Questions about SSH key management in SSH login

Dear all

I'm new to the user account management and authentication area, and
thank you for providing this powerful and useful tool that integrates many
kinds of authentication mechanisms.
My question is about SSH login with public key and OTP.
I use the AuthorizedKeysCommand config in sshd_config to get the public key
via privacyidea-authorizedkeys.
The question is: why do we need to set the privacyIDEA admin password to get
the public key? Doesn't it increase the risk of the privacyIDEA server being
hacked?
Could we modify it like OTP authentication, where all authentication actions
are done on the privacyIDEA server? Or just get the public key without the
admin password.

Harvey

Hello Harvey,

The SSH public keys follow a basic framework in privacyIDEA to assign
authentication objects to machines.

These authentication objects are usually not public knowledge (e.g. for
offline OTP and Yubikey pre-boot authentication).
This is why the API requires authentication.

But you should strip down the rights of the account that is fetching
the SSH public keys.

Kind regards
Cornelius

On Thursday, 23.06.2016 at 19:25 -0700, Harvey Chang wrote:



Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

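As an added example that is not part of this thread or of the privacyIDEA project, here is what "stripping down the rights" of the fetching account can look like on the SSH host side. The admin credential used by privacyidea-authorizedkeys sits on every SSH server, so the wrapper below runs under a dedicated, unprivileged AuthorizedKeysCommandUser, refuses to run if the credential file is readable by anyone else, and passes only well-formed public-key lines on to sshd. The credential file path /etc/privacyidea/authorizedkeyscmd, the fetch command path /usr/bin/privacyidea-authorizedkeys and the wrapper name pi-authkeys-wrapper are assumptions; on the privacyIDEA side the same account should additionally be limited by an admin policy to fetching machine auth items and nothing more.

```shell
#!/bin/sh
# Added example, not from the thread or the privacyIDEA project.
# Intended to be installed as sshd's AuthorizedKeysCommand and executed as a
# dedicated, unprivileged AuthorizedKeysCommandUser.
# Assumed paths (override via environment if your install differs):
CRED_FILE="${CRED_FILE:-/etc/privacyidea/authorizedkeyscmd}"
FETCH_CMD="${FETCH_CMD:-/usr/bin/privacyidea-authorizedkeys}"

# cred_file_is_private FILE: succeed only if FILE exists and grants no
# group/other permission bits, so the privacyIDEA credential is readable by
# the fetching account alone. Columns 5-10 of `ls -l` are the group and
# other bits; "------" means none are set (portable, no GNU stat needed).
cred_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# filter_pubkeys: read candidate lines on stdin and keep only lines that look
# like a plain OpenSSH public key: key type, base64 blob, optional comment.
# Anything else (garbage, error text, or an authorized_keys option field such
# as command=...) is dropped, so a malformed or tampered response cannot alter
# what sshd treats as an authorized key.
filter_pubkeys() {
    grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( [^[:space:]]+)?$'
}

# main USER: refuse to run with an exposed credential, then fetch and filter.
main() {
    if ! cred_file_is_private "$CRED_FILE"; then
        echo "refusing to run: $CRED_FILE is readable by group/other" >&2
        exit 1
    fi
    "$FETCH_CMD" "$1" | filter_pubkeys
}

# Only act when executed directly under the assumed wrapper name, so the
# functions can also be sourced for testing.
if [ "${0##*/}" = "pi-authkeys-wrapper" ]; then
    main "$@"
fi
```

Install the script as /usr/local/bin/pi-authkeys-wrapper (root-owned, mode 0755), create an unprivileged user for it, and point sshd at it with `AuthorizedKeysCommand /usr/local/bin/pi-authkeys-wrapper %u` and `AuthorizedKeysCommandUser <that user>` in sshd_config; the credential file is then chowned to that user with mode 0400, so a compromise of any other local account does not yield the privacyIDEA credential.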