making the passphrase prompt more clear

Nico Kadel-Garcia nkadel at gmail.com
Thu Sep 4 20:59:54 EST 2014


On Thu, Sep 4, 2014 at 6:11 AM, shawn wilson <ag4ve.us at gmail.com> wrote:
> This got me thinking, shouldn't this go through PAM so that password
> strength restrictions can be set as well? Obviously most ssh keys are
> created locally. But, if this were implemented, I think most distros
> would adopt the same strength criteria on this as they do with passwd
> and the like.

That... sounds wildly off-topic from the original note, and extremely
fragile. You'd have to route the existing 'ssh-keygen' tool, which is
an entirely local, well-contained, and very stable tool, through PAM,
which is in itself a maintenance and configuration nightmare. If you
think I'm kidding, just *look* at the contents of /etc/pam.d, and the
necessary changes for requirements such as password length or mixed
case policy, and their instability when modified by tools such as
"authconfig" in the Red Hat Linux world. On top of that, modifying
them locally for desired ssh-keygen policy would require hand-editing
the /etc/pam.d files.

I wouldn't encourage it for ssh-keygen, which works very reliably as is.


More information about the openssh-unix-dev mailing list