On Thu, 27 Dec 2001, Shachar Shemesh wrote:
> If it's alright with everyone, I would like to try and go over the
> install. We need to remove the RPMs for openssh and openssl (as Shlomi
> has compiled them separately).
>
> I would also ask whether there is anyone here who absolutely must use
> SSH version 1. I can point you to a free (both beer and speech) SSH2
> client for Windows (putty), and we all know of one for Unix. If it is
> alright with everyone, I would rather disable version 1 protocol support
> altogether.
>
The problem is that some servers don't carry OpenSSH, only a commercial
ssh 1 or ssh 2 implementation. At least that is the case in the Technion.
But since I don't work on these servers directly, but rather access them
from a Windows or Linux machine, I can live with this fact. So I am
neutral.
Regards,
Shlomi Fish
> Shachar
>
> Shlomi Fish wrote:
>
> >On Thu, 27 Dec 2001, Shachar Shemesh wrote:
> >
> >>Ok, a few remarks, if I may.
> >>
> >>First - we now have three versions of ssh installed. /usr/bin has
> >>openssh version 2.1.1. This is also the version that is being run if you
> >>just type "ssh".
> >>
> >
> >I can install the recent version of SSH under /usr too, if that is what
> >is being called for.
> >
> >>/usr/local/bin/ssh is OpenSSH version 3.0.2p1, which is also the version
> >>that is listening on port 22. /usr/local/bin/ssh2, however, is the
> >>commercial ssh, version 2.2.0 (old).
> >>
> >
> >Besides them, there is OpenSSH version 3.0.2p1 installed under my
> >home-directory.
> >
> >>Also, if I may make a suggestion, next time anyone upgrades ssh, please
> >>try to keep the server key. Man in the middle attacks are easier to
> >>deflect this way.
> >>
> >
> >Will copying the files:
> >
> >ssh_host_dsa_key
> >ssh_host_dsa_key.pub
> >ssh_host_key
> >ssh_host_key.pub
> >ssh_host_rsa_key
> >ssh_host_rsa_key.pub
> >
> >To the appropriate place (/usr/local/etc, /usr/etc, etc.) be enough to do
> >that?
> >
> >>Shlomi Fish wrote:
> >>
> >>>On Thu, 27 Dec 2001, guy keren wrote:
> >>>
> >>>>On Wed, 26 Dec 2001, Shlomi Fish wrote:
> >>>>
> >>>>>2. We might wish to enable login as root.
> >>>>>
> >>>>no - we might NOT wish to enable login as root. doing so allows one to
> >>>>connect to iglu without leaving any traces of who it was that used 'root',
> >>>>which tends to cause problems down the road.
> >>>>
> >>>>>The reason for it is that
> >>>>>passwords delivered over ssh are vulnerable to the keystroke timing
> >>>>>sniffing. The reason is that ssh sends each letter one at a time and one
> >>>>>can eventually deduce the password from the time in which each letter
> >>>>>arrived.
> >>>>>
> >>>>what does that have to do with enabling direct ssh login as root?
> >>>>
> >>>Picture the following scenario:
> >>>
> >>>I login as shlomif and then I want to become root. So I type "su" press
> >>>Enter and type the root password key by key. Someone sniffs the times in
> >>>which the packets arrived, and based on that he eventually deduces what
> >>>the password is.
> >>>
> >>>This can be overcome by, for example, pasting the password into the
> >>>terminal window using the middle mouse button, but in any case it may
> >>>pose a long-term threat.
> >>>
> >>>Regards,
> >>>
> >>> Shlomi Fish
> >>>
> >>Personally, I believe the advantage of being able to track who logged in
> >>as root far outweighs the disadvantage of a potential attack of this
> >>kind. This is true especially with the password being what it is today.
> >>
> >
> >I fixed it now - ssh to [EMAIL PROTECTED] is being rejected.
> >
> >>There is another point to consider, however, which is the point of
> >>emergency recovery. Having an accessible root login available is an
> >>important thing in case the machine is locked out.
> >>
> >
> >Is it possible that it would be possible to login straight as root, but
> >not login as a user and then su into root?
> >
> >Regards,
> >
> > Shlomi Fish
> >
> >> Shachar
----------------------------------------------------------------------
Shlomi Fish [EMAIL PROTECTED]
Home Page: http://t2.technion.ac.il/~shlomif/
Home E-mail: [EMAIL PROTECTED]
"Let's suppose you have a table with 2^n cups..."
"Wait a second - is n a natural number?"
----------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED]
Archives available at http://www.mail-archive.com/[email protected]/
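As an added example (not code from the thread or from the iglu setup), a small Python audit of an sshd_config for the two settings the thread argues about: protocol 1 support and direct root login. The sample configs are constructed, and the fallback defaults ("2,1" and "yes") are assumed to match OpenSSH 3.x.

```python
"""Audit sshd_config for protocol 1 and direct root login (added example)."""
import re

# sshd keyword semantics this parser reproduces: keywords are case-insensitive,
# the FIRST value obtained for a keyword wins (later repeats are ignored), a
# line whose first non-blank character is '#' is a comment, and anything after
# a "Match" line is conditional rather than a global default.
def parse_sshd_config(text):
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings

def audit(text):
    cfg = parse_sshd_config(text)
    findings = []
    # Assumed OpenSSH 3.x defaults when the keyword is absent.
    protocol = cfg.get("protocol", "2,1")
    if "1" in [p.strip() for p in protocol.split(",")]:
        findings.append("protocol 1 enabled")
    root = cfg.get("permitrootlogin", "yes").lower()
    if root == "yes":
        # "without-password" (key-only root) does not trigger this: no password
        # keystrokes cross the wire, which is the timing concern raised above.
        findings.append("direct root login allowed with password")
    return findings

# Constructed samples: the weak one also shows that the second
# PermitRootLogin line is silently ignored by sshd.
WEAK_CONFIG = """# constructed sample (weak)
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no
"""
HARDENED_CONFIG = """# constructed sample (hardened)
Protocol 2
PermitRootLogin without-password
"""

if __name__ == "__main__":
    print(audit(WEAK_CONFIG))      # two findings
    print(audit(HARDENED_CONFIG))  # []
```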