IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: reauthentication
On Tue, 28 Aug 2001, Jakob Schlyter wrote:
> if the card is removed the client can't reauthenticate (since the private
> key is only on the card).
Correct but that doesn't happen when the card is removed only when
the reauthentication triggers from the server side of the connection,
which isn't how I had read your suggestion.
If you are happy with that then it takes smartcard out of the picture
as far as the protocol is concerned but should provide you with near
to the functionality you want with a smartcard being removed.
> In fact the server would never actually know a card was been used all
> > the server knows is what authentication mech was user in ssh-userauth.
>
> the administrator can choose only to trust public keys (raw or from x.509
> certificates) known to come from smartcards.
That isn't a protocol issue then, but a site policy dependant on
some functionality in a particular implementation and some knowlege of
their own PKI infrastructure. Which don't get me wrong will probably work
just fine.
--
Darren J Moffat
Home |
Main Index |
Thread Index |
Old Index