[brlug-general] [SAGE] The danger of SSH keys..
Dustin Puryear
dustin at puryear-it.com
Mon Jan 22 12:15:34 CST 2007
And that last point is what concerns me.
With passwords on servers, *I* control the minimum strength. I can
require a certain complexity, that one exists, etc. With SSH keys,
that is difficult if not impossible to do.
So, to me, while SSH keys may set the bar higher initially, I
ultimately have more control with passwords.
---
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com
Author:
"Best Practices for Managing Linux and UNIX Servers"
"Spam Fighting and Email Security in the 21st Century"
Download your free copies:
http://www.puryear-it.com/publications.htm
Monday, January 22, 2007, 11:59:57 AM, you wrote:
> On Mon, 2007-01-22 at 08:55 -0600, Dustin Puryear wrote:
>> If I have a system that doesn't allow keys, I can check for weak
>> passwords in the local system password database using various tools.
>> But I can't really *ENFORCE* a check against user keys (i.e., I can't
>> check for weak passwords or no passwords).
> You can check for passphrase-less keys by attempting to load the key
> into an ssh-agent. If it loads up, then you have a key with no
> passphrase.
> Regarding strength, I'd be inclined to write a wrapper around
> ssh-keygen. You could grab the passphrase before generating the key and
> create some dummy, using that passphrase as the passwd. This would allow
> you to enforce the same password policy that you have specified via
> PAM.
> If all was well, ssh-keygen could then generate the key pair.
> Dunno how I would restrict key pair generation to just my wrapper script
> though...
> --Larry
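Larry's ssh-agent test answers the "no passphrase" question one key at a time; the same fact can be read straight from the key file, which makes it auditable in bulk. The Python below is an added example, not code from this thread: it classifies a private key as passphrase-protected or not by reading the cipher and KDF names in the OpenSSH key container header (and the Proc-Type header of legacy PEM keys), using a constructed fixture instead of real key material.

```python
import base64
import binascii
import struct

# openssh-key-v1 container: magic, string ciphername, string kdfname,
# string kdfoptions, uint32 nkeys, ...  "none"/"none" means no passphrase.
MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf, off):
    """Read one SSH wire 'string' (uint32 length prefix + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_protection(pem_text):
    """Return 'encrypted', 'unencrypted' or 'unknown' for a private key file's text."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines and lines[0] == BEGIN and lines[-1] == END:
        try:
            blob = base64.b64decode("".join(lines[1:-1]), validate=True)
        except binascii.Error:
            return "unknown"
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 8:
            return "unknown"
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, _ = _read_string(blob, off)
        return "unencrypted" if cipher == b"none" and kdf == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by a header line.
    if lines and lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        return "encrypted" if encrypted else "unencrypted"
    return "unknown"


def constructed_openssh_key(cipher, kdf):
    """Constructed test fixture: a minimal openssh-key-v1 container whose header
    names the given cipher/KDF. It carries no real key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1) + s(b"") + s(b"")
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{BEGIN}\n{body}\n{END}\n"


if __name__ == "__main__":
    for label, text in [("no passphrase", constructed_openssh_key(b"none", b"none")),
                        ("passphrase", constructed_openssh_key(b"aes256-ctr", b"bcrypt"))]:
        print(label, "->", key_protection(text))
```

Run over each authorized_keys owner's private keys (or, more usefully, on a workstation baseline) to flag "unencrypted" results; for keys that only ever exist as public halves on the server, the check has nothing to read, which is exactly the limitation Dustin describes.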