Hi

On Thu, 15 Mar 2001, Tom Laurie <[EMAIL PROTECTED]> wrote:
> on the network?  I went to the OpenSSH site and read that eavesdropping and
> connection hijacking are problems with ftp but could not find how these
> worked.  My first question is: What are the actual mechanics of hacking into
> a machine through a ftp hole if you don't have physical access to the
> network?

There are also bugs in the ftp servers (esp. wu-ftp). So no sniffing 
need be required: e.g. they connect to the server, send it some strings
specially crafted to cause a buffer overrun and they get in. Was the ftp
server up to date?

As far as I know, sniffing passwords requires physical access to the
network somewhere. Where were the legitimate users logging in from?
Technically a password could be sniffed anywhere along the way...

> My second question is: If a hacker can't sniff the ids and passwords and
> must resort to programs that guess, then why is ssh considered more secure?
> Couldn't the hacker use these same programs to guess an id and password for
> let's say a PuTTY session?

Yes, this is true. If sshd is set up to allow password authentication,
then guessing will work just as well as it does for telnet or ftp.
Sysadmins occasionally forget this: After a telnet/ftpd sniffed
password intrusion the admin turns off telnet and ftp but forgets ssh is
still a way in. And if the intruder has stolen the password file then
he may know 25-50% of the passwords by running crack on it.

Note that sshd can be set up to NOT use passwords (PasswordAuthentication no),
then you can only use RhostsRSAAuthentication or RSAAuthentication.
These two use public/private keys (RSA or DH) to authenticate the
incoming user.  These are safer (IMHO at least) since a ~1024-bit private
key and its corresponding passphrase must be stolen. Arguably RSAAuthentication is
the best. Details are in sshd(1).

Karl
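
The check below is an added example, not part of the original message: it reads an sshd_config and reports whether password logins are still accepted, the situation described above where telnet and ftp are turned off but ssh remains a way in. The two sample configs are constructed, the function names are hypothetical, and only the PasswordAuthentication setting is evaluated.

```python
import re

# sshd accepts password logins unless the config says otherwise.
DEFAULTS = {"passwordauthentication": "yes"}

# Constructed sample configs for this example.
WEAK_CONFIG = """\
# telnet and ftp were turned off, but the line below is only a comment
Port 22
#PasswordAuthentication no
RSAAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
passwordauthentication no
# the next line is ignored: the first value seen for a keyword wins
PasswordAuthentication yes
RSAAuthentication yes
"""


def effective_settings(config_text):
    """Return the global keyword -> value map (keywords lowercased)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # skip blanks and comment lines
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()           # keywords are case-insensitive
        if keyword == "match":
            break                            # later lines are conditional, not global
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # keep the first occurrence only
    return settings


def password_auth_enabled(config_text):
    """True if password logins are accepted, so guessing works as with telnet/ftp."""
    merged = {**DEFAULTS, **effective_settings(config_text)}
    return merged["passwordauthentication"] != "no"


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "-> password auth enabled:", password_auth_enabled(text))
```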


