On Thu, Sep 4, 2014 at 6:59 AM, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
> On Thu, Sep 4, 2014 at 6:11 AM, shawn wilson <ag4ve.us@xxxxxxxxx> wrote:
>> This got me thinking, shouldn't this go through PAM so that password
>> strength restrictions can be set as well? Obviously most ssh keys are
>> created locally. But, if this were implemented, I think most distros
>> would adopt the same strength criteria on this as they do with passwd
>> and the like.
>
> That... sounds wildly off-topic from the original note,

Ah sorry, I should've modified the subject - figured the fwd would
give the email a new id.

> and extremely
> fragile. You'd have to route the existing 'ssh-keygen' tool, which is
> an entirely local, well contained, and very stable tool, through PAM,
> which is in itself a maintenance and configuration nightmare.

There is already kind of the configuration option to do this: --with-pam

> If you
> think I'm kidding, just *look* at the contents of /etc/pam.d, and the
> necessary changes for requirements such as password length or mixed
> case policy, and their instability when modified by tools such as
> "authconfig" in the Red Hat Linux world. On top of that, modifying
> them locally for desired ssh-keygen policy would require hand-editing
> the /etc/pam.d files.
>
> I wouldn't encourage it for ssh-keygen, which works very reliably as is.

Well, is there another way to warn of weak passwords in ssh-keygen?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev