On Wednesday, 15 March 2006 19:08, Stewart Stremler wrote:
> begin quoting Dexter Filmore as of Wed, Mar 15, 2006 at 06:46:46PM +0100:
> > On Saturday, 11 March 2006 00:00, Tracy R Reed wrote:
> > [snip]
>
> > > You would only need to put your public key on the remote machine.
> > > Normally you email it to the admin and he installs it for you in lieu
> > > of setting you a password and telling you the password.
> >
> > Even better was if ssh sent the public key to that machine and emailed
> > the admin with a request to allow the key to login.
> > One would have to code that into ssh of course or similar.
>
> Why?
To have an official standard.

> A USB stick is basically just a very long password that you have to keep
> written down somewhere. Stick your USB stick into an untrusted computer,
> and your key is compromised, just like a fixed password would be.

If all that can be read is my public key?

> Go one step further ... use a smart-card; to communicate with the remote
> system, the local system streams data to the smart card, and the smart
> card encrypts/decrypts it. Include a challenge-response mechanism in
> there as well, and you have something worthwhile. An untrusted computer
> can't do anything to you after the fact, but only while you're using it.

USB sticks - spread, can attach to almost any halfway modern computer. Smart card reader - about as common as BeOS. I agree on your security thoughts, but what good is a key that doesn't fit any lock.

> (Best is a laptop -- you keep your keys, input system, and display system
> all under *your* control. Trusted endpoints, untrusted network.)

Laptop on my keyring will have me lose my pants a lot in public. Not good. ;)

> > What I would want is a key that not only grants me access to the local
> > machine but to any machine on the network I'm supposed to have access to.
>
> That would be equivalent to having one key to your car, your front door,
> your side door, your safe, your suitcases, etc.

If that key - and the locks! - are sufficiently secure - alright.
