[ILUG] SSH dictionary attacks.

Niall O Broin niall at linux.ie
Wed Aug 23 22:26:19 IST 2006


On 23 Aug 2006, at 22:19, Aine Douglas wrote:

> On 8/23/06, paul at clubi.ie <paul at clubi.ie> wrote:
>> > You can actually control the passphrases used to protect keys if you
>> > issue the keys from a corporate controlled CA,
>>
>> No you can't, not for ssh keys in the actual "SSH key" sense!
>>
>> You might be able to issue secret keys to users with 'good'
>> pass-phrases on them, but the user has full power over the key,
>> including power to change that annoying IT-issued pass-phrase to
>> something they can remember a bit easier.
>
> I'd challenge that.

And you'd lose.

> The largest, and probably disproportionately most
> expensive PKI system in Ireland is operated by the Revenue
> Commissioners allowing the general public to deal with them
> electronically.
>
> They issue you with a digital cert and private key in PKCS12 format
> from their CA for you to sign all online dealing with them in a non-
> repudiable fashion.

Indeed they do, and they extract a lot of money from me in such a way :-(

> Sign up at www.ros.ie and try and change the password for that PKCS12
> file outside of the ROS system. Can't be done with any PKCS12 tool
> available.

However, that is NOT an ssh key. The pass phrase to an ssh key can, as Paul said,
be changed or removed altogether by its owner using ssh-keygen with the -N option.


Niall
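Since the owner of an ssh key can strip its passphrase at any time, the practical control on the server side is auditing the keys that are actually deployed. The following is an added example, not code from this thread or from OpenSSH: it checks whether a private key file is still passphrase-protected by reading the cipher and KDF names from the openssh-key-v1 container, and (going beyond the thread's ssh-keygen discussion) also recognises the encryption header of the older PEM key format. The sample key blobs are constructed in the script and contain no real key material.

```python
"""Audit check: is an OpenSSH private key file still passphrase-protected?"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length prefix) starting at off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_passphrase_protected(pem_text: str) -> bool:
    """True if the key is encrypted on disk, False if it is stored in the clear.

    Handles the openssh-key-v1 container (ssh-keygen default) and the legacy
    PEM form, where encryption is signalled by an RFC 1421 Proc-Type header."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        # ssh-keygen -p -N '' leaves ciphername and kdfname both set to "none"
        return not (cipher == b"none" and kdf == b"none")
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    raise ValueError("not a recognised private key file")


def _constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Build a minimal openssh-key-v1 container (constructed sample, not a real key)."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    body = (OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"")      # kdfoptions empty
            + struct.pack(">I", 1) + s(b"pub") + s(b"priv"))  # one (dummy) key
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples: a key as ssh-keygen writes it with a passphrase, the
# same container after the owner ran ssh-keygen -p -N '', and a legacy PEM key.
ENCRYPTED_KEY = _constructed_openssh_key(b"aes256-ctr", b"bcrypt")
CLEAR_KEY = _constructed_openssh_key(b"none", b"none")
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Run over a directory of collected private keys, any file for which this returns False is a key whose passphrase has been removed or was never set.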
