Ok, a few remarks, if I may.

First - we now have three versions of ssh installed. /usr/bin has 
openssh version 2.1.1. This is also the version that is being run if you 
just type "ssh".

/usr/local/bin/ssh is OpenSSH version 3.0.2p1, which is also the version 
that is listening on port 22. /usr/local/bin/ssh2, however, is the 
commercial ssh, version 2.2.0 (old).

Also, if I may make a suggestion, next time anyone upgrades ssh, please 
try to keep the server key. Man in the middle attacks are easier to 
deflect this way.

Shlomi Fish wrote:

>On Thu, 27 Dec 2001, guy keren wrote:
>
>>On Wed, 26 Dec 2001, Shlomi Fish wrote:
>>
>>>2. We might wish to enable login as root.
>>>
>>no - we might NOT wish to enable login as root. doing so allows one to
>>connect to iglu without leaving any traces of who it was that used 'root',
>>which tends to cause problems down the road.
>>
>>>The reason for it is that
>>>passwords delivered over ssh are vulnerable to the keystroke timing
>>>sniffing. The reason is that ssh sends each letter one at a time and one
>>>can eventually deduce the password from the time in which each letter
>>>arrived.
>>>
>>what does that have to do with enabling direct ssh login as root?
>>
>
>Picture the following scenario:
>
>I login as shlomif and then I want to become root. So I type "su" press
>Enter and type the root password key by key. Someone sniffs the times in
>which the packets arrived, and based on that he eventually deduces what
>the password is.
>
>This can be overcome by, for example, pasting the password into the
>terminal window using the middle mouse button, but in any case it may
>pose a long-term threat.
>
>Regards,
>
>       Shlomi Fish
>
Personally, I believe the advantage of being able to track who logged in 
as root far outweighs the disadvantage of a potential attack of this 
kind. This is true especially with the password being what it is today.

There is another point to consider, however, which is the point of 
emergency recovery. Having an accessible root login available is an 
important thing in case the machine is locked out.

                    Shachar
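The accountability argument in this thread (a su to root leaves a named user in the logs, a direct ssh login as root does not) can be checked against the auth log. The script below is an added example, not code from the thread or from OpenSSH; the log lines are constructed samples in the usual syslog format written by sshd and su, and the host name and addresses are made up.

```python
import re

# Constructed sample auth log lines (not taken from the thread).
SAMPLE_LOG = """\
Dec 27 10:01:02 iglu sshd[1201]: Accepted password for shlomif from 192.0.2.10 port 40112 ssh2
Dec 27 10:01:40 iglu su: (to root) shlomif on pts/1
Dec 27 11:15:09 iglu sshd[1340]: Accepted publickey for guy from 192.0.2.11 port 40200 ssh2
Dec 27 11:16:00 iglu su: (to root) guy on pts/2
Dec 27 12:30:31 iglu sshd[1502]: Accepted password for root from 198.51.100.7 port 40300 ssh2
"""

# sshd logs the authentication method, the account, and the source address.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)"
)
# su logs the calling user and the tty when someone becomes root.
SU_RE = re.compile(r"su: \(to root\) (?P<user>\S+) on (?P<tty>\S+)")


def audit_root_access(log_text):
    """Split root sessions into two lists.

    traceable:   (user, tty) for every su to root; a named account is on record.
    untraceable: (source, method) for every direct sshd login as root; only a
                 source address is recorded, not which person used the account.
    """
    traceable, untraceable = [], []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            if m.group("user") == "root":
                untraceable.append((m.group("src"), m.group("method")))
            continue
        m = SU_RE.search(line)
        if m:
            traceable.append((m.group("user"), m.group("tty")))
    return traceable, untraceable


if __name__ == "__main__":
    named, anonymous = audit_root_access(SAMPLE_LOG)
    for user, tty in named:
        print("root via su by %s on %s" % (user, tty))
    for src, method in anonymous:
        print("direct root login (%s) from %s: no user attributable" % (method, src))
```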



Archives available at http://www.mail-archive.com/[email protected]/
