>No. ssh-keygen should never be pamified. It is worthless to do so.
>
>If we are going to enforce passphrase quality it should be for all OSes.
>The world does not revolve around Linux. No matter what the press may
>think.

The Linux community didn't invent PAM, Sun did. Many more systems
than Linux have PAM: Solaris, HP-UX, some BSDs for a start.

Having said that, I agree with the comment that ssh-keygen shouldn't be pamified;
what you might want to do, though, is follow the PAM model and have a
pluggable set of rules that guide a user into choosing a good passphrase.

--
Darren J Moffat
On Fri, 16 Nov 2001 17:26:36 EST, Darren Moffat writes:
> Having said that I agree with the comment ssh-keygen shouldn't be pamified,
> what you might want to do though is follow the pam model and have a
> pluggable set of rules that guide a user into choosing a good passphrase.

Kind of like cracklib (which pam_cracklib uses)? (Cf.
http://www.users.dircon.co.uk/~crypto/.) However, note that:

- cracklib is designed for passwords, not passphrases (it's aimed at *short*
  strings);
- the dictionary that it checks against won't necessarily be the same on all
  systems, so any kind of consistency would be nontrivial to maintain.

Cracklib is simple enough to hook into ssh-keygen, and although it's better
than nothing as far as enforcing/encouraging passphrase quality goes, I doubt
it's worthwhile to try to support it officially. (You'd need at least two
separate configuration options--one for the location of the library, and
another for the location of the dictionary.)

--
Dan Astoorian                 People shouldn't think that it's better to have
Sysadmin, CSLab               loved and lost than never loved at all. It's
djast at cs.toronto.edu       not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/    the other options really suck. --Dan Redican
Darren Moffat writes:
> >No. ssh-keygen should never be pamified. It is worthless to do so.
> >
> >If we are going to enforce passphrase quality it should be for all OSes.
> >The world does not revolve around Linux. No matter what the press may
> >think.
>
> The Linux community didn't invent PAM, Sun did. Many more systems
> than Linux have PAM, Solaris, HP-UX some BSDs for a start.
>
> Having said that I agree with the comment ssh-keygen shouldn't be pamified,
> what you might want to do though is follow the pam model and have a
> pluggable set of rules that guide a user into choosing a good passphrase.

It occurs to me that hooking cracklib into ssh-keygen might be a more
generically useful approach, as it could be done even on systems that don't
have PAM, and cracklib seems to be reasonably portable and flexible.
On Fri, Nov 16, 2001 at 02:26:36PM -0800, Darren Moffat wrote:
> Having said that I agree with the comment ssh-keygen shouldn't be pamified,
> what you might want to do though is follow the pam model and have a
> pluggable set of rules that guide a user into choosing a good passphrase.

You're thinking something along the lines of allowing a compile-time option
to use cracklib if desired? For the reasons I already stated, I don't know
that a "picky" ssh-keygen (PAM-ified or not) should do any more than display
a warning & perhaps prompt for confirmation ("Are you sure you want to use
such a weak passphrase?").

-Peter
I think the responses to the original email are missing his topic as he
stated it. He was asking for ssh to comment on the quality of your
passphrase when you create it, i.e. something like this (fictionalized):

    $ ssh-keygen
    Enter passphrase: My1Big2$Long3_Passphrase
    ssh: on a scale of 1 to 10, your passphrase ranks a 10!
    (it's got capitals, special chars, numbers, lowercase, etc..)

    $ ssh-keygen
    Enter passphrase: short
    ssh: on a scale of 1 to 10, your passphrase ranks a 2!
    (dictionary word)

-----Original Message-----
From: Steve VanDevender [mailto:stevev at darkwing.uoregon.edu]
Sent: Friday, November 16, 2001 4:36 PM
To: Darren Moffat
Cc: mouring at etoh.eviladmin.org; openssh-unix-dev at mindrot.org
Subject: Re: passphrase quality

Darren Moffat writes:
> >No. ssh-keygen should never be pamified. It is worthless to do so.
> >
> >If we are going to enforce passphrase quality it should be for all OSes.
> >The world does not revolve around Linux. No matter what the press may
> >think.
>
> The Linux community didn't invent PAM, Sun did. Many more systems
> than Linux have PAM, Solaris, HP-UX some BSDs for a start.
>
> Having said that I agree with the comment ssh-keygen shouldn't be pamified,
> what you might want to do though is follow the pam model and have a
> pluggable set of rules that guide a user into choosing a good passphrase.

It occurs to me that hooking cracklib into ssh-keygen might be a more
generically useful approach, as it could be done even on systems that don't
have PAM and cracklib seems to be reasonably portable and flexible.
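The three ideas in this thread (Darren's "pluggable set of rules", the 1-to-10 score in the fictionalized transcript just above, and Peter's point that a weak result should produce a warning rather than a refusal) fit together in a few dozen lines. The following is an added example, not OpenSSH code and not cracklib: a table of rule functions, each awarding points, summed to a score out of 10, with the unmet rules reported back so the user learns why the score is low. The rule weights and the weak threshold of 6 are assumptions chosen for illustration; the embedded word list is a constructed stand-in for the cracklib dictionary (a real integration would call cracklib's `FascistCheck()` instead, which also brings in the per-system dictionary-location problem Dan raises).

```c
/* Added example of a rule-table passphrase scorer; not OpenSSH or cracklib code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PP_MAX_SCORE      10
#define PP_WEAK_THRESHOLD 6   /* assumed cut-off: below this we warn, never refuse */

typedef struct {
    const char *name;                /* shown to the user when the rule is unmet */
    int (*points)(const char *pp);   /* points awarded; 0 means the rule was not met */
} pp_rule;

/* Constructed mini dictionary standing in for a cracklib word list. */
static const char *pp_dict[] = { "short", "password", "secret", "qwerty", "letmein", NULL };

static int has_class(const char *s, int (*pred)(int))
{
    for (; *s != '\0'; s++)
        if (pred((unsigned char)*s))
            return 1;
    return 0;
}

static int is_special(int c) { return isprint(c) && !isalnum(c) && !isspace(c); }

/* Case-insensitive whole-string match against the dictionary. */
static int in_dict(const char *pp)
{
    const char **w;
    size_t i;
    for (w = pp_dict; *w != NULL; w++) {
        if (strlen(*w) != strlen(pp))
            continue;
        for (i = 0; pp[i] != '\0'; i++)
            if (tolower((unsigned char)pp[i]) != tolower((unsigned char)(*w)[i]))
                break;
        if (pp[i] == '\0')
            return 1;
    }
    return 0;
}

static int rule_len8(const char *pp)    { return strlen(pp) >= 8 ? 2 : 0; }
static int rule_len16(const char *pp)   { return strlen(pp) >= 16 ? 2 : 0; }
static int rule_lower(const char *pp)   { return has_class(pp, islower); }
static int rule_upper(const char *pp)   { return has_class(pp, isupper); }
static int rule_digit(const char *pp)   { return has_class(pp, isdigit); }
static int rule_special(const char *pp) { return has_class(pp, is_special) ? 2 : 0; }
static int rule_nodict(const char *pp)  { return in_dict(pp) ? 0 : 1; }

/* The table is the "pluggable" part: add, drop or reweight rules here. Weights sum to 10. */
static const pp_rule pp_rules[] = {
    { "at least 8 characters",  rule_len8 },
    { "at least 16 characters", rule_len16 },
    { "lowercase letter",       rule_lower },
    { "uppercase letter",       rule_upper },
    { "digit",                  rule_digit },
    { "punctuation/symbol",     rule_special },
    { "not a dictionary word",  rule_nodict },
};

/* Returns the score in 0..PP_MAX_SCORE; if why is non-NULL, fills it with the
 * names of the unmet rules, separated by "; ". */
int passphrase_score(const char *pp, char *why, size_t whylen)
{
    int score = 0;
    size_t i;
    if (why != NULL && whylen > 0)
        why[0] = '\0';
    for (i = 0; i < sizeof(pp_rules) / sizeof(pp_rules[0]); i++) {
        int p = pp_rules[i].points(pp);
        score += p;
        if (p == 0 && why != NULL && whylen > 0) {
            if (why[0] != '\0')
                strncat(why, "; ", whylen - strlen(why) - 1);
            strncat(why, pp_rules[i].name, whylen - strlen(why) - 1);
        }
    }
    return score;
}

int passphrase_is_weak(const char *pp)
{
    return passphrase_score(pp, NULL, 0) < PP_WEAK_THRESHOLD;
}

int main(void)
{
    char pp[256], why[256];
    int score;
    fputs("Enter passphrase: ", stdout);
    if (fgets(pp, sizeof(pp), stdin) == NULL)
        return 1;
    pp[strcspn(pp, "\n")] = '\0';
    score = passphrase_score(pp, why, sizeof(why));
    printf("on a scale of 1 to %d, your passphrase ranks a %d\n", PP_MAX_SCORE, score);
    if (score < PP_WEAK_THRESHOLD)   /* warn and explain; the user decides */
        printf("warning: weak passphrase (missing: %s)\n", why);
    return 0;
}
```

Two things worth noticing when running it: "correct horse battery staple" scores 6 on length alone even with no capitals, digits or symbols, which is the passphrase-versus-password distinction Dan makes (cracklib's rules are tuned for short strings and would not reward length this way), and "Password" scores only 4 because the dictionary match is case-insensitive, so capitalising a word buys nothing. The table makes the policy a data structure rather than a PAM dependency, which is what the "follow the PAM model without pamifying" suggestion amounts to in practice.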