Re: Force non-empty pass-phrase?
- From: "Nico Kadel-Garcia" <nkadel@xxxxxxxxxxx>
- Date: Fri, 28 Apr 2006 12:43:20 -0400
Paul Hink wrote:
> mark <mark@xxxxxxxxxx> wrote:
>
>> I guess it would be possible to write a script for root to traverse
>> over unix users client side home areas attempting to do some kind of
>> ssh-keygen operation on their keys and confirming that a pass-phrase
>> is prompted for?
>
> I would not allow any SSH server to execute arbitrary code with the
> permissions of my client side user account. (And this could not
> prevent "malicious" users from deliberately using a key with a blank
> passphrase either. The client could always manipulate the server's
> control process and its environment.)

I've done that as an administrator in NFS based environments, and given
users gentle warnings about NFS published home directories with no password
SSH keys in them. It's a serious no-no in such an environment, since anyone
can pretend to be the user with a simple NFS client and access all their
files.
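
The home-directory audit discussed in this message, as an added example that is not part of the original thread or any poster's code: it classifies each private key by reading the file's own headers rather than invoking ssh-keygen, and it also covers the later `openssh-key-v1` format, which goes beyond what the 2006 thread had in view. The function names, the `home_root` argument and the sample strings are assumptions made for illustration.

```python
import base64, struct, sys
from pathlib import Path

MAGIC = b"openssh-key-v1\0"

def key_protection(text):
    """Classify key file text: 'encrypted', 'unencrypted', or None (not a private key)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or not (lines[0].startswith("-----BEGIN ")
                              and lines[0].endswith("PRIVATE KEY-----")):
        return None
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return "encrypted"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return None
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return None
        off = len(MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        # First field after the magic is the cipher name; "none" means no passphrase.
        return "unencrypted" if blob[off + 4:off + 4 + n] == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC): a passphrase shows up as a Proc-Type header.
    if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:3]):
        return "encrypted"
    return "unencrypted"

def audit_home_dirs(home_root):
    """Return paths of passphrase-less private keys under <home_root>/*/.ssh/."""
    findings = []
    ssh_dirs = (p for p in Path(home_root).glob("*/.ssh") if p.is_dir())
    for ssh_dir in sorted(ssh_dirs):
        for f in sorted(ssh_dir.iterdir()):
            try:
                if not f.is_file() or f.suffix == ".pub" or f.stat().st_size > 65536:
                    continue
                text = f.read_text(errors="replace")
            except OSError:
                continue
            if key_protection(text) == "unencrypted":
                findings.append(str(f))
    return findings

# Constructed samples (placeholder bodies, not real key material).
SAMPLE_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_LOCKED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

The audit only sees keys stored under the scanned home directories, so it supports the kind of warning described above and does not enforce anything on keys a user keeps elsewhere.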