
This occurred to me when looking at the security model WireGuard is using. Instead of relying on users' credentials and a central RADIUS authenticating server, each user has a private key used to authenticate to the VPN. This is modeled after SSH PKI.

But how does it work when users switch computers? In big organisations it is common for employees to move around a lot and log in to different machines. Is the idea for them to only have access to VPN and SSH from their own desks? Or are the keys stored on some local network file share?

  • In my experience, PKI private keys are typically contained in a smart card or some other device that the user carries with them, and require a PIN or password to access/unlock. It would be unwise (generally) to keep them in permanent storage on a workstation, or especially on a network drive. – pmdba Feb 24 '21 at 23:35
  • Thanks @pmdba, that makes sense. Just checked, though, that OpenSSH didn't have an option for hardware keys like YubiKey until the quite recent version 8.2. As much as I like this solution, I understand that it wasn't a standard practice. How have enterprises managed private keys then? Thumbdrives? – Daniel Krajnik Feb 25 '21 at 18:51
