Date:      Thu, 16 Nov 2006 10:50:53 -0800 (PST)
From:      Lamont Granquist <lamont@scriptkiddie.org>
To:        "Wolfgang S. Rupprecht" <wolfgang+gnus200611@dailyplanet.dontspam.wsrcc.com>
Cc:        freebsd-current@freebsd.org, openssh-unix-dev@mindrot.org, tech@openbsd.org
Subject:   Re: OpenSSH Certkey (PKI)
Message-ID:  <Pine.GSO.4.60.0611161041090.17566@sploit.scriptkiddie.org>
In-Reply-To: <87ac2rjqaf.fsf@arbol.wsrcc.com>
References:  <20061115142820.GB14649@insomnia.benzedrine.cx> <87odr8i53w.fsf@arbol.wsrcc.com> <20061116135627.GA26343@tortuga.leo.org> <87ac2rjqaf.fsf@arbol.wsrcc.com>



On Thu, 16 Nov 2006, Wolfgang S. Rupprecht wrote:
>     +A user certificate is an authorization made by the CA that the
>     +holder of a specific private key may login to the server as a
>     +specific user, without the need of an authorized_keys file being
>     +present. The CA gains the power to grant individual users access
>     +to the server, and users do no longer need to maintain
>     +authorized_keys files of their own.
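Review bot: The last added sentence reads "users do no longer need to maintain authorized_keys files"; "users no longer need to maintain" is the correct form. In the first sentence, "may login to the server" uses the noun where the verb "log in" is meant. The paragraph also says "an authorization made by the CA" without saying how the server learns which CA to trust; a cross-reference to wherever that is documented would help a reader of this section.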

User-maintained authorized_keys files tend to be SOX auditing violations 
(anyone with access to the account can grant anyone else access with any 
notification or audit trail).  It also lends itself to abuses where 
software/generic accounts tend to accumulate the public keys of all the 
developers' desktop accounts.  The Kerberos .k5login file is similarly 
problematic.  I would love to see a CA-based approach which would solve 
both the authentication and authorization pieces in a way that could be 
wrapped with proper auditing on the granting of privs, particularly if it 
was simple enough that it was widely adopted instead of authorized_keys 
even at very small sites.
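
An added example, not part of the original message: a periodic inventory of authorized_keys entries that surfaces the key accumulation on software/generic accounts described above. The account names, the constructed key blobs, and the `max_keys` threshold are assumptions made for illustration.

```python
import base64, hashlib, re
from collections import defaultdict

# [options] keytype base64-blob [comment]; text before the key type is the options field
ENTRY = re.compile(r'(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)'
                   r'\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$')

def parse_line(line):
    """Return (fingerprint, options, comment), or None for blanks, comments, junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = ENTRY.search(line)
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return None
    # Same shape as OpenSSH SHA256 fingerprints: unpadded base64 of the digest
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return fp, line[:m.start()].strip(), (m.group(3) or "")

def audit(files, max_keys=3):
    """files maps account -> authorized_keys text. Returns (shared, crowded)."""
    by_key, per_account = defaultdict(set), defaultdict(set)
    for account, text in files.items():
        for line in text.splitlines():
            entry = parse_line(line)
            if entry:
                by_key[entry[0]].add(account)
                per_account[account].add(entry[0])
    # Keys granting access to more than one account, and accounts holding many keys
    shared = {fp: sorted(a) for fp, a in by_key.items() if len(a) > 1}
    crowded = {a: len(k) for a, k in per_account.items() if len(k) > max_keys}
    return shared, crowded

def _key(label):  # constructed stand-in blob, not a real public key
    return base64.b64encode(label.encode()).decode()

# Constructed sample: a generic "build" account that collected five developer keys
SAMPLE = {
    "build": "\n".join(f"ssh-rsa {_key('dev%d' % i)} dev{i}@desktop" for i in range(5)),
    "deploy": f'# release account\nfrom="10.0.0.0/8",no-pty ssh-rsa {_key("dev0")} dev0@desktop\n',
    "alice": f"ssh-ed25519 {_key('alice')} alice@laptop\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Diffing successive runs of such an inventory gives a record of when a key appeared, but not who added it, which is the gap the message points at.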


