passphrase quality
Dan Astoorian
djast at cs.toronto.edu
Sat Nov 17 09:35:00 EST 2001
On Fri, 16 Nov 2001 17:26:36 EST, Darren Moffat writes:
>
> Having said that I agree with the comment ssh-keygen shouldn't be pamified,
> what you might want to do though is follow the pam model and have a
> pluggable set of rules that guide a user into choosing a good passphrase.
Kind of like cracklib (which pam_cracklib uses)?
Cf. http://www.users.dircon.co.uk/~crypto/).
However, note that:
- cracklib is designed for passwords, not passphrases (it's aimed at
*short* strings);
- the dictionary that it checks against won't necessarily be the same on
all systems, so any kind of consistency would be nontrivial to
maintain.
Cracklib is simple enough to hook into ssh-keygen, and although it's
better than nothing as far as enforcing/encouraging passphrase quality
goes, I doubt it's worthwhile to try to support it officially.
(You'd need at least two separate configuration options--one for the
location of the library, and another for the location of the
dictionary.)
--
Dan Astoorian People shouldn't think that it's better to have
Sysadmin, CSLab loved and lost than never loved at all. It's
djast at cs.toronto.edu not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/ the other options really suck. --Dan Redican
More information about the openssh-unix-dev
mailing list