Date: Thu, 16 Nov 2006 10:50:53 -0800 (PST)
From: Lamont Granquist <lamont@scriptkiddie.org>
To: "Wolfgang S. Rupprecht" <wolfgang+gnus200611@dailyplanet.dontspam.wsrcc.com>
Cc: freebsd-current@freebsd.org, openssh-unix-dev@mindrot.org, tech@openbsd.org
Subject: Re: OpenSSH Certkey (PKI)
Message-ID: <Pine.GSO.4.60.0611161041090.17566@sploit.scriptkiddie.org>
In-Reply-To: <87ac2rjqaf.fsf@arbol.wsrcc.com>
References: <20061115142820.GB14649@insomnia.benzedrine.cx> <87odr8i53w.fsf@arbol.wsrcc.com> <20061116135627.GA26343@tortuga.leo.org> <87ac2rjqaf.fsf@arbol.wsrcc.com>
On Thu, 16 Nov 2006, Wolfgang S. Rupprecht wrote:
> +A user certificate is an authorization made by the CA that the
> +holder of a specific private key may login to the server as a
> +specific user, without the need of an authorized_keys file being
> +present. The CA gains the power to grant individual users access
> +to the server, and users do no longer need to maintain
> +authorized_keys files of their own.

User-maintained authorized_keys files tend to be SOX auditing violations (anyone with access to the account can grant anyone else access with any notification or audit trail). It also lends itself to abuses where software/generic accounts tend to accumulate the public keys of all the developers' desktop accounts. The Kerberos .k5login file is similarly problematic.

I would love to see a CA-based approach which would solve both the authentication and authorization pieces in a way that could be wrapped with proper auditing on the granting of privs, particularly if it was simple enough that it was widely adopted instead of authorized_keys even at very small sites.
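
Review bot: The last added sentence of the quoted hunk reads "users do no longer need to maintain authorized_keys files"; this should be "users no longer need to maintain", and "may login" in the first sentence should be the verb form "may log in". The paragraph also says a certificate works "without the need of an authorized_keys file being present" but does not say whether an authorized_keys file that is present is still honoured; stating that explicitly would tell administrators whether certificates replace user-maintained keys or only supplement them.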