SCIENTIFIC-LINUX-USERS Archives

October 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Brett Viren <[log in to unmask]>
Reply To: Brett Viren <[log in to unmask]>
Date: Thu, 2 Oct 2008 10:04:33 -0400
Faye Gibbins <[log in to unmask]> writes:

> Dr Andrew C Aitchison wrote:
>
>> ssh-agent means that although the ssh keys aren't stored on disk
>> they *are* held in memory much of the time. Given that many laptops
>> are suspended and rarely rebooted, do you have a way of ensuring
>> that the machine regularly reconfirms the user's identity?
>>
>
> Kerberosized ssh.

Another, somewhat arcane, option is to use OpenPGP smart cards along
with GnuPG's gpg-agent.  The keys remain on the card and the card does
the PGP authentication.  Take the card out of the reader and no
subsequent authentication can be done.

I've evaluated this method and it does work but requires some amount
of effort to set up.  As far as I know there is only one supplier[1].
I also don't expect it to work on non-Linux platforms.  But, besides
all these negatives, it is a nice solution that also gives the user
the usual benefits of PGP.


-Brett.

[1] http://www.g10code.com/p-card.html
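
An added example, not part of the original message: a check that every key the agent offers to ssh lives on the card, which is the property that makes pulling the card stop further authentication. It assumes a current GnuPG 2.x setup with "enable-ssh-support" in gpg-agent.conf and that gpg-agent labels card-resident keys with a "cardno:" comment; the function names and sample keys are constructed for illustration.

```shell
# Assumed setup (GnuPG 2.x), done once by the user:
#   echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf
#   export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
# Live use:  ssh-add -L 2>/dev/null | only_card_keys || echo "software key loaded"

# Constructed sample `ssh-add -L` output (key blobs are placeholders).
SAMPLE_CARD_ONLY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed1 cardno:000500000001'
SAMPLE_MIXED='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed1 cardno:000500000001
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed2 user@laptop'

# Read `ssh-add -L` output on stdin; print "card <comment>" or
# "memory <comment>" for each public key line.
classify_agent_keys() {
    while read -r type blob comment; do
        # Skip anything that is not a key line, e.g. the
        # "The agent has no identities." message.
        case "$type" in
            ssh-*|ecdsa-*|sk-*) ;;
            *) continue ;;
        esac
        [ -n "$blob" ] || continue
        case "$comment" in
            cardno:*) printf 'card %s\n' "$comment" ;;
            *)        printf 'memory %s\n' "${comment:-(no comment)}" ;;
        esac
    done
}

# Succeed only if the agent lists at least one key and every listed
# key is card-resident. A key without the cardno: label is one the
# agent can use with the card removed, the case raised earlier in
# the thread for suspended laptops.
only_card_keys() {
    report=$(classify_agent_keys)
    [ -n "$report" ] || return 1
    if printf '%s\n' "$report" | grep -q '^memory '; then
        return 1
    fi
    return 0
}
```

Running the check after resume from suspend, or from a login hook, gives an early signal that a software key has been added to the agent alongside the card.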
