Re: Root password strength
On 20 Mar 2024 15:46 +0800, from jeremy.ardley@gmail.com (jeremy ardley):
> Regarding certificates, I issue VPN certificates to be installed on each
> remote device. I don't use public key.
What exactly is this "certificate" that you speak of? In typical
usage, it means a public key plus some surrounding metadata, but you
say that you "don't use public key".
> For ssh use I issue secret keys to each user and maintain matching public
> keys in LDAP servers. SSHD servers can get the public keys in real time by
> using the AuthorizedKeysCommand. If a secret key is compromised I simply
> remove the matching public key.
>
> [users are locked out from uploading their public key using ssh-copy-id]
So the private keys aren't private, thereby invalidating a lot of
assumptions inherent in public key cryptography.
Also, are you saying that you do not let users rotate their keys
themselves; and if so, why on Earth not?
--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”