On 18/09/18, Tim Jones (b631093f-779b-4d67-9ffe-5f6d5b1d3f8a@xxxxxxxxxxxxx) wrote:
...
> So issue your users with Yubikeys. You can enforce the Yubikey so it
> requires the user to enter a PIN *and* touch the Yubikey. This means
> there's an incredibly high degree of confidence that it was the user
> who performed the action (i.e. two-factor authentication of physical
> Yubikey and PIN, plus anti-keylogger because of the mandatory touching
> of the Yubikey).

I've been meaning to try a Yubikey. As I understand it, that would help
ensure that the user is the person they should be.

What is nice about runtime certificate issuance is that certificates can
be tuned for particular per-user, per-instance use cases, such as "root
on all DC1 webservers". Unless I've misunderstood, verification of the
user and the permissions they have for potentially many roles on many
servers are quite different things.

Thanks very much

Rory

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
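The per-role certificate Rory describes ("root on all DC1 webservers") is what OpenSSH principals express: the issuer puts a role string in the certificate, and only the hosts whose AuthorizedPrincipalsFile lists that string for the target account accept it. The script below is an added example, not code from the thread or from OpenSSH itself. It assumes ssh-keygen is on PATH; the principal string root@dc1-web, the key ID form "<user>@issuer", and the file layout under a temporary directory are illustrative stand-ins for a real issuing service and /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the thread: a short-lived OpenSSH user certificate whose
# principal encodes one per-user, per-role grant (here "root on the DC1 webservers"),
# plus the sshd-side mapping that decides which hosts honour it.
# Assumptions: ssh-keygen is on PATH; the principal "root@dc1-web", the key ID form
# "<user>@issuer" and the file layout under $WORK are illustrative.
set -eu

if ! command -v ssh-keygen >/dev/null 2>&1; then
    echo "ssh-keygen not found; this example needs the OpenSSH client tools" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. CA key held by the issuing service, and a user key (both generated only for the
#    demo; in practice the user key stays on the user's device or hardware token).
ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/user_ca"
ssh-keygen -q -t ed25519 -N '' -C 'rory'    -f "$WORK/rory"

# issue_cert USER ROLE TTL
# Sign USER's public key with principal ROLE, valid for TTL (ssh-keygen -V syntax,
# e.g. 1h). The key ID shows up in sshd's auth log; the serial lets the certificate
# be revoked through a KRL. Prints the path of the issued certificate.
issue_cert() {
    user=$1; role=$2; ttl=$3
    ssh-keygen -q -s "$WORK/user_ca" \
        -I "$user@issuer" \
        -n "$role" \
        -V "+$ttl" \
        -z "$(date +%s)" \
        -O clear -O permit-pty \
        "$WORK/$user.pub"
    # ssh-keygen writes USER-cert.pub; keep one file per role so several can coexist.
    mv "$WORK/$user-cert.pub" "$WORK/$user.$role-cert.pub"
    echo "$WORK/$user.$role-cert.pub"
}

# cert_principals CERT: the principals ssh-keygen -L reports for CERT, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/^[[:space:]]*Principals:/ {p=1; next} /^[[:space:]]*Critical Options:/ {p=0} p {print $1}'
}

# 2. Server side, as it would be on a DC1 webserver (written under $WORK here; on a
#    real host these are /etc/ssh/sshd_config and /etc/ssh/auth_principals/<account>).
mkdir -p "$WORK/etc/ssh/auth_principals"
cp "$WORK/user_ca.pub" "$WORK/etc/ssh/user_ca.pub"
cat > "$WORK/etc/ssh/sshd_config" <<'EOF'
# Accept user certificates signed by the issuing CA ...
TrustedUserCAKeys /etc/ssh/user_ca.pub
# ... but only when a principal in the certificate is listed for the target account.
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
# Only the DC1 webservers list this principal for root; DC1 database hosts do not.
echo 'root@dc1-web' > "$WORK/etc/ssh/auth_principals/root"

# host_accepts ACCOUNT CERT: succeed if this host's principals file for ACCOUNT
# contains a principal carried by CERT (the same test sshd applies, expiry aside).
host_accepts() {
    account=$1; cert=$2
    [ -f "$WORK/etc/ssh/auth_principals/$account" ] || return 1
    cert_principals "$cert" | grep -qxF -f "$WORK/etc/ssh/auth_principals/$account"
}

# 3. Two certificates for the same user and key, differing only in the role they grant.
CERT_WEB=$(issue_cert rory root@dc1-web 1h)
CERT_DB=$(issue_cert rory root@dc1-db 1h)
ssh-keygen -L -f "$CERT_WEB"

for c in "$CERT_WEB" "$CERT_DB"; do
    if host_accepts root "$c"; then
        echo "root login with $(cert_principals "$c"): accepted on a DC1 webserver"
    else
        echo "root login with $(cert_principals "$c"): rejected on a DC1 webserver"
    fi
done
```

Two details carry the least-privilege point: `-O clear -O permit-pty` strips the default extensions (agent and port forwarding, X11) before granting back only what the role needs, and `-V +1h` bounds the grant in time so an issued certificate does not outlive the task it was minted for. Who the user is (the hardware token) and what they may do where (the principal plus the per-host principals file) stay separate, which is the distinction the message draws.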