Re: Forcing new password at login (w/o requiring an old password) (sudo related)

From: Richard E. Silverman (res_at_qoxp.net)
Date: 08/23/05
Date: 22 Aug 2005 22:20:36 -0400

>>>>> "AG" == Andrew Gideon <c182driver@gideon.org> writes:

    AG> With SSH, we can have someone create a keypair for their new
    AG> account, send us the public key, and they've the ability to log
    AG> in. No passwords exchanged, no security issues.

There are security issues nonetheless. Unless you use strong
authentication on the email (e.g. GPG, S/MIME), you don't know who sent
it. Anyone could send you a public key, forging the email address of
someone with a new account from whom you're expecting a message.

And if you've done the prerequisite work to enable secure email, you could
just as well use it to send a password securely. Now, SSH publickey
authentication has several advantages over passwords per se, but that's a
separate issue.

-- 
  Richard Silverman
  res@qoxp.net
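The enrollment-by-e-mail problem in the post, as an added example that is not part of the original message and not OpenSSH code: the naive path installs whatever key arrives for the claimed account, so a forged From: is enough; the checked path refuses anything not signed by a key the account holder registered in person, which stands in for the GPG/S/MIME step the post calls the prerequisite work. Everything here is constructed for the illustration: the Ed25519 signing keys (in place of GPG keys), the `ssh-key-enrollment` domain tag, the account names alice and Mallory, and the key comments. Only the authorized_keys line format and the SSH wire-string encoding are real.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Submission is what arrives by e-mail. There is no From: field: a mail header proves nothing.
type Submission struct {
	Account, KeyLine string // claimed account and the authorized_keys line to install
	Sig              []byte // nil when the sender did not sign
}

// SSH wire-format string: big-endian uint32 length followed by the bytes.
func sshString(b []byte) []byte {
	return append(binary.BigEndian.AppendUint32(nil, uint32(len(b))), b...)
}
func readSSHString(b []byte) (s, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, errors.New("truncated ssh string")
	}
	n := 4 + binary.BigEndian.Uint32(b)
	return b[4:n], b[n:], nil
}

// AuthorizedKeyLine renders an Ed25519 public key the way ssh-keygen prints it.
func AuthorizedKeyLine(pub ed25519.PublicKey, comment string) string {
	blob := append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob) + " " + comment
}

// ParseAuthorizedKey checks "<type> <base64> [comment]" and that the type inside the blob matches.
func ParseAuthorizedKey(line string) (keyType string, raw []byte, err error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return "", nil, errors.New("malformed authorized_keys line")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return "", nil, fmt.Errorf("bad base64: %w", err)
	}
	typ, rest, err := readSSHString(blob)
	if err != nil || string(typ) != fields[0] {
		return "", nil, errors.New("key type inside blob does not match type field")
	}
	if raw, _, err = readSSHString(rest); err != nil {
		return "", nil, err
	}
	return fields[0], raw, nil
}

// canonical is what gets signed: a domain tag plus both fields, so a signature
// for one account cannot be replayed to enrol the same key under another.
func canonical(account, keyLine string) []byte {
	return []byte("ssh-key-enrollment\x00" + account + "\x00" + strings.TrimSpace(keyLine))
}

// Enrollment holds the signing keys registered out of band, one per account
// (the "prerequisite work" in the post). Only these may vouch for an SSH key.
type Enrollment struct{ Trusted map[string]ed25519.PublicKey }

// NaiveAccept installs whatever arrives, trusting the claimed account.
func NaiveAccept(sub Submission) (string, error) {
	if _, _, err := ParseAuthorizedKey(sub.KeyLine); err != nil {
		return "", err
	}
	return sub.KeyLine, nil
}

// Accept installs the key only when the submission verifies under the account's
// registered signing key; unsigned or mis-signed mail is refused before parsing.
func (e Enrollment) Accept(sub Submission) (string, error) {
	signer, ok := e.Trusted[sub.Account]
	if !ok {
		return "", fmt.Errorf("no registered signing key for %q", sub.Account)
	}
	if !ed25519.Verify(signer, canonical(sub.Account, sub.KeyLine), sub.Sig) {
		return "", errors.New("no valid signature under the registered key")
	}
	return NaiveAccept(sub)
}

func main() {
	// Constructed scenario: alice registered signPub with the admins in person.
	signPub, signPriv, _ := ed25519.GenerateKey(rand.Reader)
	sshPub, _, _ := ed25519.GenerateKey(rand.Reader)
	admins := Enrollment{Trusted: map[string]ed25519.PublicKey{"alice": signPub}}
	line := AuthorizedKeyLine(sshPub, "alice@laptop")
	good := Submission{Account: "alice", KeyLine: line, Sig: ed25519.Sign(signPriv, canonical("alice", line))}
	fmt.Println(admins.Accept(good)) // installed
	// Mallory forges a mail "from alice" carrying Mallory's own SSH key, unsigned.
	malPub, _, _ := ed25519.GenerateKey(rand.Reader)
	forged := Submission{Account: "alice", KeyLine: AuthorizedKeyLine(malPub, "alice@laptop")}
	fmt.Println(NaiveAccept(forged))   // installed: Mallory can now log in as alice
	fmt.Println(admins.Accept(forged)) // refused
}
```

The two acceptors parse the same authorized_keys line; the only difference is that `Accept` first settles who sent it. Note that the signature covers the account name as well as the key line, so a genuine submission from alice cannot be re-sent with the account field changed to bob. Once a signing key is registered this way, the same channel carries a password just as safely, which is the post's second point.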
