
Re: [Full-Disclosure] Password quality?

On Wed, 10 Dec 2003, Kristian Köhntopp wrote:

>
> I know how to check Unix and Windows passwords for quality - John the Ripper
> is quite an encompassing tool (http://www.openwall.com/john/).
>
> I now need to check ssh2 and openssh private keys for policy compliance - do
> they have a password, and is it nontrivial?
>

You could attempt to load keys that are not encrypted by a passphrase into
ssh-agent with ssh-add.  Keys that load without a password prompt are
unencrypted and flagged as bad. This would work to verify keys did indeed
have a password.  The downside is you're going to need access to everyone's
private key... or you're going to need to store private keys all in one
location.  This defeats the purpose of "private" and a layer of security.


As for checking password compliance, as a crude measure you could write an
expect script that attempted to load keys with commonly known passwords;
this would be slow and not pretty.

> Which tool am I going to use?


ssh-agent, ssh-add, perl, expect...

>
> Kristian
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
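The first check the reply describes (is the key encrypted at all?) can be done without loading anything into ssh-agent, by inspecting the key file itself. The following is an added example, not code from the thread or from OpenSSH: it parses the two on-disk OpenSSH private key formats and reports whether a passphrase is present, which cipher and KDF protect it, and, for the newer format, how many bcrypt rounds were used. The sample key files it checks are constructed filler (no real key material) and the `audit` policy thresholds are assumptions chosen for illustration.

```python
"""Audit OpenSSH private key files for passphrase protection (added example).

Two on-disk formats are handled:
  * legacy PEM ("-----BEGIN RSA PRIVATE KEY-----"): an encrypted key carries
    "Proc-Type: 4,ENCRYPTED" plus a "DEK-Info: <cipher>,<iv>" header, and the
    key is derived from the passphrase with a single MD5 pass (no stretching);
  * openssh-key-v1 ("-----BEGIN OPENSSH PRIVATE KEY-----"): the base64 body
    starts with the magic "openssh-key-v1\\0", then SSH wire-format strings for
    the cipher name, the KDF name and the KDF options (bcrypt salt + rounds).
"""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_key(text: str) -> dict:
    """Return format, encryption status, cipher, KDF and rounds for a key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        cipher, off = _read_string(body, off)
        kdf, off = _read_string(body, off)
        kdfopts, off = _read_string(body, off)
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM: optional "Key: value" headers, blank line, then base64.
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            break
        key, val = line.split(":", 1)
        headers[key.strip()] = val.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    return {"format": "pem", "encrypted": encrypted,
            "cipher": headers.get("DEK-Info", "none").split(",")[0],
            "kdf": "md5-evp-bytestokey" if encrypted else None,
            "rounds": 1 if encrypted else None}


def audit(name: str, text: str, min_rounds: int = 16):
    """Policy verdict (thresholds are this example's assumptions)."""
    info = inspect_key(text)
    if not info["encrypted"]:
        return (name, "FAIL", "no passphrase: key loads without a prompt")
    if info["format"] == "pem":
        return (name, "WARN", "legacy PEM: single-pass MD5 KDF, re-save with "
                              "ssh-keygen -p -o -f <key>")
    if info["rounds"] is not None and info["rounds"] < min_rounds:
        return (name, "WARN", f"bcrypt rounds={info['rounds']} (< {min_rounds})")
    return (name, "PASS", f"{info['cipher']}, {info['kdf']} rounds={info['rounds']}")


def build_openssh_key_v1(cipher: bytes, kdf: bytes, rounds: int) -> str:
    """Construct an openssh-key-v1 envelope with filler in place of key material."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdfopts = b"" if kdf == b"none" else s(b"\x00" * 16) + struct.pack(">I", rounds)
    body = (MAGIC + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1)
            + s(b"pubkey-filler") + s(b"private-section-filler"))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM samples (base64 body is filler, not a real key).
PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUJDREVG\n-----END RSA PRIVATE KEY-----\n"
PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Proc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
                 "\nQUJDREVG\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    samples = {
        "id_rsa.plain": PEM_PLAIN,
        "id_rsa.pem-enc": PEM_ENCRYPTED,
        "id_ed25519.new": build_openssh_key_v1(b"aes256-ctr", b"bcrypt", 16),
        "id_ed25519.weak": build_openssh_key_v1(b"aes256-ctr", b"bcrypt", 4),
        "id_ed25519.none": build_openssh_key_v1(b"none", b"none", 0),
    }
    for name, text in samples.items():
        print("%-18s %-4s %s" % audit(name, text))
```

Reading the file instead of running ssh-add avoids the interactive prompt and the agent, but it has the same limitation the reply points out: the auditor still needs read access to each user's private key. The second check the reply mentions (trying common passphrases) is deliberately not part of this example; the format inspection above already flags the cases an auditor can act on without it, namely keys with no passphrase, keys still in the legacy PEM format with its single-pass MD5 key derivation, and keys saved with fewer bcrypt rounds than `ssh-keygen` uses by default.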