
Re: [Full-Disclosure] Password quality?

Hi,

> > I now need to check ssh2 and openssh private keys for policy compliance - do
> > they have a password, and is it nontrivial?

If you are using open-source products (like OpenSSH, LSH, PuTTY) you can modify
the application itself (e.g. ssh, ssh-add & ssh-keygen) to check the
passphrases as they are typed in.

Trying to crack the passphrases of SSH private keys you extract from a
filesystem may be evaded easily by using two files containing the same private
key:

The first will satisfy your passphrase requirements and is the one you most
  likely will pick up, because it resides in the default location for private
  key files (.ssh), which is most likely the only one you will pick up.

The second - concealed somewhere in the home directory - is not protected
  with any passphrase in the filesystem and is used for convenience purposes.

Regards,
  Holger
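Added example, not from the original post or from any of the tools named in it: a Python audit that walks an entire home directory rather than only .ssh and reports whether each OpenSSH or PEM private key it finds carries a passphrase, which is the check that catches the unprotected duplicate described above. The sample keys it writes are constructed header fragments (not usable keys), and the cipher-name test tells you only whether a passphrase exists, not whether it is trivial.

```python
import base64
import os
import tempfile
MAGIC = b"openssh-key-v1\x00"

def openssh_pem(cipher, kdf):
    """Constructed openssh-key-v1 header only (NOT a usable key): magic, cipher, kdf."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    body = base64.b64encode(MAGIC + s(cipher.encode()) + s(kdf.encode())).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

def key_status(text):
    """Return 'encrypted', 'plaintext', or None when the text is not a private key."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        body = text.split("PRIVATE KEY-----", 1)[1].split("-----END", 1)[0]
        raw = base64.b64decode("".join(body.split()))
        n = int.from_bytes(raw[len(MAGIC):len(MAGIC) + 4], "big")
        cipher = raw[len(MAGIC) + 4:len(MAGIC) + 4 + n].decode()  # "none": no passphrase
        return "plaintext" if cipher == "none" else "encrypted"
    if "PRIVATE KEY-----" in text:  # legacy PEM (Proc-Type) or PKCS#8 (distinct header)
        if "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text:
            return "encrypted"
        return "plaintext"
    return None

def scan_home(root):
    """Walk the whole tree, not just .ssh, and classify every private key found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as f:
                    status = key_status(f.read(65536))
            except (OSError, ValueError):  # unreadable file or corrupt base64
                continue
            if status:
                findings.append((os.path.relpath(path, root), status))
    return sorted(findings)

def demo():
    """Audit a constructed home dir: protected key in .ssh, unprotected copy hidden elsewhere."""
    root = tempfile.mkdtemp()
    samples = {(".ssh", "id_rsa"): openssh_pem("aes256-ctr", "bcrypt"),
               (".cache", "x", "backup_key"): openssh_pem("none", "none")}
    for parts, text in samples.items():
        os.makedirs(os.path.join(root, *parts[:-1]), exist_ok=True)
        with open(os.path.join(root, *parts), "w") as f:
            f.write(text)
    return scan_home(root)
```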


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html