Re: [SAGE] The danger of SSH keys..
Hal Pomeranz wrote:
>> If you're not up to coding it yourself you could submit a feature
>> request (with associated offer to fund development if you really want
>> it). If the OpenSSH folks added it themselves it could likely be managed
>> via an associated config option.
>
> The problem with doing this as a config option is that any such checks
> would of course have to be implemented in the client binaries (including
> ssh-keygen). The problem is that there's no way to enforce global
> administrative policies on the client side, because the user can always
> override configuration settings in ssh_config with command-line options.
> It's similar to the problem of trying to enforce StrictHostKeyChecking
> across an entire site.
>
True, and it doesn't get around people installing their own client binaries.
I wonder if there'd be value in extending the SSH protocol to also allow
encrypting the public key with a passphrase, which could then be
validated for length on the server during initial handshake.
Bryan
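The thread's point is that a passphrase requirement cannot be enforced from the client side (users override ssh_config and can run their own binaries), and the protocol gives the server no view of whether the private key on the other end is encrypted. What an administrator can do is audit the key files they can actually read. The script below is an added example, not code from the thread or from OpenSSH: it decides whether a private key file is passphrase-protected by parsing the header of the openssh-key-v1 container (the ciphername field is "none" for unencrypted keys) and, for the legacy PEM format, by looking for the "Proc-Type: 4,ENCRYPTED" header. The sample key files in it are constructed in-line (only the header fields, no real key material) so that it runs offline; the function and variable names are this example's own.

```python
import base64
import os
import struct

# Magic prefix of the openssh-key-v1 container used by modern ssh-keygen output.
OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _read_string(buf, offset):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def openssh_key_is_encrypted(pem_text):
    """Return True if the private key text is passphrase-protected.

    openssh-key-v1: the first string after the magic is the cipher name,
    which is 'none' for an unencrypted key. Legacy PEM (RSA/DSA/EC):
    encrypted keys carry a 'Proc-Type: 4,ENCRYPTED' header line.
    """
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-style private key")
    if lines[0] == OPENSSH_HEADER:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        ciphername, offset = _read_string(blob, len(OPENSSH_MAGIC))
        kdfname, _ = _read_string(blob, offset)  # e.g. b"bcrypt" or b"none"
        return ciphername != b"none"
    return any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in lines[1:])


def find_unencrypted(key_texts):
    """key_texts: {name: file contents}. Returns names of unencrypted keys."""
    return sorted(name for name, text in key_texts.items()
                  if not openssh_key_is_encrypted(text))


# --- constructed samples (header fields only, no key material) ---------------

def _constructed_openssh_blob(ciphername, kdfname):
    # magic | ciphername | kdfname | kdfoptions (empty) | number of keys = 1
    def s(b):
        return struct.pack(">I", len(b)) + b
    return OPENSSH_MAGIC + s(ciphername) + s(kdfname) + s(b"") + struct.pack(">I", 1)


def _wrap_openssh(blob):
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return OPENSSH_HEADER + "\n" + body + "\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_UNENCRYPTED = _wrap_openssh(_constructed_openssh_blob(b"none", b"none"))
SAMPLE_ENCRYPTED = _wrap_openssh(_constructed_openssh_blob(b"aes256-ctr", b"bcrypt"))
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

AAAA
-----END RSA PRIVATE KEY-----
"""
SAMPLE_LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"


def scan_directory(path):
    """Audit every id_* file in a directory (e.g. a user's ~/.ssh)."""
    texts = {}
    for name in os.listdir(path):
        if name.startswith("id_") and not name.endswith(".pub"):
            with open(os.path.join(path, name)) as fh:
                texts[name] = fh.read()
    return find_unencrypted(texts)


if __name__ == "__main__":
    samples = {"plain": SAMPLE_UNENCRYPTED, "good": SAMPLE_ENCRYPTED,
               "legacy_good": SAMPLE_LEGACY_ENCRYPTED, "legacy_plain": SAMPLE_LEGACY_PLAIN}
    print("unencrypted keys:", find_unencrypted(samples))
```

Run against a real home directory the check only tells you which stored keys lack a passphrase; it cannot say anything about keys users keep elsewhere, which is exactly the gap the thread describes.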