Re: Please explain OpenSSH double authentication lack

Nico Kadel-Garcia wrote:
Chuck wrote:

You should be able to enforce the use of encrypted private keys
through policy management. Even just something that scans the HD when
they connect to your network for id_[rd]sa files and looks for the
string ENCRYPTED.

Well, yes. But when I've done that, I've actually gotten yelled at. For
doing tasks not on my tasklist, but the real reason was that people who
found it inconvenient, even if I had helped them set up Pageant to manage
their keys.

It's also very difficult to scan directories that are not NFS or CIFS
published: laptops are the worst offenders, where people simply leave
unlocked keys, lists of passwords, etc. even while they go on the road,
where thieves and crackers will have physical access. Then there's the
frequent, unannounced publication of the C: drive as the share C$ on Windows
XP Pro: I've used that gaping hole to quietly probe a problem machine, and
to demonstrate the risks of having no Administrator password. And the same
people who use passphraseless SSH keys are the same ones likely to have no
Administrator password. "We have firewall! We trust our coworkers! They
signed a non-disclosure agreement! Etc., etc., etc."



Our company runs a winscript file whenever you log on to the network to
do some drive mappings and stuff like that. It shouldn't be too
difficult to add a check that the private key is encrypted.
.

Relevant Pages

  • Re: Please explain OpenSSH double authentication lack
    ... through policy management. ... they connect to your network for id_sa files and looks for the ... unlocked keys, lists of passwords, etc. even while they go on the road, ... to demonstrate the risks of having no Administrator password. ...
    (comp.security.ssh)
  • Re: Is Dynamic WEP Secure Enough?
    ... Forgive me for my ignorance and please correct me if I am wrong OR if I have wrongly understood these/ any of the replies to the Dynamic WEP question ... different users changing their keys at different points in time ... The physical security that is existing on the ground that can contribute and hence the probability of finding out a parking lot hacker ... WEP can be cracked in less than ten minutes (even on a network without ...
    (Security-Basics)
  • Re: local area connections
    ... Don't edit the reg. ... Type the following commands at a command prompt ... > in the registry i found referrences to the previous> numbers but there were also four other keys in the same> dir that the referrences to the numbers were in. ... >>shows up under network adapters. ...
    (microsoft.public.windowsxp.network_web)
  • Re: Renewing IP Address failed
    ... connection to use when I'm away from my wireless router. ... At first, going to Network ... >for replacing the winsock and winsock2 registry keys: ... deleting the Winsock keys. ...
    (microsoft.public.windowsxp.network_web)
  • Re: NetworkManager: A Users Review
    ... system-config-network, any scripts, or anything, just a clean FC5 ... services to start on start, and network to not, rebooted. ... and had a prior configuration set up manually. ... switched it to use 128 bit keys. ...
    (Fedora)