Date: Mon, 10 Sep 2001 14:22:56 -0700 (PDT)
From: David Kirchner
To: Alex Holst
Subject: Re: allow selective RSA AUTH in sshd setup?
In-Reply-To: <20010910232117.A82808@area51.dk>
Message-ID: <20010910141822.M85958-100000@localhost>
Sender: owner-freebsd-security@FreeBSD.ORG

On Mon, 10 Sep 2001, Alex Holst wrote:

> Using RSA keys gives you two factors of protection. Using passwords gives
> you one factor.
>
> Allow me to introduce you to the concept of a 'security policy.' -- those
> who fail to understand and follow it will be escorted out of the building.
> If management support for this approach does not come through then whatever
> you are trying to protect can't be all that important.

The difficulty in security policy comes with verifying the security policy.
There's no way to know that whoever generated the key set a good password,
or any password at all, unless you watch them create it. At least with
'passwd' you can try to ensure secure passwords, and with sshd you can deny
empty passwords.
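An added example, not part of the original message or thread: sshd only ever sees the public half of a key, so the check discussed above can be made only where the private key file itself is available for audit, and even there it shows whether a passphrase is set, not whether it is a good one. The function names and the sample key blobs below are constructed for illustration and contain no real key material.

```python
import base64

MAGIC = b"openssh-key-v1\0"  # start of the decoded body in OpenSSH's current key format

def parse_pem(text):
    """Split one PEM block into (BEGIN line, header lines, decoded body)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") \
            or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-encoded key")
    inner = [ln for ln in lines[1:-1] if ln]
    headers = [ln for ln in inner if ":" in ln]        # e.g. Proc-Type, DEK-Info
    body = "".join(ln for ln in inner if ":" not in ln)
    return lines[0], headers, base64.b64decode(body)

def key_is_encrypted(text):
    """True if the private key file is passphrase-protected (strength is not checked)."""
    begin, headers, blob = parse_pem(text)
    if "PRIVATE KEY" not in begin:
        raise ValueError("not a private key")
    if "ENCRYPTED PRIVATE KEY" in begin:               # encrypted PKCS#8
        return True
    if any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
        return True                                    # legacy PEM encryption header
    if blob.startswith(MAGIC):                         # ciphername string follows the magic
        off = len(MAGIC)
        n = int.from_bytes(blob[off:off + 4], "big")
        cipher = blob[off + 4:off + 4 + n]
        if len(blob) < off + 4 or len(cipher) != n:
            raise ValueError("truncated key")
        return cipher != b"none"
    return False                                       # plain legacy PEM: no passphrase

def sample_openssh(cipher):
    """Constructed sample: magic + ciphername only, no key material."""
    blob = MAGIC + len(cipher).to_bytes(4, "big") + cipher
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples (placeholder bodies, not real keys)
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nAAAA\n"
              "-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, pem in [("legacy/encrypted", LEGACY_ENC), ("legacy/plain", LEGACY_PLAIN),
                      ("openssh/aes256-ctr", sample_openssh(b"aes256-ctr")),
                      ("openssh/none", sample_openssh(b"none"))]:
        print(f"{name}: {'encrypted' if key_is_encrypted(pem) else 'NO PASSPHRASE'}")
```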