On Thu, 27 Dec 2001, guy keren wrote:

>
> On Wed, 26 Dec 2001, Shlomi Fish wrote:
>
> > 2. We might wish to enable login as root.
>
> no - we might NOT wish to enable login as root. doing so allows one to
> connect to iglu without leaving any traces of who it was that used 'root',
> which tends to cause problems down the road.
>
> > The reason for it is that
> > passwords delivered over ssh are vulnerable to the keystroke timing
> > sniffing. The reason is that ssh sends each letter one at a time and one
> > can eventually deduce the password from the time in which each letter
> > arrived.
>
> what does that have to do with enabling direct ssh login as root?
>

Picture the following scenario:

I log in as shlomif and then I want to become root. So I type "su", press
Enter and type the root password key by key. Someone sniffs the times at
which the packets arrived, and based on that he eventually deduces what
the password is.

This can be overcome by, for example, pasting the password into the
terminal window using the middle mouse button, but in any case it may
pose a long-term threat.

Regards,

        Shlomi Fish

> --
> guy
>
> "For world domination - press 1,
>  or dial 0, and please hold, for the creator." -- nob o. dy
>



----------------------------------------------------------------------
Shlomi Fish        [EMAIL PROTECTED]
Home Page:         http://t2.technion.ac.il/~shlomif/
Home E-mail:       [EMAIL PROTECTED]

"Let's suppose you have a table with 2^n cups..."
"Wait a second - is n a natural number?"