On Thu, Sep 4, 2014 at 6:11 AM, shawn wilson <ag4ve.us@xxxxxxxxx> wrote:
> This got me thinking, shouldn't this go through PAM so that password
> strength restrictions can be set as well? Obviously most ssh keys are
> created locally. But, if this were implemented, I think most distros
> would adopt the same strength criteria on this as they do with passwd
> and the like.

That... sounds wildly off-topic from the original note, and extremely fragile. You'd have to route the existing 'ssh-keygen' tool, which is an entirely local, well contained, and very stable tool, through PAM, which is in itself a maintenance and configuration nightmare.

If you think I'm kidding, just *look* at the contents of /etc/pam.d, and the necessary changes for requirements such as password length or mixed case policy, and their instability when modified by tools such as "authconfig" in the Red Hat Linux world. On top of that, modifying them locally for desired ssh-keygen policy would require hand-editing the /etc/pam.d files.

I wouldn't encourage it for ssh-keygen, which works very reliably as is.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev