<br><br><div class="gmail_quote">On Thu, Dec 23, 2010 at 3:29 PM, Michael H. Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
<br>
I know I'm doing my IPv6 talk next month for ALE. Maybe I need to<br>
schedule my talk on "Securing the Secure Shell" some time in the next<br>
few months as well. I gave that talk in front of AUUG a while back but<br>
I don't think I've delivered it at ALE before.<br>
<br clear="all"></blockquote></div>I am all for hearing it! Aaron please contact MHW ASAP before he changes his mind! :-)<br><br>At work, I'm prepping an ssh-key repository to ensure that all keys use a good password. The repository will generate the ssh keys for the users and archive the original, no password key in a vault (literal, steel vault with key as text on paper with a barcode for fast input, placed there buy someone with a firearms license at the federal level), then the user must enter a password to encrypt the key. That encrypted key is then copied to their thumb drive and the original unencrypted is hashed, wiped and the hash stored. Their pub key is placed in the ldap server.The sshd is a modified one that locates ssh pub keys from ldap. It is also configured to never allow a password entry. <br>
<br>The complicated (and unwritten) stage is to devise a method that checks the connecting users priv key for being still password locked once they log in. If it's NOT locked, they are kicked out and the pub key is removed from ldap. Not sure yet on how to do this.<br>
-- <br>-- <br>James P. Kinney III<br>I would rather stumble along in freedom than walk effortlessly in chains.<br><br><br>