Re: [SAGE] The danger of SSH keys..
"Dustin Puryear" <dustin@puryear-it.com> writes:
> If I have a system that doesn't allow keys, I can check for weak
> passwords in the local system password database using various tools.
> But I can't really *ENFORCE* a check against user keys (i.e., I can't
> check for weak passwords or no passwords).
>
> How are you dealing with this?
We run a Kerberos realm, but that doesn't really do more than shift
the problem, though krb5 has policies which help enforce better
passwords and the like. On the other hand, we also allow keys as a
fallback mechanism because of the number of automated tests we run at
night that use ssh and "can't rely upon tickets"... As a result, most
of our developers end up never kinit'ing and then fall back to their
keys and never realize it.
--
Seeya,
Paul