Patch to discourage unencrypted key generation
Nico Kadel-Garcia
nkadel at gmail.com
Thu May 30 11:24:02 EST 2013
On Wed, May 29, 2013 at 3:14 PM, Schaaf, Jonathan P (GE Healthcare)
<jonathan.P.schaaf at ge.com> wrote:
>>>> configuration holes are the *default* configuration. ssh-keygen
>>>> creates passphrase frees by default if you simply hit "Enter" a few
>>>> times, and there is no way I've ever seen for ssh_config to reject
>>>> them by default when loading local keys or loading them into an
>>>> ssh-agent.
>>>
>>> So where are your patches?
>>
>> Excellent point. Let me see if I can unpry some tome this week to submit a patch.
>> But I'm concerned it will run into the "but that would change people's workflow!!!!"
>> world of rejected patches, even if the patch is clean.
>
>
> I hope I'm not submitting something while Martin is halfway through working on this, but as previously noted, the real complexities are in the change to people's workflow. Let the beatings commence.
That was me, not Martin. Adding a "you have to type the secret
undocumented code phrase, without any manual page entry or
documentation whatsoever" is, indeed cause for beatings with a rubber
hammer. I was personally thinking "add a required '-z' command line
argument for a zero-length passphrase", since the ssh-keygen is
already using "-n" and "-e" for other options.
More information about the openssh-unix-dev
mailing list