Date: Fri, 1 Jun 2001 10:29:02 +0200 From: Borja Marcos <borjamar@sarenet.es> To: freebsd-security@freebsd.org Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd) Message-ID: <01060109174003.87883@borja.sarenet.es> In-Reply-To: <Pine.BSF.4.21.0105311727160.66343-100000@pogo.caustic.org> References: <Pine.BSF.4.21.0105311727160.66343-100000@pogo.caustic.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Friday 01 June 2001 02:28, you wrote: > based on what i've read this morning, it wouldn't have made > all that much of a difference. aparently the compromised > version of ssh recorded passphrases, and keys. > > i don't see how else you could have avoided this problem. If you use an authentication agent the keys are kept in your computer. If you ssh from A to B and from B to C, the challenge used for the authentication is sent from C through B to A. This means that a compromised ssh client in B cannot log any keys. I use to install *all* my ssh servers with "PasswordAuthentication no" in /etc/ssh/sshd_config. And, using an authentication agent would allow you to use a sort of external device to store the keys. For example, a Dallas Semiconductor "iButton", a PDA or a HP calculator. Borja. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?01060109174003.87883>