Utility to scan for unpassworded SSH privkeys?

Damien Miller djm at mindrot.org
Sat May 25 14:36:10 EST 2013


On Fri, 24 May 2013, Nico Kadel-Garcia wrote:

> This is not a new flaw. It dates right back to the original SSH-1 and
> SSH-2, which were forked to create OpenSSH. It's also why the highly
> vaunted security of OpenBSD is fairly pointless, when such gaping
> configuration holes are the *default* configuration. ssh-keygen
> creates passphrase-free keys by default if you simply hit "Enter" a few
> times, and there is no way I've ever seen for ssh_config to reject
> them by default when loading local keys or loading them into an
> ssh-agent.

If you think it through, what you are asking for is basically impossible
outside of a hugely restricted environment (trivial evasion: upload a
custom ssh client that ignores your proposed restriction), and if you
happen to have a hugely restricted environment then you don't need it
to begin with.

-d
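The subject line asks for a utility that scans for unpassworded private keys. As an added example that is not part of this thread or of OpenSSH, the script below classifies private key files by looking only at their headers: a modern `openssh-key-v1` file records its cipher name right after the magic string (`none` means no passphrase), and a legacy PEM file carries a `Proc-Type: 4,ENCRYPTED` header when it is passphrase-protected. The sample keys inside the block are constructed header-only stubs, not real keys; the `scan_dir` function and the `~/.ssh` default are the example's own choices. In line with Damien's point, this is an audit aid for finding unprotected keys on disk, not a mechanism that can stop someone from using one.

```python
import base64
import struct
from pathlib import Path
from typing import Dict, Optional, Tuple

OPENSSH_MARKER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"   # magic string at the start of the decoded blob
PEM_MARKERS = (                          # legacy PEM key types written by ssh-keygen -m PEM
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN DSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)
PKCS8_PLAIN = "-----BEGIN PRIVATE KEY-----"
PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"


def _ssh_string(b: bytes) -> bytes:
    """Encode one SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Decode one SSH 'string' at offset; returns (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def key_encryption(text: str) -> Optional[str]:
    """Return "encrypted", "unencrypted", or None if this is not a private key we recognise."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines:
        return None
    head = lines[0]
    if head == OPENSSH_MARKER:
        # Body is base64 between the BEGIN and END markers; the cipher name
        # is the first string after the magic, and "none" means no passphrase.
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return None
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        try:
            cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        except ValueError:
            return None
        return "unencrypted" if cipher == b"none" else "encrypted"
    if head in PEM_MARKERS:
        # Legacy PEM: encrypted keys carry Proc-Type/DEK-Info headers before the base64.
        if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:]):
            return "encrypted"
        return "unencrypted"
    if head == PKCS8_ENCRYPTED:
        return "encrypted"
    if head == PKCS8_PLAIN:
        return "unencrypted"
    return None


def scan_dir(root: Path, max_bytes: int = 64 * 1024) -> Dict[str, str]:
    """Walk a directory and map each recognised private key path to its status."""
    results: Dict[str, str] = {}
    for path in root.rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size > max_bytes:
                continue
            kind = key_encryption(path.read_text(errors="replace"))
        except OSError:
            continue
        if kind is not None:
            results[str(path)] = kind
    return results


def make_openssh_stub(cipher: bytes, kdf: bytes) -> str:
    """Constructed header-only openssh-key-v1 file (magic, ciphername, kdfname,
    kdfoptions, key count). Enough for the classifier; it is not a usable key."""
    payload = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(payload).decode()
    return "\n".join([OPENSSH_MARKER, b64, "-----END OPENSSH PRIVATE KEY-----"]) + "\n"


# Constructed samples (not real keys) covering both formats and both states.
SAMPLE_OPENSSH_PLAIN = make_openssh_stub(b"none", b"none")
SAMPLE_OPENSSH_ENC = make_openssh_stub(b"aes256-ctr", b"bcrypt")
SAMPLE_PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nMIIEdummybody\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PEM_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                  "MIIEdummybody\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for p, status in sorted(scan_dir(Path.home() / ".ssh").items()):
        print(f"{status:12} {p}")
```

Run it as-is to audit `~/.ssh`, or point `scan_dir` at a mounted backup or home-directory tree. Only the header is inspected, so a key reported as "encrypted" may still have a weak passphrase, and a key in an unrecognised container is silently skipped rather than guessed at.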


More information about the openssh-unix-dev mailing list