
SSH keys also never expire and are easy to copy/steal. Key-based auth is officially discouraged at the day job (for laptop-to-desktop type things) for exactly this reason.



Expiring an ssh-key is easy, just remove the public key from authorized_keys. Dealing with theft is also straightforward: just add a passphrase to the key -- the time it takes to crack your pass phrase should be more than the time it takes for you to run ssh-keygen && ssh-copy-id.

-----


The issue is lack of key management for ssh keys in a lot of environments, especially for accounts not always used. You can wrap protection around it, but you may be better off just using a different authentication system (Kerberos? Something else?) in large environments.

-----


Expiring an ssh-key on YOUR machine is "easy". Ensuring it's really gone on every, single UNIX-like box anywhere in your company is less easy. Oh, and what happens when you restore a home directory or entire machine from tape? Are you absolutely sure you remembered to delete every SSH key you wanted to "expire" at some point?

SSH keys do not satisfy a "fail closed" security model: they're there unless you explicitly remove them (and keep them removed). Certificates, tickets, and other expiring credentials eventually go away and lock users out unless they're explicitly renewed.
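The two comments above disagree on how hard it is to really expire a key once it has spread across machines and backups. As an added example (my code, not any commenter's), here is a small Python audit that parses an `authorized_keys` file, computes OpenSSH-style SHA256 fingerprints, and flags entries that are not in a central key inventory, carry no expiry, or have already expired. The inventory, the key blobs and the sample lines are constructed for the example; the sshd `expiry-time="..."` authorized_keys option it checks is a real sshd option that the thread does not mention.

```python
import base64
import hashlib
import struct
from datetime import datetime

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-")

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def _tokenize(line: str) -> list:
    """Split on whitespace, but not inside double quotes (option values may contain spaces)."""
    tokens, cur, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

def _split_options(opts: str) -> dict:
    """Turn 'a,b="x,y",c' into {'a': '', 'b': 'x,y', 'c': ''}; commas inside quotes do not split."""
    result, cur, in_quote = {}, [], False
    for ch in opts + ",":
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            if cur:
                name, _, value = "".join(cur).partition("=")
                result[name] = value
            cur = []
        else:
            cur.append(ch)
    return result

def parse_line(line: str) -> dict:
    """Parse one authorized_keys entry: [options] key-type base64-blob [comment]."""
    tokens = _tokenize(line)
    if tokens[0].startswith(KEY_TYPES):
        options, rest = {}, tokens
    else:
        options, rest = _split_options(tokens[0]), tokens[1:]
    if len(rest) < 2 or not rest[0].startswith(KEY_TYPES):
        raise ValueError(f"unparseable entry: {line!r}")
    return {"options": options, "type": rest[0], "blob": rest[1], "comment": " ".join(rest[2:])}

def parse_expiry(spec: str) -> datetime:
    """sshd expiry-time format: YYYYMMDD or YYYYMMDDHHMM[SS], optional trailing Z."""
    spec = spec.rstrip("Z")
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(spec)]
    return datetime.strptime(spec, fmt)

def audit(authorized_keys: str, inventory: dict, now: datetime) -> list:
    """Flag entries unknown to the inventory, entries that never expire, and entries already expired."""
    findings = []
    for lineno, raw in enumerate(authorized_keys.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_line(line)
        fp = fingerprint(entry["blob"])
        problems = []
        if fp not in inventory:
            problems.append("not in inventory")
        expiry = entry["options"].get("expiry-time")
        if expiry is None:
            problems.append("no expiry-time (never expires)")
        elif parse_expiry(expiry) < now:
            problems.append(f"expired {expiry}")
        if problems:
            findings.append({"line": lineno, "fingerprint": fp, "comment": entry["comment"], "problems": problems})
    return findings

def _fake_ed25519_blob(seed: int) -> bytes:
    """Constructed, correctly framed ed25519 blob for the sample; NOT a real key."""
    key_type, key_bytes = b"ssh-ed25519", hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(key_bytes)) + key_bytes

_BLOB_A, _BLOB_B, _BLOB_C = (base64.b64encode(_fake_ed25519_blob(i)).decode() for i in (1, 2, 3))
# Constructed sample file: a managed key, a forgotten unmanaged key, and a restored-from-tape expired key.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
expiry-time="20991231",no-pty ssh-ed25519 {_BLOB_A} alice@laptop
ssh-ed25519 {_BLOB_B} old-deploy-key
command="/usr/bin/backup --mode=sync,verify",expiry-time="20200101" ssh-ed25519 {_BLOB_C} backup@tape
"""
SAMPLE_INVENTORY = {fingerprint(_BLOB_A): "alice", fingerprint(_BLOB_C): "backup"}  # constructed

def run_sample() -> list:
    """Audit the constructed sample as of a fixed date so the result is reproducible."""
    return audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_INVENTORY, datetime(2024, 1, 1))

if __name__ == "__main__":
    for f in run_sample():
        print(f"line {f['line']} {f['fingerprint']} ({f['comment']}): {', '.join(f['problems'])}")
```

Run against a real file, `audit(open(path).read(), inventory, datetime.now())` turns the "are you absolutely sure you remembered" question into something a cron job can answer for every host; the fingerprint is what ties an entry back to the inventory regardless of the comment field, which anyone can edit.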

-----


Thank you

People often consider ssh keys to be a panacea and think of passwords as outdated.

-----


We throw an OTP (One time Password) into the mix using Yubikeys:

http://www.yubico.com/products/yubikey-hardware/yubikey/

-----


Yep, I've been meaning to get one of these. I really dislike being unable to enforce a password on your private keys.

I've also been using Duo Security as my new 2FA solution and I like it a lot (it also has support for using Yubikeys to provide your OTP.)

-----


You require both key-based AND password auth with OTP? Or is the OTP at a higher layer, e.g. VPN?

-----


Thanks for the link. :)

-----



