On 02/10/2017 10:50 PM, John Byrnes wrote:
You can keep your ssh keys on a PIN protected smartcard and only
insert it when you need to log in somewhere. Your keys never leave the
card. When the card is unplugged, an attacker has no access at all. I
feel like this is better than a password. It also makes it easier to
keep the keys synchronized between boxes.
I agree. Were I needing to manage access to zillions of machines, the
effort to set up and maintain that would be worth it.
gpg-agent can allow access to GPG keys on a card with the
--enable-ssh-support option.
===
--enable-ssh-support
--enable-putty-support
Enable the OpenSSH Agent protocol.
In this mode of operation, the agent does not only implement the
gpg-agent protocol, but also the agent protocol used by OpenSSH
(through a separate socket). Consequently, it should be possible to
use the gpg-agent as a drop-in replacement for the well known
ssh-agent.
===
gpg-agent. Interesting. If SC4 HSM could slide in as the smartcard, that
would be cool.
Thanks,
-kb
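Added example, not from the thread or from the GnuPG project: a POSIX sh script that puts the --enable-ssh-support setup described above into practice. It writes the option into gpg-agent.conf, emits the ~/.profile lines that point ssh at gpg-agent's OpenSSH socket, and checks whether a card-resident key is actually being offered. It assumes GnuPG 2.1 or later (gpgconf, gpg-connect-agent, the agent-ssh-socket directory entry) and a card whose authentication key already exists; the "cardno:" label in ssh-add -L output is the comment gpg-agent attaches to card keys.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG itself): wire gpg-agent's
# OpenSSH-agent socket into a login shell so an authentication-capable key on a
# PIN-protected OpenPGP card is offered to ssh, and check that it shows up.
# Assumes GnuPG 2.1 or later (gpgconf, gpg-connect-agent) and a card whose
# authentication key has already been generated or moved onto it.

set -u

# Make sure gpg-agent.conf contains enable-ssh-support. Idempotent: a second
# run adds nothing. Takes the GnuPG home directory as an optional argument so
# the step can be exercised against a scratch directory; prints the conf path.
enable_ssh_support() {
    home="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
    conf="$home/gpg-agent.conf"
    mkdir -p "$home" && chmod 700 "$home"
    touch "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf 'enable-ssh-support\n' >> "$conf"
    fi
    printf '%s\n' "$conf"
}

# Succeeds when the given gpg-agent.conf enables the OpenSSH agent protocol.
ssh_support_enabled() {
    grep -qx 'enable-ssh-support' "$1"
}

# Lines for ~/.profile (or ~/.bash_profile): point ssh at gpg-agent's ssh socket
# and drop any stale ssh-agent variables so the two agents do not compete. The
# updatestartuptty call tells the agent which terminal pinentry should use for
# the PIN prompt.
profile_snippet() {
    cat <<'EOF'
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    export SSH_AUTH_SOCK
fi
gpg-connect-agent updatestartuptty /bye >/dev/null
EOF
}

# Succeeds only if a running gpg-agent offers a card-resident key over the
# OpenSSH agent protocol (gpg-agent labels those keys "cardno:<serial>").
# Fails when gpg is absent, the agent is down, or the card is unplugged, which
# is exactly the "attacker has no access" state the thread describes.
card_key_visible() {
    sock="$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)" || return 1
    [ -S "$sock" ] || return 1
    SSH_AUTH_SOCK="$sock" ssh-add -L 2>/dev/null | grep -q 'cardno:'
}

# Interactive use: ./card-ssh.sh setup writes the config, prints the profile
# lines, reloads the agent and reports whether the card key is visible.
if [ "${1:-}" = "setup" ]; then
    enable_ssh_support
    profile_snippet
    gpg-connect-agent reloadagent /bye >/dev/null 2>&1 || true
    if card_key_visible; then
        echo "card key visible to ssh"
    else
        echo "no card key offered (agent down or card not inserted?)"
    fi
fi
```

Two practical points the man page excerpt above does not spell out. First, keys living on the card do not need a keygrip entry in ~/.gnupg/sshcontrol; that file is for software keys the agent should also serve over the SSH protocol. Second, while the card is inserted and the PIN is cached, any process that can reach the socket can ask the agent for signatures, so the protection the thread describes comes from unplugging the card (or from a short PIN cache), not from the socket itself.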
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss