Re: password changes
From: Derek M. <co...@pi...> - 2006-01-25 02:35:59
On Tue, Jan 24, 2006 at 12:04:34PM -0800, Matt wrote:
> >>This is all true, but there's no way to check that the user has a
> >>passphrase on their private key.
> >
> >Sure there is...
> >
> >If the users all have their private keys on a centralized server, you
> >can loop through them and try to use them to connect to the sftp
> >server. If you succeed, you know they have no passphrase. Remove
> >their public key until they upload a key with a passphrase. As a
> >matter of policy, there's no reason you can't make storing them on a
> >specific server mandatory... You don't even have to tell them why.
> >If you want to remove suspicion, you can even design your environment
> >so that they will need to use their keys from the specific server you
> >designate for some task that is required on a periodic basis, so you
> >can be sure their keys will be there...
>
> This is garbage. Users can remove their password with "ssh-keygen -p"
> which is tempting as it makes things more convenient.

Garbage, eh? I never said users can't make keys with no passphrase. I
*DID* say that this is possible to detect, and you can remove their
access if they do it. And that is a fact. See above.

> Derek, please inform yourself better before writing such nonsense
> -- as the rssh author people may assume you are knowledgeable in
> this area.

I guess this is supposed to be some sort of attempt to "turn the
tables" on me, except it seems that you didn't even read what I wrote.
Rather, you have complained about my behavior, misinterpreted what I
wrote, and then openly insulted me, engaging in behavior that's worse
than anything I've done on this list, as far as I can tell -- or at the
very least exactly what you're accusing me of. I'm supposed to take
that seriously?

> BTW, I very much concur with Martin's assessment of your behavior on
> this list.

I'm sorry you feel that way, but in the end it doesn't matter what you
think.

I never insult people, I only state facts, though occasionally I
express my frustration, as I did in Jacob's response. Occasionally
some people don't know enough about using SSH correctly to use rssh
safely, and that is just a fact. I feel that to let them go off
without letting them know that they are running dangerously is wrong.

FWIW, Jacob is not one of those people, and I never intended to
suggest that he was. The "sigh" at the end of my message was precisely
because I know that he IS clued in -- he's been on the list for quite a
while -- and yet has decided to use an authentication that he has
agreed is less secure because of convenience. It doesn't mean I hold
him in contempt... His choice has led him to ask for a change to rssh
which is sub-optimal and downright yucky, and the fact that people
continue to want this solution is frustrating to me. There's no way to
do this well, IMO. THAT is why I sigh.

I'm sorry that he misinterpreted my response, and I'm sorry that some
people feel like I browbeat users. But it's tough cookies. Frankly,
I'm sick of taking flak for doing what I think is right for my
software and my users. If you don't like what I have to say, you are
welcome to filter my posts or leave the list. If you unsubscribed
and/or stopped using my software because you don't like me, it
wouldn't hurt my feelings one iota.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
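As an added example (not code from this thread or from rssh): one way to implement the check Derek describes, for an admin who already holds the users' private keys on a central server, by inspecting each key file's on-disk format instead of attempting a login with it. The key headers below are constructed samples with no real key material; `find_unprotected_keys` and `_make_openssh_header` are names chosen here.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_encrypted(pem_text):
    """True if the private key needs a passphrase, False if it is bare.
    Handles openssh-key-v1, legacy PEM and encrypted PKCS#8 headers."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(body, len(OPENSSH_MAGIC))
        kdf, off = _read_string(body, off)
        # An unencrypted key is written with cipher "none" and kdf "none".
        return not (cipher == b"none" and kdf == b"none")
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # encrypted PKCS#8
        return True
    # Legacy PEM: an encrypted key carries "Proc-Type: 4,ENCRYPTED" + DEK-Info.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])

def find_unprotected_keys(keys):
    """Given {owner: key_text}, return the owners whose key has no passphrase."""
    return sorted(o for o, k in keys.items() if not key_is_encrypted(k))

def _make_openssh_header(cipher, kdf):
    """Constructed openssh-key-v1 header (no key material) for offline testing."""
    def s(b): return struct.pack(">I", len(b)) + b
    raw = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples: two new-format headers and one legacy PEM header.
SAMPLE_KEYS = {
    "alice": _make_openssh_header(b"aes256-ctr", b"bcrypt"),  # protected
    "bob": _make_openssh_header(b"none", b"none"),            # bare key
    "carol": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
             "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
             "AAAA\n-----END RSA PRIVATE KEY-----\n",
}
```

This only tells you whether the file is encrypted, not how strong the passphrase is, so it catches exactly the `ssh-keygen -p` case the thread is about and nothing more.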