Re: [SAGE] The danger of SSH keys..
I think the issue is that in many situations people can generate keys on
machines over which you don't have any control whatsoever. If I can log in
to your server from my laptop, you don't have any way to ensure that I've
put a good passphrase on my private key; whereas if I'm logging in with a
password, you can do things on the server side to ensure that I've chosen
a good one.

Then again, you can't control what I do with my excellent password; I
might write it down on a post-it stuck to my monitor, or repeat it aloud a
hundred times in the same room as my pet parrot, or put it in my profile
on MySpace, or whatever. There's only so much you can do to prevent users
from screwing up; telling them what to do, and punishing them if you catch
them not doing it, may be your best bet in many cases. (And if you can't
justify something more hardcore, like physical token based security, or
whatever.)
-Josh (irilyth@infersys.com)