Re: How to forbid unencrypted Keys?

From: Juha Laiho (Juha.Laiho_at_iki.fi)
Date: 03/20/05

    Date: Sun, 20 Mar 2005 19:42:10 +0000 (UTC)
    
    

    Wolfgang <nobody@pappnas.de> said:
    >I wonder why the SSH protocol doesn't care about the client keys. My problem
    >is, I am responsible for the security on a central server, on which a
    >lot of people use interactive login. I noticed several times that, due
    >to their ease or lack of understanding, sometimes people use unencrypted
    >keys (and not ssh-agents). Because I am not able to scan the keys on
    >all clients I want to restrict access only to encrypted keys. Is there a
    >patch to openssh available or any other ideas?

    Other idea: I'm not sure whether there is any reliable way for the server
    to find out how the key is stored on the client. The simple way would be
    to have the client tell the server "yes, the key was retrieved from
    encrypted storage" or "the key was stored as plaintext" - but then,
    I don't see a way how the client could prove this.

    >and furthermore the clients shouldn't use unencrypted keys on this server,
    >is there a tool out there to scan secret keys for encryption (yes I
    >have root ;-).

    Root you may have, but do you have the (legal) authority - perhaps,
    as this concerns the security of the system, and other connected
    systems - but still, make sure you stay within confines of your local
    legislation.

    -- 
    Wolf  a.k.a.  Juha Laiho     Espoo, Finland
    (GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
             PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
    "...cancel my subscription to the resurrection!" (Jim Morrison)
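
The kind of scan asked about above, for private key files an administrator is authorized to read; this is an added example, not part of the original post or of OpenSSH. The function names are hypothetical, and the `openssh-key-v1` branch covers a file format that postdates this thread.

```python
import base64
import struct
import sys

MAGIC = b"openssh-key-v1\x00"  # start of the decoded body in the newer OpenSSH format

def openssh_cipher(body_b64):
    """Return the ciphername field that follows the magic in an openssh-key-v1 blob."""
    blob = base64.b64decode(body_b64)
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    (n,) = struct.unpack_from(">I", blob, len(MAGIC))
    return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n].decode("ascii")

def key_protection(text):
    """Classify a private key file as 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or not (lines[0].startswith("-----BEGIN ")
                              and lines[0].endswith("PRIVATE KEY-----")):
        return "unknown"  # public key, certificate, or not a key file at all
    begin, body = lines[0], lines[1:-1]
    if begin == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return "encrypted"
    if begin == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            cipher = openssh_cipher("".join(body))
        except (ValueError, struct.error):  # bad base64, wrong magic, truncated
            return "unknown"
        return "unencrypted" if cipher == "none" else "encrypted"
    # Traditional PEM (RSA/DSA/EC): a passphrase shows up as a Proc-Type header.
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body):
        return "encrypted"
    return "unencrypted"

def constructed_openssh_key(cipher):
    """Constructed sample: header fields of an openssh-key-v1 file, no key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = MAGIC + s(cipher.encode()) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for path in sys.argv[1:]:  # the private key files being audited
        with open(path, errors="replace") as fh:
            print(path, key_protection(fh.read()))
```

The check reads only the file's headers, so it reports how a given copy of the key is stored and nothing about copies kept elsewhere.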
    
