Patch to discourage unencrypted key generation

Iain Morgan imorgan at nas.nasa.gov
Fri May 31 03:13:09 EST 2013


On Wed, May 29, 2013 at 20:24:56 -0500, John Hawkinson wrote:
> Schaaf, Jonathan P (GE Healthcare) <jonathan.P.schaaf at ge.com> wrote on Wed, 29 May 2013
> at 19:14:45 +0000 in <C2DDDB22B0AE094DB5F3CE04CB9E2F2615D393 at CINURCNA02.e2k.ad.ge.com>:
> 
> > I hope I'm not submitting something while Martin is halfway through
> > working on this, but as previously noted, the real complexities are
> > in the change to people's workflow.  Let the beatings commence.
> ...
> > + printf("Empty passphrases are a potential security risk. \n" );
> > + printf("Type \"I know\" to confirm that you want this: " );
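Review bot: the prompt in `+ printf("Type \"I know\" to confirm that you want this: " );` blocks on an interactive answer every time an empty passphrase is used, which breaks scripted host-key creation; gate the confirmation on the caller not having asked for an empty passphrase explicitly (e.g. `-N ''`) or on running as non-root, so automation is not affected. The warning text should also say why an empty passphrase is a risk and where to read more, for example by pointing at ssh-keygen(1); and the stray space before `\n` in `"Empty passphrases are a potential security risk. \n"` should go.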
> 
> I don't think this is the way to go.
> Among other things, it precludes easy automation of this, which is bad
> (esp., as was noted, for host keys).
> 
> Furthermore, it gives just enough information to not be helpful.
> WHY are they a security risk? WHERE can we find out more info? WHAT
> are the alternatives?
> 

What I would suggest is this:

	- Remove the "(empty for no passphrase)" part of the password
	  prompt
	- Only allow empty passwords with -A or -N ''
	- When run as non-root and using an empty password, print a
	  warning message and give a simple yes/no prompt to determine
	  whether or not to continue.
	- Document the use of -N '' in ssh-keygen(1)
	- Possibly add a SECURITY section to ssh-keygen(1) to provide
	  further details on the security implications of using empty
	  passwords and how to mitigate them

This avoids impacting the typical process of creating host keys and
minimally impacts the process for non-root users.

-- 
Iain Morgan
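As a defender-side complement to the thread's concern about keys generated without a passphrase, here is an added example (my own code, not part of the patch or of OpenSSH) that reports whether a private key file is passphrase-protected by reading the openssh-key-v1 container header, the PKCS#8 "ENCRYPTED PRIVATE KEY" label, or the legacy PEM "Proc-Type: 4,ENCRYPTED" header. The sample key blobs at the bottom are constructed for the demonstration and carry no real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_encrypted(key_text):
    """True if the private key is passphrase-protected, False if not.
    Handles the openssh-key-v1 container (ciphername/kdfname 'none' means
    no passphrase), PKCS#8 'ENCRYPTED PRIVATE KEY' and legacy PEM keys,
    which carry a 'Proc-Type: 4,ENCRYPTED' header when protected.
    Raises ValueError on anything else so junk is never reported as safe."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-framed private key")
    header, body = lines[0], lines[1:-1]
    if "OPENSSH PRIVATE KEY" in header:
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        return cipher != b"none" or kdf != b"none"
    if header.startswith("-----BEGIN ENCRYPTED PRIVATE KEY"):
        return True
    if "PRIVATE KEY" in header:
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                   for ln in body)
    raise ValueError("unrecognised private key header")

def _sample_openssh_key(cipher, kdf):
    """Constructed openssh-key-v1 header with no key material (demo only)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples: unprotected, protected, and a protected legacy PEM key.
UNPROTECTED = _sample_openssh_key(b"none", b"none")
PROTECTED = _sample_openssh_key(b"aes256-ctr", b"bcrypt")
LEGACY_PROTECTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "AAAA\n-----END RSA PRIVATE KEY-----\n")
```

Run `key_is_encrypted(path.read_text())` over the private keys in a user's ~/.ssh to list the ones that would fall under the warning proposed above.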

