Re: OpenSSH Certkey (PKI) adding CAL (online verification)

From: Daniel Hartmeier <daniel_at_benzedrine.cx>
Date: Thu, 16 Nov 2006 22:03:56 +0100
On Thu, Nov 16, 2006 at 07:01:41PM +0100, Daniel Hartmeier wrote:

> +When Certkey user authentication fails either because no CAL server can be
> +reached or because one CAL server delivers a valid reply marking the user key
> +as invalid, the user key can still be used with other authentication methods
> +(publickey) to gain access (if found in authorized_keys).

Maybe it should be possible to enable CAL even for the traditional
publickey authentication. That would enforce an online check even if
Certkey isn't used. You could then revoke user keys and they wouldn't
work even if they're present in the traditional authorized_keys files.

Of course, if you do that and the CALs go down, the only way to login is
using passwords. You don't expect CALs to disable these, too, I hope ;)

Daniel
Received on Thu Nov 16 2006 - 20:03:57 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:02 UTC