Re: SSH certificates - restricting to host groups

On 1/31/20 5:21 PM, Brian Candler wrote:
> On 31/01/2020 15:37, Michael Ströder wrote:
>> (BTW: yubikey is slow. So if you have admins accessing many machines in
>> one go you will get a notable latency during first SSH connection.)
> 
> I meant using a single Yubikey as the CA to sign the certificates.

Ah, I've misread that. Just using temporary key/cert files makes things
easier at the client side.

> I'm thinking of an organization where the number of admins is in the low
> tens.  The end-game of having daily keys and certs loaded directly into
> ssh-agent is very appealing, but I'm not sure we're ready to jump right
> there yet.  Getting people over to certs and starting to rip out
> ~/.ssh/authorized_keys is an important first step.

I'm not sure I get your reasoning why having a longer cert validity period
makes things easier for the user. IMHO the opposite is true.

If your installation just works on all required OS platforms (client and
server) it's pretty easy to teach people how to use it to get a
short-term user cert once or twice a day. Anyway, they have to be capable
of doing this at any time no matter how long the cert validity period is.

Ciao, Michael.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
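As an added example of the workflow Michael describes (it is not code from this thread or from the OpenSSH project): a short-lived user certificate is minted from a CA key, restricted to named principals, inspected, and, if an agent is running, loaded into ssh-agent with a matching lifetime. It assumes OpenSSH's `ssh-keygen` and `ssh-add` are installed; the key file names, the principals `alice` and `webservers-admin`, and the 12-hour validity are constructed values for the example.

```shell
#!/bin/sh
# Added example: mint a short-lived OpenSSH user certificate and load it
# into ssh-agent. Not code from the thread; assumes OpenSSH's ssh-keygen
# and ssh-add are installed. Names and values below are constructed.
set -eu

# issue_short_lived_cert CA_KEY USER_KEY PRINCIPALS HOURS KEY_ID
# Signs USER_KEY.pub with CA_KEY. The cert is backdated 5 minutes to
# tolerate clock skew and expires HOURS hours from now. PRINCIPALS is a
# comma-separated list; sshd matches them against AuthorizedPrincipalsFile,
# which is how one cert can be confined to a single host group.
# Prints the path of the certificate file ssh-keygen writes.
issue_short_lived_cert() {
    ca_key=$1; user_key=$2; principals=$3; hours=$4; key_id=$5
    ssh-keygen -q -s "$ca_key" -I "$key_id" -n "$principals" \
        -V "-5m:+${hours}h" "${user_key}.pub"
    printf '%s\n' "${user_key}-cert.pub"
}

# cert_principals CERT: print one principal per line, parsed from
# `ssh-keygen -L` (the indented block between "Principals:" and
# "Critical Options:").
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/^ *Principals:/ {inlist=1; next}
             /^ *Critical Options:/ {inlist=0}
             inlist {print $1}'
}

# cert_validity CERT: print "from <start> to <end>" so the validity window
# can be checked before the key is handed to the agent.
cert_validity() {
    ssh-keygen -L -f "$1" | awk '/^ *Valid:/ {sub(/^ *Valid: */, ""); print}'
}

# load_into_agent USER_KEY HOURS: ssh-add picks up USER_KEY-cert.pub next
# to the private key; -t makes the agent drop it when the cert expires.
load_into_agent() {
    user_key=$1; hours=$2
    ssh-add -t "$((hours * 3600))" "$user_key"
}

# Demonstration with a throwaway CA and user key in a temp directory.
if command -v ssh-keygen >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C 'example-ca' -f "$workdir/ca"
    ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$workdir/alice"
    cert=$(issue_short_lived_cert "$workdir/ca" "$workdir/alice" \
        "alice,webservers-admin" 12 "alice-$(date +%Y%m%d)")
    echo "certificate: $cert"
    echo "principals:"; cert_principals "$cert"
    echo "validity:    $(cert_validity "$cert")"
    # Only talk to an agent if one is actually running.
    if [ -n "${SSH_AUTH_SOCK:-}" ]; then
        load_into_agent "$workdir/alice" 12
    fi
    rm -rf "$workdir"
fi
```

On the server side the matching pieces are `TrustedUserCAKeys` (the CA public key) and `AuthorizedPrincipalsFile` in `sshd_config`: a host in the web-server group lists `webservers-admin`, so the same daily cert only opens the machines whose principals file names that group. Re-running the issuing step once or twice a day is the whole client-side procedure; a longer validity period does not remove it, it only makes a leaked key usable for longer.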
