From owner-freebsd-security Fri Jun 1 1:29: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from borja.sarenet.es (borja.sarenet.es [192.148.167.77]) by hub.freebsd.org (Postfix) with ESMTP id 796D737B422 for ; Fri, 1 Jun 2001 01:29:05 -0700 (PDT) (envelope-from borjam@sarenet.es) Received: from borja.sarenet.es (localhost [127.0.0.1]) by borja.sarenet.es (8.11.3/8.11.3) with SMTP id f518T2088225 for ; Fri, 1 Jun 2001 10:29:04 +0200 (CEST) (envelope-from borjam@sarenet.es) Content-Type: text/plain; charset="iso-8859-1" From: Borja Marcos To: freebsd-security@freebsd.org Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Date: Fri, 1 Jun 2001 10:29:02 +0200 X-Mailer: KMail [version 1.2] References: In-Reply-To: MIME-Version: 1.0 Message-Id: <01060109174003.87883@borja.sarenet.es> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Friday 01 June 2001 02:28, you wrote: > based on what i've read this morning, it wouldn't have made > all that much of a difference. aparently the compromised > version of ssh recorded passphrases, and keys. > > i don't see how else you could have avoided this problem. If you use an authentication agent the keys are kept in your computer. If you ssh from A to B and from B to C, the challenge used for the authentication is sent from C through B to A. This means that a compromised ssh client in B cannot log any keys. I use to install *all* my ssh servers with "PasswordAuthentication no" in /etc/ssh/sshd_config. And, using an authentication agent would allow you to use a sort of external device to store the keys. For example, a Dallas Semiconductor "iButton", a PDA or a HP calculator. Borja. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message