On Wed, 17 Sep 2008 14:21:41 +0200 Alan McKinnon <[EMAIL PROTECTED]> wrote:
> On Wednesday 17 September 2008 13:16:57 Jil Larner wrote:
> > Hello,
> >
> > You cannot. The reason for this is simple: you can copy your private
> > key as many times as you wish to any place. Even if you were able to
> > check up that a private key is passphrase-protected, it wouldn't mean
> > every single copy of that key is protected so. And the interest of the
> > private key is that only the owner possesses it and hides it; thus
> > you shouldn't think about a mensual submission of the keyfile to
> > automatically check it is protected, because it would open a serious
> > security hole.
>
> Agreed. The hole I would like to close (or make smaller) is that the
> key is the main security between the user's desktop machine and the
> core routers on my network. We originally switched to ssh keys
> because users will gladly share passwords with each other without
> regard for consequences, and the administration of this is a
> nightmare.
>
> Keys make for better security, but I would like it to be even better.
> I also want to have my facts 100% straight - if I tell my boss "it
> can't be done" I like to show research to back it up. There's nothing
> worse than saying something can't be done, and someone else in the
> room immediately says how it can be done ... :-)

You could use keys AND passwords for the SSH. It should be trivial to set PAM up for it...
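The "keys AND passwords" suggestion in the last reply, as an added example (not code from the thread): a POSIX sh check that tells an sshd_config where either factor alone logs a user in from one that requires a public key and then a PAM password prompt. It assumes OpenSSH 6.2 or newer, whose AuthenticationMethods keyword postdates this 2008 thread; the three sample configs are constructed.

```shell
# Added example (not from the thread): distinguish an sshd_config where a key
# OR a password logs a user in from one that requires a key AND a PAM-backed
# password. Assumes OpenSSH 6.2+ (AuthenticationMethods); configs are constructed.

# Weak: both methods enabled, but either one alone is sufficient, so a copied,
# unencrypted private key is enough to reach the routers.
WEAK_CONFIG='PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes'

# Also weak: a space in AuthenticationMethods separates ALTERNATIVE lists (OR).
OR_CONFIG='PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey password'

# Hardened: the key must succeed first, then PAM prompts for the user's password.
STRONG_CONFIG='PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam'

# cfg_get CONFIG KEYWORD: print the keyword's value. sshd honours the FIRST
# occurrence of a keyword, so only the first match is printed.
cfg_get() {
  printf '%s\n' "$1" | awk -v k="$2" '
    tolower($1) == tolower(k) && !done { $1 = ""; sub(/^ +/, ""); print; done = 1 }'
}

# requires_key_and_password CONFIG: exit 0 only if every login needs a public
# key plus a password or keyboard-interactive (PAM) factor.
requires_key_and_password() {
  methods=$(cfg_get "$1" AuthenticationMethods)
  [ "$(cfg_get "$1" PubkeyAuthentication)" != no ] || return 1
  [ -n "$methods" ] || return 1                    # absent: any one method suffices
  case "$methods" in *" "*) return 1 ;; esac       # several lists: OR, not AND
  case "$methods" in *publickey*) ;; *) return 1 ;; esac
  case "$methods" in
    *keyboard-interactive*)   # PAM second factor; both switches must be on
      kbd=$(cfg_get "$1" KbdInteractiveAuthentication)   # older spelling below
      [ -n "$kbd" ] || kbd=$(cfg_get "$1" ChallengeResponseAuthentication)
      [ "$kbd" != no ] && [ "$(cfg_get "$1" UsePAM)" = yes ] ;;
    *password*)
      [ "$(cfg_get "$1" PasswordAuthentication)" != no ] ;;
    *) return 1 ;;   # "publickey" alone is still a single factor
  esac
}

for name in WEAK_CONFIG OR_CONFIG STRONG_CONFIG; do   # demo on the samples
  eval "cfg=\$$name"; requires_key_and_password "$cfg" && echo "$name: key AND password" || echo "$name: one factor suffices"
done
```

Against a live server, pass `"$(cat /etc/ssh/sshd_config)"` instead of a sample; Match blocks and Include files are not followed by this check.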