[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Identity (SSH Key) Management in Linux

So, what works and what doesn't?
Is it different for managing PGP keys? VPN keys? POPs (Plain Ole Passwords)?

After migrating to cert/key usage, how to provide failsafe password entry
and key recovery? Are biometrics an option? How do biometrics impact things
like if you are physically incapacitated or want family members to access
private data (i.e. in the event of your untimely demise, they might want
things like account passwords).

At one large company I worked for, there was a master password logbook 
for each host machine that is kept in a safe requiring two people to access. 
Password changes were recorded in the book, and requests to look at the book
for a specific host were rigorously monitored and only "cleared" staff
did the actual looking in a particular host's book. That's a bit extreme.

What's practical for the slightly overprotective home user behind a firewall
and providing "always on" content/services to random internet users?
Is "trust the firewall completely" "good enough" to use convenient, lax
policies inside the firewall?

Plan A:
One key, stored on what permanent medium (floppy? CD? USB keychain disk?)

Not every machine has CD/USB. Have to carry it around from machine to machine.
So, you copy it everywhere. Changing/synchronizing the passphrases on all of 
them is a mess. And you might forget some places where you left it or no
longer have access to where you left it to remove it or change the passphrase.
Single point of failure for your identity.

Plan B:
Lots of keys, only for specific connections (e.g. you from A to B only)
or even specific purposes (e.g. CVS or FTP).

Plenty of passphrases to remember. And change.
Creating new keys for each new connection/computer/purpose.

Plan C: ? (Your suggestion)

The environment is several multi-boot machines, with occasional remote access.
Is synchronizing keys across each different OSes (Linux partitions) manageable?
Or is putting them on a single shared filesystem easier? (e.g. a USB keychain
disk or a shared cryptofs)?

For those playing, this is a correllary to my previous post on multi-distro setups.



To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.