> On Feb 11, 2017, at 12:45, Kent Borg <[email protected]> wrote:
>
>> On 02/10/2017 10:50 PM, John Byrnes wrote:
>> You can keep your ssh keys on a PIN protected smartcard and only insert it
>> when you need to log in somewhere. Your keys never leave the card. When the
>> card is unplugged, an attacker has no access at all. I feel like this is
>> better than a password. It also makes it easier to keep the keys
>> synchronized between boxes.
>
> I agree. Were I needing to manage access to zillions of machines, the effort
> to set up and maintain that would be worth it.
>

I only access one or two machines, but I do it from a few different workstations.

>> gpg-agent can allow access to GPG keys on a card with the
>> --enable-ssh-support option.
>>
>> ===
>> --enable-ssh-support
>> --enable-putty-support
>>
>> Enable the OpenSSH Agent protocol.
>>
>> In this mode of operation, the agent does not only implement the
>> gpg-agent protocol, but also the agent protocol used by OpenSSH
>> (through a separate socket). Consequently, it should be possible to
>> use the gpg-agent as a drop-in replacement for the well known
>> ssh-agent.
>> ===
>
> gpg-agent. Interesting. If SC4 HSM could slide in as the smartcard, that
> would be cool.
>

I don't know if the SC4 will do that, but the NitroKey and GNUk will.

http://www.fsij.org/doc-gnuk/

> Thanks,

Anytime!

JB
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
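
The setup discussed in this thread, as an added example that is not part of the original messages: it enables `enable-ssh-support` in `gpg-agent.conf`, then checks that `SSH_AUTH_SOCK` points at the separate socket the quoted man page mentions. The function names are this example's own, and it assumes GnuPG 2.1 or later (for `gpgconf --list-dirs agent-ssh-socket`) and a card that already holds an authentication key.

```shell
#!/bin/sh
# Added example: route OpenSSH through gpg-agent so a card-held key is used.
# Function names and the --apply switch are this example's own.

# Idempotently add "enable-ssh-support" to the gpg-agent.conf given in $1.
enable_ssh_support() {
    conf=$1
    touch "$conf"
    # Match only an active option line; a commented-out one does not count.
    if ! grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$conf"; then
        printf '%s\n' 'enable-ssh-support' >> "$conf"
    fi
}

# Return 0 only if SSH_AUTH_SOCK ($1) is gpg-agent's ssh socket ($2).
# A mismatch means ssh is still talking to some other agent, so keys
# on the card would never be offered.
sock_is_gpg_agent() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

main() {
    gnupg_home=${GNUPGHOME:-$HOME/.gnupg}
    mkdir -p -m 700 "$gnupg_home"
    enable_ssh_support "$gnupg_home/gpg-agent.conf"

    # Stop the running agent so the next start rereads its configuration.
    gpgconf --kill gpg-agent
    gpg_sock=$(gpgconf --list-dirs agent-ssh-socket)

    if ! sock_is_gpg_agent "${SSH_AUTH_SOCK:-}" "$gpg_sock"; then
        echo "SSH_AUTH_SOCK is not gpg-agent's socket; add to your profile:" >&2
        echo "  export SSH_AUTH_SOCK=$gpg_sock" >&2
    fi

    # Tell the agent which terminal should receive the PIN prompt.
    GPG_TTY=$(tty) && export GPG_TTY
    gpg-connect-agent updatestartuptty /bye >/dev/null

    # With the card inserted, its authentication key is listed here.
    SSH_AUTH_SOCK=$gpg_sock ssh-add -L
}

# Only touch the real configuration when asked to.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it with `--apply` on each workstation; if `ssh-add -L` lists nothing, `gpg --card-status` shows whether the card is detected at all.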
