On Sat, 2006-12-02 at 15:52 -0800, Tracy R Reed wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > guy keren wrote: > > i think that the problem with this setup, is that the security people > > have no way to enforce that you create a key with a pass-phrase. once > > they allow you to use ssh keys, it is up to you (the user) whether or > > not to use a pass-phrase. at least that was the situation with sshd in > > the past - i don't know if this issue was resolved yet. > > They could do what I do which is to use cfengine to control what keys > are installed on the servers. cfengine blows away any keys it does not > recognize. Any key that wants to be installed on the server has to be > run by me as the security person and I approve it by putting it into the > cfengine key distribution and I don't approve it unless I see the key > generated with a passphrase.
i assume you're running cfengine only every so-often (it is a polling-based system, not a notification-based system, as far as i know). so you still have some amount of time when users might put pass-phrase-less keys. --guy -- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
