by subway 3008 days ago
If you're using straight passwords, sure, an ssh key (ideally in a directory) is going to beat a password-only login, but that ssh key is still subject to credential theft. I'm in the process of migrating an environment off of ssh-key authentication over to password+otp based kerberos (FreeIPA, though AD makes this easy too). A single password+otp login gets an 8 hour (non-renewable, in this environment) ticket. At the end of those 8 hours, users have to obtain another ticket with a password+otp. What's particularly nifty about this scheme is that it's useful for not only ssh access, but internal https services as well.
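The comment's value proposition rests on the ticket policy actually being enforced: a TGT that quietly lives for 24 hours, or that is renewable for a week, is the same kind of long-lived credential the migration was meant to retire. The following audit script is an added example, not the commenter's code or anything shipped by FreeIPA: it parses MIT `klist` output (assumed to use the default US-style `%m/%d/%Y %H:%M:%S` timestamps) and flags any ticket whose lifetime exceeds the 8 hour policy or that carries a `renew until` line. The ticket listing embedded below is constructed, not captured from a real host.

```python
"""Audit an MIT Kerberos credential cache listing against a ticket policy.

Added example: checks that tickets honour the "8 hour, non-renewable"
policy described in the comment above. Run `klist | python this_file.py`
on a real host, or run it as-is against the constructed sample.
"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumption: klist prints times in the MIT default US format.
KLIST_TIME = "%m/%d/%Y %H:%M:%S"
_TS = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"
TICKET_RE = re.compile(rf"^{_TS}\s+{_TS}\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s+renew until {_TS}")

# Constructed sample klist output (not from a real system).
SAMPLE_KLIST = """Ticket cache: KEYRING:persistent:1000:1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2024 09:00:00  01/15/2024 17:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
01/15/2024 09:05:12  01/15/2024 17:00:00  host/bastion.example.com@EXAMPLE.COM
01/15/2024 09:10:40  01/16/2024 09:10:40  HTTP/intranet.example.com@EXAMPLE.COM
\trenew until 01/22/2024 09:10:40
"""


@dataclass
class Ticket:
    service: str
    valid_from: datetime
    expires: datetime
    renew_until: Optional[datetime] = None  # set only for renewable tickets

    @property
    def lifetime(self) -> timedelta:
        return self.expires - self.valid_from


def parse_klist(text: str) -> List[Ticket]:
    """Turn klist output into Ticket records, attaching renew-until lines."""
    tickets: List[Ticket] = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(
                service=m.group(3),
                valid_from=datetime.strptime(m.group(1), KLIST_TIME),
                expires=datetime.strptime(m.group(2), KLIST_TIME),
            ))
            continue
        r = RENEW_RE.match(line)
        if r and tickets:
            # A "renew until" line always follows the ticket it belongs to.
            tickets[-1].renew_until = datetime.strptime(r.group(1), KLIST_TIME)
    return tickets


def audit(tickets: List[Ticket],
          max_life: timedelta = timedelta(hours=8),
          allow_renewal: bool = False) -> List[str]:
    """Return one finding per policy violation; an empty list means compliant."""
    findings = []
    for t in tickets:
        if t.lifetime > max_life:
            findings.append(f"{t.service}: lifetime {t.lifetime} exceeds policy {max_life}")
        if t.renew_until is not None and not allow_renewal:
            findings.append(f"{t.service}: renewable until {t.renew_until}, "
                            "but policy forbids renewal")
    return findings


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    for finding in audit(parse_klist(source)):
        print("VIOLATION:", finding)
```

Against the sample, the krbtgt and host tickets pass (exactly 8 hours, no renewal), while the HTTP service ticket produces two findings: a 24 hour lifetime and a one-week renewal window. On a FreeIPA deployment those limits come from the realm ticket policy rather than from `krb5.conf` on the client, so the check is most useful as a periodic confirmation that the KDC policy is what you believe it is.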