-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Another alternative is to turn off password authentication and allow
only public key.  This way the brute forcers can guess all they want and
never get lucky.  If you need a "card" you can always put your encrypted
private key / public key pair on a thumb drive which is a very low cost
option that fits on your keychain.  I believe this approach is
reasonably platform independent (but I don't us windows so I do not
speak with authority on this).

Cheers,
Bob Blair


Brett Viren wrote:
> Faye Gibbins <[log in to unmask]> writes:
> 
>> Dr Andrew C Aitchison wrote:
>>
>>> ssh-agent means that although the ssh keys aren't stored on disk
>>> they *are* held in memory much of the time. Given that many laptops
>>> are suspended and rarely rebooted, do you have a way of ensuring
>>> that the machine regularly reconfirms the user's identity ?
>>>
>> Kerberosized ssh.
> 
> Another, somewhat arcane, option is to use OpenPGP smart cards along
> with GnuPG's gpg-agent.  The keys remain on the card and the card does
> the PGP authentication.  Take the card out of the reader and no
> subsequent authentication can be done.
> 
> I've evaluated this method and it does work but requires some amount
> of effort to set up.  As far as I know there is only one supplier[1].
> I also don't expect it to work on non-Linux platforms.  But, besides
> all these negatives, it is a nice solution that also gives the user
> the usual benefits of PGP.
> 
> 
> -Brett.
> 
> [1] http://www.g10code.com/p-card.html

- --
Robert E. Blair, Room E277, Building 362
Argonne National Laboratory (High Energy Physics Division)
9700 South Cass Avenue, Argonne, IL 60439, USA
Phone: (630)-252-7545  FAX: (630)-252-5782
GnuPG Public Key: http://www.hep.anl.gov/reb/key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFI5NenOMIGC6x7/XQRAr+zAJ9mWyN9D06N49OiQEdwT1A1NMhA0ACgumk9
odDk4dw+dAWr0Q88RTmTGF4=
=1PEQ
-----END PGP SIGNATURE-----