Tracy Reed <tr...@ultraviolet.org> writes:

> I do a lot of PCI security work these days. I have a good book on PCI
> security (I don't recall the name at the moment and don't have it on
> hand) which explicitly says that encrypted ssh keys (key plus
> password) counts as two factor authentication for the purposes of
> PCI. But brings us to the classic question: It may check the box
> saying "must have two factor auth" but is it really secure enough?

When I asked my auditor about this, their opinion was that though ssh keys with a good passphrase can count on 2 factors, it's fairly hard to enforce the mandated password requirements on ssh keys. So they don't think they'll meet the requirements.

seph