Re: Don't try this at home kids

To: debian-user@lists.debian.org
Subject: Re: Don't try this at home kids
From: Jeremy Ardley <jeremy@ardley.org>
Date: Tue, 30 Nov 2021 07:29:30 +0800
Message-id: <[🔎] afdd967e-36a9-74b9-9e4d-1477c90de695@ardley.org>
In-reply-to: <[🔎] d0da3bcb-6650-4ef1-d9a5-2819aae0339d@touchtonecorp.com>
References: <[🔎] 4oo985q9-pp1o-p837-r65q-o89q2qoo187@ehcgherq-qhpx.pbz> <[🔎] 5ee7ca26-da2e-a872-875e-28e8a3707473@ardley.org> <[🔎] d0da3bcb-6650-4ef1-d9a5-2819aae0339d@touchtonecorp.com>


On 30/11/21 7:14 am, James H. H. Lampert wrote:

I have access to a number of Amazon Linux virtual boxes, that don'tlike password authentication in general (preferring certificateauthentication . . . which authenticates the BOX that is ssh-ing in,but not the WARM BODY between the chair and the keyboard).

On the topic of SSH certificates, they seem fine at first, but when youdelve deeper they are a serious security risk because they are areissued by individual users and are effectively unmanaged andunmaintained. In large organisations they are a nightmare to control.

The current best practice is to use a third party authenticator whereaccess control is centrally managed. Even so, automatic authenticationmeans you have no control over the warm body or hacking script that isusing it.



--
Jeremy

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Reply to:

References:
- Don't try this at home kids
  - From: Bob Bernstein <poobah@ruptured-duck.com>
- Re: Don't try this at home kids
  - From: Jeremy Ardley <jeremy@ardley.org>
- Re: Don't try this at home kids
  - From: "James H. H. Lampert" <jamesl@touchtonecorp.com>

Prev by Date: Re: Don't try this at home kids
Next by Date: Re: Don't try this at home kids
Previous by thread: Re: Don't try this at home kids
Next by thread: Re: Don't try this at home kids
Index(es):
- Date
- Thread