On 8/23/06, Stephen Shirley <diamond at skynet.ie> wrote:
> Hum. Ok, upon re-reading it and another one of your replies, it seems
> you are advocating using normal passwords rather than ssh keys +
> passphrases. Isn't that trading the chances of a user screwing up
> against those of a dictionary attack being successful though?
Paul is very correct to a certain extent.... the more convoluted you
make security the weaker the holes that are left in it.
You can actually control the pasphrases used to protect keys if you
issue the keys from a corporate controlled CA, which is where I was at
right back at the start of the thread when I queried support in SSH
clients for PKCS12 keystores.
I've never been much of pin protected hardware tokens, and in security
circles, PKCS12 is typically referred to as smartcard emulation.
Smartcards for example usually can have their pin retrieved by reading
the post-it on them. Its like the oldest problem with bankcard pins.
Even in Pauls scenario of making secure password policies and having
them centrally enforced, try issuing to a non techie dept and give it
a month and check the back of peoples keyboards.... bingo....
passwords.
Simple things work.... hence the bunch of korean schoolkits dictionary
attacking my feckin' servers :,-(
Aine.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
