Other than making a policy of "Put passwords on your SSH keys", how do you handle the danger of some users potentially not using passwords on their keys?
I'm interested in real-world ways to manage this issue. Policy statements don't cut it for me. :)

If I have a system that doesn't allow keys, I can check for weak passwords in the local system password database using various tools. But I can't really *ENFORCE* a check against user keys (i.e., I can't check for weak passwords or no passwords).

How are you dealing with this?

---
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author:
"Best Practices for Managing Linux and UNIX Servers"
"Spam Fighting and Email Security in the 21st Century"

Download your free copies:
http://www.puryear-it.com/publications.htm
