On 01/11/13 11:40, Robert Hajime Lanning wrote:
Key can be copied. So, it does not really meet the "something you have"
aspect. The biggest issue with the "key with passphrase" is that you
have zero ability to enforce the passphrase strength or even if it exists.

Yes, replying to myself... :)

There is a way to make SSH keys work. It requires a hardware-based PKCS#11-type token (PKI-based).

If the company generates the key pair on the token and assigns the token PIN, you have your two factor authentication.

The user must authenticate to the token, which then allows use of the private key. The "random string" challenge is sent to the token to be encrypted with the private key. The ciphertext is sent to the server, which has the user certificate with the public key and can then verify the encryption.

SSH supports PKCS#11 API for PKI key use.

The token enforces the presence of "something you know" and it itself is "something you have" as the private key, once generated on the token, can never leave the token.

--
Mr. Flibble
King of the Potato People
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
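The client-side flow described in the post above, as an added example that is not part of the original message: OpenSSH talks to the token through a PKCS#11 module, so the public half is exported with `ssh-keygen -D`, and `ssh -I` (or `ssh-add -s` for the agent) prompts for the token PIN before the token signs the server's challenge. The module path assumes OpenSC on a Debian-style system; adjust it for your distribution or token vendor. The last function is a server-side check a practitioner would want: sshd sees only an ordinary public key and cannot tell whether the private key lives on a token or in a file, so the server should at least refuse password and challenge-response logins that would bypass the token entirely.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumption: OpenSC's PKCS#11 module lives here (override with PKCS11_MODULE).
MODULE="${PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"

# 1. Export the public keys the token holds, in authorized_keys format.
#    ssh-keygen -D asks the module for public keys only; the private key
#    was generated on the token and never leaves it.
token_pubkeys() {
    ssh-keygen -D "$MODULE"
}

# 2. Log in through the token. OpenSSH prompts for the token PIN
#    ("something you know"), then the token signs the server's challenge
#    with the on-token private key ("something you have").
ssh_with_token() {
    ssh -I "$MODULE" "$@"
}

# 3. Alternatively, load the token into ssh-agent once (PIN prompted once)
#    and use plain ssh afterwards; signing still happens on the token.
agent_add_token() {
    ssh-add -s "$MODULE"
}

# 4. Server-side check on an sshd_config file: the server cannot verify the
#    key is token-held, so make sure no weaker authentication method is open.
#    Prints each missing/weak directive and returns 1 if any are found.
check_sshd_config() {
    cfg="$1"
    rc=0
    for want in "PubkeyAuthentication yes" \
                "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no"; do
        key=${want%% *}
        val=${want#* }
        # sshd keywords are case-insensitive; allow any whitespace between key and value
        if ! grep -Eiq "^[[:space:]]*$key[[:space:]]+$val[[:space:]]*$" "$cfg"; then
            echo "missing or weak: $want"
            rc=1
        fi
    done
    return $rc
}

# Usage (requires a token plugged in):
#   token_pubkeys >> ~/.ssh/authorized_keys   # on the server, via a trusted channel
#   ssh_with_token user@host
#   check_sshd_config /etc/ssh/sshd_config
```

Note that the check only catches the server accepting passwords alongside keys; it does not, and cannot, prove that the key presented was token-held. The control that makes this two-factor is the one the post describes: the company generates the key on the token and sets the PIN, so no file-based copy of the private key ever exists.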
