IETF-SSH archive


Re: reauthentication



On Tue, 28 Aug 2001, Jakob Schlyter wrote:

> if the card is removed the client can't reauthenticate (since the private
> key is only on the card).

Correct, but that doesn't happen when the card is removed, only when
the reauthentication triggers from the server side of the connection,
which isn't how I had read your suggestion.

If you are happy with that, then it takes the smartcard out of the picture
as far as the protocol is concerned, but should provide you with near
to the functionality you want with a smartcard being removed.

> > In fact the server would never actually know a card was being used; all
> > the server knows is what authentication mech was used in ssh-userauth.
> 
> the administrator can choose only to trust public keys (raw or from x.509
> certificates) known to come from smartcards.

That isn't a protocol issue then, but a site policy dependent on
some functionality in a particular implementation and some knowledge of
their own PKI infrastructure. Which, don't get me wrong, will probably work
just fine.

--
Darren J Moffat
