-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

guy keren wrote:
> i think that the problem with this setup, is that the security people
> have no way to enforce that you create a key with a pass-phrase. once
> they allow you to use ssh keys, it is up to you (the user) whether or
> not to use a pass-phrase. at least that was the situation with sshd in
> the past - i don't know if this issue was resolved yet.

They could do what I do, which is to use cfengine to control what keys are installed on the servers. cfengine blows away any keys it does not recognize. Any key that wants to be installed on the server has to be run by me as the security person, and I approve it by putting it into the cfengine key distribution, and I don't approve it unless I see the key generated with a passphrase.

cfengine is great for security. It ensures that patches are applied, checks md5sums, ensures that files have the correct permissions, ensures that security-sensitive programs have the correct things in their configuration files network-wide, and can help automate tasks like managing your ssh keys and systems in general.

- --
Tracy R Reed
http://ultraviolet.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFchHa9PIYKZYVAq0RAmAYAJ9aAhO3sP9P/vneHTgyyEiYY22GJACgmjmT
9xRJ0aQSth+i8RVV64nAzak=
=db1c
-----END PGP SIGNATURE-----
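The control Tracy describes, an approved list of public keys that is the only source of truth for a server's authorized_keys file, with anything not on the list removed, can be illustrated without cfengine. The following is an added example written for this thread; it is not cfengine policy and not code from either poster. It assumes OpenSSH authorized_keys format (one key per line, optional leading options such as `from=` or `no-pty`, then key type, base64 body and comment), identifies a key by its type and base64 body only, and keeps comment lines so the managed file stays readable. The file names and sample keys used in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread, not cfengine): reconcile an
# authorized_keys file against an approved list, removing keys the security
# person has not approved.

# Print "type base64" for every key in file $1 (use "-" for stdin), sorted and
# de-duplicated. Options and comments are ignored; comment and blank lines are skipped.
# Assumption: key types are the common OpenSSH ones listed in the regex below.
key_ids() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/ && (i + 1) <= NF) {
                    print $i " " $(i + 1)
                    break
                }
            }
        }' "$1" | sort -u
}

# Print the key ids present in authorized_keys $2 but absent from approved list $1.
# Useful as a read-only audit before enforcing anything.
unrecognized_keys() {
    approved=$(mktemp); installed=$(mktemp)
    key_ids "$1" > "$approved"
    key_ids "$2" > "$installed"
    comm -13 "$approved" "$installed"
    rm -f "$approved" "$installed"
}

# Rewrite authorized_keys $2 so that it contains only keys found in approved
# list $1 (comment and blank lines are preserved). Prints the number of
# removed key lines so a caller can log or alert on drift.
enforce_authorized_keys() {
    approved=$(mktemp); tmp=$(mktemp)
    key_ids "$1" > "$approved"
    removed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*) printf '%s\n' "$line" >> "$tmp"; continue ;;
        esac
        id=$(printf '%s\n' "$line" | key_ids -)
        if [ -n "$id" ] && grep -Fxq -- "$id" "$approved"; then
            printf '%s\n' "$line" >> "$tmp"
        else
            removed=$((removed + 1))
        fi
    done < "$2"
    # Write in place (cat, not mv) so the target keeps its owner and mode.
    cat "$tmp" > "$2"
    rm -f "$tmp" "$approved"
    echo "$removed"
}
```

Usage: `unrecognized_keys /etc/ssh/approved_keys /home/alice/.ssh/authorized_keys` lists drift without touching anything; `enforce_authorized_keys` with the same two arguments rewrites the file and prints how many unapproved key lines were dropped, which is the number worth feeding into monitoring, since a non-zero count means someone installed a key outside the approved distribution. Run from cron or a configuration-management hook it gives the same "blow away unrecognized keys" behaviour the post attributes to cfengine.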
