[brlug-general] [SAGE] The danger of SSH keys..
Dustin Puryear
dustin at puryear-it.com
Mon Jan 22 14:33:48 CST 2007
Oh what a tangled web we weave. Communication channels continue to
become stronger, and yet the end-points still remain just as
vulnerable.
---
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com
Author:
"Best Practices for Managing Linux and UNIX Servers"
"Spam Fighting and Email Security in the 21st Century"
Download your free copies:
http://www.puryear-it.com/publications.htm
Monday, January 22, 2007, 2:10:00 PM, you wrote:
> "Dustin Puryear" <dustin at puryear-it.com> writes:
>> If I have a system that doesn't allow keys, I can check for weak
>> passwords in the local system password database using various tools.
>> But I can't really *ENFORCE* a check against user keys (i.e., I can't
>> check for weak passwords or no passwords).
>>
>> How are you dealing with this?
> We run a Kerberos realm, but that doesn't really do more than shift
> the problem, though krb5 has policies which help enforce better
> passwords and the like. On the other hand, we also allow keys as a
> fallback mechanism because of the number of automated tests we run at
> night that use ssh and "can't rely upon tickets"... As a result, most
> of our developers end up never kinit'ing and then fall back to their
> keys and never realize it.