[Discuss] deadmanish login?
john at johnbyrnes.info
john at johnbyrnes.info
Sat Feb 11 14:33:37 EST 2017
> On Feb 11, 2017, at 12:45, Kent Borg <kentborg at borg.org> wrote:
>
>> On 02/10/2017 10:50 PM, John Byrnes wrote:
>> You can keep your ssh keys on a PIN protected smartcard and only insert it when you need to log in somewhere. Your keys never leave the card. When the card is unplugged, an attacker has no access at all. I feel like this is better than a password. It also makes it easier to keep the keys synchronized between boxes.
>
> I agree. Were I needing to manage access to zillions of machines, the effort to set up and maintain that would be worth it.
>
I only access one or two machines, but I do it from a few different workstations.
>> gpg-agent can allow access to GPG keys on a card with the
>> --enable-ssh-support option.
>>
>> ===
>> --enable-ssh-support
>> --enable-putty-support
>>
>> Enable the OpenSSH Agent protocol.
>>
>> In this mode of operation, the agent does not only implement the
>> gpg-agent protocol, but also the agent protocol used by OpenSSH
>> (through a separate socket). Consequently, it should be possible to
>> use the gpg-agent as a drop-in replacement for the well known
>> ssh-agent.
>> ===
>
> gpg-agent. Interesting. If SC4 HSM could slide in as the smartcard, that would be cool.
>
I don't know if the SC4 will do that, but the NitroKey and GNUk will.
http://www.fsij.org/doc-gnuk/
> Thanks,
Anytime!
JB
More information about the Discuss
mailing list