
Re: Root password strength



On Wed, Mar 20, 2024 at 7:03 AM Michael Kjörling <2695bd53d63c@ewoof.net> wrote:
>
> On 20 Mar 2024 15:46 +0800, from jeremy.ardley@gmail.com (jeremy ardley):
> > Regarding certificates, I issue VPN certificates to be installed on each
> > remote device. I don't use public key.
>
> What exactly is this "certificate" that you speak of? In typical
> usage, it means a public key plus some surrounding metadata, but you
> say that you "don't use public key".
>
>
> > For ssh use I issue secret keys to each user and maintain matching public
> > keys in LDAP servers.  SSHD servers can get the public keys in real time by
> > using the AuthorizedKeysCommand. If a secret key is compromised I simply
> > remove the matching public key.
> >
> > [users are locked out from uploading their public key using ssh-copy-id]
>
> So the private keys aren't private, thereby invalidating a lot of
> assumptions inherent in public key cryptography.
>
> Also, are you saying that you do not let users rotate their keys
> themselves; and if so, why on Earth not?

Key continuity has turned out to be a better security property than
key rotation. It is wise to avoid gratuitous rotation schemes.

Jeff
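The LDAP-backed AuthorizedKeysCommand setup described in the quoted message, as an added example that is not code from the list thread: a small Python helper sshd could run for the user it is authenticating (`%u`), with the LDAP query replaced by a constructed LDIF sample so it runs offline, and the attribute name `sshPublicKey` assumed. It validates both the username sshd passes in and the shape of each key line before emitting it, so a malformed or option-prefixed directory entry is dropped rather than written into the authorized_keys output.

```python
#!/usr/bin/env python3
import re
import sys

# Constructed LDIF sample standing in for an ldapsearch result; the key blobs
# are placeholders, not real keys, and sshPublicKey is an assumed attribute name.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA alice@laptop
sshPublicKey: command="/bin/true" ssh-rsa AAAAB3NzaC1yc2E options@rejected
sshPublicKey: not a key at all

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER bob@desk
"""

# sshd hands us %u verbatim; accept only a conservative POSIX-style login name.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Bare key lines only: type, base64 blob, optional whitespace-free comment.
# Anything with authorized_keys options in front is deliberately rejected.
KEY_RE = re.compile(
    r"(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)) "
    r"[A-Za-z0-9+/]+={0,2}( \S+)?"
)

def parse_ldif(text):
    """Map uid -> list of sshPublicKey values from a minimal LDIF dump."""
    records = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            attrs.setdefault(key.strip(), []).append(value.strip())
        for uid in attrs.get("uid", []):
            records[uid] = attrs.get("sshPublicKey", [])
    return records

def authorized_keys_for(user, ldif_text=SAMPLE_LDIF):
    """Return the validated key lines for user, or [] if user/keys are unusable."""
    if not USER_RE.fullmatch(user):
        return []
    return [k for k in parse_ldif(ldif_text).get(user, []) if KEY_RE.fullmatch(k)]

if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else ""
    sys.stdout.write("".join(line + "\n" for line in authorized_keys_for(user)))
```

Wired in with `AuthorizedKeysCommand /usr/local/sbin/ldap-keys %u` and `AuthorizedKeysCommandUser nobody` in sshd_config (path is a placeholder), removing a user's attribute from the directory makes the next login attempt with that key fail without touching any host.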

