Looking at revisiting our authentication model and curious what sort of baselines you all use. Am mostly focused on Linux, but concepts could apply to Windows as well.
AD is "key" in our environment, so envision Kerberos playing a big role in this. My preference:

- Administrators need some sort of two-factor authentication to obtain a valid Kerberos ticket (when they log in to Windows for example).
- Linux boxen are set up to accept remote logins only via Kerberos tickets. No password auth allowed (Kerberized PuTTY works fine for this).
- Emergency local accounts would need to be in place, but perhaps would tie into a two-factor PAM module (e.g. Google Authenticator).

Perhaps this isn't "enough" and I should look to have two-factor even at the SSH level? I do want to be able to potentially accommodate scripted logins via SSH keys in certain situations.

How are some of you doing this currently?

Thanks,
Ray
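An added example (not part of Ray's post): a small Python check that reads sshd_config text and reports where it departs from the baseline described above, that is, GSSAPI/Kerberos as the only global method, with per-account Match exceptions for scripted key logins and a PAM two-factor emergency account. The account names svc-deploy and emergency, both sample configs, and the use of upstream OpenSSH defaults for missing keywords are assumptions.

```python
# Added example: audit sshd_config text against the baseline in the post.
# Account names and both sample configs are constructed for illustration.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "gssapiauthentication": "no"}
NAMES = {"passwordauthentication": "password", "pubkeyauthentication": "publickey",
         "kbdinteractiveauthentication": "keyboard-interactive",
         "gssapiauthentication": "gssapi"}

def parse(text):
    """Return (global_opts, [(match_criteria, opts), ...]), keywords lowercased."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = {}
            blocks.append((value, current))
        else:  # sshd keeps the first value it reads for a keyword
            (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

def enabled(opts):
    """Mechanisms switched on once sshd's defaults fill in missing keywords."""
    eff = {**DEFAULTS, **opts}
    return {NAMES[k] for k in NAMES if eff[k].lower() == "yes"}

def audit(text):
    """List the places where the config departs from the Kerberos-only baseline."""
    global_opts, blocks = parse(text)
    glob = enabled(global_opts)
    findings = [] if "gssapi" in glob else ["global: gssapi disabled"]
    findings += [f"global: {m} enabled" for m in sorted(glob - {"gssapi"})]
    for criteria, opts in blocks:  # exceptions may add keys or PAM 2FA, never passwords
        if "password" in enabled({**global_opts, **opts}):
            findings.append(f"Match {criteria}: password enabled")
    return findings

GOOD = """GSSAPIAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication no
Match User svc-deploy
    PubkeyAuthentication yes
Match User emergency
    KbdInteractiveAuthentication yes
"""
BAD = "GSSAPIAuthentication yes\nMatch User emergency\n    PasswordAuthentication yes\n"
if __name__ == "__main__": print(audit(GOOD), audit(BAD))
```

The BAD sample shows why the "no" lines have to be written out: a keyword left out of the file falls back to the upstream default, which enables password, keyboard-interactive and public-key logins. Older OpenSSH releases spell KbdInteractiveAuthentication as ChallengeResponseAuthentication, which this sketch does not map.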
