
Re: [SAGE] The danger of SSH keys..



On Mon, 2007-01-22 at 08:55 -0600, Dustin Puryear wrote:

> If I have a system that doesn't allow keys, I can check for weak
> passwords in the local system password database using various tools.
> But I can't really *ENFORCE* a check against user keys (i.e., I can't
> check for weak passwords or no passwords).

You can check for passphrase-less keys by attempting to load the key
into an ssh-agent. If it loads up, then you have a key with no
passphrase. 

Regarding strength, I'd be inclined to write a wrapper around
ssh-keygen. You could grab the passphrase before generating the key and
create some dummy, using that passphrase as the passwd. This would allow
you to enforce the same password policy that you have specified via
PAM. 

If all was well, ssh-keygen could then generate the key pair. 

Dunno how I would restrict key pair generation to just my wrapper script
though... 

--Larry
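The passphrase check Larry describes (try to load the key, see if it loads) can also be done offline by reading the key file's own headers, which is convenient for a cron audit of every ~/.ssh on a host. This is an added example, not code from the thread; it assumes the standard OpenSSH and PEM private-key layouts and builds its own constructed key headers for self-testing rather than using real keys.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(blob: bytes, off: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def is_unprotected(key_text: str) -> bool:
    """True when the private key would load without any passphrase."""
    lines = key_text.strip().splitlines()
    first = lines[0]
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # openssh-key-v1 layout: magic, string ciphername, string kdfname, ...
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        return cipher == b"none" and kdf == b"none"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return False          # PKCS#8, encrypted by definition
    if first == "-----BEGIN PRIVATE KEY-----":
        return True           # PKCS#8, cleartext
    if first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encrypted files carry a Proc-Type header
        return "Proc-Type: 4,ENCRYPTED" not in key_text
    raise ValueError("not a recognised private key file")

def make_openssh_sample(cipher: bytes, kdf: bytes) -> str:
    """Constructed openssh-key-v1 header (not a real key) for self-testing."""
    def s(b): return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # e.g. /home/*/.ssh/id_*
        with open(path) as fh:
            if is_unprotected(fh.read()):
                print(f"{path}: no passphrase")
```

Only the header is inspected, so the script never needs the passphrase and never touches an agent.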