On Thu, 27 Dec 2001, Shachar Shemesh wrote:
> Ok, a few remarks, if I may.
>
> First - we now have three versions of ssh installed. /usr/bin has
> openssh version 2.1.1. This is also the version that is being run if you
> just type "ssh".
>
I can install the recent version of SSH under /usr too, if that is what is
being called for.
> /usr/local/bin/ssh is OpenSSH version 3.0.2p1, which is also the version
> that is listening on port 22. /usr/local/bin/ssh2, however, is the
> commercial ssh, version 2.2.0 (old).
>
Besides them, there is OpenSSH version 3.0.2p1 installed under my
home-directory.
> Also, if I may make a suggestion, next time anyone upgrades ssh, please
> try to keep the server key. Man in the middle attacks are easier to
> deflect this way.
>
Will copying the files:
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_key
ssh_host_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
to the appropriate place (/usr/local/etc, /usr/etc, etc.) be enough to do
that?
> Shlomi Fish wrote:
>
> >On Thu, 27 Dec 2001, guy keren wrote:
> >
> >>On Wed, 26 Dec 2001, Shlomi Fish wrote:
> >>
> >>>2. We might wish to enable login as root.
> >>>
> >>no - we might NOT wish to enable login as root. doing so allows one to
> >>connect to iglu without leaving any traces of who it was that used 'root',
> >>which tends to cause problems down the road.
> >>
> >>>The reason for it is that
> >>>passwords delivered over ssh are vulnerable to the keystroke timing
> >>>sniffing. The reason is that ssh sends each letter one at a time and one
> >>>can eventually deduce the password from the time in which each letter
> >>>arrived.
> >>>
> >>what does that have to do with enabling direct ssh login as root?
> >>
> >
> >Picture the following scenario:
> >
> >I login as shlomif and then I want to become root. So I type "su" press
> >Enter and type the root password key by key. Someone sniffs the times in
> >which the packets arrived, and based on that he eventually deduces what
> >the password is.
> >
> >This can be overcome by, for example, pasting the password into the
> >terminal window using the middle mouse button, but in any case it may
> >pose a long-term threat.
> >
> >Regards,
> >
> > Shlomi Fish
> >
> Personally, I believe the advantage of being able to track who logged in
> as root far outweighs the disadvantage of a potential attack of this
> kind. This is true especially with the password being what it is today.
>
I fixed it now - ssh to [EMAIL PROTECTED] is being rejected.
> There is another point to consider, however, which is the point of
> emergency recovery. Having an accessible root login available is an
> important thing in case the machine is locked out.
>
Is it possible that it would be possible to login straight as root, but
not login as a user and then su into root?
Regards,
Shlomi Fish
> Shachar
----------------------------------------------------------------------
Shlomi Fish [EMAIL PROTECTED]
Home Page: http://t2.technion.ac.il/~shlomif/
Home E-mail: [EMAIL PROTECTED]
"Let's suppose you have a table with 2^n cups..."
"Wait a second - is n a natural number?"
----------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED]
Archives available at http://www.mail-archive.com/[email protected]/
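An added example, not from this thread or from OpenSSH: a small Python script that checks whether the ssh_host_*_key.pub files copied into the new configuration directory carry the same SHA256 fingerprints as the ones in the old directory, which is the check worth running after the copy discussed above so that clients do not start seeing a changed host key. The directory names and the key material are constructed assumptions (the key blobs only have the right wire shape, they are not real keys); the fingerprint is computed the way ssh-keygen -l -E sha256 does it, as base64 of the SHA-256 of the decoded key blob.

```python
"""Compare SSH host key fingerprints between an old and a new config directory.

Added example for this thread, not code from the list or from OpenSSH.
Assumptions: the two directories are given explicitly (e.g. /usr/etc and
/usr/local/etc), public keys follow the "ssh_host_<type>_key.pub" naming,
and the sample keys below are constructed in-line so the script runs offline.
"""
import base64
import hashlib
import os
import struct
import tempfile


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(key_type: str, raw_key: bytes, comment: str = "") -> str:
    """Build an OpenSSH public key line: '<type> <base64 blob> [comment]'.

    The blob body is a constructed placeholder (not real key material); only the
    leading type string is shaped like a real key, which is all fingerprint() checks.
    """
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}".rstrip()


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l -E sha256 prints (no '=' padding)."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    # The first wire string inside the blob must repeat the key type field.
    declared_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + declared_len].decode() != key_type:
        raise ValueError("key type field does not match blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def compare_host_keys(old_dir: str, new_dir: str) -> dict:
    """Map each old ssh_host_*_key.pub to 'same', 'changed' or 'missing' in new_dir."""
    result = {}
    for name in sorted(os.listdir(old_dir)):
        if not (name.startswith("ssh_host_") and name.endswith("_key.pub")):
            continue
        with open(os.path.join(old_dir, name)) as f:
            old_fp = fingerprint(f.read())
        new_path = os.path.join(new_dir, name)
        if not os.path.exists(new_path):
            result[name] = "missing"
            continue
        with open(new_path) as f:
            new_fp = fingerprint(f.read())
        result[name] = "same" if old_fp == new_fp else "changed"
    return result


def _write(directory: str, name: str, line: str) -> None:
    with open(os.path.join(directory, name), "w") as f:
        f.write(line + "\n")


def demo() -> dict:
    """Constructed scenario: rsa key copied over, dsa key regenerated, ecdsa key not copied."""
    old_rsa = build_pubkey_line("ssh-rsa", b"\x01" * 64, "old rsa key (constructed)")
    old_dsa = build_pubkey_line("ssh-dss", b"\x02" * 64, "old dsa key (constructed)")
    old_ecdsa = build_pubkey_line("ecdsa-sha2-nistp256", b"\x03" * 64, "old ecdsa key (constructed)")
    regenerated_dsa = build_pubkey_line("ssh-dss", b"\x04" * 64, "key the upgrade regenerated (constructed)")
    with tempfile.TemporaryDirectory() as old_dir, tempfile.TemporaryDirectory() as new_dir:
        _write(old_dir, "ssh_host_rsa_key.pub", old_rsa)
        _write(old_dir, "ssh_host_dsa_key.pub", old_dsa)
        _write(old_dir, "ssh_host_ecdsa_key.pub", old_ecdsa)
        _write(new_dir, "ssh_host_rsa_key.pub", old_rsa)          # copied: same fingerprint
        _write(new_dir, "ssh_host_dsa_key.pub", regenerated_dsa)  # not copied: new fingerprint
        return compare_host_keys(old_dir, new_dir)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Any key reported as "changed" or "missing" is one whose fingerprint clients have cached in known_hosts and will now reject, so the private/public pair for it still has to be copied (and sshd restarted) before users see a host key warning.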