Oh what a tangled web we weave. Communication channels continue to become stronger, and yet the end-points still remain just as vulnerable.

---
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author:
  "Best Practices for Managing Linux and UNIX Servers"
  "Spam Fighting and Email Security in the 21st Century"

Download your free copies:
  http://www.puryear-it.com/publications.htm

Monday, January 22, 2007, 2:10:00 PM, you wrote:

> "Dustin Puryear" <dustin at puryear-it.com> writes:
>> If I have a system that doesn't allow keys, I can check for weak
>> passwords in the local system password database using various tools.
>> But I can't really *ENFORCE* a check against user keys (i.e., I can't
>> check for weak passwords or no passwords).
>>
>> How are you dealing with this?

> We run a kerberos realm, but that doesn't really do more than shift
> the problem, though krb5 has policies which help enforce better
> passwords and the like. On the other hand, we also allow keys as a
> fallback mechanism because of the number of automated tests we run at
> night that use ssh and "can't rely upon tickets"... As a result, most
> of our developers end up never kinit'ing and then fall-back to their
> keys and never realize it.
