lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.58.0312101554360.12245@rolinck>
From: hvl at telefonica.de (Holger van Lengerich)
Subject: Password quality?

Hi,

> > I now need to check ssh2 and openssh private keys for policy compliance - do
> > they have a password, and is it nontrivial?

If you are using opensource products (like OpenSSH, LSH, Putty) you can modify
the application itself (e.g. ssh, ssh-add & ssh-keygen) to check the
passphrases as they are typed in.

Trying to crack the passphrases of SSH private keys you extract from a
filesystem may be evaded easily by using two files containing the same private
key:

The first will satisfy you passphrase requirements and is the one you most
  likely will pick up, because it resides in the default location for privat
  key files (.ssh) which ist most likely the only one you will pick up.

The second - concealed somewhere in the home-directory - is not protected
  with any passphrase in filesystem and is used for convenience purposes.

Regards,
  Holger

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ