| 1 |
On Wed, 17 Sep 2008 14:21:41 +0200 |
| 2 |
Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 3 |
|
| 4 |
> On Wednesday 17 September 2008 13:16:57 Jil Larner wrote: |
| 5 |
> > Hello, |
| 6 |
> > |
| 7 |
> > You cannot. The reason for this is simple : you can copy as many |
| 8 |
> > times as you wish it your private key in any place. Even if you |
| 9 |
> > were able to check-up that a private key is passphrase-protected, |
| 10 |
> > it wouldn't mean every single copy of that key is protected so. And |
| 11 |
> > the interest of the private key is that only the owners possesses |
| 12 |
> > it and hides it; thus you shouldn't think about a mensual |
| 13 |
> > submission of the keyfile to automatically check it is protected, |
| 14 |
> > because it would open a serious security hole. |
| 15 |
> |
| 16 |
> Agreed. The hole I would like to close (or make smaller) is that the |
| 17 |
> key is the main security between the user's desktop machine and the |
| 18 |
> core routers on my network. We originally switched to ssh keys |
| 19 |
> because users will gladly share passwords with each other without |
| 20 |
> regard for consequences, and the administration of this is a |
| 21 |
> nightmare. |
| 22 |
> |
| 23 |
> Keys make for better security, but I would like it to be even better. |
| 24 |
> I also want to have my facts 100% straight - if I tell my boss "it |
| 25 |
> can't be done" I like to show research to back it up. There's nothing |
| 26 |
> worse than saying something can't be done, and someone else in the |
| 27 |
> room immediately says how it can be done ... :-) |
| 28 |
|
| 29 |
You could use keys AND passwords for the SSH. It should be trivial to |
| 30 |
set PAM up for it... |
Archives