On Wed, Dec 10, 2003 at 11:24:34AM +0100, Kristian Köhntopp wrote:
>
> I know how to check Unix and Windows passwords for quality - John the Ripper
> is quite an encompassing tool (http://www.openwall.com/john/).
>
> I now need to check ssh2 and openssh private keys for policy compliance - do
> they have a password, and is it nontrivial?
>
> Which tool am I going to use?

I am not aware of any publicly available tool that does what you want (other than the expect script someone posted to the list). I do know of one or two private tools in circulation and may be able to persuade one of the authors to post his here or allow me to do so. They are crude but far better than the expect scripts, as well as far more efficient. (Over 1000 guesses/second on a PPC G4 1GHz... I haven't tried with a really good word list.)

The basic method used by these tools is:

1. Take the openssh source code and build libssh.a
2. Use the key_load_private() function along with a good word list to check for empty/obvious passphrases.

See ssh-keygen.c for an example of how the key_load_private() function works.

Others have commented on the lack of usefulness here, due to the user's ability to keep a copy of the key with a different passphrase in a non-standard location, and still use it, as well as problems inherent in collecting everyone's private keys for analysis.

As an aside, you can use ssh-keygen to solve half of your problem. It will tell you whether keys have a passphrase or not. Just use the syntax:

    ssh-keygen -f /path/to/private/key -p

If it asks you for the old passphrase, that means one is set. If it goes straight to asking for a new one, that means the key is unprotected.

HTH,
petard

--
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
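For auditing many keys without an interactive prompt, the presence half of the question can also be answered from the key file's own headers. The following is an added example, not part of the original message and not one of the tools it mentions: it reads the file format instead of calling ssh-keygen, and it goes beyond the legacy PEM files the message deals with by also covering the later openssh-key-v1 container. All function names and sample keys are constructed for illustration, and the result says nothing about passphrase strength.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # start of the decoded new-format key blob

def ssh_string(data):
    """Encode bytes as an SSH wire string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode one SSH wire string at off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def passphrase_status(text):
    """Classify one private key file: 'encrypted', 'unprotected' or 'unknown'."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    body = lines[1:-1]
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(body), validate=True)
            if not blob.startswith(MAGIC):
                return "unknown"
            cipher, off = read_string(blob, len(MAGIC))
            kdf, _ = read_string(blob, off)
        except (ValueError, struct.error):
            return "unknown"
        return "unprotected" if (cipher, kdf) == (b"none", b"none") else "encrypted"
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"):
        # Legacy PEM: an encrypted key carries a "Proc-Type: 4,ENCRYPTED" header.
        enc = any(l.replace(" ", "").upper() == "PROC-TYPE:4,ENCRYPTED" for l in body)
        return "encrypted" if enc else "unprotected"
    return "unknown"

def constructed_openssh_key(cipher, kdf):
    """Constructed sample: header fields only, no key material."""
    blob = MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(b"")
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy sample; the body is a placeholder, not a real key.
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n"
                    "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(passphrase_status(constructed_openssh_key(b"none", b"none")))
    print(passphrase_status(LEGACY_ENCRYPTED))
```

Files reported as "unknown" (other containers, damaged files) need a manual check with the ssh-keygen -p prompt described in the message.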
