Utility to scan for unpassworded SSH privkeys?

Corinna Vinschen vinschen at redhat.com
Sun May 26 04:14:30 EST 2013


On May 25 10:42, Nico Kadel-Garcia wrote:
> On Sat, May 25, 2013 at 5:35 AM, Martin Schröder <martin at oneiros.de> wrote:
> > 2013/5/24 Nico Kadel-Garcia <nkadel at gmail.com>:
> >> configuration holes are the *default* configuration. ssh-keygen
> >> creates passphrase frees by default if you simply hit "Enter" a few
> >> times, and there is no way I've ever seen for ssh_config to reject
> >> them by default when loading local keys or loading them into an
> >> ssh-agent.
> >
> > So where are your patches?
> 
> Excellent point. Let me see if I can unpry some time this week to
> submit a patch. But I'm concerned it will run into the "but that would
> change people's workflow!!!!" world of rejected patches, even if the
> patch is clean.
> 
> The "ssh-keygen should not accept blank passwords" looks a lot easier,

So, how do you generate passphraseless keys in future?  There's a
legitimate scenario to use them, running cron-based automatic remote
tasks from a secure control server.  Do you really think it's the right
thing to do to break this?  If so, people will simply be annoyed and run
a patched version of ssh-keygen which disables this check.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat

