 2024
On Sun, 14 Apr 2024, 12:15 Baptiste Jonglez via cfarm-users, <cfarm-users at lists.tetaneutral.net> wrote:
> On 09-04-24, David Malcolm via cfarm-users wrote:
> > I was wondering if the compile farm has any policies/procedures for
> > aging out long-dormant users (to minimize exposure in case of stolen
> > credentials).
>
> Good question. We have no such policy currently. We can of course
> disable accounts, but it currently happens only when people explicitly
> indicate they don't need access to the farm anymore, or in case of serious
> abuse.
>
> We have both long-term users and short-term users, so a policy would have
> to account for all cases.
>
> > For example, I've sponsored a few GSoC contributors over the years as
> > cfarm users, and some haven't stayed around within FLOSS.
> >
> > FWIW, a similar discussion for Sourceware can be seen here:
> > https://inbox.sourceware.org/overseers/ZhQZXogZMozVjIYn@elastic.org/T/#t
>
> It would not be straightforward to track all SSH access on the farm, both
> for privacy reasons and technical reasons (the farm has very diverse
> systems, and some people run jobs via cron).
>
What are the privacy reasons?

It's a free, public service offered to the community; why should users have
any expectation of being able to use it in secret?

If you don't want the cfarm admins to be aware of whether or not you are
using the service, you should pay for your own access to another service.

I don't think it would be unreasonable to say that if you're only running
jobs via cron that you need to log in via ssh once every 6 months to keep
your account active.

So it seems the only obstacle is a technical one of actually measuring who
is logging in via ssh, which surely can be solved. Audit logs must exist
which record who logs in. And if they don't exist on some more exotic
systems, require everybody to log in to one of the less exotic systems at
least once every 6 months.
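As an added illustration (not part of the message above and not cfarm tooling), the inactivity check discussed in this thread could be computed from sshd logs roughly as follows: only successful SSH logins count, cron sessions and failed attempts do not, and a login on any host keeps the account active. The ISO-timestamped log format, the host and user names, and the 183-day stand-in for "6 months" are assumptions; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real cfarm logs); ISO timestamps are assumed.
SAMPLE_LOG = """\
2023-05-02T10:01:00 host1 sshd[811]: Accepted publickey for bob from 192.0.2.7 port 40022 ssh2
2023-06-11T17:30:12 host1 sshd[902]: Accepted publickey for dave from 192.0.2.9 port 40100 ssh2
2023-12-01T08:00:05 host2 sshd[120]: Accepted publickey for dave from 192.0.2.9 port 40311 ssh2
2024-03-20T09:12:44 host1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
2024-04-10T03:14:15 host2 sshd[377]: Failed password for carol from 198.51.100.4 port 51234 ssh2
2024-04-13T02:00:01 host1 CRON[3111]: pam_unix(cron:session): session opened for user bob(uid=1001) by (uid=0)
"""

# Matches only successful sshd authentications, whatever the auth method.
ACCEPTED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from ")


def last_ssh_login(lines):
    """Map user -> most recent successful sshd login, merged across hosts."""
    latest = {}
    for line in lines:
        m = ACCEPTED.match(line)
        if not m:
            continue  # cron sessions and failed attempts do not count
        when, user = datetime.fromisoformat(m.group(1)), m.group(2)
        if user not in latest or when > latest[user]:
            latest[user] = when
    return latest


def stale_accounts(accounts, lines, now, max_idle=timedelta(days=183)):
    """Accounts with no successful SSH login within max_idle of `now`.

    Accounts that never appear in the logs are reported as stale too.
    """
    latest = last_ssh_login(lines)
    return sorted(a for a in accounts
                  if a not in latest or now - latest[a] > max_idle)


if __name__ == "__main__":
    users = ["alice", "bob", "carol", "dave"]
    print(stale_accounts(users, SAMPLE_LOG.splitlines(), datetime(2024, 4, 14)))
```

Here bob is flagged despite a recent cron session, and dave stays active because of a login on a second host.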