Open Source and information security mailing list archives
 
From: hvl at telefonica.de (Holger van Lengerich)
Subject: Password quality?

Hi,

> > I now need to check ssh2 and openssh private keys for policy compliance - do
> > they have a password, and is it nontrivial?

If you are using open source products (like OpenSSH, LSH, PuTTY) you can modify
the application itself (e.g. ssh, ssh-add & ssh-keygen) to check the
passphrases as they are typed in.

Trying to crack the passphrases of SSH private keys you extract from a
filesystem may be evaded easily by using two files containing the same private
key:

The first will satisfy your passphrase requirements and is the one you most
  likely will pick up, because it resides in the default location for private
  key files (.ssh) which is most likely the only one you will pick up.

The second - concealed somewhere in the home-directory - is not protected
  with any passphrase in the filesystem and is used for convenience purposes.

Regards,
  Holger
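
Added example, not part of the original message: a Python audit that walks an entire home directory rather than only `.ssh`, reports OpenSSH-format private keys stored without a passphrase, and matches copies of one key through the public key that the `openssh-key-v1` container keeps in clear. It covers OpenSSH's PEM and `openssh-key-v1` files only (ssh.com SSH2 and PuTTY formats are not parsed), and the function names are this example's own.

```python
import base64, hashlib, os, re, struct
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)
MAGIC = b"openssh-key-v1\x00"

def _string(buf, off):  # one SSH wire string: uint32 length + bytes
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify(data):
    """Return (state, sha256 of the clear-text public key or None)."""
    m = PEM_RE.search(data)
    if not m:
        return None, None
    label, body = m.groups()
    if label != b"OPENSSH PRIVATE KEY":  # legacy PEM or PKCS#8 container
        enc = label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body
        return ("encrypted" if enc else "unencrypted"), None
    try:
        blob = base64.b64decode(b"".join(body.split()))
        if not blob.startswith(MAGIC):
            return None, None
        cipher, off = _string(blob, len(MAGIC))
        _, off = _string(blob, off)       # kdfname
        _, off = _string(blob, off)       # kdfoptions
        pub, _ = _string(blob, off + 4)   # skip the uint32 key count
    except (ValueError, struct.error):
        return None, None
    state = "unencrypted" if cipher == b"none" else "encrypted"
    return state, hashlib.sha256(pub).hexdigest()

def scan(root, max_read=64 * 1024):
    """Classify every regular file under root: [(relpath, state, fingerprint)]."""
    found = []
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names):
            if not os.path.isfile(path):  # skip FIFOs, sockets, dangling links
                continue
            try:
                with open(path, "rb") as fh:
                    state, fp = classify(fh.read(max_read))
            except OSError:
                continue
            if state:
                found.append((os.path.relpath(path, root), state, fp))
    return sorted(found)

def shadow_copies(found):
    """Unencrypted keys whose public key also appears in an encrypted file."""
    protected = {fp for _, state, fp in found if state == "encrypted" and fp}
    return [p for p, state, fp in found if state == "unencrypted" and fp in protected]
```

`shadow_copies(scan(home))` lists unprotected files whose public key also appears in a passphrase-protected file; legacy PEM and PKCS#8 keys are classified but carry no clear public key to match on.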


