Re: HEAD's UP: possible 0day SSH exploit in the wild
Michael Stone wrote:
[A way to enforce non-empty passwd on ssh-keys]
> You can't, which is why it is useful to have both passwords and keys
> simultaneously--you can enforce a policy on a password.

To cite Noah Meyerhans from his recent mail - my users would shoot me if I ever tried such a thing. Sadly, I'm not their boss, but they are more or less my customers, so putting a security policy in place requiring the previously stated mechanism would be more like starting a war than a small skirmish.

Sebastian
-- 
baboo

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: HEAD's UP: possible 0day SSH exploit in the wild
Jim Popovitch wrote:
> > ALLOW rules and SSH-keys.
>
> Is there a way to force keys AND passwd verification?

Normally you'd want to DISABLE PasswordAuthentication and ChallengeResponseAuthentication - unless you have a special and well-maintained setup like e.g. One-Time-Pads or such - because both can potentially be brute-forced way faster than SSH-keys... unless you happen to use a key generated with one of those "funny" buggy random sources from the past, in which case a well-maintained sshd nowadays will simply reject your key.

Something that would indeed be interesting is a way to enforce that the PRIVATE KEY is password-protected - sadly, you can't see this from the public key, and I'm not aware of any possibility to query the client concerning this specific matter.

Sebastian
-- 
baboo
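Editor's note, not part of either post above: the two messages raise three checkable points - whether sshd still lets a password or challenge-response alone log someone in, whether "keys AND password" can be required at all, and whether a private key is actually passphrase-protected (which, as Sebastian says, the server cannot see; the check has to run where the key file lives). The script below is an added example written for this page, not code from the thread or from OpenSSH. It assumes standard sshd_config semantics (first occurrence of a keyword wins, keywords are case-insensitive, unset keywords take the OpenSSH defaults) and the AuthenticationMethods keyword, which did not exist when this thread was written (it arrived in OpenSSH 6.2). The sample configs and key files are constructed inline; the key blobs carry the real openssh-key-v1 header but dummy payloads, so they are useless as keys and only exercise the header check.

```python
"""Audit helpers for the points raised in the thread: which methods can log a
user in single-handedly, and is a private key file passphrase-protected?
Added example; sample inputs are constructed, not captured from a real host."""
import base64
import struct

# OpenSSH defaults for the keywords we care about (assumed from the sshd_config
# man page; ChallengeResponseAuthentication is the pre-8.7 name of
# KbdInteractiveAuthentication).
SSHD_DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "authenticationmethods": "any",
}


def effective_settings(config_text):
    """Defaults overlaid with the global section of an sshd_config.
    First occurrence wins; comments stripped; stops at the first Match block,
    whose settings are conditional and out of scope here."""
    settings = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # "#PasswordAuthentication no" is a comment
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:
            seen.add(key)
            settings[key] = parts[1].strip()
    return settings


def single_factor_logins(config_text):
    """Set of methods that, on their own, authenticate a user under this config.
    Empty set means every path requires more than one method (e.g. AuthenticationMethods
    publickey,password, the 'keys AND passwd' Jim asked about)."""
    s = effective_settings(config_text)
    enabled = {
        "publickey": s["pubkeyauthentication"].lower() != "no",
        "password": s["passwordauthentication"].lower() != "no",
        "keyboard-interactive": s["challengeresponseauthentication"].lower() != "no",
    }
    methods = s["authenticationmethods"].lower()
    if methods == "any":
        return {m for m, on in enabled.items() if on}
    single = set()
    # Space separates alternatives; comma-joined methods within one alternative
    # must ALL succeed. Only one-method alternatives are single-factor paths.
    for alternative in methods.split():
        required = [m.split(":", 1)[0] for m in alternative.split(",")]
        if len(required) == 1 and enabled.get(required[0], False):
            single.add(required[0])
    return single


def is_passphrase_protected(key_text):
    """True if a private key FILE is encrypted; run this where the key lives,
    since the public key reveals nothing about it. Handles openssh-key-v1
    (cipher name is the first string after the magic) and legacy PEM
    (Proc-Type: 4,ENCRYPTED header)."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n].decode()
        return cipher != "none"
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)


def constructed_openssh_key(cipher):
    """Constructed openssh-key-v1 file with the given cipher name and a dummy
    payload. Exercises the header check above; it is NOT a usable key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(b"") +
            struct.pack(">I", 1) + s(b"dummy-public") + s(b"dummy-private"))
    body = base64.b64encode(blob).decode()
    wrapped = "\n".join(body[i:i + 70] for i in range(0, len(body), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed configs: the commented-out line in WEAK is the classic trap, the
# default (yes) still applies.
WEAK_SSHD_CONFIG = "Port 22\n#PasswordAuthentication no\nChallengeResponseAuthentication yes\n"
HARDENED_SSHD_CONFIG = "PubkeyAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"
TWO_FACTOR_SSHD_CONFIG = ("PasswordAuthentication yes\nChallengeResponseAuthentication no\n"
                          "AuthenticationMethods publickey,password\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG),
                      ("two-factor", TWO_FACTOR_SSHD_CONFIG)):
        print(f"{name}: single-factor logins = {sorted(single_factor_logins(cfg))}")
    print("encrypted key:", is_passphrase_protected(constructed_openssh_key(b"aes256-ctr")))
    print("plain key:    ", is_passphrase_protected(constructed_openssh_key(b"none")))
```

The config audit only answers "can one method alone get in"; it does not judge password strength, which is the part of Michael's point that a server-side policy can actually enforce. The key check is an offline file inspection for fleets where you control the client hosts; it is not the server-side query Sebastian wished for, which the SSH protocol still does not offer.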