undefined | Better HN

0 pointsoofbey4y ago0 comments

I would take password-protected keyfiles - I would love it in fact. But AFAIK there's no way for the server to know if the keyfile was password protected or not. Is there? It seems like it wouldn't be reliable - you kinda have to trust the client to tell you the truth about whether or not it decrypted the keyfile before using it.

0 comments

3 comments · 1 top-level

R0b0t14y ago· 2 in thread

Why does that matter? There's no way to ensure your employees aren't writing down their passwords. If you don't trust someone to follow procedure then don't employ them.

oofbeyOP4y ago

Security always exists in layers. Policy is a layer - e.g. asking people to do something. Another layer is to have a system to remind/enforce that policy. Writing down passwords is (generally) an obviously stupid thing to do, perhaps worthy of termination. But forgetting to put a passphrase on one SSH key when you regularly use a dozen of them for different purposes - this is absolutely not an offense worthy of termination.

R0b0t14y ago

If that's what you need it's possible to generate and issue keys from a centralized host just like with TLS. You can even set up login with SSH/TLS certs, which can be password protected.

j / k navigate · click thread line to collapse