Re: Requiring non-empty passphrase.
From: Brian Lund (blund_at_iastate.edu)
Date: Wed, 28 Apr 2004 15:28:23 -0500 To: email@example.com
-----BEGIN PGP SIGNED MESSAGE-----
I would say no. Public keys are not encrypted with passphrases, it is
the private keys that are encrypted. When a client wants to log in
with their key, it must be decrypted before it can be used for
authentication. The trick is that this decryption of the private key
is done on the client side and the server never sees the private key
in any form, encrypted or otherwise.
Now if you are the system admin you could do something like allowing
only keys generated on the server to be used for login or something
using some clever scripts. But if any user can put a random public
key in the server and log in using the associated private key, there
is no way given current public/private key standards to tell if that
private key was encrypted or not. All you as the system admin have
access to is the public key which is the same either way.
Quite frankly I think that this is the lesser of two evils. The idea
behind public/private key authentication is I (the user) convince you
(the server) that I know something (in this case my private key)
without actually telling you what it is. So not only do you not know
my secret, but neither would anyone else who's listening in. I
suppose I could tell you I've encrypted my private key, but would you
just take my word for it? And if I actually gave you the key to
verify that, even if it was encrypted all you would need to do is
guess my passphrase to pretend to be me, which gives no more security
than simple password authentication. And more importantly, that's all
anyone else who's listening in would have to do.
Maybe too much information, but I hope I helped answer your question :)
Iowa State Cyber Corps
PGP Key ID: 0x22314551
Steven Carter wrote:
|Is there a way to require public keys with non-empty passphrases?
|like PermitEmptyPasswords except for public keys.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----