Full Disclosure mailing list archives

Re: Password quality?


From: "Larry W. Cashdollar" <lwc () vapid ath cx>
Date: Wed, 10 Dec 2003 08:59:53 -0500 (EST)
On Wed, 10 Dec 2003, Kristian Köhntopp wrote:


I know how to check Unix and Windows passwords for quality - John the Ripper
is quite an encompassing tool (http://www.openwall.com/john/).

I now need to check ssh2 and openssh private keys for policy compliance - do
they have a password, and is it nontrivial?


You could attempt to load keys that are not encrypted by a passphrase into
ssh-agent with ssh-add.  Keys that load without a password prompt are
unencrypted and flagged as bad. This would work to verify keys did indeed
have a password.  The downside is you're going to need access to everyone's
private key, or you're going to need to store private keys all in one
location.  This defeats the purpose of "private" and a layer of security.


As for checking password compliance, as a crude measure you could write an
expect script that attempted to load keys with commonly known passwords;
this would be slow and not pretty.

Which tool am I going to use?


ssh-agent, ssh-add, perl, expect...


Kristian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
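A file-level version of the check Larry describes (a key that needs no passphrase is the policy violation), added here as an example and not part of the original thread: it reads the key file itself instead of pushing it into ssh-agent, and recognises OpenSSH legacy PEM headers, PKCS#8 labels and the newer openssh-key-v1 container, whose cipher name is "none" for a cleartext key. The sample key texts are constructed and carry only the fields the check reads, so they are not loadable keys; ssh.com's ssh2 format is not covered.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\0"  # openssh-key-v1 container magic (ssh-keygen -o / current default)

def read_ssh_string(buf: bytes, off: int):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def is_passphrase_protected(pem: str) -> bool:
    """True if the private key material is encrypted, False if it is stored in clear."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+?)-----\n(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not an OpenSSH/PEM private key")
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # After the magic: string ciphername, string kdfname, string kdfoptions, uint32 nkeys
        cipher, _ = read_ssh_string(blob, len(MAGIC))
        return cipher != b"none"
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8, passphrase-protected
        return True
    if label == "PRIVATE KEY":  # PKCS#8 in clear
        return False
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY) is encrypted only if it carries this header
    return re.search(r"^Proc-Type: 4,ENCRYPTED", body, re.M) is not None

def audit_keys(keys: dict) -> list:
    """Return the names of keys stored without a passphrase, i.e. the policy violations."""
    return sorted(name for name, text in keys.items() if not is_passphrase_protected(text))

# Constructed samples: only the fields the check reads are present, so these are not loadable keys.
def make_openssh_key(cipher: bytes, kdf: bytes) -> str:
    blob = MAGIC + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf, b"")) + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                    "-----END RSA PRIVATE KEY-----\n")
LEGACY_CLEAR = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_KEYS = {"alice": make_openssh_key(b"aes256-ctr", b"bcrypt"), "bob": make_openssh_key(b"none", b"none"),
               "carol": LEGACY_ENCRYPTED, "dave": LEGACY_CLEAR}

if __name__ == "__main__":
    print("keys without a passphrase:", audit_keys(SAMPLE_KEYS))  # ['bob', 'dave']
```

Run it over a directory of collected key files (the same collection caveat Larry raises applies) and the flagged names are the keys that would load into ssh-add without a prompt.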


