Utility to scan for unpassworded SSH privkeys?

Nico Kadel-Garcia nkadel at gmail.com
Sun May 26 00:42:01 EST 2013


On Sat, May 25, 2013 at 5:35 AM, Martin Schröder <martin at oneiros.de> wrote:
> 2013/5/24 Nico Kadel-Garcia <nkadel at gmail.com>:
>> configuration holes are the *default* configuration. ssh-keygen
>> creates passphrase-free keys by default if you simply hit "Enter" a few
>> times, and there is no way I've ever seen for ssh_config to reject
>> them by default when loading local keys or loading them into an
>> ssh-agent.
>
> So where are your patches?

Excellent point. Let me see if I can pry loose some time this week to
submit a patch. But I'm concerned it will run into the "but that would
change people's workflow!!!!" world of rejected patches, even if the
patch is clean.

The "ssh-keygen should not accept blank passwords" looks a lot easier,
I'll take a shot at that as low hanging fruit. But I've had useful
security updates rejected before on the grounds that "if you don't
trust the machine you're on, you shouldn't be using it" and "chroot is
just security theater, people can get around it".
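The scanner the subject line asks for, as an added example that is not from this thread or from OpenSSH: it flags private key files that carry no passphrase, covering legacy PEM keys (passphrase protection shows up as the Proc-Type/DEK-Info headers), PKCS#8 keys (distinct BEGIN labels) and the newer openssh-key-v1 format (the cipher name inside the blob is "none"). The sample_openssh_key helper builds a constructed header-only blob for testing; it contains no real key material.

```python
import base64, re, struct
from pathlib import Path
from typing import Optional

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+?)-----\n(.*?)-----END \1-----", re.S)

def openssh_v1_cipher(b64_body: str) -> Optional[str]:
    """Cipher name stored in an openssh-key-v1 blob ("none" means no passphrase)."""
    raw = base64.b64decode("".join(b64_body.split()))
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic) or len(raw) < len(magic) + 4:
        return None
    off = len(magic)
    (n,) = struct.unpack(">I", raw[off:off + 4])   # uint32 length-prefixed string
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")

def is_unencrypted_private_key(text: str) -> Optional[bool]:
    """True for a passphrase-less private key, False if protected, None if not a key."""
    m = PEM_RE.search(text)
    if not m or not m.group(1).endswith("PRIVATE KEY"):
        return None
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8 encrypted variant
        return False
    if label == "OPENSSH PRIVATE KEY":            # new format names its cipher
        return openssh_v1_cipher(body) == "none"
    # Legacy PEM (RSA/DSA/EC): a passphrase adds Proc-Type/DEK-Info headers
    return "Proc-Type: 4,ENCRYPTED" not in body

def scan(root: str) -> list:
    """Sorted paths under root whose contents are an unencrypted private key."""
    hits = []
    for p in Path(root).expanduser().rglob("*"):
        if p.is_file():
            try:
                if is_unencrypted_private_key(p.read_text(errors="replace")):
                    hits.append(str(p))
            except OSError:
                pass                              # unreadable file: skip it
    return sorted(hits)

def sample_openssh_key(cipher: str) -> str:
    """Constructed test blob: magic + cipher + kdf names only, no key material."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    raw = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
    raw += struct.pack(">I", len(kdf)) + kdf
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Calling scan("~/.ssh") lists the files a user should re-key with a passphrase (ssh-keygen -p adds one in place).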


More information about the openssh-unix-dev mailing list