Peter Jordan <[email protected]> writes:
> Russ Allbery, Fri Jul 10 2009 00:56:57 GMT+0200 (CEST):

>> Not without applying custom patches that are rather a hack. You can,
>> however, do PKINIT, which lets you use smart cards that can do X.509
>> authentication (some of which are quite inexpensive these days).
>> We're evaluating the DESfire cards for our purposes.

> hmmm, that does not solve the problem, when I have to log in from an
> insecure computer (i.e. Internet cafe). I know, you have not connect to
> your network from insecure computers, but sometimes you have not the
> choice.

Yeah, you're right -- that's a very hard one. Even ssh public key isn't
horribly attractive in that situation. You're basically betting that
whoever has hacked that cafe system has only installed a keyboard logger
and hasn't bothered to do something that would let them grab your ssh
private key as well.

But yes, you don't want to get Kerberos tickets on an insecure system.

As portable systems (handhelds, laptops, etc.) and ubiquitous wireless
become more common, hopefully there will be less need to use computers
that you don't physically control.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

