passphrase quality

Tim McGarry tim at mcgarry.ch
Tue Nov 20 06:29:14 EST 2001


This is exactly what I want. Obviously anybody can build their passphrases
on another ssh version, and I can't stop that. I'm assuming that if they've
got enough noodles to do that, then they probably understand the importance
of a good pass-phrase. I just want some sort of
prompt for novice ssh users that says something like the example below.

$ ssh-keygen
Enter passphrase: short
ssh: your password quality
your passphrase quality is 60%, would you like to re-enter a different
passphrase (Y/n) <CR>
Enter passphrase: BitBetter
your passphrase quality is 80%, would you like to re-enter a different
passphrase (Y/n) <CR>
Enter passphrase: VielB Esserm Ultil Ingual
your passphrase quality is 95%, would you like to re-enter a different
passphrase (Y/n) <CR>
Re-Enter passphrase: VielB Esserm Ultil Ingual

I don't really see the need to use crack or any other dictionary lookups, I
just want to stop users choosing simple one-word passphrases without being
warned of the dangers.

Obviously, this sort of check is not for everyone; it should probably be
either fixed at compile time or set in ssh_config (perhaps as a flag).

My preferred choice would be to make it available as a flag in ssh_config.

WeakPassPhrase={ALLOW|WARN|DENY}

Once the quality is over 90% the default choice should be to accept it,
obviously there's no point in annoying people by reading the pass-phrase a
second time until the quality level has been accepted.

Tim McGarry



----- Original Message -----
From: "Ladner, Eric (CLAD)" <CLAD at chevrontexaco.com>
To: <openssh-unix-dev at mindrot.org>
Sent: Sunday, November 18, 2001 12:16 AM
Subject: RE: passphrase quality


> I think the responses to the original email are missing his topic
> as he stated it.
>
> He was asking for ssh to comment on the quality of your passphrase
> when you create it, i.e something like this (fictionalized)
>
> $ ssh-keygen
> Enter passphrase:  My1Big2$Long3_Passphrase
> ssh: on a scale of 1 to 10, your passphrase ranks a 10!
> (it's got capitals, special chars, numbers, lowercase, etc..)
>
> $ ssh-keygen
> Enter passphrase: short
> ssh: on a scale of 1 to 10, your passphrase ranks a 2!
> (dictionary word)
>
>
>
> -----Original Message-----
> From: Steve VanDevender [mailto:stevev at darkwing.uoregon.edu]
> Sent: Friday, November 16, 2001 4:36 PM
> To: Darren Moffat
> Cc: mouring at etoh.eviladmin.org; openssh-unix-dev at mindrot.org
> Subject: Re: passphrase quality
>
>
> Darren Moffat writes:
>  > >No.  ssh-keygen should never be pamifed. It is worthless to do so.
>  > >
>  > >If we are going to enforce passphrase quality it should be for all OSes.
>  > >The world does not revolve around Linux.  No matter what the press may
>  > >think.
>  >
>  > The Linux community didn't invent PAM, Sun did.  Many more systems
>  > than Linux have PAM, Solaris, HP-UX some BSDs for a start.
>  >
>  > Having said that I agree with the comment ssh-keygen shouldn't be pamified,
>  > what you might want to do though is follow the pam model and have a
>  > pluggable set of rules that guide a user into choosing a good passphrase.
>
> It occurs to me that hooking cracklib into ssh-keygen might be a more
> generically useful approach, as it could be done even on systems that
> don't have PAM and cracklib seems to be reasonably portable and flexible.
>
>
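The prompt flow mocked up in the mail above, written out as an added example that is not OpenSSH code: ssh-keygen has no such check and no WeakPassPhrase option, so the quality heuristic (a character-class entropy estimate with a 50% penalty for a single bare word, no dictionary lookup, 80 bits mapped to 100%), the 90% accept threshold, the ALLOW/WARN/DENY semantics and the prompt strings are all assumptions modelled on the discussion. The percentages it produces differ from the numbers in the mock-up. The line readers are injectable so the flow can be driven from a script instead of a terminal.

```python
"""Passphrase quality prompt in the style of the ssh-keygen mock-up above.

Added illustration, not OpenSSH code: ssh-keygen has no such check and no
WeakPassPhrase option. The scoring heuristic and thresholds are assumptions.
"""
import getpass
import math
import re
import string

TARGET_BITS = 80.0   # assumed: entropy estimate that maps to 100 %
ACCEPT_AT = 90       # from the mail: at or above this, accept without asking


def charset_size(pp: str) -> int:
    """Size of the smallest 'obvious' alphabet containing every character."""
    size = 0
    if any(c.islower() for c in pp):
        size += 26
    if any(c.isupper() for c in pp):
        size += 26
    if any(c.isdigit() for c in pp):
        size += 10
    if any(c in string.punctuation for c in pp):
        size += len(string.punctuation)   # 32 ASCII symbols
    if any(c.isspace() for c in pp):
        size += 1
    return size or 1   # unknown classes contribute nothing (log2(1) == 0)


def passphrase_quality(pp: str) -> int:
    """Quality in percent, 0..100, from a crude entropy estimate.

    No dictionary lookup, as the mail asks for; the only word-list signal is
    that a single bare alphabetic word is halved, because it will be attacked
    by word list rather than by brute force. Runs of the same character are
    collapsed so 'aaaaaaaa' is not credited with eight characters of entropy.
    """
    if not pp:
        return 0
    collapsed = re.sub(r"(.)\1+", r"\1", pp)
    bits = len(collapsed) * math.log2(charset_size(pp))
    if len(pp.split()) == 1 and pp.isalpha():
        bits /= 2
    return min(100, int(100.0 * bits / TARGET_BITS))


def prompt_passphrase(policy: str = "WARN", read_line=None, ask=input,
                      emit=print) -> str:
    """Interactive flow from the mail; policy is WeakPassPhrase={ALLOW|WARN|DENY}.

    read_line(prompt) reads the secret (getpass, no echo, by default) and
    ask(prompt) reads the Y/n answer; both are injectable for scripted runs.
    Once quality is at or above ACCEPT_AT the passphrase is taken without a
    question, so a good passphrase is only ever typed twice.
    """
    policy = policy.upper()
    if policy not in ("ALLOW", "WARN", "DENY"):
        raise ValueError("WeakPassPhrase must be ALLOW, WARN or DENY")
    if read_line is None:
        read_line = getpass.getpass
    while True:
        pp = read_line("Enter passphrase: ")
        if policy == "ALLOW":
            break                       # no check at all
        q = passphrase_quality(pp)
        if q >= ACCEPT_AT:
            break                       # good enough: do not annoy the user
        if policy == "DENY":
            emit(f"ssh-keygen: passphrase quality {q}% is below "
                 f"{ACCEPT_AT}%, rejected")
            continue
        answer = ask(f"your passphrase quality is {q}%, would you like to "
                     "re-enter a different passphrase (Y/n) ")
        if answer.strip().lower().startswith("n"):
            break                       # WARN: the user was told and insists
    confirm = read_line("Re-Enter passphrase: ")
    if confirm != pp:
        raise ValueError("passphrases do not match")
    return pp


if __name__ == "__main__":
    print("accepted:", prompt_passphrase("WARN"))
```

Run it with no arguments to try the WARN flow on a terminal. The scorer is deliberately crude: it knows nothing about keyboard walks, leetspeak or common phrases, which is exactly the gap cracklib (suggested earlier in the thread) would fill if the maintainers wanted a dictionary check after all.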




More information about the openssh-unix-dev mailing list