On Thu, Nov 16, 2006 at 07:01:41PM +0100, Daniel Hartmeier wrote: > +When Certkey user authentication fails either because no CAL server can be > +reached or because one CAL server delivers a valid reply marking the user key > +as invalid, the user key can still be used with other authentication methods > +(publickey) to gain access (if found in authorized_keys). Maybe it should be possible to enable CAL even for the traditional publickey authentication. That would enforce an online check even if Certkey isn't used. You could then revoke user keys and they wouldn't work even if they're present in the traditional authorized_keys files. Of course, if you do that and the CALs go down, the only way to login is using passwords. You don't expect CALs to disable these, too, I hope ;) DanielReceived on Thu Nov 16 2006 - 20:03:57 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:02 UTC