Re: Force non-empty pass-phrase?
- From: mark <mark@xxxxxxxxxx>
- Date: Fri, 28 Apr 2006 09:21:47 +1000
On Thu, 27 Apr 2006 00:52:27 -0400, Richard E. Silverman wrote:
mark> Does anybody know of a way to enforce a policy where ssh key"mark" == mark <mark@xxxxxxxxxx> writes:
mark> pass-phrases should not be empty? It is one of the "weaknesses"
mark> of ssh as I see it that an administrator can't actually impose
mark> this constraint on access to his own server.
He can't, because it makes no sense. The server never sees the user's
private key. It has no control over where or how the key is stored. It's
like suggesting there's a lock out there that can "require" that you not
keep the key in your pocket.
Richard, of course I realise that it doesn't "make sense" wrt to the
fundamental design of ssh. The pass-phrase is only pertinent to
unlocking the user's private key and that is that. But surely it does
make "make sense" that an administrator may have a personal opinion that
users should not be allowed to use empty pass-phrases on their keys?
What I am saying is that it has always seemed to me a bit of a
deficiency of ssh that an administrator can not actually enforce this
policy on users to whom he is granting access to his server?
I guess it would be possible to write a script for root to traverse over
unix users client side home areas attempting to do some kind of
ssh-keygen operation on their keys and confirming that a pass-phrase is
prompted for? This doesn't address remote putty users etc, though.
- Prev by Date: Re: Dynamic (-D) proxy using OpenSSH Cygwin.. not working..
- Next by Date: Different Authentication meathods for Different users
- Previous by thread: Re: Force non-empty pass-phrase?
- Next by thread: Re: Force non-empty pass-phrase?