[Gllug] ssh authentification
Benjamin Donnachie
benjamin at py-soft.co.uk
Tue Jul 18 13:30:50 UTC 2006
Benjamin Donnachie wrote:
>> The problem is that it's very difficult to enforce that. If a staff
>> member wants to install a passwordless keypair that gives them access
>> to your systems, how do you prevent it?
Just had another idea - though possibly impractical on a large scale...
Issue OpenPGP cards (these also protect the authentication key with a
PIN/password) and card readers to all users. Then follow the
instructions at [1] to set up gpg-agent to mimic ssh-agent on the user's
machine and to add the keys to the ssh server, making sure that users
cannot subsequently add their own public keys.
I use this to protect the admin account on my server and it works very well.
Take care,
Ben
[1] http://cyphertext.de/ssh-openpgpcard-howto.txt
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
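
One way to check the last step of the post above, that users cannot add their own public keys (an added example, not part of the original post or the linked howto): the script flags an sshd_config whose AuthorizedKeysFile still resolves inside the user's home directory. The function names, the sample configs and the /etc/ssh/authorized_keys/%u location are assumptions; Match blocks and Include files are not evaluated, and file ownership is not checked.

```shell
#!/bin/sh
# Added example: audit an sshd_config for authorized_keys locations that a
# user can write to. Assumption: only the global section is read.

# Print the global AuthorizedKeysFile patterns. sshd uses the first value it
# finds for a keyword; with none set, the default is inside the home directory.
akf_patterns() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "authorizedkeysfile" { $1 = ""; print; found = 1; exit }
         END { if (!found) print ".ssh/authorized_keys .ssh/authorized_keys2" }' "$1"
}

# Return 0 (finding) if any pattern lands in the user's home directory:
# a relative path (taken relative to the home directory) or one using %h.
# Each offending pattern is printed.
akf_user_writable() {
    rc=1
    for p in $(akf_patterns "$1"); do
        case "$p" in
            none) ;;                      # public-key files disabled
            *%h*|[!/]*) echo "user-controllable: $p"; rc=0 ;;
        esac
    done
    return $rc
}

# Constructed sample configs (not taken from the original post).
tmp=$(mktemp -d)
printf '%s\n' '# stock layout, no AuthorizedKeysFile line' \
    'PubkeyAuthentication yes' > "$tmp/weak"
printf '%s\n' 'PasswordAuthentication no' \
    'AuthorizedKeysFile /etc/ssh/authorized_keys/%u' > "$tmp/locked"

akf_user_writable "$tmp/weak" || true
akf_user_writable "$tmp/locked" || echo "locked: key files are outside the home directories"
```

The locked layout only helps if the directory holding the per-user key files is writable by root alone.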