[Watford] SSH Questions

Yvan Seth watford.lug.org.uk at malignity.net
Tue Sep 16 12:53:11 UTC 2008


On Tue, Sep 16, 2008 at 11:16:12AM +0100, Mark Stewart wrote:
> thanks Alain - your document is a useful faq but I'm looking at a
> policy to prevent DBAs etc so they don't use passwordless keys or
> leave ssh-agent running or other ssh bad practices. Users can create
> keys anywhere and I'm powerless to stop how they create them.
> 
> If a hacker got hold of passwordless keys they would control servers
> at ease.
>
> I can't see options for sshd that let you prevent accepting
> passwordless keys or find any commercial/open software that does this
> with OpenSSH.

Hi Mark,

Passphrases on SSH keys are 100% handled at the client side.  There is
no way to know at your server-end whether or not the key used was
protected by a passphrase or not (or provided by an ssh-agent for that
matter.)

The best you can do is "implement policy."

The alternative is to not allow key based authentication.  Permit
password authentication only and strengthen up your password quality
requirements.

Both ways have their downsides.

-Yvan
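Since the server never sees whether a private key is passphrase-protected, the only place the "implement policy" option can be checked is on the client side, in the private key files themselves. The following added example (not from this list thread and not part of OpenSSH) shows how such an audit can tell an encrypted key from an unencrypted one: legacy PEM keys carry a `Proc-Type: 4,ENCRYPTED` header, and keys in the newer `openssh-key-v1` container name their cipher and KDF in the first two length-prefixed strings, which are both `none` for an unprotected key. The sample keys are constructed inline with dummy bodies; only the headers are real.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_ssh_string(buf, off):
    """Read one length-prefixed (uint32 big-endian) SSH string at offset off."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    start = off + 4
    return buf[start:start + length], start + length


def private_key_is_encrypted(key_text):
    """Return True if the private key text is passphrase-protected.

    Handles the openssh-key-v1 container (cipher/kdf header fields) and the
    legacy PEM format (Proc-Type header). Raises ValueError on malformed input.
    """
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key file")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_ssh_string(body, off)
        kdf, off = _read_ssh_string(body, off)
        # An unprotected key has ciphername "none" and kdfname "none".
        return cipher != b"none" or kdf != b"none"
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)


def audit_private_keys(keys):
    """Given {name: key_text}, return the sorted names of keys without a passphrase."""
    return sorted(name for name, text in keys.items() if not private_key_is_encrypted(text))


# --- Constructed sample keys (hypothetical; bodies are filler, headers are real) ---

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _constructed_openssh_key(cipher, kdf):
    # Only the magic, ciphername and kdfname matter for this check; the rest is padding.
    body = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""

LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
"""

SAMPLE_KEYS = {
    "dba_laptop_id_ed25519": _constructed_openssh_key(b"aes256-ctr", b"bcrypt"),
    "dba_jumpbox_id_ed25519": _constructed_openssh_key(b"none", b"none"),
    "legacy_backup_id_rsa": LEGACY_ENCRYPTED,
    "legacy_cron_id_rsa": LEGACY_PLAIN,
}

if __name__ == "__main__":
    for name in audit_private_keys(SAMPLE_KEYS):
        print("no passphrase:", name)
```

Run against real files by reading each `~/.ssh/id_*` into the dictionary; the check is read-only and never needs the passphrase, since it inspects only the unencrypted header of the container.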


