From owner-freebsd-security Thu May 31 17:54:59 2001
Date: Thu, 31 May 2001 17:54:49 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: "f.johan.beisser"
Cc: Alex Holst , freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

"f.johan.beisser" wrote:
>
> On Fri, 1 Jun 2001, Alex Holst wrote:
>
> > That should be verified often with scanssh or something similar. I was
> > surprised when I read about the compromise, because it gives the impression
> > that people are still using passwords (as opposed to keys with passphrases)
> > for authentication in this day and age. Is that correct? If so, why is that?
>
> based on what i've read this morning, it wouldn't have made
> all that much of a difference. apparently the compromised
> version of ssh recorded passphrases, and keys.
>
> i don't see how else you could have avoided this problem. *sigh*

You cannot 'record passphrases.' RSA authentication uses public key
cryptography. The client, the person logging in, proves it knows a
secret, the private key, without ever revealing it to the server, which
only knows the public key.
The use of public key crypto allows you to log into potentially untrusted
servers without revealing your secret.
--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
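The challenge-response exchange Crist describes, as an added illustration that is not part of the original thread: a toy textbook-RSA client signs a server-chosen challenge, the server verifies it with only the public key, and the recorded transcript never contains the private exponent. The key pair, the SHA-256 hashing and the class names are constructed for this example; real SSH uses full-size keys and a padded signature scheme.

```python
import hashlib
import secrets

# Constructed toy RSA key pair: two well-known primes, far too small for
# real use but large enough to make the arithmetic behave like the real thing.
P, Q = 104729, 1299709          # 10000th and 100000th primes
N = P * Q                       # public modulus
E = 65537                       # public exponent
PRIVATE_D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def hash_to_int(data: bytes, n: int) -> int:
    """Map a challenge to an integer in [0, n) (stand-in for signature padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class Client:
    """Holds the private key. Only the *result* of using it ever leaves here."""

    def __init__(self, d: int, n: int):
        self._d, self.n = d, n

    def respond(self, challenge: bytes) -> int:
        return pow(hash_to_int(challenge, self.n), self._d, self.n)


class Server:
    """Knows only the public key (n, e) and logs everything it receives."""

    def __init__(self, n: int, e: int):
        self.n, self.e = n, e
        self.transcript = []    # everything the server saw on the wire

    def authenticate(self, client: Client) -> bool:
        challenge = secrets.token_bytes(16)          # fresh per attempt
        self.transcript.append(("challenge", challenge))
        response = client.respond(challenge)
        self.transcript.append(("response", response))
        # Verification uses only the public exponent.
        return pow(response, self.e, self.n) == hash_to_int(challenge, self.n)


def run_demo() -> dict:
    """Genuine client succeeds, a client with a wrong key fails, and the
    server-side transcript holds no private key material."""
    server = Server(N, E)
    genuine = server.authenticate(Client(PRIVATE_D, N))
    impostor = server.authenticate(Client(12345, N))   # constructed wrong key
    leaked = any(v == PRIVATE_D for _, v in server.transcript)
    return {"genuine": genuine, "impostor": impostor, "private_key_seen": leaked}
```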