passphrase quality

Ladner, Eric (CLAD) CLAD at chevrontexaco.com
Sun Nov 18 10:16:03 EST 2001


I think the responses to the original email are missing his topic
as he stated it.

He was asking for ssh to comment on the quality of your passphrase
when you create it, i.e. something like this (fictionalized):

$ ssh-keygen
Enter passphrase:  My1Big2$Long3_Passphrase
ssh: on a scale of 1 to 10, your passphrase ranks a 10!
(it's got capitals, special chars, numbers, lowercase, etc..)

$ ssh-keygen
Enter passphrase: short
ssh: on a scale of 1 to 10, your passphrase ranks a 2!
(dictionary word)



-----Original Message-----
From: Steve VanDevender [mailto:stevev at darkwing.uoregon.edu]
Sent: Friday, November 16, 2001 4:36 PM
To: Darren Moffat
Cc: mouring at etoh.eviladmin.org; openssh-unix-dev at mindrot.org
Subject: Re: passphrase quality


Darren Moffat writes:
 > >No.  ssh-keygen should never be pamified. It is worthless to do so.
 > >
 > >If we are going to enforce passphrase quality it should be for all OSes.
 > >The world does not revolve around Linux.  No matter what the press may
 > >think.
 > 
 > The Linux community didn't invent PAM, Sun did.  Many more systems
 > than Linux have PAM, Solaris, HP-UX some BSDs for a start.
 > 
 > Having said that I agree with the comment ssh-keygen shouldn't be pamified,
 > what you might want to do though is follow the pam model and have a
 > pluggable set of rules that guide a user into choosing a good passphrase.

It occurs to me that hooking cracklib into ssh-keygen might be a more
generically useful approach, as it could be done even on systems that
don't have PAM and cracklib seems to be reasonably portable and flexible.
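As an added illustration of the feedback the mock-up above asks for (and of the kind of dictionary test a cracklib hook would contribute), here is a small standalone scorer. It is example code written for this page, not part of OpenSSH or cracklib; ssh-keygen performs no such check. The 12-bits-per-point scale, the toy word list standing in for a real dictionary, and the leet-substitution table are all assumptions chosen so the two mock-up inputs land on the scores the message shows.

```python
"""Rough passphrase quality scorer on a 1-10 scale (added example, not OpenSSH code).

Combines a length/character-class entropy estimate with cracklib-style
dictionary tests: the word as typed, with common "leet" substitutions undone,
and with leading/trailing digits and punctuation stripped.
"""
import math
import re
import string

# Constructed toy word list standing in for /usr/share/dict/words or cracklib's
# packed dictionary (assumption: a real deployment would load one of those).
TOY_DICTIONARY = {
    "short", "password", "secret", "dragon", "letmein", "welcome",
    "qwerty", "monkey", "sunshine", "passphrase",
}

# Assumed leet substitutions undone before dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-forcer would have to cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33
    return size


def entropy_bits(pw: str) -> float:
    """Optimistic entropy estimate: length * log2(alphabet size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def dictionary_base(pw: str):
    """Return the dictionary word the passphrase is built on, or None."""
    candidates = {pw.lower(), pw.translate(LEET).lower()}
    for cand in list(candidates):
        # strip leading/trailing non-letters, e.g. "password123" -> "password"
        candidates.add(re.sub(r"^[^a-z]+|[^a-z]+$", "", cand))
    for cand in candidates:
        if cand in TOY_DICTIONARY:
            return cand
    return None


def score_passphrase(pw: str):
    """Return (score 1-10, list of reasons).

    Assumption: about 12 estimated bits per point, capped at 10, with hard
    caps for dictionary-based, very short, or near-constant input.
    """
    reasons = []
    bits = entropy_bits(pw)
    score = max(1, min(10, round(bits / 12)))

    base = dictionary_base(pw)
    if base is not None:
        reasons.append(f"based on dictionary word '{base}'")
        score = min(score, 2)
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
        score = min(score, 3)
    if pw and len(set(pw)) <= 2:
        reasons.append("too few distinct characters")
        score = min(score, 1)
    if not reasons:
        classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                      if any(test(c) for c in pw))
        classes += any(not c.isalnum() for c in pw)
        reasons.append(f"{len(pw)} chars, {classes} character classes, ~{bits:.0f} bits")
    return score, reasons


def report(pw: str) -> str:
    """Format feedback the way the mock-up in the message does."""
    score, reasons = score_passphrase(pw)
    return (f"ssh: on a scale of 1 to 10, your passphrase ranks a {score}! "
            f"({'; '.join(reasons)})")


if __name__ == "__main__":
    for pw in ("My1Big2$Long3_Passphrase", "short", "P@ssw0rd", "aaaaaaaaaa"):
        print(report(pw))
```

Note the caveat built into the scoring: the entropy estimate is an upper bound that assumes every character was chosen uniformly, so the dictionary caps do the real work. "P@ssw0rd" looks like four character classes (score 4 on entropy alone) but normalizes to "password" and drops to 2, which is exactly the case a character-class-only checker gets wrong.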




