[Discuss] deadmanish login?
Kent Borg
kentborg at borg.org
Sat Feb 11 12:45:20 EST 2017
On 02/10/2017 10:50 PM, John Byrnes wrote:
> You can keep your ssh keys on a PIN protected smartcard and only
> insert it when you need to log in somewhere. Your keys never leave the
> card. When the card is unplugged, an attacker has no access at all. I
> feel like this is better than a password. It also makes it easier to
> keep the keys synchronized between boxes.
I agree. Were I needing to manage access to zillions of machines, the
effort to set up and maintain that would be worth it.
> gpg-agent can allow access to GPG keys on a card with the
> --enable-ssh-support option.
>
> ===
> --enable-ssh-support
> --enable-putty-support
>
> Enable the OpenSSH Agent protocol.
>
> In this mode of operation, the agent does not only implement the
> gpg-agent protocol, but also the agent protocol used by OpenSSH
> (through a separate socket). Consequently, it should be possible to
> use the gpg-agent as a drop-in replacement for the well known
> ssh-agent.
> ===
gpg-agent. Interesting. If SC4 HSM could slide in as the smartcard, that
would be cool.
Thanks,
-kb
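A concrete way to wire the setup John describes, added here as an illustration and not code from either poster: a POSIX shell snippet that puts `enable-ssh-support` into `gpg-agent.conf` (idempotently, so re-running it never duplicates the line), asks `gpgconf` where gpg-agent's OpenSSH socket lives, and checks whether `SSH_AUTH_SOCK` already points there. It assumes GnuPG 2.1 or later (the `gpgconf --list-dirs agent-ssh-socket` query and the `enable-ssh-support` keyword); the function names and the `GPG_SSH_SETUP` guard are our own, and the fallback socket location under `$GNUPGHOME` is an assumption for older installs without `gpgconf`.

```shell
#!/bin/sh
# Added example: make gpg-agent serve the OpenSSH agent protocol so ssh can use
# keys that live on an OpenPGP smartcard.  Helper names are ours, not GnuPG's.

# Ensure gpg-agent.conf under directory $1 contains enable-ssh-support exactly once.
enable_gpg_agent_ssh() {
    conf="$1/gpg-agent.conf"
    mkdir -p "$1"
    chmod 700 "$1"                      # gpg refuses unsafe permissions on its home
    [ -f "$conf" ] || : > "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf 'enable-ssh-support\n' >> "$conf"
    fi
}

# Print the socket ssh must talk to.  gpgconf knows the real path (often under
# /run/user/UID/gnupg); the $GNUPGHOME fallback is an assumption for old installs.
gpg_ssh_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        printf '%s/S.gpg-agent.ssh\n' "${1:-$HOME/.gnupg}"
    fi
}

# Return 0 when the current SSH_AUTH_SOCK value ($1) already equals the
# gpg-agent socket ($2), i.e. ssh will reach gpg-agent rather than ssh-agent.
ssh_uses_gpg_agent() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Only touch the real environment when explicitly asked (GPG_SSH_SETUP=1).
if [ "${GPG_SSH_SETUP:-0}" = 1 ]; then
    enable_gpg_agent_ssh "${GNUPGHOME:-$HOME/.gnupg}"
    sock=$(gpg_ssh_socket "${GNUPGHOME:-$HOME/.gnupg}")
    if ! ssh_uses_gpg_agent "${SSH_AUTH_SOCK:-}" "$sock"; then
        echo "add to your shell profile:  export SSH_AUTH_SOCK=$sock" >&2
    fi
    gpgconf --kill gpg-agent            # restart so the new option takes effect
    gpg --card-status >/dev/null        # lets the agent learn the card's keys
    ssh-add -L                          # the card's authentication key should appear
fi
```

Run it as `GPG_SSH_SETUP=1 sh setup.sh` with the card inserted. Two caveats a practitioner hits in practice: a distribution that starts `ssh-agent` in the login session will overwrite `SSH_AUTH_SOCK`, so that startup has to be disabled or the export has to come later in the session; and `ssh-add -L` only lists the card key after gpg-agent has seen the card once (hence the `gpg --card-status`). Unplugging the card makes the key disappear from `ssh-add -L` immediately, which is exactly the property John is after.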