OpenSSH daemon security bug?
Davi Diaz
davi at leals.com
Wed Jan 6 09:43:02 EST 2010
Michael Stone wrote:
> It's true that for some threats a poorly managed ssh private key
> is weaker authentication than a well managed password.
>
> Trying to fix poor password management (brute force ssh password
> guessing doesn't work with well managed password policies) by
> mandating the use of ssh keys is generally a recipe for disaster.
[...]
> In many cases the ideal option would be *both* a certificate *and*
> a password.
That is to say, a private key protected by a password, and password access
disabled via "PasswordAuthentication no".
Unfortunately, as you wrote, we cannot even check whether the private key is
protected by a password; however, we can check that an account password is
strong.
Unfortunately we cannot configure sshd to require both the account password and
key authentication to be able to log in. That would maybe help to solve the
key-management risk, because at least we could automate the check to force the
use of strong account passwords in our security policy.
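As noted above, sshd never sees the client's private key file, so the server cannot tell whether it is passphrase-protected. The check can, however, be made on the client side or at key-provisioning time by inspecting the key file itself. The following is an added example, not code from this thread or from the OpenSSH project: it reads the `ciphername`/`kdfname` fields of the `openssh-key-v1` container (an unencrypted key carries `none` in both) and the RFC 1421 `Proc-Type: 4,ENCRYPTED` header of the legacy PEM format. The sample keys are constructed in the block purely to exercise the parser; they are not real keys.

```python
import base64
import struct


def _read_string(buf, off):
    """Read an SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_passphrase_protected(pem_text):
    """Return True if the private key file is encrypted with a passphrase.

    Handles the openssh-key-v1 container (ssh-keygen default since 7.8)
    and the legacy PEM formats (RSA/DSA/EC PRIVATE KEY).
    """
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    body = lines[1:-1]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(body))
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        # Layout: magic, string ciphername, string kdfname, string kdfoptions, ...
        cipher, off = _read_string(raw, len(magic))
        kdf, off = _read_string(raw, off)
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM: encryption is announced in the RFC 1421 headers.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body)


def _build_openssh_key(cipher, kdf):
    """Constructed sample in openssh-key-v1 layout (header fields only are
    meaningful; the key material is zero padding, not a usable key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfoptions = s(b"\x00" * 16) + struct.pack(">I", 16) if kdf == b"bcrypt" else b""
    raw = (b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(kdfoptions)
           + struct.pack(">I", 1) + s(b"\x00" * 16) + s(b"\x00" * 32))
    b64 = base64.b64encode(raw).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples (not real keys).
SAMPLE_PLAINTEXT = _build_openssh_key(b"none", b"none")
SAMPLE_ENCRYPTED = _build_openssh_key(b"aes256-ctr", b"bcrypt")
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAA
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAINTEXT = """-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, key in [("openssh plaintext", SAMPLE_PLAINTEXT),
                      ("openssh encrypted", SAMPLE_ENCRYPTED),
                      ("legacy encrypted", LEGACY_ENCRYPTED),
                      ("legacy plaintext", LEGACY_PLAINTEXT)]:
        print(f"{name}: protected={key_is_passphrase_protected(key)}")
```

Run against the files in a user's `~/.ssh` before distributing their public key, this gives the client-side half of the policy the message asks for; it says nothing about passphrase strength, only whether one is set at all.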