From: Frank Tobin
Date: Sun, 14 Jan 2001 01:46:08 -0600 (CST)
Subject: Re: opinions on password policies
In-Reply-To: <200101140733.XAA00644@spammie.svbug.com>
Sender: owner-freebsd-security@FreeBSD.ORG

opentrax@email.com, at 23:33 -0800 on Sat, 13 Jan 2001, wrote:

> This is not a good policy. For small infrastructures (5-100 users),
> PKA might be acceptable. However, this is useful only if ALL users
> log in remotely. Even then, PKA, such as used in SSH, has management
> problems.

I'll agree that a lot is dependent on the context of the authentication
(something which was not elaborated on). However, if it is a system
where each user has their own (single-user, closed) workstation, along
with there existing network-wide servers used, a good policy might be to
mandate public-key authentication on the network-wide servers, while not
caring about the security policy each user puts on his own machine. If
there is secure computational power at the hands of the user, then PKA
is definitely a good way to go.

-- 
Frank Tobin http://www.uiuc.edu/~ftobin/