Open Source and information security mailing list archives
From: petard at freeshell.org (petard)
Subject: Password quality?

On Wed, Dec 10, 2003 at 11:24:34AM +0100, Kristian Köhntopp wrote:
> 
> I know how to check Unix and Windows passwords for quality - John the Ripper 
> is quite an encompassing tool (http://www.openwall.com/john/).
> 
> I now need to check ssh2 and openssh private keys for policy compliance - do 
> they have a password, and is it nontrivial?
> 
> Which tool am I going to use?
I am not aware of any publicly available tool that does what you want
(other than the expect script someone posted to the list). I do know of
one or two private tools in circulation and may be able to persuade one
of the authors to post his here or allow me to do so. They are crude but
far better than the expect scripts, as well as far more efficient. (Over
1000 guesses/second on a PPC G4 1GHz... I haven't tried with a really
good word list.)

The basic method used by these tools is:

1. Take the openssh source code and build libssh.a
2. Use the key_load_private() function along with a good word list to
check for empty/obvious passphrases. See ssh-keygen.c for an example of
how the key_load_private() function works.

Others have commented on the lack of usefulness here, due to the user's
ability to keep a copy of the key with a different passphrase in a
non-standard location, and still use it, as well as problems inherent in
collecting everyone's private keys for analysis.

As an aside, you can use ssh-keygen to solve half of your problem. It
will tell you whether keys have a passphrase or not. Just use the
syntax:
ssh-keygen -f /path/to/private/key -p

If it asks you for the old passphrase, that means one is set. If it goes
straight to asking for a new one, that means the key is unprotected.

HTH,

petard

--
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.
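The "does the key have a passphrase at all" half of the question above can be answered offline, without driving ssh-keygen interactively, by reading the key file's own headers: the openssh-key-v1 container names its cipher up front ("none" means no passphrase), the legacy PEM container carries a "Proc-Type: 4,ENCRYPTED" header when it is encrypted, and PKCS#8 uses a distinct "ENCRYPTED PRIVATE KEY" armour. The following audit script is an added example, not code from the post or from OpenSSH; the key files it reads are constructed inline (the openssh-key-v1 sample is truncated to the header fields and contains no key material) and the function names are my own. Like the ssh-keygen check, it says nothing about passphrase strength.

```python
"""Audit SSH private key files for the absence of a passphrase (added example)."""
import base64
import struct
import sys

OPENSSH_MAGIC = b"openssh-key-v1\x00"   # fixed magic of the openssh-key-v1 container


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _armour_body(text: str) -> bytes:
    """Base64-decode everything between the BEGIN/END lines, skipping
    'Header: value' lines (base64 never contains a colon)."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("-----") and ":" not in ln]
    return base64.b64decode("".join(body))


def classify_private_key(text: str) -> dict:
    """Return the container format, whether a passphrase protects it, and a detail string."""
    head = text.lstrip().splitlines()[0] if text.strip() else ""
    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = _armour_body(text)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)   # "none" => cleartext private section
        kdf, off = _read_string(blob, off)      # "none" or "bcrypt"
        return {"format": "openssh-key-v1",
                "protected": cipher != b"none",
                "detail": f"cipher={cipher.decode()} kdf={kdf.decode()}"}
    if head in ("-----BEGIN RSA PRIVATE KEY-----",
                "-----BEGIN DSA PRIVATE KEY-----",
                "-----BEGIN EC PRIVATE KEY-----"):
        lines = [ln.strip() for ln in text.splitlines()]
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        dek = next((ln for ln in lines if ln.startswith("DEK-Info:")), "no DEK-Info header")
        return {"format": "pem-legacy", "protected": encrypted, "detail": dek}
    if head == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return {"format": "pkcs8", "protected": True, "detail": "EncryptedPrivateKeyInfo"}
    if head == "-----BEGIN PRIVATE KEY-----":
        return {"format": "pkcs8", "protected": False, "detail": "cleartext PrivateKeyInfo"}
    raise ValueError(f"unrecognised key armour: {head!r}")


def unprotected_keys(keys: dict) -> list:
    """Given {name: file text}, return the names whose key has no passphrase."""
    return [name for name, text in keys.items()
            if not classify_private_key(text)["protected"]]


# ---- constructed samples (no real key material) ----
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_openssh_sample(cipher: bytes, kdf: bytes) -> str:
    """Constructed, truncated openssh-key-v1 file: magic, cipher, kdf,
    empty kdfoptions and a key count of 1, then nothing further."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    chunks = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(chunks)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""
LEGACY_CLEAR = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""

SAMPLES = {
    "id_ed25519.nopass": make_openssh_sample(b"none", b"none"),
    "id_ed25519.bcrypt": make_openssh_sample(b"aes256-ctr", b"bcrypt"),
    "id_rsa.legacy.enc": LEGACY_ENCRYPTED,
    "id_rsa.legacy.clear": LEGACY_CLEAR,
}

if __name__ == "__main__":
    # With paths on the command line, audit real files; otherwise the samples.
    if sys.argv[1:]:
        keys = {p: open(p, encoding="ascii", errors="replace").read() for p in sys.argv[1:]}
    else:
        keys = SAMPLES
    for name, text in keys.items():
        info = classify_private_key(text)
        flag = "OK  " if info["protected"] else "WEAK"
        print(f"{flag} {name}: {info['format']} ({info['detail']})")
```

Run with no arguments it reports on the constructed samples; with file paths it reports on those files. The bcrypt KDF appears only in the openssh-key-v1 container, so for keys in that format the "kdf=" detail also tells you whether the passphrase was stretched. The caveats from the post still apply: a user can keep an unprotected copy of the same key in a non-standard path, and a present passphrase is not a strong one.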

