Open Source and information security mailing list archives
From: lwc at vapid.ath.cx (Larry W. Cashdollar)
Subject: Password quality?

On Wed, 10 Dec 2003, Kristian Köhntopp wrote:

>
> I know how to check Unix and Windows passwords for quality - John the Ripper
> is quite an encompassing tool (http://www.openwall.com/john/).
>
> I now need to check ssh2 and openssh private keys for policy compliance - do
> they have a password, and is it nontrivial?
>

You could attempt to load keys that are not encrypted by a passphrase into
ssh-agent with ssh-add. Keys that load without a password prompt are
unencrypted and flagged as bad. This would work to verify keys did indeed
have a password.

The downside is you're going to need access to everyone's private key... or
you're going to need to store private keys all in one location. This defeats
the purpose of "private" and a layer of security.

As for checking password compliance, as a crude measure you could write an
expect script that attempted to load keys with commonly known passwords; this
would be slow and not pretty.

> Which tool am I going to use?

ssh-agent, ssh-add, perl, expect...

>
> Kristian
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
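The "does this key have a passphrase at all" check from the reply above can also be done by reading the key file's header instead of loading it into ssh-agent. The following is an added example, not part of the original post; it goes beyond the 2003 thread by also covering the later `openssh-key-v1` container, and the function names and sample keys are constructed for illustration (the samples hold no real key material).

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

def key_protection(text):
    """Return 'encrypted', 'unencrypted' or 'unknown' for a private key file's text."""
    m = PEM_RE.search(text)
    if not m:
        return "unknown"                      # e.g. formats this sketch does not parse
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8 encrypted container
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":        # magic, then a length-prefixed cipher name
        try:
            blob = base64.b64decode("".join(body.split()))
        except ValueError:
            return "unknown"
        off = len(MAGIC)
        if not blob.startswith(MAGIC) or len(blob) < off + 4:
            return "unknown"
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        if len(cipher) != n:
            return "unknown"                  # truncated file
        return "unencrypted" if cipher == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC): encryption is announced in an RFC 1421 header line
    if re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", body, re.M):
        return "encrypted"
    return "unencrypted"

def flag_unprotected(keys):
    """keys: {name: file text}. Return sorted names of keys with no passphrase."""
    return sorted(n for n, t in keys.items() if key_protection(t) == "unencrypted")

def sample_openssh(cipher):
    # Constructed sample: only the header fields the parser reads
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", 4) + b"none"
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLES = {  # constructed inputs, names are hypothetical
    "id_rsa_plain": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_enc": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "id_ed25519_plain": sample_openssh(b"none"),
    "id_ed25519_enc": sample_openssh(b"aes256-ctr"),
}
```

This only answers whether a passphrase is set, not whether it is nontrivial, and it can run on each host against the user's own files rather than requiring the keys to be collected in one place.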