Norman,

There are no passwords involved in doing anonymous ftp. If you are talking about authenticated ftp, then that should obviously be disabled together with telnet. Don't even think about using passwords with ftp if your threat model requires the use of ssh. The bad guys can do just as much damage with ftp as they can do with telnet.

What you need is some form of one-time passwords. Either generated in hardware (SecurID comes to mind), or in software (like PilOTP on the 3Com Palm).

Please describe your threat model in more detail if you want a specific recommendation.

A.

On Mon, 18 Oct 1999, Norman Yelle wrote:

> Hi All,
>
> Is it possible to prevent users from choosing an empty passphrase? Or to
> force a passphrase on users?
>
> Or for SSH to force users to go through a 2-step authentication process?
> (e.g. users must enter a passphrase and a password)
>
> This is something similar to dialup servers where the user must enter
> a port password and the username/password combination in order to get in.
>
> Basically I want to prevent a user from divulging his normal password
> (e.g. user divulges his real password when using anonymous ftp)
> and then an intruder from coming in the ssh server using that password.
>
> We have something in place to prevent bad/guessable passwords, but we
> want to protect ourselves from a password being involuntarily divulged.
>
> I know I can set PasswordAuthentication to "no", to prevent this
> password authentication, but if I choose RSAAuthentication, a user can
> choose an empty passphrase or a bad/guessable one.
>
> Thanks
> Norman.
>
