Full Disclosure mailing list archives
Re: Password quality?
From: "Larry W. Cashdollar" <lwc () vapid ath cx>
Date: Wed, 10 Dec 2003 08:59:53 -0500 (EST)
On Wed, 10 Dec 2003, Kristian Köhntopp wrote:
I know how to check Unix and Windows passwords for quality - John the Ripper is quite an encompassing tool (http://www.openwall.com/john/). I now need to check ssh2 and openssh private keys for policy compliance - do they have a password, and is it nontrivial?
You could attempt to load keys that are not encrypted by a passphrase into ssh-agent with ssh-add. Keys that load without a password prompt are unencrypted and flagged as bad. This would work to verify keys did indeed have a password. The downside is you're going to need access to everyone's private key, or you're going to need to store private keys all in one location. This defeats the purpose of "private" and a layer of security. As for checking password compliance, as a crude measure you could write an expect script that attempted to load keys with commonly known passwords; this would be slow and not pretty.
Which tool am I going to use?
ssh-agent,ssh-add,perl,expect...
Kristian
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
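An added, offline variant of the "does this key have a passphrase" check (this is not code from the thread): rather than driving ssh-add through expect, it reads the key file itself and reports whether it is passphrase-protected, covering OpenSSH's own key format, classic PEM, PKCS#8 and ssh.com "SSH2" keys. The sample key texts are constructed inline and are not real keys; the ssh.com body layout (magic, total length, key type, cipher name) is assumed from the published format.

```python
import base64, re, struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
SSHCOM_MAGIC = b"\x3f\x6f\xf9\xeb"

def _ssh_string(buf, off):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes) at off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def _b64_body(text):
    """Join the base64 lines between BEGIN/END, skipping 'Name: value' header lines."""
    lines = [ln for ln in text.splitlines()[1:-1] if ":" not in ln and ln.strip()]
    return base64.b64decode("".join(lines))

def key_is_encrypted(text):
    """True if the private key text is passphrase-protected, False if not, None if unrecognised."""
    text = text.strip()
    if text.startswith("-----BEGIN OPENSSH PRIVATE KEY-----"):
        body = _b64_body(text)          # openssh-key-v1: magic, cipher name, kdf name, ...
        if not body.startswith(OPENSSH_MAGIC):
            return None
        cipher, _ = _ssh_string(body, len(OPENSSH_MAGIC))
        return cipher != b"none"        # "none" means no passphrase was set
    if text.startswith("-----BEGIN ENCRYPTED PRIVATE KEY-----"):
        return True                     # PKCS#8 encrypted container
    if re.match(r"-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----", text):
        return "Proc-Type: 4,ENCRYPTED" in text   # classic PEM flags encryption in a header
    if text.startswith("---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"):
        body = _b64_body(text)          # ssh.com (assumed layout): magic, total len, key type, cipher
        if not body.startswith(SSHCOM_MAGIC):
            return None
        _, off = _ssh_string(body, 8)   # skip magic + total length, read key type
        cipher, _ = _ssh_string(body, off)
        return cipher != b"none"
    return None

def build_openssh_sample(cipher):
    """Constructed OpenSSH-format header (not a real key) with the given cipher name."""
    def s(b): return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed classic-PEM sample; the base64 payload is dummy data, not key material.
PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "QUJDREVGR0g=\n-----END RSA PRIVATE KEY-----\n")
```

Because it only reads headers, this check can run on a user's own machine (or in a login script) and report a policy violation without the keys ever being collected centrally; it says nothing about how strong the passphrase is.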