Erik Ableson on Nostr: TOTD: Should we be using a separate identity system for the accounts that are used to ...
TOTD: Should we be using a separate identity system for the accounts that are used to manage infrastructure components?
Not just a separate account as in the classic “username-adm” approach, but a completely separate directory stack that requires MFA on *all of the things*.
Not really an option in the cloud systems, but anything on-prem could follow this model, and it allows us to be really draconian about controlling modifications in a way that is too inconvenient on the general directory system.
Published at
2023-10-24 15:55:16
Event JSON
{
"id": "5398e4fa5a8c36abc5a61b986946d8d222788e2faf84eec29ef8e4e23414394b",
"pubkey": "3729efc5cb70d14b7ca5c2e35f5db769a4b29e2a3201c54e2003a91bfdd06e40",
"created_at": 1698162916,
"kind": 1,
"tags": [
[
"proxy",
"https://mastodon.infrageeks.social/users/erik/statuses/111290804883966245",
"activitypub"
]
],
"content": "TOTD: Should we be using a separate identity system for the accounts that are used to manage infrastructure components?\n\nNot just separate account as in the classic “username-adm” approach, but a completely separate directory stack that requires MFA on *all of the things*\n\nNot really an option in the cloud systems, but anything on-prem could follow this model and it allows us to be really draconian about controlling modifications in a way that is too inconvenient on the general directory system",
"sig": "5425ed66d1af6ad2d7218d76f22546676763466e4d5e169bc8966f2c86822cb3b941d4a28a2b4657f7ef3b19011563493587d6ae119513e1d0ed387cb8637c63"
}