openssh-unix-dev May 2011 archive

Re: Might a patch to ssh-agent to allow relaxing of peer euid check be accepted?

From: Ángel González <keisial_at_nospam>
Date: Fri May 20 2011 - 14:28:34 GMT
To: Matthew Miller <mattdm@mattdm.org>

Matthew Miller wrote:
> On Thu, May 19, 2011 at 03:51:46PM +0200, Wout Mertens wrote:
>> Why not simply give each user their own private key and add/remove it from
>> the authorized_keys at the appropriate times?
> With that model, there's a lot to keep track of. Individual users must keep
> track of their keys, and the various authorized_keys files must be managed
> carefully. There's no way to enforce "good" behavior with private key files:
> they might have no passphrase, they might get copied around or stolen --
> potentially without the users' knowledge. And if there are a large number of
> accounts on different systems accessed in this way, one needs a system to
> manage those (and it's likely things will get overlooked).
>
> I'm open to entertaining more conversations of this nature, but I think it's
> really off-topic for this list and I don't want to trouble everyone with it
> -- I think it'd be better to send me such messages directly. Thanks.
Maybe you could use a CA issuing short-lived certificates to your clients?

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev