The implementation that I think would be best would follow the practices of SSH.

For each client that I want to connect from via SSH, I generate a public/private key pair (sometimes with, sometimes without, passphrases). I manually distribute those keys (using a handful of techniques) to all the (authorized_keys file on) servers I want to authenticate to. Yes, the keys are a little bit of a hassle to distribute, especially for the novice. Yet this is the easiest way to achieve passwordless logins everywhere while enabling key revocation practices.

There is however an even better option, though a little more confusing to set up. SSH supports signing client certificates so that they don't need to even be distributed by the users in the first place. The client certificates need only be signed once by an administrator. See this example by DigitalOcean.

Adding password support to log in like SSH allows has many merits and drawbacks. I won't go into those here as I'm sure it's been discussed elsewhere. For the record, I like Mumble's (nearly) entirely passwordless system.

---

Say you're on your phone, and want to register yourself with that certificate, and couple that registration to your existing user. (This is assuming the multi-device scenario.)

Ideally, it should be possible to authenticate the new certificate yourself - without admin intervention. Why? Because the admin cannot know if the new device and certificate is in fact you. It could be an imposter performing a social engineering attack.

But how would you do it in practice? If we want to allow yourself to perform the operation, the only sound flow I can come up with is:

1. Connect to the server with your desktop client.
2. Connect to the server with your phone client.
3. From the desktop client, tell the server to add its certificate to your user registration.
4. The same user is now connected twice, but using two different certificates.

Step 4 is something that we don't support today. Currently, only a single instance of a registered user can be on the server at any given point in time. But that's another feature that would be nice to have - to be able to connect from both your phone and your desktop at the same time - having access to the same groups, permissions, and so on on both devices.
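The four-step flow above, modelled as an added example (this is not Mumble's code, and the thread does not specify its implementation): an in-memory server that authenticates connections by client-certificate fingerprint, keeps the set of certificates bound to each registered user, and lets only an already-authenticated session of that user bind a new certificate, which must itself be connected at that moment so possession is demonstrated. The `allow_multiple_sessions` switch is an assumption that models the step-4 limitation (one instance per registered user); the certificate bytes are constructed placeholders, not real certificates.

```python
"""Model of the self-service certificate-binding flow (added example, not Mumble's code)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex digest of the certificate bytes, used as a stable identifier."""
    return hashlib.sha256(cert_der).hexdigest()


class FlowError(Exception):
    """Raised when a step of the flow is not allowed in the current state."""


@dataclass
class Session:
    session_id: int
    fingerprint: str
    user: Optional[str] = None  # None until the certificate maps to a registered user


@dataclass
class Server:
    # Assumption: whether one registered user may hold several sessions at once (step 4).
    allow_multiple_sessions: bool = False
    # user name -> fingerprints of the certificates accepted for that user
    registrations: Dict[str, Set[str]] = field(default_factory=dict)
    sessions: Dict[int, Session] = field(default_factory=dict)
    next_id: int = field(default=1, init=False, repr=False)

    def register(self, user: str, cert_der: bytes) -> None:
        """Initial registration: bind the first certificate to a user name."""
        self.registrations.setdefault(user, set()).add(fingerprint(cert_der))

    def user_for(self, fp: str) -> Optional[str]:
        for user, fps in self.registrations.items():
            if fp in fps:
                return user
        return None

    def connect(self, cert_der: bytes) -> Session:
        """Accept a connection presenting cert_der and authenticate it by fingerprint."""
        fp = fingerprint(cert_der)
        user = self.user_for(fp)
        if user is not None and not self.allow_multiple_sessions and any(
            s.user == user for s in self.sessions.values()
        ):
            raise FlowError(f"{user} is already connected; one instance per registered user")
        session = Session(self.next_id, fp, user)
        self.next_id += 1
        self.sessions[session.session_id] = session
        return session

    def add_certificate(self, requester_id: int, new_fp: str) -> Session:
        """Bind new_fp to the requester's user. Authorization comes from the requester's
        own authenticated session (no admin involved); possession of the new certificate
        is shown by a live connection currently presenting it."""
        requester = self.sessions[requester_id]
        if requester.user is None:
            raise FlowError("only an authenticated registered session may bind a certificate")
        if not self.allow_multiple_sessions:
            # Binding would leave the same user connected twice (step 4), which this
            # server cannot represent, so the flow has to stop here.
            raise FlowError("binding needs multi-session support for a registered user")
        target = next((s for s in self.sessions.values() if s.fingerprint == new_fp), None)
        if target is None:
            raise FlowError("the new certificate is not presented by any live connection")
        if target.user is not None:
            raise FlowError("that certificate is already bound to a registered user")
        self.registrations[requester.user].add(new_fp)
        target.user = requester.user
        return target


# Constructed placeholder certificate bytes; real clients present X.509 certificates over TLS.
DESKTOP_CERT = b"-- constructed placeholder: desktop client certificate --"
PHONE_CERT = b"-- constructed placeholder: phone client certificate --"


def run_flow(allow_multiple_sessions: bool = True) -> Dict[str, object]:
    """Walk the four steps from the thread and report the resulting state."""
    server = Server(allow_multiple_sessions=allow_multiple_sessions)
    server.register("alice", DESKTOP_CERT)
    desktop = server.connect(DESKTOP_CERT)  # step 1: authenticated as alice
    phone = server.connect(PHONE_CERT)      # step 2: unknown certificate, no user yet
    try:                                    # the phone cannot vouch for itself
        server.add_certificate(phone.session_id, phone.fingerprint)
        phone_self_bind = "allowed"
    except FlowError as err:
        phone_self_bind = str(err)
    server.add_certificate(desktop.session_id, phone.fingerprint)  # step 3
    return {
        "phone_self_bind": phone_self_bind,
        "phone_user": phone.user,  # step 4: phone session now belongs to alice
        "alice_sessions": sorted(s.session_id for s in server.sessions.values() if s.user == "alice"),
        "alice_certs": len(server.registrations["alice"]),
    }


if __name__ == "__main__":
    print(run_flow(allow_multiple_sessions=True))
```

With `allow_multiple_sessions=False` the model raises at step 3 rather than at step 4, because the server would otherwise have to hold two sessions for the same user, which is exactly the piece the thread says is unsupported today.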