OpenSSH Certkey (PKI) adding CAL (online verification)
Daniel Hartmeier
daniel at benzedrine.cx
Thu Nov 16 13:03:57 PST 2006
On Thu, Nov 16, 2006 at 07:01:41PM +0100, Daniel Hartmeier wrote:
> +When Certkey user authentication fails either because no CAL server can be
> +reached or because one CAL server delivers a valid reply marking the user key
> +as invalid, the user key can still be used with other authentication methods
> +(publickey) to gain access (if found in authorized_keys).
Maybe it should be possible to enable CAL even for the traditional
publickey authentication. That would enforce an online check even if
Certkey isn't used. You could then revoke user keys and they wouldn't
work even if they're present in the traditional authorized_keys files.
Of course, if you do that and the CALs go down, the only way to login is
using passwords. You don't expect CALs to disable these, too, I hope ;)
Daniel
More information about the freebsd-current
mailing list