Re: [SAGE] The danger of SSH keys..
On Jan 22, 2007, at 6:55 AM, Dustin Puryear wrote:
> Other than making a policy of "Put passwords on your SSH keys", how do
> you handle the danger of some users potentially not using passwords on
> their keys?
>
> I'm interested in real-world ways to manage this issue. Policy
> statements don't cut it for me. :)
>
> If I have a system that doesn't allow keys, I can check for weak
> passwords in the local system password database using various tools.
> But I can't really *ENFORCE* a check against user keys (i.e., I can't
> check for weak passwords or no passwords).
>
> How are you dealing with this?
Checking to see that a password is set can be done; it's easy
to tell if someone's private SSH key is encrypted, and you can
script a loop through user homedirs and private key files to do
that.
Checking for weak passwords is something else, and part of a
larger problem. You're presented with the same issue trying to
crack passwords encrypted with a modern hashing algorithm, like
SHA or Blowfish, or using more secure password storage, like
Password Server on Mac OS X. Currently available computing
resources make it practically impossible to run an effective
check for weak passwords (which is, of course, exactly the
point).
AFAICT, the only real solution there is to run a check on the
password when it's set, and you have access to the cleartext
password. In the case of SSH keys, maybe you could write a
wrapper for ssh-keygen that first runs the password through
John the Ripper or something, before encrypting the SSH key.
_____________________________________________________________
Leon Towns-von Stauber http://www.occam.com/leonvs/
"We have not come to save you, but you will not die in vain!"
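An added example (not from this thread or its authors) of the homedir sweep Leon describes: it classifies each private key by its on-disk header rather than by trying to crack anything, and goes beyond the 2007 case by also recognising PKCS#8 keys and the newer openssh-key-v1 format. The home-root layout and the sample key files are assumptions; on a live host, `ssh-keygen -y -P '' -f KEY` (which succeeds only on a key with no passphrase) is an equivalent check.

```shell
#!/bin/sh
# Added example: find private SSH keys that have no passphrase.
# Header inspection only, so it runs without ssh-keygen or OpenSSL.

# Print "unencrypted", "encrypted" or "unknown" for one key file.
key_state() {
    f=$1
    first=$(head -n 1 "$f")
    case $first in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # openssh-key-v1: the base64 body starts with "openssh-key-v1\0"
            # followed by the cipher name; "b3BlbnNzaC1rZXktdjEAAAAABG5vbmU"
            # is the fixed prefix for cipher "none", i.e. no passphrase.
            body=$(sed -n 2p "$f")
            case $body in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) echo unencrypted ;;
                b3BlbnNzaC1rZXktdjEA*)            echo encrypted ;;
                *)                                echo unknown ;;
            esac ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted ;;   # PKCS#8
        "-----BEGIN PRIVATE KEY-----")           echo unencrypted ;; # PKCS#8
        "-----BEGIN "*" PRIVATE KEY-----")
            # Legacy PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then echo encrypted
            else echo unencrypted; fi ;;
        *) echo unknown ;;
    esac
}

# Walk every .ssh directory under a home root (assumed layout: ROOT/user/.ssh)
# and report keys without a passphrase. Returns 1 if any were found, so it
# can be wired into cron or a monitoring check.
audit_homes() {
    root=$1; found=0
    for f in "$root"/*/.ssh/id_* "$root"/*/.ssh/*_key; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        if [ "$(key_state "$f")" = unencrypted ]; then
            echo "NO PASSPHRASE: $f"; found=1
        fi
    done
    return $found
}
```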