[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Password quality?

To: Kristian K?hntopp <kris@koehntopp.de>
Subject: Re: [Full-Disclosure] Password quality?
From: petard <petard@freeshell.org>
Date: Wed, 10 Dec 2003 20:56:16 +0000

On Wed, Dec 10, 2003 at 11:24:34AM +0100, Kristian K?hntopp wrote:
> 
> I know how to check Unix and Windows passwords for quality - John the Ripper 
> is quite an encompassing tool (http://www.openwall.com/john/).
> 
> I now need to check ssh2 and openssh private keys for policy compliance - do 
> they have a password, and is it nontrivial?
> 
> Which tool am I going to use?
I am not aware of any publically available tool that does what you want
(other than the expect script someone posted to the list). I do know of
one or two private tools in circulation and may be able to persuade one
of the authors to post his here or allow me to do so. They are crude but
far better than the expect scripts, as well as far more efficient. (Over
1000 guesses/second on a PPC G4 1GHz... I haven't tried with a really
good word list.)

The basic method used by these tools is:

1. Take the openssh source code and build libssh.a
2. Use the key_load_private() function along with a good word list to
check for empty/obvious passphrases. See ssh-keygen.c for an example of
how the key_load_private() function works.

Others have commented on the lack of usefulness here, due to the users
ability to keep a copy of the key with a different passphrase in a
non-standard location, and still use it, as well as problems inherent in
collecting everyone's private keys for analysis.

As an aside, you can use ssh-keygen to solve half of your problem. It
will tell you whether keys have a passphrase or not. Just use the
syntax:
ssh-keygen -f /path/to/private/key -p

If it asks you for the old passphrase, that means one is set. If it goes
straight to asking for a new one, that means the key is unprotected.

HTH,

petard

--
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Password quality?
  - From: Kristian Köhntopp <kris@koehntopp.de>

Prev by Date: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Next by Date: [Full-Disclosure] [SCSA-023] Multiple vulnerabilities in Mambo Server
Previous by thread: Re: [Full-Disclosure] Password quality?
Next by thread: Re: [Full-Disclosure] Password quality?
Index(es):
- Date
- Thread