ssh passphrases and sarbanes oxley (SOX) - SSH



Thread: ssh passphrases and sarbanes oxley (SOX)

  1. ssh passphrases and sarbanes oxley (SOX)

    Hi, group!
    This question has been addressed to me by a client and I couldn't find
    a solution on the web yet:

    As Sarbanes Oxley requires policies like password to be enforced, how
    is this handled in ssh/openssh?
    Is there an option to apply aging to a key passphrase?
    Would it make sense?

    Sorry to be so unspecific!
    Regards, Markus


  2. Re: ssh passphrases and sarbanes oxley (SOX)


    docmarkus@directbox.com wrote:

    > Hi, group!
    > This question has been addressed to me by a client and I couldn't find
    > a solution on the web yet:
    >
    > As Sarbanes Oxley requires policies like password to be enforced, how

    sorry gang - meant to write "password aging" ...

    > is this handled in ssh/openssh?
    > Is there an option to apply aging to a key passphrase?
    > Would it make sense?
    >
    > Sorry to be so unspecific!
    > Regards, Markus



  3. Re: ssh passphrases and sarbanes oxley (SOX)

    docmarkus@directbox.com wrote:
    > Hi, group!
    > This question has been addressed to me by a client and I couldn't find
    > a solution on the web yet:
    >
    > As Sarbanes Oxley requires policies like password to be enforced, how
    > is this handled in ssh/openssh?
    > Is there an option to apply aging to a key passphrase?
    > Would it make sense?
    >
    > Sorry to be so unspecific!
    > Regards, Markus
    >


    IMHO key passphrase aging doesn't gain you anything. If someone gets a
    copy of your private key, they have it encrypted with whatever
    passphrase it was encrypted with at that time, and they then have all
    the time in the world to try to crack it. Remember it's not the
    passphrase that authenticates you to the server, it's the key that does
    that. You could change your passphrase 100 times, but if they finally
    crack that passphrase on that old copy of the key, it's as good as the
    one you're using. If you are going to age anything it should probably be
    the key pair.

    Having said that I have to admit that I change my passphrase regularly
    (but not the keypair). The only reason I change it though is to keep it
    in sync with my network password which is required to change every 90 days.

    I'd like to hear what the rest of this group has to say on the matter.

  4. Re: ssh passphrases and sarbanes oxley (SOX)

    Chuck!
    Thanks for the quick response!
    Actually I was aware of that - I guess I'm rather looking for an answer
    to fend off questions by people centered on their "all passwords have to
    be subject to an aging process" approach - people focused on processes
    don't always like to take reason into account (not trying to kick off a
    flame war here ...)
    I guess the correct approach would be to require key pairs to be
    recreated regularly - but that would just about do away with most of
    the ease-of-use points I use to advocate ssh/openssh.
    Regards, Markus



    Chuck wrote:

    > docmarkus@directbox.com wrote:
    > > Hi, group!
    > > This question has been addressed to me by a client and I couldn't find
    > > a solution on the web yet:
    > >
    > > As Sarbanes Oxley requires policies like password to be enforced, how
    > > is this handled in ssh/openssh?
    > > Is there an option to apply aging to a key passphrase?
    > > Would it make sense?
    > >
    > > Sorry to be so unspecific!
    > > Regards, Markus
    > >

    >
    > IMHO key passphrase aging doesn't gain you anything. If someone gets a
    > copy of your private key, they have it encrypted with whatever
    > passphrase it was encrypted with at that time, and they then have all
    > the time in the world to try to crack it. Remember it's not the
    > passphrase that authenticates you to the server, it's the key that does
    > that. You could change your passphrase 100 times, but if they finally
    > crack that passphrase on that old copy of the key, it's as good as the
    > one you're using. If you are going to age anything it should probably be
    > the key pair.
    >
    > Having said that I have to admit that I change my passphrase regularly
    > (but not the keypair). The only reason I change it though is to keep it
    > in sync with my network password which is required to change every 90 days.
    >
    > I'd like to hear what the rest of this group has to say on the matter.


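    Markus's conclusion above, that the correct approach is to recreate key
    pairs regularly, raises the practical question of how to enforce it on
    the server. The following script is an added example and is not part of
    the original thread or anything the posters proposed. It audits an
    authorized_keys file against an "every key has an expiry" policy. It
    assumes an sshd recent enough to honour the expiry-time= authorized_keys
    option documented in sshd(8); the sample entries, the placeholder key
    blobs, the fixed AUDIT_NOW clock and all function names are constructed
    for the example. Un-suffixed expiry times are treated as UTC here for
    reproducibility, whereas sshd itself interprets them in the system time
    zone.

```python
"""Audit an OpenSSH authorized_keys file for key-pair aging (added example).

Assumes sshd honours expiry-time="YYYYMMDD[Z]" / "YYYYMMDDHHMM[SS][Z]"
(sshd(8), recent OpenSSH). Entries without expiry-time are non-compliant.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

# Fixed clock for a reproducible run; a real audit uses datetime.now(timezone.utc).
AUDIT_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample file; the key blobs are placeholders, not real public keys.
SAMPLE = """\
# constructed sample, not from a real host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZha2Uga2V5IGJsb2Igb25seQ== alice@laptop
expiry-time="20260331Z",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZha2Uga2V5IGJsb2Igb25seQ== bob@desk rotated 2025-03
expiry-time="20240101",command="/usr/local/bin/backup ssh-rsa,ok" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfake/blob== backup@old
"""


@dataclass
class Entry:
    line_no: int
    key_type: str
    comment: str
    expiry: datetime | None
    status: str  # "ok", "expired", "no-expiry" or "unparseable"


def _scan_options(s: str) -> str:
    """Leading options field: up to the first whitespace outside double quotes."""
    in_quote, i = False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and in_quote and i + 1 < len(s):
            i += 2  # escaped character inside a quoted value
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return s[:i]


def parse_options(options: str) -> dict[str, str | None]:
    """Comma-split an option list, honouring quotes; flags such as 'restrict' map to None."""
    tokens, cur, in_quote, i = [], [], False, 0
    while i < len(options):
        c = options[i]
        if c == "\\" and in_quote and i + 1 < len(options):
            cur.append(options[i + 1]); i += 2
            continue
        if c == '"':
            in_quote = not in_quote          # quotes delimit, they are not part of the value
        elif c == "," and not in_quote:
            tokens.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        tokens.append("".join(cur))
    out: dict[str, str | None] = {}
    for tok in tokens:
        name, sep, value = tok.partition("=")
        out[name.strip().lower()] = value if sep else None   # option names are case-insensitive
    return out


def parse_expiry(value: str) -> datetime:
    """Parse sshd's expiry-time formats: YYYYMMDD, YYYYMMDDHHMM, YYYYMMDDHHMMSS, optional Z."""
    digits = value[:-1] if value.endswith("Z") else value
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}.get(len(digits))
    if fmt is None or not digits.isdigit():
        raise ValueError(f"bad expiry-time {value!r}")
    return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)


def audit(text: str, now: datetime) -> list[Entry]:
    """Classify every key entry in an authorized_keys file against 'now'."""
    results = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        options = "" if first in KEY_TYPES else _scan_options(line)
        parts = line[len(options):].split(None, 2)   # keytype, blob, [comment]
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            results.append(Entry(n, "?", "", None, "unparseable")); continue
        key_type, comment = parts[0], (parts[2] if len(parts) > 2 else "")
        opts = parse_options(options)
        if "expiry-time" not in opts:
            results.append(Entry(n, key_type, comment, None, "no-expiry")); continue
        try:
            expiry = parse_expiry(opts["expiry-time"] or "")
        except ValueError:
            results.append(Entry(n, key_type, comment, None, "unparseable")); continue
        results.append(Entry(n, key_type, comment, expiry, "expired" if expiry <= now else "ok"))
    return results


def run_sample() -> list[Entry]:
    return audit(SAMPLE, AUDIT_NOW)


if __name__ == "__main__":
    for e in run_sample():
        print(f"line {e.line_no}: {e.status:11s} {e.key_type:12s} {e.comment}")
```

    With an expiry-time present, sshd itself refuses the key once the date
    passes, so the entry does the enforcing and the audit only surfaces
    keys that lack one or have lapsed. Changing the passphrase on an
    existing key is `ssh-keygen -p -f <keyfile>`, which, as Chuck notes,
    does nothing for copies already taken. SSH certificates signed with a
    validity interval (`ssh-keygen -s <ca> -V <interval> ...`) reach the
    same goal without editing authorized_keys on every host.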

  5. Re: ssh passphrases and sarbanes oxley (SOX)

    Maybe I haven't had my coffee this morning BUT,
    if you change the keys, then old documents encoded under KEY1 will not
    be decodable under the new KEY2. Your public key needs to remain FIXED.

    Chuck wrote:
    > docmarkus@directbox.com wrote:
    >> Hi, group!
    >> This question has been addressed to me by a client and I couldn't find
    >> a solution on the web yet:
    >>
    >> As Sarbanes Oxley requires policies like password to be enforced, how
    >> is this handled in ssh/openssh?
    >> Is there an option to apply aging to a key passphrase?
    >> Would it make sense?
    >>
    >> Sorry to be so unspecific!
    >> Regards, Markus
    >>

    >
    > IMHO key passphrase aging doesn't gain you anything. If someone gets a
    > copy of your private key, they have it encrypted with whatever
    > passphrase it was encrypted with at that time, and they then have all
    > the time in the world to try to crack it. Remember it's not the
    > passphrase that authenticates you to the server, it's the key that does
    > that. You could change your passphrase 100 times, but if they finally
    > crack that passphrase on that old copy of the key, it's as good as the
    > one you're using. If you are going to age anything it should probably be
    > the key pair.
    >
    > Having said that I have to admit that I change my passphrase regularly
    > (but not the keypair). The only reason I change it though is to keep it
    > in sync with my network password which is required to change every 90 days.
    >
    > I'd like to hear what the rest of this group has to say on the matter.



    --
    try a random act of kindness today -- you just might surprise even
    yourself

  6. Re: ssh passphrases and sarbanes oxley (SOX)

    Jeff B wrote:
    > Maybe I haven't had my coffee this morning BUT,
    > if you change the keys, then old documents encoded under KEY1 will not
    > be decodable under the new KEY2. Your public key needs to remain FIXED.


    Get your coffee. SSH keys are used to authenticate users to a server.
    PGP and GnuPG keys are used to encrypt documents. They are similar but
    not the same.

  7. Re: ssh passphrases and sarbanes oxley (SOX)

    Chuck wrote:
    > Jeff B wrote:
    >> Maybe I haven't had my coffee this morning BUT,
    >> if you change the keys, then old documents encoded under KEY1 will not
    >> be decodable under the new KEY2. Your public key needs to remain FIXED.

    >
    > Get your coffee. SSH keys are used to authenticate users to a server.
    > PGP and GnuPG keys are used to encrypt documents. They are similar but
    > not the same.


    humiliating
    but of course!

    --
    try a random act of kindness today -- you just might surprise even
    yourself

  8. Re: ssh passphrases and sarbanes oxley (SOX)

    Jeff B wrote:
    > Chuck wrote:
    >> Jeff B wrote:
    >>> Maybe I haven't had my coffee this morning BUT,
    >>> if you change the keys, then old documents encoded under KEY1 will not
    >>> be decodable under the new KEY2. Your public key needs to remain
    >>> FIXED.

    >>
    >> Get your coffee. SSH keys are used to authenticate users to a server.
    >> PGP and GnuPG keys are used to encrypt documents. They are similar but
    >> not the same.

    >
    > humiliating
    > but of course!
    >


    Sorry. Didn't mean to humiliate. There's been plenty of times where I've
    made similar mistakes.

    I have heard rumors of a product that uses the same keys for both
    purposes. It was probably on this NG, but I can't remember the name.
