Full Disclosure mailing list archives
Re: Password quality?
From: Holger van Lengerich <hvl () telefonica de>
Date: Wed, 10 Dec 2003 16:24:47 +0100 (CET)
Hi,
I now need to check ssh2 and openssh private keys for policy compliance - do they have a password, and is it nontrivial?
If you are using open source products (like OpenSSH, LSH, PuTTY) you can modify the application itself (e.g. ssh, ssh-add & ssh-keygen) to check the passphrases as they are typed in.

Trying to crack the passphrases of SSH private keys you extract from a filesystem may be evaded easily by using two files containing the same private key: The first will satisfy your passphrase requirements and is the one you most likely will pick up, because it resides in the default location for private key files (.ssh), which is most likely the only one you will pick up. The second - concealed somewhere in the home-directory - is not protected with any passphrase in the filesystem and is used for convenience purposes.

Regards,
Holger

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Password quality? Kristian Köhntopp (Dec 10)
- Re: Password quality? Larry W. Cashdollar (Dec 10)
- Re: Password quality? Holger van Lengerich (Dec 10)
- Re: Password quality? petard (Dec 10)
- Re: Password quality? the1 (Dec 10)
- <Possible follow-ups>
- Re: Password quality? Larry W. Cashdollar (Dec 10)
- Re: Password quality? Kristian Köhntopp (Dec 10)
- Re: Password quality? Larry W. Cashdollar (Dec 10)