On Wed, Feb 03, 2010 at 05:39:40PM -0500, seph spake thusly:
> When I asked my auditor about this, their opinion was that though ssh
> keys with a good passphrase can count on 2 factors, it's fairly hard to
> enforce the mandated password requirements on ssh keys. So they don't
> think they'll meet the requirements.

I too am doubtful. What if I generate the key and encrypt it myself and give the key and passphrase to the other person? And then use a configuration management system to ensure that only the encrypted key I generated will ever be in the authorized_keys files? Is there any way ssh can be changed to indicate in the key itself whether the key is encrypted that cannot be faked?

I really want to avoid having to purchase proprietary SecurID tokens. Anyone have reasonably priced PKI tokens they are using that work well with Linux?

--
Tracy Reed
http://tracyreed.org
_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/