Frank Cusack writes:
> I disagree. [Arguably] RSA authentication using a smartcard is much
> more secure than RSA using a private key stored on disk. The current
> definitions do not allow for specifying that RSA must be done via
> a smartcard.
Yes it can. If the administrator only allows public keys of keys that
are on the smartcard to be put in authorized_keys files, then he can
limit RSA authentication to using only the smartcard.
BTW, there is no real difference between the RSA private key on the
disk and in the smartcard. The authentication is the same; the only thing
that differs is how easy it is to steal the private key. Note that when you
are using smartcards the PIN/passphrase is probably much, much
easier than what you use for the key that is on the disk, so getting
the PIN by looking over a person's shoulder is much easier.
> I'm not saying that authentications /should/ be classified according
> to technology, only that there definitely should be a way to
> "mandate" that an authentication uses a certain technology.
> That said, I don't know how to FORCE a user to use a smartcard
> vs. a disk-based key -- a "non-compliant" client implementation
> could ignore any flag from the server saying "use x technology".
There is no way you can do that anyway. The user can write his own
client that pretends to do smartcard authentication when it is doing
normal disk-based private key authentication. I don't see any use for
that kind of false security.
> > and it even contains
> > advantage compared to this method, it can use users native language
> > when printing out most of the prompts.
> I don't follow you. This example can use the user's native language.
How? The server doesn't know how to speak Finnish. My client does know
that. If we use the built-in messages without embedded strings, then
the client can print out dialogs in Finnish, but if the server sends
me a message saying "Change your password", my client doesn't
know what the server is asking, and cannot translate it to "Vaihda
salasanasi".
--
[EMAIL PROTECTED] Work : +358-9-4354 3218
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
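The server-side control described in the reply above (only public keys whose private half lives on a smartcard get into authorized_keys) can be audited rather than trusted to the client. The following is an added example, not code from the thread or from SSH Communications Security; it assumes the administrator recorded each card key's SHA256 fingerprint at enrolment, and the sample keys and authorized_keys lines are constructed.

```python
import base64
import hashlib

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64) of a key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line: str):
    """Return (options, keytype, blob, comment), or None for blank/comment lines.
    Options may hold quoted strings with spaces and commas, so honour quotes."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(("ssh-", "ecdsa-", "sk-")):
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quote = not in_quote
            elif ch.isspace() and not in_quote:
                options, line = line[:i], line[i:].lstrip()
                break
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys line: " + line)
    return options, fields[0], fields[1], (fields[2] if len(fields) == 3 else "")

def audit(authorized_keys: str, allowed_fingerprints: set):
    """Split the file's keys into (allowed, rejected) lists of (fingerprint, comment).
    A key is allowed only if its fingerprint was recorded at smartcard enrolment."""
    allowed, rejected = [], []
    for line in authorized_keys.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        fp = fingerprint(parsed[2])
        (allowed if fp in allowed_fingerprints else rejected).append((fp, parsed[3]))
    return allowed, rejected
# Constructed sample data: the blobs are arbitrary bytes standing in for real keys.
CARD_KEY_1 = base64.b64encode(b"constructed-smartcard-key-1").decode()
CARD_KEY_2 = base64.b64encode(b"constructed-smartcard-key-2").decode()
DISK_KEY = base64.b64encode(b"constructed-disk-key").decode()
SMARTCARD_ALLOWLIST = {fingerprint(CARD_KEY_1), fingerprint(CARD_KEY_2)}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for one user; only the first two were generated on a card",
    f"ssh-rsa {CARD_KEY_1} user@card-1",
    f'from="10.0.0.0/8,192.168.1.1",no-pty ssh-rsa {CARD_KEY_2} user@card-2',
    f"ssh-rsa {DISK_KEY} user@laptop-disk",
])
```

Running `audit(SAMPLE_AUTHORIZED_KEYS, SMARTCARD_ALLOWLIST)` flags the disk-resident key while accepting the two card keys, including the one carrying a quoted `from=` option with embedded commas.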