[PLUG] SSH Experts Here?

Wil Cooley wcooley at nakedape.cc
Wed Dec 6 06:18:44 UTC 2006


On Tue, 2006-12-05 at 19:17 -0800, Elliott Mitchell wrote:

> As long as you check host keys, there isn't really any practical
> difference. Your target machine will have the password, if it is
> compromised, an attacker *will* get your password (when you log onto the
> console if nothing else). Pass-phrases are really most important when
> you're going unencrypted through somewhere, either an intermediate sshd
> host, or through wireless without encryption.

What are you talking about?  Both password and public key authentication
methods are secure, regardless of the security of the underlying medium.
All the client has to do is encrypt the password with the server's
public key.  Now, if you don't have the server's public key cached, that
could be the source of a MITM attack.

> >    If you folks who deal with security have suggestions on how to debug this
> > situation, please let me know.
> 
> The logs have already been suggested. `ssh -v` is a tremendous source of
> information, in the worst case stopping `sshd` and then running `sshd -d`
> is another source of information (remember to fully restart sshd when
> done!).

Actually, the best way is to add the '-p' and set up the debugging
server on a separate port.  If you've got to go through a firewall it's
a little more fiddling, but having a working SSH server seems a
requisite for a happy life.

Wil
-- 
Wil Cooley <wcooley at nakedape.cc>
http://nakedape.cc/wiki/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.pdxlinux.org/pipermail/plug/attachments/20061205/521b9b20/attachment.asc>


More information about the PLUG mailing list