From owner-freebsd-security Wed Jan 19 13:37:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from almazs.pacex.net (almazs.pacex.net [204.1.219.156])
    by hub.freebsd.org (Postfix) with ESMTP id 344D415052
    for ; Wed, 19 Jan 2000 13:37:24 -0800 (PST)
    (envelope-from admin@pacex.net)
Received: from almazs.pacex.net (almazs.pacex.net [204.1.219.156])
    by almazs.pacex.net (8.9.3/8.9.3) with ESMTP id NAA98353;
    Wed, 19 Jan 2000 13:36:14 -0800 (PST)
Date: Wed, 19 Jan 2000 13:36:13 -0800 (PST)
From: net admin
To: Marc Silver
Cc: Stephan van Beerschoten , freebsd-security@FreeBSD.ORG
Subject: Re: ssh-feature 'backdoor'
In-Reply-To: <20000119165350.E8404@is.co.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I am just going to sneak into this thread and throw in a question;

I have read in the ssh docs that tcp_wrappers do not give any added
security benefits if used with ssh, and some even suggested that it is
best not to have tcp_wrappers with ssh????

Please elucidate as to why tcp_wrappers would give added security when
used with ssh.

Just seeking more info; I am not in the security list yet.

Dan

On Wed, 19 Jan 2000, Marc Silver wrote:

> Ah ok -- I see what you mean. I suppose another way you could kind of
> prevent this is to use tcp_wrappers thereby being sure that only the
> hosts you want can get into the box. This doesn't help you if the box
> is already hacked, but it can help if it isn't.
>
> My two more cents...
>
> I'll keep quiet now and no offense meant by my earlier posts if you were
> offended btw. ;)
>
> Cheers,
> Marc
>
> On Wed, Jan 19, 2000 at 03:43:48PM +0100, Stephan van Beerschoten wrote:
> > On Wed, Jan 19, 2000 at 03:52:03PM +0200, Marc Silver wrote:
> > > That should never happen if this line is in your sshd_config file:
> > >
> > > PermitRootLogin no
> >
> > Well, sure this line was there, but one of the kids who hacked it
> > must have altered this default behaviour and placed the auth-file.
> >
> > It was just to bring the auth-file thing to everyone's attention,
> > because it's not just the root account which can be abused like this..
> > if a possible hacker placed an authorised_keys file (with his key) in
> > any user's homedir, this account is permanently open for the hacker to
> > logon to.
> >
> > Just a note.
> > -Steve
> >
> > --
> > Stephan van Beerschoten Email: stephanb@luna.nl
> > Network Engineer Luna Internet Services
> > PGP fingerprint 4557 9761 B212 FB4C 778D 3529 C42A 2D27
> >
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
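
Stephan's point in the quoted text is that a key planted in any account's authorized_keys file is a standing login, so the check has to cover every account, not only root. The following is an added example, not code from the thread: it compares each entry against a per-account allowlist of key fingerprints. The account names, key blobs and allowlist are constructed; on a real host the `files` mapping would be filled by reading the file named by sshd_config's AuthorizedKeysFile for each account.

```python
import base64
import hashlib
import re

# One entry: [options] keytype base64-blob [comment]; options may hold quoted spaces.
ENTRY = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+)?'
    r'(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+'
    r'(?P<blob>[A-Za-z0-9+/]+={0,2})(?:\s|$)')

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(files, approved):
    """files: {account: authorized_keys text}; approved: {account: {fingerprint}}.
    Returns (account, line_no, reason, detail) for every entry needing review."""
    findings = []
    for account, text in sorted(files.items()):
        for n, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = ENTRY.match(line)
            try:
                fp = fingerprint(m.group("blob")) if m else None
            except ValueError:  # blob is not valid base64
                fp = None
            if fp is None:
                findings.append((account, n, "unparsed", line[:40]))
            elif fp not in approved.get(account, set()):
                findings.append((account, n, "unapproved-key", fp))
    return findings

def _blob(label):  # constructed stand-in for a public key blob, not a real key
    return base64.b64encode(label.encode()).decode()

# Constructed sample: alice's key is expected, the other two are not.
SAMPLE = {
    "alice": f"ssh-rsa {_blob('alice-laptop')} alice@laptop\n",
    "root": f"# restored from backup\nssh-rsa {_blob('unknown-1')} x\n",
    "www": f'from="*",command="echo audit test" ssh-dss {_blob("unknown-2")}\n',
}
APPROVED = {"alice": {fingerprint(_blob("alice-laptop"))}}

if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print(*finding)
```

Entries that do not parse are reported rather than skipped, so a malformed or unfamiliar line still gets looked at.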