Brian Candler
2022-Mar-07 17:54 UTC
Does a known security issue allow ssh login via system accounts?
On 07/03/2022 17:40, Philipp Marek wrote:>> That's a nice thing about pam_yubico with real Yubikeys: they can be validated against the Yubico cloud API, without any local secrets. > Just to make sure I understand you correctly - a cloud service determines whether some access to your server is to be granted?Yes: a cloud service run by security experts, almost certainly more secure and better managed than I could build myself. And in any case, it's a second factor on top of private/public keys that I do manage locally. (They used to provide code for you to host your own validation server - but I've just checked and found that's end-of-life)
Thorsten Glaser
2022-Mar-07 18:01 UTC
Does a known security issue allow ssh login via system accounts?
On Mon, 7 Mar 2022, Brian Candler wrote:> Yes: a cloud service run by security experts, almost certainly more secure and > better managed than I could build myself. And in any case, it's a second > factor on top of private/public keys that I do manage locally.Hope you have an axe nearby then ?? bye, //mirabilos -- Infrastrukturexperte ? tarent solutions GmbH Am Dickobskreuz 10, D-53121 Bonn ? http://www.tarent.de/ Telephon +49 228 54881-393 ? Fax: +49 228 54881-235 HRB AG Bonn 5168 ? USt-ID (VAT): DE122264941 Gesch?ftsf?hrer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg **************************************************** /?\ The UTF-8 Ribbon ??? Campaign against Mit dem tarent-Newsletter nichts mehr verpassen: ??? HTML eMail! Also, https://www.tarent.de/newsletter ??? header encryption! ****************************************************
Stuart Henderson
2022-Mar-07 18:02 UTC
Does a known security issue allow ssh login via system accounts?
On 2022/03/07 17:54, Brian Candler wrote:> On 07/03/2022 17:40, Philipp Marek wrote: > > > That's a nice thing about pam_yubico with real Yubikeys: they can be validated against the Yubico cloud API, without any local secrets. > > Just to make sure I understand you correctly - a cloud service determines whether some access to your server is to be granted? > > Yes: a cloud service run by security experts, almost certainly more secure > and better managed than I could build myself. And in any case, it's a second > factor on top of private/public keys that I do manage locally. > > (They used to provide code for you to host your own validation server - but > I've just checked and found that's end-of-life)and written in PHP...