Walt,

On Wed, Apr 1, 2009 at 11:54 AM, Walt Farrell <wfarr...@us.ibm.com> wrote:

>
> SSH private/public keys do not have appropriate management controls,
> however.  The Security Administrator can not expire them, nor control their
> strength, for example.
>
I take your point, but I don't completely agree -

- With ACLs you can deny all but the Security Administrator the right to
add and remove keys from the ~/.ssh/authorized_keys file.   This is the
approach that most *nix security audits recommend (not the abolishment of
public-private keys).

- The SSH public key *protocol* should not be confused with the Ported Tools
*implementation*.   Many *nix SSH users have PAM modules, and/or have
implemented patches to the OpenSSH code that implement alternative keystores
such as hw and LDAP, smartcards, etc.   There's even a patch to OpenSSH (the
Roman Petrov patch) that adds X.509 support via OpenSSL, although it doesn't
comply over the wire with the RFC.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS> A user can't patch the Ported Tools port of OpenSSH since source is not
available.   We have a restaurant in the Midwest where the chefs work behind
the counter, and their slogan is "In sight it must be right".
Closed-source security software should be considered an oxymoron, but this
is the wrong forum for that view :-)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
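Both sides of the exchange above come down to what an administrator can see and enforce in authorized_keys: Walt's point that key strength and expiry are not controlled, and Kirk's point that such controls can be layered on top of the protocol rather than built into one implementation. As an added example (not code from this thread, from Dovetailed, or from IBM's Ported Tools), the Python below audits an authorized_keys file offline: it parses each line's options, key type and base64 blob, reads the key size straight out of the SSH wire format (RFC 4253 string/mpint fields, so no crypto library is needed), and flags RSA keys under a 2048-bit threshold, any DSA key, and keys carrying no `from=` or `expiry-time=` option. The threshold is an assumed policy, the sample lines are constructed with fake key material, and `expiry-time` is an authorized_keys option that OpenSSH added in 7.7, well after this 2009 thread; whether a given port supports it has to be checked against that port's sshd(8).

```python
"""Audit an OpenSSH authorized_keys file for key size and per-key controls.
Line format:  [options] key-type base64-blob [comment]
The blob is SSH wire format, so key size is readable with base64 + struct."""
import base64
import re
import struct

MIN_RSA_BITS = 2048  # policy threshold assumed for this example, not from the thread
KEY_TYPES = r"ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)"
LINE_RE = re.compile(r"^(?:(?P<opts>.*?)\s+)?(?P<type>" + KEY_TYPES
                     + r")\s+(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")

def _string(b: bytes) -> bytes:
    """Encode an RFC 4253 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    """Encode a positive RFC 4253 'mpint' (leading 0x00 if the top bit is set)."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _string(b"\x00" + b if b[0] & 0x80 else b)

def _read_string(blob: bytes, off: int):
    """Decode one 'string' field at offset; return (bytes, next offset)."""
    (length,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + length], off + 4 + length

def key_bits(key_type: str, blob: bytes) -> int:
    """Security-relevant key size: RSA modulus, DSA prime p, or the curve size."""
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode("ascii"):
        raise ValueError("key-type field does not match blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent e, then modulus n
        return int.from_bytes(_read_string(blob, off)[0], "big").bit_length()
    if key_type == "ssh-dss":
        return int.from_bytes(_read_string(blob, off)[0], "big").bit_length()  # prime p
    if key_type == "ssh-ed25519":
        return 256
    return int(key_type.rsplit("nistp", 1)[1])  # ecdsa: curve size from the name

def parse_options(opts: str) -> dict:
    """Split the options field on commas outside double quotes -> {name: value}."""
    result, buf, quoted = {}, [], False
    for ch in opts + ",":
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            item = "".join(buf).strip()
            buf = []
            if item:
                name, _, value = item.partition("=")
                result[name] = value.strip('"')
        else:
            buf.append(ch)
    return result

def audit_authorized_keys(text: str) -> list:
    """One finding per key line: type, bits, parsed options and policy flags."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append({"line": lineno, "flags": ["unparseable"]})
            continue
        opts = parse_options(m["opts"]) if m["opts"] else {}
        bits = key_bits(m["type"], base64.b64decode(m["b64"]))
        flags = []
        if m["type"] == "ssh-dss" or (m["type"] == "ssh-rsa" and bits < MIN_RSA_BITS):
            flags.append("weak")
        if "from" not in opts:           # no source-address restriction
            flags.append("no-source-restriction")
        if "expiry-time" not in opts:    # option available in OpenSSH 7.7 and later
            flags.append("no-expiry")
        findings.append({"line": lineno, "type": m["type"], "bits": bits, "options": opts,
                         "comment": m["comment"] or "", "flags": flags})
    return findings

# --- constructed sample data: fake key material, not from any real system ---
def make_line(key_type: str, blob: bytes, options: str = "", comment: str = "") -> str:
    b64 = base64.b64encode(blob).decode("ascii")
    return " ".join(p for p in (options, key_type, b64, comment) if p)

def fake_rsa_blob(bits: int) -> bytes:
    """Wire-format ssh-rsa blob whose (non-prime, fake) modulus has exactly `bits` bits."""
    return _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 0x1234567)

SAMPLE = "\n".join([
    "# constructed authorized_keys sample",
    make_line("ssh-rsa", fake_rsa_blob(1024), comment="legacy@host"),
    make_line("ssh-rsa", fake_rsa_blob(4096), 'from="10.0.0.0/8",command="/usr/bin/rsync'
              ' --server",expiry-time="20301231",no-pty', "backup@batch"),
    make_line("ssh-ed25519", _string(b"ssh-ed25519") + _string(bytes(32)), comment="ops@laptop"),
])

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE):
        print(f["line"], f.get("type"), f.get("bits"), ",".join(f["flags"]) or "ok")
```

Run against a real file with `audit_authorized_keys(open(path).read())`; the option parser tolerates commas and spaces inside quoted `command=` values, which is where naive `split(",")` approaches break. Reading the modulus length from the blob rather than trusting the comment is the point: the comment is free text and says nothing reliable about the key.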