passphrase quality

Dan Astoorian djast at cs.toronto.edu
Sat Nov 17 09:35:00 EST 2001


On Fri, 16 Nov 2001 17:26:36 EST, Darren Moffat writes:
> 
> Having said that I agree with the comment ssh-keygen shouldn't be pamified,
> what you might want to do though is follow the pam model and have a
> pluggable set of rules that guide a user into choosing a good passphrase.

Kind of like cracklib (which pam_cracklib uses)?

Cf. http://www.users.dircon.co.uk/~crypto/.

However, note that:

- cracklib is designed for passwords, not passphrases (it's aimed at
  *short* strings);

- the dictionary that it checks against won't necessarily be the same on
  all systems, so any kind of consistency would be nontrivial to
  maintain. 

Cracklib is simple enough to hook into ssh-keygen, and although it's
better than nothing as far as enforcing/encouraging passphrase quality
goes, I doubt it's worthwhile to try to support it officially.

(You'd need at least two separate configuration options--one for the
location of the library, and another for the location of the
dictionary.)

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican
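The pluggable-rule model discussed in the message above, as an added illustration for this archive page (written here; it is not code from the original post, from OpenSSH or from cracklib): each rule takes a candidate passphrase and returns NULL when it passes or a reason string when it fails, the same calling convention cracklib's FascistCheck() uses, so a real cracklib call could sit in the table next to the local rules. The table of rules, the thresholds (20 characters, 4 words), the sample inputs and the embedded "dictionary" are all constructed for the example; a deployment would load its wordlist from a configured path, which is the second configuration option the post points out would be needed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A rule inspects a candidate passphrase and returns NULL when it is
 * acceptable, or a short reason when it is not (cracklib's
 * FascistCheck() follows the same NULL-or-message convention). */
typedef const char *(*passphrase_rule)(const char *phrase);

/* Thresholds chosen for this example; passphrases are judged on length
 * and word count, where a password checker looks at a few characters. */
#define MIN_LEN   20
#define MIN_WORDS 4

static const char *rule_min_length(const char *p) {
    return strlen(p) >= MIN_LEN ? NULL
                                : "too short: use at least 20 characters";
}

/* Count whitespace-separated words. */
static int count_words(const char *p) {
    int words = 0, in_word = 0;
    for (; *p; p++) {
        if (isspace((unsigned char)*p)) {
            in_word = 0;
        } else if (!in_word) {
            in_word = 1;
            words++;
        }
    }
    return words;
}

static const char *rule_min_words(const char *p) {
    return count_words(p) >= MIN_WORDS ? NULL
                                       : "too few words: use at least 4";
}

/* Constructed stand-in for a site wordlist. A real deployment would
 * read the list from a configured dictionary path instead, which is
 * why the post notes that different systems would disagree. */
static const char *const tiny_dictionary[] = {
    "password", "correct horse battery staple", "letmein", NULL
};

static const char *rule_not_in_dictionary(const char *p) {
    for (size_t i = 0; tiny_dictionary[i]; i++)
        if (strcasecmp(p, tiny_dictionary[i]) == 0)
            return "matches a dictionary entry";
    return NULL;
}

/* The pluggable rule table: add, drop or reorder checks here without
 * touching the caller. A cracklib wrapper could be another entry. */
static const passphrase_rule rules[] = {
    rule_min_length, rule_min_words, rule_not_in_dictionary, NULL
};

/* Run every rule in order; return the first complaint, or NULL if the
 * passphrase satisfies all of them. */
const char *check_passphrase(const char *phrase) {
    for (size_t i = 0; rules[i]; i++) {
        const char *why = rules[i](phrase);
        if (why)
            return why;
    }
    return NULL;
}

int main(void) {
    /* Constructed sample passphrases for the demonstration. */
    const char *samples[] = {
        "correct horse battery staple",
        "Tr0ub4dor&3",
        "supercalifragilisticexpialidocious",
        "the quick brown fox jumps over the lazy dog",
        NULL
    };
    for (size_t i = 0; samples[i]; i++) {
        const char *why = check_passphrase(samples[i]);
        printf("%-45s -> %s\n", samples[i], why ? why : "ok");
    }
    return 0;
}
```

The rule order matters only for which reason the user sees first; cheap structural checks go before the dictionary lookup so the wordlist is consulted only for phrases that already have reasonable length and word count.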



More information about the openssh-unix-dev mailing list