dfranke wrote:
db3l, that does mitigate the problem, yes. However, it's inadequate for more serious problems which require booting from a rescue system or just reimaging the node altogether. It also requires that I remember how to get to Lish without logging into the Manager to look it up.

Well, you can boot into specific profiles (and list the ones you have) from the lish command prompt, so you should be able to do anything in that regard that you can do from Linode Manager. If the box is just failing to start fully, you'll have console/single user access from lish. I'm assuming you would have already set up a profile for the rescue environment (e.g., finnix boot against same disk images), which I think is a good policy, at least as far as getting the box basically back up and operational. If you hadn't, then the alternative would be the Linode API if you didn't have manager access.
I guess if you do end up at a point of the entire host being down or something else outside of your control you'll have a problem - of course, even with Linode Manager in that case you would likely not be able to interact with your failing Linode.
For remembering how to access, I'd suggest setting things up beforehand to simplify that. For example, what I have set up is a local /etc/hosts entry on my personal systems that provides an alias for the appropriate <datacenter>##.linode.com host address. Then, in my ~/.ssh/config I set up an automatic username for that alias which thus keeps track of my linode#### username. Set the appropriate ssh key for lish, and you're down to just "ssh <alias>" to get access to lish for your box at any time.
Since this is really just an emergency approach if you do have a full loss of service on your box, simultaneous with your source address changing for Linode Manager, the exposure window should be quite small to start with, and I'd think this provides enough tools to help ensure you could take care of things in that rare case.
Of course, I still don't disagree that additional whitelist management methods could be helpful - just not sure you're really risking a catch-22 in the current scenario.
Perhaps the Linode API could be expanded to permit updating the whitelist, which would probably be less back-end work than trying to integrate phone or SMS service.
-- David
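
Added example, not part of the post above: one way to script the Lish shortcut David describes, so that `ssh <alias>` works without looking anything up in the Manager. It uses ssh_config's `HostName` directive in place of the /etc/hosts entry; the function name `add_lish_alias` and all argument values are hypothetical placeholders you supply yourself.

```shell
#!/bin/sh
# Append an ssh_config stanza for a Lish alias, idempotently.
# add_lish_alias is a hypothetical helper name; every value is supplied by the caller.

add_lish_alias() {
    alias_name=$1   # short name you will type after "ssh"
    lish_host=$2    # your <datacenter>##.linode.com Lish host
    lish_user=$3    # your linode#### username
    key_path=$4     # private key whose public half is set up for Lish
    config=${5:-$HOME/.ssh/config}

    # Create the directory and file with owner-only permissions if missing;
    # ssh refuses to use a config file that other users can write to.
    dir=$(dirname "$config")
    [ -d "$dir" ] || mkdir -m 700 -p "$dir"
    touch "$config"
    chmod 600 "$config"

    # Do nothing if a stanza for this alias is already present.
    if grep -qE "^[[:space:]]*Host[[:space:]]+$alias_name([[:space:]]|\$)" "$config"; then
        return 0
    fi

    # HostName maps the alias to the real host, so no /etc/hosts entry is needed.
    # IdentitiesOnly makes ssh offer only the named key, not every key in the agent.
    cat >> "$config" <<EOF

Host $alias_name
    HostName $lish_host
    User $lish_user
    IdentityFile $key_path
    IdentitiesOnly yes
EOF
}

# Usage (placeholders, fill in your own values):
#   add_lish_alias lish '<datacenter>##.linode.com' 'linode####' ~/.ssh/id_lish
```

Running it a second time with the same alias leaves the file unchanged, so it is safe to keep in a workstation setup script.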