RE: How to forbid empty passphrases?
From: <Robert.Baskerville(at)Vistorm.com>
Date: Wed Nov 27 2002 - 06:25:37 EST
The contents of this email and any attachments may be confidential. It is intended for the named recipient(s) only. If you are not the named recipient, please notify the sender immediately and do not disclose the contents to any other person or make any copies. Vistorm monitor communications.
Alex wrote:
> is it possible to forbid users to login with keys using
No. The passphrase has a single function; the private key is symmetrically encrypted using (effectively) the passphrase. No information about the passphrase is ever sent to the remote system (quite rightly!) - it is merely used locally to unlock the private key by decrypting it.

Besides, what is meant by "empty passphrase"? Sure, a private key with a null passphrase. But what about when ssh-agent is in use and the key is (temporarily) held unlocked? Or with a Windows client such as SecureCRT which can be set to cache the passphrase for a certain time?

Passing ANY information about the passphrase to the remote system is dangerous. It tells me (the Evil Sysadmin(tm)) which keys are worth stealing (since a passphraseless key is more valuable to me).

Forcing users to have a passphrase doesn't really help either. If a user is *forced* to have a passphrase rather than being educated into *choosing* to have a passphrase, then they will select a trivial one - giving the illusion of security rather than the reality.

Robert Baskerville

Received on Wed Nov 27 11:33:19 2002
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:51 EDT
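The mechanism Robert describes, as an added worked example that is not part of the original post or of OpenSSH: a client stores one Ed25519 key both with and without a passphrase, unlocks each copy locally, and performs a simplified "publickey" userauth against a server that only ever sees the public key and a signature. The on-disk format (AES-GCM over the seed, iterated SHA-256 as the KDF), the signed-data layout, the user name "alex" and the passphrase are all constructed stand-ins for illustration; OpenSSH's real key file uses bcrypt_pbkdf and a different layout, and the real signed blob is defined in RFC 4252 section 7. Since Ed25519 signing is deterministic, the two authentication messages are byte-identical, which is exactly why the server cannot tell whether a passphrase was ever involved.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// StoredKey models the private key file on the client's disk: the seed is
// either in the clear (empty passphrase) or sealed under a passphrase-derived
// key. Constructed teaching format, not the OpenSSH key file format.
type StoredKey struct {
	Encrypted   bool
	Salt, Nonce []byte
	Blob        []byte // seed, or AES-GCM ciphertext of the seed
}

// deriveKey is a toy KDF (iterated SHA-256) standing in for bcrypt_pbkdf.
// Whatever KDF is used, its output never leaves the client.
func deriveKey(passphrase, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), passphrase...))
	for i := 0; i < 50000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreKey "writes" the key to disk; an empty passphrase means plaintext.
func StoreKey(priv ed25519.PrivateKey, passphrase string) (StoredKey, error) {
	seed := priv.Seed()
	if passphrase == "" {
		return StoredKey{Blob: seed}, nil
	}
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return StoredKey{}, err
	}
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredKey{}, err
	}
	aead, err := gcmFor(deriveKey([]byte(passphrase), salt))
	if err != nil {
		return StoredKey{}, err
	}
	return StoredKey{Encrypted: true, Salt: salt, Nonce: nonce,
		Blob: aead.Seal(nil, nonce, seed, nil)}, nil
}

// UnlockKey is the only place the passphrase is used: locally, to recover the
// seed. A wrong passphrase fails here, before any network traffic exists.
func UnlockKey(sk StoredKey, passphrase string) (ed25519.PrivateKey, error) {
	if !sk.Encrypted {
		return ed25519.NewKeyFromSeed(sk.Blob), nil
	}
	aead, err := gcmFor(deriveKey([]byte(passphrase), sk.Salt))
	if err != nil {
		return nil, err
	}
	seed, err := aead.Open(nil, sk.Nonce, sk.Blob, nil)
	if err != nil {
		return nil, errors.New("bad passphrase: private key could not be decrypted")
	}
	return ed25519.NewKeyFromSeed(seed), nil
}

// AuthMessage is everything the server receives for publickey userauth.
type AuthMessage struct {
	PublicKey ed25519.PublicKey
	Signature []byte
}

// signedData is a simplified stand-in for session id + userauth request fields.
func signedData(sessionID []byte, user string) []byte {
	return append(append([]byte{}, sessionID...), []byte("ssh-userauth:"+user+":publickey:ssh-ed25519")...)
}

func ClientSign(priv ed25519.PrivateKey, sessionID []byte, user string) AuthMessage {
	return AuthMessage{PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, signedData(sessionID, user))}
}

func ServerVerify(authorized []ed25519.PublicKey, sessionID []byte, user string, m AuthMessage) bool {
	for _, pk := range authorized {
		if bytes.Equal(pk, m.PublicKey) {
			return ed25519.Verify(pk, signedData(sessionID, user), m.Signature)
		}
	}
	return false
}

// SameWireBytes stores one key with and without a passphrase, unlocks both
// copies, and reports whether the server-visible messages are identical and valid.
func SameWireBytes() (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	plain, _ := StoreKey(priv, "")
	sealed, err := StoreKey(priv, "constructed example passphrase")
	if err != nil {
		return false, err
	}
	k1, _ := UnlockKey(plain, "")
	k2, err := UnlockKey(sealed, "constructed example passphrase")
	if err != nil {
		return false, err
	}
	sessionID := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionID); err != nil {
		return false, err
	}
	m1, m2 := ClientSign(k1, sessionID, "alex"), ClientSign(k2, sessionID, "alex")
	ok := ServerVerify([]ed25519.PublicKey{pub}, sessionID, "alex", m1) &&
		ServerVerify([]ed25519.PublicKey{pub}, sessionID, "alex", m2)
	return ok && bytes.Equal(m1.Signature, m2.Signature) && bytes.Equal(m1.PublicKey, m2.PublicKey), nil
}

func main() {
	same, err := SameWireBytes()
	fmt.Println("server sees identical bytes either way:", same, err)
}
```

The useful thing to notice is where the failure modes live: a wrong passphrase is rejected inside UnlockKey on the client, and the server-side check in ServerVerify has no input it could consult to learn whether the file on the client's disk was encrypted. The same holds when ssh-agent holds the unlocked key: the agent performs the ClientSign step, and the server sees the same AuthMessage.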