Re: Re[2]: [SAGE] The danger of SSH keys..

[Theodore Tso <tytso@mit.edu>]

On Mon, Jan 22, 2007 at 12:15:34PM -0600, Dustin Puryear wrote:
> And that last point is what concerns me.
> 
> With passwords on servers, *I* control the minimum strength. I can
> require a certain complexity, that one exists, etc. With SSH keys,
> that is difficult if not impossible to do.

You said, "real world" when you kicked off this thread, right?

In the real world, the *users* control whether or not an obnoxious
password policy causes them to write the password which is placed on
sticky note attached to their workstation.  In another real world
example, the security office set some obnoxious password policy that
caused passwords to be impossible to remember, and then required
changing said obnoxious passwords every 30 days.  But this was at a
company where the traders were making bazillions of dollars every day,
and rule #1 was "thou should not piss off the traders, for they make
your company rich and can go find a job with the competition".  So the
company hired a set of runners who were given the traders' passwords,
and every morning before the traders came in, the runners would run
around to all of the trading workstations and log in the traders so
they wouldn't have to. 

The bottom line here is that you have to be reasonable.  If the
password policy is too draconian, people *will* work around it,
whatever way they can.  And the only way you can prevent that is with
policy; but if that's the case, why not trust your users (shocking
concept, I know) and rely on a policy statement in the first place?
You can always back it up with some random scans of people's home
directories looking for unprotected keys.

						- Ted