One thing that could be done would be to roll a bash script which would
run ssh-keygen with acceptable parameters for the system in use, and in
that bash script have a note displayed telling users how and why to
generate good pass phrases, collect the pass phrase from the user, and
have ssh-keygen create each key pair in a user's space. I have many
passwords in use, as do we all, and use braille to store those since it is
in itself a form of encryption, and I know how to apply additional
encryption to written passwords and pass phrases as well. Since pass
phrases are not recoverable if lost, it may be useful for users to
encrypt pass phrases as they write those on paper and generate them with
the bash script. The apg utility with parameters acceptable to the
system might be run inside a bash script to offer a list of choices to a
user to speed the creation of key sets too. This way, users not
extremely familiar with ssh-keygen who don't like to read man pages
could generate system-acceptable key sets.
On Tue, 12 Jan 2016, Dan Ritter wrote:

> Date: Tue, 12 Jan 2016 11:22:14
> From: Dan Ritter <[email protected]>
> To: Steve Matzura <[email protected]>
> Cc: debian <[email protected]>
> Subject: Re: Generating ssh key pairs
> Resent-Date: Tue, 12 Jan 2016 16:22:35 +0000 (UTC)
> Resent-From: [email protected]
>
> On Mon, Jan 11, 2016 at 03:57:24PM -0500, Steve Matzura wrote:
> > Dan,
> > On Mon, 11 Jan 2016 14:15:53 -0500, Dan wrote:
> > > In general, you want your SFTP users to send you their own
> > > public keys, and you drop them into ~user/.ssh/authorized_keys
> > That's going to be difficult, as most of my users wouldn't know a
> > public key from their house key (LOL). I was hoping it would be
> > simpler than that.
>
> If you generate their key pairs for them, how are you going to
> safely send them their private keys?
>
> If they can't generate a keypair, they probably can't secure it
> with a passphrase.
>
> Generating a keypair is easy for Linux and Mac users, and only
> slightly more complicated for Windows users. (They have the
> additional step of installing something like putty.)
>
> -dsr-
> --
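The wrapper script sketched at the top of this message (guidance text, pass phrase collection, apg suggestions, key pair created in the user's own directory) could look like the following. This is an added example, not code from the thread or from any of its participants. It assumes ed25519 with 64 KDF rounds as the "acceptable parameters", a 12-character minimum for the pass phrase, and the apg flags -a/-m/-x/-n/-M; the function names and the --interactive switch are this example's own.

```shell
#!/bin/sh
# Helper for users who would rather not read the ssh-keygen man page:
# print pass phrase guidance, optionally offer apg candidates, then create
# an ed25519 key pair in the user's own directory with a pass phrase set.

passphrase_guidance() {
  cat <<'EOF'
Pick a pass phrase of several unrelated words (12 characters at the very
least, longer is better). ssh-keygen never stores it: if it is lost, the
private key is unusable and a new pair must be generated. If you write it
down, keep that note as carefully as you would the key itself.
EOF
}

# Minimum-length check; returns 0 when the pass phrase is acceptable.
# (12 characters is this example's assumption, not a value from the thread.)
check_passphrase() {
  [ "${#1}" -ge 12 ]
}

# Offer candidate pass phrases from apg if it is installed (as the message
# suggests): five random strings of 20-24 characters mixing symbols,
# numerals, capitals and lower-case. Prints nothing when apg is absent.
suggest_passphrases() {
  if command -v apg >/dev/null 2>&1; then
    apg -a 1 -m 20 -x 24 -n 5 -M SNCL 2>/dev/null
  fi
}

# make_keypair NAME [PASSPHRASE] [DIR]
# Creates DIR/NAME (private) and DIR/NAME.pub; DIR defaults to ~/.ssh.
# Without PASSPHRASE, ssh-keygen prompts for it itself (twice, no echo),
# so the secret never appears on a command line.
make_keypair() {
  name=$1; pass=${2:-}; dir=${3:-$HOME/.ssh}
  if [ -n "$pass" ] && ! check_passphrase "$pass"; then
    echo "pass phrase too short (need 12+ characters)" >&2
    return 1
  fi
  if [ -e "$dir/$name" ]; then
    echo "refusing to overwrite existing key $dir/$name" >&2
    return 1
  fi
  mkdir -p "$dir" && chmod 700 "$dir"
  if [ -n "$pass" ]; then
    # -N places the pass phrase in ssh-keygen's argv, where other local
    # users can read it with ps; only acceptable for automation on a
    # single-user host. The interactive path below avoids it.
    ssh-keygen -q -t ed25519 -a 64 -C "$name" -N "$pass" -f "$dir/$name"
  else
    ssh-keygen -q -t ed25519 -a 64 -C "$name" -f "$dir/$name"
  fi
}

# Interactive use: sh keygen-helper.sh --interactive [keyname]
if [ "${1:-}" = "--interactive" ]; then
  passphrase_guidance
  echo "Candidate pass phrases (from apg, if installed):"
  suggest_passphrases
  make_keypair "${2:-id_ed25519}"
fi
```

The user then sends only `~/.ssh/<name>.pub` to the administrator for `authorized_keys`; the private key never leaves their account, which is the point Dan makes about not having to ship private keys around. The pass phrase can be confirmed to be in effect with `ssh-keygen -y -f ~/.ssh/<name>`, which fails with the wrong phrase.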