CentOS - May 2005 - Re: About strongs passwords! -- PAM

From: israel.garcia at cimex.com.cu
> 1.  My users have to work on the shell because, they run a C++
> scritp to work in tha database..
If it's just 1 or 2 scripts, consider limiting access to programs with
another
shell and/or a web or other front-end that only lets them launch a specific
process.
> 2. So I want to force my users to pick a strong password.. Is there some
> command, tool to do this?
Actually, modifying PAM rules are highly recommended for this.
So it not only does it for a single program, but all programs that change
the password.

But ideally, you should consider _not_ using passwords for SSH.
You should enable either public key authentication or Kerberos.
It increases security ten-fold because the actual communication
sent is a challenge -- i.e., a one-time, random password that is
not good ever again.

In the case of public key authentication, you'll want to use passphrases,
and enforce strong rules on those.  The passphrases protect the
private key on the client, which you never want to store whole.
You'll need to research how to enforce that with "ssh-keygen" and
the
local "/etc/ssh/*config*" on each system where they are using
the SSH client.

If you're really anal, you can use smart cards.  Then no system ever
has even the private key.  It's actually easier to setup for SSH than
most people think.



--
Bryan J. Smith   mailto:b.j.smith at ieee.org

On 5/13/05 9:02 AM, Bryan J. Smith <b.j.smith at ieee.org> wrote:
> If you're really anal, you can use smart cards.  Then no system ever
> has even the private key.  It's actually easier to setup for SSH than
> most people think.
Can you comment on any of the smart-card hardware that you've used?

-- 
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com