Re: [SAGE] The danger of SSH keys..
> It doesn't seem like it would be monumentally hard to add a check in the
> various OpenSSH binaries to require a non-empty key passphrase of a
> certain minimum length.
Agree with this part.
> If you're not up to coding it yourself you could submit a feature
> request (with associated offer to fund development if you really want
> it). If the OpenSSH folks added it themselves it could likely be managed
> via an associated config option.
The problem with doing this as a config option is that any such checks
would of course have to be implemented in the client binaries (including
ssh-keygen). The problem is that there's no way to enforce global
administrative policies on the client side, because the user can always
override configuration settings in ssh_config with command-line options.
It's similar to the problem of trying to enforce StrictHostKeyChecking
across an entire site.
--
Hal Pomeranz, Founder/CEO Deer Run Associates hal@deer-run.com
Network Connectivity and Security, Systems Management, Training
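Since the client side can't be made to refuse an empty passphrase, what an administrator is left with is detection: scanning the private key files that end up on managed hosts and flagging the ones stored without a passphrase. The following is an added example written for this thread, not code from OpenSSH or from the poster. It reads only the on-disk key headers, using the two formats OpenSSH writes: legacy PEM, where an encrypted key carries a "Proc-Type: 4,ENCRYPTED" header, and openssh-key-v1 (PROTOCOL.key), whose base64 body starts with the magic "openssh-key-v1\0" followed by the SSH strings ciphername and kdfname, both "none" for an unencrypted key. The sample key texts in the block are constructed, truncated stand-ins for real files; the function names (is_unprotected_key, scan) are this example's own.

```python
"""Flag SSH private keys stored without a passphrase (added example)."""
import base64
import struct
import sys

MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Decode an SSH wire-format string at offset off; return (bytes, new_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated SSH string length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string body")
    return buf[off:off + n], off + n


def is_unprotected_key(pem_text: str) -> bool:
    """True if the key has no passphrase, False if it is encrypted.

    Raises ValueError for text that is not an SSH private key."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, _ = _read_string(blob, off)
        # ssh-keygen writes cipher "none"/kdf "none" for a key with no
        # passphrase; a passphrase-protected key names a cipher and "bcrypt".
        return cipher == b"none" and kdf == b"none"
    if "PRIVATE KEY" in header:
        # Legacy PEM: encryption is signalled by the Proc-Type header.
        return not any(l.startswith("Proc-Type:") and "ENCRYPTED" in l
                       for l in lines[1:])
    raise ValueError("unrecognised PEM block: " + header)


def scan(paths):
    """Return {path: 'unprotected' | 'protected' | 'skipped'} for each file."""
    result = {}
    for p in paths:
        try:
            with open(p, "r", encoding="utf-8", errors="replace") as f:
                result[p] = "unprotected" if is_unprotected_key(f.read()) else "protected"
        except (OSError, ValueError):
            result[p] = "skipped"  # unreadable, or not a private key at all
    return result


def _synthetic_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample holding only the header fields the scanner reads.

    Not a usable key: a real file continues with kdfoptions, the key count,
    the public key and the (possibly encrypted) private section."""
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples: what ssh-keygen -N '' vs. ssh-keygen -N 'secret' leave on disk.
UNPROTECTED_V1 = _synthetic_openssh_key(b"none", b"none")
PROTECTED_V1 = _synthetic_openssh_key(b"aes256-ctr", b"bcrypt")

# Constructed legacy PEM samples; the body is a placeholder since only the
# headers matter for this check.
PROTECTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""
UNPROTECTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Usage: python audit_keys.py /home/*/.ssh/id_*
    for path, status in scan(sys.argv[1:]).items():
        print(f"{status:12s} {path}")
```

The check is header-only by design: it never needs a passphrase and never loads the key, so it can run from a cron job as root over every home directory on a host. It is still only an audit after the fact; as the post says, nothing here stops a user from generating the next key with an empty passphrase.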