[ILUG] SSH dictionary attacks.
Niall O Broin
niall at linux.ie
Wed Aug 23 22:26:19 IST 2006
On 23 Aug 2006, at 22:19, Aine Douglas wrote:
> On 8/23/06, paul at clubi.ie <paul at clubi.ie> wrote:
>> > You can actually control the pasphrases used to protect keys if you
>> > issue the keys from a corporate controlled CA,
>> No you can't, not for ssh keys in the actual "SSH key" sense!
>> You might be able to issue secret keys to users with 'good'
>> pass-phrases on them, but the user has full power over the key,
>> including power to change that annoying IT-issued pass-phrase to
>> something they can remember a bit easier.
> I'd challenge that.
And you'd lose.
> The largest, and probably disproportionately most
> expensive PKI system in Ireland is operated by the Revenue
> Commissioners allowing the general public deal with them
> They issue you with a digital cert and private key in PKCS12 format
> from their CA for you to sign all online dealing with them in a non
> repudable fashion.
Indeed they do, and they extract a lot of money from me in such a
> Sing up at www.ros.ie and try and change the password for that PKCS12
> file outside of the ROS system. Can't be done with any PKCS12 tool
However, that is NOT an ssh key. The pass phrase to an ssh key can,
as Paul said, be changed or removed altogether by its owner using ssh-
keygen with the -N option.
More information about the ILUG