Re: Please explain OpenSSH double authentication lack
- From: "Nico Kadel-Garcia" <nkadel@xxxxxxxxxxx>
- Date: Wed, 26 Jul 2006 11:44:56 -0400
Chuck wrote:
You should be able to enforce the use of encrypted private keys
through policy management. Even just something that scans the HD when
they connect to your network for id_[rd]sa files and looks for the
string ENCRYPTED.
Well, yes. But when I've done that, I've actually gotten yelled at. For
doing tasks not on my tasklist, but the real reason was that people who
found it inconvenient, even if I had helped them set up Pageant to manage
their keys.
It's also very difficult to scan directories that are not NFS or CIFS
published: laptops are the worst offenders, where people simply leave
unlocked keys, lists of passwords, etc. even while they go on the road,
where thieves and crackers will have physical access. Then there's the
frequent, unannounced publication of the C: drive as the share C$ on Windows
XP Pro: I've used that gaping hole to quietly probe a problem machine, and
to demonstrate the risks of having no Administrator password. And the same
people who use passphraseless SSH keys are the same ones likely to have no
Administrator password. "We have firewall! We trust our coworkers! They
signed a non-disclosure agreement! Etc., etc., etc."
.
- Follow-Ups:
- References:
- Please explain OpenSSH double authentication lack
- From: brontolo
- Re: Please explain OpenSSH double authentication lack
- From: Chuck
- Re: Please explain OpenSSH double authentication lack
- From: Nico Kadel-Garcia
- Re: Please explain OpenSSH double authentication lack
- From: Chuck
- Please explain OpenSSH double authentication lack
- Prev by Date: Re: Please explain OpenSSH double authentication lack
- Next by Date: Re: Please explain OpenSSH double authentication lack
- Previous by thread: Re: Please explain OpenSSH double authentication lack
- Next by thread: Re: Please explain OpenSSH double authentication lack
- Index(es):
Relevant Pages
|
