I would look at 2 factor authentication as another option. http://www.securecomputing.com/index.cfm?skey=1277 is one example of this. -----Original Message----- From: Carlos E. R. [mailto:robin1.listas@tiscali.es] Sent: Sunday, March 06, 2005 7:21 PM To: SuSE Security List Subject: RE: [suse-security] Allow MAC addresses through SuSEfirewall2 The Sunday 2005-03-06 at 14:18 -0000, Thomas Knight wrote:

...

There are settings in Yast (profesional version) to force users to have "safer" passwords. I supposse the enterprise version has similar settings.

Also, you could set up ssh to not accept login/password entry, but public key instead.

I'm with you there. What I mean is if I use username/password they'll just save the password somewhere.

You can also force them to change the passwords every two weeks :-P I remember once, while working for a certain important company (US based multinational), we were issued passwords for accessing certain machines (not exactly computers). A "boss" gave us big envelopes. Inside, there was a sealed envelope (secret and confidential) and a booklet explaining how to safely use passwords, how to choose them, how to keep them... etc. We had to sign and return a form as "read and understood". The sealed envelope contained the passwords, of course. I'm unsure now if the person that gave us the envelopes waited nearby till we returned the forms while keeping an eye on us, but I think he did... Sounds too paranoic? :-) Actually, I saw more "paranoic" measures from them a few years later on.

If they use PPK they'll "forget" to specify a passphrase for their private key, which is out of my control.

Yes, that's a thing I noticed recently. The sshd server can not force the client to use a long passphrase, I understand.

Hey, I'll log all access and they'll have limited privs. We do what we can!

Yap :-)

Ta for the thoughts,

Welcome. -- Cheers, Carlos Robinson -- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here