From: The Anarcat
To: Brandon Fosdick
Cc: stable@FreeBSD.ORG
Date: Fri, 5 Oct 2001 13:46:46 -0400
Subject: Re: Why sshd:PermitRootLogin = no ?
Message-ID: <20011005134645.A7287@shall.anarcat.dyndns.org>
In-Reply-To: <3BBDF0E9.20BA0F56@glue.umd.edu>
References: <19436.1002297239@axl.seasidesoftware.co.za> <20011005120139.D10847@pir.net> <3BBDF0E9.20BA0F56@glue.umd.edu>
User-Agent: Mutt/1.3.22.1i

You must be talking about a vulnerability which allows an attacker to "guess" the *length* of a string being passed in an SSH connection. This has been fixed, as far as I know.

And IIRC, if you use UseLogin=yes, it probably doesn't make a difference whether you su or log in as root.

A.

On Fri Oct 05, 2001 at 01:42:01PM -0400, Brandon Fosdick wrote:
> Peter Radcliffe wrote:
> >
> > Sheldon Hearn probably said:
> > > Why is sshd's PermitRootLogin set to 'no' in the default installation of
> > > FreeBSD?
> >
> > Because it's sensible.
>
> Given the semi-recent articles on determining passwords from sniffed ssh packets,
> which is least secure? Allowing remote root logins over ssh or su'ing to root?
> It's my understanding that the aforementioned sniffing method doesn't work on
> the initial ssh login, only on passwords typed after that (i.e. while su'ing).
>
> It seems to me that neither method is all that secure, so maybe the default
> should be based on convenience?
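The setting the whole thread turns on is sshd_config's PermitRootLogin. One detail that matters when auditing it, and that the thread does not spell out, is that sshd honours the first uncommented occurrence of a keyword, so a hardening line appended at the bottom of the file loses to an earlier one. The script below is an added example, not code from the thread or from OpenSSH: it extracts the effective value from a constructed sample sshd_config and classifies the root-login posture. It assumes the classic "Keyword value" layout (the "Keyword=value" form is folded in by replacing "=" with a space) and reports "unset" rather than guessing a default, because the compiled-in default for PermitRootLogin has changed between OpenSSH releases. The "prohibit-password" spelling is the newer synonym of "without-password".

```sh
#!/bin/sh
# Added example (not from the mailing-list thread or from OpenSSH):
# report the PermitRootLogin value sshd will actually use.
# sshd takes the FIRST uncommented occurrence of a keyword; keyword
# matching is case-insensitive, the value is case-sensitive.

# Constructed sample config (not a real host's file). It deliberately
# carries two PermitRootLogin lines so the first-match rule is visible.
SAMPLE_CONFIG='# sshd_config sample
Port 22
#PermitRootLogin yes
permitrootlogin without-password
Protocol 2
PermitRootLogin no
'

# effective_value <file> <keyword>
# Prints the value sshd will use for <keyword>, or "unset" when the
# keyword never appears uncommented.
effective_value() {
    file=$1
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        { gsub(/=/, " ") }                        # accept Keyword=value too
        NF >= 2 && tolower($1) == kw {            # first match wins
            print $2; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$file"
}

# root_login_posture <file>
# Human-readable classification of the effective PermitRootLogin value.
root_login_posture() {
    v=$(effective_value "$1" PermitRootLogin)
    case $v in
        no)                   echo "root login disabled" ;;
        without-password|prohibit-password)
                              echo "root login by key only" ;;
        forced-commands-only) echo "root login by key, forced commands only" ;;
        yes)                  echo "root password login allowed" ;;
        unset)                echo "PermitRootLogin unset (version default applies)" ;;
        *)                    echo "unrecognised value: $v" ;;
    esac
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s' "$SAMPLE_CONFIG" > "$tmp"
echo "effective PermitRootLogin: $(effective_value "$tmp" PermitRootLogin)"
echo "posture: $(root_login_posture "$tmp")"
rm -f "$tmp"
```

Run it against a real file with `effective_value /etc/ssh/sshd_config PermitRootLogin` after sourcing the script; on a live host `sshd -T | grep -i permitrootlogin` gives the same answer from sshd itself and is the authoritative check.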