You can tell people to lock their SSH keys with a password and store them on an encrypted drive, but counting on users is something I never do. People can strip the password encoding off a key, or choose to use some SSH client that stores the key password in a non-encrypted file. <br>
<br>I used to like LDAP and Kerberos, but a high percentage of admins hate LDAP auth. People who know LDAP and/or Kerberos are a serious minority. I have had the fight multiple times (the infamous "LDAP is one more thing to break" argument). So I have moved on with my life.<br>
<br>My argument is: I use SSH keys because the client server interaction is not based on
short text strings that are easy to give away. I can push out keys to
appropriate servers and control access. <br><br>I definitely understand why people do not like NOPASSWD, but I just do not get having a password for sudo when it does not take one to get into the system. I do not count the password the user chose to lock their key with as a password.<br>
<br><br><div class="gmail_quote">On Sat, Jan 7, 2012 at 8:32 PM, Pete Wright <span dir="ltr"><<a href="mailto:pete@nomadlogic.org">pete@nomadlogic.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
On Sat, 07 Jan 2012 17:25:31 -0800, Edward Capriolo <<a href="mailto:edlinuxguru@gmail.com" target="_blank">edlinuxguru@gmail.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
It isn't laziness. When I was "sold" on SSH keys the concept was that<br>
passwords are hard to rotate and not safe because people write them down on<br>
napkins, share them, etc. So since I have "bought into" this philosophy it<br>
seems contradictory to me to have sudo use a password.<br>
</blockquote>
<br>
Well, your keys are locked with a password, aren't they? So I'm not sure that is a good argument to use SSH key-based authentication...<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
-p<br>
<br>
-- <br>
Pete Wright<br>
<a href="mailto:pete@nomadlogic.org" target="_blank">pete@nomadlogic.org</a><br>
<a href="http://www.nomadlogic.org" target="_blank">www.nomadlogic.org</a><br>
</font></span></blockquote></div><br>
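The concern raised at the top of this thread is that a user can strip the passphrase off a private key, so a policy of "keys are password-locked" cannot simply be assumed. The following is an added example (not code from anyone on this list) showing how an administrator can audit key files for that condition: it parses the header of the modern openssh-key-v1 format to read the cipher and KDF names (both "none" means no passphrase), and falls back to the Proc-Type header that legacy PEM keys carry when encrypted. All key files, paths and blob contents below are constructed placeholders, not real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_openssh_key_blob(ciphername: str, kdfname: str) -> str:
    """Build a constructed, hypothetical openssh-key-v1 file for testing.
    Only the fields the audit reads (ciphername, kdfname) are meaningful;
    the public/private payload sections are dummy zero bytes."""
    body = OPENSSH_MAGIC
    body += _ssh_string(ciphername.encode())
    body += _ssh_string(kdfname.encode())
    body += _ssh_string(b"")           # kdfoptions (empty placeholder)
    body += struct.pack(">I", 1)       # number of keys in the file
    body += _ssh_string(b"\x00" * 32)  # public key placeholder
    body += _ssh_string(b"\x00" * 64)  # private section placeholder
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def _read_string(buf: bytes, off: int):
    """Read one SSH wire 'string' at offset off; return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def private_key_is_encrypted(pem_text: str) -> bool:
    """Return True if the private key file is protected by a passphrase."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        ciphername, off = _read_string(blob, off)
        kdfname, off = _read_string(blob, off)
        # An unencrypted key records cipher 'none' and kdf 'none'.
        return not (ciphername == b"none" and kdfname == b"none")
    # Legacy PEM (RSA/DSA/EC): encrypted keys carry RFC 1421 style headers
    # directly after the BEGIN line, e.g. "Proc-Type: 4,ENCRYPTED".
    headers = []
    for line in lines[1:]:
        if not line or ":" not in line:
            break
        headers.append(line)
    return any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)


def find_unprotected_keys(files: dict) -> list:
    """Given {path: file contents}, return the sorted paths of keys with no passphrase."""
    return sorted(path for path, text in files.items()
                  if not private_key_is_encrypted(text))


# Constructed sample files (no real keys). The legacy bodies are dummy base64.
LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    "\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
LEGACY_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_KEY_FILES = {
    "/home/alice/.ssh/id_ed25519": make_openssh_key_blob("aes256-ctr", "bcrypt"),
    "/home/bob/.ssh/id_ed25519": make_openssh_key_blob("none", "none"),
    "/home/carol/.ssh/id_rsa": LEGACY_ENCRYPTED,
    "/home/dave/.ssh/id_rsa": LEGACY_PLAIN,
}

if __name__ == "__main__":
    for path in find_unprotected_keys(SAMPLE_KEY_FILES):
        print("no passphrase:", path)
```

In practice the dictionary would be filled from a file walk over users' .ssh directories (or the key files a config-management system collects); the check reads only the header, so it never needs the passphrase and cannot recover key material. Note that it only tells you whether the on-disk file is encrypted, which is exactly the property the thread says cannot be taken on trust.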