<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body ><div>Check out FreeIPA, it can do centralized key management for Linux/Unix. Supported versiĆ³n comes with any Red Hat Enterprise Linus subscription. </div><div><br></div><div><br></div><div><div style="font-size:8px;color:#575757">Sent from my Verizon Wireless 4G LTE smartphone</div></div><br><br><div>-------- Original message --------</div><div>From: Brian Miller <bnmille@gmail.com> </div><div>Date:05/24/2014 12:19 PM (GMT-05:00) </div><div>To: colug-432@colug.net </div><div>Subject: Re: [colug-432] password survey </div><div><br></div>On 05/22/2014 06:52 PM, Scott McCarty wrote:<br>> For keys there are definitely guidelines. Here is an old article I wrote, but still very important data:<br>><br>> http://crunchtools.com/ssh-keychain/<br>><br>> See sections: Key Length & RSA vs. DSA<br>><br>> Best Regards<br>> Scott M<br>><br><br>So, my original post wasn't asking for policy guidance. I was looking <br>for examples of what people actually do. As part of a consolidation <br>effort, we are likely to have over 1000 UNIX/Linux servers under a <br>single management group. The proposed security standard wants us to <br>have 8+ characters, and to change them every 90 days. My initial <br>thought was that if I'm on the management team, they had better give me <br>at least one day every 3 months just to manage MY passwords, since there <br>is no initial plan to have centralized authentication with LDAP. And <br>have they planned enough manpower to handle user password change/reset <br>requests (estimating an average of 6 non-admin user accounts per <br>server)? I'm trying to argue that if we combine SSHD with tcpwrappers <br>(we are looking at a total of maybe 12 Class-C/B subnets from which <br>users would need to connect, and most servers would only need 3 or 4 of <br>them) that would effectively give us 2 factor authentication, so we <br>shouldn't have a need to change passwords at all.<br><br>But thanks for the links.<br><br><br>_______________________________________________<br>colug-432 mailing list<br>colug-432@colug.net<br>http://lists.colug.net/mailman/listinfo/colug-432<br></body>