Re: Enforce Passphrase on keys



On Thu, 2008-07-03 at 09:31 -0500, Michael Wisniewski wrote:
Hi!

I've been trying to dig around and find a way to enforce passphrases
on private keys when you authenticate. The closest post that I can
find would be...

http://marc.info/?l=openssh-unix-dev&m=106941429416956&w=2

---
if openssl rsa -noout -passin pass:none -in /path/to/key ; then
echo user is a dork
fi
---

However, how does one go about implementing this if their private key
is on the local system? If the private key is on your server, you
could probably put it in a login script. But being that it is on the
local system, how would you go about verifying the passphrase?

The reason why I'm going down this road is because we have had
problems where a user's private key is compromised. Some user's do
not use passphrases on their private keys. Once a key is copied off
the system, the attacker then logs in without worrying about
passwords. My idea is to have the server deny the connection if a
passphrase does not exist on a private key.


Thanks!

don't thing something like this is possible. the way to go is to enforce
the security policies on the local system (so it does not get
compromised) and user education. appropriate action against the user who
did not follow company security policies should be taken, let them be
aware of that.

other method would be to replace the keys authentication with something
more scalable, e.g. Kerberos.

Martin.



Relevant Pages

  • Re: What can a hacker do with a user private key?
    ... > If you have someone's private key, you're a big step closer to having access ... but I've implemeneted ssh for a number of clients over ... interactive scripts; however, ... testing for null passphrases... ...
    (comp.security.ssh)
  • Re: Requiring non-empty passphrase.
    ... I would say no. Public keys are not encrypted with passphrases, ... The trick is that this decryption of the private key ... is done on the client side and the server never sees the private key ...
    (SSH)
  • Enforce Passphrase on keys
    ... I've been trying to dig around and find a way to enforce passphrases ... how does one go about implementing this if their private key ... local system, how would you go about verifying the passphrase? ... My idea is to have the server deny the connection if a ...
    (SSH)
  • Re: Feature request
    ... You cannot enforce any kind of passphrases at all. ... to encrypt the private key; it is on the client side, ... PB> the webserver keeps the public key and the belonging fingerprint. ...
    (comp.security.ssh)
  • Re: Computer Certificate Private Key
    ... Only v2 certificate templates give you the control that you desire. ... I have auto enrollment for computer template. ... It is not a security breach if *you* decide to put the private key on the ... >>> If I use different computer and i tried to authenticate, to IAS, ...
    (microsoft.public.security)