From: "Peter C. Lai"
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Date: Fri, 1 Jun 2001 09:53:08 -0400

Usually on untrusted systems (such as a public terminal), I ssh via
MindTerm's Java ssh client, which is stored on the system that I access.
It only uses SSH1 (because they haven't written an SSH2 client yet). The
Java applet version I'm using is unsigned, and therefore should run in its
own sandbox wrt the Java runtime that I am using. Barring a trojaned
Java runtime that records all keystrokes, how else is using a trusted
client stored on a trusted machine from an untrusted terminal dangerous?

Peter C. Lai | University of Connecticut
peter.lai@uconn.edu | Undergraduate Research Assistant

----- Original Message -----
From: "Michael Bryan"
Sent: Thursday, May 31, 2001 7:54 PM
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)

> Alex Holst wrote:
> >
> > I was
> > surprised when I read about the compromise, because it gives the impression
> > that people are still using passwords (as opposed to keys with passphrases)
> > for authentication in this day and age. Is that correct? If so, why is that?
>
> Yeah, I'd say it's correct. As to why, I can think of two reasons. 1) It's
> easier to use ssh with passwords, and just not be "bothered" with the key
> maintenance. 2) The password is sent encrypted, not in cleartext, and that
> is in many people's minds one of the most important benefits of using ssh.
> The extra safety of keys is just not always seen as being worth the extra
> work. [And I'm not arguing either side of that issue, different people believe
> or prioritize in different ways...]