Patch to discourage unencrypted key generation

Dan Kaminsky dan at doxpara.com
Fri May 31 04:43:29 EST 2013


Unpassworded SSH private keys are the most successful mechanism in the last decade for getting real users to use public key cryptography, rather than passwords, to identify themselves. 

Everything else is a miserable failure.

Don't mess with this one success.

Proper APIs for adding pubkeys to servers, that might be nice. We've let this authorized_keys situation kinda rot for a bit.

Sent from my iPhone

On May 30, 2013, at 10:13 AM, Iain Morgan <imorgan at nas.nasa.gov> wrote:

> On Wed, May 29, 2013 at 20:24:56 -0500, John Hawkinson wrote:
>> Schaaf, Jonathan P (GE Healthcare) <jonathan.P.schaaf at ge.com> wrote on Wed, 29 May 2013
>> at 19:14:45 +0000 in <C2DDDB22B0AE094DB5F3CE04CB9E2F2615D393 at CINURCNA02.e2k.ad.ge.com>:
>> 
>>> I hope I'm not submitting something while Martin is halfway through
>>> working on this, but as previously noted, the real complexities are
>>> in the change to people's workflow.  Let the beatings commence.
>> ...
>>> + printf("Empty passphrases are a potential security risk. \n" );
>>> + printf("Type \"I know\" to confirm that you want this: " );
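Review bot: the confirmation prompt in these two printf calls turns empty-passphrase generation into an interactive step, so any non-interactive caller (host key generation at install time, scripts that already pass -N '') would block waiting for the typed "I know"; gate the prompt on stdin being a terminal and skip it entirely when -N '' is given explicitly. The text itself should also name the risk and point at the relevant ssh-keygen(1) section instead of asking for a magic phrase. Minor: the first message has a stray space before the \n.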
>> 
>> I don't think this is the way to go.
>> Among other things, it precludes easy automation of this, which is bad
>> (esp., as was noted, for host keys).
>> 
>> Furthermore, it gives just enough information to not be helpful.
>> WHY are they a security risk? WHERE can we find out more info? WHAT
>> are the alternatives?
> 
> What I would suggest is this:
> 
>    - Remove the "(empty for no passphrase)" part of the password
>      prompt
>    - Only allow empty passwords with -A or -N ''
>    - When run as non-root and using an empty password, print a
>      warning message and give a simple yes/no prompt to determine
>      whether or not to continue.
>    - Document the use of -N '' in ssh-keygen(1)
>    - Possibly add a SECURITY section to ssh-keygen(1) to provide
>      further details on the security implications of using empty
>      passwords and how to mitigate them
> 
> This avoids impacting the typical process of creating host keys and
> minimally impacts the process for non-root users.
> 
> -- 
> Iain Morgan
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
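The warning the thread argues about is aimed at a property that is easy to check after the fact: whether a private key file on disk is stored encrypted at all. Below is an added example, not code from this thread or from OpenSSH, that classifies a key file by reading the cleartext metadata at the front of it: for new-format keys the ciphername and kdfname strings that follow the openssh-key-v1 magic (cipher "none" means no passphrase), for legacy PEM keys the Proc-Type and DEK-Info headers. The sample inputs are constructed headers with no real key material in them; the function names (key_protection, audit) and the wire layout assumed for the openssh-key-v1 header are this example's own.

```python
import base64
import struct
import sys

OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"
LEGACY_BEGINS = ("-----BEGIN RSA PRIVATE KEY-----",
                 "-----BEGIN DSA PRIVATE KEY-----",
                 "-----BEGIN EC PRIVATE KEY-----")
MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire 'string' (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def key_protection(text):
    """Classify a private key file's contents as (format, cipher, kdf).

    cipher == "none" means the key material is stored in the clear, i.e. the
    file was produced with an empty passphrase.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key file")
    if lines[0] == OPENSSH_BEGIN:
        # New-format keys: the base64 body starts with the magic, then the
        # ciphername and kdfname strings, which are unencrypted metadata.
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, _ = _read_string(blob, off)
        return ("openssh-key-v1", cipher.decode(), kdf.decode())
    if lines[0] in LEGACY_BEGINS:
        # Legacy PEM keys: encryption is signalled by RFC 1421 headers, and
        # OpenSSL derives the key with EVP_BytesToKey (MD5, a single round).
        encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                        for ln in lines)
        dek = next((ln.split(":", 1)[1].strip() for ln in lines
                    if ln.startswith("DEK-Info:")), "")
        if encrypted and dek:
            return ("pem", dek.split(",")[0], "EVP_BytesToKey")
        return ("pem", "none", "none")
    raise ValueError("unrecognized private key format")


def is_passphrase_protected(text):
    return key_protection(text)[1] != "none"


def audit(keys):
    """Given {name: file contents}, return the names stored without a passphrase."""
    return sorted(name for name, text in keys.items()
                  if not is_passphrase_protected(text))


# Constructed samples (NOT real keys): only the header fields needed for
# classification are present, so nothing here can serve as a credential.
def _fake_openssh_header(cipher, kdf):
    blob = MAGIC
    for field in (cipher.encode(), kdf.encode(), b""):  # ciphername, kdfname, kdfoptions
        blob += struct.pack(">I", len(field)) + field
    blob += struct.pack(">I", 1)  # number of keys; the key payload itself is omitted
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_BEGIN}\n{wrapped}\n{OPENSSH_END}\n"


SAMPLE_UNENCRYPTED = _fake_openssh_header("none", "none")
SAMPLE_ENCRYPTED = _fake_openssh_header("aes256-ctr", "bcrypt")
SAMPLE_LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "Zm9v\n"  # placeholder body, constructed
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Usage: python audit_keys.py ~/.ssh/id_ed25519 /etc/ssh/ssh_host_*_key
    # With no arguments, classify the constructed samples above.
    if len(sys.argv) > 1:
        keys = {p: open(p).read() for p in sys.argv[1:]}
    else:
        keys = {"sample-unencrypted": SAMPLE_UNENCRYPTED,
                "sample-encrypted": SAMPLE_ENCRYPTED,
                "sample-legacy-encrypted": SAMPLE_LEGACY_ENCRYPTED}
    for name, text in keys.items():
        print(name, *key_protection(text))
    print("unprotected:", audit(keys))
```

Run over a user's ~/.ssh or over /etc/ssh host keys, the script separates the case Iain's proposal treats as routine (host keys, expected to be unencrypted) from the case it wants to warn about (a user's identity key with cipher "none"), without needing a prompt in ssh-keygen at all.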

