Utility to scan for unpassworded SSH privkeys?
Carson Gaspar
carson at taltos.org
Sun May 26 06:38:59 EST 2013
On 5/25/13 4:33 AM, Damien Miller wrote:
> Sure, but the layers have to actually offer some security and not
> just the theatre of "we have to do _something_!" Offering a control
> in ssh_config that is trivially bypassed is not giving our users
> security, it's selling them a lie.
I'm generally in your camp, Damien, but in this case there _is_ a real
benefit: culpability, in a legal sense. "Forgetting" to encrypt a
private key may be a policy violation. Circumventing the controls that
prevent you from using an unencrypted private key shows malicious
intent, which is a very different thing.
(I Am Not A Lawyer, insert disclaimer here...)
Note that I am not arguing in favour of the code change (I still lean
slightly against it), just pointing out that there is a valid argument
to be made for it.
--
Carson