add keys and certificate to forwarded agent on remote host
Rory Campbell-Lange
rory at campbell-lange.net
Wed Sep 19 02:07:56 AEST 2018
On 18/09/18, Tim Jones (b631093f-779b-4d67-9ffe-5f6d5b1d3f8a at protonmail.ch) wrote:
...
> So issue your users with Yubikeys. You can enforce the Yubikey so it
> requires the user to enter a PIN *and* touch the Yubikey. This means
> there's an incredibly high degree of confidence that it was the user
> who performed the actiion (i.e. two-factor authentication of physical
> Yubikey and PIN, plus anti-keylogger because of the mandatory touching
> of the Yubikey).
I've been meaning to try a Yubikeys. As I understand it that would help
ensure that the user is the person they should be.
What is nice about runtime certificate issuance is that certificates can
be tuned for particular per-user, per-instance use cases, such as "root
on all DC1 webservers".
Unless I've misunderstood, verification of the user and the permissions
they have for potentially many roles on many servers are quite different
things.
Thanks very much
Rory
More information about the openssh-unix-dev
mailing list