If it's alright with everyone, I would like to try and go over the 
install. We need to remove the RPMs for openssh and openssl (as Shlomi 
has compiled them separately).

I would also ask whether there is anyone here who absolutely must use 
SSH version 1. I can point you to a free (both beer and speech) SSH2 
client for Windows (PuTTY), and we all know of one for Unix. If it is 
alright with everyone, I would rather disable version 1 protocol support 
altogether.

                Shachar

Shlomi Fish wrote:

>On Thu, 27 Dec 2001, Shachar Shemesh wrote:
>
>>Ok, a few remarks, if I may.
>>
>>First - we now have three versions of ssh installed. /usr/bin has
>>openssh version 2.1.1. This is also the version that is being run if you
>>just type "ssh".
>>
>
>I can install the recent version of SSH under /usr too, if that is what is
>being called for.
>
>>/usr/local/bin/ssh is OpenSSH version 3.0.2p1, which is also the version
>>that is listening on port 22. /usr/local/bin/ssh2, however, is the
>>commercial ssh, version 2.2.0 (old).
>>
>
>Besides them, there is OpenSSH version 3.0.2p1 installed under my
>home-directory.
>
>>Also, if I may make a suggestion, next time anyone upgrades ssh, please
>>try to keep the server key. Man-in-the-middle attacks are easier to
>>deflect this way.
>>
>
>Will copying the files:
>
>ssh_host_dsa_key
>ssh_host_dsa_key.pub
>ssh_host_key
>ssh_host_key.pub
>ssh_host_rsa_key
>ssh_host_rsa_key.pub
>
>To the appropriate place (/usr/local/etc, /usr/etc, etc.) be enough to do
>that?
>
>>Shlomi Fish wrote:
>>
>>>On Thu, 27 Dec 2001, guy keren wrote:
>>>
>>>>On Wed, 26 Dec 2001, Shlomi Fish wrote:
>>>>
>>>>>2. We might wish to enable login as root.
>>>>>
>>>>no - we might NOT wish to enable login as root. doing so allows one to
>>>>connect to iglu without leaving any traces of who it was that used 'root',
>>>>which tends to cause problems down the road.
>>>>
>>>>>The reason for it is that
>>>>>passwords delivered over ssh are vulnerable to the keystroke timing
>>>>>sniffing. The reason is that ssh sends each letter one at a time and one
>>>>>can eventually deduce the password from the time in which each letter
>>>>>arrived.
>>>>>
>>>>what does that have to do with enabling direct ssh login as root?
>>>>
>>>Picture the following scenario:
>>>
>>>I login as shlomif and then I want to become root. So I type "su" press
>>>Enter and type the root password key by key. Someone sniffs the times in
>>>which the packets arrived, and based on that he eventually deduces what
>>>the password is.
>>>
>>>This can be overcome by, for example, pasting the password into the
>>>terminal window using the middle mouse button, but in any case it may
>>>pose a long-term threat.
>>>
>>>Regards,
>>>
>>>     Shlomi Fish
>>>
>>Personally, I believe the advantage of being able to track who logged in
>>as root far outweighs the disadvantage of a potential attack of this
>>kind. This is true especially with the password being what it is today.
>>
>
>I fixed it now - ssh to [EMAIL PROTECTED] is being rejected.
>
>>There is another point to consider, however, which is the point of
>>emergency recovery. Having an accessible root login available is an
>>important thing in case the machine is locked out.
>>
>
>Would it be possible to login straight as root, but not to login as a
>user and then su into root?
>
>Regards,
>
>       Shlomi Fish
>
>>                    Shachar
>>
>>
>>
>>----------------------------------------------------------------------------
>>To unsubscribe, send a message to [EMAIL PROTECTED]
>>Archives available at http://www.mail-archive.com/[email protected]/
>>
>
>
>
>----------------------------------------------------------------------
>Shlomi Fish        [EMAIL PROTECTED]
>Home Page:         http://t2.technion.ac.il/~shlomif/
>Home E-mail:       [EMAIL PROTECTED]
>
>"Let's suppose you have a table with 2^n cups..."
>"Wait a second - is n a natural number?"
>
>
>



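The three practical points of the thread (carry the host keys across an upgrade so clients keep detecting a changed key, turn off SSH protocol 1, and keep direct root login closed so root use stays attributable) can be checked with a small shell script. What follows is an added example and not code from the list or from OpenSSH. The directory names and the sample sshd_config lines are constructed for illustration; the lookup assumes sshd's rule that the first occurrence of a keyword in sshd_config is the one that takes effect, and the defaults it warns about (Protocol 2,1 and PermitRootLogin yes) are those of the OpenSSH 3.0.x releases discussed above.

```shell
#!/bin/sh
# Added example for the thread above; not code from the list or from OpenSSH.
# preserve_host_keys: copy the host key files named in the thread from the
#   old install's etc dir to the new one, keeping the usual permissions.
# audit_sshd_config: flag SSH1 support and direct root login in an sshd_config.
# Directory names and sample config lines are assumptions for illustration.

# Copy ssh_host_key, ssh_host_dsa_key, ssh_host_rsa_key (+ .pub) from OLD to NEW.
# Private keys end up 0600, public keys 0644. Fails if nothing was copied.
preserve_host_keys() {
    old="$1"; new="$2"; copied=0
    mkdir -p "$new"
    for k in ssh_host_key ssh_host_dsa_key ssh_host_rsa_key; do
        [ -f "$old/$k" ] || continue
        cp "$old/$k" "$new/$k" && chmod 600 "$new/$k"
        if [ -f "$old/$k.pub" ]; then
            cp "$old/$k.pub" "$new/$k.pub" && chmod 644 "$new/$k.pub"
        fi
        copied=$((copied + 1))
    done
    [ "$copied" -gt 0 ]
}

# Effective value of a keyword in an sshd_config file: sshd uses the first
# non-comment occurrence, so print the first match and stop. Keywords are
# matched case-insensitively, as sshd does.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one line per weak setting; return 0 if clean, 1 if anything was flagged.
audit_sshd_config() {
    cfg="$1"; bad=0
    proto=$(sshd_setting "$cfg" Protocol)
    root=$(sshd_setting "$cfg" PermitRootLogin)
    case "$proto" in
        2)  ;;
        "") echo "Protocol unset: the 3.0.x default is 2,1, so SSH1 is still accepted"; bad=1 ;;
        *)  echo "Protocol $proto: SSH1 still accepted"; bad=1 ;;
    esac
    case "$root" in
        no) ;;
        "") echo "PermitRootLogin unset: default is yes, root can log in directly"; bad=1 ;;
        *)  echo "PermitRootLogin $root: root can log in directly, no record of who it was"; bad=1 ;;
    esac
    return "$bad"
}

# Demo on a constructed config that mirrors the weak defaults of the time.
demo=$(mktemp)
printf 'Protocol 2,1\nPermitRootLogin yes\n' > "$demo"
audit_sshd_config "$demo" || echo "(fix: Protocol 2 and PermitRootLogin no, then restart sshd)"
rm -f "$demo"
```

Run `preserve_host_keys /etc/ssh /usr/local/etc` (or whichever pair of directories the old and new builds use) before starting the new sshd, and `audit_sshd_config /usr/local/etc/sshd_config` afterwards; with `Protocol 2` and `PermitRootLogin no` in place the audit prints nothing and exits 0.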