Bryan J. Smith <b.j.smith@ieee.org>
2005-May-13 16:02 UTC
[CentOS] Re: About strongs passwords! -- PAM
From: israel.garcia at cimex.com.cu

> 1. My users have to work on the shell because they run a C++
> script to work in the database..

If it's just 1 or 2 scripts, consider limiting access to programs with another shell and/or a web or other front-end that only lets them launch a specific process.

> 2. So I want to force my users to pick a strong password.. Is there some
> command, tool to do this?

Actually, modifying PAM rules is highly recommended for this. So it not only does it for a single program, but all programs that change the password.

But ideally, you should consider _not_ using passwords for SSH. You should enable either public key authentication or Kerberos. It increases security ten-fold because the actual communication sent is a challenge -- i.e., a one-time, random password that is not good ever again.

In the case of public key authentication, you'll want to use passphrases, and enforce strong rules on those. The passphrases protect the private key on the client, which you never want to store whole. You'll need to research how to enforce that with "ssh-keygen" and the local "/etc/ssh/*config*" on each system where they are using the SSH client.

If you're really anal, you can use smart cards. Then no system ever has even the private key. It's actually easier to set up for SSH than most people think.

--
Bryan J. Smith mailto:b.j.smith at ieee.org
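
Added example, not part of the original message or of OpenSSH: one way to audit whether users' SSH private keys actually carry a passphrase, as the message above recommends. It goes beyond the post by covering both the legacy PEM layout and the newer `openssh-key-v1` layout; the function names and the sample keys are constructed for illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # header of the current OpenSSH private key format

def key_is_encrypted(pem_text):
    """True if the private key is passphrase-protected, False if stored in the clear."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].endswith("PRIVATE KEY-----"):
        raise ValueError("not a PEM private key")
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return True
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            raise ValueError("bad openssh-key-v1 header")
        off = len(MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        # First field after the magic is the cipher name; "none" means no passphrase.
        return blob[off + 4:off + 4 + n] != b"none"
    # Legacy PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type header line.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:])

def unprotected_keys(keys):
    """Names of the keys in a {name: pem_text} mapping that have no passphrase."""
    return sorted(name for name, text in keys.items() if not key_is_encrypted(text))

def _openssh_sample(cipher):
    # Constructed header only (magic + cipher name), enough for the check above.
    body = MAGIC + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed sample inputs; none of these is a usable key.
SAMPLES = {
    "alice_legacy_enc": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                        "AAAA\n-----END RSA PRIVATE KEY-----\n",
    "bob_legacy_clear": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "carol_new_enc": _openssh_sample(b"aes256-ctr"),
    "dave_new_clear": _openssh_sample(b"none"),
}

if __name__ == "__main__":
    for name in unprotected_keys(SAMPLES):
        print("no passphrase:", name)
```

The check only reports whether a passphrase exists; it cannot tell how strong that passphrase is.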

On 5/13/05 9:02 AM, Bryan J. Smith <b.j.smith at ieee.org> wrote:

> If you're really anal, you can use smart cards. Then no system ever
> has even the private key. It's actually easier to set up for SSH than
> most people think.

Can you comment on any of the smart-card hardware that you've used?

--
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com