Matthew Miller wrote:
> On Thu, May 19, 2011 at 03:51:46PM +0200, Wout Mertens wrote:
>> Why not simply give each user their own private key and add/remove it from
>> the authorized_keys at the appropriate times?
> With that model, there's a lot to keep track of. Individual users must keep
> track of their keys, and the various authorized_keys files must be managed
> carefully. There's no way to enforce "good" behavior with private key files:
> they might have no passphrase, they might get copied around or stolen --
> potentially without the users' knowledge. And if there are a large number of
> accounts on different systems accessed in this way, one needs a system to
> manage those (and it's likely things will get overlooked).
>
> I'm open to entertaining more conversations of this nature, but I think it's
> really off-topic for this list and I don't want to trouble everyone with it
> -- I think it'd be better to send me such messages directly. Thanks.
Maybe you could use a CA issuing short-lived certificates to your clients?
openssh-unix-dev mailing list
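
The short-lived certificate approach suggested in the reply above, sketched with `ssh-keygen` as an added example that is not part of the original thread. The working directory, file names, the `alice` principal and the one-hour lifetime are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (constructed): names, paths and the "alice" principal are assumptions.
set -eu

# make_ca DIR: create the user CA key pair once. Only user_ca.pub is ever
# distributed; servers trust it with this sshd_config line:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
make_ca() {
    [ -f "$1/user_ca" ] || ssh-keygen -q -t ed25519 -N '' -C 'demo user CA' -f "$1/user_ca"
}

# issue_cert DIR USER VALIDITY: sign USER's public key, print the cert path.
issue_cert() {
    dir=$1; user=$2; validity=$3
    # Client key; generated here only to keep the demo self-contained.
    [ -f "$dir/id_$user" ] || ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$dir/id_$user"
    # -I: key ID that sshd logs at login, -n: account names the cert may log in as,
    # -V: validity window; starting 5 minutes back tolerates clock skew.
    ssh-keygen -q -s "$dir/user_ca" -I "$user@demo" -n "$user" -V "$validity" "$dir/id_$user.pub"
    echo "$dir/id_$user-cert.pub"
}

# cert_info CERT: print key ID, validity and principals of a certificate.
cert_info() {
    ssh-keygen -L -f "$1"
}

# Stand-alone run: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_ca "$work"
    cert_info "$(issue_cert "$work" alice -5m:+1h)"
    rm -rf "$work"
fi
```

With this model the servers carry only the CA public key, so there are no per-user `authorized_keys` entries to add or remove, and a copied or stolen client key stops working when its certificate expires.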