On Friday 06 February 2004 05:13 am, Christian Tismer wrote:
> holger krekel wrote:
> > hello users of codespeak,
>
> [lots 'o trouble, sorry to hear that]
>
> > sorry for the inconvenience,
>
> My immediate reaction would be to disallow password
> only logins via ssh and to enforce to use keys with
> non-empty passphrases.

*blink* how do you force sshd to only accept keys with non-empty passphrases? The passphrase is a client-side issue, not under the control of the server's system administrator. Having sshd only accept authentication by key and not by password would indeed strengthen security a bit (but unless all clients use passphrases and/or keep their private keys securely -- nowadays, this means on a USB key of some sort, such as those that they're starting to build into wristwatches, pens, etc. -- only a bit).

> Also don't use email without encryption to give new
> passwords out. I have been hosed by this two times
> (last millennium of course :-)

However, it's quite safe for a server's sysadm to receive ssh public keys in unencrypted email. The worst a baddy can do upon intercepting that is allow the client to log in to the baddy's computer in a man-in-the-middle attempt, but he could do that easily anyway with a tweaked sshd that accepts any private key -- the real defenses against MitM attacks are others (including the client's awareness of the server's identification key...!!!).

Alex

_______________________________________________
[EMAIL PROTECTED]
http://codespeak.net/mailman/listinfo/pypy-dev
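An added example, not from this thread or from the PyPy/codespeak project: since, as Alex says, the passphrase is checked only on the client, this Python script reports whether an OpenSSH private key file is passphrase-protected, by reading the cipher/KDF fields of the openssh-key-v1 header (or the Proc-Type header of a legacy PEM key). The server-side counterpart is simply `PasswordAuthentication no` in sshd_config. The `make_sample()` helper and its values are constructed test input, not real keys.

```python
"""Client-side passphrase check for OpenSSH private keys (added example, not
from the pypy-dev thread). The server can only refuse password logins
(PasswordAuthentication no in sshd_config); whether a key has a non-empty
passphrase is visible only on the client, which is what this checks."""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # fixed header of the openssh-key-v1 format


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length, then bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_encrypted(pem_text: str) -> bool:
    """Return True if the private key in pem_text is passphrase-protected."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-framed private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Header layout: ciphername, kdfname, kdfoptions, number of keys, ...
        cipher, off = _read_string(body, len(MAGIC))
        kdf, _ = _read_string(body, off)
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM keys (e.g. "BEGIN RSA PRIVATE KEY") signal encryption
    # with a Proc-Type/DEK-Info header block right after the BEGIN line.
    return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)


def make_sample(cipher: bytes, kdf: bytes) -> str:
    """Constructed test input: only the openssh-key-v1 header fields, so it is
    NOT a usable key, but enough for key_is_encrypted() to classify it."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    body = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else make_sample(b"none", b"none")
    print("passphrase-protected" if key_is_encrypted(text) else "UNENCRYPTED")
```

Run it as `python check_key.py ~/.ssh/id_ed25519` to audit a real key; with no argument it classifies the constructed unencrypted sample.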
