RE: Logging into SSH

• Previous message: Darren Tucker: "Re: 3.7.1p2 client ignores rsa2 public key authentication on HPUX 10.20"
• Maybe in reply to: Richard Watson: "Logging into SSH"
• Next in thread: Dave Howe: "Re: Logging into SSH"
• Reply: Dave Howe: "Re: Logging into SSH"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "'Dave Howe'" <DaveHowe@cmn.sharp-uk.co.uk>, "Email List: Secure Shell" <secureshell@securityfocus.com>
Date: Fri, 27 Feb 2004 13:40:19 +1100

>
> Richard Watson wrote:
> > Hi,
> > Does anybody know how to force SSH to require username/password AND
> > public key authentication before allowing a login?
> [Dave Howe]
> why would you want to? I suppose it would be possible, but
> only by recompiling. the public key should be password
> protected anyhow...
>
Because using only public key authentication removes centralised policy
control over the "secret" (ie your private key). Corporate security can tell
you that you MUST protect your private key with a passphrase, the passphrase
can't be just "mysshkey", and that you should change it on at least a
semi-regular basis until they are blue in the face, but they can't FORCE you
to apply this (good) advice. If you leave your private key unprotected and
someone gets hold of it (doh!), then if the server requires BOTH public key
auth AND password auth, there is also a secondary layer of protection where
these policies can be enforced.

I'd be happy for someone to correct me on this or suggest a scheme whereby
some of these policies can be mandated, because it's a big black mark
against the public key mechanism IMHO. <flame suit on>

Duncan Ball

• Previous message: Darren Tucker: "Re: 3.7.1p2 client ignores rsa2 public key authentication on HPUX 10.20"
• Maybe in reply to: Richard Watson: "Logging into SSH"
• Next in thread: Dave Howe: "Re: Logging into SSH"
• Reply: Dave Howe: "Re: Logging into SSH"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]