enforce passphrase
04-20-2010 11:12 PM
that a user uses a passphrase
that the passphrase is 8 (or more) characters
that the passphrase has one or more capitals
.... numbers
.... strange characters
I have seen a server where it was not possible to log in with an empty passphrase, but I am not able to reproduce this. Please advise.
04-20-2010 11:41 PM
Solution
Then restrict the execute permission for others on ssh-keygen and give a setuserid bit to ussh-keygen, the one you wrote.
But this solution will not prevent any user from generating the key on his own PC and copying it to your servers.
04-22-2010 07:05 AM
Re: enforce passphrase
I don't understand your true question.
When you set up an SSH key between 2 users, you have 2 options (set a passphrase or leave the passphrase blank).
Regards.
04-22-2010 11:56 PM
Re: enforce passphrase
04-23-2010 12:02 AM
Re: enforce passphrase
04-23-2010 12:17 AM
Re: enforce passphrase
Looking at the two id_dsa.pub files, it isn't obvious.
04-23-2010 02:51 AM
Re: enforce passphrase
When using password authentication, the primary authentication factor is the password, which supposedly only the authorized user knows. But when using SSH key authentication, the primary authentication factor is the possession of the private key.
The passphrase on an SSH private key is to safeguard against the chance that the key might fall into the wrong hands; if the private key is protected in some other way (e.g. stored on a secure system, an encrypted disk or under a physical lock and key), the passphrase protection might not be necessary.
It is technically possible to make an SSH client that checks the quality of the passphrase; but because the SSH protocol is standardized, the user could always choose to use another client that does not perform the check.
It is not feasible for the SSH server to verify if the client has actually checked the passphrase quality, because nothing prevents the client from giving false information to the server.
The sshd server does not participate in the SSH key passphrase verification: the client only uses the passphrase to decrypt the private key locally.
To actually authenticate, the SSH client generates a "signature" message using the private key: if the server can verify the signature using the authorized public key, the client has proven it holds the private part of the authorized key - without disclosing the private key itself.
MK
04-23-2010 08:03 AM
Re: enforce passphrase
The only way I know of to ensure a user has a passphrase on his private key is to get a copy of that private key and try to load it into an ssh-agent.
This would work if you have a limited subset of systems from which you could access all your other systems.
If, on the other hand, you're like the vast majority of companies that allow ssh access from individual PCs, then it doesn't really cover the issue. The user could simply put a passphrase on the key, give it to you, then take it back off again.
Passphrase generation and use has to be part of an overall policy statement - similar to not distributing passwords. There's no way to prevent one person from giving his password to another just as there are limited ways to validate passphrases on ssh keys. If you catch someone distributing their passwords or using a null passphrased key, *that's* when you get to have fun beating the miscreant.
Doug
------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
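An added example, not part of the original thread: the check Doug describes (does a given copy of a private key carry a passphrase?) can also be made by inspecting the key file's format, because an unencrypted key is recognisable from its PEM headers or, in the newer OpenSSH key format (a generalisation beyond the DSA keys discussed here), from the cipher name at the start of the blob. The file names and key contents below are constructed samples, and as the replies point out, the result says nothing about passphrase quality or about copies of the key held elsewhere.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_is_encrypted(text):
    """True/False for the text of a private key file; None if not recognised."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return None
    header = lines[0]
    if header in ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----"):
        return header.startswith("-----BEGIN ENCRYPTED")    # PKCS#8 container
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"          # first field: cipher name
    if header.endswith(" PRIVATE KEY-----"):                # legacy PEM (RSA/DSA/EC)
        for ln in lines[1:]:
            if not ln:                                       # blank line ends the headers
                break
            if ln.startswith("Proc-Type:") and "ENCRYPTED" in ln:
                return True
        return False
    return None

def _openssh_sample(cipher):
    """Constructed header of an OpenSSH-format key; it holds no key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(b"none") + s(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples (dummy bodies, not real keys), keyed by a hypothetical path.
SAMPLES = {
    "alice/id_dsa": "-----BEGIN DSA PRIVATE KEY-----\nAAAA\n-----END DSA PRIVATE KEY-----\n",
    "bob/id_dsa": ("-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,"
                   + "0" * 32 + "\n\nAAAA\n-----END DSA PRIVATE KEY-----\n"),
    "carol/id_ed25519": _openssh_sample(b"none"),
    "dave/id_ed25519": _openssh_sample(b"aes256-ctr"),
}

def unprotected(samples):
    """Names of private keys that are stored without passphrase encryption."""
    return sorted(name for name, text in samples.items() if key_is_encrypted(text) is False)

print(unprotected(SAMPLES))
```

A public key such as an `id_dsa.pub` line returns `None` here, since the public half carries no trace of whether the private half is encrypted.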
06-15-2010 11:12 PM
Re: enforce passphrase
We are now looking into SSH certificates. This seems to be an option, only it has the same leaks as the other solutions. It seems that SSH is more crappy than the old ways; yes, it does encryption, but losing the ability to check for users that do not comply with "passwd rules" on their passphrase seems to be an open issue.
06-15-2010 11:13 PM