Remove the need for Password Complexity in Linux - Use SSH Keys?


StevePC
06-26-2007, 11:52 PM
We are looking at the concept of using SSH keys for remote access to Linux servers as a way of removing username / password complexity requirements.

I'm interested to hear opinions on whether this is creating other PCI issues as SSH key generation does not normally have password complexity enforced. To add to this, users have the option to set no password on their SSH key, in which case the issue becomes focussed upon key protection and storage.

Are there opinions on workable measures that would pass a PCI audit under this scenario?

Steve

lyalc
06-28-2007, 05:09 AM
Can the implementation ensure that access only occurs for authorised individuals, and that access is logged in sufficient detail to forensically determine 'who did what when'?

This might be do-able, but possibly difficult. For instance, SSH is more or less a 'network' layer tool that provides sessions and logs that are not always linked to activity in the OS or the application(s) involved.

Lyal