Date: Thu, 31 May 2001 17:28:52 -0700 (PDT)
From: "f.johan.beisser"
To: Alex Holst
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
In-Reply-To: <20010601013041.A32818@area51.dk>

On Fri, 1 Jun 2001, Alex Holst wrote:

> That should be verified often with scanssh or something similar. I was
> surprised when I read about the compromise, because it gives the impression
> that people are still using passwords (as opposed to keys with passphrases)
> for authentication in this day and age. Is that correct? If so, why is that?

based on what i've read this morning, it wouldn't have made all that much
of a difference. apparently the compromised version of ssh recorded
passphrases, and keys.

i don't see how else you could have avoided this problem.

-------/ f. johan beisser /--------------------------------------+
http://caustic.org/~jan jan@caustic.org
"which then led me to realize leading my life by the motto
'i'm not as bad as jan' would still let me get away with A LOT"
--- j. leah williams, University of Chicago, 19 Jan, 2001