On 30/11/21 7:14 am, James H. H. Lampert wrote:
> I have access to a number of Amazon Linux virtual boxes, that don't like password authentication in general (preferring certificate authentication . . . which authenticates the BOX that is ssh-ing in, but not the WARM BODY between the chair and the keyboard).

On the topic of SSH certificates, they seem fine at first, but when you delve deeper they are a serious security risk because they are issued by individual users and are effectively unmanaged and unmaintained. In large organisations they are a nightmare to control.

The current best practice is to use a third-party authenticator where access control is centrally managed. Even so, automatic authentication means you have no control over the warm body or hacking script that is using it.
-- Jeremy
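Centrally managed SSH access, as an added example that is not part of this thread and not either poster's setup: OpenSSH's own user certificate authority. One CA key, held by the access team, signs short-lived certificates that carry a named principal and a key ID; every server trusts only the CA public key, ignores per-user authorized_keys and has passwords off. The work directory, the key names, the principal `alice`, the certificate lifetime and the config paths are assumptions made up for the demo, and it needs `ssh-keygen` on the PATH.

```shell
#!/bin/sh
# Added example, not part of the thread: centrally managed SSH access with an
# OpenSSH user certificate authority. One CA key, held by the access team, signs
# short-lived certificates bound to a named person; every server trusts the CA
# and ignores per-user authorized_keys. The work directory, key names, config
# paths and the user "alice" are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# The CA key pair. Only user_ca.pub is distributed to servers; the private key
# never leaves the signing host.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'org-ssh-user-ca' -f "$WORK/user_ca"
}

# Issue a certificate for one person: key ID (recorded in sshd's auth log),
# principal (the identity the cert may log in as), a validity window, and only
# the permit-pty extension (-O clear first drops agent/port/X11 forwarding).
issue_cert() {
    person="$1"      # e.g. alice
    hours="$2"       # lifetime; an expired cert is refused with no revocation step
    ssh-keygen -q -t ed25519 -N '' -C "$person" -f "$WORK/$person"
    ssh-keygen -q -s "$WORK/user_ca" -I "$person" -n "$person" \
        -V "-5m:+${hours}h" -O clear -O permit-pty "$WORK/$person.pub"
    echo "$WORK/$person-cert.pub"
}

# Principals embedded in a certificate, one per line (what sshd matches
# against the account name or AuthorizedPrincipalsFile).
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^ *Principals:/ { p = 1; next }
        /^ *(Critical Options|Extensions):/ { p = 0 }
        p { sub(/^ +/, ""); print }'
}

# "yes" if the certificate was signed by our CA key, "no" for anything else,
# including a bare public key (which is all an ad-hoc authorized_keys entry is).
cert_signed_by_ca() {
    ca_fp=$(ssh-keygen -lf "$WORK/user_ca.pub" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) print $i }')
    cert_fp=$(ssh-keygen -L -f "$1" 2>/dev/null |
        awk '/^ *Signing CA:/ { for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) print $i }')
    if [ -n "$ca_fp" ] && [ "$cert_fp" = "$ca_fp" ]; then echo yes; else echo no; fi
}

# sshd side: trust the CA, ignore per-user authorized_keys, map principals to
# accounts through files the admins control, and turn passwords off.
write_sshd_fragment() {
    cat > "$WORK/50-user-ca.conf" <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedKeysFile none
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
PasswordAuthentication no
EOF
    echo "$WORK/50-user-ca.conf"
}

# Stand-alone run: issue alice an 8-hour certificate and show what sshd will see.
demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 0; }
    make_ca
    cert=$(issue_cert alice 8)
    ssh-keygen -L -f "$cert"
    echo "signed by our CA: $(cert_signed_by_ca "$cert")"
    echo "sshd fragment written to: $(write_sshd_fragment)"
}

demo
```

Run it with `sh ssh_ca_demo.sh`; the `50-user-ca.conf` fragment is meant for the servers' sshd configuration alongside the CA public key, with one file per local account under the assumed `/etc/ssh/auth_principals/` directory listing the principals allowed to log in as that account. A certificate still only proves possession of the signed private key, so it does not by itself tell a person from a script; what the CA adds is that every key able to log in was issued from one place, carries a named identity in the auth log, and expires on its own.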