Tracy Reed wrote:
>> The proper way to do it (Plan A) is to use keys only, but ensure
>> your keys are themselves protected by password.
>
> Ensure how? I think making it clear that creating an unencrypted key
> is a firing offense is good enough but others disagree and insist on
> technical measures.
>
> I do a lot of PCI security work these days. I have a good book on PCI
> security (I don't recall the name at the moment and don't have it on
> hand) which explicitly says that encrypted ssh keys (key plus
> password) count as two factor authentication for the purposes of
> PCI. But this brings us to the classic question: it may check the box
> saying "must have two factor auth" but is it really secure enough?
This is where you get into tokens. I prefer PKI tokens. You generate the
key pair on the token and the private key never leaves it. You would
issue PKI tokens, initialized with their keys. Using PKCS#11, openssh and
putty (among others) support PKI tokens. Then if the server uses LDAP to
store public keys for SSH and you disable local authorized_keys (so the
user cannot add other keys), you can enforce fairly secure two factor
auth.

-- END OF LINE --MCP
_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
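The server side of the setup MCP describes (public keys served from the directory, the per-user authorized_keys file disabled so nobody can add their own key) can be checked with a small audit script. This is an added example, not code from the thread; it assumes OpenSSH 6.2 or later with AuthorizedKeysCommand as the LDAP lookup hook (the post does not say how the LDAP lookup is wired), and the lookup script path /usr/local/sbin/ldap-ssh-keys is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for directory-only SSH keys.
# Assumes OpenSSH 6.2+ (AuthorizedKeysCommand); the LDAP lookup script path is a placeholder.

# sshd_directive FILE KEYWORD: value of the first uncommented KEYWORD in the global section.
# sshd honours only the FIRST occurrence of a keyword, and global directives end at the
# first "Match" line, so the scan stops there (a later "AuthorizedKeysFile none" is ignored).
sshd_directive() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# audit_sshd_config FILE: return 0 if the config enforces directory-only keys, otherwise
# print one FAIL line per problem and return 1.
audit_sshd_config() {
  f="$1"; rc=0
  keys_file=$(sshd_directive "$f" AuthorizedKeysFile)
  cmd=$(sshd_directive "$f" AuthorizedKeysCommand)
  cmd_user=$(sshd_directive "$f" AuthorizedKeysCommandUser)
  passwd=$(sshd_directive "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
  # The default AuthorizedKeysFile is .ssh/authorized_keys, so "none" must be set explicitly
  [ "$keys_file" = "none" ] || { echo "FAIL: AuthorizedKeysFile is '${keys_file:-<default>}', want none"; rc=1; }
  [ -n "$cmd" ] || { echo "FAIL: AuthorizedKeysCommand not set"; rc=1; }
  [ -n "$cmd_user" ] || { echo "FAIL: AuthorizedKeysCommandUser not set (required with AuthorizedKeysCommand)"; rc=1; }
  # A password login would bypass the token entirely
  [ "$passwd" = "no" ] || { echo "FAIL: PasswordAuthentication is '${passwd:-<default yes>}', want no"; rc=1; }
  return $rc
}

# write_sample_config FILE LINE...: write a constructed sshd_config (one directive per argument)
write_sample_config() {
  f="$1"; shift
  printf '%s\n' "$@" > "$f"
}

# Demo on a constructed hardened config
t=$(mktemp)
write_sample_config "$t" "PasswordAuthentication no" "AuthorizedKeysFile none" \
  "AuthorizedKeysCommand /usr/local/sbin/ldap-ssh-keys %u" "AuthorizedKeysCommandUser nobody"
audit_sshd_config "$t" && echo "directory-only keys enforced"
rm -f "$t"
```

The client side is the user's own concern: `ssh-keygen -D /path/to/pkcs11.so` lists the public keys held on the token, and that is what gets loaded into the directory.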