Date: Thu, 25 Mar 1999 23:14:16 -0600 (CST)
From: Frank Tobin <ftobin@bigfoot.com>
Cc: FreeBSD-security Mailing List <freebsd-security@FreeBSD.ORG>
Subject: Re: sudo (was Re: Kerberos vs SSH)
Message-ID: <Pine.BSF.4.10.9903252308080.76901-100000@isr3277.urh.uiuc.edu>
In-Reply-To: <Pine.BSF.4.05.9903251642150.23152-100000@kasie.rwsystems.net>

James Wyatt, on Thu, 25 Mar 1999, wrote:

> The thing I don't like about it is that it makes programs like linsniffer
> more effective. It looks at TCP startups of telnet, FTP, pop, etc... and
> very nicely captures their password. Capturing root passwords from users
> 'su'-ing requires a *lot* more advanced sniffer or cracker intervention.
> This easily captured password is sufficient for root access if the user is
> allowed to do anything that might gain them shell. - Jy@

A decent way to prevent such attacks is to allow the use of only S/Key
one-time passwords when a person sudo's (or even logs in via any
unencrypted means). I'm not sure how this would be accomplished, but I'd
be surprised if it couldn't be done.

-- 
Frank Tobin
http://www.bigfoot.com/~ftobin

"To learn what is good and what is to be valued, those truths which
cannot be shaken or changed." Myst: The Book of Atrus

FreeBSD: The Power To Serve

PGPenvelope = Pine + PGP 5.0(i)
http://www.bigfoot.com/~ftobin/resources
PGP: 1502 6E84 8C08 E828 7945 3F4A 02F8 503A F40E B65E

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
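The property the reply relies on, as an added example that is not part of the original message: a minimal Lamport hash-chain verifier of the kind S/Key is built on, showing that a response captured off the wire is rejected when replayed. It uses SHA-256 in place of S/Key's own hash folding and word encoding, and the names `otp` and `OtpVerifier` and all sample values are assumptions made for illustration.

```python
import hashlib


def h(data: bytes) -> bytes:
    """One chain step. SHA-256 is an assumption here, not S/Key's own hash."""
    return hashlib.sha256(data).digest()


def otp(secret: bytes, seed: bytes, count: int) -> bytes:
    """Client side: hash seed+secret `count` times to get that step's password."""
    value = seed + secret
    for _ in range(count):
        value = h(value)
    return value


class OtpVerifier:
    """Server side: stores only the last accepted value, never the secret."""

    def __init__(self, initial: bytes, count: int):
        self.stored = initial  # h^count(seed+secret), set at enrollment
        self.count = count

    def challenge(self) -> int:
        """Sequence number the client must answer with: h^(count-1)."""
        return self.count - 1

    def verify(self, response: bytes) -> bool:
        if self.count <= 1:
            return False  # chain exhausted; the user must re-enroll
        if h(response) != self.stored:
            return False  # wrong value, or an already-used one
        self.stored = response  # advance the chain: this value is now spent
        self.count -= 1
        return True


def demo():
    secret, seed = b"constructed passphrase", b"ke1234"  # constructed samples
    server = OtpVerifier(otp(secret, seed, 100), 100)
    on_wire = otp(secret, seed, server.challenge())  # what a sniffer would see
    first = server.verify(on_wire)   # legitimate use
    replay = server.verify(on_wire)  # same bytes presented again
    following = server.verify(otp(secret, seed, server.challenge()))
    return first, replay, following
```

The server can check each response by hashing it once, but the value needed for the next challenge is a preimage of what was just sent, so the captured bytes do not authenticate a second time.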