On 20 Mar 2024 15:46 +0800, from jeremy.ard...@gmail.com (jeremy ardley):
> Regarding certificates, I issue VPN certificates to be installed on each
> remote device. I don't use public key.

What exactly is this "certificate" that you speak of? In typical usage, it
means a public key plus some surrounding metadata, but you say that you
"don't use public key".

> For ssh use I issue secret keys to each user and maintain matching public
> keys in LDAP servers. SSHD servers can get the public keys in real time by
> using the AuthorizedKeysCommand. If a secret key is compromised I simply
> remove the matching public key.
>
> [users are locked out from uploading their public key using ssh-copy-id]

So the private keys aren't private, thereby invalidating a lot of
assumptions inherent in public key cryptography.

Also, are you saying that you do not let users rotate their keys
themselves; and if so, why on Earth not?

-- 
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”