cancel
Showing results for 
Search instead for 
Did you mean: 

enforce passphrase

 
SOLVED
Go to solution
F Verschuren
Esteemed Contributor

enforce passphrase

is if poseble to check on che client side:
that a user uses a passphrase
that the passphrase is 8 (ore more caracters)
that the passphrase hase one ore more capitals
....numbers
.... strange caracters

I have seen a server where is was not poseble to login whit a empty passphrase but I an not able te reporceduce this. please advice.
9 REPLIES 9
Laurent Menase
Honored Contributor
Solution

Re: enforce passphrase

The only way is to create an executable which calls the real ssh-keygen accessible for all users, parsing the entered field before passing them to ssh-keygen.
Then restrict other execution right of ssh-keygen and give a setuserid bit to ussh-keygen the one you wrote.

But this solution will not prevent any user to generate the key on his one pc, and copy them to your servers.
nightwich
Valued Contributor

Re: enforce passphrase

Hi Verchuren

I don't understand your true question.

When you setup a ssh key between 2 users .. You have 2 options ( put a passphrase or let in white the passphrase )..


Regards.

F Verschuren
Esteemed Contributor

Re: enforce passphrase

so it is not poseble on the client side to check if a passphrase has a non guesable string of caracters. so a server that is alowing passphrases is as bad as a server whitout passwd (restricktion)settings.
F Verschuren
Esteemed Contributor

Re: enforce passphrase

is it posseble to check if the user has a passprase ore not?
Dennis Handly
Acclaimed Contributor

Re: enforce passphrase

>is it possible to check if the user has a passphrase or not?

Looking at the two id_dsa.pub files, it isn't obvious.
Matti_Kurkela
Honored Contributor

Re: enforce passphrase

The security of SSH key authentication depends on the passphrase only if you assume that the actual SSH private key file is made accessible to absolutely everyone. Obviously, it isn't a good idea to actually do that.

When using password authentication, the primary authentication factor is the password, which supposedly only the authorized user knows. But when using SSH key authentication, the primary authentication factor is the possession of the private key.

The passphrase on a SSH private key is to safeguard against the chance that the key might fall to wrong hands; if the private key is protected in some other way (e.g. stored on a secure system, an encrypted disk or under a physical lock and key), the passphrase protection might not be necessary.

It is technically possible to make a SSH client that checks the quality of the passphrase; but because the SSH protocol is standardized, the user could always choose to use another client that does not perform the check.

It is not feasible for the SSH server to verify if the client has actually checked the passphrase quality, because nothing prevents the client from giving false information to the server.

The sshd server does not participate in the SSH key passphrase verification: the client only uses the passphrase to decrypt the private key locally.

To actually authenticate, the SSH client generates a "signature" message using the private key: if the server can verify the signature using the authorized public key, the client has proven it holds the private part of the authorized key - without disclosing the private key itself.

MK
MK
Doug O'Leary
Honored Contributor

Re: enforce passphrase

Hey;

The only way I know of to ensure a user has a passphrase on his private key is to get a copy of that private key and try to load it into a ssh-agent.

This would work if you have a limited subset of systems from which you could access all your other systems.

If, on the other hand, if you're like the vast majority of companies that allow ssh access from individual pcs, then it doesn't really cover the issue. The user could simply put a pass phrase on the key, give it to you, then take it back off again.

Passphrase generation and use has to be part of an overall policy statement - similar to not distributing passwords. There's no way to prevent one person from giving his password to another just as there are limited ways to validate passphrases on ssh keys. If you catch someone distributing their passwords or using a null passphrased key, *that's* when you get to have fun beating the miscreant.

Doug

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
F Verschuren
Esteemed Contributor

Re: enforce passphrase

Tanks all,
We are now looking in to ssh sercificates. this seems to be a option only has the same leeks as the other sollutions. It seems that ssh is more crapy than the old ways, yes it does encription but losing the abilety to check for users that does not comply to "passwd rulles" on there passphrase seems to be a open issue.
F Verschuren
Esteemed Contributor

Re: enforce passphrase

see reevius replay