On Wed, 17 Sep 2008 14:21:41 +0200
Alan McKinnon <alan.mckinnon@×××××.com> wrote:

> On Wednesday 17 September 2008 13:16:57 Jil Larner wrote:
> > Hello,
> >
> > You cannot. The reason for this is simple: you can copy your private
> > key as many times as you wish to any place. Even if you were able to
> > check that a private key is passphrase-protected, it wouldn't mean
> > every single copy of that key is so protected. And the interest of
> > the private key is that only the owner possesses it and hides it;
> > thus you shouldn't think about a monthly submission of the keyfile
> > to automatically check it is protected, because it would open a
> > serious security hole.
>
> Agreed. The hole I would like to close (or make smaller) is that the
> key is the main security between the user's desktop machine and the
> core routers on my network. We originally switched to ssh keys
> because users will gladly share passwords with each other without
> regard for consequences, and the administration of this is a
> nightmare.
>
> Keys make for better security, but I would like it to be even better.
> I also want to have my facts 100% straight - if I tell my boss "it
> can't be done" I like to show research to back it up. There's nothing
> worse than saying something can't be done, and someone else in the
> room immediately says how it can be done ... :-)

You could use keys AND passwords for the SSH. It should be trivial to
set PAM up for it...
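As an added example (not from anyone in this thread), here is a small Python check that tells whether a given OpenSSH private key file is passphrase-encrypted, which is the only thing a local audit on a workstation can establish about the one copy it inspects; the sample keys are constructed inline and are not real keys.

```python
import base64
import struct

# OpenSSH's own private-key container (ssh-keygen -o, ed25519 keys).
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def key_is_passphrase_protected(key_text: str) -> bool:
    """True if the private key text is encrypted under a passphrase.

    Recognises the three on-disk forms OpenSSH/OpenSSL write:
      * PKCS#8 'ENCRYPTED PRIVATE KEY' armour (always encrypted);
      * traditional PEM (RSA/DSA/EC) with a 'Proc-Type: 4,ENCRYPTED' header;
      * 'OPENSSH PRIVATE KEY', whose body starts with a ciphername field
        that reads 'none' when the key is stored in the clear.
    Raises ValueError for anything that is not a private key.
    """
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or "PRIVATE KEY-----" not in lines[0]:
        raise ValueError("not a PEM-framed private key")
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(body, len(OPENSSH_MAGIC))
        return cipher != b"none"
    # Traditional PEM: header lines sit between BEGIN and the blank line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
               for ln in lines[1:-1])


def _constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: only the header fields the parser reads."""
    body = OPENSSH_MAGIC
    for field in (cipher, kdf, b""):          # ciphername, kdfname, kdfoptions
        body += struct.pack(">I", len(field)) + field
    body += struct.pack(">I", 1)              # number of keys
    armour = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{armour}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_ENCRYPTED_OPENSSH = _constructed_openssh_key(b"aes256-ctr", b"bcrypt")
SAMPLE_PLAIN_OPENSSH = _constructed_openssh_key(b"none", b"none")
SAMPLE_ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        "QUJDREVGR0g=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAIN_PEM = "-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGR0g=\n-----END RSA PRIVATE KEY-----\n"
```

Server-side, the combination suggested in the reply above is what OpenSSH's `AuthenticationMethods publickey,password` directive enforces directly (added in OpenSSH 6.2, so not available at the time of this thread).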