From owner-freebsd-security Fri Jun 1 6:40: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 6205037B423 for ; Fri, 1 Jun 2001 06:40:06 -0700 (PDT) (envelope-from des@ofug.org) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id PAA58870; Fri, 1 Jun 2001 15:40:04 +0200 (CEST) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Alex Holst Cc: freebsd-security@FreeBSD.ORG Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) References: <200105312300.f4VN0RD24448@cwsys.cwsent.com> <20010601013041.A32818@area51.dk> From: Dag-Erling Smorgrav Date: 01 Jun 2001 15:40:04 +0200 In-Reply-To: <20010601013041.A32818@area51.dk> Message-ID: Lines: 13 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Alex Holst writes: > That should be verified often with scanssh or something similar. I was > surprised when I read about the compromise, because it gives the impression > that people are still using passwords (as opposed to keys with passphrases) > for authentication in this day and age. Keys with passphrases wouldn't have made any difference. The ssh binary on sourceforge was trojaned, and could have harvested ssh keys just as easily as passwords. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message