Re: add keys and certificate to forwarded agent on remote host

On 18/09/18, Tim Jones (b631093f-779b-4d67-9ffe-5f6d5b1d3f8a@xxxxxxxxxxxxx) wrote:
...
> So issue your users with Yubikeys.  You can enforce the Yubikey so it
> requires the user to enter a PIN *and* touch the Yubikey.  This means
> there's an incredibly high degree of confidence that it was the user
> who performed the action (i.e. two-factor authentication of physical
> Yubikey and PIN, plus anti-keylogger because of the mandatory touching
> of the Yubikey).

I've been meaning to try a Yubikey. As I understand it, that would help
ensure that the user is the person they should be.

What is nice about runtime certificate issuance is that certificates can
be tuned for particular per-user, per-instance use cases, such as "root
on all DC1 webservers".

Unless I've misunderstood, verification of the user and the permissions
they have for potentially many roles on many servers are quite different
things.

Thanks very much 
Rory
 
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
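
The "root on all DC1 webservers" case mentioned in the message, as an added example that is not part of the original post or of OpenSSH itself: a throwaway CA signs a user key with a one-hour certificate whose only principal is a role name, and the certificate is then checked against two per-host principal lists. The CA, key ID, role names and file names are constructed for illustration, and `role_allowed` is a simplified stand-in for the match sshd performs.

```shell
#!/bin/sh
# Added example (constructed names throughout): a demo CA signs a user key
# with a one-hour certificate whose only principal is a role name.
set -eu

# issue_role_cert CA_KEY USER_PUB KEY_ID PRINCIPALS VALIDITY
# Writes the certificate next to USER_PUB as <name>-cert.pub.
issue_role_cert() {
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -V "$5" "$2"
}

# cert_principals CERT: print the principals embedded in CERT, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Principals:/       { p = 1; next }
        /Critical Options:/ { p = 0 }
        p                   { sub(/^[ \t]+/, ""); print }'
}

# role_allowed CERT PRINCIPALS_FILE: succeed if any certificate principal is
# listed in the file. Simplified model of sshd's AuthorizedPrincipalsFile
# match (per-line options are ignored here).
role_allowed() {
    cert_principals "$1" | grep -qxFf "$2"
}

# demo: build a throwaway CA and user key in a temp dir, issue the cert and
# check it against two hypothetical hosts' principal lists for "root".
demo() {
    d=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$d/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C rory -f "$d/id_ed25519"
    issue_role_cert "$d/user_ca" "$d/id_ed25519.pub" rory@demo root-dc1-web +1h
    echo root-dc1-web > "$d/dc1_web_root"   # what a DC1 webserver would list
    echo root-dc2-db  > "$d/dc2_db_root"    # what some other host would list
    cert="$d/id_ed25519-cert.pub"
    dc1=deny; dc2=deny
    if role_allowed "$cert" "$d/dc1_web_root"; then dc1=allow; fi
    if role_allowed "$cert" "$d/dc2_db_root"; then dc2=allow; fi
    echo "principals=$(cert_principals "$cert") dc1-web=$dc1 dc2-db=$dc2"
    rm -rf "$d"
}

demo
```

On a real server the principal list is the file named by sshd's `AuthorizedPrincipalsFile`, and the CA public key is trusted through `TrustedUserCAKeys`. Who the user is (for example a Yubikey-backed key) and which roles the certificate grants remain separate decisions, as the message notes.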


