Re: Force non-empty pass-phrase?

On Thu, 27 Apr 2006 00:52:27 -0400, Richard E. Silverman wrote:
"mark" == mark <mark@xxxxxxxxxx> writes:
mark> Does anybody know of a way to enforce a policy where ssh key
mark> pass-phrases should not be empty? It is one of the "weaknesses"
mark> of ssh as I see it that an administrator can't actually impose
mark> this constraint on access to his own server.

He can't, because it makes no sense. The server never sees the user's
private key. It has no control over where or how the key is stored. It's
like suggesting there's a lock out there that can "require" that you not
keep the key in your pocket.

Richard, of course I realise that it doesn't "make sense" wrt to the
fundamental design of ssh. The pass-phrase is only pertinent to
unlocking the user's private key and that is that. But surely it does
make "make sense" that an administrator may have a personal opinion that
users should not be allowed to use empty pass-phrases on their keys?
What I am saying is that it has always seemed to me a bit of a
deficiency of ssh that an administrator can not actually enforce this
policy on users to whom he is granting access to his server?

I guess it would be possible to write a script for root to traverse over
unix users client side home areas attempting to do some kind of
ssh-keygen operation on their keys and confirming that a pass-phrase is
prompted for? This doesn't address remote putty users etc, though.

.

Relevant Pages

  • Re: Force non-empty pass-phrase?
    ... WT> mark schrieb: ... mark> of ssh as I see it that an administrator can't actually impose ... mark> this constraint on access to his own server. ... >> enforce this policy on users to whom he is granting access to his ...
    (comp.security.ssh)
  • Re: ssh warning about man in middle attack
    ... >>> It is also possible that the host key has just been changed. ... this machine that you are trying to SSH to, ... The administrator has installed a new server with the same IP number? ...
    (comp.os.linux.security)
  • Re: ssh warning about man in middle attack
    ... >>> It is also possible that the host key has just been changed. ... this machine that you are trying to SSH to, ... The administrator has installed a new server with the same IP number? ...
    (comp.security.ssh)
  • problems when opening an ssh session
    ... I have an account on a Solaris 2.6 machine in which the administrator has ... which I have installed OpenSSH versions 3.4p1 and 3.5p1 respectively. ... Now if I open a connection from the SSH 3.2.0 client to the OpenSSH 3.5p1 ... server everything works properly, but if I open a connection from the SSH ...
    (SSH)
  • Re: Force non-empty pass-phrase?
    ... mark> of ssh as I see it that an administrator can't actually impose ... mark> this constraint on access to his own server. ... fundamental design of ssh. ...
    (comp.security.ssh)