lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031210084835.U19545-100000@vapid.ath.cx>
From: lwc at vapid.ath.cx (Larry W. Cashdollar)
Subject: Password quality?



On Wed, 10 Dec 2003, Kristian [iso-8859-1] Köhntopp wrote:

>
> I know how to check Unix and Windows passwords for quality - John the Ripper
> is quite an encompassing tool (http://www.openwall.com/john/).
>
> I now need to check ssh2 and openssh private keys for policy compliance - do
> they have a password, and is it nontrivial?
>

You could attempt to load keys that are not encrypted by a passphrase into
ssh-agent with ssh-add.  Keys that load with out a password prompt are
unencrypted and flagged as bad. This would work to verify keys did indeed
have a password.  The down side is your going to need access to everyones
private key..or your going to need to store private keys all in one
location.  This defeats the purpose of "private" and a layer of security.


As for checking password compliance as a crude measure you could write an
expect script that attempted to load keys with commonly known passwords,
this would be slow and not pretty.

> Which tool am I going to use?


ssh-agent,ssh-add,perl,expect...

>
> Kristian
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ