[Watford] SSH Questions

Magnus Kelly magnus.kelly at mapesbury.com
Tue Sep 16 13:21:22 UTC 2008


Hi,

Would it not be possible to generate centrally password protected keys
and then distribute the private key to the people who require them?
(after installing the other key pair on the servers that need remote
access?)

Would this not achieve two things: a) prevent non-password keys from
being used and b) prevent anyone from being able to lock the system
owner out?

Magnus

> -----Original Message-----
> From: watford-bounces at mailman.lug.org.uk [mailto:watford-
> bounces at mailman.lug.org.uk] On Behalf Of Yvan Seth
> Sent: 16 September 2008 13:41
> To: watford at mailman.lug.org.uk
> Subject: Re: [Watford] SSH Questions
> 
> On Tue, Sep 16, 2008 at 11:16:12AM +0100, Mark Stewart wrote:
> > thanks Alain - your document is a useful faq but I'm looking at a
> > policy to prevent DBA's etc so they don't use passwordless keys or
> > leave ssh-agent running or other ssh bad practices. Users can create
> > keys anywhere and I'm powerless to stop how they create them.
> >
> > If a hacker got hold of passwordless keys they would control servers
> > at ease.
> >
> > I can't see options for sshd that let you prevent accepting
> > passwordless keys or find any commercial/open software that does this
> > with OpenSSH.
> 
> Hi Mark,
> 
> Passphrases on SSH keys are 100% handled at the client side.  There is
> no way to know at your server-end whether or not the key used was
> protected by a passphrase or not (or provided by an ssh-agent for that
> matter.)
> 
> The best you can do is "implement policy."
> 
> The alternative is to not allow key based authentication.  Permit
> password authentication only and strengthen up your password quality
> requirements.
> 
> Both ways have their downsides.
> 
> -Yvan
> 
> _______________________________________________
> Watford mailing list
> Watford at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/watford
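Yvan's point above is that sshd cannot see whether the key that was used had a passphrase, so the only place a "no passwordless keys" policy can be checked is on the hosts where the private key files live. As an added illustration (not code from this thread), the following Python check reads a private key file and reports whether it is passphrase-protected, using the ciphername field of the OpenSSH native format and the Proc-Type header of the legacy PEM format; the sample key texts are constructed stand-ins, not real keys.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(blob, offset):
    """Read one SSH length-prefixed string (uint32 length + bytes) at offset."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def private_key_is_encrypted(key_text):
    """Return True if the private key text is passphrase-protected.

    OpenSSH native format: the first string after the magic is the cipher
    name, which is "none" for an unprotected key.  Legacy PEM format: an
    encrypted key carries a "Proc-Type: 4,ENCRYPTED" header line.
    """
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        ciphername, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return ciphername != b"none"
    # Legacy PEM: header lines contain ':'; base64 body lines never do.
    headers = [l for l in lines[1:] if ":" in l]
    return any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)

# --- constructed samples (header only, no real key material) ---
def _openssh_blob(ciphername, kdfname):
    def s(b):
        return struct.pack(">I", len(b)) + b
    return OPENSSH_MAGIC + s(ciphername) + s(kdfname) + s(b"") + struct.pack(">I", 1)

def _armour(kind, blob):
    return (f"-----BEGIN {kind} PRIVATE KEY-----\n"
            + base64.encodebytes(blob).decode()
            + f"-----END {kind} PRIVATE KEY-----\n")

SAMPLE_UNPROTECTED = _armour("OPENSSH", _openssh_blob(b"none", b"none"))
SAMPLE_PROTECTED = _armour("OPENSSH", _openssh_blob(b"aes256-ctr", b"bcrypt"))
SAMPLE_LEGACY_PROTECTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                           "AAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, text in [("unprotected", SAMPLE_UNPROTECTED), ("protected", SAMPLE_PROTECTED),
                       ("legacy protected", SAMPLE_LEGACY_PROTECTED)]:
        print(name, private_key_is_encrypted(text))
```

Run over every id_* file under users' ~/.ssh directories (the assumed deployment, not shown here), a False result is a policy violation to report.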
