Patch to discourage unencrypted key generation
John Hawkinson
jhawk at MIT.EDU
Thu May 30 11:24:56 EST 2013
Schaaf, Jonathan P (GE Healthcare) <jonathan.P.schaaf at ge.com> wrote on Wed, 29 May 2013
at 19:14:45 +0000 in <C2DDDB22B0AE094DB5F3CE04CB9E2F2615D393 at CINURCNA02.e2k.ad.ge.com>:
> I hope I'm not submitting something while Martin is halfway through
> working on this, but as previously noted, the real complexities are
> in the change to people's workflow. Let the beatings commence.
...
> + printf("Empty passphrases are a potential security risk. \n" );
> + printf("Type \"I know\" to confirm that you want this: " );
I don't think this is the way to go.
Among other things, it precludes easy automation of this, which is bad
(esp., as was noted, for host keys).
Furthremore, it gives just enough information to not be helpful.
WHY are they a security risk? WHERE can we find out more info? WHAT
are the alternatives?
--jhawk at mit.edu
John Hawkinson
More information about the openssh-unix-dev
mailing list