[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: ssh private key password



Am Samstag, den 10.01.2009, 14:36 -0500 schrieb Gregory Maxwell:
> On Fri, Jan 9, 2009 at 10:33 PM, Jerry Amundson <jamundso gmail com> wrote:
> > On 1/9/09, Gregory Maxwell <gmaxwell gmail com> wrote:
> >> A central unspoofable password dialog does make sense for improving
> >> security, Fedora isn't there yet… but CLI apps kicking you to some
> >> external dialog for passwords is a necessary step to that end.
> >
> > And that's been proven by whom?
> 
> …
> 
> Perhaps you didn't understand what I was saying.
> 
> It is considered a reasonable goal by many that there ought to be a
> way for joe-average-user to be confident that when he is entering a
> password it isn't being entered into some spoof/trojan program.
> 
> There are a number of ways to accomplish this, for example: There
> could be a secure system level password entry box that requires a
> magic keypress to activate, and the keypress can't be intercepted by
> anything 'user level'. (The windows NT press ctrl-alt-delete login box
> is an example of this). Or, for example, the entry could be
> accomplished via a secure hardware device (such as a smartcard or
> external keypad) which communicates with a protected system level
> service.  I'm sure you can imagine a few more possibilities.
> 
> Individual apps (be they CLI or GUI) prompting the user for their
> password inline is simply incompatible with that goal. If every little
> application has it's own password prompts and password entry
> facilities the user can't be confident that the one he's talking to is
> the one he wants and isn't just some trojan.
> 
> This isn't to say that the one-password-dialog-to-rule-them-all must
> be obnoxious, focus stealing, etc. ... only that a particular security
> goal which you may or many not share requires the consistency of
> singular password entry point.
> 

Perhpas slightly off-topic - but related - bug:
 https://bugzilla.redhat.com/show_bug.cgi?id=136341

>From five years ago.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]