Date: Thu, 16 Nov 2006 22:03:56 +0100 From: Daniel Hartmeier <daniel@benzedrine.cx> To: Andre Oppermann <andre@freebsd.org>, tech@openbsd.org, openssh-unix-dev@mindrot.org, freebsd-current@freebsd.org, markus@openbsd.org Subject: Re: OpenSSH Certkey (PKI) adding CAL (online verification) Message-ID: <20061116210356.GL14649@insomnia.benzedrine.cx> In-Reply-To: <20061116180141.GH14649@insomnia.benzedrine.cx> References: <20061115142820.GB14649@insomnia.benzedrine.cx> <455B29A4.3000601@freebsd.org> <20061115174747.GE26418@bofh.cns.ualberta.ca> <20061116180141.GH14649@insomnia.benzedrine.cx>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Nov 16, 2006 at 07:01:41PM +0100, Daniel Hartmeier wrote: > +When Certkey user authentication fails either because no CAL server can be > +reached or because one CAL server delivers a valid reply marking the user key > +as invalid, the user key can still be used with other authentication methods > +(publickey) to gain access (if found in authorized_keys). Maybe it should be possible to enable CAL even for the traditional publickey authentication. That would enforce an online check even if Certkey isn't used. You could then revoke user keys and they wouldn't work even if they're present in the traditional authorized_keys files. Of course, if you do that and the CALs go down, the only way to login is using passwords. You don't expect CALs to disable these, too, I hope ;) Daniel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061116210356.GL14649>