Utility to scan for unpassworded SSH privkeys?
Alan Barrett
apb at cequrux.com
Sun May 26 05:54:26 EST 2013
On Sat, 25 May 2013, Damien Miller wrote:
> Offering a control in ssh_config that is trivially bypassed is
> not giving our users security, it's selling them a lie.

No, it's neither security nor a lie, it's education, and it is
beneficial.

An error message of the form "I refuse to use that
non-password-protected key" can certainly be bypassed by editing a
config file or installing a different ssh client, but users won't
always bypass the message, they will sometimes add a password to
their key, which is the desired result. Editing the configuration
or installing a different ssh client might be a violation of
company policy, and the users will at least think about that
before doing it. Even if it's a personal system with no company
policy involved, the user will think at least a little about
whether to edit the config option or to add a password.
--apb (Alan Barrett)
More information about the openssh-unix-dev
mailing list