[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SAGE] The danger of SSH keys..

To: sage-members@usenix.org, general@brlug.net
Subject: [SAGE] The danger of SSH keys..
From: "Dustin Puryear" <dustin@puryear-it.com>
Date: Mon, 22 Jan 2007 08:55:28 -0600
Organization: Puryear Information Technology, LLC
Reply-To: "Dustin Puryear" <dustin@puryear-it.com>
Sender: owner-sage-members@usenix.org

Other than making a policy of "Put passwords on your SSH keys", how do
you handle the danger of some users potentially not using passwords on
their keys?

I'm interested in real-world ways to manage this issue. Policy
statements don't cut it for me. :)

If I have a system that doesn't allow keys, I can check for weak
passwords in the local system password database using various tools.
But I can't really *ENFORCE* a check against user keys (i.e., I can't
check for weak passwords or no passwords).

How are you dealing with this?

---
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author:
  "Best Practices for Managing Linux and UNIX Servers"
  "Spam Fighting and Email Security in the 21st Century"

Download your free copies:
  http://www.puryear-it.com/publications.htm

Follow-Ups:
- Re: [SAGE] The danger of SSH keys..
  - From: "Dana Quinn" <dquinn@gmail.com>
- Re: [SAGE] The danger of SSH keys..
  - From: Leon Towns-von Stauber <leonvs@occam.com>
- Re: [SAGE] The danger of SSH keys..
  - From: Larry Underhill <lgu@pobox.com>
- Re: [SAGE] The danger of SSH keys..
  - From: Paul Lussier <p.lussier@comcast.net>

Prev by Date: Re: [SAGE] Are cheap SSL certificates legitimate?
Next by Date: Re: [SAGE] The danger of SSH keys..
Prev by thread: Re: [SAGE] Budget pricing
Next by thread: Re: [SAGE] The danger of SSH keys..
Index(es):
- Date
- Thread