Date: Thu, 31 May 2001 20:43:10 -0400
Message-Id: <200106010043.UAA18400@mailer.progressive-comp.com>
From: Hank Leininger
Reply-To: Hank Leininger
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Sender: owner-freebsd-security@FreeBSD.ORG

On 2001-06-01, "f.johan.beisser" wrote:

> On Fri, 1 Jun 2001, Alex Holst wrote:

> > impression that people are still using passwords (as opposed to keys
> > with passphrases) for authentication in this day and age. Is that
> > correct? If so, why is that?

> based on what i've read this morning, it wouldn't have made
> all that much of a difference. apparently the compromised
> version of ssh recorded passphrases, and keys.

> i don't see how else you could have avoided this problem.

a) Don't hop through untrusted systems.
b) Use protocol 2 exclusively to make MITM'ing harder.
c) Use/require from=" " entries in your authorized_keys* files.
d) When breaking a), exclusively port-forward the second hop inside the
   first; do *not* ssh to a command prompt and run 'ssh' on the
   intermediate host.
e) When breaking all of the above (in an emergency, say) communicate with
   someone OOB *immediately* who can revoke all access you used in a safe
   way, until you can restore it via safe channels (consider any keys,
   passwords, etc you used to be compromised and never use them again).
f) Hide under the bed.

--
Hank Leininger
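
An audit for item c) above, as an added example that is not part of the original post: it parses authorized_keys lines and reports keys that carry no from= restriction or one that matches any host. It assumes the OpenSSH options syntax (comma-separated options, double-quoted values); the function names and the sample file are constructed for illustration.

```python
import re

KEY_START = re.compile(r"^(ssh-|ecdsa-|sk-|\d)")    # key type, or protocol 1 bit count
QUOTED = r'"(?:\\.|[^"\\])*"'                        # double-quoted value, \" allowed
OPTS_FIELD = re.compile(rf'^(?:[^\s"]|{QUOTED})+')   # up to the first unquoted whitespace
ONE_OPT = re.compile(rf'(?:[^,"]|{QUOTED})+')        # pieces between unquoted commas

# Constructed sample input; the key material is placeholder text.
SAMPLE = '''\
# constructed authorized_keys sample
ssh-ed25519 AAAAPLACEHOLDER1 alice@laptop
from="192.0.2.10,*.corp.example" ssh-rsa AAAAPLACEHOLDER2 bob@desk
command="/usr/bin/backup --dest a, b",no-pty ssh-rsa AAAAPLACEHOLDER3 backup
from="*",no-port-forwarding ssh-ed25519 AAAAPLACEHOLDER4 carol
'''

def options(line):
    """Return the list of options that precede the key on one line."""
    if KEY_START.match(line):          # line starts with the key: no options
        return []
    field = OPTS_FIELD.match(line)
    return ONE_OPT.findall(field.group(0)) if field else []

def audit(text):
    """Return (line_number, problem) for keys lacking a useful from= option."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Value of every from= option, with the surrounding quotes removed.
        froms = [o[5:].strip('"') for o in options(line)
                 if o.lower().startswith("from=")]
        if not froms:
            findings.append((n, "no from= restriction"))
        elif any(p.strip() in ("", "*") for f in froms for p in f.split(",")):
            findings.append((n, "from= includes a catch-all pattern"))
    return findings

if __name__ == "__main__":
    for n, problem in audit(SAMPLE):
        print(f"line {n}: {problem}")
```
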